Cretemonster

Members

About Cretemonster

  • Content Count: 12
  • Rank: HJT Team
  1. Expired is NO GOOD for nuttin! First thing will be to disable Symantec through Msconfig's StartUp and Services tabs! All the Norton or Symantec entries should be terminated!
     Now, for some good free Antivirus Software:
       • AVG http://www.grisoft.com/doc/40/lng/us/tpl/tpl01
       • Antivir http://www.free-av.com/
       • avast! 4 Home Edition http://www.avast.com/eng/avast_4_home.html
       • BitDefender Free Edition v7 http://www.bitdefender.com/bd/site/products.php?p_id=24
       • a-squared Free http://www.emsisoft.com/en/software/free/
       • ClamAV http://www.clamwin.com/
     Free Firewall Software:
       • Kerio Personal Firewall http://www.kerio.com/kpf_download.html
       • Sygate Personal Firewall: http://smb.sygate.com/products/spf_standard.htm
       • ZoneAlarm http://www.zonelabs.com/store/content/comp...reeDownload.jsp
     Once one of each is installed and updated and running the way you want it, uninstall Norton\Symantec from Add\Remove Programs in Safe Mode! Hopefully everything will be disabled in Safe Mode! http://www.cit.cornell.edu/helpdesk/win/na...installnav.html Maybe that link will help!
     After all that I think you are set!
       • Re-enable System Restore
       • Reconfigure Windows to hide files
       • Reconfigure Msconfig the way you like the PC to start up!
     That pretty much gets it! Any questions?
  2. Looking Good!!! How's it running? At this point I would start getting rid of all the stuff that has been used to clean up the PC! Only keep what you really want! All the scanning programs, aside from HijackThis, can go!
     Are all the Symantec products working, and can you update them and use the scan OK? Is there a Firewall with the Symantec product? Be sure that SpywareBlaster got installed and that System Restore is disabled!
     Post back and ask all the questions you want, and let me know about the questions I asked!
  3. Good Deal!! Did all those files go peacefully?
     Now, this file you are searching for, it may look just like the legit file -> USERINIT.EXE. Trick is to look at the Date and Size of the file.
     Good File -> C:\WINDOWS\SYSTEM32\USERINIT.EXE
       Created 08/29/2002 04:00 AM
       Size 22,016 bytes or 21.5 KB
     Bad File -> C:\WINDOWS\SYSTEM32\??erinit.exe (The ? can be anything)
       Created 01/11/2005 07:15 AM
       Size 401,408 bytes or 392 KB
     That's the file you want to delete! You will notice, when you place the Pointer over the bad file, all that will be displayed is the Date Created and the Size! You may need to be in Safe Mode and have Windows showing hidden files to locate this file! Post back and let me know if you find it!
  4. Howdy Hector, Good job getting rid of Qoologic!! There is definitely some trash left to take out! Download the following!
       • The attached Zip folder with a reg file I fixed up for you! (Unzip and Extract All)
       • LQfix: Unzip it and save it to your desktop, don't use it yet!
       • CCleaner: http://www.filehippo.com/download_ccleaner.html This is to help keep those Temporary Files cleaned up!
       • CleanUp! 4.0: http://downloads.stevengould.org/cleanup/CleanUp40.exe
     Restart in Safe Mode!
     From the LQfix Folder -> Double-click LQfix.bat that you saved on your desktop before. A DOS window will open and close again, this is normal.
     Use Killbox and delete all of the following files\folders:
       C:\UCmore
       C:\install.cab
       C:\WINDOWS\bundles
       C:\WINDOWS\Helper101.dll
       C:\WINDOWS\INF\biQ.inf
       C:\WINDOWS\INF\polmx2.inf
       C:\WINDOWS\jzey.exe
       C:\WINDOWS\prelimhanse.exe
       C:\WINDOWS\SSK3_B5.exe
       C:\WINDOWS\StubInst.exe
       C:\WINDOWS\alchem.ini
       C:\WINDOWS\msxct1.ini
       C:\WINDOWS\NDNuninstall4_80.exe
       C:\WINDOWS\smdat32a.sys
       C:\WINDOWS\ucmoreiex.exe
       C:\WINDOWS\weirdontheweb_topc.exe
       C:\WINDOWS\SYSTEM32\eliteciy32.exe
       C:\WINDOWS\SYSTEM32\elitegfv32.exe
       C:\WINDOWS\SYSTEM32\elitekyc32.exe
       C:\WINDOWS\SYSTEM32\elitevmx32.exe
       C:\WINDOWS\SYSTEM32\elitevpv32.exe
       C:\WINDOWS\SYSTEM32\ezPopStub.exe
       C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
       C:\WINDOWS\SYSTEM32\Party Poker.ico
       C:\WINDOWS\SYSTEM32\rtneg.dll
       C:\WINDOWS\SYSTEM32\saieau.dat
       C:\WINDOWS\SYSTEM32\stlb2.xml
       C:\WINDOWS\SYSTEM32\tsuninst.exe
       C:\WINDOWS\SYSTEM32\winupdt.008
       C:\WINDOWS\SYSTEM32\26kcfjfi.dll
       C:\WINDOWS\SYSTEM32\ACCTRES4.exe
       C:\WINDOWS\SYSTEM32\BDErastM.exe
       C:\WINDOWS\SYSTEM32\broadcastpc.exe
       C:\WINDOWS\SYSTEM32\cdral548.exe
       C:\WINDOWS\SYSTEM32\CIADMIN3.exe
       C:\WINDOWS\SYSTEM32\ikjmdywf.dll
       C:\WINDOWS\SYSTEM32\inetFuel.exe
       C:\WINDOWS\SYSTEM32\msfdje.gif
       C:\WINDOWS\SYSTEM32\rezbw.dll
       C:\WINDOWS\SYSTEM32\Uninstaller.exe
       C:\WINDOWS\SYSTEM32\nsvsvc
       C:\WINDOWS\SYSTEM32\SahImages
       C:\WINDOWS\SYSTEM32\Cache\180SAInstaller.exe
       C:\WINDOWS\SYSTEM32\Cache\em_d.exe
       C:\WINDOWS\SYSTEM32\Cache\ezstub.exe
       C:\WINDOWS\SYSTEM32\Cache\gogotoolssilawo18pi.exe
       C:\WINDOWS\SYSTEM32\Cache\ic_d.exe
       C:\WINDOWS\SYSTEM32\Cache\installer_MARKETING17.exe
       C:\WINDOWS\SYSTEM32\Cache\MTE0MzA6ODoxMg.exe
       C:\WINDOWS\SYSTEM32\Cache\MTE1NjE6ODoxMg.exe
       C:\WINDOWS\SYSTEM32\Cache\MTE1NTA6ODoxMg.exe
       C:\WINDOWS\SYSTEM32\Cache\runsearch.exe
       C:\WINDOWS\SYSTEM32\Cache\setup1015.exe
       C:\WINDOWS\SYSTEM32\Cache\SSK_B5 Seedcorn 2.EXE
       C:\WINDOWS\SYSTEM32\Cache\trafficgen-fran.exe
       C:\WINDOWS\SYSTEM32\Cache\trgen-fran-default.exe
       C:\WINDOWS\SYSTEM32\Cache\trgen_fran-162813.exe
       C:\WINDOWS\SYSTEM32\Cache\VCM QOOL_3.exe
       C:\WINDOWS\SYSTEM32\Cache\videoinst.exe
       C:\WINDOWS\SYSTEM32\CACHE\mswinstall.exe
       C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
       C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.6.inf
       C:\DOCUMENTS AND SETTINGS\ALEX MCINROE\APPLICATION DATA\Sskcwrd.dll
       C:\DOCUMENTS AND SETTINGS\ALEX MCINROE\APPLICATION DATA\tvmcwrd.dll
       C:\DOCUMENTS AND SETTINGS\ALEX MCINROE\APPLICATION DATA\Lycos
       C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
       C:\Documents and Settings\All Users\Application Data\IEService
       C:\Documents and Settings\All Users\Application Data\msw
       C:\Documents and Settings\Mayra McInroe\Application Data\eetu.exe
       C:\PROGRAM FILES\Bpt
       C:\PROGRAM FILES\SEARCH3 TOOLBAR
       C:\PROGRAM FILES\sf
     Place a tick by any of these selections available:
       "Standard File Kill"
       "End Explorer Shell while Killing File"
       "Unregister .dll before Deleting"
       "Deltree (Include Subdirectories)"
     Double-click the Reg File you downloaded and allow it to merge into the registry!
     Now run CCleaner -> Just click the "Run Cleaner" tab and let it do its thing!
     Now run CleanUp! -> Click the Cleanup tab and let it remove all the files it finds -> Click Close -> Click "Yes" to log off and restart back in Normal Mode!
     Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.

         rem List every file matching ??erinit.exe in SYSTEM32, hidden ones included, and open the listing
         dir C:\WINDOWS\SYSTEM32\??erinit.exe /a > files.txt
         notepad files.txt

     Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here along with a new HiJackThis log.
     Hopefully you have installed SpywareBlaster and the Hosts file I suggested! Now go to the Windows Update Site and be sure Windows is fully updated! Please let me know if the Antivirus and Firewall you have are still valid and updated? If we need to replace those, we can do that for free! You have to get this Machine Secured or you are destined to get reinfected!
     Post back and let me know how it goes!
     ClrHec.zip
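The FindFile.bat above and the Date/Size comparison in the USERINIT.EXE post do the same job by hand: list everything that matches the ??erinit.exe wildcard and pick out the file that is not the real one. As an added example that is not part of Cretemonster's posts, the Python script below does both checks in one pass over a directory: it flags any match that is not exactly userinit.exe, and flags userinit.exe itself if its size is not the 22,016 bytes the post quotes. It runs against a constructed throwaway folder; the impostor name wserinit.exe and the zero-filled file contents are made up, while the two sizes are the ones quoted in the posts.

```python
"""Flag lookalikes of userinit.exe by wildcard name and by size.

Added example (not from the forum posts). Re-implements the post's
FindFile.bat idea (dir C:\\WINDOWS\\SYSTEM32\\??erinit.exe) in Python and
adds the size check the post does by eye. Runs offline on a constructed
sample directory.
"""
import fnmatch
import os
import tempfile

GOOD_NAME = "userinit.exe"   # legitimate file name (NTFS is case-insensitive)
GOOD_SIZE = 22016            # size of the legit XP file quoted in the post
BAD_SIZE = 401408            # size of the impostor quoted in the post
PATTERN = "??erinit.exe"     # the wildcard from the post's FindFile.bat


def find_lookalikes(directory, pattern=PATTERN, good_name=GOOD_NAME, good_size=GOOD_SIZE):
    """Return sorted (name, size, reason) tuples for files in `directory`
    that match `pattern` but are not the expected legitimate file.

    reason == "name": matches the wildcard but is not exactly userinit.exe
    reason == "size": is userinit.exe but has an unexpected size
    """
    suspects = []
    for name in os.listdir(directory):
        lowered = name.lower()
        # Compare case-insensitively so the result is the same on any OS.
        if not fnmatch.fnmatchcase(lowered, pattern.lower()):
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue  # skip directories that happen to match
        size = os.path.getsize(path)
        if lowered != good_name:
            suspects.append((name, size, "name"))
        elif size != good_size:
            suspects.append((name, size, "size"))
    return sorted(suspects)


def build_sample_dir(with_impostor=True, legit_size=GOOD_SIZE):
    """Create a throwaway folder imitating SYSTEM32 (constructed data)."""
    d = tempfile.mkdtemp(prefix="system32-sample-")
    with open(os.path.join(d, "userinit.exe"), "wb") as f:
        f.write(b"\x00" * legit_size)         # stands in for the legit file
    with open(os.path.join(d, "notepad.exe"), "wb") as f:
        f.write(b"\x00" * 1024)               # unrelated file, must be ignored
    if with_impostor:
        # "??erinit.exe" with the two leading characters replaced; "ws" is a
        # constructed value, the post says the ? can be anything.
        with open(os.path.join(d, "wserinit.exe"), "wb") as f:
            f.write(b"\x00" * BAD_SIZE)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, size, reason in find_lookalikes(sample):
        print(f"SUSPECT ({reason}): {name}  {size:,} bytes")
```

Pointing `find_lookalikes` at a real SYSTEM32 folder instead of the sample directory gives the same listing FindFile.bat produces, with the size comparison already done; the creation date the post also relies on is deliberately left to the reader, since it is not a reliable discriminator across Windows versions.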
  5. Be sure System Restore is Disabled! http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
     Last, let's get a hefty Reg Cleaner and move out all dead registry entries! RegSupreme Pro 1.1.0.32 http://majorgeeks.com/RegSupreme_Pro_d4256.html
     Once downloaded and launched, click Yes to Update the Cache -> Click "Registry Cleaner" -> Click "Aggressive" and "Start" -> Fix everything it finds -> Name the Backup it creates and save it somewhere safe! Wait until Safe Mode to run it!
     Take special note: any registry cleaner such as this is not intended for daily, weekly or even monthly use! It should only be run every 4 months or so!
     Copy & Paste all those into Killbox and select "Delete on Reboot" -> Click the Red Circle to Delete!
       C:\WINDOWS\System32\jjaaoo.exe
       C:\WINDOWS\System32\ddjjllw.dll
       C:\WINDOWS\System32\bbrrooq.exe
       C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nnpp.exe
       C:\WINDOWS\llmmj.dll
       C:\WINDOWS\System32\ppbbv.dat
       C:\WINDOWS\System32\jjoob.dll
     Reboot in Safe Mode. Run them through Killbox again to be sure they are gone.
     Open HijackThis and put a check next to this:
       O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jjaaoo.exe reg_run
     Make sure all Windows and Browsers are closed and click "Fix Checked"! Now run the Registry Cleaner!
     May as well uninstall Ewido if the 14-day trial has expired!
     Restart Normal and have the PC scanned here: Panda Active Scan. Save the Report from Panda and post it along with a fresh HijackThis log!
     When you post back, we can go through the list of programs no longer needed! Thank you for being so patient with us!
  6. OK Hector, you get the credit for motivating me to find out what the deal is with this new Qoologic Infection, and that's exactly what I have done!
     Download Process Explorer from here: http://www.sysinternals.com/Files/ProcessExplorerNt.zip
     Right-click the Zip file and select "Extract All". Open Process Explorer by double-clicking "procexp.exe".
     Once opened, locate this process: jjaaoo.exe
     Double-click that process and select Strings -> Place a tick in Memory -> Give it a second to load and click Save -> Save that to the Desktop!
     Post those results!
     After this is over, we need to get all the programs removed that will no longer be of use to you anymore!
  7. Well, this has me scratching my head! So what's the Verdict on the .cpl file, is it gone or not?
     Make a Post with all 3 logs again: in Safe Mode, run WinPFind. Restart Normal, run the VB Script and produce a HijackThis Startup List Log! Post all 3 logs!
     What is the Status of System Restore? Enabled or Disabled? Are you getting any kind of PopUps or Redirects?
  8. Good Job Hector, you did Killbox C:\WINDOWS\SYSTEM32\conres.cpl???
     There are a few more to kill as well, Delete on Reboot, into Safe Mode! Run the files through Killbox again!
       C:\WINDOWS\system32\ddjjllw.dll
       C:\WINDOWS\system32\jjoob.dll
       C:\WINDOWS\System32\jjaaoo.exe
       C:\WINDOWS\system32\yrjreqhj.exe
     Remove the O4 again with HijackThis:
       O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jjaaoo.exe reg_run
     After the files are gone, run the Hoster again just as you did before!
     Until we know for sure you are clean, please install these for added protection!
       • Winhelp2002 Hosts File http://www.mvps.org/winhelp2002/hosts.htm (Made easy: http://www.mvps.org/winhelp2002/hosts2.htm)
       • SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html Update immediately!
     Post back and let's have a look! We aren't the only ones having trouble with this particular file! Let me know what became of C:\WINDOWS\SYSTEM32\conres.cpl??
  9. C:\WINDOWS\SYSTEM32\conres.cpl <<<<<< Get that File Scanned First, before Deleting! What was the Outcome of that file Scan?
     Post a HijackThis Startup log so I can check the Policy Keys again!
  10. Have HijackThis fix this one:
       O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jjaaoo.exe reg_run
     Go to Safe Mode and do one more Scan with WinPFind! Restart and post a fresh HijackThis log and the log from WinPFind!
  11. Holy Smokes!!!!!!!! First get this file scanned at the 2 sites below:
       C:\WINDOWS\SYSTEM32\conres.cpl
       http://virusscan.jotti.org/
       http://www.virustotal.com/flash/index_en.html
     If scans all clear -> Remove it from the Deletion list! You know what to do if it Scans Nasty!
     Next, download the Attachment to your desktop and unzip it!
     Download the Hoster from here: http://www.funkytoad.com/download/hoster.zip Press "Restore Original Hosts" and press "OK"!! Exit Program!!
     Copy & Paste the list of files below into Killbox and use the Instructions that follow!
       C:\WINDOWS\SYSTEM32\conres.cpl <<<<<< Get that File Scanned First, before Deleting!
       C:\WINDOWS\system32\drivers\ETC\hosts
       C:\WINDOWS\system32\drivers\ETC\hosts.20040904-165330.backup
       C:\WINDOWS\system32\yuhxqdtf.exe
       C:\WINDOWS\System32\jjoob.dll
       C:\WINDOWS\System32\datadx.dll
       C:\WINDOWS\system32\vmggewdm.exe
       C:\WINDOWS\system32\vb07dv9p.ini
       C:\WINDOWS\system32\rt87rov2.ini
       C:\WINDOWS\system32\saie_kyf.dat
       C:\WINDOWS\system32\second.awp
       C:\WINDOWS\system32\sew.exe
       C:\WINDOWS\system32\uafvwzax.exe
       C:\WINDOWS\system32\dpvhromb.exe
       C:\WINDOWS\system32\dthmrusx.exe
       C:\WINDOWS\system32\first.awp
       C:\WINDOWS\system32\fpmat78.dll
       C:\WINDOWS\system32\fudeptps.exe
       C:\WINDOWS\system32\Fzjxeek1.xml
       C:\WINDOWS\system32\gah95on6.ini
       C:\WINDOWS\system32\in10b6s.dll
       C:\WINDOWS\system32\jfqosi.exe
       C:\WINDOWS\system32\jjoob.dll
       C:\WINDOWS\system32\jpdfyhtl.exe
       C:\WINDOWS\system32\msdjgk.dll
       C:\WINDOWS\system32\msiaih.dll
       C:\WINDOWS\system32\msnimk.gif
       C:\WINDOWS\system32\ooslpmre.exe
       C:\WINDOWS\system32\ddjjllw.dll
       C:\WINDOWS\system32\barekdug.exe
       C:\WINDOWS\system32\betterinternet1.exe
       C:\WINDOWS\system32\bH.dll
       C:\WINDOWS\system32\biQ.exe
       C:\WINDOWS\system32\bln02nqv.ini
       C:\WINDOWS\system32\bluestd.exe
       C:\WINDOWS\system32\70tovmto.ini
       C:\WINDOWS\system32\9tan13d8.ini
       C:\WINDOWS\system32\abiscxpw.exe
       C:\WINDOWS\system32\AUNPS.dll
       C:\WINDOWS\system32\autoupgrader.exe
       C:\WINDOWS\tct101.dll
       C:\WINDOWS\rt87rov2.exe
       C:\WINDOWS\del.tmp
       C:\WINDOWS\abiuninst.htm
       C:\WINDOWS\aniqueo.exe
       C:\WINDOWS\choice.exe
     As each is pasted into Killbox, place a tick by these Selections when available!
       "Delete on Reboot"
       "Unregister .dll before Deleting"
     Click the Red Circle with the White X in the Middle to Delete! Click "Yes" to Confirm, Click "No" to Reboot. Once at the last file, Click "Yes" to Confirm, Click "Yes" to Reboot.
     If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message, then just restart manually.
     Reboot into Safe Mode and run those files through Killbox again, this time place a tick by any of these selections available!
       "Standard File Kill"
       "End Explorer Shell while Killing File"
       "Unregister .dll before Deleting"
     Locate the Reg File I had you download to the Desktop! Double-click to execute and allow it to merge into the Registry!
     Open and run the Hoster again, just as you did before!
     Restart Normal and post a fresh HijackThis log!
     Rem.zip
  12. Hey Jeff and Hector! Don't mean to butt in, but this Qoo Crap is ticking me off!
     Hector, if you will, please download WinPFind: http://www.bleepingcomputer.com/files/winpfind.php Right-click the Zip Folder and select "Extract All". Don't use it yet!
     Restart in Safe Mode. Double-click WinPFind.exe and click "Start Scan". It will scan the entire System, so please be patient! Once the Scan is complete -> Locate WinPFind.txt in the WinPFind Folder and place those in the next Post!
     Produce another HijackThis StartUp log and use the TrackQoo VB Script as well. Save the report from both of those! You can find the latest version of TrackQoo here: http://webpages.charter.net/cretemonster/Track%20qoo%201.zip Once downloaded -> Just double-click the VB file and wait for the Report!
     Post all 3 logs and let's find out where this pesky bug is hiding at!