Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

funbangladesh


Post by VopThis » November 30th, 2005, 2:53 pm

Re the JOTTI link how do I post a file cos I tried a lot and never succeeded.

Find the full path for the file in question (and copy that into JOTTI) or navigate (like you would in Explorer) to the file from JOTTI - likely something like:
C:\Win\sys32\unlodctr.exe (which is an odd looking path, by the way)


This Paintshop Pro (Jasc prog) runs extremely well if the PC is free of every hitch. But as soon as a virus or whatever crops in it freezes.

Certain programs, especially memory intensive ones, can fare very badly at the first signs of malware infection. They likely interfere with resources that Paintshop needs and you are put on notice accordingly?
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Post by ommi » December 1st, 2005, 9:15 am

:D
Hi,
Thanks for your help. Do you think that I can download Win SP 1 &2 now?
I have just run Panda and it found nothing. Does this mean that my PC is OK?
Do you think that I have any files that must be submitted to JOTTI?
;)
Joe
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by VopThis » December 1st, 2005, 9:56 am

To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.


As a final cleanup step, it is often advisable to Reset and Re-enable your System Restore to remove any bad files that may have been backed up by Windows. The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points, which could likely be infected anyway.)

PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
To Turn OFF System Restore.
  1. Click the Start button.
  2. Right-click My Computer, and then click Properties.
  3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
  4. Click Apply.

To Turn ON System Restore.
  1. Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
  2. Create new System Restore points.


(Windows ME)
See the following link for instructions:
http://service1.symantec.com/SUPPORT/ts ... ec_doc_nam




To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:

  1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
    http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
    http://www.microsoft.com/windows/ie/default.asp

  2. Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching, there are some good free antivirus programs that are decent, including AVG and Avast!.
    AVG: http://free.grisoft.com/doc/1
    Avast: http://www.avast.com/eng/avast_4_home.html

  3. In addition to using Ad-aware, consider using another free malware scanning/removal program:
    Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
    Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
    MS Antispyware beta: http://www.microsoft.com/athome/security/s...re/default.mspx

  4. Consider using a free firewall if you are not already using one. Some good free ones are:
    Sygate: http://smb.sygate.com/products/spf_standard.htm
    Zone Alarm: http://www.zonelabs.com/store/content/comp...n.jsp?lid=ho_za

    It is not a bad idea to also consider using a router/Hardware firewall device. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.

  5. Consider using an alternate free browser for general web surfing but you must use IE for windows updates.
    Mozilla Firefox: http://www.mozilla.org/products/firefox/

  6. Consider increasing your browser security by using these programs:
    SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
    SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known-bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html

  7. A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:
    • Run the HiJackThis tool and select ‘Open the Misc Tools section’.
    • Next select ‘Open host file manager’ button.
    • Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.
    • Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste the RELEVANT contents of that file into Notepad or Wordpad and save the updated file contents.




*Remember just like your primary anti-virus software, it is important to:
  • Keep all of these programs up-to-date, and
  • Use them on a regular basis.






I have just run Panda and it found nothing. Does this mean that my PC is OK?

Re-run all your latest scan tools if you haven't already done so or run a new tool as suggested below. Doesn't hurt to check:

Please try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      - Extended (if available otherwise Standard)
    • Scan Options:
      - Scan Archives
      - Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.




Do you think that I can download Win SP 1 &2 now?

Suggest that you update everything except SP2 and see how that goes.


Do you think that I have any files that must be submitted to JOTTI?

Once you get familiar with the contents of your HJT log, then you may be in a better position to spot something new that needs investigating. JOTTI is normally a good tool when a Google search is not able to clearly identify the nature of any item under review.

Were you able to get a satisfactory second opinion on the unlodctr.exe file?
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Post by ommi » December 3rd, 2005, 1:21 pm

:lol:
Thanks once again for your help. Here is my "homework" result:

Did system restore delete and scheduled a new one

Windows patches installed SP 1

Installed AVG (Avast already installed)

Adaware & Spybot were already installed and so no new progs were installed.

Downloaded ZoneAlarm and running after updating as suggested.

Mozilla Firefox not downloaded cos I get mixed up when browsing. I had it once but kicked it out ;)

Installed SpywareGuard and running. Do you suggest I download the others too?

Re item 7 I was a bit confused what am I supposed to do!!

Re unlodctr.exe was scanned with Kaspersky on-line and found it clean.

These anti-virus progs are somewhat funny! I scan with one and finds everything OK then another is used and finds two malware. Removed OK. Yet another prog is used and finds another new two or three!! Funny isn't it???

:?
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by ommi » December 3rd, 2005, 3:00 pm

Here are the Kaspersky scan details (funny, more malware was found after all that hassle to remove them!!!)

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, December 03, 2005 19:56:46
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 3/12/2005
Kaspersky Anti-Virus database records: 163095
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 31760
Number of viruses found: 3
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 5497 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Joe\winsos.exe/a Infected: Net-Worm.Win32.Randon.aa
C:\Documents and Settings\Joe\winsos.exe/b Infected: Net-Worm.Win32.Randon.aa
C:\Documents and Settings\Joe\winsos.exe/dlcl.edp Infected: Backdoor.IRC.Zapchast
C:\Documents and Settings\Joe\winsos.exe/hosts Infected: Trojan.Win32.Qhost
C:\Documents and Settings\Joe\winsos.exe Infected: Trojan.Win32.Qhost
C:\System Volume Information\_restore{B22D9EFC-8B1D-4299-88D0-76C4229F0FFA}\RP32\A0006341.exe/a Infected: Net-Worm.Win32.Randon.aa
C:\System Volume Information\_restore{B22D9EFC-8B1D-4299-88D0-76C4229F0FFA}\RP32\A0006341.exe/b Infected: Net-Worm.Win32.Randon.aa
C:\System Volume Information\_restore{B22D9EFC-8B1D-4299-88D0-76C4229F0FFA}\RP32\A0006341.exe/dlcl.edp Infected: Backdoor.IRC.Zapchast
C:\System Volume Information\_restore{B22D9EFC-8B1D-4299-88D0-76C4229F0FFA}\RP32\A0006341.exe/hosts Infected: Trojan.Win32.Qhost
C:\System Volume Information\_restore{B22D9EFC-8B1D-4299-88D0-76C4229F0FFA}\RP32\A0006341.exe Infected: Trojan.Win32.Qhost

Scan process completed.

PS The other progs didn't find any!!!
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by VopThis » December 3rd, 2005, 5:33 pm

Think of all the tools that you have used to this point as 9 professional medical opinions as to your good health except that only the last doctor was able to detect a 'cancerous condition'.


Delete the following file (in SAFE MODE, if necessary):
C:\Documents and Settings\Joe\winsos.exe


Reset and Re-enable your System Restore again.

C:\System Volume Information\_restore... entries
are backups of bad entries from winsos.exe

Run Kaspersky scan again.
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Post by ommi » December 4th, 2005, 11:30 am

Ran PC in safe mode and deleted winsos.exe (after a lot of goings and comings to find my way around he he)

Deleted restore points and enabled once more.

The Kaspersky report follows (C:\Sys Vol Info\_restore....

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, December 04, 2005 16:27:44
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/12/2005
Kaspersky Anti-Virus database records: 163252
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\System Volume Information\_restore{B22D9EFC-8B1D-4299-88D0-76C4229F0FFA}\

Scan Statistics:
Total number of scanned objects: 31
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 4 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

Is this what was required?
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by VopThis » December 4th, 2005, 11:47 am

Scan process completed.

Is this what was required?

YES.



Installed AVG (Avast already installed)

Run only one AV tool at a time or they may interfere with each other.

Installed SpywareGuard and running. Do you suggest I download the others too?

The more protection coverage, the better. The IE-Spyad is the only one that I don't use.

Re item 7 I was a bit confused what am I supposed to do!!

Simply paste the HOSTS file line items into the HOSTS file. Your PC simply loads and uses that file to disallow surfing to any of the sites listed.


Is your PC behaving OK now?
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Post by ommi » December 5th, 2005, 9:22 am

127.0.0.1 localhost

This is what I got from HJT. I could not paste it in the HOST file. It wouldn't allow me (poor me!).

Yeah PC is behaving (while it lasts!)

Shall I download patch SP2 cos it is continually asking me to...

:roll:
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by VopThis » December 5th, 2005, 9:49 am

Can you open the FILE PATH identified in HJT in NOTEPAD?

Go to http://www.mvps.org/winhelp2002/hosts.txt . Copy and paste (add) the RELEVANT contents of that file into Notepad and save the updated file contents.

#start of lines added by WinHelp2002
# [Misc A - Z]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 e.abnad.net
127.0.0.1 http://www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
.
.
.
#end of lines added by WinHelp2002




If you cannot save that content, you may have an application running that is protecting the HOSTS file from hijack entries to that file. You need to locate that application and temporarily disable that protection activity if applicable.


Update to SP2 at your choosing. You want to be as clean as possible when you do and your PC trouble free for at least a few days prior.
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Post by ommi » December 6th, 2005, 3:25 pm

Hi, sorry to trouble you more but I just could not paste my entry into the HOSTS file. I saved the HJT scan in NOTEPAD but there I struck a wall (or firewall!!) The HOSTS site couldn't even let me do anything to it: insert, delete, change nothing. Here is my saved notepad.

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

There were no applications running except the AV and firewalls.

The last line in notepad is my HJT
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by VopThis » December 7th, 2005, 12:15 am

Download the http://www.mvps.org/winhelp2002/hosts.txt to your desktop.

Disable/unplug your internet connection.


Temporarily disable your firewalls - are you running more than one?


Try updating again.


If still no joy, try in SAFE MODE (F8 key).
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Post by ommi » December 7th, 2005, 10:18 am

OK saved the HOSTS file in notepad plus my update. Now what else since it is saved on my desktop? Am I to do something with it or leave it just there? Excuse me if I seem so backward in these :cry:

Re firewalls I have only ZoneAlarm.
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by VopThis » December 7th, 2005, 11:18 am

OK saved the HOSTS file in notepad plus my update.

If you opened up the HOSTS file in HJT and were able to add the MVPS contents, you should be able to test and verify that the blocking mechanism is now functional.


Go to a command Prompt screen:

Start>Run>cmd (hit ENTER)

Copy and Paste (right-click>paste) the following into the command window and hit ENTER:

PING acestats.com


Results should show as:

Pinging acestats.com [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128




If still no joy, copy and paste the following bolded contents from each individual line and hit ENTER after each. Post those results back:

CD C:\
C:\>
DIR HOSTS /s


Sample results:
Volume in drive C is WDC1200
Volume Serial Number is 2A78-743C

Directory of C:\Program Files\Spybot - Search & Destroy\Includes

HOSTS SBS 27,093 05-12-04 1:03a Hosts.sbs
1 file(s) 27,093 bytes

Directory of C:\WINDOWS

HOSTS SAM 21 11-28-05 5:27p hosts.sam
HOSTS 328,114 11-28-05 5:27p hosts
HOSTS2~1 BAC 454,381 04-10-05 11:53p hosts.20050411-015349.backup
HOSTS2~2 BAC 454,460 04-11-05 1:53a hosts.20050411-015350.backup
4 file(s) 1,236,976 bytes

Total files listed:
5 file(s) 1,264,069 bytes
0 dir(s) 8,123.03 MB free
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada
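Item 7 of the prevention list (adding the MVPS entries to the HOSTS file) and the PING check in this post, as one added Python example that is my code and not the forum's or MVPS's: it parses hosts-file text by the file's own rules (`#` starts a comment, first field an IP address, remaining fields hostnames), appends a blocklist without duplicating names, and answers the question `PING name` answers, namely whether the name now resolves to 127.0.0.1 instead of the real server. Both hosts texts are constructed: the stock XP file as pasted earlier in the thread, and a few lines in the MVPS layout, one of which is deliberately a URL rather than a hostname (the form one line of the excerpt quoted earlier takes); the parser skips it rather than silently writing an entry that blocks nothing. `parse_hosts`, `merge_blocklist`, `lookup` and `is_blocked` are names I chose.

```python
import ipaddress
import re

# Constructed: the stock Windows XP hosts file as pasted in this thread
# (comments plus the single localhost entry).
DEFAULT_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
"""

# Constructed: a short excerpt in the MVPS hosts.txt layout. The real list
# runs to thousands of lines. The accoona line is written as a URL on
# purpose: that is not a valid hosts entry and the parser must reject it.
MVPS_EXCERPT = """\
#start of lines added by WinHelp2002
# [Misc A - Z]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 e.abnad.net
127.0.0.1 http://www.accoona.com #[Adware-Accoona]
#end of lines added by WinHelp2002
"""

# Dot-separated labels of letters, digits and hyphens: a hostname, not a URL.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def parse_hosts(text):
    """Parse hosts-file text into {hostname: ip}.

    '#' starts a comment (whole line or trailing). Lines whose first field
    is not an IP address, and names that are not plain hostnames, are
    skipped rather than trusted.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                      # malformed first field
        for name in names:
            if HOSTNAME_RE.match(name):
                table[name.lower()] = ip  # hosts lookups are case-insensitive
    return table


def merge_blocklist(current_text, blocklist_text):
    """Append the blocklist's entries to current_text, skipping names that are
    already mapped (so running the merge twice changes nothing), and return
    the new file text."""
    existing = parse_hosts(current_text)
    added = []
    for name, ip in parse_hosts(blocklist_text).items():
        if name not in existing:
            added.append(f"{ip} {name}")
            existing[name] = ip
    if not added:
        return current_text
    return current_text.rstrip("\n") + "\n\n" + "\n".join(added) + "\n"


def lookup(hosts_text, hostname):
    """Emulate the hosts-file step of name resolution, which PING consults
    before asking DNS."""
    return parse_hosts(hosts_text).get(hostname.lower())


def is_blocked(hosts_text, hostname):
    """True when the hosts file pins the name to a loopback address, which is
    the 'Pinging name [127.0.0.1]' result VopThis asks to look for."""
    ip = lookup(hosts_text, hostname)
    return ip is not None and ipaddress.ip_address(ip).is_loopback


if __name__ == "__main__":
    merged = merge_blocklist(DEFAULT_HOSTS, MVPS_EXCERPT)
    for name in ("a.abnad.net", "www.accoona.com"):
        print(name, "blocked" if is_blocked(merged, name) else "NOT blocked")
```

Running it reports `a.abnad.net` as blocked and `www.accoona.com` as NOT blocked, the latter precisely because its line was a URL. That is the same situation as ommi's result below, where `PING acestats.com` still reaches 213.228.214.65: when the paste looks right but PING still resolves to the real address, the entries themselves, not just the file's location, are what to check.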

Post by ommi » December 8th, 2005, 9:30 am

Executed what you asked for and what I got is this. OK or am I still going round in circles???

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>PING acestats.com

Pinging acestats.com [213.228.214.65] with 32 bytes of data:

Reply from 213.228.214.65: bytes=32 time=103ms TTL=52
Reply from 213.228.214.65: bytes=32 time=103ms TTL=52
Reply from 213.228.214.65: bytes=32 time=101ms TTL=52
Reply from 213.228.214.65: bytes=32 time=99ms TTL=52

Ping statistics for 213.228.214.65:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 99ms, Maximum = 103ms, Average = 101ms

C:\>
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am