Computer Hope

Software => Computer viruses and spyware => Topic started by: matt on November 07, 2004, 10:15:21 AM

Title: money.cafreedom.com
Post by: matt on November 07, 2004, 10:15:21 AM
OK, I have the Sygate Personal Firewall on my computer and I run Firefox as my browser, but whenever I launch Explorer to access My Computer or My Documents, the firewall pops up and says:

"Windows Explorer (explorer.exe) is trying to connect to money.cafreedom.com [66.17.180.52] using remote port 80 (HTTP - World Wide Web). Do you want to allow this program to access the network?"

I always say no, but then whenever I close out of My Computer/My Documents etc., Explorer crashes. It reloads fine and the computer still runs, but what is this, and how can I get rid of it? I ran Ad-Aware but that found nothing.
Title: Re: money.cafreedom.com
Post by: Raptor on November 07, 2004, 10:58:09 AM
Scan for Spyware.
Title: Re: money.cafreedom.com
Post by: matt on November 07, 2004, 11:31:45 AM
I ran both Ad-Aware and Spybot.
Title: Re: money.cafreedom.com
Post by: Raptor on November 07, 2004, 12:12:08 PM
Reconfigure them to do extensive scans.
Title: Re: money.cafreedom.com
Post by: matt on November 07, 2004, 12:23:41 PM
I did for Ad-Aware; I'm not sure how for Spybot.
Title: Re: money.cafreedom.com
Post by: Raptor on November 07, 2004, 12:26:57 PM
Have you scanned for Viruses and Trojan Horses?
Title: Re: money.cafreedom.com
Post by: matt on November 07, 2004, 12:42:19 PM
Yeah, using AVG Anti-Virus. I'll run it again now though. And how can I set Spybot to deep scan?
Title: Re: money.cafreedom.com
Post by: matt on November 07, 2004, 01:11:00 PM
The virus/trojan scan came up clean.
Title: Re: money.cafreedom.com
Post by: Raptor on November 07, 2004, 01:15:00 PM
I have no experience with Spybot S&D.

Do you have programs installed that may be forcing your browser to connect to that address?

Use HijackThis (http://www.spychecker.com/program/hijackthis.html)
Title: Re: money.cafreedom.com
Post by: matt on November 07, 2004, 01:39:08 PM
Not to my knowledge, but I'll try HijackThis.
Title: Re: money.cafreedom.com
Post by: matt on November 07, 2004, 01:48:30 PM
Here is my HijackThis log:

O2 - BHO: (no name) - {11CEFA27-5AE9-46CB-B791-738C242B4761} - E:\WINDOWS\system32\6ji.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Dell AIO Printer A920] "E:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG_CC] E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: PeerGuardian (2).lnk = E:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - e:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll


It all seems fine to me, except the first and third objects; I don't know what they are.
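An added example, not part of the thread and not a HijackThis feature: a small Python triage pass over the O2/O3 lines of the log above. HijackThis lists a BHO by the CLSID it finds under Explorer's Browser Helper Objects key and resolves the path from that CLSID's InprocServer32 value, so each line gives three things to judge: the registered name, the CLSID, and where the DLL lives. The script scores each entry on the points the thread's replies react to (no name, a DLL in system32 rather than a product directory, a short random-looking filename). The log lines are copied from the post; the two-entry allowlist is an assumption made for the example from what the thread itself vouches for.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: the O2/O3 lines (plus one O4 line) exactly as posted in this thread.
HJT_LOG = r"""
O2 - BHO: (no name) - {11CEFA27-5AE9-46CB-B791-738C242B4761} - E:\WINDOWS\system32\6ji.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] E:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""

# Assumed allowlist, built only from what this thread identifies as legitimate:
# Spybot's SDHelper BHO and the Internet Explorer Radio toolbar.
KNOWN_GOOD = {
    "{53707962-6F74-2D53-2644-206D7942484F}": "Spybot S&D SDHelper.dll",
    "{8E718888-423F-11D2-876E-00A0C9082467}": "IE Radio toolbar (msdxm.ocx)",
}

# O2/O3 lines have the shape:  O<n> - BHO|Toolbar: <name> - {CLSID} - <path>
# The name is matched lazily so a " - " inside the path ("Spybot - Search & Destroy")
# stays in the path.
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<path>.+)$"
)


@dataclass
class Entry:
    section: str
    kind: str
    name: str
    clsid: str
    path: str
    reasons: list[str] = field(default_factory=list)


def parse_entries(log: str) -> list[Entry]:
    """Pull every O2 (BHO) and O3 (toolbar) line out of a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def looks_random(stem: str) -> bool:
    """Very short stems mixing digits and letters ("6ji") are typical of generated names."""
    return len(stem) <= 4 and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def triage(e: Entry) -> list[str]:
    """Return the reasons an entry deserves a closer look; empty means nothing stood out."""
    if e.clsid.upper() in KNOWN_GOOD:
        return []
    reasons = []
    low = e.path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if e.name.strip().lower() == "(no name)":
        reasons.append("CLSID has no registered name")
    if "\\windows\\system32\\" in low:
        reasons.append("third-party module dropped into system32 instead of a product directory")
    if looks_random(stem):
        reasons.append(f"short random-looking filename '{stem}'")
    return reasons


def flagged(log: str, min_reasons: int = 2) -> list[Entry]:
    """Entries with at least min_reasons findings, with the reasons filled in."""
    out = []
    for e in parse_entries(log):
        e.reasons = triage(e)
        if len(e.reasons) >= min_reasons:
            out.append(e)
    return out


if __name__ == "__main__":
    for e in flagged(HJT_LOG):
        print(f"{e.section} {e.kind} {e.clsid} -> {e.path}")
        for r in e.reasons:
            print("    -", r)
```

With the default of two findings only the 6ji.dll entry is reported; the Spybot helper and the Radio toolbar are allowlisted. Treat the output as a shortlist to look up, not a verdict: an unnamed BHO under Program Files, or a system32 DLL with an ordinary name, can go either way, which is why the thread's advice to search the CLSID and filename still applies.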
Title: Re: money.cafreedom.com
Post by: Raptor on November 07, 2004, 02:14:23 PM
The Toolbar &Radio is harmless, I believe. I've seen it before on my PC as well. Must come with Internet Explorer.

Entry number one does seem a bit dubious, no Google search results...

There's a tool that seems to be recommended often. Give it a try: CWShredder (http://www.intermute.com/spysubtract/cwshredder_download.html)
Title: Re: money.cafreedom.com
Post by: matt on November 08, 2004, 10:07:31 AM
I fooled around with CWShredder, but it didn't find anything. Any other ideas? This thing is really annoying.
Title: Re: money.cafreedom.com
Post by: Raptor on November 08, 2004, 10:43:48 AM
Use different spyware/virus scanners. See if any of them picks up any threats the others do not.
Title: Re: money.cafreedom.com
Post by: 2k dummy on November 08, 2004, 11:54:27 AM
Do you have any dealings with or relationship to any of the following:

NRSoftware
Bane Media
xeex
Yipes

The URL and IP address belong to NRSoftware. They are a rather nefarious outfit and are known to be spammers. They use hosting companies to cover their tracks. You likely have a backdoor that they are trying to use. Use dedicated trojan detection software and keylogger detection. By all means, keep it blocked in the firewall.
Title: Re: money.cafreedom.com
Post by: matt on November 08, 2004, 03:21:28 PM
I have none of those programs you mentioned, and I am keeping it blocked. What trojan/keylogger scanning software should I use?
Title: Re: money.cafreedom.com
Post by: 2k dummy on November 08, 2004, 03:50:48 PM
I recommend The Cleaner (http://www.moosoft.com/products/cleaner). It is not freeware but can be downloaded for a 30-day free trial; $49.95 if you decide to keep it after the trial period.
Title: Re: money.cafreedom.com
Post by: matt on November 09, 2004, 08:19:39 AM
I also ran a scan with that; it too came up empty :-/
Title: Re: money.cafreedom.com
Post by: Raptor on November 09, 2004, 08:47:08 AM
Have you bothered going to the URL?

Quote
what do you want to find here?


Doesn't even set a cookie.

I think you should scan your entire system to the fullest extent using different spyware and virus scanners and configuring them all to scan each file and folder.
Title: Re: money.cafreedom.com
Post by: dl65 on November 09, 2004, 01:28:16 PM
matt... Go to the link below; it will explain all of the entries and will direct you to various places so you can check each item.
http://computercops.biz/HijackThis.html
I just had a quick look at your log and it doesn't appear to be complete... did you neglect to post all of it?
BTW, you asked about your entries 1 and 3:

O2 - BHO: (no name) - {11CEFA27-5AE9-46CB-B791-738C242B4761} - E:\WINDOWS\system32\6ji.dll  ...this entry looks odd...

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
This entry is normal and OK.

Perhaps you should check out all of your log entries after reading the explanation link.

Let us know
dl65  ::)
Title: Re: money.cafreedom.com
Post by: merlin_2 on November 09, 2004, 01:53:20 PM
Firewall PeerGuardian as well, it seems? Run my old mate, the best there is: http://removespyware.net/ratings/spy-sweeper.htm ... and sorry to jump into this post.
Title: Re: money.cafreedom.com
Post by: matt on November 10, 2004, 03:52:10 PM
I have gone to the website through Firefox and saw "what do you want to find here"; figured that couldn't be good. I downloaded Spy Sweeper; it found something on my D: (second hard drive), but I still get the trying to connect to money.cafreedom.

That was my full HijackThis file; since I reinstalled Windows I've kept all Internet Explorer things blocked with my firewall.


Here is a screenshot of the actual firewall popup:
http://www.msu.edu/~rosemat2/images/money.htm

and of my HijackThis log:
http://www.msu.edu/~rosemat2/images/hijack.htm


Not that that will help, but could this be in a different section of my HD? I've been scanning all:

C: is a FAT32 I've used for storage between Linux and XP. I currently have no Linux on my system; it is usually on D:, which is a second 6 GB hard drive. My E: is my XP NTFS hard drive.
Title: Re: money.cafreedom.com
Post by: matt on November 10, 2004, 03:53:54 PM
AHH HAAA!!! It's fixed
;D

It was that first entry in HijackThis:

O2 - BHO: (no name) - {11CEFA27-5AE9-46CB-B791-738C242B4761} - E:\WINDOWS\system32\6ji.dll

I went to http://computercops.biz/HijackThis.html and did a search on it. It came up with no response, so I deleted it, and that did it.

THANKS FOR ALL THE HELP!!!!!  ;D ;D ;D
Title: Re: money.cafreedom.com
Post by: matt on November 10, 2004, 04:07:10 PM
*censored*!
No it's not. When I deleted it from HijackThis it went away; however, when I restarted my computer it came back! I re-deleted it from HijackThis and uninstalled PeerGuardian, then rebooted, and it came back again :(. What could be adding it every time I reboot?
Title: Re: money.cafreedom.com
Post by: dl65 on November 10, 2004, 11:59:45 PM
matt... have you had a look in
WINDOWS\system32\6ji.dll to see if it's there, and then manually removed it?
Keep looking, it's hiding in there somewhere.

Let us know
dl65  ::)
Title: Re: money.cafreedom.com
Post by: matt on November 11, 2004, 10:00:22 AM
I'm looking in my E:\WINDOWS\system32; I selected show hidden folders too. I'm not finding it. Could it be in my temp file somewhere? I'm still looking but can't seem to find it. I've done a Windows search too.
Title: Re: money.cafreedom.com
Post by: merlin_2 on November 11, 2004, 11:35:47 AM
It may be lurking in the reg... disable System Restore and delete it again... and to be sure, disconnect your PC from the net.
Title: Re: money.cafreedom.com
Post by: matt on November 11, 2004, 06:34:25 PM
I don't have System Restore set up. How do I go about disabling it?
Title: Re: money.cafreedom.com
Post by: Raptor on November 11, 2004, 11:14:11 PM
Right-click My Computer -> Properties -> System Restore (tab). Disable it on all partitions/HDDs.

Title: Re: money.cafreedom.com
Post by: matt on November 12, 2004, 01:11:52 AM
I undid it, rebooted, still had it; allowed it, then undid it again and rebooted; still have it :-\
Title: Re: money.cafreedom.com
Post by: 2k dummy on November 12, 2004, 11:25:42 AM
This thing is very persistent and difficult to get rid of. The reason you can't find the .dll is because every time you reboot the file name is regenerated, and it is random. When it next tries to connect, before you dismiss the window, bring up Task Manager and see what processes are running. Make note of any odd .exe files that should not be there. Make sure System Restore is off and you have stopped the processes from running. Locate the odd files and delete them. Go into the registry and delete any entries that are "run once". Search for any entries for the file name(s) that you have found and delete the keys for those files.
Title: Re: money.cafreedom.com
Post by: matt on November 12, 2004, 03:22:07 PM
OK, but I'm not sure which .exe processes are considered normal. Here are the ones I'm running after rebooting.

http://www.msu.edu/~rosemat2/images/processes.htm

Also, where is the registry, and how do I delete the 'run once' objects?
Title: Re: money.cafreedom.com
Post by: matt on November 12, 2004, 03:32:09 PM
Also, here are my running processes after a reboot and trying to open 'My Computer'.

I went through them; they are in a different order, but they are the same.
Title: Re: money.cafreedom.com
Post by: matt on November 12, 2004, 03:38:03 PM
Sorry, after starting 'My Computer' the processes are this:

http://www.msu.edu/~rosemat2/images/processes2.htm
Title: Re: money.cafreedom.com
Post by: matt on November 20, 2004, 08:45:42 PM
Anyone? How can I get to the registry and clear that out?
Title: Re: money.cafreedom.com
Post by: dl65 on November 20, 2004, 11:45:30 PM
matt... to get into the registry, do the following: click Start, then Run, then type Regedit in the Run box and press Enter (make sure you back up your registry just in case you remove the wrong thing). Now when the Registry Editor opens, up at the top click Edit, then go down to Find and click on it. The Find box will open; enter what you're looking for and press Enter. It will search, and if it finds what you're looking for it will be displayed, so just delete it; or if it finds nothing, try searching for something else.

dl65  ::)
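An added example that is not part of the thread: the regedit Find described above, done offline in Python against a regedit export (File, Export in regedit, which is also the backup dl65 asks for). Searching for the filename alone only reaches keys whose data names the file; the Browser Helper Objects registration that makes Explorer load the DLL is a key named by the CLSID with no values of its own, so the script pivots through any CLSID it sees in a hit's key path and searches again. The export text is constructed for the example: it has the regedit 5.00 layout and uses the CLSID and path from the log earlier in this thread, but it is not an export from the poster's machine, and the location labels are an assumption chosen for the example.

```python
from __future__ import annotations

import re

# Constructed sample in regedit "Windows Registry Editor Version 5.00" export layout.
# The CLSID and DLL path are the ones in the HijackThis log in this thread; the keys and
# the AVG value are illustrative, not an export from the poster's machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_CC"="E:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11CEFA27-5AE9-46CB-B791-738C242B4761}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11CEFA27-5AE9-46CB-B791-738C242B4761}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11CEFA27-5AE9-46CB-B791-738C242B4761}\InprocServer32]
@="E:\\WINDOWS\\system32\\6ji.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\InprocServer32]
@="E:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll"
"ThreadingModel"="Apartment"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Registry locations worth naming when a hit lands in them (matched against the
# lower-cased key path). Assumed list for this example: the places the thread's
# advice touches plus a few other classic Explorer/Winlogon load points.
LOCATIONS = [
    (r"\\explorer\\browser helper objects\\", "BHO list: Explorer/IE loads this CLSID on start"),
    (r"\\clsid\\\{[0-9a-f-]+\}\\inprocserver32$", "COM server: the DLL behind the CLSID"),
    (r"\\currentversion\\run(once)?$", "autorun (Run/RunOnce)"),
    (r"\\winlogon\\notify\\", "Winlogon notification package"),
    (r"\\explorer\\shellexecutehooks$", "ShellExecuteHooks"),
    (r"\\explorer\\sharedtaskscheduler$", "SharedTaskScheduler"),
]


def _unescape(s: str) -> str:
    # regedit exports write \ as \\ and " as \" inside string data
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str):
    """Yield (key, value_name, data) for each key and value in a regedit export.

    Each key is also yielded once as (key, None, None) so that keys without values,
    such as a bare BHO registration, are still visible to the search.
    """
    key = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        while line.endswith("\\") and i + 1 < len(lines):  # hex(...) continuation lines
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            yield key, None, None
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            raw = m.group("name")
            name = "(Default)" if raw == "@" else _unescape(raw[1:-1])
            data = m.group("data")
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            yield key, name, data


def classify(key: str) -> str:
    low = key.lower()
    for pattern, label in LOCATIONS:
        if re.search(pattern, low):
            return label
    return "other"


def find(text: str, needle: str) -> dict[str, str]:
    """Keys whose path or value data contain needle (case-insensitive), mapped to a label."""
    n = needle.lower()
    hits: dict[str, str] = {}
    for key, _name, data in parse_reg(text):
        if n in key.lower() or (data is not None and n in data.lower()):
            hits[key] = classify(key)
    return hits


def hunt(text: str, filename: str) -> dict[str, str]:
    """Find by filename, then pivot once through every CLSID seen in a hit's key path,
    because the BHO list entry is named by CLSID and carries no value naming the file."""
    hits = find(text, filename)
    clsids = {c.upper() for k in list(hits) for c in CLSID_RE.findall(k)}
    for clsid in sorted(clsids):
        hits.update(find(text, clsid))
    return hits


if __name__ == "__main__":
    for key, label in hunt(SAMPLE_REG, "6ji.dll").items():
        print(f"{label:45}  {key}")
```

Run stand-alone it prints three keys for 6ji.dll: the InprocServer32 value that names the file, the bare CLSID key, and the Browser Helper Objects entry; a plain Find on the filename lands only on the first. Deleting just that one leaves the other two in place, which is worth ruling out before concluding that something recreates the entry on reboot. If it does come back after all three are gone, search the same export for the DLL's name and CLSID under the Run/RunOnce and Winlogon locations the script labels, since whatever re-registers the BHO has to be started from somewhere.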
Title: Re: money.cafreedom.com
Post by: matt on November 21, 2004, 02:31:38 PM
Sweet, I did a search for 6ji.dll within the registry after a reboot and it found something. First, I delete the entire entry with everything in it, correct? Second, how do I back up the registry first? Thanks :D
Title: Re: money.cafreedom.com
Post by: Neil on November 21, 2004, 02:52:24 PM
http://www.computerhope.com/registry.htm
Title: Re: money.cafreedom.com
Post by: matt on December 02, 2004, 09:57:40 AM
OK, I made a backup, ran regedit, and did a search for 6ji.dll. I found it and deleted the entire folder it was in. That worked; however, when I rebooted it came back again. This thing is persistent. Could it be tied in with some program I have? I can't think of what it would be; I am careful about what I download. Any ideas of what might be putting it back in the registry every reboot?
Title: Re: money.cafreedom.com
Post by: matt on December 02, 2004, 10:40:15 AM
OK, I booted into safe mode and logged in as Administrator, did the regedit thing, and cleared out c:\windows\temp and c:\d+s\default user (and matt)\local settings\temp, then rebooted into normal. When I open My Documents or My Computer, the firewall doesn't show anything trying to connect, but after I close, maybe 5 or 6 seconds later, Explorer restarts like it did before, and when I run HijackThis I am still getting 6ji.dll in there, as removing it, as before, fixed the problem. So I think I got at least part of it in the temp folders, but something is still putting 6ji.dll in the registry every reboot.
Title: Re: money.cafreedom.com
Post by: merlin_2 on December 04, 2004, 01:34:07 AM
Two things to remember here are System Restore and System File Protection; that's why the file keeps reappearing. Try this: http://www.dougknox.com/xp/tips/xp_undeletable_file.htm
Title: Re: money.cafreedom.com
Post by: matt on December 04, 2004, 02:11:58 PM
In HijackThis it shows 6ji.dll in E:\windows\system32\6ji.dll. When I try to delete it in the command prompt it says it cannot find the file. I tried closing Explorer and removing it from the registry using regedit; I actually found two entries for 6ji.dll, but when I restarted Explorer it came back again. I can get rid of it using HijackThis, but whenever Explorer is restarted it comes back. :(
Title: Re: money.cafreedom.com
Post by: Raptor on December 04, 2004, 04:08:41 PM
Then stop using Internet Explorer. There are alternative browsers out there.
Title: Re: money.cafreedom.com
Post by: matt on December 05, 2004, 12:25:58 PM
I have been using only Firefox 1.0, which surprises me that I have something like this. The only thing that bugs me is it's all Explorer windows, My Computer and My Documents included. I guess I'll keep fooling around with it, but thanks for the help so far!!