chaslang-I did what you asked-Give4free

Discussion in 'Malware Help (A Specialist Will Reply)' started by shankster x, Feb 16, 2005.

  1. shankster x

    shankster x Private E-2

    Hello. I did what you asked as far as downloading all the right products, running them in safe mode, going into Windows Explorer and clicking view all hidden files, uninstalling Java and replacing Sun Java, and running online tests. This Give4free is still there on my search bar. It used to say, under IE > View > Explorer, "Give4free uninstaller" and under that "Tip of the day", and now it says "Give for free installer", "Tip of the day", and under that it says "Discuss". It's mutating! Any ideas? :cool:
     
  2. PhilliePhan

    PhilliePhan Guest

    If you have exhausted all Cleaning Options, go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I imagine Chas will check back as time permits.

    PP :)
     
  3. shankster x

    shankster x Private E-2

    OK, here it is. I took this log to a friend who is a tech, and he seems to think it is in system32\brss01a.exe and system32\BRMFRSMG.EXE and maybe the lowercase one that replicates it (brmfrsmg.exe). Any ideas? ...........Bueller,....Bueller,......anyone?
     

    Attached Files:

  4. TheOldThug

    TheOldThug First Sergeant

    Phillie is probably going to ask you to put HJT in its own folder such as C:\Program Files\HJT. This is important if you have to fix something. Do that and then resubmit your HJT log.

    There is nothing wrong with brss01a.exe
    Brother Print
     
  5. TheOldThug

    TheOldThug First Sergeant

    Nothing wrong with BRMFRSMG.exe either
    Brother

    BTW, you don't have the latest HJT file; it is now 1.99.1.
     
  6. shankster x

    shankster x Private E-2

    I put it in C:\Program Files\ and in its own folder. Did I do it right?
     

    Attached Files:

  7. TheOldThug

    TheOldThug First Sergeant

    Yes, you're fine now. Thanks.
     
  8. TheOldThug

    TheOldThug First Sergeant

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Please look in Task Manager (Ctrl-Alt-Del) and try to END the following running processes, if found:

    2005216204830_mcinfo.exe

    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\User\LOCALS~1\Temp\2005216204830_mcinfo.exe /insfin

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file if it should remain:

    C:\DOCUME~1\User\LOCALS~1\Temp\2005216204830_mcinfo.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
  9. shankster x

    shankster x Private E-2

    OK, here it is. I did get rid of the files you asked, and performed the procedures. I thought that the Give4free ad would be gone from IE but it's still there. The good news is, my system seems to be running better. I think we're getting closer. Do you think it installed a program that I need to uninstall? My firewall blocked a program trying to re-adjust my browser; it said "DSLmodem.domain.actdsltmp 192.168.0.1 win32".

    any ideas?
     

    Attached Files:

  10. TheOldThug

    TheOldThug First Sergeant

    Let's check a couple of things.

    Navigate to this file C:\Program Files\Webshots\Launcher.exe, then right click, properties, version and tell me what it says.

    Also Please look in Add or Remove Programs for the following and Uninstall them if found:

    Give4Free

    I know my router has that same address. Do you have a router?

    Also see if "launcher" is a running process.
     
  11. TheOldThug

    TheOldThug First Sergeant

    Also, what does the Give4free ad look like? Is it a popup, or does it just go to it as your home page? If that's the case, try changing the home page.
     
  12. shankster x

    shankster x Private E-2

    Type of file: application
    Description: launcher
    The file was created about the time I installed it. I don't see anything about the version except in compatibility mode. There is no WinXP in that compatibility mode.

    I'm not sure if I have a router- I run a DSL modem with wireless gateway.

    There is nothing in the Add/Remove Programs. The only thing that looks suspicious is "Intel(R) 537EP Modem". Kazaa is still in the Add/Remove Programs but I've uninstalled it already. When I click on the remove program icon it says not able to locate file, already removed. So I right-click on it to delete it and it won't let me. Maybe in safe mode?

    Also, Give4free is not a popup; it's fixed to my toolbar under Explorer, and under that it says "Tip of the day", and under that it says "Discuss". When I click on either of those mentioned, an icon pops up about 2 inches thick at the bottom of my screen with a computer tip. When I click on Give4free, the same tray pops up but with nothing in it. Do you think it's a program that's hiding under another common name?
     
  13. shankster x

    shankster x Private E-2

    Also, "Launcher" is not a running process. I did find something else: zlclient.exe. Not sure what this is.
     
  14. TheOldThug

    TheOldThug First Sergeant

    That is from Zone Labs; it is OK. Your modem hooks up to the cable or DSL outlet and then your router hooks up to the modem. Your computers then hook up to the router. You would probably know if you had it.
     
  15. TheOldThug

    TheOldThug First Sergeant

    Not sure if this will help but try looking under the Tools menu for Manage Browser Add-ons and see if it is shown there. (Give4Free)

    Also navigate to this file, C:\Program Files\MSN\MSNCoreFiles\msn.exe, then right-click, Properties, Version and tell me what it says. There is a trojan that uses that name. Also do a search for sins.exe or msninst.exe and tell me if you have them, where they are, and the version. You might want to go here and see what it says about those files.
    MSN.exe Symantec
    MSN.exe
     
  16. shankster x

    shankster x Private E-2

    I DO have msninst.exe on my computer. There is no msn.exe or sins.exe that the comp could find. Under msninst.exe it is an application file, description "Msn Installer application" (spelled Msn, not MSN or msn), and the version is 9.10.375.1.

    There is also msninst.dll in the same folder with the same version. The msninst.exe is the only file in there that was spelled "Msn" instead of msn. Should I uninstall MSN altogether and look to see if those files are still there? Maybe go into regedit and look under Software? There is no "corefiles" under MSN either. I also looked on the internet for Give4Free and I found a link that said there has been some talk lately on Major Geeks about this file, and so far they have not been able to figure it out. I don't know, it's just what the link said. Any ideas?
     
  17. shankster x

    shankster x Private E-2

    I take that back. I did find msn.exe in the comp search but not sins.exe. I found 2 in Prefetch, one that is in C:\WINDOWS\winxpcd\WIN9XUPG that is setup information, and one that is in E:\WINDOWS that says "setupapi.log". I also found one that is called UninstallInfo.xml that is in C:\Program Files\MSN\MsnInstaller.

    This is the same one that was spelled differently, but under the comp search it has a different property and is a different file type. Should I remove it? :)
     
  18. shankster x

    shankster x Private E-2

    I also found MSN.EXE-203c664d.pf in C:\documents and setting\User\Recent
     
  19. TheOldThug

    TheOldThug First Sergeant

    Where is msninst.exe located?
     
  20. shankster x

    shankster x Private E-2

    MSN.EXE is in Doc Sett\User\Recent per my comp search
     
  21. shankster x

    shankster x Private E-2

    The other msninst.exe is located in C:\Windows\program files\msn.
     
  22. shankster x

    shankster x Private E-2

    P.S. I also found this on the net C:\Program Files\Give4Free Plugin\ibho1.dll ... O16 -
    DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) Whatever that means.
     
  23. TheOldThug

    TheOldThug First Sergeant


    You do not have this O16 in your HJT log so it doesn't apply to you. As far as the MSN files, I cannot be sure if it is a trojan or not. From what I can tell they are not in the location that indicates they are a problem. I don't know what else to do with the Give4free because it does not show up on your HJT log. You can search for it and see if you can find a folder for it.
     
  24. shankster x

    shankster x Private E-2

    Alright, Well, thanks for trying. I might just wipe my system out and start fresh. All the programs that I found that said they would remove it I have tried, and it's still there. Again, Thank You! :)
     
  25. TheOldThug

    TheOldThug First Sergeant

    I wouldn't wipe the system. There has got to be a way to get it. Are there any other strange programs in the Add/Remove? Do you see any strange folders anywhere? Also, you never told me where msninst.exe is located.

    Also make sure you go here.
    Protect from Malware
     
  26. TheOldThug

    TheOldThug First Sergeant

    You should run all the online scans in the READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.

    Even do the extra ones.
    Alternative Scans - If still having problems

    If you are still having problems after performing all the above, these alternative scans below may prove to be useful. As mentioned above, it would be good to perform these in safe mode since it may assist in the ability to remove an infection. However, there are cases where a problem does not show itself completely until you boot in normal mode. So first run these scans in normal boot mode, and if they have problems cleaning any particular items repeat the scan in safe mode to see if it helps. Always keep track of what these scans find (save logs or take notes), and report them back in your thread to anyone helping you.

    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    a-squared (a²) Free edition free but requires an email address to register
    avast! Virus Cleaner Tool
    ADS SPY - Alternate Data Streams Spy from Merijn
     
  27. shankster x

    shankster x Private E-2

    msninst.exe is located in C:\program files\msn\msninstaller. There are a few installers in here. There is also an uninstaller. When I looked on the net for info about this threat, it said it was an uninstaller.exe. It also said that it is an IBHO.dll file. In the same msn file there is an MSNIA folder and a MsnInstaller folder. In the MSNIA folder there are 6 items: custdial.dll, msncore.inf, msniasvc.exe, msniasvc.xml, prestp.exe, unicows.dll. And in the MsnInstaller folder there are 15 items: a folder that says resources, and the following: iBrand, msdbxi.dll, msnilc.dll, msninst.exe (note: this file does not look the same as the other MSN butterfly; it has two black marks on the wing), msnms.ico, msnsusi.inf, UninstallInfo.xml, iasvcstb.dll, install, msnihc, msninst.dll, msnitd, msnsign.dll, unicows.dll. :)
     
  28. shankster x

    shankster x Private E-2

    There is also nothing in the Add/Remove Programs. Nothing suspicious anyway. Doesn't this have to be an installed program? If I don't recognize it then it's masking itself as something else (MSN?).
     
  29. TheOldThug

    TheOldThug First Sergeant

    See if you can find this file and if so where is it and is there any info on it.

    ibho.dll or ibho1.dll
     
  30. TheOldThug

    TheOldThug First Sergeant

    Make sure the Viewing of Hidden Files is Enabled as per the tutorial.
     
  31. TheOldThug

    TheOldThug First Sergeant

  32. shankster x

    shankster x Private E-2

    I did find ibho.dll in a cleaner.log that was already removed. I have run all the tests in safe mode and regular mode. I have immunized, made sure SpywareBlaster is active, updated every piece of spyware removal that I have, unchecked the hidden folders, turned System Restore off, and just about put myself in an insane asylum in the process. In the beginning the only spyware tool that would remove it was Microsoft Anti-Spyware. Nothing else would detect it. The anti-spyware detected it in the internet browser (which is where it is) and would remove it. Then it would detect it again on the automatic cleaning at 3 a.m. It would keep popping up. Then I went into regedit and found MyWay and Give4Free under HKEY_LOCAL_MACHINE\Software. I manually removed all the files and Microsoft Anti-Spyware stopped detecting it. It is still in my IE browser though. I'm about ready to jump through my office window at this point! How fun is this, huh? And just think, you get to do this all day. I'm jealous! Do you have any ideas on where to go at this point, or should I throw in the towel?
     
  33. shankster x

    shankster x Private E-2

    one more thing, I do use firefox as well.
     
  34. TheOldThug

    TheOldThug First Sergeant

    Shankster

    I feel for ya. It's exhausting. I am going to see if I can get PP or Chaslang to come into this thread. I don't know what else to do to find it. They may be able to help you so don't give up yet.
     
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please attach a current HJT log.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't think I ever saw an answer to message #15 with the request to look at Manage Browser Add-ons!

    Also did you look in c:\Program Files for a Give4Free Plugin folder?
    Also look for C:\Programme\Give4Free Plugin

    Did you search your registry for the below CLSID:
    208e7e77-507a-4649-b0c9-d39e9049c7a2

    This is normally associated with C:\Programme\Give4Free Plugin\ibho.dll
     
  37. shankster x

    shankster x Private E-2

    OK, sorry about that. The only thing in Manage Add-ons that looks suspicious is msnmetal; the publisher is not verified and then it says Microsoft Corp. I attached the new HJT log, and also have some good news for you. I looked for the line in regedit that you wanted me to check and it was there. I deleted the properties in the sub-folders and then deleted the folders. It was there twice. The sub-folders were called "InprocServer32" and inside the folders the TYPE was REG_SZ and the DATA was blank. Once I removed them the Give4Free icon in my browser went bye-bye and now I only have 2 left: "TIP OF THE DAY" and "DISCUSS".

    Now, last night my Microsoft Anti-Spyware detected 2 new entries: MySearchBar (Browser plugin) HKEY_CLASSES_ROOT\CLSID\{014dA6C9-1895-421a-88c, then it cut off and I couldn't read any more. I went into the registry and found both files and deleted them manually as well. Again, there were 2 identical files just like I mentioned above on your string. The sub-files were named the same (InprocServer32), same type and data (REG_SZ and blank).

    I also found in System32 some interesting info: p2p.dll, p2pgasvc.dll, p2pgraph.dll, p2pnetsh.dll, and p2psvc.dll. Now I thought that the p2p was Peer2Peer for Kazaa, so I took a desperate chance and tried to delete them. When I did I watched them pop back up. They couldn't be deleted.

    One more thing: Microsoft Anti-Spyware periodically pops up in the corner of my screen saying that it wants to add a certain site to my "trusted site list" and I deny the permission given the circumstances. So anyway, there's my night.
    Any ideas?
     

    Attached Files:
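The registry work in posts #8, #36 and #37 (an O4 autorun entry pointing into a user's Temp directory, a CLSID resolved through its InprocServer32 value to a BHO DLL, Explorer Bar items under View > Explorer Bar) is what HijackThis was reporting and what shankster x then did by hand in regedit. As an added example, not part of this thread and not a MajorGeeks tool, the PowerShell script below enumerates those same persistence points on a current Windows system and resolves every CLSID it finds to the file it loads, so a blank or missing InprocServer32 value like the one in post #37 shows up without guessing at subkeys. The CLSID is the one chaslang named in post #36; the registry paths are the documented Windows locations for Run keys, Browser Helper Objects and Explorer Bars, and the Temp-directory heuristic is an assumption drawn from the O4 line in post #8. PowerShell did not exist on the 2005-era XP machine in this thread; the script is read-only and changes nothing.

```powershell
# Added example (not from the thread): enumerate the persistence points the
# thread's HijackThis fixes targeted and resolve each CLSID to its binary.
# Run from an elevated PowerShell prompt. Read-only: it deletes nothing.

# CLSID named in post #36 as the Give4Free ibho.dll class; add others as needed.
$SuspectClsids = @('{208E7E77-507A-4649-B0C9-D39E9049C7A2}')

function Resolve-Clsid {
    param([Parameter(Mandatory)][string]$Clsid)
    # A COM class's on-disk image is the (default) value of InprocServer32 (DLL)
    # or LocalServer32 (EXE). Check the 64-bit view, the WOW6432Node view and
    # HKCU: a per-user or 32-bit registration hides from a 64-bit-only search.
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
             'HKCU:\SOFTWARE\Classes\CLSID'
    foreach ($root in $roots) {
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $key = Join-Path $root "$Clsid\$server"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
            # Strip quotes and expand %SystemRoot%-style variables before checking the file.
            $path = [Environment]::ExpandEnvironmentVariables(("$raw").Trim('"'))
            return [pscustomobject]@{
                Clsid  = $Clsid
                Key    = $key
                Image  = $path
                # Post #37 found InprocServer32 keys whose data was blank: Image
                # is empty and OnDisk is $false for those, but the key is listed.
                OnDisk = [bool]($path -and (Test-Path -LiteralPath $path))
            }
        }
    }
    # No server key at all: still report it so a dangling registration is visible.
    [pscustomobject]@{ Clsid = $Clsid; Key = $null; Image = $null; OnDisk = $false }
}

function Get-ClsidRegistrations {
    # Each subkey name under these keys is a CLSID; resolve every one of them.
    param([string[]]$Keys, [string]$Kind)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            Resolve-Clsid $sub.PSChildName |
                Add-Member -NotePropertyName Kind -NotePropertyValue $Kind -PassThru
        }
    }
}

function Get-RunEntries {
    # O4 in HijackThis terms: values under the Run/RunOnce keys.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    # Get-ItemProperty adds these provider properties; they are not registry values.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                # Heuristic (assumption): the O4 entry removed in post #8 ran from
                # a user's Temp directory, which legitimate autoruns rarely do.
                InTemp  = [bool]("$($p.Value)" -match '\\Temp\\')
            }
        }
    }
}

$BhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
# View > Explorer Bar items (Tip of the Day, Discuss, and the Give4Free entry
# the thread chased) are registered by CLSID under these keys.
$BarKeys = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars',
           'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars'

'== Autorun entries (O4) =='
Get-RunEntries | Sort-Object InTemp -Descending | Format-Table -AutoSize
'== Browser Helper Objects (O2) =='
Get-ClsidRegistrations -Keys $BhoKeys -Kind 'BHO' | Format-Table Kind, Clsid, Image, OnDisk -AutoSize
'== Explorer Bars =='
Get-ClsidRegistrations -Keys $BarKeys -Kind 'ExplorerBar' | Format-Table Kind, Clsid, Image, OnDisk -AutoSize
'== CLSIDs named in this thread =='
$SuspectClsids | ForEach-Object { Resolve-Clsid $_ } | Format-Table Clsid, Key, Image, OnDisk -AutoSize
```

An entry whose Image does not exist on disk, or a CLSID registered as a BHO or Explorer Bar with no InprocServer32 data at all, is the kind of orphaned registration left behind when a cleaner deletes the DLL but not the keys, and it is the pattern post #37 describes. Before deleting any key the script lists, export it first (for example with `reg export`) so it can be restored, which is the backup chaslang asks for in post #40; the script itself only reads.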

  38. shankster x

    shankster x Private E-2

    I did some research and found out that apparently the Tip Of The Day and Discuss are supposed to be on IE 5.0. Does this mean we got that filthy varmit?
     
  39. shankster x

    shankster x Private E-2

    One more thing, O Mighty One: now when I try to download photos in Webshots, it's telling me that the Hyperlink DDE transaction failed. What's that all about? I have internet service but it's telling me to check my LAN settings and make sure I'm connected, or to check my proxy setting if I'm using a dial-up (which I'm not). Also, how do I get rid of Kazaa in my Add/Remove Programs? It's telling me that the file cannot be deleted because it doesn't exist. :rolleyes:
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Be careful tweaking your registry so much. You really must know exactly what it is that you are touching. You should have done a backup first before doing any editing. And you should not be deleting anything unless you are absolutely sure of what you are doing. All of the p2p files you mentioned are part of Microsoft Windows. They are not from Kazaa.

    Try using the below (I doubt it will work since some Kazaa stuff may already be gone).
    Kazaa Spyware Removal
    KazaaBegone


    I don't know anything about Webshots! Try uninstalling it, reboot and reinstall. If that does not help, take questions on it to the Software Forum.
     
  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Hey Chas! MG's haven't posted this latest version of KazaaBegone, but there is a newer version available, 1.25. I have been using this version for months and have not run into any problems. Now, version 1.1 has a bug that CAN break the LSP chain; I've run into this a few times. Just in case you didn't know about the new version.

    Download KazaaBegone 1.25
     
  42. shankster x

    shankster x Private E-2

    OK, it worked. Thank you again for all your time and effort. Very much appreciated!!!!!!!!! :)
     
  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  44. shankster x

    shankster x Private E-2

    I would like to thank bjgarrick, chaslang, and TheOldThug for helping me on this issue. It was a long, trying 2 weeks but we got it. Again, thanks for all your time and patience. You guys ROCK!!! Keep up the good work!

    P.S. I went into Chaslang's Commandments! to get your helpful hints, but the site said "No thread specified. If you followed a valid link, please contact webmaster." Just FYI. Again, thank you.
     
  45. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!

    Try this,

    http://forums.majorgeeks.com/showthread.php?t=44525
     
  46. TheOldThug

    TheOldThug First Sergeant

    You're welcome. Good luck!!
     
  47. tblue

    tblue Corporal

  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What are you talking about? And why are you posting this here? If you are having a problem related to your original thread, post a question in it. If you have a new problem, start a new thread. I think you may be referring to the fact that you cannot get certain links to work. That could be due to server name changes that have been going on here.
     
  49. tblue

    tblue Corporal

    "I think you may be referring to the fact that you cannot get certain links to work. That could be due to server name changes that have been going on here."

    That's what I was talking about... no big deal... sorry for posting in the wrong spot.
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Be careful how you quote too! Notice how you did not quote my message text properly. That makes it harder for us to follow sometimes. Remember I look at a ton of this stuff a day. Anything that makes it easier is preferred.

    Try an ipconfig /flushdns from the command prompt or from the Start, Run box.
     
