Welcome to MalwareRemoval.com,
Chris, Mike at the Dell forum said you could help

Unread postby Dirtsurfer » January 27th, 2005, 2:30 pm

Here is my problem,
I keep getting a lot of new favorites added to my favorites and a tool-search bar will appear at the bottom of my screen. I can get rid of the tool-search bar only by using alt-F4, but not the favorites, and also when this thing kicks in it starts shooting popups like mad.

I ran the programs that you said and Bitdefender seemed to take care of it, except it all still shows up on my son's pages.

So, here is my log. Thanks for any help you can provide.

Gary

Logfile of HijackThis v1.99.0
Scan saved at 11:22:58 AM, on 1/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\StarBand\Mission Control\TaskBarClient.exe
C:\Program Files\StarBand\Mission Control\HsuGui\HsuGuiControl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Gilat\QMS\QMS.exe
C:\Program Files\Gilat\GSU\GSU.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
C:\PROGRA~1\GILAT\INTERN~1\AS_Agent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\Gilat\NetAgent.exe
C:\PROGRA~1\StarBand\MISSIO~1\evrep.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Gary\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.starband.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://register.starband.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.starband.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskBarClient] C:\Program Files\StarBand\\Mission Control\TaskBarClient.exe
O4 - HKLM\..\Run: [NettGain2000 Verifier] C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe
O4 - HKLM\..\Run: [HsuGuiControl] C:\Program Files\StarBand\\Mission Control\HsuGui\HsuGuiControl.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://register.starband.net
O15 - Trusted Zone: *.adorons.com
O15 - Trusted Zone: *.ebay.com
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspace.com/Java/cfs40300.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: BitDefender Scan Server - Unknown - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Gilat Quality Measurement Service - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\QMS\QMS.exe
O23 - Service: Gilat host software update service - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\GSU\GSU.exe
O23 - Service: Gilat Network Agent Service - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\NetAgent.exe
O23 - Service: Gilat IBQoS Agent - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\IBQoS\ibqossvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RPAService - Unknown - C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: BitDefender Virus Shield - Unknown - C:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: WgwService - Unknown - C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
O23 - Service: BitDefender Communicator - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
Dirtsurfer
Active Member
 
Posts: 5
Joined: January 26th, 2005, 12:59 pm

Unread postby ChrisRLG » January 27th, 2005, 4:25 pm

I can't see anything in that log that should give you problems of that nature.

So we need to look a little deeper.

RootKit Detector: http://www.haxorcitos.com/ficheros/RKDetectorv0.62.zip

Get that rootkit detector run it and post the log it produces for me to see.

Also please some more info :-

Can you also list any site URLs that you get sent to, or which pop up on your screen.

What file do you end task to remove the extra toolbar when you use ctrl-alt-del.

Can you give me a link back to the topic at Dell so I can see what Mike tried.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Link

Unread postby Dirtsurfer » January 27th, 2005, 4:55 pm


Unread postby ChrisRLG » January 27th, 2005, 5:17 pm

Thanks - I will check that - do that rootkit check - and if you can give that other info as well.

Having Trouble with Rootkit detector

Unread postby Dirtsurfer » January 27th, 2005, 5:33 pm

Chris,
When I run it the window shuts down as soon as it's done and I can't get it to you.
Gary

Here are some URLs
Favorite http://srch.lop.com/search/search.cgi?a ... =bookmarks

tool-search http://searchweb2.com/passthrough/newpass2.html

popup http://www.carloanauthority.com/Images/hp-cla-1.gif

Unread postby ChrisRLG » January 27th, 2005, 6:26 pm

Sorry should have told you to run in a DOS prompt window (or command prompt).

create a folder in the c: Drive as c:\rootkit

Find the dos prompt program in your menu

OR

Start, Run, cmd (enter)

then

cd c:\rootkit

Then


rootkit.exe

This will leave the window open for you to copy and paste.
To copy and paste - use 'alt' 'space' to open the menu for the window.
edit - select all - edit - copy

then paste as a reply here.

Unread postby ChrisRLG » January 27th, 2005, 6:52 pm

Sorry that I was a little wrong
================
Sorry should have told you to run in a DOS prompt window (or command prompt).

create a folder in the c: Drive as c:\rootkit
Then move the files from the zip to that folder

Find the dos prompt program in your menu

OR

Start, Run, cmd (enter)

then

cd c:\rootkit

Then


rkdetector.exe

This will leave the window open for you to copy and paste.
To copy and paste - use 'alt' 'space' to open the menu for the window.
edit - select all - edit - copy

then paste as a reply here.

Computing for dummies

Unread postby Dirtsurfer » January 27th, 2005, 7:16 pm

Chris,

I can't seem to get that to work. I have the rootkit file in my doc. but it won't let me name it c:\rootkit. It won't do it in my computer c: either.

Gary

Unread postby ChrisRLG » January 27th, 2005, 7:26 pm

OK

only one line in the log looks out of place

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe

So open HijackThis, check that item, and close all other windows, and click 'fix checked'.

Then reboot

Try and see if that cures your problems - if it does it means you have an infected media player - you will need to delete that file and get a new copy from the windows download site.

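As an added illustration (not code from this thread, from HijackThis, or from the forum), here is a small Python parser that splits HijackThis log lines into entries and applies the kind of triage the helper did by hand: it flags an R1 ShellNext value that names an executable, and lists O15 trusted-zone entries and O23 services with no vendor string for review. The sample lines are constructed in the same format as the posted log, and the three heuristics are this example's own assumptions, not HijackThis rules.

```python
import re

# Constructed sample lines in HijackThis v1.99 log format (same shape as the
# log posted above; not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by StarBand
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.adorons.com
O23 - Service: BitDefender Scan Server - Unknown - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HJT finding starts with a section code (R0-R3, F0-F3, N1-N4, O1-O23).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (code, body) pairs for each finding line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Apply three review heuristics (assumptions of this example, not HJT rules).

    R1 ShellNext: normally empty or a URL; a bare .exe is the item the helper
                  flagged in this thread.
    O15: each trusted-zone entry widens IE's trust, so list every one for review.
    O23: a service whose company field is 'Unknown' carries no vendor string and
         should be matched to a known product before it is left alone.
    """
    notes = []
    for code, body in entries:
        if code == "R1" and "ShellNext" in body:
            value = body.split("=", 1)[1].strip()
            if value.lower().endswith(".exe"):
                notes.append((code, "ShellNext names an executable: " + value))
        elif code == "O15":
            notes.append((code, "trusted zone entry: " + body.split(":", 1)[1].strip()))
        elif code == "O23":
            # body looks like: 'Service: <name> - <company> - <path>'
            parts = [p.strip() for p in body.split(" - ")]
            if len(parts) >= 3 and parts[1] == "Unknown":
                name = parts[0].split(":", 1)[1].strip()
                notes.append((code, "service with no vendor string: " + name))
    return notes


if __name__ == "__main__":
    for code, note in triage(parse_hjt(SAMPLE_LOG)):
        print(code, "-", note)
```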
Unread postby ChrisRLG » January 27th, 2005, 7:28 pm

Also run this program first :-

Next download CWShredder, install and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, please delete it and download the latest version. Reboot when done.

Then post back with a new HJT log please.

Here Goes nothing

Unread postby Dirtsurfer » January 27th, 2005, 7:33 pm

I didn't have a \ after rootkit

. .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .
Rootkit Detector Profesional 2004
Programmed by Andres Tarasco Acuna
Copyright (c) 2004 - 3wdesign Security
Url: http://www.3wdesign.es


-Gathering Service list Information... ( Found: 292 services )
-Gathering process List Information... ( Found: 46 process )
-Searching for Hidden process Handles. ( Found: 0 Hidden Process )
-Checking Visible Process.............
c:\program files\gilat\gsu\gsu.exe
c:\program files\norton antivirus\navapsvc.exe
c:\docume~1\gary\applic~1\16cake~1\wma title media.exe
c:\progra~1\softwin\bitdef~1\bdnagent.exe
c:\windows\explorer.exe
c:\program files\starband\mission control\taskbarclient.exe
c:\program files\starband\mission control\hsugui\hsuguicontrol.exe
c:\program files\common files\symantec shared\ccapp.exe
c:\program files\softwin\bitdefender8\bdswitch.exe
c:\windows\system32\smss.exe
c:\program files\softwin\bitdefender8\vsserv.exe
c:\program files\messenger\msmsgs.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\program files\gilat\netagent.exe
c:\windows\system32\svchost.exe
c:\program files\creative\sblive\diagnostics\diagent.exe
c:\windows\system32\nvsvc32.exe
c:\program files\gilat\internet page accelerator\rpaservice.exe
c:\progra~1\gilat\intern~1\as_agent.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\program files\flash networks\nettgain2000\bst\srvany.exe
IDENTIFIED AS: SRVANY.exe Service Installer
c:\windows\system32\cmd.exe
c:\windows\system32\svchost.exe
c:\windows\system32\mspmspsv.exe
c:\program files\flash networks\nettgain2000\bst\wgwmngr.exe
c:\program files\common files\softwin\bitdefender communicator\xcommsvr.exe
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\spoolsv.exe
c:\program files\common files\symantec shared\security center\symwsc.exe
c:\program files\common files\symantec shared\ccevtmgr.exe
c:\windows\system32\cisvc.exe
c:\windows\system32\ctsvccda.exe
c:\program files\gilat\qms\qms.exe
c:\windows\system32\alg.exe
c:\progra~1\starband\missio~1\evrep.exe
c:\program files\softwin\bitdefender8\bdmcon.exe
c:\program files\outlook express\msimn.exe
c:\program files\common files\softwin\bitdefender scan server\bdss.exe
c:\rootkit\rkdetector.exe
-------------------------------------------------------------------------------
-Searching again for Hidden Services..
-Gathering Service list Information... ( Found: 0 Hidden Services)
-Searching for wrong Service Paths.... ( Found: 0 wrong Services )
-Searching for Rootkit Modules........
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\sockspy.dll
-------------------------------------------------------------------------------
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)

C:\Documents and Settings\Gary>

Unread postby ChrisRLG » January 27th, 2005, 7:48 pm

That looks clean - do the media player instructions above.

BTW I will be going to bed now - so will catch up tomorrow.

Unread postby ChrisRLG » January 28th, 2005, 7:50 am

I see Mike at Dell has not yet given up with you - it is not advisable to try suggestions from more than one person at a time - so come back here if Mike is unable to get you clean. (When he gives up)

Unread postby ChrisRLG » February 9th, 2005, 9:47 am

As Mike seems to have you clean - I will archive this topic now.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.