Author Topic: need help repairing OS due to Harnig infection  (Read 5943 times)
eulady
« on: May 21, 2004, 03:09:42 PM »

Operating System Version: Windows 98
Processor Pentium 2

Hello,

My computer was a victim of the following viruses Trojan harnig.n and G, and downloader. Done another scan and they were healed/or removed.

Computer is currently running on 16 colors, 640x480 resolution. Tried to change setting to 256 colors but won't work. Usually "hangs" and would show the warning screen/busy screen after ctrl-alt-del.

Also shows "explorer(not responding)"

noticed the following "new" files dlm.exe/dl.exe

How can I repair this? Do I have to install certain system files only or reinstall windows 98? I'm concerned because I don't wanna lose some files I saved on my computer.

I appreciate all the help that I can get and thank you very much.



benditup
« Reply #1 on: May 21, 2004, 08:33:35 PM »

Those 2 files tell me that you have malware on your computer

Would you first download
Adaware 6---It's Free

Save to disk----Install---CHECK FOR UPDATES----
Set these options to scan
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"

Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.
eulady
« Reply #2 on: May 24, 2004, 03:14:25 PM »

Hello,

thank you very much benditup. I did what you suggested, and there were results during the scan. So what do I do after this?

By the way a couple of days ago I manually deleted the dlm and dl.exe files. I did this by going to regedit, deleting them under run (since I couldn't delete them since they were "running") and then I used find and then manually deleted them. Will this affect everything, especially with regards to your suggestions?

Still currently having problems with explorer. Still at 16 colors and 640x480 resolution and frequently "hangs" when opening folders such as "my documents" folder and "recycle bin".

I hope you could help me with this. Thank you in advance.


Cactus
Security & Virus Specialist
Global Moderator
« Reply #3 on: May 24, 2004, 03:17:02 PM »

Did you download and run HIJACKTHIS?

Cactus

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
eulady
« Reply #4 on: May 24, 2004, 05:12:22 PM »

Hello

Yes Cactus, I did run HijackThis. The problem was I mistakenly pressed the fix button. Hurriedly tried to close HijackThis but it was too late, some of the files were deleted. Will I be able to restore them?
Thanks for responding.
Cactus
« Reply #5 on: May 24, 2004, 05:20:44 PM »

Hi eulady...

In HijackThis, click Config and then Backups. You should see them and be able to Restore some or all.

Then post the HJT Log file here.

Cactus
eulady
« Reply #6 on: May 24, 2004, 05:21:37 PM »

hello,

I was able to save a log before I pressed fix though. Then after I pressed the "fix" button (after some of the entries were deleted), I saved another file log of it. Will it help? By the way I was using an AVG antivirus software before and some of the infected files are in the "vault", should I restore them before running Ad-aware?
eulady
« Reply #7 on: May 24, 2004, 05:28:46 PM »

Hello cactus,

Thanks. I did check under backup files but there were no files - it was blank. I did check under main (under config) and the box on "make backups before fixing" was ticked. What does this mean? Are the files irretrievable? How do I post the log here? Can't seem to use copy paste.


Cactus
« Reply #8 on: May 24, 2004, 05:45:05 PM »

Open the log file with NotePad...copy and then you can paste into this post.
If not send me log and I'll post it...

Cactus
eulady
« Reply #9 on: May 24, 2004, 05:54:43 PM »

hello cactus,

here's the log. Can't open the previous one (the original). Would say that the file is too big to open under Notepad and asked me to use wordpad. I used wordpad but symbols were seen.

here's the log:


Logfile of HijackThis v1.97.7
Scan saved at 1:31:05 PM, on 5/24/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\PROFILES\ROBIN\TEMPORARY INTERNET FILES\CONTENT.IE5\WVU3MXI9\HIJACKTHIS[1].EXE

R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=east&bw=dsl&cd=4.0&bm=ho_home
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38005.4079398148
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-
eulady
« Reply #10 on: May 24, 2004, 06:04:18 PM »

hello,

BTW, the previous log file (before the fix button was pressed) file size was 157 kb. Can it still be accessed? And inside the folder, I see several files with "back-up" the first words of the file names.
Cactus
« Reply #11 on: May 24, 2004, 06:16:40 PM »

Close all open programs and have HJT fix these:

R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-


Re-boot.

Cactus
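
One way to triage a pasted HijackThis log like the one in Reply #9, as an added example that is not part of the original posts and not HijackThis's own logic. The two flagging rules (a target of `(no file)`, and an O16 source that is not an http(s) URL) are assumptions of this example, and the sample is a handful of lines copied from the log in this thread.

```python
import re

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=east&bw=dsl&cd=4.0&bm=ho_home
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-
C:\WINDOWS\EXPLORER.EXE
"""

# An entry line looks like "<section code> - <kind>: <details>".
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_log(text):
    """Return one dict per entry line; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        clsid = CLSID.search(rest)
        entries.append({
            "code": m.group("code"),
            "kind": m.group("kind"),
            "clsid": clsid.group(0) if clsid else None,
            # Last " - " separated field: the file or download source.
            "target": rest.rsplit(" - ", 1)[-1].strip(),
            "raw": line.strip(),
        })
    return entries

def triage(entries):
    """Apply the two assumed review heuristics; returns (reason, entry) pairs."""
    findings = []
    for e in entries:
        if e["target"] == "(no file)":
            findings.append(("registry entry points at no file", e))
        elif e["code"] == "O16" and not re.match(r"(?i)https?://", e["target"]):
            findings.append(("O16 source is not an http(s) URL", e))
    return findings

if __name__ == "__main__":
    for reason, e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e['code']:>3}  {e['clsid']}  {reason}")
```

A flagged line is a prompt for manual review, not a verdict; entries that pass both rules can still be unwanted.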
Cactus
« Reply #12 on: May 24, 2004, 06:19:16 PM »

You might be able to access the files there. Try it.
But see if you can access the original HJT log file, as you might restore the problem when restoring some of the files.

Cactus
eulady
« Reply #13 on: May 24, 2004, 07:03:49 PM »

Cactus,

Tried fixing it but the top two won't go away
R3 - URLSearchHook: (no name) - {9368D063-44BE-49B9-BD14-BB9663FD38FC}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

With regards to your second suggestion, you mean I go to the folder, and try opening each "backup"? Or do you mean the original log?
Cactus
« Reply #14 on: May 24, 2004, 07:10:05 PM »



If you're searching for files you had HJT remove...check the backup files.
I would run HJT again and repost the New Log file.

Cactus