please help to get rid of this

Unread postby stranger666 » June 23rd, 2005, 12:30 am

OK, that's what I thought - but it looked too complicated to be true :)
Anyway, here is the message itself:
Image
And here is the balloon that pops up in the task bar:
Image
stranger666
Regular Member
 
Posts: 19
Joined: June 16th, 2005, 6:46 pm

Unread postby wng_z3r0 » June 23rd, 2005, 3:09 pm

Hmm, let's see what ports are trying to be used...
Temporarily disable your firewall.
(Make sure the Windows one gets turned off as well...)
Now go to Start->Run
and paste this line in:

netstat.exe -a -b >>c:\netstat.txt

Then go to the C:\ drive and paste the contents of netstat.txt here.

Then re-enable your firewall.
wng
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby stranger666 » June 23rd, 2005, 10:06 pm

The key -b doesn't exist, but I looked in the help and did netstat.exe -a -r -s to give you more information. Here is the result:

Active Connections

Proto Local Address Foreign Address State
TCP MAIN:epmap MAIN:0 LISTENING
TCP MAIN:microsoft-ds MAIN:0 LISTENING
TCP MAIN:1025 MAIN:0 LISTENING
TCP MAIN:1069 MAIN:0 LISTENING
TCP MAIN:1073 MAIN:0 LISTENING
TCP MAIN:1110 MAIN:0 LISTENING
TCP MAIN:1125 MAIN:0 LISTENING
TCP MAIN:2642 MAIN:0 LISTENING
TCP MAIN:5000 MAIN:0 LISTENING
TCP MAIN:14424 MAIN:0 LISTENING
TCP MAIN:netbios-ssn MAIN:0 LISTENING
TCP MAIN:1069 205.188.5.228:5190 ESTABLISHED
TCP MAIN:1073 modemcable213.213-81-70.mc.videotron.ca:1633 ESTABLISHED
TCP MAIN:1171 CPE000b6a4052fd-CM0012c90cec36.cpe.net.cable.rogers.com:1854 TIME_WAIT
TCP MAIN:1173 84.94.52.141.cable.012.net.il:3535 TIME_WAIT
UDP MAIN:epmap *:*
UDP MAIN:microsoft-ds *:*
UDP MAIN:isakmp *:*
UDP MAIN:1026 *:*
UDP MAIN:1029 *:*
UDP MAIN:1099 *:*
UDP MAIN:1127 *:*
UDP MAIN:2642 *:*
UDP MAIN:ntp *:*
UDP MAIN:1043 *:*
UDP MAIN:1082 *:*
UDP MAIN:1900 *:*
UDP MAIN:ntp *:*
UDP MAIN:netbios-ns *:*
UDP MAIN:netbios-dgm *:*
UDP MAIN:1900 *:*
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 11 d8 06 1c 64 ...... Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter, Copper RJ-45 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.46 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.46 192.168.1.46 20
192.168.1.46 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.46 192.168.1.46 20
224.0.0.0 240.0.0.0 192.168.1.46 192.168.1.46 20
255.255.255.255 255.255.255.255 192.168.1.46 192.168.1.46 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

IPv4 Statistics

Packets Received = 1614
Received Header Errors = 0
Received Address Errors = 6
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 0
Received Packets Delivered = 1614
Output Requests = 1919
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 0
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 0
Datagrams Failing Fragmentation = 0
Fragments Created = 0

ICMPv4 Statistics

Received Sent
Messages 5 2
Errors 0 0
Destination Unreachable 2 1
Time Exceeded 0 0
Parameter Problems 0 0
Source Quenches 0 0
Redirects 0 0
Echos 0 1
Echo Replies 3 0
Timestamps 0 0
Timestamp Replies 0 0
Address Masks 0 0
Address Mask Replies 0 0

TCP Statistics for IPv4

Active Opens = 128
Passive Opens = 0
Failed Connection Attempts = 33
Reset Connections = 16
Current Connections = 2
Segments Received = 990
Segments Sent = 1180
Segments Retransmitted = 75

UDP Statistics for IPv4

Datagrams Received = 617
No Ports = 4
Receive Errors = 0
Datagrams Sent = 642

Route Table

Unread postby wng_z3r0 » June 23rd, 2005, 10:20 pm

I guess the -b switch is only for XP pro

Thanks for solving the issue by yourself. I'll look at the log now.
wng

Unread postby stranger666 » June 23rd, 2005, 10:25 pm

I actually have the Pro version - so I don't know the reason for the -b not to work, but the log was posted - that's what matters :)

Unread postby wng_z3r0 » June 23rd, 2005, 11:07 pm

OK, here are some ports to be concerned about (not necessarily bad, I'm just not sure they're legit...):

Port 1025
http://www.linklogger.com/TCP1025.htm

port 1125
unknown...

port 5000
http://www.linklogger.com/TCP5000.htm

port 14424
unknown....

TCP MAIN:1069 205.188.5.228:5190 ESTABLISHED

this one concerns me because it is an established connection, but the IP doesn't come up with anything...


I am no expert on ports, so I am asking someone more knowledgeable.
Please hold.

wng

Unread postby stranger666 » June 23rd, 2005, 11:25 pm

I appreciate all you do. Will wait for the answer. The only thing is - are you sure it is the port to blame? Because the message (WARNING etc...) itself looks like a common spyware, but none of the tools we tried helped....

Unread postby wng_z3r0 » June 23rd, 2005, 11:59 pm

To my untrained eye... it LOOKS legitimate... so might as well check, right?

wng

Unread postby stranger666 » June 24th, 2005, 10:09 am

So do we do anything to the ports? If yes, then what? Or is there anything else to try to get rid of the annoying pop-up?

Unread postby wng_z3r0 » June 24th, 2005, 8:57 pm

let's try this:
start->run
netstat.exe -a -o >>c:\netstat.txt

post the logfile from c:\netstat.txt


wng

Unread postby stranger666 » June 24th, 2005, 10:30 pm

Here it is:


Active Connections

Proto Local Address Foreign Address State PID
TCP MAIN:epmap MAIN:0 LISTENING 1096
TCP MAIN:microsoft-ds MAIN:0 LISTENING 4
TCP MAIN:1025 MAIN:0 LISTENING 1196
TCP MAIN:1069 MAIN:0 LISTENING 1216
TCP MAIN:1079 MAIN:0 LISTENING 1112
TCP MAIN:1110 MAIN:0 LISTENING 1880
TCP MAIN:1125 MAIN:0 LISTENING 1880
TCP MAIN:1678 MAIN:0 LISTENING 1112
TCP MAIN:1686 MAIN:0 LISTENING 1112
TCP MAIN:1787 MAIN:0 LISTENING 1112
TCP MAIN:2642 MAIN:0 LISTENING 1112
TCP MAIN:3670 MAIN:0 LISTENING 1216
TCP MAIN:5000 MAIN:0 LISTENING 1428
TCP MAIN:netbios-ssn MAIN:0 LISTENING 4
TCP MAIN:netbios-ssn server:1285 ESTABLISHED 4
TCP MAIN:1069 205.188.5.228:5190 ESTABLISHED 1216
TCP MAIN:1079 140.135.205.68.cfl.res.rr.com:32656 ESTABLISHED 1112
TCP MAIN:1678 pcp08024885pcs.dalect01.va.comcast.net:2861 ESTABLISHED 1112
TCP MAIN:1686 stjhnf0112w-142162202255.nl.aliant.net:1214 ESTABLISHED 1112
TCP MAIN:1787 dsl.dynamic81215154186.ttnet.net.tr:1593 ESTABLISHED 1112
TCP MAIN:1921 server:netbios-ssn TIME_WAIT 0
UDP MAIN:epmap *:* 1096
UDP MAIN:microsoft-ds *:* 4
UDP MAIN:isakmp *:* 900
UDP MAIN:1026 *:* 1196
UDP MAIN:1030 *:* 1364
UDP MAIN:1223 *:* 1364
UDP MAIN:1706 *:* 1364
UDP MAIN:2642 *:* 1112
UDP MAIN:ntp *:* 1196
UDP MAIN:1039 *:* 1216
UDP MAIN:1613 *:* 1996
UDP MAIN:1900 *:* 1428
UDP MAIN:ntp *:* 1196
UDP MAIN:netbios-ns *:* 4
UDP MAIN:netbios-dgm *:* 4
UDP MAIN:1900 *:* 1428

Unread postby wng_z3r0 » June 24th, 2005, 10:46 pm

lol... this is becoming a learning experience for me as well...
It's giving the PID...

So I need to know what the PID is.
Please go to start->run
type this in:
tasklist.exe >>c:\tasklist.txt

then post the results of tasklist.txt here.
wng

Unread postby stranger666 » June 24th, 2005, 10:56 pm

There we go:


Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 20 K
System 4 Console 0 256 K
smss.exe 756 Console 0 364 K
csrss.exe 820 Console 0 1,788 K
winlogon.exe 844 Console 0 828 K
services.exe 888 Console 0 3,084 K
lsass.exe 900 Console 0 1,296 K
svchost.exe 1096 Console 0 3,408 K
svchost.exe 1196 Console 0 16,364 K
svchost.exe 1364 Console 0 1,944 K
svchost.exe 1428 Console 0 3,764 K
explorer.exe 1652 Console 0 20,084 K
spoolsv.exe 1748 Console 0 7,016 K
schedul2.exe 1840 Console 0 1,612 K
kavsvc.exe 1880 Console 0 11,948 K
KodakCCS.exe 1900 Console 0 2,948 K
nvsvc32.exe 1924 Console 0 2,644 K
svchost.exe 2004 Console 0 2,816 K
wdfmgr.exe 236 Console 0 1,472 K
vsmon.exe 352 Console 0 7,808 K
zlclient.exe 516 Console 0 3,492 K
volume.exe 524 Console 0 3,380 K
TrueImageMonitor.exe 636 Console 0 2,136 K
schedhlp.exe 668 Console 0 2,852 K
kav.exe 680 Console 0 808 K
swdoctor.exe 176 Console 0 38,828 K
ctfmon.exe 812 Console 0 3,260 K
hpoojd07.exe 1020 Console 0 6,712 K
Icq.exe 1216 Console 0 8,572 K
hpoevm07.exe 1296 Console 0 3,652 K
hposts07.exe 1556 Console 0 5,044 K
hpofxm07.exe 1608 Console 0 5,148 K
Far.exe 4008 Console 0 1,164 K
IEXPLORE.EXE 1996 Console 0 23,612 K
rdsndin.exe 2724 Console 0 3,080 K
ntfsnlpa.exe 3880 Console 0 3,256 K
IEXPLORE.EXE 3204 Console 0 3,304 K
cmd.exe 2732 Console 0 2,804 K
wmiprvse.exe 628 Console 0 4,096 K
Far.exe 1420 Console 0 3,812 K
tasklist.exe 2568 Console 0 4,060 K
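The lookup the last two steps do by hand (a PID from `netstat -a -o` matched against `tasklist`), as an added example that is not code from this thread: it parses both outputs in the collapsed-column form posted above and joins them by PID. The sample input is constructed from lines quoted in the thread, and the function names are my own.

```python
# Added example, not code from the thread: join `netstat -a -o` rows with
# `tasklist` rows by PID. Sample input is constructed from lines posted above.
import re
from collections import defaultdict

NETSTAT = """Proto Local Address Foreign Address State PID
TCP MAIN:1025 MAIN:0 LISTENING 1196
TCP MAIN:5000 MAIN:0 LISTENING 1428
TCP MAIN:1069 205.188.5.228:5190 ESTABLISHED 1216
TCP MAIN:1079 140.135.205.68.cfl.res.rr.com:32656 ESTABLISHED 1112
UDP MAIN:1900 *:* 1428"""
TASKLIST = """Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 20 K
svchost.exe 1196 Console 0 16,364 K
svchost.exe 1428 Console 0 3,764 K
Icq.exe 1216 Console 0 8,572 K"""
# UDP rows carry no State column, so that field is optional.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# Image names may contain spaces ("System Idle Process"); anchor on the numeric columns.
TASKLIST_LINE = re.compile(r"^\s*(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+ K)\s*$")

def parse_netstat(text):
    """Return (local host name, socket rows); non-matching header lines are skipped."""
    rows = []
    for m in filter(None, map(NETSTAT_LINE.match, text.splitlines())):
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    host = rows[0]["local"].rsplit(":", 1)[0] if rows else None
    return host, rows

def parse_tasklist(text):
    """Map PID -> image name; the header and ==== lines do not match the pattern."""
    return {int(m.group(2)): m.group(1)
            for m in filter(None, map(TASKLIST_LINE.match, text.splitlines()))}

def correlate(netstat_text, tasklist_text):
    """Group listening ports and outbound connections by owning process. A PID
    that has sockets but no tasklist entry is labelled rather than dropped."""
    host, rows = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    report = defaultdict(lambda: {"image": None, "listening": [], "remote": []})
    for r in rows:
        entry = report[r["pid"]]
        entry["image"] = procs.get(r["pid"], "(not in tasklist)")
        if r["state"] == "ESTABLISHED" and r["foreign"].rsplit(":", 1)[0] != host:
            entry["remote"].append((r["local"], r["foreign"]))
        elif r["state"] == "LISTENING" or r["proto"] == "UDP":
            entry["listening"].append(f"{r['proto']} {r['local']}")
    return dict(report)
```

`correlate(NETSTAT, TASKLIST)` returns one entry per PID with its image name, listening sockets and connections to hosts other than the local machine; a PID present in netstat but absent from tasklist is reported as such rather than silently dropped.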

Unread postby wng_z3r0 » June 25th, 2005, 11:06 pm

ok: I don't like this process by the looks of it:
icq.exe

please search for icq.exe, right click it, select properties, then give me the vendor info... release version... modified date, created date.... etc etc...where the file is located...etc..etc..etc

wng

Unread postby stranger666 » June 26th, 2005, 12:24 am

Well, icq.exe is a process for a very popular application - internet pager, I'm surprised you haven't heard of it..... http://www.icq.com - all the info....