Weird search and dialer proggy... think I'm hijacked

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Par5Golf, Feb 7, 2005.

  1. Par5Golf

    Par5Golf Private First Class

    I did everything in this thread last night (long time that was)

    http://forums.majorgeeks.com/showthread.php?t=35407

    and ran HijackThis today and stuff is still coming up today :(

    Logfile of HijackThis v1.99.0
    Scan saved at 4:27:08 PM, on 2/7/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Edit by chaslang: Unrequested inline log deleted.

    Any help would be great

    Thanks

    Eric
     
    Last edited by a moderator: Feb 7, 2005
  2. TheOldThug

    TheOldThug First Sergeant

    Welcome :)

    When asked to post a HJT log it must not be inline but rather a .log or .txt file. If you have done the whole TUTORIAL then:

    Please try to turn OFF any applications that are not needed. It makes it much easier to look at the HJT log.
    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT
     
  3. Par5Golf

    Par5Golf Private First Class

    Sorry about the log, I was jumping the gun :(

    Anyway, yes I did everything in the thread last night and the PC seemed to be OK... so I went to bed. I turn on the PC today and all hell breaks loose... I have one page that tries to open to some site horseserver dot net and some klikfeed I think it's called and some site called allsearchweb, something to that effect... and some weird tibs thing tries to install a dial-up connection, and thank God I'm on cable but it's still annoying..... I have attached a file so maybe you can see wtf someone did to me.... thanks for your time

    Eric
     

  4. TheOldThug

    TheOldThug First Sergeant

    Your tibs is a dialer. I am going to give you some suggestions but wait for PP or Chaslang to confirm this before doing it.

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    tibs3.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost; ????????
    O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
    O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file(s) and folder(s) if they should remain:

    C:\WINDOWS\System32\tibs3.exe
    C:\WINDOWS\cerbmod.dll
    C:\WINDOWS\System32\DSMANA~1.DLL
    C:\WINDOWS\System32\snim.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
  5. TheOldThug

    TheOldThug First Sergeant

    Just to make this clear there are no folders to do in this step, just files:

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file(s) and folder(s) if they should remain:

    C:\WINDOWS\System32\tibs3.exe
    C:\WINDOWS\cerbmod.dll
    C:\WINDOWS\System32\DSMANA~1.DLL
    C:\WINDOWS\System32\snim.dll
     
  6. Par5Golf

    Par5Golf Private First Class

    OK, took me a sec to post this 'cause the damn things started to pop up again grrrr, but here is the new log and some things are still there :(

    Oh, by the way, the C:\WINDOWS\System32\DSMANA~1.DLL
    one wasn't there ??
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, you need to print these instructions or save them locally in a file because in the next step YOU MUST physically disconnect (unplug your cable and leave it unplugged until told to reconnect) and you MUST shut down all browsers.

    Okay physically disconnect and shut down browsers now.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    mszx23.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll (file missing)
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
    O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\mszx23.exe
    C:\WINDOWS\System32\snim.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Tell me if you have any problems locating or deleting these files.

    Now reboot in normal mode, plug in your cable and post a new HJT log. And tell us how things are working.
     
  8. Par5Golf

    Par5Golf Private First Class

    OK, did them all but I'm not sure it helped yet, some things are still there... but here is the log....
     

  9. Par5Golf

    Par5Golf Private First Class

    OK, just after I hit post message I got this


    the famous Blue Screen

    Technical Information

    *** Stop 0x0000008E,(0xC0000005,0xF9226914,0xEFD61688,0x00000000

    ***d346bus.sys Address F9226914 Base at F919000 Date Stamp40522078


    Then I rebooted again and started this post, and the pop-up dialer program started again, and the search thing. Will it ever end :(

    thanks for your time
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have this:


    O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!

    Did you have a problem locating this file?
    Did you have a problem deleting it?

    Did you do the steps with your internet connection physically unplugged and no browsers running?
     
  11. Par5Golf

    Par5Golf Private First Class

    Yep, I found it and deleted it, and I checked after I rebooted back to regular mode to see if it was there, and it was. So I rebooted again in safe mode and deleted it again, and it's still there grrrrrrrrr


    And yes, all while I was offline and no browsers open
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When does it come back? Before or after you plug in the cable to the internet?
    Don't forget plugging in the cable is not the same thing as browsing.

    Delete it in safe mode. Reboot in normal mode. Is the file back?
    Now plug in your cable? Is the file back?
    Now open a browser? Is the file back?
     
  13. Par5Golf

    Par5Golf Private First Class

    It's back when I reboot in normal mode??

    I just did it again and here is the new log


    Please, I have this exe file with a pic of a chick on it on my desktop and in c:/127051.exe


    thanks again
     

  14. TheOldThug

    TheOldThug First Sergeant

    Let's get this straight.
    This of course is after you make the fixes Chas said.

    Can you be specific?
     
  15. Par5Golf

    Par5Golf Private First Class

    When does it come back? Before or after you plug in the cable to the internet? Before

    Don't forget plugging in the cable is not the same thing as browsing. Yes, I know


    Delete it in safe mode. Reboot in normal mode. Is the file back? yes


    Now plug in your cable? Is the file back? yes

    Now open a browser? Is the file back? Yes, naturally, but now the site browser comes up and sends me to the lik search page

    And all that is happening after I have done this at least twice now...


    I can do it again if you would like
     
  16. TheOldThug

    TheOldThug First Sergeant

    Chas

    I see he got WebsiteViewer now. I don't know if this helps.

    Website Viewer
     
  17. TheOldThug

    TheOldThug First Sergeant

    Thanks Par that was nice and specific. Tibs is back and a few other mutations. There is new stuff now. This is a tough little bugger.
     
  18. Par5Golf

    Par5Golf Private First Class

    No prob, I just want the crap gone. It's been a long time since I had anything bad on this PC, but when you leave for a weekend and your family watches your house, shit happens lol


    I'll check back in a few, I need sleep, got to work in the AM "sigh"

    Thanks a lot for your time guys

    And I would just reformat but never got a reboot disk with my PC :( oh well
     
  19. PhilliePhan

    PhilliePhan Guest

    Hey Chas,

    Not what you want to hear, but this is part of a nasty Haxdoor infection that has been going around!

    See what I did for it in post #22 in this thread: Any Tips?

    I am in the process of tweaking my generic fix for this baddie, so if the fix in the above link doesn't work, I'll have new one ready shortly.

    PP :)
     
    Last edited by a moderator: Feb 8, 2005
  20. Par5Golf

    Par5Golf Private First Class

    So PP, should I follow the directions in the ANY TIPS thread or just stand by for now?


    Thanks
     
  21. PhilliePhan

    PhilliePhan Guest

    Hi Par5,

    Were you able to find any of the files listed in the thread I linked?

    Please unzip and run the tool I attached below.
    Please make sure that your Anti-Virus app does not have Script Blocking enabled.

    Please enter the following into the Search Box:

    winlow

    Then, do the same for these two:

    vdmt16

    drct16


    Please save the results of this search and attach them along with a Fresh HJT Log. Also, don't forget to answer my question at the beginning of this post. I will try to check back tonight as time permits.

    PP :)
     
    Last edited by a moderator: Mar 11, 2005
  22. Par5Golf

    Par5Golf Private First Class

    What files? I was going through that thread and didn't see anything familiar...

    Here are the 3 search txt files for the words in question

     

  23. Par5Golf

    Par5Golf Private First Class

    the 3rd one


    and recent hjt log
     

  24. PhilliePhan

    PhilliePhan Guest

    Try looking for these and note the ones that you find - Don't bother trying to delete them as they will come back:

    C:\System32\w32tm.exe
    C:\System32\drct16.dll
    C:\System32\cz.dll
    C:\System32\vdmt16.sys
    C:\System32\hz.dll
    C:\System32\winlow.sys
    C:\System32\wz.dll
    C:\System32\p2.ini

    ALSO:
    Please unzip the attached tool to a folder of your choice.

    NOW: boot to Safe Mode and DoubleClick the rkfiles.bat to run the scan. It will take a while, so let it go until the DOS window closes.

    THEN: reboot to Normal Windows and look in C:\ Drive for a file named log.txt and attach it with your post.

    We'll see what it has to say and I'll put something together for you. Don't forget to let me know about those files!

    PP :)
     
    Last edited by a moderator: Feb 8, 2005
  25. Par5Golf

    Par5Golf Private First Class

    I hope you meant C:\WINDOWS\System32??


    C:\System32\w32tm.exe -------yes
    C:\System32\drct16.dll -------yes
    C:\System32\cz.dll -------yes
    C:\System32\vdmt16.sys -------yes
    C:\System32\hz.dll -------yes
    C:\System32\winlow.sys -------yes
    C:\System32\wz.dll -------yes
    C:\System32\p2.ini-------yes

    and here is the log
     

  26. PhilliePhan

    PhilliePhan Guest

    YES - Sorry . . . . :rolleyes:

    WOW! You found a lot! Hang in there while I put a fix together . . . It'll either be late tonight or Wednesday evening before I can post it. You will be shocked how deep this Haxdoor piece of crap runs on your machine!!!

    PP :)
     
  27. Par5Golf

    Par5Golf Private First Class


    OK, I'll be waiting with bells on :)


    And again, thanks for all your time.. :)
     
  28. PhilliePhan

    PhilliePhan Guest

    Hi Par5,

    Happy to try to help :) Different versions of this baddie are popping up all over the place and are proving to be quite difficult to remove!! With that in mind. . . . . . . . Be advised that this is definitely a “use at your own risk proposition!”

    Read through these instructions before doing anything else so you can familiarize yourself with the process!


    Please download the following tool: Pocket KillBox

    ALSO:
    Please DownLoad Registrar Lite and Install it.


    ***** It might also be a good idea if you used ERUNT to back up your registry before proceeding with the instructions below. Just install it and it should prompt you to Backup the Registry. It is definitely a good idea to do this anyway!

    Please save these instructions locally so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    You will need to be totally disconnected from the internet when you do this!



    FIRST:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it HaxFix.reg


    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_MEMLOW]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VDMT16]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdmt16]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_VDMT16]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vdmt16]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmt16]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINLOW]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winlow]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINLOW]

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\winlow]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW]

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlow]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "secboot"=-
    "tibs3"=-

    [HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
    "Disable TrayIcon"=-

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
    "StackSize"=-
    "Impersonate"=-

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion]
    "hws"=-

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\Memory Management]
    "EnforceWriteProtect"=-
    "hws"=-

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
    "EnforceWriteProtect"=-
    "hws"=-


    Just leave the HaxFix.reg file on your Desktop for now.


    NOW, DISCONNECT FROM THE INTERNET AND BEGIN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    NOW
    Please Run Registrar Lite and Copy&Paste the following into the address bar and click GO:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16


    RightClick on LEGACY_VDMT16 and select properties.

    Then Click the "Take Ownership" button in the properties box and OK out.

    Then RightClick the LEGACY_VDMT16 and select "Delete"

    NOW, Repeat the above for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW
    and
    LEGACY_WINLOW


    NEXT:
    DoubleClick on the HaxFix.reg file on your Desktop that you made earlier and allow it to merge the registry entries into the registry.


    NOW:
    Please scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\blank.htm

    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll

    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe snim.dll, DllRegisterServer
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe

    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\System32\snim.dll
    Be sure All Browser Windows are Closed when you Click FIX.


    NEXT
    You will be entering the boatload of files below into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:

    C:\WINDOWS\SYSTEM32\2359.exe
    C:\WINDOWS\SYSTEM32\dsmanager.dll
    C:\WINDOWS\SYSTEM32\gekqidoi.exe
    C:\WINDOWS\SYSTEM32\gubadusv.exe
    c:\windows\system32\klogini.dll
    c:\windows\system32\p2.ini
    c:\windows\system32\ps.a3d
    C:\WINDOWS\system32\wz.dll
    C:\WINDOWS\system32\cz.dll
    C:\WINDOWS\system32\hz.dll
    C:\WINDOWS\SYSTEM32\hicom.exe
    C:\WINDOWS\SYSTEM32\hicomd.exe
    c:\windows\system32\vdnt32.sys
    c:\windows\system32\vdmt16.sys
    c:\windows\system32\winlow.sys
    C:\WINDOWS\System32\snim.dll
    c:\windows\system32\klo5.sys
    c:\windows\system32\drct16.dll
    c:\windows\system32\mszx23.exe
    C:\WINDOWS\SYSTEM32\hiden.exe
    C:\WINDOWS\SYSTEM32\ieexec.exe
    C:\WINDOWS\SYSTEM32\mdaaaaaa.exe
    C:\WINDOWS\SYSTEM32\olexp.exe
    C:\WINDOWS\SYSTEM32\pkinotqc.exe
    C:\WINDOWS\system32\cm.dll
    C:\WINDOWS\system32\hm.sys
    C:\WINDOWS\system32\memlow.sys
    C:\WINDOWS\system32\wd.sys
    C:\WINDOWS\SYSTEM32\telcmd.exe
    C:\WINDOWS\SYSTEM32\vgmuqtbr.exe
    C:\WINDOWS\SYSTEM32\wtl32a.exe
    C:\WINDOWS\SYSTEM32\22023562.exe
    C:\WINDOWS\SYSTEM32\22028078.exe
    C:\WINDOWS\SYSTEM32\cz.dll
    C:\WINDOWS\SYSTEM32\tibs3.exe
    C:\WINDOWS\system32\mszx23.exe
    C:\WINDOWS\system32\w32tm.exe

    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.


    NEXT:
    Please run SpyBotSD and Ad-aware and allow them to fix what they find. Now, run CCleaner. Probably a good idea to ReRun the HaxFix file on Desktop again as well.

    AGAIN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Finally, please scan with HijackThis and attach the log. Let me know how things went, if you encountered any problems along the way and whether the above instructions worked. I need as many details as possible!!
    Will check back as time permits.

    Best Luck :)
    PP
     
    Last edited by a moderator: Mar 10, 2005
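    An added example, not from the thread or from any of the tools it mentions: a dry-run reader for the REGEDIT4 syntax that HaxFix.reg relies on, so the key and value deletions a .reg merge would perform can be listed and reviewed before the file is double-clicked. The excerpt embedded in it is constructed from the HaxFix.reg above; the mechanism labels in classify() are my own.

```python
"""Dry-run reader for REGEDIT4 (.reg) files such as the HaxFix.reg posted above.

Added example, not part of the thread. A .reg merge cannot be undone without the
registry backup (the ERUNT step), so list what the file does before merging it:
  [-KEY]         delete KEY and everything beneath it
  [KEY]          select KEY for the value lines that follow
  "name"=-       delete the value "name" from the selected key
  "name"="text"  set a string value (@ on the left means the key's default value)
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegOp:
    action: str       # "delete_key", "delete_value" or "set_value"
    key: str          # full registry path the operation applies to
    name: str = ""    # value name; empty for key operations, "@" for (Default)
    data: str = ""    # new data for set_value, kept verbatim for dword:/hex: forms

# "name"=data or @=data; the name may contain escaped quotes and backslashes
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*(.*)$')

def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text: str) -> list[RegOp]:
    """Return the operations a REGEDIT4 file would perform, in file order."""
    lines = text.splitlines()
    header = lines[0].strip() if lines else ""
    if header not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg file: missing REGEDIT4 header")
    ops: list[RegOp] = []
    current: str | None = None      # key selected by the last [KEY] line
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):
                ops.append(RegOp("delete_key", body[1:]))
                current = None      # values after a deleted key have no target
            else:
                current = body
            continue
        m = _VALUE_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {raw!r}")
        if current is None:
            raise ValueError(f"value line outside a [KEY] section: {raw!r}")
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2).strip()
        if data == "-":
            ops.append(RegOp("delete_value", current, name))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            ops.append(RegOp("set_value", current, name, _unescape(data[1:-1])))
        else:
            ops.append(RegOp("set_value", current, name, data))
    return ops

def classify(op: RegOp) -> str:
    """Label an operation by the persistence mechanism it touches (my own labels)."""
    k = op.key.lower()
    if op.action == "delete_key":
        if "\\services\\" in k:
            return "service/driver"
        if "\\enum\\root\\legacy_" in k:
            return "legacy device enumeration"
        if "\\winlogon\\notify\\" in k:
            return "winlogon notification package"
    elif op.action == "delete_value" and k.endswith("\\currentversion\\run"):
        return "run autostart"
    return "other"

def review(text: str) -> dict[str, list[str]]:
    """Group what a merge would do by mechanism, as a pre-merge checklist."""
    grouped: dict[str, list[str]] = {}
    for op in parse_reg(text):
        target = op.key if op.action == "delete_key" else f"{op.key}\\{op.name}"
        grouped.setdefault(classify(op), []).append(f"{op.action}: {target}")
    return grouped

# Constructed excerpt of the HaxFix.reg above (the full file has 16 [-KEY] lines).
HAXFIX_EXCERPT = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_MEMLOW]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"secboot"=-
"tibs3"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"StackSize"=-
"""
```

    Calling review(HAXFIX_EXCERPT) groups the three key deletions and three value deletions by the mechanism each one removes, which is the list worth comparing against an ERUNT backup before merging.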
  29. Par5Golf

    Par5Golf Private First Class

    Tried them both and get ACCESS DENIED boxes??

    Should I continue?
     
  30. Par5Golf

    Par5Golf Private First Class

    Well, I just did the others in the way you said, and here is the log. So far so good, no popups yet
     

  31. PhilliePhan

    PhilliePhan Guest

    A better way to get an idea of success, since many of these baddies are hidden from HijackThis, is for you to do the following:

    1 - Repeat the scans from post #21 and add memlow to the list of items to look for. Attach those 4 logs. (Will take 2 posts)

    2 - Repeat the rkfiles.bat scan from post #24 and attach that log to yet another post and we'll see what remains, if anything.

    So, everything seems to be running well? Anything at all out of the ordinary?

    Will check back tonight, time permitting.

    PP :)
     
  32. PhilliePhan

    PhilliePhan Guest

    I forgot to add that this line should be fixed with HJT:
    O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll

    And DELETE: C:\WINDOWS\cerbmod.dll

    PP :)
     
  33. Par5Golf

    Par5Golf Private First Class

    OK, the only ones it found are the ones posted... now I'm off to do post #24 again
     

  34. Par5Golf

    Par5Golf Private First Class

    Here is the log file


    Nope, nothing I can see as of yet
     

  35. PhilliePhan

    PhilliePhan Guest

    Look in this last log for those numbered files and then look in System32 Folder for them and RightClick them to see if you can get Property and Version info!
    They are odd.

    C:\WINDOWS\SYSTEM32\220515.exe
    C:\WINDOWS\SYSTEM32\225250.exe
    C:\WINDOWS\SYSTEM32\9820859.exe
    C:\WINDOWS\SYSTEM32\9824312.exe
    C:\WINDOWS\SYSTEM32\220515.exe
    C:\WINDOWS\SYSTEM32\225250.exe
    C:\WINDOWS\SYSTEM32\9820859.exe
    C:\WINDOWS\SYSTEM32\9824312.exe


    RE: the other logs, the bad registry entries remain. I believe it is due to the bit in my instructions with Registrar Lite failing. You might try that again in safe mode and see if you can "Take Possession" and then delete those entries.

    I'll see what I can come up with tonight when I get some free time. Chances are good that you are probably OK now and that the bad files are gone and all that remain are remnants in the registry. Still . . . . I like to be thorough!

    Will check back tonight.

    PP :)
     
  36. Par5Golf

    Par5Golf Private First Class

    Not sure how or what that Property and Version info!
    is, but I hit properties and it has three tabs and doesn't say anything, just something about when it was created

    I'll try the "Take Possession" in safe mode and see what happens then
     
  37. Par5Golf

    Par5Golf Private First Class

    Did the safe boot "Take Possession" and still "ACCESS DENIED" when I tried to delete it..


    So I'll wait and see what else you have for me when ya get some time.... thanks again
     
  38. PhilliePhan

    PhilliePhan Guest

    Did you backup your registry with Erunt ? If not, you should do that before proceeding further.

    Are you comfortable with regedit? We need to remove those pesky registry entries!

    Let's try regedit.
    You need to have Administrator Privileges to do this.

    Go START > RUN > Type regedit

    Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16

    and RightClick on it and select Delete. If that is not allowed, RightClick it and look on the list of options for “Permissions…. ” and select it. Now, where it says “Permissions for Administrators,” check the box for Full Control and hit Apply and OK. Now RightClick LEGACY_VDMT16 and try to delete it.

    Do the same for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW


    NOW,go back to that FixHax.reg you previously created and DoubleClick it and follow the prompts to allow it to merge into the registry.

    Let me know how you fare.

    PP :)
     
  39. Par5Golf

    Par5Golf Private First Class

    OK, got both of those deleted now... :)


    Anything else?

    What about those ...

    C:\WINDOWS\SYSTEM32\220515.exe
    C:\WINDOWS\SYSTEM32\225250.exe
    C:\WINDOWS\SYSTEM32\9820859.exe
    C:\WINDOWS\SYSTEM32\9824312.exe
    C:\WINDOWS\SYSTEM32\220515.exe
    C:\WINDOWS\SYSTEM32\225250.exe
    C:\WINDOWS\SYSTEM32\9820859.exe
    C:\WINDOWS\SYSTEM32\9824312.exe


    Or am I getting too far ahead lol
     
  40. PhilliePhan

    PhilliePhan Guest

    Did you run the HaxFix registry merge?
    How did it do now that you were able to delete those two entries?

    Two things you can do to see if machine is now clean:

    1) Rerun those registry scans from post 21 - They all should come up with nothing after the Hax.Fix merge.

    2) Run a search of your computer for the files you deleted with Pocket KillBox and see if they are all gone.

    Especially:
    C:\Windows\System32\w32tm.exe
    C:\Windows\System32\drct16.dll
    C:\Windows\System32\cz.dll
    C:\Windows\System32\vdmt16.sys
    C:\Windows\System32\hz.dll
    C:\Windows\System32\winlow.sys
    C:\Windows\System32\wz.dll
    C:\Windows\System32\p2.ini

    You can probably safely delete those strange numbered files as well. Or, to be safer, rename them from ex/ 1234567.exe to 1234567.BAD and see if you need them - in which case you can change them back.

    Keep me posted - Will check back tomorrow!

    PP :)
     
  41. Par5Golf

    Par5Golf Private First Class

    Did you run the HaxFix registry merge? Not sure what it is supposed to do. It just says added, one box says is this OK and the 2nd box says it made it... or to that effect
    How did it do now that you were able to delete those two entries? Those two entries came out fine now

    1) Rerun those registry scans from post 21 - They all should come up with nothing after the Hax.Fix merge.

    Those logs are attached


    2) Run a search of your computer for the files you deleted with Pocket KillBox and see if they are all gone.

    The only one I see is

    C:\Windows\System32\w32tm.exe

    but it's all capitals, would that matter ... W32TM.EXE



    The rest are gone


    I'll do the #numbered ones now and see what happens
     

  42. PhilliePhan

    PhilliePhan Guest

    Those logs should be Empty. You could doublecheck with regedit and delete those lines.

    There is a small possibility it is legit. Submit it here for a scan and see what they say: http://www.kaspersky.com/scanforvirus
    OK - You are probably good to go! As long as those bad Haxdoor files have been eradicated, there is probably nothing to worry about. A few orphaned registry entries aren't too worrisome.

    Gotta run - Will check back Thursday evening.

    PP :)
     
  43. Par5Golf

    Par5Golf Private First Class

    this is from http://www.kaspersky.com/scanforvirus

    Scanned file: 220515.exe

    220515.exe - infected by Trojan-Clicker.Win32.Small.dv

    Scanned file: 225250.exe

    225250.exe - infected by Trojan-Clicker.Win32.Small.dv

    Scanned file: 230562.exe

    230562.exe - infected by Trojan-Dropper.Win32.Small.rd

    Scanned file: 376093.exe

    376093.exe - infected by Trojan-Dropper.Win32.Small.rd

    Scanned file: 9820859.exe

    9820859.exe - infected by Trojan-Clicker.Win32.Small.dv

    Scanned file: 9824312.exe

    9824312.exe - infected by Trojan-Clicker.Win32.Small.dv

    Scanned file: 9827812.exe

    9827812.exe - infected by Trojan-Dropper.Win32.Small.rd

    Scanned file: 10287250.exe

    10287250.exe - infected by Trojan-Dropper.Win32.Small.rd

    Scanned file: 22032718.exe

    22032718.exe - infected by Trojan-Dropper.Win32.Small.rd

    -------------------------------------------------------------

    So I guess they are bad lol


    I'll redo post 21 and get back with ya

    thanks again
     
  44. Par5Golf

    Par5Golf Private First Class

    Ran the RegSrch and on the winlow it came up with this

    [HKEY_USERS\S-1-5-21-2220802870-3759819549-2866213812-1006\Software\Resplendence Sp\Registrar Lite\Settings]
    "LastOpenedKey"="HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet003\\Enum\\Root\\LEGACY_WINLOW"


    And the vdmt16 came out clean ...

    So I'll see you tomorrow to see what that is

    And I deleted all the #numbered exe ones too


    thanks again

    Par5
    Eric
     
  45. PhilliePhan

    PhilliePhan Guest

    Hi Eric,

    The winlow & vdmt16 look OK. If you really want to be thorough, you could use regedit to look for any of those registry keys I listed in post #28 and see if they somehow remain.

    Good to get rid of those numbered, trojan infected files. That Kaspersky scanner is handy! What about C:\Windows\System32\w32tm.exe?

    Please give me one last HJT log and let's see if we can declare your machine healed!

    Will check back tonight!

    PP :)
     
  46. Par5Golf

    Par5Golf Private First Class

    Regedit looks clean

    It was fine, the W32TM.EXE

    And here is the HJT log





    I tried to put my Win firewall up and it still says

    An error occurred while Internet Connection Sharing was being enabled

    the specific service does not exist as an installed service....

    Not sure if that had to do with the tibs dialer that was always trying to connect or not..


    thanks again for your time
     

  47. PhilliePhan

    PhilliePhan Guest

    Happy to try to help! :)

    Your HJT log looks ok. I think you got it all!

    Not sure about Internet Connection Sharing, but I would definitely suggest following the recommendations in the link below and using one of the free firewalls Chas mentions. They will give better protection than the Windows Firewall because they monitor both incoming and outgoing activity!

    How to protect yourself from malware!

    PP :)
     
  48. Par5Golf

    Par5Golf Private First Class

    Thanks a bunch PP, you have helped a lot... seeing that I use the PC for my daily job it sucks when this stuff happens... so thanks a bunch


    I'll check out his thread and see how it goes


    Thanks
    Again

    Par5golf
    Eric
     
  49. PhilliePhan

    PhilliePhan Guest

    You're Welcome! Surf Safely :)
     
  50. woodturner

    woodturner Private E-2

