boxig Posted June 17, 2004

Hi all,

Sorry for this off-topic post, but you are my last chance to solve my problem. It is very strange and mysterious. It seems I got some "virus" (???) or something similar which deletes "shell.dll" from my "System32" folder. I run Norton and AVG and Ad-Aware but they found nothing (I just keep a copy of the file and put it back when it is gone, and then it vanishes again).

When I open my browser (IE) my Home Page was stolen and I always get: res://ljtio.dll/index.html#96676 (Do not try to visit it or you'll be infected too!!!). Then something happens and my "shell.dll" is deleted, and when I change page I get this one: http://www.lookfor.cc/ DO NOT CLICK!!!

I re-change my home page but it is always replaced by "something" with that page: res://ljtio.dll/index.html#96676

I tried to delete all my "index.dat" but can't (will it help?).

Any tip, any idea, whatever is on your mind... I'm ready to try anything.

Thank you
Granot
LumenLux Posted June 17, 2004

I was wondering why we had not "seen" you lately. I am sorry to be of no help here, but look forward to the answer from someone. This morning I had to delete 179 "uncleanable" infected files. I am running fine at the moment but am leery of consequences when I need to run related programs or data.
boxig Posted June 17, 2004

OK, solved part of the problem (stolen Home Page) but my "shell.dll" is still getting deleted by itself (with a little help from "good people" somewhere out there on the net), and this makes me CRAZY!
Ken Cox Posted June 17, 2004

Granot

XP holds a set of backup files, so if you remove one it is replaced. If you go to http://housecall.antivirus.com/housecall/s.../start_corp.asp and do a free scan, it will tell you what you have to disable in order to remove the culprit -- I can't remember at present but I believe maybe it is the restore point; the culprit is kept in the restore files. Once the scan is complete and the little bugger is removed or ID'd, by you or the scan, then you have to reset the restore point.

You maybe should do a search on the net for "virus in restore point" or words to that effect, but you should run the free scan -- I will also search and get back if I find anything.

ken
Ken Cox Posted June 17, 2004

Granot

see http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

got the url from http://www.google.ca/search?q=virus+in+xp+...le+Search&meta= -- first hit :)

good luck, get it clean asap

ken
boxig Posted June 17, 2004

Ken,

Thanks a lot, I will do all your suggestions. In the meantime I found two files which I suspect, so maybe someone knows if they are dangerous or belong to the system. The files are:

HKLM\..\Run: [msov.exe] C:\WINDOWS\system32\msov.exe
HKLM\..\RunOnce: [apijr.exe] C:\WINDOWS\apijr.exe

All XP users, please check if you have those files and let me know, before I remove them, whether they belong to the system.

I also found a good program named "HijackThis" which found my Home page hijacker, but it comes back all the time even when I remove it.

Granot
alrobin Posted June 17, 2004

> The files are:
> HKLM\..\Run: [msov.exe] C:\WINDOWS\system32\msov.exe
> HKLM\..\RunOnce: [apijr.exe] C:\WINDOWS\apijr.exe

Granot, I don't have either of the two files on my Win XP Pro system. Good luck!
Ken Cox Posted June 17, 2004

if they are backed up in the system restore folder I think it will only replace them

no apijr.exe or WINDOWS\system32\msov.exe on my xp home

ken
Ken Cox Posted June 17, 2004

see http://www.networld.co.jp/msov/ and http://www.networld.co.jp/eng_view.htm

i know Granot is a man of many talents -- he might make something of this

you might also try http://aumha.org/win5/a/noads2.htm -- this site will check if you have a trojan or parasite

ken
boxig Posted June 17, 2004

Ken and Al

Thank you both. I get more confused now. I removed both files but it asked for the missing "apijr.exe" (???) while you, Ken, don't have this file and your system doesn't ask for it.

I tried to make a scan online but it wants to install things on my computer (?) and this is how it all started, when someone installed something on my computer. Is it safe?

Also, my browser has become very very slow, any idea? I also used the XP restore (never knew it existed) but... no change at all. Very strange.

My Home Page is still being hijacked, and my shell.dll is still being deleted.

I will try all other suggestions.

Ken - the url you gave me http://www.networld.co.jp/msov/ is in... Japanese! (or maybe I've become crazy?)

I really have become very "annoyed" and soon they will put me in a "close place". Now it's midnight, so good night to you all and hope for a lucky tomorrow.

Granot
Ken Cox Posted June 17, 2004

> Ken - the url you gave me http://www.networld.co.jp/msov/ is in... Japanese!

well, man of many talents and world traveller, i did a search and found msov so i went there -- thought you might have a babe hid there

trend anti virus d/l's the anti virus patterns then you select which drive/files you want to check -- it is a reputable company

how far back did you go with restore -- if you can remember when the problems started, go a couple days past that date

http://aumha.org/
http://aumha.org/win5/a/noads2.php
his site runs a script to check trojans and parasites; he has helped me in the past.

have you run adaware

sleep tight
ken
dagrace Posted June 17, 2004

> HKLM\..\Run: [msov.exe] C:\WINDOWS\system32\msov.exe

I have neither file either, on XP Home. Hope you find it soon! It's very annoying.
boxig Posted June 18, 2004

Good morning

Back to my problem. And today's topic:

WINDOWS\system32\msov.exe
WINDOWS\apijr.exe

What the hell are these?!

I strongly recommend everyone to use the "HijackThis" utility since my Norton and AVG and Ad-Aware didn't prevent and still can not find my problem, but "HijackThis" did find it and removed it, but still it's coming back, probably due to another vicious file.

I will keep you updated on how it's going.

Thank you all again.
Granot
jeanie Posted June 18, 2004

Hi,

I'm only a newbie but I did have a horrible Trojan Horse, I think you call it, last week, which attached itself to my screen desktop. It suggested I might need to clean my computer of pornography or paedophilia (don't know how to spell it), as it would always be hidden in my computer no matter what I did. If I'd been a man I might have been more frightened at what someone was suggesting. I was pretty cross all the same. A friend helped me and we used Spybot (a free download) and cleared a lot of nasties from my computer. When we'd finished the nasty was still on the screen, so we went to the Display menu. Nothing there to see, only showing my nice screen saver. But when we looked under the Web tab there it still was. This we unchecked and deleted. This did the trick.

These nasties I've never had before until I became interested in AVs and visited these and linked sites. I've visited Minolta and Canon forums but no one has mentioned these kinds of problems before. Since visiting here lots of members have mentioned it. Could it be anything to do with downloading for long periods? Seems strange, don't you think. But what do I know.

I write this just in case someone gets something similar.

jeanie
Alan Lyons Posted June 18, 2004

Hi All,

Just on what Jeanie said about downloading. I use Zone Alert firewall, and if I choose to download a file I have to switch off part of my privacy settings. This allows embedded thingys and whatchamacallits from the host site. So yes, downloading is a problem. I leave the setting on and only turn it off if I wish to download from a trusted site. I get an access denied notice, then I switch the section off, then refresh the page. I switch it on again after the download so the gate is only open for the minimum time.

I think the best way to deal with these nasties is to find the people who unleash them, have them trampled by a Trojan Horse, then locked in a "close place" full of nasty viruses. I use Pest Patrol to scan my drives for these intrusions.

Oh! While I'm here Jeanie, a committee will meet over pints in Dublin to discuss your music for your stop-for-a-brew show. It's a nasty job but someone has to do it. Full report next week.

Alan
Conflow Posted June 18, 2004

Hi Granot - This is going to be a little long - apologies.

I may be able to help you with your problem. Firstly I am not a Software Engineer, I am an Applications Engineer - I use PCs to execute diverse Engineering functions: Datalogging, System Controls, Motor Speed Controls, Auto-Presentations, Announcers, etc., etc.

I had a look at your "rogue" DLL (IjTio.dll) and I think you accidentally downloaded what we call a "Cuckoo".

Question? Were you downloading a Show or a set of Jpegs or Images and then afterwards all things went wrong??

A "Cuckoo" can be a Text File or Exe that is 'encryptionated' and embedded within a Jpeg. It is invisible - it works the same way as an embedded "Flash Object" where you click on the Flash Image and an automatic Html starts running - in your case it's a DLL trying to run an Application extension. The title - ijTio.dll/index.html#96676 - is the format that a 'cuckoo' would use - it's probably quite genuine, but because it's missing its Application extension its (auto-generated) Reg Key is still looking for the Application.

Look up www.phsoft.nl for a utility "File Camouflager" and it will show you how these things work.

The problem is that this file is an Exe, and as such will have an .INI and .INF and an entered Registry Key - so deleting the File won't work - you have to delete the REG KEY and the INI and INF and the EXE if there is one remaining. If you don't do this the "stupid system" will try and point to another Application of equal size and format and try to run that - in your case that seems to be happening?

I always use the "Find or Search" under the Start Button and simply type DLL and click run. Now you have to find the associated INI and run, and also type INF and run, and again type EXE and run - finally you have to delete the associated Reg Key through "regedit". Eventually you will find the whole lot one by one; when you do, delete them all, but first make a copy of the Reg Key just in case it's needed for the Shell.Dll, of which there should be 5.2 in Win.System and a further 2 in System32 and also Shellext.

In relation to your Shell.DLL vanishing, it really isn't, because the real Shell.DLL is kept in the CAB Directory (bombproof); it's simply that this 'auto-exe' needs a 'Shell Copy' to point to and then operate the 'Internet Finder' - where your problem came from in the 1st place. This "orphan file" is simply looking for its Application which you have removed, tut, tut!

For this 'tricky work' I use a little freebie called "Smart Uninstaller" from webattack.com.

You are a Software Man - you can see where I am coming from - hope this helps?

Brian Kelly.
Conflow
boxig Posted June 18, 2004

jeanie

Spybot was good (thank you), it found another 31 malicious files on my PC, but unfortunately didn't solve my problem.

Brian

IjTio.dll - Yes, I am downloading images, movies etc. but can't remember when the problem started. I deleted the IjTio.dll but not the problem. I removed from my registry all entries which include part of ijTio.dll/index.html#96676 but all entries come back, which means there is a file which puts it there. This happens when I open IE. It may or may not have a connection to my disappearing "shell.dll" from system32: every time I put it back and use a program which needs this file, when I close the program the shell.dll disappears.

I did not remove any ini or inf files but I will look now and try to find them.

All your suggestions are very helpful and I hope I can do it successfully. If I have any question I will ask you. Thank you very much and now I'll go to look for the utilities you recommended and try to solve my problem.

Many Thanks
Granot
Conflow Posted June 18, 2004

Hi Granot (Return Call)

Excellent, we are on the right track - it pops up when you open IE. This means it can only be in 5 places, and because the INI & INF are still there a new Reg Key will be re-installed every time IE opens - until you delete these two.

Proceed to find Files as follows:
1) From an INI File (Just open C:\Windows, all the INI's are in front of you - find and delete)
2) From an INF File (Just open C:\Windows\INF Folder - find the INF and delete it)
3) From C:\Windows Temp Folder (Open the Folder and delete contents - NOT THE FOLDER)
4) From IE Cache (Open C:\Windows\Temporary Internet Folder - ONLY DELETE CONTENTS)

A copy could be left in Rundll, Rundll32 - I doubt it, but check anyway; at C:\Windows you will see both files with large Icons.

Finally search for and delete the re-entered Reg Key - it may not be there - but check.

You must Close All and Re-Start the Computer immediately for these changes to reset the Registry.

Urgently you need 'CM-Diskcleaner' available from www.webattack.com or from their Website www.cmdiskcleaner.com. I have the Beta version and IT'S IN USE EVERY DAY. Also they are looking for an "Associate Agent" which would suit you.

This cleans out IE Cache, Win Temp, System Temp, All Cookies, All URLs in IE, all other URLs in Shell Address (your problem), Resets Registry, and a whole range of System Items.

We have not had 1 Spam nor Spy Infection nor Virus in 6 years - let me know how you get on?

Brian Kelly.
Conflow.
Ken Cox Posted June 18, 2004

Granot

the originator of the parasite and trojan detector has his page going again

see http://doxdesk.com/parasite/

and you can use the script on your site:

"Using this script on your own site: If you're a webmaster, and you don't want extra advertising invading your site and companies spying on what your users do there, you're welcome to use the script on your own pages."

ken
agrob Posted June 19, 2004

Granot - this web site talks of the exact problem you are having and a workaround for now: http://www.spywareinfo.com/~merijn/

Other things to consider are a patch for Internet Explorer to stop spoofing - giving you a false URL - and misdirecting you. Here is more information regarding that and the patch: http://www.computerproblems.com/questions/...on.cfm?id=10767

The patch is found here: http://security.openwares.org/

Another site that I have found useful is http://www.cexx.org/adware.htm - they keep a running repository of problems and how to fix them.

Hope that helps - and I hope the workaround on that first page is helpful.

P.S. and thanks again for creating that utility for me
boxig Posted June 19, 2004

Guys, you are all great and I'm very happy I was attacked by this file, because I see there are also good people who are trying to help, contrary to those who are looking only to do wrong. So, in a way, I was lucky, because I was not sure if there are still some good people in our world. This is really heart warming. Thank you all.

I can't keep up with you guys but I'm following all suggestions in all replies and taking each very seriously.

Brian,
I have 40 ini files, moved them all to a new folder on my desktop.
I have 700 inf files in the inf folder. I can't find the specific file. Can I delete them all? Please tell me what to do.

Ken
I have no problem with my site but on my PC. But it is a good idea to protect it too. I'll check this link. Thanks.

Alan
Thanks for the help, I will check also all your links and let you know the results. Thank you very much.

I found a forum where this specific problem is discussed but I'm getting lost there. See here..

Granot

After a few hours:
I probably managed to eliminate ljtio.dll but.. surprise: ljtio.dll has come back with a fiend called hzapn.dll and now my browser is hijacked using this: res://hzapn.dll/index.html#96676

From reading what people wrote in other forums about this problem, the name of the DLL can be changed to whatever. For now I just opened the DLL with Notepad and cleared the text (???).

Granot

The hours pass and now my enemy is changing the DLL it uses each time: res://orlha.dll/index.html#96676

Pop-up windows start to run over my screen and even "Google ToolBar" can't stop them. But I still have hope... or should I jump from a high building?

BTW, all pop-up windows offer programs to solve my problem and prevent it from happening again. Very clever, infect you and then sell you the medicine.

Granot

HUMMMM... night already and my enemy has become smarter. I tried to kill it and now it not only changes the DLL name but... http://search-to-find.com/sec.php?qq=&pin=96676 DO NOT CLICK!!!

Granot
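The posters above are doing two checks by hand: comparing the Run/RunOnce entries from the 17 June post against what a clean XP machine has, and watching the res:// start page change its DLL name (ljtio, hzapn, orlha) while the trailing #96676 stays the same. The script below, an added example that is not code from this thread or from HijackThis, automates both over HijackThis-style R0/R1/O4 lines. The sample log and the "clean" baseline are constructed (modelled on the entries quoted in the thread), and the heuristics it applies are this example's assumptions: a res:// start page always points inside a local DLL rather than at a web site, and the 96676 number is treated as a stable marker that ties the renamed copies together.

```python
"""Triage of HijackThis-style lines for the res:// start-page hijack and
the unknown autorun entries discussed in this thread.

Added example, not code from the thread or from HijackThis. SAMPLE_LOG and
CLEAN_BASELINE are constructed; the heuristics are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample, modelled on the entries quoted in the thread. Not a
# real capture. HijackThis reports IE start/search pages as R0/R1 lines and
# Run/RunOnce keys as O4 lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ljtio.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-to-find.com/sec.php?qq=&pin=96676
O4 - HKLM\..\Run: [msov.exe] C:\WINDOWS\system32\msov.exe
O4 - HKLM\..\RunOnce: [apijr.exe] C:\WINDOWS\apijr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip()

# Constructed baseline: the O4 entries a known-clean XP box reports. This is
# the check alrobin, Ken and dagrace did by hand ("I don't have either file");
# anything absent from the baseline deserves a second look. Assumption.
CLEAN_BASELINE: Set[Tuple[str, str, str]] = {
    ("HKCU\\..\\Run", "ctfmon.exe", r"c:\windows\system32\ctfmon.exe"),
}

AUTORUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+\\\.\.\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
IE_PAGE_RE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>[^=]+) = (?P<url>.+)$")
RES_URL_RE = re.compile(r"^res://(?P<dll>[^/]+)/[^#]*(?:#(?P<tag>\S+))?$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str                  # "res-startpage", "marker-url" or "unknown-autorun"
    detail: str
    line: str
    dll: Optional[str] = None  # DLL named in a res:// URL, if any


def exe_path(cmd: str) -> str:
    """First token of a Run command (quoted or not), lower-cased for comparison."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd.strip('"')).lower()
    return cmd.split()[0].lower()


def triage(log_text: str, baseline: Set[Tuple[str, str, str]],
           marker: str = "96676") -> List[Finding]:
    """Flag res:// IE pages, URLs carrying the hijacker's marker, and O4
    entries that the baseline machine does not have."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = AUTORUN_RE.match(line)
        if m:
            key = (m["hive"], m["name"], exe_path(m["cmd"]))
            if key not in baseline:
                findings.append(Finding(
                    "unknown-autorun", f"{m['hive']} [{m['name']}] -> {m['cmd']}", line))
            continue
        m = IE_PAGE_RE.match(line)
        if not m:
            continue
        url = m["url"].strip()
        r = RES_URL_RE.match(url)
        if r:
            # res:// loads a resource out of a local DLL. No real home page
            # lives there, so the DLL it names is the hijacker, not shell.dll.
            findings.append(Finding(
                "res-startpage", f"{m['value'].strip()} served from local DLL {r['dll']}",
                line, dll=r["dll"].lower()))
        elif marker in url:
            # The same number appears in every variant quoted in the thread;
            # treating it as a stable ID is an assumption of this example.
            findings.append(Finding(
                "marker-url", f"{m['value'].strip()} carries marker {marker}: {url}", line))
    return findings


def hijacker_dlls(findings: List[Finding]) -> List[str]:
    """DLL names behind res:// pages: the files to hunt for in system32,
    whatever they are called this time."""
    return sorted({f.dll for f in findings if f.dll})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG, CLEAN_BASELINE)
    for f in results:
        print(f"[{f.kind}] {f.detail}")
    print("hijacker DLLs:", hijacker_dlls(results))
```

Run against the sample it reports the res:// start page (naming ljtio.dll), the search-to-find.com URL via the 96676 marker, and both msov.exe and apijr.exe as autoruns the baseline machine lacks, while ctfmon.exe is silent. Feeding it a fresh log each time the browser is re-hijacked shows the new DLL name without reading the whole log by eye; the baseline should come from a machine you trust, not from the infected one.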
boxig Posted June 20, 2004

Found this great tool which scans and removes malicious files from your PC. It found 14 files on my PC which Norton didn't find. I recommend it to all: http://www.pandasoftware.com/activescan/com/

It seems as if it solved my problem but it's too early to tell. For the last hour I have had no more pop-ups and my browser is not hijacked (didn't check about the shell.dll yet).

Brian, please continue guiding me as for the inf files.

And, does anyone know what this is: C:\WINDOWS\System32\DRIVERS\ndisuio.sys - "Internal Windows driver; performs internal communications tasks within Windows". But I mean, what does it download to our PC and from where? What is it good for? Do we need it? Is it an enemy?

Thanks
Granot
Guest Techman1 Posted June 20, 2004

Granot,

The ndisuio.sys file appears to be part of Windows XP. It is from Microsoft and is their NDIS User Mode IO Driver. If my memory serves me, NDIS is typically associated with TCP/IP networking.

I don't know if your file has been modified. Mine is 12k in size and was created Aug 18, 2001 - in case that helps you at all.

Good luck and I hope you get this sorted out. BTW, I haven't forgotten about retesting the AutoWindowMenu and will hopefully do so in the next day or so.

Best regards,
Fred
boxig Posted June 20, 2004

Fred,

Thanks. Mine is 23 August 2001, 12 kb (12,160 bytes). I ask because I installed Saygate Firewall and I blocked it. Everything works fine but every few seconds this file is trying to upload or make contact.

I have good news: After three days, I solved all problems (I hope). Even the shell.dll doesn't disappear any more. As I said above, Panda online scan found those bad files and removed them.

BTW: I need an opinion on my "Shopping List Maker" - you, or anyone who wants to check it, I'll be glad to send it.

Thank you all for your help.
Granot
Conflow Posted June 21, 2004

Hi Granot,

I have just read your recent Post of the 20th June and I hope everything is O.K.

DO NOT TOUCH the "INF's" as I said, they are a Program's Data & System Set-up Files.

Also I am getting suspicious about that "rogue dll" - I now think it is malicious!! If this was a "Genuine dll" it would not be changing its Name every time you logged on. You did not tell me this before - perhaps you only found out?

If these are the facts then it's coming from a malicious "cookie" on your PC which is trying to log on each time you attempt to go on line.

Check that you are not "infected" with the following:
FX BEagle (It's a "script" destroyer)
Novarg 32 (This attacks the Webcheck DLL)
Swen 32 (This creates "Alias Addresses")

Brian Kelly.
Conflow.
conflow@iol.ie