Tech Support Guy banner
  • Please post in our Community Feedback thread for help with the new forum software! If you are having trouble logging in, please Contact Us for assistance.
Status
Not open for further replies.
1 - 20 of 21 Posts

·
Registered
Joined
·
14 Posts
Discussion Starter · #1 ·
Windows ME, Internet Explorer

An email supposedly from my ISP gave me a virus/spyware/i donno. HiJackThis cannot remove it. My Ad-Aware SE , Spybot S&D, Symantec & Enigma Firewall/Pop-up Blocker can NOT do anything. Seems like it will re-attach itself even HiJackThis removes it. IE webpage pop-up everytime I start my PC.

The registry name is: [External Dependencies]external.exe

Please someone advice me what to do? PLEASE HELP. Thanks in advance!
 

·
Registered
Joined
·
14 Posts
Discussion Starter · #3 ·
Logfile of HijackThis v1.99.1
Scan saved at 6:04:48 PM, on 6/24/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\EXTERNAL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMA POPUP STOP\ENIGMAPOPUPSTOP.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\ENIGMAFIREWALL.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
 

·
Registered
Joined
·
14 Posts
Discussion Starter · #5 ·
Logfile of HijackThis v1.99.1
Scan saved at 6:04:48 PM, on 6/24/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\EXTERNAL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMA POPUP STOP\ENIGMAPOPUPSTOP.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\ENIGMAFIREWALL.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundhawaii.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\Enigma Popup Stop\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Enigma Firewall] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\EnigmaFirewall.exe
O4 - HKLM\..\Run: [XFILTER] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\ESPFSDK.DLL
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [External Dependencies] External.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [External Dependencies] External.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
 

·
Retired Moderator
Joined
·
84,301 Posts
With IE closed, run Hijack This again.
Put a checkmark on these entries and hit "fix checked":

O4 - HKLM\..\Run: [External Dependencies] External.exe

O4 - HKLM\..\RunServices: [External Dependencies] External.exe


Boot into Safe Mode (start tapping the F8 key at Startup, before the Windows logo screen)

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Click Start, Programs and Accessories and open Windows Explorer.
Select a hard drive from the left hand side of the Windows Explorer window.
Select View the Entire contents of this drive.

Find and delete this file: C:\WINDOWS\SYSTEM\EXTERNAL.EXE

Also in safe mode navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

Reboot, post a new log.
 

·
Registered
Joined
·
14 Posts
Discussion Starter · #7 ·
The EXTERNAL DEPENDENCIES still showing below. Also, since I am already trying to remove my problems, if its not asking too much, can you please tell me what other things need to be remove while I am in that eradicating MODE. I don't have much money to donate if I keep on asking help. Sorry.

Logfile of HijackThis v1.99.1
Scan saved at 7:58:12 PM, on 6/24/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMA POPUP STOP\ENIGMAPOPUPSTOP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\ENIGMAFIREWALL.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundhawaii.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\Enigma Popup Stop\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Enigma Firewall] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\EnigmaFirewall.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [XFILTER] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\ESPFSDK.DLL
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [External Dependencies] External.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
 

·
Retired Moderator
Joined
·
84,301 Posts
Let's try it this way.

Go here: http://subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41

Download #17. KillBox

Save it to your desktop.

Run KillBox.exe.

Select the Delete on Reboot option.
In the Full Path of File to Delete field paste this path and click the red circle with the white X in it, when it asks you if you want to delete the file on reboot click Yes, when it asks you to reboot, click No.

C:\WINDOWS\SYSTEM\EXTERNAL.EXE

Close Killbox.

Run Hijack This again and put a check in the following:

O4 - HKLM\..\RunServices: [External Dependencies] External.exe

Close all applications and browser windows before you click "fix checked".

Reboot, post a new log.
 

·
Registered
Joined
·
14 Posts
Discussion Starter · #9 ·
I know I did all you told me to do and I did it twice but the file still there. They are really good giving problem to people. Please keep on helping me.

Logfile of HijackThis v1.99.1
Scan saved at 11:02:00 AM, on 6/25/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMA POPUP STOP\ENIGMAPOPUPSTOP.EXE
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\ENIGMAFIREWALL.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundhawaii.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\Enigma Popup Stop\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Enigma Firewall] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\EnigmaFirewall.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [XFILTER] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\ESPFSDK.DLL
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [External Dependencies] External.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
 

·
Retired Moderator
Joined
·
84,301 Posts
Okay I will take another stab. If this does not work, I will flag a Moderator to assist.

Boot into Safe Mode first.

Run Hijack This again. Put a checkmark next to this entry and hit "fix checked":

O4 - HKLM\..\RunServices: [External Dependencies] External.exe

Reboot.

If you still see the entry there, I have located a removal tool from Symantec's website.

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

Read the instructions first.
Then download and run the tool.

Let me know the outcome.
 

·
Registered
Joined
·
14 Posts
Discussion Starter · #11 ·
Is there any much easire way? What can you advice for me to do with my files so I can allow someone like you to take over my PC. I mean do I have to delete first my "name files" password? I don't even comprehend clearly what I just typed.
 

·
Registered
Joined
·
14 Posts
Discussion Starter · #14 ·
I GOT LUCKY! I ALSO ASKED HELP FROM OTHER FORUM LIKE YOURS.
EACH OF YOUR ADVICES DID NOT REMOVE MY PROBLEM. THEN, I TRIED TO
COMBINE BOTH OF YOUR ADVICES AND PRESTO! MY LAST HIJACKTHIS FILE
NO LONGER SHOW "[EXTERNAL DEPENDENCIES] EXTERNAL.EXE" I divided
my donation to you guys also. Thank you for starting this type
of help, I am learning too.

HERE IS WHAT I DID, HOPEFULLY TO HELP OTHERS WITH THE SAME PROBLEM.
SITUATION: After doing all the advices on both sides, I was able to
remove the file. But after running the HiJackThis, the same problem
appears again and again even I cannot find the files "external.exe"
anymore in the original locations.

I disabled my pop-up and firewall (not to be loaded on start-up).
Here are the advices:

First Disable Ad Watch,it can prevent some of the Fixes!
http://www.lavasofthelp.com/faq/adwatchauto.shtml

Please Download this Removal Tool From Symantec
http://securityresponse.symantec.com/avcenter/FixMytob.exe

Close all the running programs and Double-click the FixMytob.exe
file to start the removal tool.

Click Start to begin the process, and then allow the tool to run.

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Run the removal tool again!

I ALSO RUN THE HIJACKTHIS TOOL AND CHECK/FIXED THE PROBLEM.

Also in safe mode navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete
to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit >
Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.
 

·
Registered
Joined
·
14 Posts
Discussion Starter · #16 ·
Noticed that it is attached to the Ad-Watch at start-up. I disabled the Ad-Watch at start-up and the HiJackThis did not find the problem. Now that I know where is at, what shall I do? Sorry again for the bother.
 

·
Registered
Joined
·
14 Posts
Discussion Starter · #18 ·
I thought I was able to remove the WORM, the log shows it's still here. If I load my Ad-Watch at start-up & run my HiJackThis, I still see the EXTERNAL DEPENDENCIES in the log. BUT if I disable my Ad-Watch at start-up and run the HiJackThis, the EXTERNAL DEPENDENCIES is not in the log. Also, noticed that my email wont receive/send if Ad-Watch is disabled. Below are 2 example log I mentioned:

Logfile of HijackThis v1.99.1
Scan saved at 7:38:59 PM, on 6/28/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMA POPUP STOP\ENIGMAPOPUPSTOP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\ENIGMAFIREWALL.EXE
C:\PROGRAM FILES\CHIKKA\CHIKKA.EXE
C:\PROGRAM FILES\CHIKKA\BNRREPO2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundhawaii.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\Enigma Popup Stop\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Enigma Firewall] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\EnigmaFirewall.exe
O4 - HKLM\..\Run: [XFILTER] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\ESPFSDK.DLL
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll

Logfile of HijackThis v1.99.1
Scan saved at 7:44:42 PM, on 6/28/2005
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMA POPUP STOP\ENIGMAPOPUPSTOP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\ENIGMAFIREWALL.EXE
C:\PROGRAM FILES\CHIKKA\CHIKKA.EXE
C:\PROGRAM FILES\CHIKKA\BNRREPO2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aroundhawaii.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\Enigma Popup Stop\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [Enigma Firewall] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\EnigmaFirewall.exe
O4 - HKLM\..\Run: [XFILTER] C:\PROGRAM FILES\ENIGMA SOFTWARE GROUP\ENIGMAFIREWALL\ESPFSDK.DLL
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [External Dependencies] External.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\espfspi.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
Please disable AdWatch, as it may hinder the removal of some entries.
To disable AdWatch:

right-click the AW icon in the sys tray and select "Unload Ad-Watch" and also untick load adwatch at system start and automatic when you have finished cleaning open adaware and click on the adwatch button and then reverse the settings

then fix the entry and see how it goes
 

·
Registered
Joined
·
14 Posts
Discussion Starter · #20 ·
I stated on my reply above that my problem is attached to my Ad-Watch. Everytime I load it into my system whether at start up or manually loading it, the "External Dependencies/exe" will attach to my registry. To remove it, I will "unload" my Ad-Watch then run my HiJackThis and fix it. As long as I will not open my Ad-Watch, my problem will not appear from my log.

So I am not activating my Ad-Watch now until someone can help me with this problem.

I already donated for this forum when I THOUGHT my problem was fixed.
I don't see/know how your reply can help me.
 
1 - 20 of 21 Posts
Status
Not open for further replies.
Top