Help....db105.com

Your message is a little confusing. Why would you "delete SpyBot because Ad-aware does not seem to be doing anything"? And what in the world do you mean by that anyway. Both of those programs work fine and are still being updated. Ad-aware (new version is Ad-aware SE) just updated on 9/6/2004 (yesterday).

Please follow all the steps in this Sticky thread < READ ME FIRST: Basic Spyware, Trojan And Virus Removal >

If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

After that let us know where you stand.

 

Were you able to virus scan online? That should help with your problem. I removed the ad-aware scan log as its not needed. You should be able to boot into safe mode to enable hidden files.

I think in your case, it would be easier to see your Hijack This logfile to help you know what to remove, please read the top of this: http://forums.majorgeeks.com/showthread.php?t=38752 after scanning chose save log and save it as a .txt file, for example hijack.txt, then attach it to a thread here.

 

Sound like you have the TX4 BHO to me. A line like this may be in your HijackThis log:


O2 - BHO: TX4 - {00000000-0008-D357-0798-004401965D4A} - C:\WINDOWS\System32\apphelp32.dll

where the CLSID varies and dll file name could be anything.

 

You don't just have db10.com issues! You have a bunch of crap in there including EliteBar!
But the first thing you must do is get HijackThis out of the ZIP file and installed into its own directory.
If you run it from the ZIP, you will not get any backups. Extract the HijackThis.exe file into its own directory (not a temp folder and not to your Desktop).

And this next line is a real bad one:
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

We have to be careful with this one or make so you will not be able to log back into your PC.
Let's fix this wsaupdater problem first. Go to the link below and follow the instructions for WinXP. You may not have the omniscient or WindowsSA stuff but check anyway and follow those directions too if found.

Also, I don't think you followed all the steps in the READ ME FIRST thread. I see no sign of the PandaSoftware scan. You need to go back and run it. You have a bunch of trojans I hope it picks up at least some of them. Also run this:
http://www.windowsecurity.com/trojanscan/

Also, you have a broken LSP chain. Download LSPFix (http://www.cexx.org/lspfix.htm) and run it.
Check the "I know what I am doing" box Click on osmim.dll on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts. Delete the following below file (if you can find it):
c:\windows\system32\osmim.dll

Give me a new HijackThis log attachment after doing all the above.

 

Sorry about that Jayrod! I forgot to give you the link or the wsupdater problem. Here it is:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BLAZEFIND.A

Your right the READ ME FIRST tutorial said Panda was optional. We have modified that READ ME quite a bit just today (well yesterday) and have remove Panda completely because it was awkward to get started.

So try to fix the wsupdater issue first. My next message will begin other fixes.

I see this ElimiExplorer Popup Killer in your log. I don't know anything about this one or who makes it. Are you happy with it and do you trust that it is a valid application?

 

Make sure you still have System Restore disabled: http://forums.majorgeeks.com/showthread.php?t=31668
Don't reboot when asked well do that later when we go to safe mode.

Click Start, and then click Run. (The Run dialog box appears.)
Type, or copy and paste, the following text (include the quotes):
regsvr32 /u "C:\WINDOWS\EliteBar\EliteBar version 50.dll"
then click OK. If a dialog box confirming this action appears, click OK.
Let me know if that works okay.

Enable viewing of hidden files and folders: http://forums.majorgeeks.com/showthread.php?t=37650
Make sure you know how to boot in safe mode (but don't do it yet):
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

Bring up Task Manager by hitting CTRL-ALT-DEL and select Processes. You for the following processes and if found, end them:
active.exe
iidarwoj.exe
cashback.exe
nls.exe
explorer32.exe
wincme32.exe
ttuh.exe
jwl.exe
gx9fz83m9.exe

Then exit Task Manager.
You should print these instructions now or save locally to a file because in the next step you MUST terminate all browser sessions.

Run HijackThis and put check marks on the following lines BUT DO NOT CLICK FIX until you have terminated all browser sessions including the one you are reading this message in (do not open a browser again until told):
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://db105.com:81/cgi-bin/index.cgi?c=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1127
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
O4 - HKLM\..\Run: [tvtlxefy] C:\WINDOWS\System32\iidarwoj.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\wincme32.exe
O4 - HKLM\..\Run: [MS Decryption Software] C:\active.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Jenelle\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Umoei] C:\WINDOWS\System32\jwl.exe
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O8 - Extra context menu item: &Search - http://bar.mwebsearch.com/menusearch.html?p=ZSzeb029
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=8d4aeb9f2d7d9b98cf0462f700d8784dea4658f90d814bb1dccef9ae299f7d8ebaa98c32aeeca181e4716a739511a7b921463862be113ab59d1f6dbe8abf2e:5f0045545912f7d652e2128cb624e1ee
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

After fixing those lines immediately reboot into safe mode.
Now use Windows Explorer to find and delete:
C:\Program Files\CashBack <---- delete the whole directory and all its contents
C:\Program Files\NaviSearch <---- delete the whole directory and all its contents
C:\WINDOWS\EliteBar <---- delete the whole directory and all its contents
C:\WINDOWS\System32\iidarwoj.exe
C:\WINDOWS\System32\explorer32.exe
C:\windows\system32\wincme32.exe
C:\active.exe
C:\Documents and Settings\Jenelle\Application Data\ttuh.exe
C:\WINDOWS\System32\jwl.exe
C:\WINDOWS\gx9fz83m9.exe <--- this is the one you said TrendMicro found.

If you have problems deleting any of those file, run Task Manager again and see if the one you are having a problem with is running again. If so, end it. Then try deleting it again. Let me know if you have any problems getting all of these deleted.

Reset your homepage to whatever you like

- Close all Internet Explorer windows (if you opened any)
- Open Control Panel. Click Start>Settings>Control Panel.
- Double-click the Internet Options icon.
- In the Internet Properties window, click the General tab and enter in the homepage URL you want
- Under the "Temporary Internet Files" section click on Delete Files, then check the box for "delete all offline content" and Click Ok. Once the Temporary Internet Files have been deleted (it may take a few minutes), Click OK and close Internet Options and then close the Control Panel.


Now reboot in normal mode an tell me how things are working. Post another HJT log attachment.
If everything is fixed, enable system restore.

 

Exactly what did you do?

Did you run the steps from the link where it said:

In the right panel, locate and modify the entry:
UserInit = "%System%\wsaupdater.exe"
To:
UserInit="%System%\userinit.exe,"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

Or did you delete the F2 line with HJT.

Remember I did say,
"We have to be careful with this one or make so you will not be able to log back into your PC.
"

We may have to dig out your WinXP disk and use boot from the XP CD to the recovery console to repair this. You do have you XP CD right?

 

Okay! You need to know the password for the Administrator login account. If you did not change it, there should be no password (just hit return) when prompted. Here is what you need to do:

Ok put the Windows CD in the tray and reboot the computer..
-You should get a "press any key to boot from Cd" message, so do that.
-It will load a bunch of files and eventually give you a menu where you can select the "Recovery Console" by pressing R
-You'll see your Windows Installation like "C:\Windows", type the number 1 and press enter.
-Administrator password is next: is probably blank so just press enter, unless you set one in which case enter it.
-With all that done you'll end up with a C:\Windows> prompt

- now type the following lines each followed by the Enter key:
cd C:\Windows\System32
copy userinit.exe wsaupdater.exe

If you get a prompt about overwriting wsaupdater.exe, just say okay or yes!
If this fails, type: attrib -s -h -r wsaupdater.exe
and then try the copy again. Once you succeed in copying the userinit.exe file, reboot normal (take the CD out) and tell me if you can login now.

 

You need to tell me the results of steps. I need to know exactly what happens for every step. Don't forget I cannot see what is going on. You may have gotten an error message when copying the file. Please boot to Recovery Console again.

Then type the following commands each followed by the Enter key:
cd c:\windows\system32 <---- the result of this should just be a change in your command prompt
attrib -h userinit.exe
copy userinit.exe wsaupdater.exe <-- should say 1 file copied
dir userinit.exe <---- should give something like 08/29/2002 07:00 AM 22,016 USERINIT.EXE
dir wsaupdater.exe <---- should give something like 08/29/2002 07:00 AM 22,016 wsaupdater.exe

If your userinit.exe is not this size, tell me what size it is. You may still have a different update version of Windows then I do.

When you ran the steps from the TrendMicro link (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BLAZEFIND.A)
did you run all of them. And did they all work without any errors.

Typically the inability to login occurs because the wsaupdater.exe file is delete before the registry has been properly edited to change UserInit=c:\windows\system32\userinit.exe

Using the recovery console to copy userinit.exe to wsaupdater.exe should allow you to login again and properly edit the registry. I'm not sure why this is not working. All I can guess is that the copy did not work or that you userinit.exe is not valid.

 

Step 5 said,

In the right panel, locate and modify the entry:
UserInit = "%System%\wsaupdater.exe"
To:
UserInit="%System%\userinit.exe,"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.)

if you deleted the line instead of renaming it thats a problem. Also if you did not include the comma after userinit.exe, thats a problem.

Do you have another PC you can connect to this PC via a network? There could be away to fix this using the "Connect Network Registry" ability of regedit.

 

Yes, you can reinstall WinXP from your original CD and re-activate. I believe Microsoft does limit the amount of time a serial number can be activated though.

regedit has an option to run over a network. The option is called Connect Network Registry. The network can be as simple as two PCs tied together thru a cross over cable (or by using a hub). You could then edit and repair your registry remotely. I'm not sure if you have the ability to do this.

 

Thanks for answering my PM Adryn!

Jayrod, check that link out. Let us know if it works for you.

 

Could you be more specific. What is the exact line you are talking about?

 

Yes Adryn! The comma is important from what I remember reading.

 

Sounds like you may need to reinstall some applications and drivers for your hardware. Like your video card, printer, and sound card. Possibly other items too.

 

Do you have the disks that came with your computer and your printer?

 

Okay! Did you install your printer to begin with or did someone do it for you. It is fairly simple to just follow the guidles in the documentation that come with the printer. But first you would need to delete the current installation by bringing up Control Panel and select the Printer and Faxes icon. When the window comes up right click on the printer and select delete. Then reboot your computer. The follow the directions in your printer manual (or possible what windows gives you on reboot if it auto detects the printer).

 

Install your drivers for you video display adapter first. You need to get that working properly before doing anything else.

 

I would assume the so. The drivers for all the hardware that came with the PC should be on the disks they gave you.

 

Didn't any documentation come with your PC? Do you know what Dell PC model and serial number and service code tag? You can get into from Dell on your system.

You can go here and enter that info:
http://support.dell.com/support/troubleshooting.aspx?c=us&cs=19&l=en&s=dhs

and get info about your PC and possible patches and upgrades. Drivers should even be downloadable. Instructions usually come with the downloads.

Also see this:
http://support.dell.com/support/systemsinfo/documentation.aspx?c=us&cs=19&l=en&s=dhs&~cat=8

You need to determine your Video display card

 

Sounds like a built-in controller on the motherboard. Did you try plugin in your serial number into that link I gave you to get info on what came with your PC and to look for driver information. Also, if you have your documentation it should tell you what came with the PC.

The basic process is that you have to load the device drivers for your display adapter again. You should be able to find them on your CD but since I don't know anything about your CD structure I cannot tell you where to look.

If you click Start, Run and enter "compmgmt.msc" without the quotes and click okay a computer management window comes up. Select Device Manager and then click the + sign by Display Adapters. What does it say for your display type? This is also where you can Update or install drivers. You would right click on the actual display adapter it shows and then select Update drivers. This is where you would eventually have to tell it where to look on your CD. You could try just letting Windows try to find the best adapter from what you already have installed but that may or may not work.

 

Sure! As long as you have the ability to do that.
Make sure that you have copies of a virus scan application, spyware blockers, a firewall... basically all the stuff here: How to Protect yourself from malware!

And install them right away after re-installing your OS and before connection to the internet. You should then go get your Microsoft Updates immediately before any of the Blaster or Sasser worms get a chance to mess you up.

 

I would start from scratch. That is, repartition and reformat and complete installation of WinXP. Just doing a reinstall using recovery console may not remove all the problems. But that's up to you. You could just try that re-install and see how things work.


And see this link on keeping your activation status: http://techrepublic.com.com/5208-6230-0.html?forumID=89&threadID=161440&messageID=1665503

 

That question would be better asked over in the Software Forum. Sorry but we are a little too busy here with malware problems. If you have your, Win XP CD and boot from it, much of the process is done during the install if you make the proper selections on how to install and what to do with the current installation it will find.