Trojan removal/how?

My point exactly. I ask them to post it because I want to see it and help
them. The other posts ran her off and made her more confused, how is that
helping? I have been watching this thread and stayed out it for a while just
to see what happens. Those other MVP's and trolls would rather criticize me
and confuse the user, like they did, rather then help because they don't
want to see a hjt log. It's just stupid childish behavior.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"Shenan Stanley" wrote in message
...
pcbutts1 wrote:
Sorry Email won't work. I get way too many hjt logs in email so they
get stripped off and deleted. You have to use this group or post it
over at news:24hoursupport.helpdesk they are more civilized in that
group and know the importance of hjt.
snip

Actually - "civilized" has nothing to do with it. While I could care less
if someone posts there HJT log here, I will not quote it when responding
to the person nor will I argue with those who request that the logs get
posted in a forum more suited to it (such as a HJT specific forum.)

The reasoning is simple: The people in an HJT forum are there to answer
questions related to the HJT product and want to see those logs. The
people here in "microsoft.public.windowsxp.configuration_mana ge" and
"microsoft.public.windowsxp.help_and_support" are here to answer questions
on Windows XP product and may not care to see logs that have no meaning to
them (possibly - I know many "experts" in Windows XP that wouldn't know
what the HJT log was without a little thought and research.)

Freespirit can post what she wants here and if this is where you would
prefer to have her post it and you are the one helping her - so be it - I
do not have a problem with that and actually would encourage it.. But I
would not call the groups "uncivilized" because some here would prefer not
to see multipage logs posted on a group not frequented (necessarily) by
the experts in reading and interpreting those logs.

Hopefully some of the instructions I posted in another thread with her
will rid her of this plague she has on her machine and we can actually get
about making it fully functional again - if not - I welcome her logs here
for you to peruse and interpret!

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

Hi,

Try this too.

http://research.sunbelt-software.com...loader.BHO.req

---==X={}=X==---


Jim Self
AVIATION ANIMATION, the internet's largest depository.
http://avanimation.avsupport.com

Your only internet source for spiral staircase plans.
http://jself.com/stair/Stair.htm

Experimental Aircraft Association (EAA)
Technical Counselor

"Shenan Stanley" wrote in message
...
Shenan Stanley wrote:
Hopefully some of the instructions I posted in another thread with
her will rid her of this plague she has on her machine and we can
actually get about making it fully functional again - if not - I
welcome her logs here for you to peruse and interpret!

~ FreeSpirit ~ wrote:
I have a question about the names of the dlls that get deleted.

Snips from the post:
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} -
C:\WINDOWS\system32\ddayx.dll (The DLL may have a different name.)
O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll (The
DLL may have a different name.)
- Next double click on explorer.exe and again click once on each
instance of ddayx.dll (remember - could be named something else)
then click the kill button.
- After you have killed all of the ddayx.dll's (or whatever it is
named -
it will be the unusually named DLL) under winlogon click OK.

How would I know what names if they're different? Do I just delete
the dlls I will see there? For example there are no ddayx.dlls on my
machine.

Make a list - post them here - then we can look over them.
=====================
It was no problem getting to the list via SafeMode/opening the "download
process Explorer" and finding the thread window. But the names there are
nothing like the ddaxy.dll or the one MSAS found = pmkhh.dll. They all
looked legitimate such as:

xmlmfc.dll+02x218e7 ....
Winmm.dllPlaySound
RPCRT4.dll
ntdll.dll Rt.Queue
winlogon.exe+0x .....

And a few more that are similar. This Trojan seems to have 5 plain low-case
letters - these look different. There were more but you can't cut and past
from there. There were 3 others that had changing numbers in front of them
as I watched. Processor use maybe??!?!

Also when making the reg.backup. When I removed the carrots it changed the
format a bit. Was I supposed to leave the carrots when C&Ping to notepad?

Since nothing looked like the 5 low-case letter Trojan's dlls I didn't
delete any of them. Where can we get more information on what to delete
there?

FS ~


--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

"pcbutts1" wrote in message
. ..
My point exactly. I ask them to post it because I want to see it and help
them. The other posts ran her off and made her more confused, how is that
helping? I have been watching this thread and stayed out it for a while
just to see what happens. Those other MVP's and trolls would rather
criticize me and confuse the user, like they did, rather then help because
they don't want to see a hjt log. It's just stupid childish behavior.


I don't think it's possible to get more confused than she already is. People
like her are exactly why HJT logs shouldn't be posted here. There are too
many people that don't what they are doing that will post a reply and only
cause her more problems. There are no moderators to remove the posts that
may be wrong. If you have followed the threads in the many newsgroups she
has posted to you can see that she will try any and every suggestion she
gets. The wrong suggestion with HJT and she may have a system that doesn't
work, although it seems like that's what she already has :-)

Kerry

So what's next? just forget about her and her problems because people are
scared of hjt logs. That's GREAT help. this group is AWESOME!

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"Kerry Brown" *a*m wrote in message
...
"pcbutts1" wrote in message
. ..
My point exactly. I ask them to post it because I want to see it and help
them. The other posts ran her off and made her more confused, how is that
helping? I have been watching this thread and stayed out it for a while
just to see what happens. Those other MVP's and trolls would rather
criticize me and confuse the user, like they did, rather then help
because they don't want to see a hjt log. It's just stupid childish
behavior.


I don't think it's possible to get more confused than she already is.
People like her are exactly why HJT logs shouldn't be posted here. There
are too many people that don't what they are doing that will post a reply
and only cause her more problems. There are no moderators to remove the
posts that may be wrong. If you have followed the threads in the many
newsgroups she has posted to you can see that she will try any and every
suggestion she gets. The wrong suggestion with HJT and she may have a
system that doesn't work, although it seems like that's what she already
has :-)

Kerry

FYI she downloaded hjt from a trusted source and got version 1.97.7 Anymore
bright ideas Leythos. I'm still waiting for those emails proving I don't
have permission to do what I do.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"Leythos" wrote in message
...
In article , pcbutts1
@seedsv.com says...
It's just stupid childish behavior.

No, stupid and childish is going against the groups norms for posting
and for linking other peoples works/products in your posts.

Childish and stupid is downloading other peoples works and products to
your own website instead of posting links to the vendors site for people
to download from a "trusted" source and where they can read about the
products.

All of us are more than willing to help, but most of us are mature
enough to not suggest people download unproven software from an unknown
site when the software is just as easily available from the vendors own
site. Also, we don't ask people to post HUGE logs or binaries here as
it's not the proper place for it - not to mention all the idiots that
quote the entire HJ log when they reply.

None of us Object to HJ logs posted in the groups that approve of it.

--


remove 999 in order to email me

"PA20Pilot" wrote in message
...
Hi,

Try this too.

http://research.sunbelt-software.com...loader.BHO.req
=========================================
This one claims to remove it but didn't even see it. It did find a few
others though.

FS~

"Leythos" wrote in message
...
In article , pcbutts1
@seedsv.com says...
So what's next? just forget about her and her problems because people are
scared of hjt logs. That's GREAT help. this group is AWESOME!
If you were to stop the BS the thread would be a lot smaller and more
help would be available.
====================
After all the help I recieved here and all the problems I've had in the past
few weeks, I believe this Trojan is GONE. I combining all the information
from *all of you* I tried a few things I picked up here and there.....

First I unchecked System Restore and rebooted. I removed the registry KEY
for this Trojan. I emptied not only the temporary Internet files but the
Temp files once again, plus HISTORY and all the cookies. In HJThis I told
it to delete the line containing the pmkhh.dll. In MSAS I clicked on delete
(the Trojan) - it said it did. Another reboot..... NO TROJAN!!! Could
it be this easy? I rebooted again. No Trojan. Was it hiding in the
Restore Files? In the Temp File?

Now,... despite running about 7 Antispyware programs there still seems to be
spyware somewhere because everytime I try to use I.E. I'm redirected to
another site. This one
hxxp://www.vipfares.com/new/index.php?aid=vm_fm_vipfares&lid and others.

Trying to get the next critical patches from MS still does not work but the
SP2 warning bar does not appear. I get the same MS message:

The website has encountered a problem and cannot display the page you are
trying to view. The options provided below might help you solve the problem.
For self-help options:
Frequently Asked Questions

Find Solutions
Windows Update Newsgroup

The search Window there rejects everything I type in to try and get help.
It accepts no word or phrase so I gave up on it. Now guys (and ladies) how
do I get my critical updates? Or should I give up and perhaps use Mazilla
or Netscape for a browser. I.E. seems wide open to these infestations. As
we can see, the Anti-Spyware programs out there are not doing the job of
finding these things - there are simply too many in the wild.

As hard as I've looked I can't find any scum-ware now on this PC that can be
redirecting me to these weird websites unless one of these recommended
anti-spyware programs came with GASP another Trojan! :-O

FS~

"pcbutts1" wrote in message
. ..
So what's next? just forget about her and her problems because people are
scared of hjt logs. That's GREAT help. this group is AWESOME!


I don't think anyone here is afraid of HJT logs. There are many expert users
of HJT on the MS newsgroups.

If you read my last post to her I pointed out an appropriate forum and told
her to come back here once she was finished there if she was still having
problems. Unfortunately she couldn't figure out how to use the forum. As she
is receiving some excellent help from Shenan Stanley I decided to leave well
enough alone for now.

Kerry

"~ FreeSpirit ~" wrote in message
...
After all the help I recieved here and all the problems I've had in the
past few weeks, I believe this Trojan is GONE. I combining all the
information from *all of you* I tried a few things I picked up here and
there.....

First I unchecked System Restore and rebooted. I removed the registry KEY
for this Trojan. I emptied not only the temporary Internet files but the
Temp files once again, plus HISTORY and all the cookies. In HJThis I told
it to delete the line containing the pmkhh.dll. In MSAS I clicked on
delete (the Trojan) - it said it did. Another reboot..... NO TROJAN!!!
Could it be this easy? I rebooted again. No Trojan. Was it hiding in
the Restore Files? In the Temp File?

Now,... despite running about 7 Antispyware programs there still seems to
be spyware somewhere because everytime I try to use I.E. I'm redirected to
another site. This one
hxxp://www.vipfares.com/new/index.php?aid=vm_fm_vipfares&lid and others.


snip

As hard as I've looked I can't find any scum-ware now on this PC that can
be redirecting me to these weird websites unless one of these recommended
anti-spyware programs came with GASP another Trojan! :-O


In MSAS go into Advanced Tools == System Explorers == IE Settings ==
Restore all IE default settings. Exit MSAS, reboot the computer, and see if
the settings have changed back to the web site you mentioned. If they have
then you still have some spyware running.

Kerry

~ FreeSpirit ~ wrote:
After all the help I recieved here and all the problems I've had in
the past few weeks, I believe this Trojan is GONE. I combining all
the information from *all of you* I tried a few things I picked up
here and there.....
First I unchecked System Restore and rebooted. I removed the
registry KEY for this Trojan. I emptied not only the temporary
Internet files but the Temp files once again, plus HISTORY and all
the cookies. In HJThis I told it to delete the line containing the
pmkhh.dll. In MSAS I clicked on delete (the Trojan) - it said it
did. Another reboot..... NO TROJAN!!! Could it be this easy? I
rebooted again. No Trojan. Was it hiding in the Restore Files? In
the Temp File?
Now,... despite running about 7 Antispyware programs there still
seems to be spyware somewhere because everytime I try to use I.E. I'm
redirected to another site. This one
hxxp://www.vipfares.com/new/index.php?aid=vm_fm_vipfares&lid and
others.
Trying to get the next critical patches from MS still does not work
but the SP2 warning bar does not appear. I get the same MS message:

The website has encountered a problem and cannot display the page you
are trying to view. The options provided below might help you solve
the problem. For self-help options:
Frequently Asked Questions

Find Solutions
Windows Update Newsgroup

The search Window there rejects everything I type in to try and get
help. It accepts no word or phrase so I gave up on it. Now guys (and
ladies) how do I get my critical updates? Or should I give up and
perhaps use Mazilla or Netscape for a browser. I.E. seems wide open
to these infestations. As we can see, the Anti-Spyware programs out
there are not doing the job of finding these things - there are
simply too many in the wild.
As hard as I've looked I can't find any scum-ware now on this PC that
can be redirecting me to these weird websites unless one of these
recommended anti-spyware programs came with GASP another
Trojan! :-O

FreeSpirit..

Rerun HJT - email me the log. An attachment text file is fine. You can
alos cut/paste all the text into the message body if that is easier for you.
My reply-to email will work.

As for everything else - keep it in this thread.

Although using an alternative browser for your everyday browsing is a great
idea (Firefox is a fantastic thing..) - you have to use Internet Explorer on
some sites - so we need to get that fixed. =)

You could use Automatic Updates for your Windows Updates - but with all the
trouble you have with the system now - manual intervention (after some
training) may be better. (The training - you've received over the last few
weeks! hah)


Let me ask you this.. Can you - in IE - get to:
http://www.microsoft.com/technet/sec.../ms05-aug.mspx

If so, can you then expand the:
(+) Critical (3)
Section? (Click on the plus sign on the page.)

If so, can you then click on the words in that section:
"Cumulative Security Update for Internet Explorer (896727)"?

That should take you to the following page:
http://www.microsoft.com/technet/sec.../MS05-038.mspx
Does it?

If so, can you scroll down the new page and find the line that reads:
"Internet Explorer 6 for Microsoft Windows XP Service Pack 2 - Download the
update"
and then click on the words "Download the update" in that line?

This should take you to another web page, particularly this one:
http://www.microsoft.com/downloads/d...displaylang=en
( Shorter Link: http://snipurl.com/h9oi )

Can you then click on the "Download" button and describe what happens?

If you get a chance to install an alternative browser - I suggest Firefox
HIGHLY. Install it and go to the LAST page i gave above, click on DOWNLOAD
there in the new browser and describe what happens then as well.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

See my answer to your hjt log posted in the other group.

--


The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com



"~ FreeSpirit ~" wrote in message
...

"Leythos" wrote in message
...
In article , pcbutts1
@seedsv.com says...
So what's next? just forget about her and her problems because people
are
scared of hjt logs. That's GREAT help. this group is AWESOME!
If you were to stop the BS the thread would be a lot smaller and more
help would be available.
====================
After all the help I recieved here and all the problems I've had in the
past few weeks, I believe this Trojan is GONE. I combining all the
information from *all of you* I tried a few things I picked up here and
there.....

First I unchecked System Restore and rebooted. I removed the registry KEY
for this Trojan. I emptied not only the temporary Internet files but the
Temp files once again, plus HISTORY and all the cookies. In HJThis I told
it to delete the line containing the pmkhh.dll. In MSAS I clicked on
delete (the Trojan) - it said it did. Another reboot..... NO TROJAN!!!
Could it be this easy? I rebooted again. No Trojan. Was it hiding in
the Restore Files? In the Temp File?

Now,... despite running about 7 Antispyware programs there still seems to
be spyware somewhere because everytime I try to use I.E. I'm redirected to
another site. This one
hxxp://www.vipfares.com/new/index.php?aid=vm_fm_vipfares&lid and others.

Trying to get the next critical patches from MS still does not work but
the SP2 warning bar does not appear. I get the same MS message:

The website has encountered a problem and cannot display the page you are
trying to view. The options provided below might help you solve the
problem.
For self-help options:
Frequently Asked Questions

Find Solutions
Windows Update Newsgroup

The search Window there rejects everything I type in to try and get help.
It accepts no word or phrase so I gave up on it. Now guys (and ladies)
how do I get my critical updates? Or should I give up and perhaps use
Mazilla or Netscape for a browser. I.E. seems wide open to these
infestations. As we can see, the Anti-Spyware programs out there are not
doing the job of finding these things - there are simply too many in the
wild.

As hard as I've looked I can't find any scum-ware now on this PC that can
be redirecting me to these weird websites unless one of these recommended
anti-spyware programs came with GASP another Trojan! :-O

FS~

"Kerry Brown" *a*m wrote in message
...
"~ FreeSpirit ~" wrote in message
...
After all the help I recieved here and all the problems I've had in the
past few weeks, I believe this Trojan is GONE. I combining all the
information from *all of you* I tried a few things I picked up here and
there.....

First I unchecked System Restore and rebooted. I removed the registry
KEY for this Trojan. I emptied not only the temporary Internet files but
the Temp files once again, plus HISTORY and all the cookies. In HJThis I
told it to delete the line containing the pmkhh.dll. In MSAS I clicked
on delete (the Trojan) - it said it did. Another reboot..... NO
TROJAN!!! Could it be this easy? I rebooted again. No Trojan. Was it
hiding in the Restore Files? In the Temp File?

Now,... despite running about 7 Antispyware programs there still seems to
be spyware somewhere because everytime I try to use I.E. I'm redirected
to another site. This one
hxxp://www.vipfares.com/new/index.php?aid=vm_fm_vipfares&lid and others.


snip

As hard as I've looked I can't find any scum-ware now on this PC that can
be redirecting me to these weird websites unless one of these recommended
anti-spyware programs came with GASP another Trojan! :-O


In MSAS go into Advanced Tools == System Explorers == IE Settings ==
Restore all IE default settings. Exit MSAS, reboot the computer, and see
if the settings have changed back to the web site you mentioned. If they
have then you still have some spyware running.

Kerry
=========================
Thanks Kerry, I did that and an interesting thing happened - Spyware Doctor
started doing strange things and suddenly I.E. was GONE!!!! GONE!!!
?!?!?! SD said some unknown "?" was trying to hijack my browser. I deleted
SD and rebooted. Still no I.E. Evidently SD and MSAS are not going to get
along in some areas. SD sees MSAS as a hijacker when someone does as you
suggested. Then bye bye I.E. I did a system restore that I set last night
when I was sure the Trojan was gone. The system restore worked flawlessly
and all seems to be well now. AND - no more being hi-jacked to strange
websites - so far. And I.E. is so much faster! :-))) Could SD itself
have included a browser hijacker? I don't know....... :-( I do know my
PC is running fine right now.

So right now I have running:

MSAS, CounterSpy, A-Guard and of course ZoneAlarm. I'll continue to run
Spybot and Adaware weekly but have lost faith in them.

I sure want to thank *ALL OF YOU* for your patience and help. :-)

FS~

"~ FreeSpirit ~" wrote in message
Thanks Kerry, I did that and an interesting thing happened - Spyware
Doctor started doing strange things and suddenly I.E. was GONE!!!!
GONE!!! ?!?!?! SD said some unknown "?" was trying to hijack my browser.
I deleted SD and rebooted. Still no I.E. Evidently SD and MSAS are not
going to get along in some areas. SD sees MSAS as a hijacker when someone
does as you suggested. Then bye bye I.E. I did a system restore that I
set last night when I was sure the Trojan was gone. The system restore
worked flawlessly and all seems to be well now. AND - no more being
hi-jacked to strange websites - so far. And I.E. is so much faster!
:-))) Could SD itself have included a browser hijacker? I don't
know....... :-( I do know my PC is running fine right now.

So right now I have running:

MSAS, CounterSpy, A-Guard and of course ZoneAlarm. I'll continue to run
Spybot and Adaware weekly but have lost faith in them.

I sure want to thank *ALL OF YOU* for your patience and help. :-)


That's great glad you finally got things worked out. Personally I would only
have one antispyware program running at a time. I would use the others to
scan once a week or so. My personal preference would be MSAS running and use
the others for scanning only.

Kerry

"Shenan Stanley" wrote in message
...
~ FreeSpirit ~ wrote: BREVITY SNIP
As hard as I've looked I can't find any scum-ware now on this PC that
can be redirecting me to these weird websites unless one of these
recommended anti-spyware programs came with GASP another
Trojan! :-O

FreeSpirit..
=============================================
Rerun HJT - email me the log. An attachment text file is fine. You can
alos cut/paste all the text into the message body if that is easier for
you.
My reply-to email will work.

## I just sent it.

As for everything else - keep it in this thread.

Although using an alternative browser for your everyday browsing is a
great idea (Firefox is a fantastic thing..) - you have to use Internet
Explorer on some sites - so we need to get that fixed. =)

## OK. It may be fixed. See my post above. Although I still can't use
the MS Windows Update Page I do have Auto-Updates turned on. I am not being
hijacked to "strange" websites since using the MSAS browser restore feature
and removing SpywareDoctor (there was a conflict) from my PC.

You could use Automatic Updates for your Windows Updates - but with all
the trouble you have with the system now - manual intervention (after some
training) may be better. (The training - you've received over the last
few weeks! hah)

## YES!!! I'm learning more on these NGs than I have from all the PC mags I
ever read and the XP book I have. ;-)

Let me ask you this.. Can you - in IE - get to:
http://www.microsoft.com/technet/sec.../ms05-aug.mspx

## I got there without a problem and plan to READ everything in sight there
when I'm done here on the NGs.

If so, can you then expand the:
(+) Critical (3)
Section? (Click on the plus sign on the page.)
If so, can you then click on the words in that section:
"Cumulative Security Update for Internet Explorer (896727)"?
That should take you to the following page:
http://www.microsoft.com/technet/sec.../MS05-038.mspx
Does it?

## Yes. No problem......

If so, can you scroll down the new page and find the line that reads:
"Internet Explorer 6 for Microsoft Windows XP Service Pack 2 - Download
the update"
and then click on the words "Download the update" in that line?
This should take you to another web page, particularly this one:

http://www.microsoft.com/downloads/d...displaylang=en
( Shorter Link: http://snipurl.com/h9oi )

Can you then click on the "Download" button and describe what happens?

## I did, I downloaded the patch there - but it can't be installed. I get
this error: Setup Error: "The System Cannot Find The File Specified." -
Installation did not complete.

If you get a chance to install an alternative browser - I suggest Firefox
HIGHLY. Install it and go to the LAST page i gave above, click on
DOWNLOAD there in the new browser and describe what happens then as well.

## Wait a minute.... the last page you gave me is
http://snipurl.com/h9oi - there is no download for Firefox there?!?!?! What
do you mean? You lost me..........

FS~

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html