
16 Posts

January 22nd, 2005 01:00

Adware/Spyware issues

Hi,
I have several adware removal programs. I use them all frequently. However, after a few days, they seem to come back. I have a particular problem with a file called csmss.exe. In addition, I know that I have a Coolweb issue, as my notepad.exe file keeps getting replaced. I assume that it is a hidden file reinfecting my system, but I can't find it. Below is the most current HJT log. Can anyone A) help me remove whatever problems HJT shows, B) get rid of CSMSS.exe, and C) find the hidden file?
Jim
 
 
 
Logfile of HijackThis v1.98.2
Scan saved at 10:48:11 PM, on 1/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ATI2PLXX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ACCESSRAMP\ARMON32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SEALEDMEDIA\SEALMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\WINDOWS\SYSTEM\MDMS.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS1982.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net
F1 - win.ini: run=hpfsched
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [MadExe] C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AccessRampMonitor] C:\Program Files\AccessRamp\ARMon32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system\mdms.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Eukmw] C:\WINDOWS\SYSTEM\gexzn.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23d80ed2585f21dc7417/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50203/QDow_AS2.cab

4.8K Posts

January 22nd, 2005 04:00

Jim,

Let's start with HJT first. It looks like your system has picked up VX2 or a variant of it. We're going to try the VX2 cleaner first; if AdAware 'crashes' or cannot clean it up, then we'll switch to a different method of removal.



If you don't already have it, download, install and run AdAware SE Personal.

-

Next, check for, and download any available updates:

1. Click "Check for updates now".
2. Click "Connect".
3. If updates (definitions) are available click "Ok", otherwise, click "Ok".
4. Click "Finish".

-

Next, configure AdAware to be as effective as possible:

1. Click the 'gear' in the upper-right hand corner of the AdAware window.
2. Click Scanning, and check (tick) the following:

Scan within archives
Scan active processes
Scan registry
Deep-scan registry
Scan my IE Favorites for banned URLs
Scan my Hosts file


3. Click "Tweak".
4. Click "Scanning Engine", then check (tick) the following:

Unload recognized processes & modules during scan

5. Click "Cleaning Engine", then check (tick) the following:

Always try to unload modules before deletion
During removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot
Delete quarantined objects after restoring


6. Then click "Proceed".

-

Now, let AdAware locate and remove anything it finds, by:

1. Click "Start".
2. Check (tick) "perform full system scan".
3. Click " Next".

-

Exit the program.



If you don't already have it, let's go to Lavasoft's VX2 Cleaner web-page, and follow the instructions to download and install the utility.

-

Next, run AdAware SE Personal, then:

1. Click "Add-Ons".
2. Double-click "VX2 Cleaner".
3. Click "Ok", to "Execute this tool".
4. If nothing is found, click "Ok", then exit the program.

(or)

4. If VX2 has been found on your system, click "Clean System".
5. Then when it's completely done, reboot your computer.
6. Repeat steps 1-4 again.

Be sure to follow any instructions it might give while using it.



Download, then unzip to "C:\HJT", the newest version of HiJackThis; version 1.99.0. Then repost your log, either now, or after following the steps in the solution (if provided in this post). This version has features that might help in 'cleaning' up your system.



Run HiJackThis and click "Scan", then check (tick) the following, if present:


O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKCU\..\Run: [Eukmw] C:\WINDOWS\SYSTEM\gexzn.exe

O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23d80ed2585f21dc7417/netzip/RdxIE601.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50203/QDow_AS2.cab


Now, with all windows closed except HiJackThis, click "Fix checked".



Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

files...

C:\WINDOWS\SYSTEM\gexzn.exe



Post back a new log.

-

Mike.
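The entries Mike picks out above fall into a few recognisable classes: hosts-file lines that send search hostnames to one outside IP, Trusted Zone additions, an HKCU Run entry whose key name and file name are unrelated random strings, and a CAB fetched from a bare IP. As an added example that is not part of the original thread or of HijackThis, the Python below scans a log in HJT's format for exactly those classes; the sample lines are taken from the logs posted here, while the `STOCK_HOSTS` allowlist and the hostname `ads.example.invalid` are assumptions:

```python
"""Triage a HijackThis (HJT) log for the hijack classes seen in this thread.
Added example, not part of the original thread or of HijackThis itself; every
hit is a candidate for manual review, not a verdict."""
import re
from collections import defaultdict
from urllib.parse import urlparse

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[([^\]]+)\] (.+)$")
O15_RE = re.compile(r"^O15 - (.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (\S+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EXE_RE = re.compile(r'"?(.*?\.exe)\b', re.IGNORECASE)
SYSDIR_RE = re.compile(r"\\windows\\system(32)?$")
# Stock Windows host binaries whose Run key names never resemble the file name
# (assumed allowlist; extend it for your environment).
STOCK_HOSTS = {"rundll32.exe"}

# Constructed sample in the format of the logs posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [Eukmw] C:\WINDOWS\SYSTEM\gexzn.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 213.159.117.133
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23d80ed2585f21dc7417/netzip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

def hosts_hijacks(lines):
    # CWS/VX2 point several search hostnames at one external IP; loopback and
    # null-route mappings (the ad-blocking use of a hosts file) are ignored.
    by_ip = defaultdict(list)
    for m in filter(None, map(O1_RE.match, lines)):
        if m.group(1) not in ("127.0.0.1", "0.0.0.0", "::1"):
            by_ip[m.group(1)].append(m.group(2))
    return dict(by_ip)

def trusted_zone_additions(lines):
    # Trusted-zone sites get relaxed ActiveX/scripting rules; users rarely add them.
    return [m.group(1).strip() for m in filter(None, map(O15_RE.match, lines))]

def _shares_trigram(a, b):
    a, b = (re.sub(r"[^a-z]", "", s.lower()) for s in (a, b))
    tri = {a[i:i + 3] for i in range(len(a) - 2)}
    return any(b[i:i + 3] in tri for i in range(len(b) - 2))

def unexplained_system_autostarts(lines, allow=STOCK_HOSTS):
    # Run/RunServices entries that launch an .exe from the Windows system
    # directory (or a bare name resolved there) under a key name unrelated to
    # the file name: the [Eukmw] gexzn.exe pattern from the logs above.
    hits = []
    for m in filter(None, map(O4_RE.match, lines)):
        name, command = m.group(1), m.group(2).strip()
        exe_m = EXE_RE.match(command)
        if not exe_m:
            continue
        directory, _, exe = exe_m.group(1).lower().replace("/", "\\").rpartition("\\")
        if exe in allow or (directory and not SYSDIR_RE.search(directory)):
            continue
        if not _shares_trigram(name, exe.rsplit(".", 1)[0]):
            hits.append((name, command))
    return hits

def activex_from_bare_ip(lines):
    # O16 DPF entries that fetch a CAB from a bare IP instead of a vendor host.
    return [m.group(1) for m in filter(None, map(O16_RE.match, lines))
            if IPV4_RE.match(urlparse(m.group(1)).hostname or "")]

def triage(log_text):
    lines = [ln.rstrip() for ln in log_text.splitlines()]
    return {
        "hosts_hijacks": hosts_hijacks(lines),
        "trusted_zone": trusted_zone_additions(lines),
        "autostarts": unexplained_system_autostarts(lines),
        "activex_from_ip": activex_from_bare_ip(lines),
    }
```

Run `triage(open("hijackthis.log").read())` on a saved log; the benign lines in the sample (SysTray, Rundll32, SynTPEnh) show the heuristics staying quiet on ordinary autostarts.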

16 Posts

January 22nd, 2005 18:00

Ok,

I ran adaware. It located several processes, including coolweb. It also found 18 vx2 files and something called redirect host, as well as a bunch of cookies. However, whenever I try to delete/quarantine the files, adaware locks up. What do I do next? I also could not find the file gexzn.exe in windows\system. Posted below is the most current hjt.

 

Logfile of HijackThis v1.99.0
Scan saved at 2:58:05 PM, on 1/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ATI2PLXX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ACCESSRAMP\ARMON32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SEALEDMEDIA\SEALMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\WINDOWS\SYSTEM\MDMS.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net
F1 - win.ini: run=hpfsched
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [MadExe] C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AccessRampMonitor] C:\Program Files\AccessRamp\ARMon32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system\mdms.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Eukmw] C:\WINDOWS\SYSTEM\gexzn.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted IP range: 213.159.117.133
O15 - Trusted IP range:  (HKLM)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
 

4.8K Posts

January 22nd, 2005 19:00

Jim,

Let's try the VX2 cleaner again, then HiJackThis. If that doesn't resolve our issue, then we'll take a different approach; it's the newer VX2 variant.

-

Let's get started...



Try running the VX2 cleaner again.



Run HiJackThis and click "Scan", then check (tick) the following, if present:


O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - HKCU\..\Run: [Eukmw] C:\WINDOWS\SYSTEM\gexzn.exe

O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted IP range: 213.159.117.133
O15 - Trusted IP range: (HKLM)


Now, with all windows closed except HiJackThis, click "Fix checked".



Post back a new log.

-

Mike.

16 Posts

January 22nd, 2005 21:00

Got it!

Whenever I run adaware, it picks up 2 processes running, these are the coolweb infection systems. They are the files that mucked up deleting vx2. I ran the add on twice, and both times it said system clean. I deleted the things from HJT like you asked. Note, however, that the trusted ip ranges and the 3 hosts files pop up on the very next scan. How do I keep them off my system? Posted below is the next HJT log.

Your help and instructions have been superb so far. I can't thank you enough.

Jim

Logfile of HijackThis v1.99.0
Scan saved at 6:03:39 PM, on 1/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ATI2PLXX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ACCESSRAMP\ARMON32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SEALEDMEDIA\SEALMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\WINDOWS\SYSTEM\MDMS.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net
F1 - win.ini: run=hpfsched
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [MadExe] C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AccessRampMonitor] C:\Program Files\AccessRamp\ARMon32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system\mdms.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted IP range: 213.159.117.133
O15 - Trusted IP range:  (HKLM)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
 

4.8K Posts

January 22nd, 2005 22:00

Jim,

Ok, let's see if CWShredder can remove the coolweb problem, and whether DLLCompare picks up any hidden VX2 dll(s)...


Download, unzip to your desktop CWShredder and run it, then:

1.  Click "Check For Update"
 
    (If an update isn't available, skip to step #4.)

2.  Click "Click here to Download the update".
3.  When the new version has been downloaded, click "Save".

4.  Click "Fix ->"



Let's see if we can try and fix this; it might get a little complicated, so, if you have questions at any time, just post back.

First, let's start off by looking where no-hijack has looked before:

1.  Download DLLCompare and Killbox to your desktop.

2.  Click "Run locate.com".

When the scan is complete, you will see: Completed the scan, Click Compare to Continue

3.  Click "Compare". In a few minutes it will be completed.

4.  Click "Make a Log of what was Found".

5.  Post that back as a reply to this post.
 

 
Mike.
 

16 Posts

January 22nd, 2005 23:00

Mike,

Thanks for all of your help.  I ran the CWS shredder, and it seemed to work fine.  I also downloaded the other programs.  Here is a logfile of the dll compare:

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\sxmscrpt.dll   Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\rsclts6.dll    Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\sctup4.dll     Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\wplp32t.dll    Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\rocltc1.dll    Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\arippaxx.dll   Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\ssi_ci.dll     Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\arivs2xx.dll   Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\mjvcp60.dll    Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\maacm.dll      Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\rgrc16.dll     Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\sorrun.dll     Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\mzorc32r.dll   Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\ayctres.dll    Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\muident.dll    Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\dutmsft.dll    Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\rmcltscm.dll   Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\ufl.dll        Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\hefprl15.dll   Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\mcihnd.dll     Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
________________________________________________

865 items found:  865 files (20 H/S), 0 directories.
Total of file sizes:  154,149,189 bytes    147.01 M

--------------------End log---------------------

4.8K Posts

January 23rd, 2005 00:00

Jim,

You're welcome. We'll need to get rid of all those. It should take two passes to remove them, and the new ones they'll create.


 Now, let's run KillBox, then:

-----

1.  check(tick) "Replace on reboot"

2.  enter C:\WINDOWS\SYSTEM\sxmscrpt.dll, in "Full Path of File to Delete".

3.  check(tick) "Use Dummy".

4.  click the red-x, just right of where you entered the file to delete.

5.  Confirm that you want to replace the 'bad' file with the 'dummy'.

6.  When prompted to "Reboot Now", select "No".

7. Now repeat steps #1 - #6 for the following files:

C:\WINDOWS\SYSTEM\rsclts6.dll
C:\WINDOWS\SYSTEM\sctup4.dll
C:\WINDOWS\SYSTEM\wplp32t.dll
C:\WINDOWS\SYSTEM\rocltc1.dll
C:\WINDOWS\SYSTEM\arippaxx.dll
C:\WINDOWS\SYSTEM\ssi_ci.dll
C:\WINDOWS\SYSTEM\arivs2xx.dll
C:\WINDOWS\SYSTEM\mjvcp60.dll
C:\WINDOWS\SYSTEM\maacm.dll
C:\WINDOWS\SYSTEM\rgrc16.dll
C:\WINDOWS\SYSTEM\sorrun.dll
C:\WINDOWS\SYSTEM\mzorc32r.dll
C:\WINDOWS\SYSTEM\ayctres.dll
C:\WINDOWS\SYSTEM\muident.dll
C:\WINDOWS\SYSTEM\dutmsft.dll
C:\WINDOWS\SYSTEM\rmcltscm.dll
C:\WINDOWS\SYSTEM\ufl.dll
C:\WINDOWS\SYSTEM\hefprl15.dll
C:\WINDOWS\SYSTEM\mcihnd.dll

C:\Windows\System32\Guard.tmp

After entering the last file, when prompted to "Reboot Now", select "Yes".

-----

You can copy/paste these file name(s) to save on typing.


Now, let's go back and run DLLCompare again, just like we did in the previous post, and post back the results.

Be sure not to reboot your computer while we're working on this, otherwise we'll have a whole new set of program(s) to check for - this thing has a habit of changing the above names on reboot ...

Mike.

4.8K Posts

January 23rd, 2005 00:00

Kirk,

A green check means selected and a red-x means unselected.

Mike.

215 Posts

January 23rd, 2005 00:00

Mike,

Concerning adaware, how do you know if an option is selected? Is it highlighted red or green if an item is selected?

 

Kirk 

16 Posts

January 23rd, 2005 01:00

Mike,

I rebooted and reran dllcompare. Here is the result:

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\sxmscrpt.dll   Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\rmr20.dll      Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\iset16.dll     Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\ditmsft.dll    Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\nitdi.dll      Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\iretcomm.dll   Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\sorrun.dll     Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
________________________________________________
870 items found:  870 files (7 H/S), 0 directories.
Total of file sizes:  155,262,029 bytes    148.07 M
--------------------End log---------------------
 
On a side note, I reran CWS Shredder and it picked up and deleted the same file that it had said it deleted earlier. I then ran adaware, and it is still picking up coolweb as a running process. It also repicked up the vx2 virus. Is this a problem?
 
Jim
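The two DLLCompare logs in this thread show the behaviour Mike describes: twenty System/Read-only DLLs of identical size and timestamp under random names, and after a reboot a fresh set of names with the same size and timestamp while sxmscrpt.dll and sorrun.dll persist. As an added example that is not part of the thread or of DLLCompare, the Python below parses that log format, clusters DLLs by (size, timestamp) fingerprint, and diffs a before/after pair by filename; the rows are excerpts of the logs posted above, `benign_example.dll` is a constructed row, and reading the attribute letters as S = System, R = Read-only is an assumption.

```python
"""Parse DLLCompare logs and follow the VX2 DLL set across a reboot.
Added example, not part of the original thread or of DLLCompare. Reading the
attribute column letters as S = System and R = Read-only is an assumption
based on the "H/S" wording in the log summary."""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+(?P<stamp>\w{3} \w{3} \d{1,2} \d{4}\s+[\d:]+[ap])"
    r"\s+(?P<attrs>[.A-Z]{5})\s+(?P<size>[\d,]+)\s"
)

# Excerpts of the two logs posted in this thread, plus one constructed benign
# row (benign_example.dll) to show that singletons are not clustered.
BEFORE_LOG = r"""
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\sxmscrpt.dll   Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\rsclts6.dll    Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\sctup4.dll     Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\sorrun.dll     Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\benign_example.dll  Mon Jan 10 2005   9:00:00a  ..S..         40,960    40.00 K
________________________________________________
"""
AFTER_LOG = r"""
C:\WINDOWS\SYSTEM\sxmscrpt.dll   Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\rmr20.dll      Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\iset16.dll     Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\sorrun.dll     Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
C:\WINDOWS\SYSTEM\benign_example.dll  Mon Jan 10 2005   9:00:00a  ..S..         40,960    40.00 K
"""

def parse_log(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner, separator and summary lines
        rows.append({
            "name": m.group("path").rsplit("\\", 1)[-1].lower(),
            "stamp": " ".join(m.group("stamp").split()),
            "attrs": m.group("attrs"),
            "size": int(m.group("size").replace(",", "")),
        })
    return rows

def identical_dll_clusters(rows, min_files=3):
    # A VX2 drop is many randomly named copies of one DLL, all System+Read-only
    # with the same size and timestamp, so large identical groups stand out.
    groups = defaultdict(list)
    for r in rows:
        if r["name"].endswith(".dll") and "S" in r["attrs"] and "R" in r["attrs"]:
            groups[(r["size"], r["stamp"])].append(r["name"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_files}

def diff_logs(before_text, after_text):
    # Which hidden files survived the reboot, which vanished, and which new
    # names carry the (size, stamp) fingerprint of a file seen before.
    before = {r["name"]: r for r in parse_log(before_text)}
    after = {r["name"]: r for r in parse_log(after_text)}
    fingerprints = {(r["size"], r["stamp"]) for r in before.values()}
    new = after.keys() - before.keys()
    return {
        "persisted": sorted(after.keys() & before.keys()),
        "gone": sorted(before.keys() - after.keys()),
        "new": sorted(new),
        "new_same_fingerprint": sorted(
            n for n in new if (after[n]["size"], after[n]["stamp"]) in fingerprints),
    }
```

Saving each DLLCompare log before and after a reboot and feeding the pair to `diff_logs` makes the rename-on-reboot behaviour visible instead of having to eyeball twenty random names.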

16 Posts

January 23rd, 2005 01:00

I never get the option to "reboot now". Do I have a problem with my killbox program? If not, should I reboot?

215 Posts

January 23rd, 2005 04:00

Thanks a lot for the reply Mike!

Kirk

 

4.8K Posts

January 23rd, 2005 12:00

Jim,

Let's keep hammering away at this thing...


 Now, let's run KillBox, then:

-----

1.  check(tick) "Replace on reboot"

2.  enter C:\WINDOWS\SYSTEM\sxmscrpt.dll , in "Full Path of File to Delete".

3.  check(tick) "Use Dummy".

4.  click the red-x, just right of where you entered the file to delete.

5.  Confirm that you want to replace the 'bad' file with the 'dummy'.

6.  When prompted to "Reboot Now", select "No".

7. Now repeat steps #1 - #6 for the following files:

C:\WINDOWS\SYSTEM\rmr20.dll   
C:\WINDOWS\SYSTEM\iset16.dll  
C:\WINDOWS\SYSTEM\ditmsft.dll 
C:\WINDOWS\SYSTEM\nitdi.dll   
C:\WINDOWS\SYSTEM\iretcomm.dll
C:\WINDOWS\SYSTEM\sorrun.dll

C:\Windows\System32\Guard.tmp

After entering the last file, when prompted to "Reboot Now", select "Yes".

-----

You can copy/paste these file name(s) to save on typing.


Now, let's go back and run DLLCompare again, just like we did in the previous post, and post back the results.

-
 
Mike.
 

Message Edited by Midnight Star on 01-23-2005 08:05 AM

16 Posts

January 23rd, 2005 16:00

Here's the latest dll log.
 
 
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM\sxmscrpt.dll   Fri Jan 21 2005   8:19:20p  ..S.R        222,568   217.35 K
________________________________________________
870 items found:  870 files (1 H/S), 0 directories.
Total of file sizes:  155,262,029 bytes    148.07 M
--------------------End log---------------------

4.8K Posts

January 24th, 2005 05:00

Jim,

We're almost there ... :)


 Now, let's run KillBox, then:

-----

1.  check(tick) "Replace on reboot"

2.  enter C:\WINDOWS\SYSTEM\sxmscrpt.dll , in "Full Path of File to Delete".

3.  check(tick) "Use Dummy".

4.  click the red-x, just right of where you entered the file to delete.

5.  Confirm that you want to replace the 'bad' file with the 'dummy'.

6.  When prompted to "Reboot Now", select "No".

7. Now repeat steps #1 - #6 for the following files:

C:\Windows\System32\Guard.tmp

After entering the last file, when prompted to "Reboot Now", select "Yes".

-----

You can copy/paste these file name(s) to save on typing.


Now, let's go back and run DLLCompare again, just like we did in the previous post, and post back the results. Hopefully, this time it will come back zilch.

-
 
Mike.