noahdfear

Trusted Malware Techs
Posts posted by noahdfear


  1. I think you'll find your drivers here;

     

    http://www.esstech.com/techsupp/drivers.shtm

     

    listed under PCI AudioDrive (check device manager to make sure you don't have the Audio/Modem combo first! Those drivers are farther down the page.). Get the drivers for both the Allegro 1988 and 1989 for 98SE. Extract one to a folder, open and run setup.exe. Follow any instructions if given.

    Reboot and see if the exclamation point is gone. If not, right click and remove the ESS AllegroX MPU-401 Compatible from device manager and reboot. It should re-install with the new drivers. If still present, or your sound doesn't work right, try the second file.

     

    When you get an IE error, there should be a 'details' button or similar that will show some sort of error information. Try to get that and let me know what it is, e.g. illegal function in mshtml.dll or similar, maybe a random string of numbers that don't seem to mean much, stop code.

     

    I've got a feeling your printer may have gone south. Can you possibly borrow another to try, or try yours on another computer? I wouldn't think that the ink would be a problem, but have you pulled the cartridges and cleaned the heads with a soft, lint-free cloth? Try new cartridges?


  2. Well, I see nothing bad in the startup log. Please delete the SIXA connection again and let me know if it returns after reboot.

     

    I would also like you to do a file search for the following and let me know what comes up.

     

    sixa.*

    *sixa.*

    sixa*.*

     

    I do recommend disconnecting from the internet while gone, and I would physically unplug the cable from the comp until we know what this extra connection is, if it returns.


  3. Forgot to add, please create srvchk.bat from the text in the quote box below, save to the desktop and run it, then post the log.

     

    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_zkyethubfgtl" /s >>servchk.txt

     

    reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_zkyethubfgtl" /s >>servchk.txt

     

    reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zkyethubfgtl" /s >>servchk.txt

     

    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zkyethubfgtl" /s >>servchk.txt

     

    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_whatnibk6" /s >>servchk.txt

     

    reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_whatnibk6" /s >>servchk.txt

     

    reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\whatnibk6" /s >>servchk.txt

     

    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\whatnibk6" /s >>servchk.txt

     

    start notepad servchk.txt

     

    cls


  4. The wininet was infected by one of the smitfraud variants. The Bloodhound.W32.EP notice is Norton's way of saying its heuristic scanning has detected an unknown virus. It may well be the wininet.dll it's flagging.

     

    Copy the bold text below to notepad on two lines, just as it appears.

     

    dir %Systemdrive%\wininet.dll /a /s > files.txt

    start notepad files.txt

     

    Close, saving it to your desktop as:

     

    Filename: wininet.bat

    Save as type: All Files

     

    Double click to run. It will open files.txt and place a copy on the desktop. Please post the contents.

     

    Then go to Windows Update and install Service Pack 2. It contains an updated wininet.dll and should replace the infected one. When done and rebooted, delete the files.txt and run the wininet.bat again, then post the new log. We'll continue with some other scans when done.

     

    Is there a file in C:\Windows\system32 named Bloodhound.W32.EP?


  5. Download and run Everest to identify the Sound card. There may be a link provided to update drivers. If so, try to locate and download the latest. Look for installation instructions. You will likely need to extract/install them, then open the device manager and right click>remove the ESS device with the yellow exclamation point, then close and reboot. It should find new hardware and the new drivers and re-install them upon startup. If no luck, let us know what you find.

     

    Everest Home Edition http://www.lavalys.com/index.php?page=product&view=1

     

    Check for driver updates for the printer too, from the manufacturer's website. Does it print a test page OK?

     

    Are these the only problems remaining?


  6. Can you left click and drag to highlight the instructions, then press Ctrl+C to copy, open notepad and press Ctrl+V to paste, then close and save? I would also be happy to email the instructions, then you can save the email to the desktop or wherever you want with easy access in safe mode. The downloads should remain on the desktop. Double click the zip file to begin extraction. Just add Panda ActiveScan to your Favorites and you can access it from the start menu. If still unable to right click and install the DelDomains.inf in safe mode, try again after running all the fixes.


  7. Save these instructions to text where you can access them in safe mode.

     

    Please download the attached smitRem.zip file, saving it to your desktop. Right click the file and extract it to its own folder on the desktop.

     

    Check for updates to Spybot.

    If you don't have Ad-aware 1.06 installed, please install it and check for updates.

     

    http://www.lavasoft.de/support/download/

     

     

    Place a shortcut to Panda Activescan on your desktop.

     

    Download the DelDomains.inf file to your desktop.

     

    Please download the trial version of ewido security suite. Install ewido security suite and start the program from the icon on your desktop, then check for and download updates. Close for now.

     

    Either reboot and repeatedly tap F8 to enable the start menu then select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Logon to your user account.

     

     

    Scan again with HijackThis, place a check next to the following entries, close all other windows and click fix.

     

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...count_id=135343

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.190.135/?to=FED&from=start_pa...ype=start_page2

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R3 - Default URLSearchHook is missing

    F2 - REG:system.ini: Shell=Explorer.exe init32ym.exe

    F3 - REG:win.ini: load=??? ??? ??? ? ? ?????

    F3 - REG:win.ini: run= ??? ??? ??? ? ? ????? ??? ??? ??? ? ? ?????

    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll

    O2 - BHO: (no name) - {77D457C5-0134-306F-8350-0D79EAE4EF7B} - C:\WINDOWS\System32\eoildwym.dll (file missing)

    O2 - BHO: (no name) - {B81D988D-272A-421C-DC4C-5EE3D3A2A531} - C:\WINDOWS\System32\icxkqcms.dll (file missing)

    O2 - BHO: (no name) - {DDF27077-9175-A5E5-D8C8-971171B04D33} - C:\WINDOWS\System32\vtvzshmi.dll (file missing)

    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - (no file)

    O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

    O4 - HKLM\..\Run: [sys201] C:\WINDOWS\System32\sys209.exe

    O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

    O4 - HKLM\..\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbarcm.dll"

    O4 - HKCU\..\Run: [ZeroAds] 0

    O4 - HKCU\..\Run: [Monopoly3.exe] C:\DOWNLO~1\MONOPO~1.EXE /r

    O4 - HKCU\..\Run: [Ghohl] C:\WINDOWS\System32\m?iexec.exe

    O15 - Trusted Zone: *.05p.com (HKLM)

    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

    O15 - Trusted Zone: *.scoobidoo.com (HKLM)

    O15 - Trusted IP range: 206.161.125.149

    O15 - Trusted IP range: 206.161.124.130 (HKLM)

    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

    O23 - Service: zkyethubfgtl (whatnibk6) - Unknown owner - C:\WINDOWS\System32\betdlisg6.exe

     

    After clicking fix and before closing HijackThis, click the config button, then the Delete an NT Service button. Paste or type in whatnibk6 then click OK. Do NOT allow a reboot! Close HijackThis.

     

     

    Click start>run and type cmd to open a command prompt window. Open these saved instructions and copy the first command below, then paste it in the command window and click OK. Then do the others one at a time. Close the command window when done.

     

    attrib -h -r -s c:\windows\system32\init32ym.exe

     

    del c:\windows\system32\init32ym.exe

     

    attrib -h -r -s c:\windows\system32\m?iexec.exe

     

    del c:\windows\system32\m?iexec.exe

     

    attrib -h -r -s c:\windows\system32\betdlisg6.exe

     

    del c:\windows\system32\betdlisg6.exe

     

    attrib -h -r -s c:\windows\system32\sys209.exe

     

    del c:\windows\system32\sys209.exe

     

    attrib -h -r -s c:\windows\sys2*.exe

     

    del c:\windows\sys2*.exe

     

    attrib -h -r -s c:\windows\sys5*.exe

     

    del c:\windows\sys5*.exe

     

     

    Delete the folder Internet Optimizer in C:\Program Files

     

     

    Right-click on the deldomains.inf file and select Install.

     

    Open the control panel, then the Java Plug-in. Click the cache tab then clear. Click OK and close the Java console.

     

     

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

    Wait for the tool to complete and disk cleanup to finish.

     

     

    Open Spybot and run a scan. Fix all it finds.

    Run Ad-aware in full scan mode. Fix all it finds.

     

     

    Open Ewido Security Suite

    • Click on scanner
    • Make sure the following boxes are checked before scanning:
      • Binder
      • Crypter
      • Archives
    • Click on Start Scan
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files, click OK

     

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report

    • Click Save report
    • Save the report to your desktop
    In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info" if present.

     

    Reboot back into Windows and click the Panda Activescan shortcut, then do a full system scan. Make sure the autoclean box is checked! Save the scan log.

     

    Open Add/Remove programs in the control panel, then uninstall Java Runtime Environment (JRE). Go to the Sun Java Website and update your JRE. Current is 1.4.2_08

     

     

    Post the ActiveScan log, the Ewido log and a new HijackThis log. Let us know if any problems persist.
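
    The two procedures above (the srvchk.bat registry queries in post 3 and the HijackThis fix list plus attrib/del clean-up in post 7) are the kind of thing a helper does by hand, line by line. Below is an added example, written for this page and not code from the thread or from HijackThis, that parses HijackThis log lines into records, flags the entries that carry a structural warning sign (an orphaned BHO, a Shell= line launching a second program, a start page pointing at a bare IP, Trusted Zone additions, a service with no publisher, a file name HijackThis could not display), and emits the same kind of cmd.exe clean-up commands the thread uses. The sample lines are copied from the fix list in post 7; the flagging rules are my own heuristics and deliberately catch only what the log itself reveals, so an entry such as sys209.exe is left to a human. One caveat the example enforces: in `m?iexec.exe` the `?` stands for a character HijackThis cannot print, and to `del` it is a one-character wildcard, so `del c:\windows\system32\m?iexec.exe` would also match the genuine msiexec.exe in that folder; the plan refuses to emit a wildcard delete for such a name.

    ```python
    """Parse HijackThis log lines, flag the entries a removal helper would tell
    the user to fix, and turn the flagged file and service entries into cmd.exe
    commands in the style the thread uses (attrib/del, reg query on a service).
    Added example: not code from the thread, not part of HijackThis."""
    import re
    from dataclasses import dataclass, field
    from typing import List, Optional

    # Constructed sample input: a subset of the fix list quoted in post 7.
    SAMPLE_LOG = r"""
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.190.135/?to=FED
    F2 - REG:system.ini: Shell=Explorer.exe init32ym.exe
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
    O2 - BHO: (no name) - {77D457C5-0134-306F-8350-0D79EAE4EF7B} - C:\WINDOWS\System32\eoildwym.dll (file missing)
    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [sys201] C:\WINDOWS\System32\sys209.exe
    O4 - HKCU\..\Run: [Ghohl] C:\WINDOWS\System32\m?iexec.exe
    O15 - Trusted Zone: *.05p.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O23 - Service: zkyethubfgtl (whatnibk6) - Unknown owner - C:\WINDOWS\System32\betdlisg6.exe
    """

    LINE_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
    # Drive path ending in exe/dll/inf. "?" is allowed in the name because
    # HijackThis prints characters it cannot display that way.
    PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|inf)(?=["\s]|$)', re.I)
    SERVICE_RE = re.compile(r"^Service:\s+(.+?)\s+\((\S+)\)\s+-\s+(.+?)\s+-\s+")
    IP_URL_RE = re.compile(r"=\s*https?://\d{1,3}(?:\.\d{1,3}){3}\b")


    @dataclass
    class Entry:
        section: str                    # R0, R1, F2, O2, O4, O15, O23, ...
        text: str                       # everything after "Oxx - "
        path: Optional[str] = None      # file the entry points at, if any
        service: Optional[str] = None   # short service name from an O23 line
        reasons: List[str] = field(default_factory=list)  # empty = no structural signal


    def parse_line(line: str) -> Optional[Entry]:
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        section, text = m.groups()
        e = Entry(section, text)
        p = PATH_RE.search(text)
        if p:
            e.path = p.group(0)
        if "(file missing)" in text or "(no file)" in text:
            e.reasons.append("registry entry points at a file that no longer exists")
        if section == "F2" and "Shell=" in text:
            extra = text.split("Shell=", 1)[1].split()[1:]   # anything after Explorer.exe
            if extra:
                e.reasons.append(f"shell line also launches {' '.join(extra)}")
        if section.startswith("R") and IP_URL_RE.search(text):
            e.reasons.append("browser start/search page set to a bare IP address")
        if section == "O15":
            e.reasons.append("host or IP added to the Trusted zone")
        if section == "O23":
            s = SERVICE_RE.match(text)
            if s:
                _display, service, owner = s.groups()
                e.service = service
                if owner == "Unknown owner":
                    e.reasons.append(f"service {service} has no publisher")
        if e.path and "?" in e.path.rsplit("\\", 1)[-1]:
            e.reasons.append("file name holds an undisplayable character (look-alike of a system binary)")
        return e


    def analyze(log: str) -> List[Entry]:
        return [e for e in (parse_line(l) for l in log.splitlines()) if e]


    def cleanup_plan(entries: List[Entry]) -> List[str]:
        """cmd.exe commands for the flagged entries, in the same form the thread uses."""
        cmds: List[str] = []
        for e in entries:
            if not e.reasons:
                continue
            if e.service:   # the same four queries post 3 runs, for the short service name
                for cs in ("CurrentControlSet", "ControlSet001"):
                    cmds.append(f'reg query "HKLM\\SYSTEM\\{cs}\\Services\\{e.service}" /s')
                    cmds.append(f'reg query "HKLM\\SYSTEM\\{cs}\\Enum\\Root\\LEGACY_{e.service.upper()}" /s')
            if not e.path or "(file missing)" in e.text or "(no file)" in e.text:
                continue
            if "?" in e.path.rsplit("\\", 1)[-1]:
                # "?" is a single-character wildcard to del, so del ...\m?iexec.exe
                # would also remove the genuine msiexec.exe in the same folder.
                cmds.append(f"REM {e.path}: delete by hand; a wildcard del would also match msiexec.exe")
            else:
                cmds.append(f"attrib -h -r -s {e.path}")
                cmds.append(f"del {e.path}")
        return cmds


    if __name__ == "__main__":
        found = analyze(SAMPLE_LOG)
        for e in found:
            print(f"{e.section:<4}{'; '.join(e.reasons) or 'no structural signal, needs a human'}")
        print("\n".join(cleanup_plan(found)))
    ```

    Run it as is to see the flagged entries and the generated commands; feed it a real log by replacing SAMPLE_LOG with the file contents. The plan is meant to be read by the helper before anything is pasted into a command window, which is why a look-alike name produces a REM line rather than a del.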


  8. Download "Registry Search Tool" (RegSrch.vbs) from here

    http://www.billsway.com/vbspage/

    start it and type in SIXA, wait for it to complete the search, click ok at the prompt. Then when wordpad opens, copy that back here please.

     

     

    Open HijackThis to the misc tools section, check the boxes next to Generate a startup list, then click the button. Post the contents. (would you mind editing your last name out please ;) )

     

     

    Please download and run F-Secure Blacklight <<link and let us know the results.

     

    Did you scan wininet.dll?

     

    Click Start>run and type cmd to open a command window. Copy and paste the following commands onto the command line, one at a time, hitting enter after each.

     

    attrib -h -r -s C:\WINDOWS\Downlo~1\f3initialsetup*

     

    del C:\WINDOWS\Downlo~1\f3initialsetup*

     

    attrib -h -r -s C:\WINDOWS\inf\conscorr.inf

     

    del C:\WINDOWS\inf\conscorr.inf


  9. Hi darkeyes!

     

    I've been through the log and nothing bad jumps out at me, other than Kazaa. Is it still installed? If it is, I strongly recommend you uninstall it. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. If you opt to remove it, first use Add/Remove Programs to remove it and any reference to Altnet and P2P Networking. Go to your control panel, then to add/remove programs...uninstall P2P networking...If/when asked whether you also want to remove Altnet components, say 'Yes'.

    P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns. You may also want to run KazaaBegone to completely purge it from the system. Make sure to get the available LSPFix, and run it if you're unable to get an internet connection when done.

     

    Reboot to safe mode. Search for and delete all folders named Symantec, Norton and Live Update. Delete the Kazaa and Altnet folders in C:\Program Files if present. Search for a folder named p2pnetworking (should be C:\Windows\system) and delete if found.

     

    From any open Window within My Computer, select tools from the menu, then folder options. Click the view tab. Scroll down and check the boxes to show hidden files and folders as well as system files. Click Apply then OK.

     

    Open C:\Temp (if present), select all and delete.

    Open C:\Windows\Temp, select all and delete.

    Open C:\Windows\Applog, select all and delete.

    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.

     

    Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all boxes and click OK.

     

    Make sure your recycle bin is empty.

     

    Use RegSeeker again to clean the registry.

     

    Reboot back into Windows.

     

    If still having trouble with IE, close all programs and see if Internet Explorer is listed in Add/Remove programs, then click to remove. You should be offered to repair it. Do so. If not listed, check at Start>programs>accessories>system tools> system information. Click Tools on the menu, then Internet Explorer repair tool. If neither of the above help, click Start>run and paste the following command, then hit enter.

     

    rundll32 setupwbv.dll,IE6Maintenance "C:\Program Files\Internet Explorer\Setup\SETUP.EXE" /g "C:\WINDOWS\IE Uninstall Log.Txt"

     

    Give us an update of what's going on after doing the above. If still receiving errors, please give details. ;)


  10. Are things working properly again?

     

    Please use this online malware scanner <<link to check the file wininet.dll located in C:\Windows\system32 and post the results.

     

    I recommend you download the stand-alone CWShredder 2.15 from here <<link. Save it to the desktop. Close all other windows, open CWShredder and click fix.

     

    Run HijackThis and fix the following entry.

     

    O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe

     

     

    Reboot to safe mode.

    Delete the following files and folders in bold.

     

    C:\Program Files\Daily Weather Forecast

    C:\WINDOWS\Downloaded Program Files\f3initialsetup*

    C:\WINDOWS\inf\conscorr.inf

     

    Open the Favorites folder and delete all of the Adware/CWS shortcuts shown in the ActiveScan log if present.

     

    Open the Control Panel, then the Java Plug-in. Click the cache tab, then clear.

     

    Open My Computer, right click Local Disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

     

     

    Reboot and post another HijackThis log.


  11. Please download the attached smitRem.zip file, saving it to your desktop. Right click the file and extract it to its own folder on the desktop.

     

    Place a shortcut to Panda Activescan on your desktop.

     

    Please download the trial version of ewido security suite. Install ewido security suite and start the program from the icon on your desktop, then check for and download updates. Close for now.

     

    Reboot to safe mode and logon to your user account. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

     

    Open Ewido Security Suite

    • Click on scanner
    • Make sure the following boxes are checked before scanning:
      • Binder
      • Crypter
      • Archives
    • Click on Start Scan
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files, click OK

     

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report

    • Click Save report
    • Save the report to your desktop
    In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info" if present.

     

    Reboot back into Windows and click the Panda Activescan shortcut, then do a full system scan. Make sure the autoclean box is checked! Save the scan log and post it along with a new HijackThis log and the Ewido log. Let us know if any problems persist.


  12. Feel free to PM a moderator or Administrator with a request to have it removed, but I wouldn't count on it happening. It's not at all uncommon for it to happen, nor is it a security risk for you. As a general rule, every thread here may help someone else, therefore removing them isn't practiced. Google also keeps a cached page so removing the thread won't remove the Google hit, or the information there.


  13. When installed, Sun Java adds an autoupdate entry into the registry's run key, so that it starts every time you start the computer. This is supposed to check for and notify you of updates. Unfortunately, in past versions it hasn't worked well, nor did the update feature in the Plug-in. I'm hoping they have improved on that in the latest version. I do recommend checking in from time to time just to be sure. Keep that cache clean too! ;)

     

    Unfortunately, I can't kill Google for you. :mrsgreen: I did however, go through this thread and edit your last name from all the posts where it was shown. It shows up that way because your username on your computer is your full name and that shows in many places scanned by some of the tools we have used. It won't make a lot of difference having edited those posts, but it will make some. That result will eventually get buried in the many pages of results. I'm sure if someone were to look through the 11,600 results on the Google search, they'd find you in there elsewhere too. Many, if not most, adults' names can be found in a Google search these days. Gotta love the internet! :rolleyes:

     

    You should be in good shape now. I do recommend you consider using a third party firewall. The Windows XP firewall really doesn't provide adequate protection. Some popular freebies can be found here.

     

    http://www.webattack.com/freeware/security/fwfirewall.html

     

    Zone Alarm, Sygate and Kerio are among the most popular and recommended.

     

    Happy to help! :)


  14. No need to scan anymore at this time. Instead, open the RegSeeker folder, then backup folder and locate one of the latest scan files. Right click and choose edit. Copy what is there and post that.

     

    Go ahead and run MWAV again and see if you can post the log. If not, send me the log file.


  15. Very happy to have helped. :)

     

    I'm assuming you are letting them on one of the accounts, which has admin rights. You could instead create another account for them with limited user rights, then password protect it (don't tell them the password). You could also place a BIOS password on it, which will stop anyone from getting beyond a prompt for a password every time the computer is turned on.


  16. I'm going to recommend Power Archiver, mostly because I like it better, partly because WinZip is an evaluation version and prompts you to buy every time you use it. ;)

     

    Download Power Archiver version 611 here. (it's the last free version)

     

    http://www.oldversion.com/program.php?n=powarc

     

    Install it (no need to run it), then right click the Regseeker file wherever you saved it (a convenient location is best....move it if you want) and select Extract here. You will be prompted to associate zip files, and probably others. Say yes.

     

    You're most welcome. :)
