ntoskml.exe Dr. Watson Post Mortem

by Patsy » June 18th, 2005, 10:53 pm

Wow... the thing is still in my computer. I followed your directions very carefully. Seemed to go so well, but not fixed yet. I'm tempted to redo the process, but will wait for your instruction.
------------------------------------------


Incident Status Location

Adware:Adware/Startpage.JY No disinfected Windows Registry
Patsy
Regular Member
 
Posts: 28
Joined: June 13th, 2005, 9:54 am

by Patsy » June 18th, 2005, 11:43 pm

Let me tell you about this....there's a Bible teacher on the internet that I like to hear, so I download his lessons and listen to them as I get ready for sleep. Last night while I was listening to the downloads, the computer shut down and then started up again....

This morning, I clicked on the real player and tried to listen to yesterday's lesson, and couldn't even hear a single sound. When I checked it out tonight to find the problem, I found all the volume levels had been muted.... Weird!!

Can't understand why folk would want to tear up other folks' computers.

by Perculator » June 19th, 2005, 6:08 am

To solve this, I first need to know whether you formatted your hard disk as FAT or as NTFS.

Go to My Computer.
Right-click on your hard disk icon and somewhere in the screen it will tell you what file system you have.
Perculator
Regular Member
 
Posts: 470
Joined: March 30th, 2005, 4:55 pm
Location: netherlands

by Patsy » June 19th, 2005, 5:34 pm

File system is NTFS.

by Patsy » June 19th, 2005, 6:44 pm

As I was waiting, I decided to go back and check the fat and the ntfs again. My c: drive is ntfs, but my recovery drive d: is fat 32.

by Perculator » June 20th, 2005, 8:00 am

Download Pocket Killbox.
Unzip the files to a folder like c:\killbox\
Don't run the program, we'll do that later.

Download this tool, or use McAfee Stinger, which you downloaded before, but do that in Safe Mode:

    * Restart the computer.
    * As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears (a black and white screen).
    * Use the arrow keys to select the Safe Mode menu item.
    * Press Enter.

Run the Symantec tool or McAfee Stinger.
Wait till the tool has finished.

Run Killbox (double-click Killbox.exe).

Run it, and click the radio button that says "Delete a file on reboot". Paste the following into the "Full path of file to delete" box:
C:\WINDOWS\system32\FLCSS.EXE

Click the red circle with a white cross in it.

The program will ask you if you want to reboot; say YES

Please tell me if you still encounter problems.

by Patsy » June 20th, 2005, 10:56 pm

ALRIGHT!!!! I'm clean. I surely do thank you for your excellent instructions. I found them all extremely easy to follow.

Do I need to set a new restore point?

by Perculator » June 21st, 2005, 8:21 am

Certainly a good idea :lol:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  1. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  2. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  3. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  4. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  5. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  6. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  7. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  8. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.


Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.

by Patsy » July 4th, 2005, 8:57 am

It went bad again.

Logfile of HijackThis v1.99.1
Scan saved at 7:45:07 AM, on 7/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\HIJACK THIS\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.chron.com/content/news/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\lhyj5c9v.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp psc 1000 series.lnk.disabled
O4 - Global Startup: hpoddt01.exe.lnk.disabled
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A22A058E-FA03-4678-AFCE-F2E1C96D65A9}: NameServer = 209.63.0.6 207.173.86.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

by Perculator » July 4th, 2005, 5:05 pm

Could you please give me a new Panda log also?

by Patsy » July 4th, 2005, 6:23 pm

Panda online was clean as a whistle last night, but I will run another right now. Also, ran AVG and Adaware and was clean.

by Patsy » July 5th, 2005, 11:43 pm

Panda online still clean. Everything I run comes out clean.

by Perculator » July 6th, 2005, 7:39 am

Very well then,
Can you describe the problem you encounter?

by Patsy » July 6th, 2005, 1:05 pm

I have a dialup connection, but I had been well pleased with the overall speed and performance of my machine since I bought it about three years ago.

About two months ago, my machine went down and I took it to repair shop. The guy said power surge had zapped it. He reloaded xp, but not much else (I didn't get any discs with my hp machine). As I didn't have a burner, I bought Roxio from Walmart. As soon as I loaded Roxio into my computer, it crashed. I did a system restore. I then downloaded a burner from the internet and another program to convert real audio to mp3 and a p2p program.

After you guys got me cleaned up and running good again, I changed some of my startup programs so my machine would load faster when I turned it on. I did this with Spybot... it has a tab to click that opens a page which lists programs that load on startup.

Right now my machine is so painfully slow that I can go make a pot of coffee and come back and it's still loading. Sometimes, the box says that it timed out.

So that's what happened. This is the Spybot startup list that has little check boxes to enable or disable all these items....
-------------------------------------------

Spybot-S&D Startup list report, 7/6/2005 9:39:01 AM

Located: HK_CU:Run, MSMSGS
file: "C:\Program Files\Messenger\msmsgs.exe" /background

Located: HK_CU:Run, MSMSGS (DISABLED)
file: "C:\Program Files\Messenger\msmsgs.exe" /background

Located: HK_CU:Run, Microsoft Works Update Detection (DISABLED)
file: c:\Program Files\Microsoft Works\WkDetect.exe

Located: HK_LM:Run, S3apphk
file: S3apphk.exe

Located: HK_LM:Run, gcasServ
file: "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

Located: HK_LM:Run, SunJavaUpdateSched
file: C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
MD5: 70DE314A16E5A486A0EF2425014685B2

Located: HK_LM:Run, Recguard
file: C:\WINDOWS\SMINST\RECGUARD.EXE
MD5: D892B4E7DEC77E7087BCAB3E6D673F4C

Located: HK_LM:Run, SCANINICIO
file: "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"

Located: HK_LM:Run, APVXDWIN
file: "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

Located: HK_LM:Run, TkBellExe
file: C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

Located: HK_LM:Run, hpsysdrv (DISABLED)
file: c:\windows\system\hpsysdrv.exe
MD5: 06A1ECB63DF139EC639E084D4AB3C9D7

Located: HK_LM:Run, PS2 (DISABLED)
file: C:\WINDOWS\system32\ps2.exe
MD5: E932857433C9CC5792E04EBFB96B2FFF

Located: HK_LM:Run, NvCplDaemon (DISABLED)
file: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

Located: HK_LM:Run, TkBellExe (DISABLED)
file: C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

Located: HK_LM:Run, PreloadApp (DISABLED)
file: c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

Located: HK_LM:Run, DDCActiveMenu (DISABLED)
file: "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

Located: HK_LM:Run, KBD (DISABLED)
file: C:\HP\KBD\KBD.EXE
MD5: F60D7BA291B9812AE9A77CF95689818E

Located: HK_LM:Run, IgfxTray (DISABLED)
file: C:\WINDOWS\System32\igfxtray.exe
MD5: 2245189E80CC284F0F9833A54B836F9B

Located: HK_LM:Run, HotKeysCmds (DISABLED)
file: C:\WINDOWS\System32\hkcmd.exe
MD5: 827F444CBDB208A5BEFA3B9D753D9293

Located: HK_LM:Run, nwiz (DISABLED)
file: nwiz.exe /install

Located: HK_LM:Run, DDCM (DISABLED)
file: "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background

Located: HK_LM:Run, THGuard (DISABLED)
file: "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

Located: Startup (common), hp psc 1000 series.lnk (DISABLED)
file: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
MD5: 03163BAF3A5DBF8742804093931D7D32

Located: Startup (common), hpoddt01.exe.lnk (DISABLED)
file: C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
MD5: A564A22308A3F55235BA2478EE82992D

Located: Startup (common), SATARaid.lnk
file: C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
MD5: 2F999B116092128CA03B31F68E343A37
Patsy
Regular Member
 
Posts: 28
Joined: June 13th, 2005, 9:54 am
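
The startup report in the post above has a regular layout (a "Located:" line, a "file:" line, an optional "MD5:" line), so it can be reviewed mechanically. This is an added example, not part of the original thread and not Spybot's own code; the sample text is constructed from a few entries of that report, and the two review checks in `triage` are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the Spybot-S&D "Startup list report" layout
# (a few entries modelled on the report posted above).
SAMPLE = r'''Located: HK_CU:Run, MSMSGS
file: "C:\Program Files\Messenger\msmsgs.exe" /background

Located: HK_CU:Run, MSMSGS (DISABLED)
file: "C:\Program Files\Messenger\msmsgs.exe" /background

Located: HK_LM:Run, S3apphk
file: S3apphk.exe

Located: HK_LM:Run, DDCM (DISABLED)
file: "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background

Located: Startup (common), SATARaid.lnk
file: C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
MD5: 2F999B116092128CA03B31F68E343A37
'''

HEADER = re.compile(r'^Located: (?P<loc>.+?), (?P<name>.+?)(?P<off> \(DISABLED\))?$')

def parse_report(text):
    """Return one dict per 'Located:' record: location, name, enabled, file, md5."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"location": m["loc"], "name": m["name"],
                            "enabled": m["off"] is None, "file": "", "md5": None})
        elif entries and line.startswith("file: "):
            entries[-1]["file"] = line[6:]
        elif entries and line.startswith("MD5: "):
            entries[-1]["md5"] = line[5:]
    return entries

def triage(entries):
    """Flag entries worth a second look (illustrative heuristics, not verdicts)."""
    notes, states = defaultdict(list), defaultdict(set)
    for e in entries:
        key = (e["location"], e["name"])
        states[key].add(e["enabled"])
        # No drive letter in the command: Windows resolves it via the search path.
        if e["enabled"] and not re.match(r'^"?[A-Za-z]:\\', e["file"]):
            notes[key].append("enabled, no absolute path")
    for key, seen in states.items():
        if seen == {True, False}:
            notes[key].append("listed both enabled and disabled")
    return dict(notes)
```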

by Perculator » July 8th, 2005, 4:43 am

Go to
Start
Control Panel
Add/Remove Programs

and search in the list for
WildTangent.

Then click the Change/Remove button.

Run the cleanup program which you downloaded earlier again,

and tell me if the problem is still there.