One Last Time, Ruby...

[Futterman]

I already posted the CheckError program message.

Original Path = C:\WINDOWS\DESKTOP\CHECKERROR\
Local File Name = C:\clean.bat

I also installed the program in the actual ETR folder, so the "Original Path" also appears as "C:\ETR" depending where I run it from.

In Safe mode, though, I do not even get to the MS-DOS window (in either program) as a message telling me that C:\clean.bat is missing appears. I attached an image of the CheckError MS-DOS window in Normal Mode in reply #17


I just ran ETR in Normal Mode, and the MS-DOS window works. Nothing has improved, but I attached a screenshot.


Thanks,
Brian

[SimplyTech]

In Safe mode, though, I do not even get to the MS-DOS window (in either program) as a message telling me that C:\clean.bat is missing appears. I attached an image of the CheckError MS-DOS window in Normal Mode in reply #17

Hi Brian!

I was interested in the message given when the CheckError ran in Safe Mode, I didn't understood that also the CheckError crashed totally.

Can you please do a new test?

I need you to download a new version of the CheckError program from here:

http://www.simplytech.it/ETRemover/CheckError.zip

You will find 3 button this time. Please do the test only in Safe Mode and test both the button 2 either the button 3.

I need the content of the textbox during the two tests or simply some new screenshot.

Thanks in advance,

all the best,

Giancarlo

[Futterman]

I ran this new program in safe mode, and here's the log after pressing just buttons 2 and 3:

Original Path = C:\WINDOWS\DESKTOP\CHECKERROR\
Local File Name = C:\clean.bat
Button 3
Local File Name = C:\clean.bat

MS-DOS still does't work. Should I try again in normal mode?

I've also attached a screenshot of a message that has always been popping up in safe mode whenever CheckError or ETR would try to open an MS-DOS window. It comes up right before the message telling me that it cannot find C:\clean.bat.


Brian

[SimplyTech]

Should I try again in normal mode?

Hi Brian and thanks for the new tests.

Acting in Normal Mode is useless now and there's nothing else to do at this point. I'm finishing the developing of the 2.x.x series and we will forget any Dos box windows with that new program.

Please be patient some other days,

all the best,

Giancarlo

[Futterman]

Ok, Giancarlo, thanks so far. I hope I was able to help you develop Version 2.x.x...when you release it, please post it here.

Brian

[Ruby]

Hi Futterman - Hello SimplyTech

When you both have finished your examinations I would like to go on with the system of Futterman. May I please see one more HijackThis Logfile?

Thanks.

[Futterman]

Hi Ruby,

Here's a new HJT log:

Code:

Logfile of HijackThis v1.99.1
Scan saved at 5:28:01 PM, on 6/2/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACRORD32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.airliners.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: Fizzlebar.clsFwBar - {9056A11F-5EA6-4A67-BDE9-8D3C7C453DAC} - C:\SYSFWB\7353215471\IEFWBAR.DLL
O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINDOWS\SYSTEM\REPLACESEARCH.DLL
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [WMPLAYER] C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\RunServices: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab

Brian

[Ruby]

Well @ Brian

I know you like gathering malware.
Every time you come here you run a new kind of malware.
And you also like to take part in Browser Hijackings.
I don't know why this is so....
Perhaps you should not visit permanently the wrong websites.

Ok, let's go on.

You will want to copy the text from this post and save it as a text file
(*.txt) or print it because you will be working offline (in safemode) to resolve
your problem and not have access to this forum.

Follow these STEPS.

STEP 1
You must turn off System Restore during this process.
You will keep it off until we are done fixing your system.

STEP 2
Download a Trial Version of Ewido.
Update it online.

STEP 3
Now turn off your computer and remove the network cable/phone line from your machine.
Reboot your computer in Safe Mode

STEP 4
Scan whole your system by ewido.
Save the logfile.

STEP 5
Reconnect your network cable/phone line
Reboot your system into normal mode.

Post the Ewido Logfile.

[Futterman]

Haha, I figure I'll do my best to keep you busy.

Looking at the Ewido download page, it says it was developed for Windows 2000 and XP.

I am running Windows ME. Will it work? How long will it take?

[Ruby]

No, it doesn't work.

You will want to copy the text from this post and save it as a text file (*.txt) or print it because you will be working offline (in safemode) to resolve your problem and not have access to this forum.

Follow these STEPS.

STEP 1
You must turn off System Restore during this process. You will keep it off until we are done fixing your system.

STEP 2

1. Download mwavscan (It is free), if you don't have a zip-tool we suggest zipgenius (It is free).
2. You MUST Unzip mwavscan to 'C:\bases' (case sensitive, any other folder and it won't work properly)
3. After installing some systems automatically start up the program, if this happens close it, you don't want to run it now.
4. Open 'My Computer'
5. Double click on 'C:'
6. Double click on the folder 'bases'
7. Now in that root folder look for 'kavupd.exe' and double click on it. (We are updating mwavscan to the latest definitions.)
8. NOTE: Occasionally users receive an error that 'signatures are more then 30 days old'. If you receive this keep trying to run kavupd.exe, it means the definition server is busy, but you will eventually get through.

STEP 3

1. Now turn off your computer and remove the network cable/phone line from your machine.
2. Reboot your computer in Safe Mode

STEP 4

1. Open 'My Computer'
2. Double click on 'C:'
3. Double click on the folder 'bases'
4. Double click on 'mwavscan.com'
5. Now close all other windows, browsers, and programs other then Mwavscan before continuing
6. Checkmark: Memory, StartUp-Folders, Drives, All Local Drives, Registry and INI Files, System Folders, Services
7. Now select 'Scan All Files'
8. Finally, click on 'Scan Clean' (The program will take several hours to run)
9. When the scan is complete, click 'View Log' and Save it!

STEP 5

1. Reconnect your network cable/phone line
2. Reboot your system into normal mode.

STEP 6

1. Open 'My Computer'
2. Double click on 'C:'
3. Double click on the folder 'bases'
4. Find the log file in the directory.
5. Open it with an editor (Notepad will do fine)
6. Look for the files which are tagged as "virus" or "infected"
7. Copy&paste all these files tagged as "virus" or "infected" in a new document and save to your desktop

STEP 7
Run Hijackthis again and have it save a new log file.

Step 8

Post every file of mwavscan by looking for "infected" and "tagged as" to this thread:

It looks like this:

File C:\WINDOWS\sssasasb32.exe infected by "Trojan-Downloader.Win32.Agent.ig" Virus. Action Taken

File C:\Documents and Settings\Name\Local Settings\Application Data\Wildtangent\0F.dat tagged as not-a-virus:AdWare.WildTangent.b. No Action Taken.

Also post the total results:

=>Total Number of Files Scanned:
=>Total Number of Virus(es) Found:
=>Total Number of Disinfected Files:
=>Total Number of Files Renamed:
=>Total Number of Deleted Files:
=>Total Number of Errors:
***** Scanning complete. *****

Finally, post the new Hijackthis logfile!