please help to get rid of this

Post by stranger666 » June 16th, 2005, 6:51 pm

Hi All!
Recently I picked up some malware - every now and then the message box would come up saying "WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.
Do you want to learn how to protect your computer?"
Could someone tell me how to get rid of it? This is my HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 6:51:55 PM, on 6/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programs\Inet\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Programs\Music\Audio Sliders 2\volume.exe
C:\Programs\Utilities\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Programs\Utilities\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programs\Image\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Programs\Image\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Programs\Inet\ICQ\ICQ.exe
C:\Programs\Image\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programs\Image\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Programs\Music\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Programs\Utilities\Far\Far.exe
F:\System\Utilz\Spyware Removal Stuff\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Programs\UTILIT~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programs\Image\Acrobat 6.0 Writer\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Programs\UTILIT~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Internet Explorer Hot Fix - {F1B11C5A-0DD9-49FC-A91F-05114CA4E4CC} - C:\WINDOWS\System32\grmhg.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programs\Image\Acrobat 6.0 Writer\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programs\Inet\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Audio Sliders Launch] "c:\Programs\Music\Audio Sliders 2\volume.exe" /s
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programs\Inet\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Programs\Utilities\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programs\Utilities\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programs\Utilities\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Programs\Image\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Programs\MSOFFI~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Programs\UTILIT~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programs\Inet\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programs\Inet\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programs\MSOFFI~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programs\Inet\YAHOO!~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programs\Inet\YAHOO!~1\YPager.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CA1866-B2B5-44B3-BAB0-F146EB898EBD}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{4445E147-ACD6-421A-AA05-5959F607536E}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B4EA2E1-9A50-4FED-A5C3-F97FE4DCB0DF}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{A396273E-8FA3-4539-9CFB-F17ECBF9C028}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD5A70D4-B560-4E13-B7F1-289745C21FCC}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CA1866-B2B5-44B3-BAB0-F146EB898EBD}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CA1866-B2B5-44B3-BAB0-F146EB898EBD}: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: Acronis Scheduler2 Service - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programs\Utilities\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks everyone!
stranger666
Regular Member
Posts: 19
Joined: June 16th, 2005, 6:46 pm

Post by wng_z3r0 » June 16th, 2005, 10:01 pm

To start with I would like you to do this

Please delete your temporary files by deleting all files and folders inside the following folders (do not delete the Temp folder itself), for example:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Do a virus scan here.
If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.

Then please do this. Since it's better to use automated tools to get rid of the bad stuff, use these 2 programs first before doing the final cleaning with HJT.

First is Spybot S & D available from here.

1. Download and install Spybot S&D, accepting the default settings.

2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.

3. Close ALL windows except Spybot S&D

4. Click the button to ‘Search for Updates’ then download and install the Updates.

5. Next click the button ‘Check for Problems'

6. When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' entries and ‘GREEN’ entries in the window

7. Make certain there is a check mark beside all of the RED entries ONLY.

8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

9. REBOOT to complete the scan and clear memory.


Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

Open Ad-Aware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.

If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Make sure the "Automatically quarantine objects prior to removal" setting is checked green and then click "Proceed" to save your changes.

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat. Leave the option for low-risk threats unchecked also. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page. Make sure all of the following are On with a green checkmark:

  • Scan within archives

Then click on the "Tweak" Button to open up the tweak settings.

Open up the Scanning Engine section and make sure all of the following are On with a green checkmark:
  • Scan registry for all users instead of current user only
Make sure the following is unchecked with a red X:
  • Unload recognized processes & modules during scan.
Open up the Cleaning Engine section and make sure all of the following are On with a green checkmark:

  • Always try to unload modules before deletion
  • During Removal, unload Explorer and IE if necessary
  • Let Windows remove files in use at next reboot.

Click the "Proceed" button to save settings. Click next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to "Scan Complete".

Click the "Next" button to get to the Scanning Results screens, where more information about the objects detected during the scan is available. Click the Critical Objects tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. Once all are selected, click "Next" and then "OK" in the pop-up window to confirm the removal.

Run the scan, and then reboot.

Then,

You are using an outdated version of hijackthis.

Please download the latest version from the following link:

HijackThis Download Site

Once it is downloaded, extract the zip file to c:\hjt and navigate to the c:\hjt folder. Now double-click on hijackthis.exe and when the window opens, Press the Scan now and save a logfile button and then when it is done, copy and paste the contents of the notepad it opens as a reply to this post.
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

did all as advised

Post by stranger666 » June 18th, 2005, 10:29 pm

Did all of the above - the virus scan and Spybot returned no problems, AdAware would find 14 problems and then freeze up at some point - so I hit Cancel after it found the 14th problem (it's a maximum before it freezes up) and fixed them. Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:26:13 PM, on 6/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programs\Inet\ZoneAlarm\zlclient.exe
C:\Programs\Music\Audio Sliders 2\volume.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Programs\Utilities\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Programs\Utilities\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programs\Image\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Programs\Image\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Programs\Inet\ICQ\ICQ.exe
C:\Programs\Image\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programs\Image\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Programs\Utilities\Far\Far.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Programs\UTILIT~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programs\Image\Acrobat 6.0 Writer\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Programs\UTILIT~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Internet Explorer Hot Fix - {F1B11C5A-0DD9-49FC-A91F-05114CA4E4CC} - C:\WINDOWS\System32\grmhg.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programs\Image\Acrobat 6.0 Writer\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programs\Inet\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Audio Sliders Launch] "c:\Programs\Music\Audio Sliders 2\volume.exe" /s
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programs\Inet\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Programs\Utilities\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programs\Utilities\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programs\Utilities\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Programs\Image\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Programs\MSOFFI~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Programs\UTILIT~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programs\Inet\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programs\Inet\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programs\MSOFFI~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programs\Inet\YAHOO!~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programs\Inet\YAHOO!~1\YPager.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CA1866-B2B5-44B3-BAB0-F146EB898EBD}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{4445E147-ACD6-421A-AA05-5959F607536E}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B4EA2E1-9A50-4FED-A5C3-F97FE4DCB0DF}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{A396273E-8FA3-4539-9CFB-F17ECBF9C028}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD5A70D4-B560-4E13-B7F1-289745C21FCC}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CA1866-B2B5-44B3-BAB0-F146EB898EBD}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CA1866-B2B5-44B3-BAB0-F146EB898EBD}: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programs\Utilities\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

You think the virus is killed now?

Thanks!
stranger666
Regular Member
Posts: 19
Joined: June 16th, 2005, 6:46 pm

additional

Post by stranger666 » June 18th, 2005, 11:09 pm

I also have another problem - I cannot empty the Trash (it says 'Cannot delete file') and on one of the drives I have the same problem, but it is an undeleted file (not in the Trash yet). Is there a solution for that?

Thanks.
stranger666
Regular Member
Posts: 19
Joined: June 16th, 2005, 6:46 pm

Post by wng_z3r0 » June 19th, 2005, 1:10 am

well some of the stuff has been killed.. but we'll kill every last nasty on your computer :D
Please download the following programs:
Note: don't run them yet! There is an order we need to follow


Mcafee Stinger


Now, please print these instructions. Then close all programs (especially your internet browser!!)

Doubleclick on HijackThis.
Then click on the button that says run a system scan
Then place a check next to the following items and click "fix"

O2 - BHO: Internet Explorer Hot Fix - {F1B11C5A-0DD9-49FC-A91F-05114CA4E4CC} - C:\WINDOWS\System32\grmhg.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CA1866-B2B5-44B3-BAB0-F146EB898EBD}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{4445E147-ACD6-421A-AA05-5959F607536E}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B4EA2E1-9A50-4FED-A5C3-F97FE4DCB0DF}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{A396273E-8FA3-4539-9CFB-F17ECBF9C028}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD5A70D4-B560-4E13-B7F1-289745C21FCC}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CA1866-B2B5-44B3-BAB0-F146EB898EBD}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CA1866-B2B5-44B3-BAB0-F146EB898EBD}: NameServer = 69.50.184.84,195.225.176.37




Run Stinger.

I will restore your recycle bin in just a little bit... hang on :D


Post a new HJT log when done.
wng
Last edited by wng_z3r0 on June 19th, 2005, 4:30 pm, edited 2 times in total.
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm
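The entries wng_z3r0 singles out above, a BHO whose DLL is already gone and seven O17 NameServer entries pointing at 69.50.184.84 and 195.225.176.37 on every adapter and in every control set, are exactly what a small log-triage script can pick out mechanically. The Python below is an added example for this page, not HijackThis code and not something posted in the thread: it parses HijackThis-style O2 and O17 lines (the sample lines are copied from the logs posted above), flags any NameServer that is not in an expected resolver set, records which control sets carry it, and flags BHOs registered for a DLL that no longer exists. The expected resolver 192.168.1.1 is an assumed placeholder; in real triage you would use the ISP's or router's actual resolvers.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# HijackThis lines copied from the logs posted in this thread. The clean
# entries are included so the triage has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Programs\UTILIT~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Internet Explorer Hot Fix - {F1B11C5A-0DD9-49FC-A91F-05114CA4E4CC} - C:\WINDOWS\System32\grmhg.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programs\Inet\ZoneAlarm\zlclient.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{37CA1866-B2B5-44B3-BAB0-F146EB898EBD}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{4445E147-ACD6-421A-AA05-5959F607536E}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{37CA1866-B2B5-44B3-BAB0-F146EB898EBD}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{37CA1866-B2B5-44B3-BAB0-F146EB898EBD}: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumption for this example: the resolvers the ISP or router really hands
# out. 192.168.1.1 is a placeholder; take the real ones from a known-clean
# machine (ipconfig /all) or from the ISP.
EXPECTED_DNS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[0-9.,]+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


def parse_o17(line):
    """Return (registry key, [IPv4Address, ...]) for an O17 line, else None."""
    m = O17_RE.match(line)
    if not m:
        return None
    servers = [ip_address(s) for s in m.group("servers").split(",") if s]
    return m.group("key"), servers


def control_set(key):
    """Pull the control-set name (CCS, CS1, CS2, ...) out of an O17 key.

    CurrentControlSet is only a link to one of the numbered sets, so a rogue
    NameServer left behind in another set can reappear after a reboot."""
    m = re.search(r"HKLM\\System\\(C\w+)\\Services", key)
    return m.group(1) if m else "?"


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Flag suspicious O2 and O17 entries in a HijackThis log.

    Returns a dict with:
      'rogue_dns'   - {server ip: sorted control sets it was found in}
      'missing_bho' - [(name, clsid, path)] for BHOs whose DLL is gone
      'bad_lines'   - the raw lines to tick and fix in HijackThis
    """
    expected = {ip_address(x) for x in expected_dns}
    rogue_dns = defaultdict(set)
    missing_bho = []
    bad_lines = []
    for raw in log_text.splitlines():
        line = raw.strip()
        o17 = parse_o17(line)
        if o17:
            key, servers = o17
            rogue = [s for s in servers if s not in expected]
            if rogue:
                bad_lines.append(line)
                for s in rogue:
                    rogue_dns[str(s)].add(control_set(key))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").endswith("(file missing)"):
            # A BHO whose DLL is gone is either a half-removed infection or an
            # earlier cleanup that never touched the registry; either way the
            # CLSID registration has no business staying.
            missing_bho.append((m.group("name"), m.group("clsid"), m.group("path")))
            bad_lines.append(line)
    return {
        "rogue_dns": {ip: sorted(sets) for ip, sets in rogue_dns.items()},
        "missing_bho": missing_bho,
        "bad_lines": bad_lines,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, sets in result["rogue_dns"].items():
        print(f"rogue DNS {ip} set in control sets {', '.join(sets)}")
    for name, clsid, path in result["missing_bho"]:
        print(f"BHO '{name}' {{{clsid}}} -> {path}")
    print(f"{len(result['bad_lines'])} lines to fix")
```

Grouping by control set is the point of the example: CurrentControlSet is just a link to one of the ControlSet00N keys and the other numbered set is the LastKnownGood configuration, which is why the same adapter GUID shows up under CCS, CS1 and CS2 in the log and why all of those copies have to be fixed, not only the one Windows is currently using.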

question

Post by stranger666 » June 19th, 2005, 11:27 am

OK, I'll do that. But the only thing is - Audio Sliders (one of the 2 entries you suggest to get rid of) is an actual program that I installed - it allows you to control volume and other stuff from the keyboard, without reaching for your mouse. Do you really think it can be a threat?
stranger666
Regular Member
Posts: 19
Joined: June 16th, 2005, 6:46 pm

Post by wng_z3r0 » June 19th, 2005, 12:36 pm

lemme double check.

edit: ok.. the source I was basing that on said it was malware, but a majority of other sites say it's clean... I have revised the instructions that I posted.

wng
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

more

Post by stranger666 » June 19th, 2005, 10:05 pm

OK, did all of the above, here is the log

Logfile of HijackThis v1.99.1
Scan saved at 10:02:16 PM, on 6/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programs\Inet\ZoneAlarm\zlclient.exe
C:\Programs\Music\Audio Sliders 2\volume.exe
C:\Programs\Utilities\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Programs\Utilities\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programs\Image\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Programs\Image\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Programs\Image\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programs\Image\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Programs\Inet\ICQ\Icq.exe
C:\Programs\Utilities\Far\Far.exe
C:\Programs\Inet\Kazaa Lite K++\KazaaLite.kpp
C:\Programs\Music\Winamp\winamp.exe
C:\Different\Downloads\s-t-i-n-g-e-r.exe
C:\Programs\Inet\Radmin\radmin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Programs\UTILIT~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programs\Image\Acrobat 6.0 Writer\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Programs\UTILIT~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programs\Image\Acrobat 6.0 Writer\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programs\Inet\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Audio Sliders Launch] "c:\Programs\Music\Audio Sliders 2\volume.exe" /s
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programs\Inet\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Programs\Utilities\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programs\Utilities\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KAZAA] "C:\Programs\Inet\Kazaa Lite K++\kpp.exe" "C:\Programs\Inet\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programs\Utilities\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Programs\Image\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Programs\MSOFFI~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Programs\UTILIT~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programs\Inet\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programs\Inet\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programs\MSOFFI~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programs\Inet\YAHOO!~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programs\Inet\YAHOO!~1\YPager.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programs\Utilities\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Stinger only gave me a number of clean files (after I ran it) - and nothing else, I guess that means everything is OK, right?
So I will watch if the nasty message appears, and we still have the unemptyable :) Recycle Bin and undeletable file issue.
Also - is there a website that tells you if a certain entry in the HJT log is bad and needs to be fixed (you mentioned some kind of SOURCE - where is that?)
Thanks again
stranger666
Regular Member
Posts: 19
Joined: June 16th, 2005, 6:46 pm

Post by wng_z3r0 » June 19th, 2005, 10:37 pm

There's not a "site" per se... It takes a lot of work to analyze logs, and I use a variety of sites. Most of all Google... lol

ok. try fixing your recycle bin by doing the following:
1.) Go to a command prompt and type the following, hitting Enter after each line.

cd \
cd recycler
del desktop.ini


Assuming no errors...reboot and test.

If still not fixed...:

2.) Download the following registry repair file:

http://www.kellys-korner-xp.com/regs_ed ... clebin.reg

Save to desktop and run it. Say yes to the merge prompt.

Reboot and test with blank file

if still borked...

Open a command prompt.

At the prompt, type the following, hitting Enter after each line.

cd\
cd Recycler
attrib -h info*.*
Del info*.*


Assuming one or more files were deleted, reboot, then test if it's fixed.

If not, go back to a command prompt and type:

cd\ [hit enter]
attrib -h -s c:\recycler [Enter]
del c:\recycler [enter]

Reboot. **this last action deletes everything in the bin as well**

Test it and it should work.


Any other symptoms?
wng
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Post by stranger666 » June 21st, 2005, 11:39 am

OK, the Recycle Bin seems to be half-way fixed - it looks and works fine, but the actual file that was causing the problem is still in G:\Recycler. And that issue actually reminds me of a very interesting problem - access to the NTFS file system from DOS, meaning when Windows is not loaded, because if I had FAT32 I would not have any problems booting up in DOS, loading something like Norton Commander and deleting anything I want. Is there some kind of utility program that would allow me to do that with the NTFS file system?

And also the main virus (or spyware) with the big "WARNING....." message is still there...Here is the HJT log if you need it:

Logfile of HijackThis v1.99.1
Scan saved at 11:39:35 AM, on 6/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programs\Inet\ZoneAlarm\zlclient.exe
C:\Programs\Music\Audio Sliders 2\volume.exe
C:\Programs\Utilities\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Programs\Utilities\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programs\Inet\Kazaa Lite K++\KazaaLite.kpp
C:\Programs\Image\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Programs\Inet\ICQ\ICQ.exe
C:\Programs\Image\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Programs\Image\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programs\Image\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Programs\Utilities\Far\Far.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cmd.exe
C:\HJT\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Programs\UTILIT~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programs\Image\Acrobat 6.0 Writer\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Programs\UTILIT~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programs\Image\Acrobat 6.0 Writer\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programs\Inet\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Audio Sliders Launch] "c:\Programs\Music\Audio Sliders 2\volume.exe" /s
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programs\Inet\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Programs\Utilities\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programs\Utilities\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KAZAA] "C:\Programs\Inet\Kazaa Lite K++\kpp.exe" "C:\Programs\Inet\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programs\Utilities\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Programs\Image\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Programs\MSOFFI~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Programs\UTILIT~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programs\Inet\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programs\Inet\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programs\MSOFFI~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programs\Inet\YAHOO!~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programs\Inet\YAHOO!~1\YPager.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Programs\Utilities\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Anything else we can do?
THanks.
stranger666
Regular Member
Posts: 19
Joined: June 16th, 2005, 6:46 pm

Post by wng_z3r0 » June 21st, 2005, 1:52 pm

ok:
1. go to start->run
2.type in:
desk.cpl

hit enter

then click on the desktop tab.
click on "customize desktop"
click on the web tab.
Delete everything there you don't recognize.

Then, do this to restore your recycle bin:

1.) Go to a command prompt and type the following, hitting Enter after each line.

g:
cd recycler
del desktop.ini

Assuming no errors...reboot and test.

If still not fixed...:

2.) Download the following registry repair file:

http://www.kellys-korner-xp.com/regs_ed ... clebin.reg

Save to desktop and run it. Say yes to the merge prompt.

Reboot and test with blank file

if still borked...

Open a command prompt.

At the prompt, type the following, hitting Enter after each line.

g:
cd Recycler
attrib -h info*.*
Del info*.*

Assuming one or more files were deleted, reboot, then test if it's fixed.

If not, go back to a command prompt and type:

g: [hit enter]
attrib -h -s g:\recycler [Enter]
del g:\recycler [enter]

Reboot. **this last action deletes everything in the bin as well**

Test it and it should work.

wng
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Post by stranger666 » June 21st, 2005, 8:01 pm

Looks like the RecycleBin is taken care of - thanks a lot! But this annoying pop-up virus ("WARNING.....etc") is still there....what can we do next? And did you come up with anything about accessing NTFS under DOS?
Thanks.
stranger666
Regular Member
Posts: 19
Joined: June 16th, 2005, 6:46 pm

Post by wng_z3r0 » June 21st, 2005, 10:31 pm

can I get a screenshot of this popup?
NTFS support for dos:
http://www.sysinternals.com/Utilities/NtfsDos.html

wng
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Post by stranger666 » June 22nd, 2005, 11:53 pm

Sorry, you'll probably think I'm stupid - but how do you use the image button to paste an image?
stranger666
Regular Member
Posts: 19
Joined: June 16th, 2005, 6:46 pm

Post by wng_z3r0 » June 23rd, 2005, 12:03 am

no problem.

say the image was here:

http://test.com/test.jpg

then you would do this:
[img]http://test.com/test.jpg[/img]


wng

edit: if you need a place to upload the image,
try here:
http://imageshack.ws

wng
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm