Annoyances.org
Hijack this scan result
Showing all messages in thread #1104752619
Windows Me Annoyances Discussion Forum


The following are all of the messages in this thread (17 in all), shown in chronological order.
Hijack this scan result
Monday, January 3, 2005 at 3:43 am
Posted by Allan (22 messages posted)

I've been trying to fix a family member's computer after it has been infected with 
the Cabrotor hijack virus and other spyware. 
I've used Spybot and Ad-Aware SE to clean the system. Trend Micro's Housecall virus 
scan reports that the system is now clean. However it's still doing the odd strange 
thing. 
I had to use system restore as I couldn't get a working dial-up connection and the 
system wouldn't start in safe mode. After the successful restore I again ran full 
virus/spyware scans and it's now clean. The internet connection is still unstable 
at times.
I'm not sure whether system files have been corrupted. Or if there is still a Hijack 
program running. I've run a "Hijack this" scan report but am having trouble deciphering 
it. 
I'm trying to upgrade the machine to IE6, a prerequisite before I can install Trend Micro 
Internet Security 2005.
I had installed IE6 prior to using system restore. The machine is now running with 
IE5.5. The IE6 setup won't install properly, I think because it sees an earlier setup. 
Looks like I have to manually uninstall all the various bits and pieces of the program 
according to http://support.microsoft.com/default.aspx?scid=kb;en-us;303399
This seems to be a major pain in the proverbial...
Any help or suggestions would be greatly appreciated.

Thanks

Allan


re: Hijack this scan result
Monday, January 3, 2005 at 7:03 am
Posted by Jack Gulley (5917 messages posted)

Check in the Add/Remove Programs list for an entry "Microsoft Internet Explorer 6.0 and Internet Tools" and see if it is still there. If it is you can do a REPAIR of IE and OE.

If Internet Explorer or Explorer has been damaged by hijackers, viruses or other malware, try to REPAIR IE with the IE service pack update files on your system. To REPAIR IE, go to Control Panel, Add/Remove Programs icon, and select (highlight) the entry for "Microsoft Internet Explorer 6.0 and Internet Tools" and then click the Add/Remove button at the bottom of the window. In the options window, select the "Repair Internet Explorer" option and click OK. When it is done reboot the system.

If not able to do a REPAIR of IE, look in the C:\Windows folder for a folder named "Windows Update Setup Files" and in it the program IE6SETUP.EXE; if it is there, you should be able to run IE6SETUP and reinstall IE 6.0 that way.

If you are still having problems and unsure of your Startup list programs (and what HijackThis shows), you can use MSCONFIG and its Startup tab to temporarily disable startup programs that you don't need. If you use Dial-Up you will have to identify your modem driver(s) and make sure you keep them in the list. Use the following link to determine what the required Startup tab entries are that you don't have to have while you clean up your system. The rest can be temporarily removed until you can investigate each one of them (some may be left over from Adware/Spyware that has been deleted). You can also use this web page:

See: Windows ME fixes page


re: Hijack this scan result
Monday, January 3, 2005 at 3:45 pm
Posted by Ms. Eagle (32264 messages posted)


Allan, I don't know all the details on your problem, but you're welcome to post the 
Hijack This log here. I'll have a look and try to help. 

Keep in mind, you'll need to be patient, as I/we can't always get to it immediately. 
We get busy helping others on the forum, and sometimes it takes a bit of research 
to check things out.

In addition, clear out ALL temp folders: Go into Internet Options - delete TIF and 
choose 'delete all Offline content'. Settings - set the size of your TIF folder between 
5 - 10 MB. Empty C:\Windows\temp folder and C:\temp folder, if you have one. Empty 
Recycle Bin.

Hijack This 1.99. Important: unzip 'Hijack This' into its own 
folder. Example: C:\HJT. It creates backups, and they're automatically saved 
in the same location. Log off and close all open windows. Run 'HJT' and click "Do 
a system scan and save a logfile". It'll automatically open in Notepad. Most of the 
entries are legitimate or required entries. Don't fix anything yet. For a 
description of the entries: 
HJT Tutorial. Then paste the contents of the logfile here in a post. 
Before posting, PLEASE select this Option below the message window: Check this 
box to preserve your spacing, etc....

Install SpywareBlaster to help prevent future malware infections. It's NOT a cleaner. 
It won't help with any current infections. Be sure to load it and check for/download 
updates after installing. Then Enable all protection. Exit. Be sure to check for 
updates frequently: 
JavaCool Software  

It's advisable to consider using an alternative browser as your main browser. Firefox 
(most popular) or Opera are a couple of good choices. IE has too many security issues 
and is very vulnerable to malware infections and hijackings. Hijackings are very 
rare with other browsers. If you stay with IE, I suggest IE-SpyAds, also. For other 
tips and suggestions: 

How you got infected in the first place

Dealing with Unwanted Spyware and Parasites


re: Hijack this scan result
Thursday, January 6, 2005 at 12:37 am
Posted by Allan (22 messages posted)

I'm afraid things are going from bad to worse.

None of the Microsoft programs appeared in the Add/Remove list in Control Panel, 
and I couldn't get IE6 to reinstall; it kept coming up with an error message about 
a missing link. I tried to undo the last system restore to get back to the previous 
condition and start again. 
Unfortunately it didn't restore properly. Now when I select restore to an earlier 
point or undo the last restore I get an error message: An error has occurred in this 
dialog. Error 29 unspecified error. Another dialog box sits behind the first one: 
Internet Explorer script error, an error has occurred in the script on this page.

I get the same error when I open My Computer and double click on C: drive, although 
I can see the files and folders.

When I open control panel the same error message comes up and the control panel is 
completely empty.

When I open About Internet Explorer a similar error message comes up with error 84 
unspecified error, and the version is blank, Cipher Strength () and Product ID blank.

I ran msconfig, many items appeared to be missing from the list.

I ran Wintop & Hijack this, the following processes were running.

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 3.0 SE\CALCHECK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

Prior to attempting to undo the restore, system scans with up-to-date Spybot, Ad-Aware, 
and Trend Micro Housecall were clean.

However I've just run another Hijack this auto-analysis from the site you recommended 
which revealed 4 nasty items.

I would appreciate any help trying to recover this system.

Allan


re: Hijack this scan result
Thursday, January 6, 2005 at 6:19 pm
Posted by Allan (22 messages posted)

Hi Carol,

Many thanks for your offer to help. 
This forum won't let me post a Hijack this scan.
I originally delayed posting as you suggested, as I had an old version of HJT. I've 
now brought the problem computer home from my sister's and installed the latest version 
of HJT.

In the meantime I'd run into problems scanning the PC with antivirus software but 
eventually got Trend Micro Housecall to run a scan, which was clean. I needed to install 
IE6 so I could install Trend Micro Internet Security 2005 (it wouldn't install without 
IE6).

Ad-Aware and Spybot scans were clean. I tried to undo the last system restore but it 
failed. When I select restore to an earlier point or undo the last restore I get 
an error message: An error has occurred in this dialog. Error 29 unspecified error. 
Another dialog box sits behind the first one: 
Internet Explorer script error, an error has occurred in the script on this page.

I get the same error when I open My Computer and double click on C: drive, although 
I can see the files and folders.

When I open control panel the same error message comes up and the control panel is 
completely empty.

When I open About Internet Explorer a similar error message comes up with error 84 
unspecified error, and the version is blank, Cipher Strength () and Product ID blank.

I ran msconfig, many items appear to be missing from the list.

If I open a dial-up internet connection it works for about 5-10 minutes; I can browse 
(seems slow), then it seems to stop. I'm trying to rerun Housecall; it gets to about 10% 
download then stops, and I can no longer get to any web pages, just a message that 
the site is unavailable.

If I shut the computer down and restart, I can use the internet connection again 
for about 5-10 minutes before it stops again.

I think I need to reinstall Windows ME, I'd like to try an overwrite if possible. 
But want to make sure all the spyware and Hijack programs are gone before I start.

I believe I have a copy of WinMe install files on my own machine in Window/Options/Cab/setup.exe

Can I copy the cab files across to the problem machine and run it, or do I need to 
start fresh with the WinME install CD?

Should I copy WinME install files from the install CD into a folder on C:\ and run 
it from there?

Do you think an overwrite will work?

Do I need to reinstall IE6 and Outlook Express etc, or are these programs covered 
in the WinME installation?

I tried to post the latest Hijack this scan result but this forum won't let me post 
the result, it comes up with a post error.

Thanks again for your help.

Allan


re: Hijack this scan result
Friday, January 7, 2005 at 12:16 am
Posted by Ms. Eagle (32264 messages posted)


This is a lot to comprehend, but about the problems posting your HJT log. You shouldn't 
have a problem as long as you post it here as a reply. If you got a Post 
Error message, there has been a glitch when you tried. If you start a new thread 
with a HJT log included, you'd get a message, but it wouldn't be a post error. Try 
it again, should work. 

As for copying CABs from one system to another, I'm not sure, but doesn't this machine 
have its own CAB directory? Yes, you can copy CABs from a CD to the HDD and install 
from there. Since this is another topic, you could start a new thread on this query, 
after we check the log. Yes, Trend is the only one that requires IE, pretty strange, 
but there are other good online scans. Some of the problems you're describing with 
your directories and IE may be related to the malware.

Dealing with Unwanted Spyware and Parasites


re: Hijack this scan result
Friday, January 7, 2005 at 3:48 am
Posted by Allan (22 messages posted)

Hi Carol,

It still won't let me post a HJT scan in this reply to you.

Comes up with the following error message:

Post Error 

I'm sorry, but scripts and embedded objects are no longer allowed in forum messages. 
Please remove any (embed), (script), (applet), (frameset), (style), (form), (meta), 
and (body) codes from your message and try again.

Note: I couldn't post the above message until I replaced <> brackets with () brackets.

Is there any other way I can get the Hijack this scan checked?

My email address is: allaneb66@hotmail.com if you wish to respond directly.

Thanks again for your help and time on this.

Allan

re: Hijack this scan result
Friday, January 7, 2005 at 11:17 am
Posted by Ms. Eagle (32264 messages posted)


"I'm sorry, but scripts and embedded objects are no longer allowed in forum messages. 
Please remove any (embed), (script), (applet), (frameset), (style), (form), (meta), 
and (body) codes from your message and try again."

Ah, there's a good reason for that message. It protects others from getting a virus 
infection, just by viewing your log! There's some malicious code in the log. This 
is only the second time I've seen a case like this on the forum. The other poster 
had some Java Script code, a "virus code", entries in the log. 

No thanks, and even though I have protection, I'm not accepting an email like that. 
Those entries are easy to identify, so you may be able to take care of that yourself, 
then you should run an online scan or two. I'd suggest running McAfee Stinger, also, 
in Safe mode.

McAfee AVERT Stinger

RAV is an excellent choice, and it's fast. You can also scan select directories. 

RAV Anti Virus Scan 
BitDefender Online Virus Scan

Judging by your description of the problems, it would be best to format the drive 
and do a clean install. Keep in mind, you'd need the Product Code. 

Dealing with Unwanted Spyware and Parasites

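The Post Error quoted above is a plain text match on tag names, and the fix the poster eventually used by hand (swapping angle brackets for parentheses) is the same thing done by machine below. This is an added example, not code from the thread or from HijackThis. A log opened in Notepad runs nothing; what the forum guards against is a page rendering pasted tags as live HTML for every other reader, which is why it rejects rather than displays them. The blocked-tag list is the one in the forum's message; the sample log lines are constructed for illustration (reserved example.* hostnames, a made-up CLSID and DLL name), and the function names are this example's own.

```python
"""Find and neutralise HTML/script markup in a HijackThis-style log.

Added example, not code from the thread or from HijackThis.  The blocked-tag
list is the one quoted in the forum's Post Error message; the sample log
lines are constructed for illustration (reserved example.* hostnames, made-up
CLSID and DLL name).
"""
import re

# Tags the forum rejects, as listed in its Post Error message.
BLOCKED_TAGS = ("embed", "script", "applet", "frameset", "style", "form", "meta", "body")

# Opening or closing tag of any blocked element, e.g. <script ...> or </BODY>.
_BLOCKED_RE = re.compile(
    r"<\s*/?\s*(%s)\b[^>]*>" % "|".join(BLOCKED_TAGS), re.IGNORECASE
)

# Constructed sample: ordinary entries plus two whose value carries markup,
# the kind of thing a hijacked start/search page setting can contain.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.0
Running processes:
C:\\WINDOWS\\SYSTEM\\MSGSRV32.EXE
C:\\WINDOWS\\EXPLORER.EXE
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = res://C:\\WINDOWS\\example.dll/<script>document.location="http://search.example.net/"</script>
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O16 - DPF: {00000000-0000-0000-0000-000000000000} - http://download.example.org/<EMBED src="a.cab">
"""


def find_blocked_markup(log_text):
    """Return (line_number, tag_name) for every blocked tag in the log, in order."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in _BLOCKED_RE.finditer(line):
            hits.append((lineno, m.group(1).lower()))
    return hits


def neutralise(log_text):
    """Swap angle brackets for parentheses, as the poster did by hand.

    The entries stay readable for whoever reviews the log, and nothing that
    renders the post as HTML can treat them as tags any more."""
    return log_text.replace("<", "(").replace(">", ")")


if __name__ == "__main__":
    for lineno, tag in find_blocked_markup(SAMPLE_LOG):
        print("line %d: contains a <%s> tag" % (lineno, tag))
    print(neutralise(SAMPLE_LOG))
```

Running the file lists the lines that would trip the filter (the R1 and O16 entries in the sample) and then prints the neutralised log, which the same check passes. Escaping rather than rejecting would let the log through unchanged, but rejection is the simpler rule for a forum to enforce.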

re: Hijack this scan result
Friday, January 7, 2005 at 11:46 am
Posted by Ms. Eagle (32264 messages posted)

I forgot to suggest that you choose Auto Clean before you run the virus scan. Good luck. If you can get that cleaned up, the log may be allowed. Good luck!

Dealing with Unwanted Spyware and Parasites


re: Hijack this scan result
Friday, January 7, 2005 at 6:32 pm
Posted by Allan (22 messages posted)

Hi Carol,

Your post has given me a real fright!!

Does this mean that my own computer is infected with the malicious code too??

As I couldn't get a stable internet connection on the problem computer, I emailed 
the HJT log as a Text file to my computer. So I could then attempt to post it online.

I thought this would be perfectly safe as I keep my machine up to date with Trend 
Micro Internet Security 2004, I check for updates every time I log on. I keep Spybot 
up to date with Tea timer and immunize enabled. And run frequent checks with Ad aware.
I even did a virus scan on the txt file when I saved it to disk.

I've also just installed Spyware Blaster as you suggested in your earlier post.

Does this mean that I need to reformat and reinstall Windows ME and the other programs 
on my "own" machine as well as the problem computer?

What about all the personal files - do they need to be dumped?

I was in the process of backing up to disk the personal files and folders on the 
problem machine as there are vital research & work files which can't afford to be 
lost.

Can I be sure if I scan with McAfee and RAV that all the personal files are clean?

What about emails that have been sent out both by me and from the other PC are these 
likely to be infected with the code too!

I really appreciate the time and effort you've given me. I can't believe people write 
these malicious viruses.

Allan :(

re: Hijack this scan result
Friday, January 7, 2005 at 9:15 pm
Posted by Ms. Eagle (32264 messages posted)


I should clarify. No Java Script (good or bad) is allowed to be posted on the forums, 
for obvious reasons. I assume that's what the problem is about posting the log. Since 
it's listed in HJT, there must be some sort of malicious script running on that system.

The problem isn't on your system. As long as you have some sort of script blocking 
enabled, it shouldn't affect you. Check the log, as I suggested.  


Dealing with Unwanted Spyware and Parasites


re: Hijack this scan result
Saturday, January 8, 2005 at 3:58 am
Posted by Allan (22 messages posted)

Hi Carol,

I'm working on this; so far I've run online RAV scan, it found:

process://C:\WINDOWS\SYSTEM\MAPISVC32.EXE - Backdoor:Win32/VB.KX -> Infected
c:\WINDOWS\SYSTEM\mapisvc32.exe - Backdoor:Win32/VB.KX -> Infected
c:\WINDOWS\Temporary Internet Files\Content.IE5\I1O7QLQ5\hijackthis050107.txt - Exploit:HTML/MhtRedir.gen* -> Infected
c:\My Documents\AB Program Files\freehistorycleaner.exe->[setuf]->mapisvc32.exe - 
Backdoor:Win32/VB.KX -> Infected

I don't think it removed the files even though I had autoclean selected.

Interestingly though I ran a full AV scan with my up to date Trendmicro Antivirus 
and it came up clean, including mapisvc32.exe.

I don't know how to recognise the malicious code to remove it. 
Just to clarify, are you suggesting that I run HJT again? What do I look for?
Will opening the log not just reinfect the PC?

I had no idea written text could be so dangerous.

How do I block such script from getting on my PC?

I ran McAfee Stinger in safe mode, it didn't find anything.

I am unable to run an online scan on the problem PC as an internet connection won't 
run long enough to download the files.
Is there a complete package of some sort I could download onto a CD to then copy 
over onto the problem PC so I can scan it properly. I really want to backup the personal 
files and need to make sure they're clean.

Haven't had time to run BitDefender Online Virus Scan, will do that next.

Thanks again 

Allan 


re: Hijack this scan result
Saturday, January 8, 2005 at 4:31 am
Posted by Allan (22 messages posted)

Carol,

By the way, I tried to quarantine mapisvc32.exe with Trendmicro Internet Security 
but it wouldn't let me. How do I remove this infected file?

Allan


re: Hijack this scan result
Saturday, January 8, 2005 at 6:04 pm
Posted by Ms. Eagle (32264 messages posted)


Is there a complete package of some sort I could download onto a CD to then copy 
over onto the problem PC so I can scan it properly. 

You've run an AV program on the system, which cleans what it can. The anti-spyware 
programs cleaned what they could. AV programs don't/can't clean most trojans, but 
there are different types of trojans. They usually require manual removal. That's 
where HJT helps, but since you can't post the log, boot into Safe mode to remove 
them. You can download a free trial Trojan Scanner, and update manually. Then run 
it, but there's no package that will clean up everything. The rest is likely going 
to have to be manually removed. However, since I do not know what all is on your 
system, there could be other malware that requires other removal procedures and/or 
tools. 

Download the trial version of TDS-3 and update the database manually, and 
perform a full system scan: Wilders.org - anti trojans

Naturally, you need to run it on the "problem" machine, in order to fix the entries. 
It serves no purpose to run it on your system and have it fix anything, correct? 
First make sure hidden files are showing in Folder Options. End task on any of those 
listed as running in TaskMgr. (they're less likely to load in Safe mode, but there 
are some that do) Next, locate and delete the trojan files. Clear out all temp folders 
on the system again. 

I'm working on this; so far I've run online RAV scan, it found:

OK..You said in another post, the infected machine couldn't get online. Now you're 
saying you ran an online scan and found all those trojans? Which is it? You're on 
your own clearing this up, since you can't post a log to this forum. I'm not going 
to manually go through all this bit by bit. It's often time consuming enough, having 
a HJT log to go by.

Q: Do I need to reinstall IE6 and Outlook Express etc, or are these programs covered 
in the WinME installation? 

A: You'd need to reinstall IE 6, as ME comes with 5.5 installed. Once you updated 
it, it should be listed in Add/Remove so you can run the repair tool.

Good luck

Dealing with Unwanted Spyware and Parasites


re: Hijack this scan result
Saturday, January 8, 2005 at 8:01 pm
Posted by Allan (22 messages posted)

Hi Carol,

Sorry for the confusion.

I've now been focusing on my own machine because, as I had emailed the HJT log from 
the problem machine to myself, I was worried that my machine had become infected with 
the malicious code. I got a fright with your earlier post, which indicated the HJT 
log itself could cause a malicious infection (correct me if I'm wrong). So I ran 
the in-depth RAV scan etc. on my machine and it found a number of things that my AV 
scanner (Trend Micro) didn't pick up, including the HJT log in a temporary internet 
folder.

I've deleted or quarantined any files it picked up. I managed to get the quarantine 
working by running it in Safe Mode.

Getting back to the problem machine; I intend, as you advised, to reformat the drive 
and reinstall Windows ME.
I understand this will kill everything.

However I've been backing up important personal documents, emails etc to CD, I had 
to put them in a Zip file to preserve the long file names.

I've then placed the backup CD in a CD drive in my own personal machine and run BitDefender 
Online Scan over it. It came up clean. 

Do you think this is satisfactory?

Once I've got the problem machine up and running after reformatting etc. and copied 
the backup files back across, I'll run the anti-trojan scan you suggested.

Is it right therefore to assume that I don't need to run a HJT log on the problem 
machine now?

Maybe I should do one on my personal machine to be sure it's OK?

I really don't know what I should be looking for in the log?

By opening the HJT log, do I run the risk of being reinfected with malicious code?

I really appreciate your help on this.

Allan






re: Hijack this scan result
Sunday, January 9, 2005 at 12:07 am
Posted by Ms. Eagle (32264 messages posted)


Firstly, I've obviously been wasting my time. Your initial post was a request for 
help cleaning a "family member's" infected system. You're planning to format the 
drive on the problem machine, you don't need to do any more cleaning. Formatting 
will clean the infections, along with all the data. 

There's no reason to keep the HJT log. You had the log created, for the purpose of 
posting it on the forum. You'd already opened the log and tried to paste it in a 
post. It doesn't sound like you have your thinking cap on. If you were going to get 
infected, it's over. Forget about the log and delete it. 

Dealing with Unwanted Spyware and Parasites


re: Hijack this scan result
Monday, January 10, 2005 at 3:15 am
Posted by Allan (22 messages posted)

Hi Carol,

I’m sorry you feel you’ve been wasting your time.

You seem to have misunderstood my posts.

A brief outline of the events:
In the course of trying to fix my sister’s computer which had become infected, your 
post alerted me that my PC had likely been infected with malicious code. I had used 
my PC to try and post the log, as I couldn't get a working internet connection on 
my sister’s faulty machine. I was unaware that the log “itself” posed a threat.

Your earlier post said:

"Ah, there's a good reason for that message. It protects others from getting a virus
infection, just by viewing your log! There's some malicious code in the log. This
is only the second time I've seen a case like this on the forum. The other poster
had some Java Script code, a "virus code", entries in the log.

No thanks, and even though I have protection, I'm not accepting an email like that.
Those entries are easy to identify, so you may be able to take care of that yourself,
then you should run an online scan or two. I'd suggest running McAfee Stinger, also,
in Safe mode....
...Judging by your description of the problems, it would be best to format the drive
and do a clean install."

My thinking on the matter is quite clear! From your description of the threat I only 
had two options.

1. Reformat and reinstall Windows on my sister’s problem machine.

2. Scan my own PC for malicious code.

A priority was to attempt the recovery of vital personal files from my sister’s machine 
before the reformat and ensure that the files were clean.

I sought your assistance to achieve these tasks.

The information you gave me was most helpful and may well help others reading this 
forum.

The acerbic tone in your last post is unwarranted.

I wish you a good day.

Allan


All content at Annoyances.org is Copyright © 1995-2008 Creative Element™. All rights reserved.
Please do not plagiarize; redistributing these pages without permission is strictly prohibited.