[PangingJr]

one of the trojan virus remove/replace it..

D-click on the notepad.exe in \WINDOWS and see if it worked..

then just copy the notepad.exe from \WINDOWS to overwrite the one in \WINDOWS\system32.

if it's not working then get the file from your XP CD.
if you still having prob running it from the start menu's shortcut, let me know.

[BWX]

Ha- it finally worked! Man, what a pain.... I guess the only thing now is that funny.exe (that I know of)..

But that might be the cause of all of this in the first place.. But who knows. It seems strange I cannot delete it in safe mode, and when I search registry, I cannot find it by using search function.. it is a 0k file.. maybe that is why? Weird. I'd like to know what website gave me this, because I don't think it was an email right now.

[PangingJr]

i don't have time to read it yet.. check it out.. will see if i can get more info later...
http://groups.google.com/groups?hl=e...G=Search&meta=

[BWX]

http://www.pestpatrol.com/PestInfo/a/aim_pws.asp

I just found this too thanks-

[BWX]

Update-

it says I have CWS.GoogleMS.3 or some crap.



I wonder if any of these are normal from my HJT? I'm gnna go try to get it removed, Thanks for all the help- this one was tough.

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html

[malkor]

Wait, wait...

If you do have the Google toolbar installed, are using the most updated version of spywareblaster (or are using Spybot's "immunize" function) and got this info from a Pestpatrol scan......it is a FALSE POSITIVE


Spywareblaster (and Spybot "immunize") have started putting sites into IE's restricted zone with a DWord of 4. Pestpatrol is identifying this as CWGoogleMS trojan. It is a false positive.

Again, if the three conditions listed above apply to your machine, don't start removing those entries.


Just to be sure, go to Internet Options, click the security tab, restricted zone, then click on the sites button. and see if there is an entry for xxxtoolbar.com. If so, false positive and pestPatrol is trying to remove that site from your restricted Zone!!!

[BWX]

Quote:

Originally posted by malkor
Wait, wait...

If you do have the Google toolbar installed, are using the most updated version of spywareblaster (or are using Spybot's "immunize" function) and got this info from a Pestpatrol scan......it is a FALSE POSITIVE


Spywareblaster (and Spybot "immunize") have started putting sites into IE's restricted zone with a DWord of 4. Pestpatrol is identifying this as CWGoogleMS trojan. It is a false positive.

Again, if the three conditions listed above apply to your machine, don't start removing those entries.


Just to be sure, go to Internet Options, click the security tab, restricted zone, then click on the sites button. and see if there is an entry for xxxtoolbar.com. If so, false positive and pestPatrol is trying to remove that site from your restricted Zone!!!

Yeah I was just reading this too:
affect Windows 3.x, Macintosh, OS/2, UNIX, or Linux .
Exploit: Most exploits IE to allow a .css (Cascading Style Sheet) to run Javascript. The exploit only works if the system has the "ByteCode Verifier" vulnerability. A patch for this vulnerability has been available since April 9, 2003.

Um, My PC is up to date, so how could I get it? Plus, yes I am using up to date Spyware Blaster AND Spybot w/ immunize- So it's a false positive...


Back to square , uhh, 3 I guess...

[PangingJr]

"CWS.GoogleMS.3"
D/L the lastest version of the CWShredder,
http://www.spywareinfo.com/~merijn/downloads.html
close all your web browser and run it.

"O8" - Extra MSIE context menu items

that entries are from the R-click context menus of IESpell, NeoTrace and GoogleToolbar.. it's all look okay but if you like to remove it i suggest backup it first

[malkor]

You didn't get anything. It's FALSE. You are protected, PestPatrol has made a mistake.

If you want a real check for trojans then use one of these:


TDS-3 Trial Version make sure to update defs

TrojanHunter Trial update defs

or, for a less powerful, but entirely free trojan scanner, (pretty good):

A-squared


I think you may have remnants of an infection, but your system is working fine right? Your homepage wasn't hijacked? Sygate is no longer popping up notices? Your HJT log is pretty clean actually.

[PangingJr]

Email Viruses And Hoaxes - W32.Cianam - funny.exe
http://www.pv.vccs.edu/helpdesk/menu...ses/cianam.htm

W32/Joggle-A ..Funny.exe
http://www.sophos.com/virusinfo/anal...32jogglea.html

Adware.Smartsearch.. funny.exe
http://securityresponse.symantec.com...artsearch.html

[BWX]

http://securityresponse.symantec.com...artsearch.html

Typed URLs are redirected to http:/ /smartsearch.ws.

C:\funny.exe




---Looks like it's a variant of that or something... But nothing detects it at all.
I'll have to try to remove it later- I've been up for like 4 days.. I'm starting to hallucinate and fall asleep sitting up.. Laterz---

[malkor]

I forgot to add a speech that I usually give in threads like these. Just tell me to shut up.

[RANT] I don't know why, with the nature of the internet today, ANYONE would continue to use Internet Explorer as their default browser. The simple change to an alternate browser like Mozilla, Firefox or Opera will eliminate even the chance of being infected by more than 80 or 90% of these hijackers/worms/trojans.

It just doesn't make any sense to me why someone would choose to continue to use IE and/or OE. [/RANT]

I'll shut up now.

[BWX]

thanks malkor and Net-

I'm going to try to get rid of that funny.exe with some of those scans/tools I'll probably try all of them just be safe...

I don't know why nothing else is detecting it, because it IS something-- I cannot delete it, and if I try to change any settings in it, it makes a shortcut to itself in the same folder- very strange. It's linked to I do think it is a remnant of something that never completely was able to infect me- that's why nothings detects it?

Interesting-
In the 'program' tab, and advanced button on the bottom, a window pops up listed as Windows PIF Settings.

Autoexec filename: %SystemRoot%\SYSTEM32\AUTOEXEC.NT
Config filename: %SystemRoot%\SYSTEM32\CONFIG.NT

Then there is a check box (not checked): Compatible timer hardware emulation
Thats' why I'm afraid of this- I don't want huge problems if I delete it- and want to know if this thing over-road the file protection and changed a critical file.. Just not sure.. I'll do some scans now.






@ malkor about speech- yeah, I've tried Mozilla, and tried to get used to it, but I couldn't, it's nowhere near as customizable or configurable as IE6- and the scrolling sux bad..
@ OE6?, I'm too used to it, and I like the filtering system- I've disabled all the moronic M$ default settings- But I am starting to think I should try another client out- after 6 or so years of learning it, it's hard to throw it away. I have no idea if this happened because of either of those programs though-

[malkor]

Quote:

Originally posted by BWX
@ malkor about speech- yeah, I've tried Mozilla, and tried to get used to it, but I couldn't, it's nowhere near as customizable or configurable as IE6- and the scrolling sux bad..

It is FAR more customizable than IE6. There are extensions you can add, scripts you can add. There is a huge difference in functionality, all in the favour of Mozilla. It is an adjustment, but well worth it. Once you get used to it, you love it.


I personally don't have use for the full blown browser/mail client/newsgroup that Mozilla is. I use Firefox. Much, much, much more customizable than IE6.

[BWX]

Quote:

Originally posted by malkor
It is FAR more customizable than IE6. There are extensions you can add, scripts you can add. There is a huge difference in functionality, all in the favour of Mozilla. It is an adjustment, but well worth it. Once you get used to it, you love it.


I personally don't have use for the full blown browser/mail client/newsgroup that Mozilla is. I use Firefox. Much, much, much more customizable than IE6.

I did have it installed (not Firefox) and I just didn't like it- Believe me I wanted to like it- But I couldn't rearrange the navigation buttons- maybe I just need a good site that has those plug ins and extensions.. I'll probably try Firefox sometime.

I checked and it was none of the above listed things- time to run updated CWShredder..


EDIT- actually come to think of it, this all started while I was searching the net for patches to grand Prix Legends, and I was at some pretty shady sites sometimes- I wouldn't doubt if it did come through IE6, but it's all up to date, I don't know how it could have gotten on here that way.. hard to say really because I'll never even know what it was.

[PangingJr]

Quote:

Originally posted by BWX
Interesting-
In the 'program' tab, and advanced button on the bottom, a window pops up listed as Windows PIF Settings.
Autoexec filename: %SystemRoot%\SYSTEM32\AUTOEXEC.NT
Config filename: %SystemRoot%\SYSTEM32\CONFIG.NT

something link this..


maybe the file name is "Funny.exe.pif"
and it's a shortcut to one of the MS-DOS program... check the tab General.
(the .pif is an extension of a shortcut just like a .ink)

[BWX]

Quote:

Originally posted by Net
something link this..


maybe the file name is "Funny.exe.pif"
and it's a shortcut to one of the MS-DOS program... check the tab General.
(the .pif is an extension of a shortcut just like a .ink)

EXACTLY like that!

[BWX]

Quote:

Originally posted by Net
something link this..


maybe the file name is "Funny.exe.pif"
and it's a shortcut to one of the MS-DOS program... check the tab General.
(the .pif is an extension of a shortcut just like a .ink)

EXACTLY like that:

General tab, file type: application
not shortcut

[PangingJr]

ok so that is the file itself,
in the Security tab, try taking ownership of the file and give a full control (permissions)

[BWX]

Quote:

Originally posted by Net
ok so that is the file itself,
in the Security tab, try taking ownership of the file and give a full control (permissions)

Nope it doesn't have a securities tab- and if I change any settings, it won't save them, then it just creates a shortcut to itself- it's the weirdest thing..


I'm wondering if deleting it will mess up my system though... since it's pointing to those system files. But maybe it won't hurt anything..

It really worried me when I went onto safe mode and it wouldn't delete..
I should take some screenshots of the tabs- lot's of different options, but none stick anyway.

[PangingJr]

[BWX]

CWShredder:


CWShredder v1.59.0 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Administrator\Application Data
Username: ---------

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (734 bytes, RA)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (1268 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (580 bytes, A)


Not sure what that means- I did just a check, not a fix- so I guess it's just saying it found these, not that there is anything wrong with them.. Or maybe not, it should say- but it doesn't.

[PangingJr]

start the program again, then clcik on Fix button... not the scan one.

[BWX]

Quote:

Originally posted by Net

Yeah, it has all those except the security tab.

[BWX]

Quote:

Originally posted by Net
start the program again, then clcik on Fix button... not the scan one.

Ok, I was going to try that next-

[PangingJr]

it won't help removing the funny file... but it'll reset some of your bad registry.. and remove the bad entry in the hosts file..

[PangingJr]

Quote:

Originally posted by BWX
Yeah, it has all those except the security tab.

go to the Folder options, then remove the dot or uncheck in front of the Use simple file sharing..

[BWX]

Quote:

Originally posted by Net
go to the Folder options, then remove the dot or uncheck in front of the Use simple file sharing..

Well I used CWShredder and it didn't find anything- it said all was clean.


No folder option anywhere in that file's properties, nothing about sharing at all.. None of the settings stick anyway. They all go back to original settings every time it's changed...

[PangingJr]

Quote:

Originally posted by BWX
Well I used CWShredder and it didn't find anything- it said all was clean.

No folder option anywhere in that file's properties, nothing about sharing at all.. None of the settings stick anyway. They all go back to original settings every time it's changed...

"Well I used CWShredder and it didn't find anything- it said all was clean"
it's clean. good.
pls note that all of my answers is based on your questions.. the answer is usually in the question...
for an example..
you Knew that the prob is in somewhere connecting to the ntlanman.exe, search.requestlookup.net, funny.exe and the notepad, i saw it on your question.. then i started my first reply with the file in question... i wanted to get rid of the one first.. then the rest of your probs would be next.


"No folder option anywhere in that file's properties, nothing about sharing at all.."
sorry i thought you knew..
you can find the "Folder Options" in Control Panel..
or open any folder and go to Tools -> Folder Options -> View tab -> Uncheck the Use simple file sharing... if it's checked and see if the Security tap is show up..


from your previuos msg.. "I do think it is a remnant of something that never completely was able to infect me- that's why nothings detects it?"..
the only prob that i saw and thought that would be a real issue on your system and should be the one that must be concentrated first and the most was the ntlanman.exe which has been removed.. the funny file could be related to it but i dont think so and and i dont think it's an important file for your system or causing any prob if it has been removed from.. evntho there's nothings detects it but you did detected it.. find out more info about it if you like after that just remove it... read my expand notes below..


eventho i think i know quite a bit on what's going on in your system and how to fix/remove it
and what is to keep and what's to go.. i think the only prob that i seem to have here and there is how to tell you... in a good and easy understanding english... this's my prob not yours.. i guess i have to tell you everything.. i mean in more details.. not just a short ones..


and if you're not so sure of anything either things that you see on my suggestions
or thing that you think it may cause more prob to your PC or whatever else that you're worry..
simply don't follow my suggestion.. do whatever that you think its best, its your PC, your decision.


edit-- 'pls note that all of my answers is based on your questions'...
pls note that all of my answers/replies are based on your questions/informations/repiles.

[BWX]

Ok, well I already had the simple shares clicked in the folder options, I thought you were talking about a setting for that file particularly. So I guess I'll just have to deal with that file, it isn't hurting anything as far as I know. Everything else is back to normal and whatever tried to get on my PC is gone..

I'll just have to find out how to delete that file somehow.