please help with hijackthis log. tried everything.

By exp1orer
Jul 14, 2005
Topic Status:
Not open for further replies.
  1. I have rebooted to safe mode and run the following programs in this order:
    cc cleaner
    spybot s&d
    spyware doctor
    a squared
    ewido security (free trojan scanner)
    Norton Anti-virus 2004 pro

    all have had thier most recent updates.

    then i rebooted to normal mode
    ran hijackthis and put the log through 2 hijackthis automated log analyzers.
    removed a few things.

    now everything is back. no matter what I cant get rid of this thing. help!

    attached is my latest log.

    Attached Files:

  2. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    You should uninstall PCtools SpywareDoctor/Spyware Guard, its a mediocre program at best!

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    comfaxa.exe
    csccatex.exe
    CxtPls.exe
    casclient.exe
    hukjja.exe
    ausanc.exe
    umddra.exe
    camtra.exe

    Next, try to UNinstall anything to do with (not delete yet!):
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Aprps\CxtPls.exe
    C:\Program Files\Cas\Client\casclient.exe

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\WINDOWS\system32\comfaxa.exe
    C:\WINDOWS\system32\csccatex.exe
    C:\Program Files\Aprps\CxtPls.exe
    C:\Program Files\Cas\Client\casclient.exe

    O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hukjja.exe reg_run
    O4 - HKLM\..\Run: [suvlen] c:\windows\system32\ausanc.exe r
    O4 - HKLM\..\Run: [437S35V] csccatex.exe
    O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
    O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
    O4 - HKCU\..\Run: [umddra] C:\WINDOWS\system32\umddra.exe
    O4 - HKCU\..\Run: [camtra] C:\WINDOWS\system32\camtra.exe
    O4 - HKCU\..\Run: [L0o2RRZse] comfaxa.exe
    O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"

    Fix ALL O16 - DPF: entries

    O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
    O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\cgadmin.dll
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.
  3. exp1orer

    exp1orer Newcomer, in training Topic Starter

    one file won't delete

    Thanks for taking time to help me. I did what you asked and everything went according to plan with the exception of the cgadmin.dll file that would not delete. I was in safe mode with all programs stoped that it would allow me too and it still would not let me delete it. I also tried "del c:\windows\system32\cgadmin.dll" from the command prompt and it still would not let me delete. when i rebooted to normal mode i tried again. nothing.

    is this a danger? also, what is the best way to keep this from happening? last question, if you download a file and you want to check it before opening it, what is the best way/program to use or is it impossible? I scan some files this way using norton but it seems useless.

    in your debt.
    exp1orer
  4. exp1orer

    exp1orer Newcomer, in training Topic Starter

    There all back. i had this computer isolated. must still be in therer somewhere.

    i am sorry to say they are all back. I will follow your instructions one more time. (although I'm certian i did it right the first time). could it be that one .dll file that would not delete?

    dont give up on me now.

    exp1orer
  5. exp1orer

    exp1orer Newcomer, in training Topic Starter

    ok got it now. it was the .dll linked to the winlogon.exe

    first I would like to say thanks to realblackstuff for the help. I could not have fixed this without you. the rest of this post is for anyone else that does a search seeking help with a .dll file that won't delete. Mine was tied to an entry that hijackthis picked up but could not delete. the line was a code 20 winlogon.exe .

    I used a tool called KillBox by Explicit Software. this allowed me to kill the association to winlogon.exe and delete the file. then when i ran hijack this i was able to delete the entry and it didn't come back! WOO HOO!!!!

    Just another quick note. the .dll i was trying to delete changed names on me. twice. so if you have a code 20 tied to a winlogon.exe and you cant find anything on the net about that file theres a good chance its randomly generated. If any of this is wrong or counterproductive then it is my hope that realblackstuff will delete it.

    thanks
    exp1orer
    let me know if this helps anybody.
    exp1orer@yahoo.com
  6. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    exp1orer got it right, and thank you for the flowers!
    I would also have advised him to get DrDelete or Killbox.
    Either program will remove an unwilling program-file, be it immediately or at the next boot.

    PS: I don't always have time to check the various threads more than (or even) once a day, after all this is 'charity'-work.
  7. Vigilante

    Vigilante TechSpot Paladin Posts: 2,120

    If you don't have any real time protection against spyware, check out these progs:

    1. The built-in tool in Spybot called Tea Timer. It will pop up and tell you when anything is trying to attach to your system.

    2. Similar to TeaTimer is Microsoft's own Antispyware Beta tool. But only if you're on XP. Use one or the other.

    3. Check out the tools on http://www.javacoolsoftware.com/
    SpywareBlaster will "immunize" your system from thousands of known Internet junk stuff. Similar to Spybot's Immunize function but more complete.

    4. Keep tabs on your startups with Autoruns from Sysinternals. http://www.sysinternals.com/Utilities/Autoruns.html
    It lists far more startup locations then Hijackthis does.

    5. Use Firefox as your browser instead of Internet Explorer. www.mozilla.org

    6. For a second opinion on virus infection, run a virus scan from the web at "housecall.trendmicro.com"

    As a side-note, you want to run these scans and checks from EACH user account in XP, and in Safe Mode. Each user can have it's own spyware. Use Safe Mode with Networking if you need to go online.

    cheers
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.