Question

  • #2154162

    IE Hijacker

    Locked

    by brian.mccrady ·

    I am running an XP system and it has been recently infected by an IE hijacker. I can clean it with Ad-Aware, SpyBot, Sophos, but on reboot it reloads files in C:\Documents and Settings\Owner named (I think, as I have removed them for now) RePatch and Uploader.

    Right now, I can’t even get HiJackThis to download (or to run if I load it from a memory stick).

    Where do I start?

    Thanks

All Answers

    • #2919143

      Clarifications

      by brian.mccrady ·

      In reply to IE Hijacker

      Clarifications

    • #2919138

      Have you

      by rob miners ·

      In reply to IE Hijacker

      turned off System Restore and run your malware removal tools in Safe Mode?

      • #2919136

        No and yes

        by brian.mccrady ·

        In reply to Have you

        I had run everything under Safe Mode, but I hadn’t turned off System Restore. I will try that. Thanks.

        • #2919133

          They will be lurking

          by rob miners ·

          In reply to No and yes

          in System Restore, let us know how you get on.

        • #2919107

          Nope

          by brian.mccrady ·

          In reply to They will be lurking

          I ran Sophos, Ad-Aware, Spybot all in Safe Mode and all with System Restore off.

          When I restarted to normal mode, Sophos pulls up these two warnings:

          RunUpdater.exe is part of Mal/Generic-A
          RunPatch.exe is part of Mal/DownLdr-O

          My internet is still being hijacked. I can’t download HiJackThis at all. When I try, the system takes me back to the desktop.

        • #2919106

          Try this

          by rob miners ·

          In reply to Nope

          Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Copy the SAV32CLI folder produced onto a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD/R or CD/RW, close the session) or a flash stick.
          Restart the computer in Safe Mode. Go to Start|Shut Down. Select ‘Restart’ from the dropdown list and click ‘OK’. Windows will restart. Press F8 when you see the following text at the bottom of the screen: “For troubleshooting and advanced startup options for Windows 2000, press F8”. In the Windows 2000 Advanced Options Menu, select the third option, ‘Safe Mode with Command Prompt’.
          At the affected computer, place the CD in the CD drive (D: in this example). At the command prompt type

          D:

          to access the CD drive. Type:
          CD SAV32CLI

          Then type:
          SAV32CLI -REMOVE -P=C:\LOGFILE.TXT

          to remove the file.

        • #2919061

          Still came back

          by brian.mccrady ·

          In reply to Try this

          I did the whole procedure, but as soon as I reboot to normal Windows, those same files, RunPatch and RunUpdater, reappear.

        • #2919046

          See if this helps

          by rob miners ·

          In reply to Still came back

          I wasn’t ready and accidentally hit the button.

        • #2918823

          Trend Micro results

          by brian.mccrady ·

          In reply to No and yes

          Found one malware JAVA_BYTEVER.BJ and one spyware ADWARE_ALWAYSUPDATEDNEWS. Both were removed.

          Previous problem with RunPatch and Updater seems to be fixed. They haven’t returned.

          Still can’t run hijackthis. As others have reported, if I try to download it from the Web, the system takes me off the Net and back to the desktop.

          I’m certainly better than I was, but I would still like to figure out what the root problem is.

          Any more ideas? Your help has been much appreciated so far.

        • #2911537

          Update Spybot

          by rob miners ·

          In reply to Trend Micro results

          boot into Safe Mode to run it. While you are there try running HT from your stick.

          < add a bit >

          See if you can download this and run it. Silent Runners

          http://www.silentrunners.org/sr_download.html

        • #2911533

          Silent Runners Log

          by brian.mccrady ·

          In reply to Update Spybot

          Spybot is already up to date. I tried HT once again in safe mode – nothing.

          Attached is the Silent Runners Log. I haven’t looked at it yet.

          "Silent Runners.vbs", revision 58, http://www.silentrunners.org/
          Operating System: Windows XP SP2
          Output limited to non-default values, except where indicated by "{++}"

          Startup items buried in registry:
          ---------------------------------

          HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
          "{C806F694-06A1-1033-0819-050831010001}" = ""C:\Program Files\Common Files\{C806F694-06A1-1033-0819-050831010001}\Update.exe" mc-110-12-0000140" [file not found]

          HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
          "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
          "NvMediaCenter" = ""RUNDLL32.EXE" C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
          "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
          "PowerBar" = "(empty string)" [file not found]
          "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020" [file not found]
          "ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["Macrovision Corporation"]
          "WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]

          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
          "iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
          "NvCplDaemon" = ""RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
          "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
          "Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
          "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
          "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
          "dvd43" = "C:\Program Files\dvd43\dvd43_tray.exe" [empty string]
          "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
          "MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
          "KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
          {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
          -> {HKLM...CLSID} = "AcroIEHlprObj Class"
          \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
          {3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
          -> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
          \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]
          {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
          -> {HKLM...CLSID} = "SSVHelper Class"
          \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
          {933ED98E-57E9-11DD-BF82-A36255D89593}\(Default) = "CUNta"
          -> {HKLM...CLSID} = "CUNta"
          \InProcServer32\(Default) = "C:\WINDOWS\system32\cunta.dll" ["Insoft"]
          {B03C703B-B8AE-9059-F9DA-B7DEBBB75BBB}\(Default) = (no title provided)
          -> {HKLM...CLSID} = (no title provided)
          \InProcServer32\(Default) = "C:\WINDOWS\system32\gpa.dll" [file not found]
          {B53C766B-E9FB-9759-F7DA-B7DEBBB758E2}\(Default) = (no title provided)
          -> {HKLM...CLSID} = (no title provided)
          \InProcServer32\(Default) = "C:\WINDOWS\system32\xmsonbbu.dll" [file not found]
          {ED3C7664-BAFF-9051-F1DA-B7DEBBB759E0}\(Default) = (no title provided)
          -> {HKLM...CLSID} = (no title provided)
          \InProcServer32\(Default) = "C:\WINDOWS\system32\xtmfldv.dll" [file not found]

          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
          "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
          -> {HKLM...CLSID} = "Display Panning CPL Extension"
          \InProcServer32\(Default) = "deskpan.dll" [file not found]
          "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
          -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
          \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
          "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
          -> {HKLM...CLSID} = "Desktop Explorer"
          \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
          "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
          -> {HKLM...CLSID} = (no title provided)
          \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
          "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
          -> {HKLM...CLSID} = "iTunes"
          \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
          "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
          -> {HKLM...CLSID} = "WinRAR"
          \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
          "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
          -> {HKLM...CLSID} = (no title provided)
          \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
          "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
          -> {HKLM...CLSID} = "My Sharing Folders"
          \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
          "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
          -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
          \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" [file not found]
          "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
          -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
          \InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" [file not found]
          "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
          -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
          \InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" [file not found]
          "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
          -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
          \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
          "{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D}" = "Sophos Anti-Virus Shell Extension"
          -> {HKLM...CLSID} = "ContextMenuHandler Class"
          \InProcServer32\(Default) = "C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll" ["Sophos Plc"]

          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
          "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
          -> {HKLM...CLSID} = "WPDShServiceObj Class"
          \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

          HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
          <> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

          HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
          <> daebefeabc\DLLName = "C:\WINDOWS\system32\daebefeabc.dll" [null data]
          <> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
          <> WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

          HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
          <> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
          -> {HKLM...CLSID} = (no title provided)
          \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

          HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
          {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
          -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
          \InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\Lib\NeroDigitalExt.dll" [file not found]
          {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
          -> {HKLM...CLSID} = "PDF Shell Extension"
          \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

          HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
          SavShellExt\(Default) = "{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D}"
          -> {HKLM...CLSID} = "ContextMenuHandler Class"
          \InProcServer32\(Default) = "C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll" ["Sophos Plc"]
          WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
          -> {HKLM...CLSID} = "WinRAR"
          \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

          HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
          SavShellExt\(Default) = "{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D}"
          -> {HKLM...CLSID} = "ContextMenuHandler Class"
          \InProcServer32\(Default) = "C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll" ["Sophos Plc"]
          WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
          -> {HKLM...CLSID} = "WinRAR"
          \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

          HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
          SavShellExt\(Default) = "{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D}"
          -> {HKLM...CLSID} = "ContextMenuHandler Class"
          \InProcServer32\(Default) = "C:\Program Files\Sophos\Sophos Anti-Virus\SavShellExt.dll" ["Sophos Plc"]
          SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
          -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
          \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" [file not found]
          WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
          -> {HKLM...CLSID} = "WinRAR"
          \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

          HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
          SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
          -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
          \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" [file not found]

          Group Policies {GPedit.msc branch and setting}:
          -----------------------------------------------

          Note: detected settings may not have any effect.

          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

          "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
          {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
          Shutdown: Allow system to be shut down without having to log on}

          "undockwithoutlogon" = (REG_DWORD) dword:0x00000001
          {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
          Devices: Allow undock without having to log on}

          "DisableTaskMgr" = (REG_DWORD) dword:0x00000000
          {unrecognized setting}

          Active Desktop and Wallpaper:
          -----------------------------

          Active Desktop may be disabled at this entry:
          HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

          Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
          HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
          "Wallpaper" = "%APPDATA%\Webshots\The Webshots Desktop\Webshots Wallpaper.bmp"

          Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
          HKCU\Control Panel\Desktop\
          "Wallpaper" = "C:\Documents and Settings\Owner\Application Data\Webshots\The Webshots Desktop\Webshots Wallpaper.bmp"

          Windows Portable Device AutoPlay Handlers
          -----------------------------------------

          HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

          DVDFabDecrypterOnDVDArrival\
          "Provider" = "DVDFab Decrypter"
          "InvokeProgID" = "DVDFabDecrypterOpen"
          "InvokeVerb" = "Open"
          HKLM\SOFTWARE\Classes\DVDFabDecrypterOpen\shell\Open\command\(Default) = "C:\PROGRA~1\DVDFAB~1\DVDFAB~1.EXE" [file not found]

          DVDFabHDDecrypterOnDVDArrival\
          "Provider" = "DVDFab HD Decrypter"
          "InvokeProgID" = "DVDFabHDDecrypterOpen"
          "InvokeVerb" = "Open"
          HKLM\SOFTWARE\Classes\DVDFabHDDecrypterOpen\shell\Open\command\(Default) = "E:\PROGRA~1\DVDFAB~1\DVDFAB~1.EXE" [file not found]

          iTunesBurnCDOnArrival\
          "Provider" = "iTunes"
          "InvokeProgID" = "iTunes.BurnCD"
          "InvokeVerb" = "burn"
          HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Computer, Inc."]

          iTunesImportSongsOnArrival\
          "Provider" = "iTunes"
          "InvokeProgID" = "iTunes.ImportSongsOnCD"
          "InvokeVerb" = "import"
          HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Computer, Inc."]

          iTunesPlaySongsOnArrival\
          "Provider" = "iTunes"
          "InvokeProgID" = "iTunes.PlaySongsOnCD"
          "InvokeVerb" = "play"
          HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Computer, Inc."]

          iTunesShowSongsOnArrival\
          "Provider" = "iTunes"
          "InvokeProgID" = "iTunes.ShowSongsOnCD"
          "InvokeVerb" = "showsongs"
          HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Computer, Inc."]

          MSWPDShellNamespaceHandler\
          "Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
          "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
          "InitCmdLine" = " "
          -> {HKLM...CLSID} = "WPDShextAutoplay"
          \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]
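A Silent Runners log like the one above is normally read by eye, looking for the same few cues every time: a `[file not found]` annotation is a dead value that still needs deleting, `[null data]` means the module carries no version resource, Policies\Explorer\Run is an autostart location that legitimate software rarely uses, and a Winlogon\Notify package without a publisher is a DLL that winlogon.exe loads at every logon. The following Python script is an added example, not part of the thread and not a Silent Runners feature, that parses output in this format and scores each entry with those cues. The sample input is a constructed excerpt that copies a handful of the log's entries; the severity rules are heuristics chosen for this example.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in Silent Runners format, modelled on a few entries of
# the log posted above (not the full log).
SAMPLE_LOG = r'''
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"{C806F694-06A1-1033-0819-050831010001}" = ""C:\Program Files\Common Files\{C806F694-06A1-1033-0819-050831010001}\Update.exe" mc-110-12-0000140" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{933ED98E-57E9-11DD-BF82-A36255D89593}\(Default) = "CUNta"
-> {HKLM...CLSID} = "CUNta"
\InProcServer32\(Default) = "C:\WINDOWS\system32\cunta.dll" ["Insoft"]
{B53C766B-E9FB-9759-F7DA-B7DEBBB758E2}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\xmsonbbu.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> daebefeabc\DLLName = "C:\WINDOWS\system32\daebefeabc.dll" [null data]
<> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
'''

# Image path inside the value data: a drive-rooted path ending in a module
# extension, or a bare DLL name (Winlogon\Notify often stores just the name).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr)|\b[\w-]+\.dll\b)', re.I)
# Silent Runners' trailing annotation: [MS], ["Publisher"], [file not found], [null data], ...
TAG_RE = re.compile(r'\s\[([^\[\]]*)\]$')
SEVERITY = {1: 'low', 2: 'medium', 3: 'high'}


@dataclass
class Finding:
    severity: str
    image: str      # file name of the loaded module, lower-cased
    key: str        # registry key the entry lives under
    reasons: str


def parse(log):
    """Yield (key, image_path, tag) for every value line that names a module."""
    key = ''
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith(('HKLM\\', 'HKCU\\')):
            key = line.replace(' {++}', '')
            continue
        if ' = ' not in line or line.startswith('->'):
            continue
        data = line.partition(' = ')[2]
        tag = TAG_RE.search(data)
        path = PATH_RE.search(data)
        if path:
            yield key, path.group(1), tag.group(1) if tag else ''


def has_publisher(tag):
    # [MS] is Microsoft; ["Vendor"] is the company name from the version resource.
    return tag == 'MS' or tag.startswith('"')


def triage(log):
    findings = []
    for key, path, tag in parse(log):
        k, p = key.lower(), path.lower()
        image = p.rsplit('\\', 1)[-1]
        reasons, sev = [], 0
        if 'policies\\explorer\\run' in k:
            reasons.append('Policies\\Explorer\\Run autostart, a location legitimate software rarely uses')
            sev = max(sev, 3)
        if 'winlogon\\notify' in k and not has_publisher(tag):
            reasons.append('Winlogon notification DLL with no publisher; loaded by winlogon.exe at logon')
            sev = max(sev, 3)
        if 'browser helper objects' in k:
            if not has_publisher(tag):
                reasons.append('BHO with no publisher data')
                sev = max(sev, 1 if tag == 'file not found' else 2)
            if '\\system32\\' in p:
                reasons.append('third-party BHO living in system32 (vendor BHOs normally sit under Program Files)')
                sev = max(sev, 2)
        if tag == 'null data' and '\\system32\\' in p:
            reasons.append('module in system32 with no version resource')
            sev = max(sev, 2)
        if tag == 'file not found':
            reasons.append('dead value: file already gone, registry still points at it (delete the value)')
            sev = max(sev, 1)
        if reasons:
            findings.append(Finding(SEVERITY[sev], image, key, '; '.join(reasons)))
    order = {'high': 0, 'medium': 1, 'low': 2}
    return sorted(findings, key=lambda f: order[f.severity])


def report(log):
    return '\n'.join(f'{f.severity:6} {f.image:20} {f.key}\n       {f.reasons}'
                     for f in triage(log))


if __name__ == '__main__':
    print(report(SAMPLE_LOG))
```

On the excerpt this ranks the Winlogon\Notify DLL daebefeabc.dll and the Policies\Explorer\Run Update.exe value as high, the two system32 BHOs as medium, and leaves the Microsoft, Apple, Sun and Intel entries alone. The script only scores lines that name a module, so entries such as the BootExecute value are not judged; it is a reading aid for the log, not a replacement for checking the flagged files themselves.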

        • #2911528

          A couple more steps

          by rob miners ·

          In reply to Silent Runners Log

          Download and install CCleaner to tidy up your Registry. Back up the Registry as you go along; rescan again and again, saving as you go, until there are no errors left.

          Cleaner: Windows

          When you first open CCleaner you will have an option to Analyze or Run Cleaner, after checking the left pane and making your choices. Delete all Temp Files. If you scroll down you will see a greyed-out box that has Advanced next to it. Left-click on it and keep pressing OK to all of the responses. I normally untick Windows Log Files and Memory Dumps as they may come in handy.

          You don’t have to install all of the add-ons or shortcuts, just the one to the Desktop.

          http://www.ccleaner.com/download

          What, apart from HijackThis, isn’t working?

          Go to Start, All Programs and System Tools, and click Internet Explorer (No Add-ons).

          Restart Internet Explorer. If it runs smoothly, then it can be determined that one of the add-ons was causing the problem. You will need to continue troubleshooting this issue until you find out which add-on was causing the problem.

        • #2911521

          Still not there

          by brian.mccrady ·

          In reply to A couple more steps

          CCleaner complete – no registry issues.

          IE – even with no add-ons, if I type hijackthis in the Google search bar, IE stops and puts me back to the desktop.

          Hijack this still doesn’t work.

        • #2911312

          USB Stick

          by brian.mccrady ·

          In reply to No and yes

          Doesn’t seem to accomplish anything. autorun.inf and m.exe are on the stick before and after the del process. I can run the drive through Sophos, which always picks up m.exe as belonging to Mal/Generic-A, and I can clean it up, but it comes right back within seconds. m.exe is part of Win32.x

        • #2911308

          Try and format it

          by rob miners ·

          In reply to USB Stick

          as FAT32 and see if that gets rid of it.

        • #2911289

          You’ve lost me

          by brian.mccrady ·

          In reply to Try and format it

          I don’t understand the reasoning behind formatting the USB stick? The m.exe file is being added to the stick from the system somehow. I’ve erased it countless times and it comes right back. Sorry if I’m missing something elemental here….. Wouldn’t be the first time.

        • #2911282

          From which system

          by rob miners ·

          In reply to You’ve lost me

          Upon execution, the worm copies itself to the following location:

          %WinDir%\msmsgs.exe

          It drops the following files:

          %WinDir%\Debug\sysdeb.ini (data file)
          %UserProfile%\Local Settings\Temp\windll.exe (BackDoor-CEP trojan)
          %SystemDir%\explorer.exe (BackDoor-CEP trojan)

          The worm adds the following registry key:

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
          "Windows Messenger" = %WinDir%\msmsgs.exe

          The dropped BackDoor-CEP trojan adds the following registry keys:

          HKEY_CURRENT_USER\Software\Wget
          "klg" = 01
          HKEY_LOCAL_MACHINE\SOFTWARE\Wget
          "nck" = (binary data)
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
          "stubpath" = %SystemDir%\explorer.exe s

          The BackDoor-CEP trojan attempts to connect to the following remote site and waits for commands:

          christophe.[removed].net port:80

          Symptoms

          Presence of file(s) and registry key(s) as previously mentioned. Unexpected network connections to the mentioned site(s).

          Method of Infection

          The worm attempts to drop the following files onto removable drives:

          autorun.inf (root folder)
          Recycler\Recycler\autorun.exe (W32/CEP.worm)
          Recycler\Recycler\desktop.ini

          MANUALLY try to delete it following the steps below.

          When Adware.TargetSaver is executed, it performs the following actions:

          May create one or more of the following folders:

          %Program Files%\Common Files\tsa
          %Program Files%\Common Files\tsa\rainbow
          %Program Files%\Common Files\[random four letter name]
          %Program Files%\Common Files\[random four letter name]\[random four letter name]d
          %Windir%\[random four letter name]

          Note:
          %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
          %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

          May create one or more of the following files:

          %Program Files%\Common Files\tsa\inst.dat
          %Program Files%\Common Files\tsa\ts2.exel
          %Program Files%\Common Files\tsa\ts2lock
          %Program Files%\Common Files\tsa\tsl2.exe
          %Program Files%\Common Files\tsa\tsm2.exe
          %Program Files%\Common Files\tsa\tsm2lock
          %Program Files%\Common Files\tsa\tsm2.exe
          %Program Files%\Common Files\tsa\tsm2lock
          %Program Files%\Common Files\tsa\tsp2.exe
          %Program Files%\Common Files\tsa\tsuninst.exe
          %Program Files%\Common Files\tsa\wu
          %Program Files%\Common Files\tsa\rainbow\class-barrel
          %Program Files%\Common Files\tsa\rainbow\classify.dll
          %Program Files%\Common Files\tsa\rainbow\vocabulary
          %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]a.exe
          %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]a.lck
          %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]l.exe
          %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]l.lck
          %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]m.exe
          %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]m.lck
          %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]p.exe
          %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]d\class-barrel
          %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]d\[RANDOM FOUR LETTER NAME]c.dll
          %Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]d\vocabulary
          %UserProfile%\Temp\tsupdate_[VERSION NUMBER]_b2.exe
          %Windir%\[RANDOM FOUR LETTER NAME]\wu
          %Windir%\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]z.dat
          %System%\tsuninst.exe

          Notes:
          %UserProfile% is a variable that refers to the current user’s profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
          %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

          May add the following value:

          "Tsa2" = "%Program Files%\Common Files\tsa\tsm2.exe"

          to the registry subkey:

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

          so that the adware runs every time Windows starts.

          May add one or more of the following values:

          "[RANDOM FOUR LETTER NAME]" = "%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]m.exe"

          to the registry subkey:

          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

          so that the adware runs every time Windows starts.

          Creates the following registry subkeys:

          HKEY_LOCAL_MACHINE\SOFTWARE\TSA
          HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM FOUR LETTER NAME]
          HKEY_CURRENT_USER\SOFTWARE\TSA
          HKEY_CURRENT_USER\SOFTWARE\[RANDOM FOUR LETTER NAME]
          HKEY_LOCAL_MACHINE\SOFTWARE\Uninstall\TSA
          HKEY_LOCAL_MACHINE\SOFTWARE\Uninstall\[RANDOM FOUR LETTER NAME]

          Downloads updates from a remote site.

          Monitors open windows for words from the vocabulary file.

          Displays advertisements using pop-up and pop-under windows.

          REMOVAL
          Note: This adware may include an uninstaller. The uninstaller file is usually %Program Files%\Common Files\tsuninst.exe. Using Windows Explorer, see if this file exists.

          If you cannot find the file, follow the instructions below.
          If the file does exist, double-click it and follow any prompts. After the uninstaller is finished, to make sure that the threat has been removed, follow the instructions below.

          The following instructions pertain to all Symantec antivirus products that support security risk detection.

          Update the definitions.
          Run a full system scan.
          Delete any values added to the registry.

          For specific details on each of these steps, read the following instructions.

          1. To update the definitions
          To obtain the most recent definitions, start your Symantec program and run LiveUpdate.

          2. To run the scan
          Start your Symantec antivirus program, and then run a full system scan.

          If any files are detected, and depending on which software version you are using, you may see one or more of the following options:

          Note: This applies only to versions of Norton AntiVirus that support security risk detection. If you are running a version of Symantec AntiVirus Corporate Edition that supports security risk detection, and security risk detection has been enabled, you will only see a message box that gives the results of the scan. If you have questions in this situation, contact your network administrator.

          Exclude (Not recommended): If you click this button, it will set the risk so that it is no longer detectable. That is, the antivirus program will keep the security risk on your computer and will no longer detect it to remove from your computer.

          Ignore or Skip: This option tells the scanner to ignore the risk for this scan only. It will be detected again the next time that you run a scan.

          Cancel: This option is new to Norton Antivirus 2005. It is used when Norton Antivirus 2005 has determined that it cannot delete a security risk. This Cancel option tells the scanner to ignore the risk for this scan only, and thus, the risk will be detected again the next time that you run a scan.

          To actually delete the security risk:
          Click its file name (under the Filename column).
          In the Item Information box that displays, write down the full path and file name.
          Then use Windows Explorer to locate and delete the file.

          If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer. Restart the computer in Normal mode.

          Delete: This option will attempt to delete the detected files. In some cases, the scanner will not be able to do this.
          If you see a message, “Delete Failed” (or similar message), manually delete the file.
          Click the file name of the risk that is under the Filename column.
          In the Item Information box that displays, write down the full path and file name.
          Then use Windows Explorer to locate and delete the file.

          If Windows reports that it cannot delete the file, this indicates that the file is in use. In this situation, complete the rest of the instructions on this page, restart the computer in Safe mode, and then delete the file using Windows Explorer. Restart the computer in Normal mode.

          Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.

          After the files are deleted, restart the computer in Normal mode and proceed with the next section.

          Warning messages may be displayed when the computer is restarted, since the risk may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

          Title: [FILE PATH]
          Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

          3. To delete the value from the registry
          Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. Read the document: How to make a backup of the Windows registry.

          Click Start > Run.
          Type regedit

          Then click OK.

          Note: If the registry editor fails to open the risk may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

          Navigate to the subkey:

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

          In the right pane, delete the value:

          “Tsa2” = “%Program Files%\Common Files\tsa\tsm2.exe”

          Navigate to the subkey:

          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

          In the right pane, delete the value:

          “[RANDOM FOUR LETTER NAME]” = “%Program Files%\Common Files\[RANDOM FOUR LETTER NAME]\[RANDOM FOUR LETTER NAME]m.exe”

          Navigate to and delete the following subkeys:

          HKEY_LOCAL_MACHINE\SOFTWARE\TSA
          HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM FOUR LETTER NAME]
          HKEY_CURRENT_USER\SOFTWARE\TSA
          HKEY_CURRENT_USER\SOFTWARE\[RANDOM FOUR LETTER NAME]
          HKEY_LOCAL_MACHINE\SOFTWARE\Uninstall\TSA
          HKEY_LOCAL_MACHINE\SOFTWARE\Uninstall\[RANDOM FOUR LETTER NAME]

          Exit the Registry Editor.

          http://www.symantec.com/security_response/print_writeup.jsp?docid=2004-121515-0757-99

    • #2919041

      Can you get HiJackThis

      by rob miners ·

      In reply to IE Hijacker

      to run in Safe Mode and post the log file.

      • #2919000

        No, it won’t

        by brian.mccrady ·

        In reply to Can you get HiJackThis

        I’ve tried to run it in safe mode. I’ve tried to rename the file. No luck getting it to run.

        • #2918914

          Try this

          by rob miners ·

          In reply to No, it won’t

          Click on Start, Run and type in msconfig and press Enter. Disable the RunUpdater.exe and RunPatch.exe entries in the list on the Startup tab and restart the PC. See if you can run HijackThis. If you can’t, go to step two, remembering to make a backup in case anything goes wrong.

          Start, Run and type in regedt32 and press Enter. Navigate to these Run keys, look for RunUpdater.exe and RunPatch.exe and delete them.

          There are seven Run keys in the registry that cause programs to be run automatically:

          • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
          • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
          • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
          • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
          • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
          • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
          • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
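
The registry step in the Symantec writeup quoted above and the seven Run keys in this post amount to the same check: what does each autostart value actually launch, and from where? The script below is an added example (not from the thread, from Symantec or from any tool named here) that runs that check offline over a regedit export, so the infected machine only has to produce a .reg file rather than run a tool it keeps killing, as happened with HijackThis. The export workflow, the sample export and the flagging heuristics are assumptions made for illustration; the only names it watches for are the ones reported in this thread (RunUpdater.exe, RunPatch.exe, m.exe and the writeup's tsm2.exe).

```python
"""Triage Run-key autostart entries from a regedit export (.reg file).

Added example, not from the thread. Assumed workflow: on the infected XP
machine open regedit, right-click each Run key, choose Export, copy the
.reg files to a clean machine and run this script there. The sample and
the heuristics are constructed; the suspect names come from the thread.
"""
import re
import sys

# The seven autostart keys listed in the thread, compared case-insensitively.
RUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
)}
# File names the thread reports as malware (Sophos hits and Symantec's tsm2.exe).
SUSPECT_NAMES = {"runupdater.exe", "runpatch.exe", "tsm2.exe", "m.exe"}
# Where a legitimate XP autostart target is expected to live (lower-case).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "%systemroot%\\", "%programfiles%\\")
_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export: one legitimate entry, the Symantec writeup's Tsa2
# value, the thread's RunUpdater.exe, a bare m.exe, and a non-Run key to skip.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tsa2"="C:\\Program Files\\Common Files\\tsa\\tsm2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"DesktopProcess"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"RunUpdater"="\"C:\\Documents and Settings\\Owner\\RunUpdater.exe\" /s"
"Updater"="m.exe"
'''

def unescape_reg_string(s):
    """Undo regedit's escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", s)

def extract_exe(command):
    """Return the executable from a command line (quoted or unquoted)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = []  # an unquoted path with spaces spans tokens up to the .exe
    for tok in command.split():
        parts.append(tok)
        if tok.lower().endswith((".exe", ".com", ".bat", ".cmd", ".scr", ".pif")):
            break
    return " ".join(parts)

def assess(exe):
    """Heuristic reasons an autostart target deserves a closer look."""
    low, reasons = exe.lower(), []
    if low.rsplit("\\", 1)[-1] in SUSPECT_NAMES:
        reasons.append("file name reported as malware in the thread")
    if not re.match(r"^([a-z]:\\|%)", low):
        reasons.append("relative path, resolved via PATH at logon")
    elif not low.startswith(TRUSTED_PREFIXES):
        reasons.append("runs from outside Windows/Program Files")
    if "\\documents and settings\\" in low or "\\temp\\" in low:
        reasons.append("lives in a user profile or temp directory")
    return reasons

def triage_reg_export(text):
    """Parse a .reg export and return every value found under a Run key."""
    entries, key, in_run_key = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_LINE.match(line):
            key = m.group(1)
            in_run_key = key.lower() in RUN_KEYS
            continue
        m = _VALUE_LINE.match(line)
        if not (m and in_run_key):
            continue
        name, data = unescape_reg_string(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            command = unescape_reg_string(data[1:-1])
            exe = extract_exe(command)
            reasons = assess(exe)
        else:  # hex(2)/dword data: a REG_EXPAND_SZ can still hold a command
            command, exe, reasons = data, "", ["non-string value type, decode manually"]
        entries.append({"key": key, "name": name, "command": command,
                        "exe": exe, "reasons": reasons})
    return entries

def suspicious(entries):
    return [e for e in entries if e["reasons"]]

if __name__ == "__main__":  # regedit 5.00 exports are UTF-16 with a BOM
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for e in suspicious(triage_reg_export(text)):
        print(f'{e["key"]}\n  "{e["name"]}" = {e["command"]}')
        for reason in e["reasons"]:
            print(f"    - {reason}")
```

Run it with no argument to see the constructed sample triaged; with a path it reads a real export. Note that the Tsa2 entry is flagged only by its file name: it sits under Program Files, so location alone would not have caught it, which is why the name list and the location check are kept separate.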

        • #2918874

          Getting closer

          by brian.mccrady ·

          In reply to Try this

          Couldn’t find runpatch or updater in the registry keys but did find some other nasties; csrrs and access2007a. Deleted both of those.

          On restart, runpatch and uploader are no longer appearing in the c:/documents and settings/owner file, but Hijackthis will still not start (not in normal mode; haven’t tried safe mode yet; nope to safe mode too)

          I ran a full Ad-Aware scan in safe mode and did get an indication of malware in HKLM/system/controlset001/control/safeboot/minimal//ctl_w32l.sys, but I could neither delete it nor send it to quarantine.

          Really appreciate the help so far.

          Any other ideas

        • #2918870

          See if this will help

          by rob miners ·

          In reply to Getting closer

          do an online scan with Bitdefender.

          http://www.bitdefender.com/scan8/ie.html

        • #2918846

          BitDefender log

          by brian.mccrady ·

          In reply to See if this will help

          Log is attached

          BitDefender Online Scanner

          Scan report generated at: Sun, Aug 03, 2008 – 19:50:30

          Scan path: A:\;C:\;D:\;E:\;F:\;

          Statistics

          Time
          00:56:01

          Files
          119830

          Folders
          4863

          Boot Sectors
          4

          Archives
          902

          Packed Files
          5624

          Results

          Identified Viruses
          8

          Infected Files
          17

          Suspect Files
          0

          Warnings
          0

          Disinfected
          0

          Deleted Files
          17

          Engines Info

          Virus Definitions
          1414001

          Engine build
          AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)

          Scan plugins
          16

          Archive plugins
          43

          Unpack plugins
          7

          E-mail plugins
          6

          System plugins
          5

          Scan Settings

          First Action
          Disinfect

          Second Action
          Delete

          Heuristics
          Yes

          Enable Warnings
          Yes

          Scanned Extensions
          *;

          Exclude Extensions

          Scan Emails
          Yes

          Scan Archives
          Yes

          Scan Packed
          Yes

          Scan Files
          Yes

          Scan Boot
          Yes

          Scanned File
          Status

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\1st File Hider v3.22.zip=>fhrapp.exe=>(CAB Sfx r)=>t.exe
          Infected with: Trojan.Generic.370470

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\1st File Hider v3.22.zip=>fhrapp.exe=>(CAB Sfx r)=>t.exe
          Deleted

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\1st File Hider v3.22.zip=>fhrapp.exe=>(CAB Sfx r)
          Update failed

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Borland C++ Builder 6.0 Enterprise by NLiSO.zip=>nli-bcb6kg.exe=>(CAB Sfx r)=>t.exe
          Infected with: Trojan.Generic.370470

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Borland C++ Builder 6.0 Enterprise by NLiSO.zip=>nli-bcb6kg.exe=>(CAB Sfx r)=>t.exe
          Deleted

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Borland C++ Builder 6.0 Enterprise by NLiSO.zip=>nli-bcb6kg.exe=>(CAB Sfx r)
          Update failed

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\CFATest by DBC.zip=>tca_cfatestkg.exe=>(CAB Sfx r)=>t.exe
          Infected with: Trojan.Generic.370470

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\CFATest by DBC.zip=>tca_cfatestkg.exe=>(CAB Sfx r)=>t.exe
          Deleted

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\CFATest by DBC.zip=>tca_cfatestkg.exe=>(CAB Sfx r)
          Update failed

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Command.And.Conquer.The.First.Decade.GENERIC KEYGEN-FFF.zip=>fff-ea123.exe=>(CAB Sfx r)=>t.exe
          Infected with: Trojan.Generic.370470

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Command.And.Conquer.The.First.Decade.GENERIC KEYGEN-FFF.zip=>fff-ea123.exe=>(CAB Sfx r)=>t.exe
          Deleted

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Command.And.Conquer.The.First.Decade.GENERIC KEYGEN-FFF.zip=>fff-ea123.exe=>(CAB Sfx r)
          Update failed

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\HollywoodFX 4.5.2.25 Gold.zip=>HollywoodFX 4.5.2.25 Gold Crack.exe=>(CAB Sfx r)=>t.exe
          Infected with: Trojan.Generic.370470

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\HollywoodFX 4.5.2.25 Gold.zip=>HollywoodFX 4.5.2.25 Gold Crack.exe=>(CAB Sfx r)=>t.exe
          Deleted

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\HollywoodFX 4.5.2.25 Gold.zip=>HollywoodFX 4.5.2.25 Gold Crack.exe=>(CAB Sfx r)
          Update failed

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Microsoft Office Accounting Professional 2007.zip=>teamCODEX MOA2007/CRACK.exe=>(CAB Sfx r)=>t.exe
          Infected with: Trojan.Generic.370470

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Microsoft Office Accounting Professional 2007.zip=>teamCODEX MOA2007/CRACK.exe=>(CAB Sfx r)=>t.exe
          Deleted

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Microsoft Office Accounting Professional 2007.zip=>teamCODEX MOA2007/CRACK.exe=>(CAB Sfx r)
          Update failed

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>EXTWISE.EXE=>(CAB Sfx r)=>t.exe
          Infected with: Trojan.Generic.370470

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>EXTWISE.EXE=>(CAB Sfx r)=>t.exe
          Deleted

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>EXTWISE.EXE=>(CAB Sfx r)
          Update failed

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>exwise.exe=>(CAB Sfx r)=>t.exe
          Infected with: Trojan.Generic.370470

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>exwise.exe=>(CAB Sfx r)=>t.exe
          Deleted

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>exwise.exe=>(CAB Sfx r)
          Update failed

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>sfreg.exe=>(CAB Sfx r)=>t.exe
          Infected with: Trojan.Generic.370470

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>sfreg.exe=>(CAB Sfx r)=>t.exe
          Deleted

          C:\Documents and Settings\Owner\Application Data\Microsoft\dtsc\Sonic.Foundry.Sound.Forge.v4.5h.402.final.zip=>sfreg.exe=>(CAB Sfx r)
          Update failed

          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\52\6d7493b4-32089521=>OP.class
          Infected with: Trojan.Exploit.Java.Byteverify.L

          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\52\6d7493b4-32089521=>OP.class
          Deleted

          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\52\6d7493b4-32089521
          Updated

          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710=>OwnClassLoader.class
          Infected with: Trojan.Exploit.Byteverify.V

          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710=>OwnClassLoader.class
          Deleted

          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710
          Updated

          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710=>ProxyClassLoader.class
          Infected with: Trojan.Exploit.Byteverify.AC

          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710=>ProxyClassLoader.class
          Deleted

          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710
          Updated

          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710=>Installer.class
          Infected with: Trojan.Downloader.Java.Agent.A

          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710=>Installer.class
          Deleted

          C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\59\107cd1bb-7a6b3710
          Updated

          C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\1217391382[1].exe
          Infected with: Trojan.Downloader.Small.AAQX

          C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\1217391382[1].exe
          Deleted

          C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\setup[1].htm
          Infected with: Trojan.Downloader.JS.Psyme.SG

          C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\setup[1].htm
          Disinfection failed

          C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\setup[1].htm
          Deleted

          C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\setup[2].htm
          Infected with: Trojan.Downloader.JS.Psyme.SG

          C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\setup[2].htm
          Disinfection failed

          C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0HD21N2O\setup[2].htm
          Deleted

          C:\WINDOWS\system32\92c642fb10056c59727f39e6b60f83e0.TMP
          Infected with: Trojan.Inject.IZ

          C:\WINDOWS\system32\92c642fb10056c59727f39e6b60f83e0.TMP
          Deleted

        • #2918841

          One more

          by rob miners ·

          In reply to BitDefender log

          http://housecall.trendmicro.com/au/

          I am certainly earning my Thumbs on this one.

          Let us know how it is going eh!

    • #2911518

      Try this link

      by rob miners ·

      In reply to IE Hijacker

      http://www.majorgeeks.com/download.php?det=3155

      I really need to look at a log file from HT if at all possible but if not another log from Silent Runners will have to do and then I will have to do a bit of research. You could also try this.

      How to reinstall or repair Internet Explorer in Windows XP

      http://support.microsoft.com/kb/318378

    • #2911515

      Root maybe?

      by kron1109 ·

      In reply to IE Hijacker

      You said you ran Sophos and the others; did your scan include rootkit detection?

      Also is your boot slower than normal?

      • #2911504

        Good thinkin

        by rob miners ·

        In reply to Root maybe?

        i’ll supply the links. 😉

        BitDefender RootkitUncover

        http://www.majorgeeks.com/BitDefender_RootkitUncover_d5157.html

        RootkitRevealer v1.71

        http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

        When you think that you are clean, re-enable System Restore.

        • #2911440

          Rootkit

          by brian.mccrady ·

          In reply to Good thinkin

          The BitDefender program ran and found one file and renamed it.

          However, I couldn’t access the technet file from the infected computer (when I tried to access the file, I got kicked back to the desktop). I accessed the file from a clean computer and e-mailed it to the bad one, but it acts the same as HiJackThis; the computer won’t let me run it.

        • #2911429

          Try running it in safe mode with no networking.

          by dumphrey ·

          In reply to Rootkit

          And if you’re comfortable with services etc. on your computer, then DarkSpy may be able to let you find the suspect service, or IceSword. Both are good programs and not as mainstream as HT.
          http://www.antirootkit.com/software/DarkSpy.htm
          http://www.antirootkit.com/software/IceSword.htm

          My preference is for Darkspy. I like its process viewer. Either burn to a cd or put on a flash drive from a “clean” computer and copy to the infected machine in safe mode.

        • #2911348

          still problematic

          by brian.mccrady ·

          In reply to Try running it in safe mode with no networking.

          While trying to open DarkSpy I ended up somehow adding a minor problem (IEDefender) to my clean computer. SpyBot got rid of it, but I’m getting nervous moving between the two.

          I also noticed that the main problem computer (C1 for short; I’ll call the clean one C2) is adding a file (m.exe) to my E: drive (that’s the USB port drive). I can clean it off, or delete it, but it comes right back. Sophos says it’s part of Mal/Generic-A.

          OK, I got DarkSpy on C1 and it gives me an error message “fails to start” in Safe Mode. It runs in normal mode, but what do I do with the results? I’ve got various tabs…. the machine just crashed; I’ve rebooted. Should I run DarkSpy again…

          advice please before I go any farther.

          Many thanks for all the help so far.

        • #2911332

          DarkSpy running

          by brian.mccrady ·

          In reply to still problematic

          I have DarkSpy operational. I have info on the process tabs which doesn’t seem to point to anything I don’t recognize as OK.

        • #2911316

          Try this on your USB stick

          by rob miners ·

          In reply to DarkSpy running

          One of the ways by which a virus can infect your PC is through USB/pen drives. Common viruses such as “Ravmon”, “New Folder.exe”, “Orkut is banned” etc. are spreading through USB drives. Most anti-virus programs are unable to detect them and even if they do, in most cases they are unable to delete the file, only quarantine it. Here are the things which you can do if you want to remove such viruses from your USB drives.

          Don’t click on OK, just choose “Cancel”. Open the Command Prompt by typing “cmd” in the Run box. In the command prompt type the drive letter followed by a colon and press Enter. Now type dir /w /a and press Enter.

          This will display a list of the files in the pen drive. Check whether the following files are there or not

          Autorun.inf
          Ravmon.exe
          New Folder.exe
          svchost.exe
          Heap41a

          or any other exe file which may be suspicious.

          If any of the above files are there, then probably the USB drive is infected. In the command prompt type attrib -r -a -s -h *.* and press Enter. This will remove the Read Only, Archive, System and Hidden file attributes from all the files. Now just delete the files using the command del filename, for example del Ravmon.exe. Delete all the files that are suspicious. To be on the safer side, just scan the USB drive with an anti-virus program to check whether it is free of viruses or not. Now remove the drive and plug it in again. In most cases, the real culprit turns out to be the “Autorun.inf” file, which mostly gets executed when someone clicks OK in the dialog window which appears above. Thus the infections can spread.

          http://www.whoismadhur.com/2008/01/26/how-to-remove-virus-from-usb-drives/
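
The dir /w /a check in the post above tells you which files are on the stick; the Autorun.inf file is what decides which of them Windows runs when the drive is opened or double-clicked. The following added example (not from the post or the linked article) parses an autorun.inf and lists every trigger together with the program it launches, so the attrib/del step can be aimed at the right files instead of guessing from names. The sample file is constructed for illustration; only the names Ravmon.exe and New Folder.exe come from the post, and the padding line stands in for the junk real samples carry.

```python
"""Show what an autorun.inf on a removable drive would launch.

Added example, not from the thread. autorun.inf is an INI file read by
Windows when a drive is inserted or opened; the [autorun] section's open=,
shellexecute= and shell\<verb>\command= lines name the program that runs.
The sample is constructed, using the file names the post mentions.
"""
import sys

# Constructed sample shaped like a worm's autorun.inf: every trigger points
# at the dropped executables, the 'action' text dresses up the AutoPlay
# prompt, and a junk line is included because real samples pad the file.
SAMPLE_AUTORUN = r"""[AutoRun]
;
open=Ravmon.exe
shellexecute=Ravmon.exe
jKl93x$padding
shell=open
shell\open=Open
shell\open\Command=Ravmon.exe
shell\explore=Explore
shell\explore\Command="New Folder.exe"
action=Open folder to view files
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return {lower-case key: value} for the [autorun] section.

    Lines without '=' are ignored and the first occurrence of a duplicate
    key wins, so padding and duplicate-key tricks do not hide entries.
    """
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def launch_actions(entries):
    """List (trigger, command) pairs: every way the section can run a program."""
    actions = []
    for key, label in (("open", "AutoRun default (open=)"),
                       ("shellexecute", "AutoRun default (shellexecute=)")):
        if key in entries:
            actions.append((label, entries[key]))
    default_verb = entries.get("shell", "").lower()
    for key, command in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            verb = parts[1]
            menu_text = entries.get(f"shell\\{verb}", verb)
            trigger = f"context-menu verb '{menu_text}'"
            if verb == default_verb:
                trigger += " (default verb, runs on double-click)"
            actions.append((trigger, command))
    return actions


def targets(actions):
    """Executable names referenced by the actions: the files to attrib/del."""
    names = set()
    for _, command in actions:
        command = command.strip()
        if command.startswith('"'):
            names.add(command[1:command.find('"', 1)])
        else:
            names.add(command.split()[0])
    return sorted(names)


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AUTORUN
    entries = parse_autorun(text)
    if "action" in entries:
        print(f'AutoPlay dialog text (social engineering): {entries["action"]}')
    actions = launch_actions(entries)
    for trigger, command in actions:
        print(f"{trigger}: {command}")
    print("files to remove after attrib -r -a -s -h:", ", ".join(targets(actions)))
```

Copy the autorun.inf off the stick (after the attrib command, since it is normally hidden and system) and run the script against it on a clean machine; the "default verb" marker shows why double-clicking the drive, rather than only AutoPlay, launches the payload.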

    • #2911272

      You know

      by rob miners ·

      In reply to IE Hijacker

      from the amount of time that we have been trying to remove this parasite you could have backed up and reinstalled several times. It is starting to look to me that you may have inadvertently infected the second PC. If this virus is on the USB stick that has been placed in both PCs, there is a possibility that it is infected as well.

      If the previous instructions have no effect you may want to consider a reinstall.

      • #2932567

        Clean!

        by brian.mccrady ·

        In reply to You know

        I finally got HJT running by finding a rogue .exe in the registry and removing it. Once that was done, the final cleanup went rather smoothly. Thanks for the help.
