Why Do I Keep Seeing This?? / It's still happening!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Gurlinthemoon, Jul 27, 2005.

  1. PhilliePhan

    PhilliePhan Guest

    Hey, it gives me something to do with my free time ;)

    Plus, this is an interesting baddie in that it hides from some scans (though Ewido catches some of it).

    I will put something together for you. Likely Thursday evening before I am back on this compy to post it . . .

    PP :)
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Dawn,

    This thing is proving to be a bit of a monster!!

    Please bear with me for ONE LAST SCAN! I promise it's the last one . . . . :cool:

    Please go here --> WinPFind by OldTimer

    Follow the instructions to download, scan and save the results and then please attach the log for me. I just want to see if we can pin this thing down a bit more before we start throwing darts at it.

    PP :)
     
  3. Gurlinthemoon

    Gurlinthemoon Private E-2

    Hey Houdini,

You so need to change your nick...especially if you are successful with my trojan. I know you must have nightmares about him (I've named him Howard...he's such a big part of my life these days I figured he deserved a name lol!!!)!

    Ok so here is the log you asked for. Hopefully it shines a light on what is going on.

    ~Dawn
     


  4. PhilliePhan

    PhilliePhan Guest

    LOL!

    Actually, "Howard" is proving to be really difficult to pin down. He did not show up in that last log . . . . It should have found some trace of the trojan.


    Anyhoo, let's try this:

    Please unzip Pocket KillBox to its own folder. Leave it where you can find it for the time being.

    Please download the attached KillHoward.zip and EXTRACT it to your desktop.

    Just run through these steps as best you can. Should one give you a problem, just keep going.

    FIRST:
    Uninstall SpyBotSD for the time being. Then REBOOT.

    NEXT:
    Go START > RUN > type cmd then type ipconfig /flushdns and hit ENTER - Be sure to leave a space after ipconfig

    NEXT:
    DoubleClick on KillHoward.reg and follow the prompts to allow it to merge into the registry.

    NEXT:
    Please Open Pocket KillBox.
    Next, you will be entering items into Pocket KillBox. Please select the "Delete on Reboot" and "End Explorer Shell While Killing File" options. Enter or copy & paste each of the following into the box one by one, making sure "Delete on Reboot" and "End Explorer Shell While Killing File" are checked for each entry. Click the Red X for each entry, but DO NOT allow your machine to be rebooted until the last item has been entered:

    ** Note:
    For the .dlls, instead of "End Explorer Shell While Killing File", check the "Unregister .dll Before Deleting" box instead.

    C:\WINDOWS\system32\drv2cltr.dll
    C:\WINDOWS\system32\hclean32.exe
    C:\WINDOWS\system32\ntfsnlpa.exe
    C:\WINDOWS\System32\dmbcd.exe
    C:\WINDOWS\system32\xdctn.dll
    C:\WINDOWS\baloon.wav
    C:\WINDOWS\balloon.wav
    C:\WINDOWS\SYSTEM32\RDSNDIN.EXE
    C:\WINDOWS\system32\dmjih.exe
    C:\WINDOWS\system32\hgqhp.exe
    C:\WINDOWS\RDT.INI
    C:\WINDOWS\System32\dmxoq.exe
    C:\WINDOWS\System32\csizd.exe
    C:\WINDOWS\SYSTEM32\CSVMC.EXE

    When the last item has been entered and you are prompted to reboot, ALLOW Pocket KillBox to Reboot your computer. If Killbox fails to Reboot your machine, do it manually.

    Upon reboot, boot directly into safe mode and run EWIDO and then CCleaner.

    Please attach the EWIDO Log for me and let me know how things are running and whether you had any problems with these instructions.
    I'll check back as time permits.

    PP :)
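    As an added example (not part of PhilliePhan's instructions or the KillHoward package), here is a PowerShell check to run after the KillBox reboot: it walks the same list of paths from the post, reports which ones are still present (with size, timestamp and SHA-256 so they can go in the next log), and looks at Windows' standard delete-on-reboot queue. It assumes PowerShell 4.0 or later for Get-FileHash, an elevated prompt, and that a delete queued for the next reboot uses the PendingFileRenameOperations mechanism (an assumption; whether KillBox uses that mechanism is not stated in the thread).

```powershell
# Added example, not from the thread: post-reboot verification of the KillBox file list.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated prompt.

# Paths copied from the KillBox list in the post above.
$paths = @(
    'C:\WINDOWS\system32\drv2cltr.dll',
    'C:\WINDOWS\system32\hclean32.exe',
    'C:\WINDOWS\system32\ntfsnlpa.exe',
    'C:\WINDOWS\System32\dmbcd.exe',
    'C:\WINDOWS\system32\xdctn.dll',
    'C:\WINDOWS\baloon.wav',
    'C:\WINDOWS\balloon.wav',
    'C:\WINDOWS\SYSTEM32\RDSNDIN.EXE',
    'C:\WINDOWS\system32\dmjih.exe',
    'C:\WINDOWS\system32\hgqhp.exe',
    'C:\WINDOWS\RDT.INI',
    'C:\WINDOWS\System32\dmxoq.exe',
    'C:\WINDOWS\System32\csizd.exe',
    'C:\WINDOWS\SYSTEM32\CSVMC.EXE'
)

function Get-CleanupStatus {
    param([string[]]$PathList)
    foreach ($p in $PathList) {
        # -Force so hidden/system attributes do not hide a survivor from Get-Item.
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{ Path = $p; Present = $false; SizeBytes = $null; LastWrite = $null; SHA256 = $null }
        } else {
            # Hash the survivor so the next log carries something a scanner vendor can use.
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            [pscustomobject]@{ Path = $p; Present = $true; SizeBytes = $item.Length; LastWrite = $item.LastWriteTime; SHA256 = $hash }
        }
    }
}

$results = Get-CleanupStatus -PathList $paths
$results | Format-Table -AutoSize

$survivors = @($results | Where-Object Present)
if ($survivors.Count -gt 0) {
    Write-Warning ("{0} listed file(s) still present; include the table above with the next log." -f $survivors.Count)
} else {
    Write-Host 'All listed files are gone.'
}

# Windows' own delete-on-reboot queue. After a completed reboot it should normally be empty;
# a non-empty value means a queued delete has not been processed yet (assumption: KillBox queues via this mechanism).
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sessionMgr -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) {
    Write-Warning 'PendingFileRenameOperations is not empty; a queued delete has not run yet.'
}
```

    Run it once after the safe-mode reboot and once more after a normal boot: a file that is absent in safe mode but back after a normal boot points at something that recreates it at startup rather than at a scan that simply missed it, which is the reinfection-versus-leftover question raised later in the thread.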
     


  5. Gurlinthemoon

    Gurlinthemoon Private E-2

    LMAO@naming the registry KillHoward!! That was great!

    Ok I did what you said...sort of.

    The option to click the box Unregister .dll Before Deleting was grayed out, so I couldn't get rid of any of the .dlls at all.

    When I rebooted after I deleted all the other files it went to normal mode first (kids needed me and I wasn't fast enough) so I rebooted again to safe mode.

    I'm attaching the Ewido log, but it didn't really find anything.

    I'll let you know if I see Howard again.

    I finally get to have a life tonight (had to consult the dictionary on that term as it has been so long!) so I will check back tomorrow.

    ~Dawn
     


  6. PhilliePhan

    PhilliePhan Guest

    What is this . . . life you speak of? I am unfamiliar with that term . . . LOL!

    Here's hoping that got rid of "Howard!" I can't shake the feeling that I am missing something. The problem is . . . I can't see anything in the scans and it's hard to kill what you can't see.

    It is encouraging that the EWIDO scan is clean - It tends to find and clean some of this baddie, so we might have gotten it. But, we thought so before . . . I still wonder if you are being reinfected during surfing?

    Anyhoo, I do imagine that even if we are missing some critical component of this baddie, EWIDO or one of the other anti-spy tools will soon catch it. Just be sure to internet update the tools before you run them - and run them often!

    Let me know if "Howard" shows up again. I'll keep my fingers crossed.

    PP :)
     
  7. Gurlinthemoon

    Gurlinthemoon Private E-2

    Life: defined as living, having fun, doing something other than working, cooking, cleaning and taking care of others. Doing something exciting for oneself, i.e. a night out on the town. Hopefully it sounds somewhat familiar to you!

    Anyway, you are totally my hero! Howard is dead, dead, dead!! Let's hope he's not like those zombies in "Night of the living dead" and stays that way!!

    Thanks a million....you can now say with confidence that you ARE a "Major Geek" and have fought the invincible Howard!!!

    Houdini Rules!!

    ~Dawn
     
  8. PhilliePhan

    PhilliePhan Guest

    Thanks for the good word! I'm happy to try to help :cool:

    I still wonder if it has been completely removed - When it came back the last time, I was not sure if it was a reinfection or if we missed something. I guess time will tell.

    Don't forget to have a peek at Chaslang's suggestions or mine here.

    Best :)
    PP
     
