WnSoft Forums

Need your help


boxig


Hi all,

Sorry for this off-topic post, but you are my last chance to solve my problem. It is very strange and mysterious. It seems I got some "virus" (???) or something similar which deletes "shell.dll" from my "System32" folder. I ran Norton and AVG and Ad-Aware but they found nothing :( (I just keep a copy of the file and put it back when it is gone, and then it vanishes again).

When I open my browser (IE) my Home Page was stolen and I always get:

res://ljtio.dll/index.html#96676 (Do not try to visit it or you'll be infected too !!!). Then something happens and my "shell.dll" is deleted, and when I change page I get this one: http://www.lookfor.cc/ DO NOt CLICK !!!

I change my home page back but it is always replaced by "something" with that page: res://ljtio.dll/index.html#96676

I tried to delete all my "index.dat" but can't (will it help ?).

Any tip, any idea, whatever on your mind.... I'm ready to try anything.

Thank you

Granot

Link to comment
Share on other sites

I was wondering why we had not "seen" you lately. :( I am sorry to be of no help here, but look forward to the answer from someone.

This morning I had to delete 179 "uncleanable" infected files. I am running fine at the moment but am leery of consequences when I need to run related programs or data.

Link to comment
Share on other sites

Granot

xp holds a set of backup files, so if you remove one it is replaced

if you go to

http://housecall.antivirus.com/housecall/s.../start_corp.asp

and do a free scan, it will tell you what you have to disable in order to remove the culprit -- i can't remember at present but i believe maybe it is the restore point

the culprit is kept in the restore files.

once the scan is complete and the little bugger is removed or id'd, by you or the scan then you have to reset the restore point.

you maybe should do a search on net for virus in restore point or words to that effect

but you should run the free scan -- i will also search and get back if i find anything

ken

Link to comment
Share on other sites

Ken,

Thanks a lot, I will do all your suggestions. In the meantime I found two files which I suspect, so maybe someone knows if they are dangerous or belong to the system. The files are:

HKLM\..\Run: [msov.exe] C:\WINDOWS\system32\msov.exe

HKLM\..\RunOnce: [apijr.exe] C:\WINDOWS\apijr.exe

All XP users, please check if you have those files and let me know before I remove them if they belong to system.

I also found a good program named "hijackthis" which found my Home page hijacker, but it comes back all the time even when I remove it.

Granot

Link to comment
Share on other sites

The files are:

HKLM\..\Run: [msov.exe] C:\WINDOWS\system32\msov.exe

HKLM\..\RunOnce: [apijr.exe] C:\WINDOWS\apijr.exe

Granot,

I don't have either of the two files on my Win XP Pro system. Good luck!

Link to comment
Share on other sites

Ken and AL

Thank you both. I get more confused now. I removed both files but it asked for the missing "apijr.exe" (???) while you, Ken, don't have this file and your system doesn't ask for it.

I tried to make a scan online but it wants to install things on my computer (?) and this is how it all started, when someone installed something on my computer. Is it safe ?

Also, my browser became very very slow, any idea ?

I also used the XP restore (never knew it existed) but... no change at all.

Very strange.

My Home Page is still being Hijacked, and my shell.dll still being deleted.

I will try all other suggestions.

Ken - the url you gave me http://www.networld.co.jp/msov/ is in... Japanese !

(or maybe I become crazy ?)

I really become very "annoyed" and soon they will put me in a "close place".

:P:P:P:P:P:P:P:P:P:P:P:P:P:P

Now its Midnight, so good night to you all and hope for a lucky tomorrow.

Granot

Link to comment
Share on other sites

Ken - the url you gave me http://www.networld.co.jp/msov/ is in... Japanese !

well man of many talents and world traveller, i did a search and found msov so i went there -- thought you might have a babe hid there :)

trend anti virus d/l's the anti virus patterns then you select which drive/files you want to check -- it is a reputable company

how far back did you go with restore -- if you can remember when problems started - go a couple days past that date

http://aumha.org/

http://aumha.org/win5/a/noads2.php

his site runs a script to check trojans and parasites

he has helped me in the past.

have you run adaware

sleep tight

ken

Link to comment
Share on other sites

Good morning :unsure:

Back to my problem. And today's topic:

WINDOWS\system32\msov.exe

WINDOWS\apijr.exe

What the hell are these ? ! :o

I strongly recommend everyone use the "HijackThis" utility, since my Norton and AVG and Ad-Aware didn't prevent and still cannot find my problem, but "HijackThis" did find it and removed it, but still it's coming back, probably due to another vicious file.

I will keep you updated on how it's going.

Thank you all again.

Granot

Link to comment
Share on other sites

Hi,

I'm only a newbie but I did have a horrible Trojan Horse, I think you call it, last week, which attached itself to my screen desktop. It suggested I might need to clean my computer of pornographic or paedophilia (don't know how to spell it), as it would always be hidden in my computer no matter what I did. If I'd been a man I might have been more frightened at what someone was suggesting. I was pretty cross all the same. A friend helped me and we used Spybot (a free download) and cleared a lot of nasties from my computer. When we'd finished the nasty was still on the screen, so we went to the Display Menu. Nothing there to see, only showing my nice screen saver. But when we looked under the web tab there it still was. This we unchecked and deleted. This did the trick.

These nasties I've never had before, until I became interested in AVs and visited these and linked sites. I've visited Minolta and Canon forums but no one has mentioned these kinds of problems before. Since visiting here lots of members have mentioned it. Could it be anything to do with downloading for long periods? Seems strange, don't you think? But what do I know.

I write this just in case someone gets similar.

jeanie

Link to comment
Share on other sites

Hi All,

Just on what Jeanie said about downloading. I use Zone Alert firewall, and if I choose to download a file I have to switch off part of my privacy settings. This allows embedded thingys and whatyamaycallets from the host site. So yes, downloading is a problem. I leave the setting on and only turn it off if I wish to download from a trusted site. I get an access denied notice, then I switch the section off, then refresh the page. I switch it on after the download so the gate is only open for the minimum time.

I think the best way to deal with these nasties is to find the people who unleash them, have them trampled by a Trojan Horse then locked in a "close place" full of nasty viruses. :D

I use Pest Patrol to scan my drives for these intrusions.

Oh! While I'm here Jeanie, a committee will meet over pints in Dublin to discuss your music for your stop for a brew show. It's a nasty job but someone has to do it :lol: Full report next week

Alan

Link to comment
Share on other sites

Hi Granot - This is going to be a little long - Apologies.

I may be able to help you with your problem. Firstly I am not a Software Engineer, I am an Applications Engineer - I use PC's to execute diverse Engineering functions, Datalogging, System Controls, Motor Speed Controls, Auto-Presentations, Announcers, etc; etc -

I had a look at your "rogue" DLL (IjTio.dll) and I think you accidentally downloaded what we call a "Cuckoo"

Question? Were you downloading a Show or a set of Jpegs or Images and then afterwards all things went wrong ??

A "Cuckoo" can be a Text File or Exe that is 'encryptionated' and embedded within a Jpeg. It is invisible - it works the same way as an embedded "Flash Object" where you click on the Flash Image and an automatic Html starts running - in your case it's a DLL trying to run an Application extension. The title - ijTio.dll/index.html#96676 - is the format that a 'cuckoo' would use - it's probably quite genuine, but because it's missing its Application extension its (auto-generated) Reg Key is still looking for the Application.

Look up www.phsoft.nl for a utility "File Camouflager" and it will show you how these things work.

The problem is that this file is an Exe. and as such will have an .INI and .INF and an entered Registry Key - so deleting the File won't work - you have to delete the REG KEY and the INI and INF and the EXE if there is one remaining

If you don't do this the "stupid system" will try and point to another Application of equal size and format and try to run that - in your case that seems to be happening ?

I always use the "Find or Search" under the Start Button and simply type:- DLL and click run. Now you have to find the associated INI and run and also type INF and run, and again type EXE and run - Finally you have to delete the associated Reg.Key through "regedit"

Eventually you will find the whole lot one by one, when you do delete them all but first make a copy of the Reg Key just in case it's needed for the Shell.Dll of which there should be 5. 2 in Win.System and a further 2 in System32 and also Shellext.

In relation to your Shell.DLL vanishing it really isn't because the real Shell.DLL is kept in the CAB.Directory (Bombproof) it's simply that this 'auto-exe' needs a 'Shell Copy' to point to and then operate the 'Internet Finder' - where your problem came from in the 1st place.

This "orphan file" is simply looking for its Application which you have removed, tut,tut !

For this 'tricky work' I use a little freebie called "Smart Uninstaller" from webattack.com.

You are a Software Man - you can see where I am coming from - Hope this helps ?

Brian Kelly.Conflow

Link to comment
Share on other sites

jeanie

Spybot was good (thank you), it found another 31 malicious files on my PC, but unfortunately didn't solve my problem.

Brian

IjTio.dll - Yes, I am downloading images, movies etc. but can't remember when the problem started. I deleted the IjTio.dll but not the problem. I removed from my registry all entries which include part of ijTio.dll/index.html#96676 but all entries come back, which means there is a file which puts it there. This happens when I open IE. It may or may not have a connection to my "shell.dll" disappearing from system32: every time I put it back and use a program which needs this file, when I close the program the shell.dll disappears.

I did not remove any ini or inf files but I will look now and try to find them.

All your suggestions are very helpful and I hope I can do it successfully. If I have any question I will ask you. Thank you very much and now I'll go to look for the utilities you recommended and try to solve my problem.

Many Thanks

Granot

Link to comment
Share on other sites

Hi Granot (Return Call)

Excellent, we are on the right track - it pops up when you open IE. This means it can only be in 5 places and because the INI & INF are still there a new Reg Key will be re-installed every time IE. opens - until you delete these two.

Proceed to find Files as follows:-

1) From an INI File (Just open C:\Windows, all the INI's are in front of you - find and delete)

2) From an INF File (Just open C:\Windows\INF Folder - Find the INF and delete it.)

3) From C:\Windows Temp Folder (Open the Folder and delete contents - NOT THE FOLDER)

4) From IE. Cache (Open C:\Windows\ Temporary Internet Folder - ONLY DELETE CONTENTS.)

A copy could be left in Rundll, Rundll32 - I doubt it, but check anyway at C:\Windows, you will see both files with large Icons.

Finally search for and delete the re-entered Reg Key - it may not be there - but check.

You must Close All and Re-Start the Computer immediately for these changes to reset Registry.

Urgently you need 'CM-Diskcleaner' available from www.webattack.com or from their Website www.cmdiskcleaner.com

I have the Beta version and ITS IN USE EVERYDAY.

Also they are looking for an "Associate Agent" which would suit you.

This cleans out IE.Cache. Win Temp. System Temp. All Cookies. All URL's in IE. all other URL's in Shell Address (your problem). Resets-Registry. and a whole range of System Items.

We have not had 1 Spam nor Spy Infection nor Virus in 6 years -

Let me know how you get on ?

Brian Kelly.Conflow.

Link to comment
Share on other sites

Granot

the originator of the parasite and trojan detector has his page going again

see

http://doxdesk.com/parasite/

and you can use the script on your site

Using this script on your own site

If you’re a webmaster, and you don’t want extra advertising invading your site and companies spying on what your users do there, you’re welcome to use the script on your own pages.

ken

Link to comment
Share on other sites

Granot - this web site talks of the exact problem you are having and a workaround for now

http://www.spywareinfo.com/~merijn/

Other things to consider are a patch for Internet Explorer to stop spoofing - giving you a false URL - and misdirecting you - here is more information regarding that and the patch

http://www.computerproblems.com/questions/...on.cfm?id=10767

the patch is found here

http://security.openwares.org/

Another site that I have found useful is:

http://www.cexx.org/adware.htm

they keep a running repository of problems and how to fix them.

Hope that helps - and I hope the workaround on that first page is helpful.

P.S. and thanks again for creating that utility for me

Link to comment
Share on other sites

Guys, you are all great and I'm very happy I was attacked by this file, because I see there are also good people who are trying to help, contrary to those who are looking only to make wrong. So, in a way, I was lucky, because I was not sure if there are still some good people in our world. This is really heart warming. Thank you all.

I can't keep up with you guys but I'm following all suggestions in all replies and taking each very seriously.

Brian,

I have 40 ini files, moved them all to a new folder on my desktop.

I have 700 inf files in inf folder. I can't find the specific file. Can I delete them all ? Please tell me what to do.

Ken

I have no problem with my site but on my PC. But it is good idea to protect it too. I'll check this link. Thanks.

Alan

Thanks for the help, I will also check all your links and let you know the results. Thank you very much.

I found a forum where this specific problem is discussed but I'm getting lost there See here..

Granot

After few hours:

I probably managed to eliminate ljtio.dll but.. surprise:

ljtio.dll has come back with a fiend called hzapn.dll and now my browser is hijacked using this:

res://hzapn.dll/index.html#96676

From reading what people wrote in other forums about this problem, name of DLL can be changed to whatever. For now I just opened the DLL with Notepad and cleared the text (???).

Granot

The hours pass and now my enemy is changing the DLL it uses each time:

res://orlha.dll/index.html#96676

Pop-up windows start to run over my screen and even "Google ToolBar" can stop them. But I still have hope... or should i jump from high building ?

BTW, all pop-up windows offer programs to solve my problem and prevent it from happening again. Very clever, infect you and then sell you the medicine.

Granot

HUMMMM... night already and my enemy became smarter. I tried to kill it and now it not only changes the DLL name but...

http://search-to-find.com/sec.php?qq=&pin=96676 DO NOt CLICK !!!

Granot

Link to comment
Share on other sites
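Added example, not part of any post in this thread: a small Python triage helper for the two manual checks made above. It compares autorun lines in the form Granot posted against a list taken from a known-clean machine, and it groups `res://` home-page values by page and fragment so the same hijack is recognised when only the DLL name rotates. The function names, the `ExampleTray` entry and the baseline list are assumptions; the sample input is constructed from values quoted in the thread.

```python
import re
from collections import defaultdict

# Autorun line in the form posted in the thread:
#   HKLM\..\Run: [msov.exe] C:\WINDOWS\system32\msov.exe
AUTORUN_RE = re.compile(r'^(HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$')
# Internet Explorer resource URL: res://<module>/<resource>#<fragment>
RES_RE = re.compile(r'^res://([^/]+)/([^#]*)(?:#(.*))?$', re.IGNORECASE)


def parse_autorun(line):
    """Return (hive, key, name, path), or None for any other kind of line."""
    m = AUTORUN_RE.match(line.strip())
    return m.groups() if m else None


def unknown_autoruns(lines, baseline_paths):
    """Autorun entries whose target path is absent from a known-clean list."""
    known = {p.lower() for p in baseline_paths}
    entries = (parse_autorun(line) for line in lines)
    return [e for e in entries if e and e[3].lower() not in known]


def rotating_res_pages(urls):
    """Map (resource, fragment) -> modules, kept only when several modules
    serve the same page, i.e. the DLL name rotates but the page does not."""
    groups = defaultdict(set)
    for url in urls:
        m = RES_RE.match(url.strip())
        if m:
            module, resource, fragment = m.groups()
            groups[(resource.lower(), fragment or "")].add(module.lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


# Constructed sample input, built from values quoted in the thread.
SAMPLE_AUTORUNS = [
    r"HKLM\..\Run: [msov.exe] C:\WINDOWS\system32\msov.exe",
    r"HKLM\..\RunOnce: [apijr.exe] C:\WINDOWS\apijr.exe",
    r"HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe",  # hypothetical
]
BASELINE = [r"C:\Program Files\Example\tray.exe"]  # hypothetical clean-machine list
SAMPLE_HOME_PAGES = [
    "res://ljtio.dll/index.html#96676",
    "res://hzapn.dll/index.html#96676",
    "res://orlha.dll/index.html#96676",
    "about:blank",
]

if __name__ == "__main__":
    for hive, key, name, path in unknown_autoruns(SAMPLE_AUTORUNS, BASELINE):
        print(f"not in baseline: {hive} {key} [{name}] {path}")
    for (res, frag), mods in rotating_res_pages(SAMPLE_HOME_PAGES).items():
        print(f"{res}#{frag} registered under {len(mods)} DLL names: {mods}")
```

An entry missing from the baseline is a lead for review, not a verdict; the baseline is only as good as the machine it was taken from.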

Found this great tool which scans and removes malicious files from your PC. It found 14 files on my PC which Norton didn't find. I recommend it to all:

http://www.pandasoftware.com/activescan/com/

It seems as if it solved my problem but it's too early to tell.

For the last hour I have had no more pop-ups and my browser is not hijacked.

(didn't check about the shell.dll yet).

Brian, please continue on guiding me as for the inf files.

And, does anyone know what is this:

C:\WINDOWS\System32\DRIVERS\ndisuio.sys

"Internal Windows driver; performs internal

communications tasks within Windows".

But I mean, what it downloads to our PC and from where ?

What is good for ? Do we need it ? Is it enemy ?

Thanks

Granot

Link to comment
Share on other sites

Guest Techman1

Granot,

The ndisuio.sys file appears to be part of Windows XP. It is from Microsoft and is their NDIS User Mode IO Driver. If my memory serves me, NDIS is typically associated with TCP/IP networking.

I don't know if your file has been modified. Mine is 12k in size and was created Aug 18, 2001 - in case that helps you at all.

Good luck and I hope you get this sorted out. BTW, I haven't forgotten about retesting the AutoWindowMenu and will hopefully in the next day or so.

Best regards,

Fred

Link to comment
Share on other sites

Fred,

Thanks. Mine is 23 August 2001 12 kb (12,160 bytes). I ask because I installed Saygate Firewall and I blocked it. Everything works fine but every few seconds this file is trying to upload or make contact.

I have good news: After three days, I solved all problems (I hope). Even the shell.dll doesn't disappear any more. As I said above, Panda online scan found those bad files and removed them.

BTW: I need opinion for my "Shopping List Maker" you, or anyone who want to check I'll be glad to send it.

Thank you all for your help.

Granot

Link to comment
Share on other sites

Hi Granot,

I have just read your recent Post of the 20th June and I hope everything is O.K.

DO NOT TOUCH the "INF's" as I said, they are a Programs Data & System Set-up Files.

Also I am getting suspicious about that "rogue dll" - I now think it is malicious !!

If this was a "Genuine dll" it would not be changing its Name every time you logged on.

You did not tell me this before - perhaps you only found out ?

If these are the facts then it's coming from a malicious "cookie" on your PC, which is trying to log on each time you attempt to go on line. Check that you are not "infected" with the following:-

FX BEagle (Its a "script" destroyer)

Novarg 32 (This attacks the Webcheck DLL)

Swen 32 (This creates "Alias Addresses)

Brian Kelly.Conflow.

conflow@iol.ie

Link to comment
Share on other sites
