Old 06-05-2004, 02:18 AM   #1
Member (8 bit)
 
jonro's Avatar
 
Join Date: May 2004
Location: Sydney, Australia
Posts: 152
c:\windows\system32\error ????

Hi


When Windows loads and the desktop appears I get 3 error messages saying:

error loading

mesg no.1 c:\WINDOWS\system32\li01f948.dll
no.2 c:\WINDOWS\system32\readdb40.dll
no.3 c:\WINDOWS\system32\iel2cde8.dll
the specified module could not be found

I then proceed to click ok for each of them and my computer seems to run fine after that.

Also when restarting or turning off my computer I have to click on restart or turn off twice to do it.

Any help with these problems would be really good

THANKS
__________________
JonrO
E6750 Core 2 Duo Gigabyte P35-DS3 GeIL 2G (2X1GB) DDRII 667 (PC-5300) CoolerMaster EXTREME POWER 550W V2 ECS 8800GTS 320MB Seagate SATA 250GB Barracuda
jonro is offline   Reply With Quote
Old 06-05-2004, 02:51 AM   #2
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
they look viral

Run an online antivirus check from at least one and preferably 2 of the following sites.... click below

Housecall
Panda scan
RAV



let me know how it goes
Lobos is offline   Reply With Quote
Old 06-05-2004, 02:58 AM   #3
Resident AMD enthusiast
 
Colonel Sanders's Avatar
 
Join Date: Jul 2001
Location: Kansas
Posts: 1,445
I recommend getting AVG anti-virus, Ad-Aware and Spybot S & D.

As a last attempt, dig out your Windows CD and replace the .dlls from the files on the CD. Afterwards, run Windows Update in case said .dlls were modified in an update.

L J
__________________
Main: Gigabyte GA-770T USB3 - Phenom II 840 - 4GB DDR3 - Radeon 5750 1GB
HTPC: MSI K9N6PGM2-V2 - Athlon II 250 - 4GB DDR2 - Radeon 5670 512MB
HTPC: Zotac GeForce 6100E-E - Athlon X2 5800+ - 4GB DDR2

"Play a Windows CD backwards and you'll hear satanic voices, thats nothing, play it forwards and it installs Windows."
Colonel Sanders is offline   Reply With Quote
Old 06-05-2004, 03:38 AM   #4
Member (8 bit)
 
jonro's Avatar
 
Join Date: May 2004
Location: Sydney, Australia
Posts: 152
Hi Lobos, here are the results of my Panda scan.
I'm still going to use another one,
just thought I'd post this quickly.




Incident Status Location

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\johno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\playup.jar-2b3bfa6d-2dcb5942.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\johno\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\playup.jar-2b3bfa6d-2dcb5942.zip[Dummy.class]
Virus:Trj/Downloader.FI Disinfected C:\WINDOWS\sb.exe
Virus:Trj/Downloader.FA Disinfected C:\WINDOWS\system32\aud-cnet9.exe
Virus:Trj/Downloader.FA Disinfected C:\WINDOWS\system32\iiwvxfj.exe
Virus:Trj/Downloader.FI Disinfected C:\WINDOWS\tnmng.exe

THANKS
jonro is offline   Reply With Quote
Old 06-05-2004, 04:44 AM   #5
Member (8 bit)
 
jonro's Avatar
 
Join Date: May 2004
Location: Sydney, Australia
Posts: 152
Here's the RAV scan; it's got me confused



Scan started at 5/06/2004 7:03:31 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\johno\Application Data\hmol.exe->(UPXW)->(EXEEmb) - Clicker:Win32/BuddyLinks.A -> Infected
C:\Documents and Settings\johno\My Documents\hijackthis.log - Exploit:HTML/MhtRedir.gen* -> Infected
C:\Program Files\IncrediFind\BHO\IncFindBHO.dll - TrojanDownloader:Win32/Small.BX -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP1\A0000005.exe - TrojanDownloader:Win32/Small -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP1\A0000008.exe - TrojanDownloader:Win32/Small -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP5\A0000329.exe - PWS:Win32/Briss -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP5\A0000330.exe - PWS:Win32/Briss -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP5\A0000331.exe - PWS:Win32/Briss -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP5\A0000333.exe - TrojanDownloader:Win32/Small -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP5\A0000334.exe - TrojanDownloader:Win32/Small.FO -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP6\A0001546.exe - TrojanDownloader:Win32/Small -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP8\A0002206.exe - TrojanProxy/Win32.Agent.AD -> Infected
C:\WINDOWS\system32\appsys.exe - TrojanDownloader:Win32/Delf.AU -> Infected
D:\2 - Exploit:HTML/MhtRedir.gen* -> Infected
D:\hijackthis.log - Exploit:HTML/MhtRedir.gen* -> Infected

Scanned
============================
Objects: 72142
Directories: 4487
Archives: 948
Size(Kb): 785030
Infected files: 15

Found
============================
Viruses found: 9
Suspicious files: 0
Disinfected files: 0
Mail files: 149

THANKS
jonro is offline   Reply With Quote
Old 06-05-2004, 04:51 AM   #6
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
These, don't worry about; as long as you don't restore your computer to a previous point, your computer is safe from them.

C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP1\A0000005.exe - TrojanDownloader:Win32/Small -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP1\A0000008.exe - TrojanDownloader:Win32/Small -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP5\A0000329.exe - PWS:Win32/Briss -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP5\A0000330.exe - PWS:Win32/Briss -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP5\A0000331.exe - PWS:Win32/Briss -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP5\A0000333.exe - TrojanDownloader:Win32/Small -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP5\A0000334.exe - TrojanDownloader:Win32/Small.FO -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP6\A0001546.exe - TrojanDownloader:Win32/Small -> Infected
C:\System Volume Information\_restore{88C20D3F-8B57-4D07-B9CB-41D7D5E61AAA}\RP8\A0002206.exe - TrojanProxy/Win32.Agent.AD -> Infected



Now to try and clean you up.

Do you have an AV?
Lobos is offline   Reply With Quote
Old 06-05-2004, 04:54 AM   #7
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
Can you give me your HJT log again?
Lobos is offline   Reply With Quote
Old 06-05-2004, 05:12 AM   #8
Member (8 bit)
 
jonro's Avatar
 
Join Date: May 2004
Location: Sydney, Australia
Posts: 152
I don't have HijackThis on my computer anymore, so I did a search on Yahoo and couldn't access the download site???
jonro is offline   Reply With Quote
Old 06-05-2004, 05:15 AM   #9
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
First, create a folder for HijackThis in the root folder of your hard drive

example

C:/HJT
C:/hijackthis

and put hijack this into that folder


Click here to download Hijack This. Save it to its own folder you have just created.
Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.

DO NOT FIX ANYTHING YET , most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.
Lobos is offline   Reply With Quote
Old 06-05-2004, 05:35 AM   #10
Member (8 bit)
 
jonro's Avatar
 
Join Date: May 2004
Location: Sydney, Australia
Posts: 152
Thanks Lobos for all your help.
Here's my HijackThis log



Logfile of HijackThis v1.97.7
Scan saved at 8:31:07 PM, on 5/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\avast4\aswUpdSv.exe
d:\avast4\ashServ.exe
d:\antivir\AVWUPSRV.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\PROGRA~1\MediaKey\MMKeybd.EXE
C:\PROGRA~1\MediaKey\MMKeybd.EXE
D:\avast4\ashDisp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\avast4\ashmaisv.exe
D:\zonealarm\zlclient.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\INTERN~3\inetmgr.exe
D:\winamp5.0\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\NetMeter\NetMeter.exe
D:\imesh\iMeshClient.exe
C:\PROGRA~1\INTERN~3\inetsvc.exe
D:\hylackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.5/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\cokhmaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.225.176.5/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cokhmaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.5/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.5/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.5/ie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
R3 - Default URLSearchHook is missing
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - (no file)
O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINDOWS\System32\wm41a398.dll
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - (no file)
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~3\inetkw.dll
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msmk.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
O4 - HKLM\..\Run: [MediaKey] C:\PROGRA~1\MediaKey\MMKeybd.EXE
O4 - HKLM\..\Run: [avast!] d:\avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] d:\avast4\ashmaisv.exe
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKLM\..\Run: [Zone Labs Client] "d:\zonealarm\zlclient.exe"
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~3\inetmgr.exe
O4 - HKLM\..\Run: [WinampAgent] d:\winamp5.0\winampa.exe
O4 - HKLM\..\Run: [THGuard] "D:\trojanhunter2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: iMesh.lnk = D:\imesh\iMeshClient.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potd_x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26fee675...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://vscan.exp.net/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...133.3101736111
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

THANKS
jonro is offline   Reply With Quote
Old 06-05-2004, 06:52 AM   #11
Member (10 bit)
 
Join Date: Mar 2004
Location: California
Posts: 936
Wow, you have a lot of adware/spyware on your computer, iMesh being one of them

Uninstall through your control panel add/remove programs

imesh

NetMeter.exe

QuickSearch
--------------------------------------------------------------------------

Click here to download CWShredder by Merijn Bellekom, the creator of Hijack This

Run it, press 'Fix', and allow it to fix all it finds.
And remember to click "Fix" (Not "Scan only")
Reboot

Run HijackThis, put a check next to these, close all browsers and hit fix

Make sure not to miss one

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.5/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\cokhmaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\cokhmaa.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://195.225.176.5/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.225.176.5/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://195.225.176.5/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://195.225.176.5/ie

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/

R3 - Default URLSearchHook is missing

O1 - Hosts: 3466709097 sitefinder.verisign.com

O1 - Hosts: 3466709097 sitefinder-idn.verisign.com

O1 - Hosts: 3466709097 www.your.com your.com

O1 - Hosts: 3466690378 ad.doubleclick.net

O1 - Hosts: 3466690378 view.atdmt.com

O1 - Hosts: 3466690378 click.atdmt.com

O1 - Hosts: 3466690378 leader.linkexchange.com

O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - (no file)

O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINDOWS\System32\wm41a398.dll

O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - (no file)

O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~3\inetkw.dll

O2 - BHO: (no name) - {98DBBF16-CA43-4c33-BE80-99E6694468A4} - C:\WINDOWS\System32\msmk.dll (file missing)

O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll

O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32

O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32

O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32

O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~3\inetmgr.exe

O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe

O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe

O4 - Startup: iMesh.lnk = D:\imesh\iMeshClient.exe

O4 - Startup: PowerReg Scheduler.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26fee67...ip/RdxIE601.cab

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
-----------------------------------------------------------------------------------------------------------------------------------

Open My Computer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders".
Click "Apply" then "OK".

We will turn it back on once you're clean. This will clear out some of the infected files in your System Restore.

1: Right click on the My Computer icon on your desktop and select properties.
2: Click on the system restore tab.
3: Check the box that says "Turn off system restore on all drives". Click OK.
4: Click Yes when you are prompted to restart the computer

reboot into safe mode
How to boot into safe mode

delete what is in bold

these folders

D:\imesh

C:\Program Files\NetMeter

C:\PROGRA~1\INTERN~3

C:\Program Files\Common files\updater

C:\Program Files\QuickSearch

C:\Program Files\IncrediFind\

these files

C:\Documents and Settings\johno\Application Data\hmol.exe

C:\Documents and Settings\johno\My Documents\hijackthis.log

C:\WINDOWS\system32\appsys.exe

C:\WINDOWS\System32\wm41a398.dll

C:\WINDOWS\System32\readdb40.dll

C:\WINDOWS\System32\iel2cde8.dll

c:\windows\winlogon.exe (do not delete the one in your system folder)

C:\WINDOWS\System32\li01f948.dll

then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it

as XP will not let you delete files less than 24 hours old as it thinks it might need them please also do this
while in the temp folder, select view and select details.
then right click a blank part and select arrange icons by, and select show in groups and modified, that will give a list of all files in date order with today at the top of the page.
select all the files/folders except the today ones and delete them all.

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive


clear out your trash bin

Now run your AV while you're in safe mode and clean anything it finds
then

Reboot normally &

come back and post a fresh log


Lobos

Last edited by Lobos; 06-05-2004 at 06:56 AM.
Lobos is offline   Reply With Quote
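
An added example, not part of any post in this thread: a short Python triage of the HijackThis log from post #10. It matches the `rundll32.exe` Run entries against the DLL names in the startup errors from post #1 and decodes the integer-form addresses on the `O1 - Hosts` lines; the function names are illustrative, and the embedded log lines are copied from the thread.

```python
import ipaddress
import ntpath
import re

# Excerpt of the HijackThis log in post #10 (lines copied from the thread).
LOG = r"""
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466690378 ad.doubleclick.net
O4 - HKLM\..\Run: [avast!] d:\avast4\ashDisp.exe
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINDOWS\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINDOWS\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\System32\readdb40.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINDOWS\System32\wm41a398.dll,EnableRunDLL32
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
"""

# DLLs named in the "error loading" dialogs in post #1.
ERROR_DLLS = [
    r"c:\WINDOWS\system32\li01f948.dll",
    r"c:\WINDOWS\system32\readdb40.dll",
    r"c:\WINDOWS\system32\iel2cde8.dll",
]

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(.+?),(\S+)$", re.IGNORECASE)
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (.+)$")


def run_entries(log):
    """Yield (hive, value_name, command) for each O4 Run-key line."""
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            yield m.groups()


def rundll32_autoruns(log):
    """Map lower-cased DLL file name -> (hive, value_name, export)."""
    found = {}
    for hive, name, cmd in run_entries(log):
        m = RUNDLL_RE.match(cmd)
        if m:
            dll, export = m.groups()
            found[ntpath.basename(dll).lower()] = (hive, name, export)
    return found


def correlate(log, error_paths):
    """Split rundll32 autoruns into those named in startup errors and the rest."""
    autoruns = rundll32_autoruns(log)
    reported = {ntpath.basename(p).lower() for p in error_paths}
    in_errors = sorted(d for d in autoruns if d in reported)
    no_error = sorted(d for d in autoruns if d not in reported)
    return in_errors, no_error


def hosts_redirects(log):
    """Decode O1 entries; the address may be written as a plain 32-bit integer."""
    out = []
    for line in log.splitlines():
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        addr, names = m.groups()
        ip = ipaddress.IPv4Address(int(addr) if addr.isdigit() else addr)
        out.append((str(ip), names.split()))
    return out


if __name__ == "__main__":
    in_errors, no_error = correlate(LOG, ERROR_DLLS)
    print("Run entries whose DLL is named in a startup error:", in_errors)
    print("Run entries with no error reported:", no_error)
    for ip, names in hosts_redirects(LOG):
        print(f"hosts: {', '.join(names)} -> {ip}")
```

The three DLLs from the error dialogs each have a Run entry, which is why the "module could not be found" message appears at every logon until those entries are fixed; the fourth entry, `wm41a398.dll`, raises no error and is also registered as a BHO in the same log.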
Old 06-05-2004, 08:18 AM   #12
Member (8 bit)
 
jonro's Avatar
 
Join Date: May 2004
Location: Sydney, Australia
Posts: 152
Lobos

As much as I appreciate your help and it is nothing pointed towards u. The last time I did this I got to the part where I removed similar files with HijackThis (I don't know but I could have removed a wrong file somewhere) and after rebooting could not connect to the internet. (If u remember, that's why I didn't get back to u.) As it turns out I had to get a technician in to reinstall Windows as I don't have a copy of the installation discs myself. So it cost me a dime and I don't have the money to do it again. As much as I want to do this I'm too scared to. But I did run CWShredder and removed iMesh. So if there's anything else I could do please help me.

Once again THANK YOU GREATLY for all your help and support

PS. I'm saving my dime to buy a copy of Windows for the future
jonro is offline   Reply With Quote
All times are GMT -5.