Followed Instructions

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by birdo, May 24, 2005.

  1. birdo

    birdo Private E-2

    Hello, I followed the instructions on spyware removal...etc... the long process.... downloaded, updated all the spyware stuff etc.... Now upon rebooting.... Using AVG.... I get C:\WINDOWS\System32\delttsul.exe
    Trojan Horse Startpage.3.AY

    I select "heal" yet each time I do boot... I get the same......
    Not going to post my logfile unless you require... thanks

    Birdo
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    • Download HijackThis 1.99.1
    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.
    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)
    • Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. birdo

    birdo Private E-2

    Thanks for the response... I also get another Trojan called Downloader.Small.38AM... the object is C:\WINDOWS\system32\ctdtcndw30103lib.dll

    This appears when I go to open a program...the other pops up on boot start.
    I have used AVG and it has deleted them 2 times only for them to re-appear again. Quite frustrating.
    Appreciate any and all help.
    Thanks
    Birdo
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The first thing I notice is that you're running Norton AntiVirus and AVG AntiVirus. You need to pick one and uninstall the other. Running two antivirus programs can cause conflicts on your computer.

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.19.9:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 12.242.19.9
    (Keep these if you need them)

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\stivc.exe

    O2 - BHO: SDWin32 Class - {232A3FA0-17C0-4CB9-BF6F-69996EB879FF} - C:\WINDOWS\System32\zrrxi.dll (file missing)
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - (no file)

    O4 - HKLM\..\Run: [ctdtc] C:\WINDOWS\System32\ctdtc.exe

    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll (file missing)
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\system32\ctdtcndw30103lib.dll

    C:\WINDOWS\System32\delttsul.exe

    C:\WINDOWS\System32\stivc.exe

    C:\WINDOWS\System32\ctdtc.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  5. birdo

    birdo Private E-2

    ok thanks here is the next log file...
    We will see how it goes.... and get back to me if you see anything else please? I appreciate your help!

    Regards,
    Birdo
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean!

    I'm assuming you needed those entries, which is why you left them, correct?

    Are you having any further problems?
     
  7. birdo

    birdo Private E-2

    I just didn't delete them.. but I went ahead and did it anyway... question.. I am a gamer.. and I like to have as few processes as possible running in the background.. I usually have about 23 or so...
    I was told that when I went to task manager.. it should bounce from 0% to 2% otherwise I have garbage running that I don't want running...
    After I followed your post and used "End it all" it was doing it...from 0 to 2 % which is cool....
    But later today... and now...bounces from 0 to 5 to 0 to 7% etc....
    Dunno why....
    I ran another Hijack and saw the yahoo stuff on there again.. but not the no file and other junk that was on there ... only the R1 and R0 stuff...
    any suggestions?
    Oh and I did a scan of pc with AVG and was clean
    thanks
    Birdo
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a fresh HJT log and I will tell you what processes are running and which can be removed. It's normal for your CPU usage to vary between 0% and 7% when you're using it.
     
  9. birdo

    birdo Private E-2

    thanks again.. and if you could tell me how to end those... not in msconfig right? in services?
    thanks
    Birdo
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, scan with HJT and have it fix the below entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    You have pretty much the minimum processes running. Every one of those is pretty much required to run.
     
  11. birdo

    birdo Private E-2

    Hello... I appreciate all of your help and had donated previously.....
    I now have problems with things running correctly... error messages etc... PC shutting down in the middle of things and rebooting.... I am posting a logfile and would appreciate any help you might be able to give me.
    Thanks,
    Birdo
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    birdo,

    You still haven't updated to Service Pack 2. Without this update you will continue to have problems. You need this update for all the latest patches and fixes.

    Since it has been so long go ahead and complete the READ ME again and afterwards post a fresh HJT log.
     
  13. birdo

    birdo Private E-2

    Ok..... I have installed service pack 2... However... my motherboard blew along with my cpu... I had a place install a new MB and processor... but it didn't work well with my store bought pc.... I spent more bucks.. went with a generic case... MSI motherboard 2800+ and new power supply...
    The guy put on McAfee and Windows XP Home on a new C drive....He told me that I might want to run the antivirus program after first booting up... Sounded strange to me....
    WOW tons of Trojans and spyware.... McAfee pop ups all over the place...
    My guess he gave me a cracked version of the XP..... or a used Western Electric C drive....
    I went through the READ ME FIRST>>>. and did everything EXACTLY as directed...
    went to msconfig and have everything run on boot...
    Spybot deleted everything except "ISEARCHTECH.YSB"
    I posted a logfile and hope that I can correct this without going out and buying a fresh OS.... but will if it comes down to it...
    Thanks for all your help.....
    Regards,
    Birdo
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disk C: > Program Files
    Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.


    After you have relocated HJT as requested above, proceed with the below.

    Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:


    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine
    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report


    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.
    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report along with a fresh HJT log.
     
    Last edited: Jul 25, 2005
  15. birdo

    birdo Private E-2

    Ok done and here are the attached files.... thanks for any and all of the help that you can give me...
    Birdo
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, uninstall ewido as it will block parts of this fix. Also, disable any anti-virus and anti-spyware programs so they will not block anything.

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [8bAtDt] C:\WINDOWS\auxwiuii.exe
    O4 - HKLM\..\Run: [XOZcZNCxF] C:\WINDOWS\auxwiuii.exe
    O4 - HKLM\..\Run: [5srW35l] cdfdbg.exe
    O4 - HKCU\..\Run: [KB06RRJ3l] cmuand.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O23 - Service: hexadecimal (HexadecimaRepresentation) - Unknown owner - C:\WINDOWS\Edit.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\auxwiuii.exe

    C:\WINDOWS\system32\cdfdbg.exe

    C:\WINDOWS\system32\cmuand.exe

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
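    The O4 Run entries, the F2 Shell entry and the R0/R1 page values that bjgarrick has HJT fix in posts 4 and 16 all come from a handful of registry locations. The PowerShell below is an added example, not a script from this thread, MajorGeeks or HijackThis: it is a read-only audit of those locations that lists each Run value, resolves its target the way Windows does (a bare name such as cdfdbg.exe is looked up in System32 and the Windows directory, which is how the log's entries without a path were found), and flags targets that no longer exist, targets that sit directly under the Windows directory (the pattern in this thread), and a Winlogon Shell value that is anything other than plain explorer.exe (the registry home of the system.ini Shell= line shown as F2). All function names are my own; nothing is modified, so HJT's own backups are still the thing to rely on when you click Fix.

```powershell
# Added example (not from the thread): read-only audit of the autostart
# locations behind the HJT O4 / F2 / R0 / R1 lines. Nothing is modified.
# Function names are made up for this example.

function Resolve-RunTarget {
    param([string]$Command)
    # Pull the executable out of a Run value: a quoted path, or the first token.
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ([System.IO.Path]::IsPathRooted($exe)) { return $exe }
    # A bare name (e.g. "cdfdbg.exe" in the log) is searched in System32, then %SystemRoot%.
    foreach ($dir in @((Join-Path $env:SystemRoot 'System32'), $env:SystemRoot)) {
        $candidate = Join-Path $dir $exe
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $exe   # not found where Windows would look; caller reports Exists = $false
}

function Get-RunKeyAudit {
    # HKLM\..\Run and HKCU\..\Run are the sources of the O4 lines.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # skip PowerShell's own metadata
            $target = Resolve-RunTarget ([string]$p.Value)
            [pscustomobject]@{
                Key          = $key
                Name         = $p.Name
                Command      = [string]$p.Value
                Target       = $target
                Exists       = (Test-Path -LiteralPath $target)
                # Random-named files directly under C:\WINDOWS were the pattern in
                # this thread (auxwiuii.exe); surface that for review, not as proof.
                InSystemRoot = ((Split-Path -Path $target -Parent) -ieq $env:SystemRoot)
            }
        }
    }
}

function Get-ShellAudit {
    # The F2 "Shell=Explorer.exe <extra>" line lives here on NT-family Windows;
    # anything after explorer.exe is launched at every logon.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -LiteralPath $wl -Name Shell -ErrorAction SilentlyContinue).Shell
    [pscustomobject]@{
        Shell    = $shell
        Expected = ($null -eq $shell) -or ($shell.Trim() -ieq 'explorer.exe')   # absent value defaults to explorer.exe
    }
}

function Get-IEPageAudit {
    # R0/R1 lines: IE Start/Search page values, both hives.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\Main"
        $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive       = $hive
            StartPage  = $p.'Start Page'
            SearchPage = $p.'Search Page'
            SearchBar  = $p.'Search Bar'
        }
    }
}

# Report, missing targets first so the "(file missing)" style entries stand out.
Get-RunKeyAudit | Sort-Object Exists | Format-Table Name, Exists, InSystemRoot, Command -AutoSize
Get-ShellAudit  | Format-List
Get-IEPageAudit | Format-Table -AutoSize
```

    Run it from an elevated prompt so HKLM is fully readable. An entry with Exists = False is the same thing HJT reports as "(file missing)": a leftover pointer that does nothing but is worth removing; an entry with InSystemRoot = True and a name you do not recognise is the one to look up before deciding.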
     
  17. birdo

    birdo Private E-2

    I found the system32\cdfdbg file in the system32 folder...and the cmuand one.... but not sure if they were exe files or not.... just had the icon.... with the name... when you said "navigate" to find them after deleting them with the hijack this... didn't want to right click and delete them... I went to properties and it said they were application type files?
    anyway here is the new log file. sir
    Regards,
    Birdo
     

    Attached Files:

    • #2.txt (4 KB)
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKCU\..\Run: [KB06RRJ3l] cmuand.exe

    O23 - Service: hexadecimal (HexadecimaRepresentation) - Unknown owner - C:\WINDOWS\Edit.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate hexadecimal (HexadecimaRepresentation) and Right Click on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NEXT:
    Run CCleaner to clean up cookies and temp files.


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\cmuand.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete all of the above, reboot and attach one last HJT log from normal mode.
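    The services.msc and Killbox steps above are, in order: confirm which binary the O23 service points at, stop it, set its Startup Type to Disabled, and queue a file that cannot be removed now for deletion at the next reboot. The PowerShell below is an added example, not a script from this thread or from Pocket KillBox: it does the first three steps with the standard cmdlets (with -WhatIf so nothing changes until you drop it), and then shows the queue that delete-on-reboot tools generally rely on, the PendingFileRenameOperations value, so you can see what is scheduled before rebooting. Function names are my own; the service and file names in the usage lines are the ones from this thread's log, and I am assuming the name in parentheses on the O23 line is the short service name that Stop-Service and Set-Service take.

```powershell
# Added example (not from the thread): the services.msc and delete-on-reboot
# steps as a PowerShell routine. Function names are made up for this example.

function Get-SuspectService {
    param([Parameter(Mandatory)][string]$Name)
    # Win32_Service exposes PathName, the same field HJT prints on an O23 line.
    $svcs = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name' OR DisplayName='$Name'"
    foreach ($s in $svcs) {
        $exe = if ($s.PathName -match '^\s*"([^"]+)"') { $Matches[1] } else { ([string]$s.PathName -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        [pscustomobject]@{
            Name         = $s.Name
            DisplayName  = $s.DisplayName
            State        = $s.State
            StartMode    = $s.StartMode
            Binary       = $exe
            BinaryExists = Test-Path -LiteralPath $exe   # False is HJT's "(file missing)"
        }
    }
}

function Disable-SuspectService {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    # Same order as the manual steps: Stop, then Startup Type = Disabled.
    # A registered service whose binary is missing can still be disabled.
    if ($PSCmdlet.ShouldProcess($Name, 'Stop and disable service')) {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $Name -StartupType Disabled
    }
}

function Get-PendingDeletes {
    # Delete-on-reboot is the MoveFileEx delay-until-reboot mechanism, which Windows
    # records here as source/destination pairs; an empty destination means delete.
    $k = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -LiteralPath $k -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        [pscustomobject]@{
            Source      = $ops[$i] -replace '^\\\?\?\\', ''   # strip the \??\ NT prefix
            Destination = $ops[$i + 1]
            Action      = if ([string]::IsNullOrEmpty($ops[$i + 1])) { 'Delete' } else { 'Rename' }
        }
    }
}

# Usage with the names from this thread's log (run as Administrator):
Get-SuspectService -Name 'HexadecimaRepresentation' | Format-List
Disable-SuspectService -Name 'HexadecimaRepresentation' -WhatIf   # remove -WhatIf to apply
Get-PendingDeletes | Format-Table -AutoSize
# After queueing C:\WINDOWS\system32\cmuand.exe with your delete-on-reboot tool,
# Get-PendingDeletes should list it with Action = Delete before you restart.
```

    The queue check is the useful defender habit here: if the file you expected is not listed, the reboot will not remove it, and if something you did not queue is listed, another program scheduled it.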
     
  19. birdo

    birdo Private E-2

    Thanks so much for all of your help... wow I hope it is now all clean as a whistle..... here is the log file... how does it look now sir?

    Birdo~
     

    Attached Files:

    • #3.txt (3.8 KB)
  20. birdo

    birdo Private E-2

    Ran Spy Bot after the last post I made.... here is what it found.....
    Isearchtech.ysb...... 1 entry
    Security Risks 5 entries
    Tango 1 entry

    It cleared everything except the Isearchtech.ysb.....
    same as before.... urrg.... can't seem to get rid of that Isearchtech.ysb
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, now I need you to attach the scan log from Spybot S&D so I can see exactly what it is finding. Is it a registry entry, file or folder?
     
  22. birdo

    birdo Private E-2

    I got rid of the isearch.ysb by deleting it in my registry... ran spybot again and it is clean... I will attach one more logfile to another post ... thanks
     
  23. birdo

    birdo Private E-2

    here you are sir CLEAN? :confused:
     

    Attached Files:

    • #4.txt (3.7 KB)
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You are clean my friend, are you having any further malware issues?
     
  25. birdo

    birdo Private E-2

    Thank goodness not.... only the Malware Man that installed my supposed OS..... a new HD and OS with trojans etc? with 180search assistant? :D
    Please.... he denied everything.....

    Again thanks so much for your time and support

    ~~BIRDO
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  27. birdo

    birdo Private E-2

    Hello Again Sir,
    As mentioned before I appreciate all the help you have given me in the past. I have donated before to show my support as well.
    I am faced with a problem that I would like to ask help with, however I am not sure if you are able to help me.
    I am on probation from the courts and am needing a program called "Spector" running on my system. I am not wanting to delete it nor alter it in any way. If you are not familiar, it is a program that logs sites visited etc, and in addition takes screen shots. The manufacturers of Spector tell me that it should not affect the performance of my pc etc. However, when I go to the online game I play called Aces High II ( world war II aircraft game) I get freezes, screen blacks out etc... and have to keep rebooting. I am not sure if spector is tied in somehow to my video card and using resources I am unaware of etc. OR>>>>>> if I have some type of malware etc. that might be causing the problem. So..... I thought I would present this to you and see what you might have to say or suggest. I still have all the malware removal programs etc..... that I have gone through in the "read me first" post. I have not gone through them lately...... So I am unsure of where to start..... If you have any suggestions or can point me in a direction, I would appreciate it.

    Regards,
    Birdo
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Attach a current HJT log from normal mode and we will rule out malware as a possible cause. If this is NOT malware related I'm afraid there isn't much I can do.
     
  29. birdo

    birdo Private E-2

    Thanks.... I appreciate it as always.....
    Be well,
    Birdo
     

    Attached Files:

  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, I see nothing of concern.
     
