Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Can't remove WinTools from registry-Huntbar remains

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby Bertha » April 27th, 2005, 6:38 am

Hey MM,

Well I need you to do as follows:

Boot into Safe Mode (F8 on Startup)

Then run another AdAware Scan allowign it to remove all that it finds

Then after the scan whilst still in Safe Mode empty all your Temporary Folders/Files

Run Cleanup to empty all your
Temporary Internet Folders as Hijackthis and other programs
leave a lot of junk behind:


http://cleanup.stevengould.org

Post the new log Back Here

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands
Advertisement
Register to Remove

Unread postby madmurph » April 27th, 2005, 12:35 pm

Hi Bertha- which log? under which account? Hayden? Thx. MM
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal

Unread postby madmurph » April 27th, 2005, 1:52 pm

CleanUp! kept finding files in use, asking for a logoff or restart. One of the files referred to a folder in the Windows folder called "Software Distribution" which could not be deleted in normal mode, so I restarted in Safe Mode and deleted that folder and its contents. It reappeared in normal mode. Also, a hidden folder, "RECYCLERS" is in the root directory. It is almost 500mb, containing many temporary files, eg., Dc.###.tmp, which causes "hits" in CleanUp! that cannot be deleted. Recommendations? Delete "RECYCLERS"?
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal

Unread postby Bertha » April 27th, 2005, 2:35 pm

Hey MM,

Im only concerned with Haydens account as the others were clean when I left them unless they too have also been infected again

It is NORMAL for CleanUp to say that it cant delete files and folder sbecuase they were in use

As for the ones you say you deleted, can you find the files and folders and right click on them, select properties and post back here what it says then Illl have a better idea of what they are

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby madmurph » April 27th, 2005, 2:54 pm

The folder "RECYCLER" (C:\RECYCLER) doesn't show any properties, just a creation date of July 11, 2003. It doesn't use a standard folder icon either, looks like the icon assigned by Windows to an unrecognized file. I can't see the contents, either, I only know what's in it by what CleanUp! showed on its scan. No properties on "Software Distribution" (C:\Windows\Software Distribution) either, except for size 1.4mb and today's creation date, since I deleted the original in Safe Mode. New scan with AdAware showed no suspect files, however, now a scan with SpyBot showed two HKLM entries for WildTangent, an HKCR entry for Amilli Service, an HKCR for iSearch, and of course, Huntbar. I am online, but have only visited this site, and CleanUp!'s. One other interesting glitch I have found: The "Recycle Bin" icon on Whitney's desktop won't show the empty icon, even though it is. I've tried changing the icon through appearance, but it still shows the "Full" icon. Is this connected? Are we having fun, yet? Cheers, MM
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal

Unread postby Bertha » April 27th, 2005, 2:58 pm

Hey MM,

Can you Log on as an Administrator to your computer and do a HJT Scan from there for me

Also post a new HJT Scan from Haydens account and anyone elses you feel is suffering

As for those folders I feel they are legit and should not be worried about especially considering the created date on the one of them

Please try to limit all internet activity particularly Surfing, playing games and downloading anything other than what I advise while we clean you up.

When clean we will provide you with tools that can help you keep clean, but until then the least you do on the internet the better.

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby madmurph » April 27th, 2005, 4:05 pm

I'm not doing any Internet surfing, other than to this site and one's you indicate. In fact, for the most part, I have been doing the scans disconnected from the network, using a different computer to download files and instructions, so there is a minimum amount of online use to the affected computer. SpyBot scan on reboot showed HKU and HKLM entries under WildTangent; and 2 HKU ennties under MyWay.MyBar. All the user accounts have administrative priviledges; but I can only log specifically onto Administrator under Safe Mode. Here's the HJT logs:

Admin (under the Mom & Dad account):

Logfile of HijackThis v1.99.1
Scan saved at 12:39:34 PM, on 4/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\SpyWare\New Folder\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://support.gateway.com/support/prof ... itStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



HJT for Hayden:

Logfile of HijackThis v1.99.1
Scan saved at 12:42:02 PM, on 4/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\SpyWare\New Folder\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpyWareWall] C:\PROGRA~1\SPYWAR~1\SPYWAR~2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://support.gateway.com/support/prof ... itStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal

Unread postby Bertha » April 27th, 2005, 5:19 pm

Hey MM,

I see no problems with either of those Hijackthis Logs

When you say you have a network what sort are you running, is it just one in the house, how many computers are connected to it have you scanned these?

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby madmurph » April 27th, 2005, 6:14 pm

I'm on a network behind a rather substantial firewall (not controlled by me). Originally, the computer was on a home cable modem. I just find it odd that these trojans, esp. say, WildTangent, keep showing back up on the scans when I'm not "surfing" anywhere that would cause the intrusion. There must be something lying resident on this computer, generating the files. I've never been prompted for a HJT Start Up Log; would that help? At this point, should I just save each user's docs, delete their accounts, then reenter them?
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal

Unread postby Bertha » April 28th, 2005, 5:46 am

No dont delete accounts

The other computers tat are on the network you are running, have you done scans on them such as a HJT Scan to see what is on those

If you havent htis could be your problem, you see an infected computer on a network will infect the other computers it is connected with

Please run some scans on all the computers in your network, HJT would help and Ill take a look

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby madmurph » April 28th, 2005, 10:31 am

On the down side, there are 34 other computers on this network, and I can't do HJT scans on all of them. However, on the plus side, they are all running anti-spyware programs and none of these exhibit any problems -- all their scans are clear. The point I was trying to make in my previous post is, this computer will generate these new files and show "hits" in one of the spyware programs, even when physically disconnected from the network. During the course of this troubleshooting, I have only connected back up to the network when absolutely necessary -- for a spyware update or a file download at your direction.
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal

Unread postby Bertha » April 28th, 2005, 5:30 pm

Hey MM,

Try this for me

Click start> run> type cmd and hit enter.

At the prompt type the following lines hitting Enter after each one:

cd \
cd c:\recycler
del desktop.ini


Reboot and test the recycle bin...Let me know if it is working right (showing Empty now).

(Thanks 3162)

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby madmurph » April 29th, 2005, 1:16 pm

hi bertha --
After changing to the RECYCLER directory, entering the DEL command caused a "file not found" reply. Under the RECYCLER directory when I typed a DIR command, it shows: Volume has no label, a serial number, directory C:\RECYCLER, then "file not found". Further note: The "full" icon on Recycle Bin is only under the Whitney account. However, on drive C, the folder icon is missing for RECYCLER (replaced with the generic file icon when Windows doesn't recognize something), regardless of which account is being used to view it. Cheers, MM
User avatar
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal

Unread postby 3162 » April 29th, 2005, 2:13 pm

I will be reviewing this topic and return shortly.
In the meantime, please do not run any new apps, post any new logs etc
Thanks
User avatar
3162
MRU Emeritus
MRU Emeritus
 
Posts: 648
Joined: March 20th, 2005, 7:10 am

Unread postby 3162 » April 29th, 2005, 2:32 pm

I have more questions for you than answers, right now, but let's get some straightforward things cleared up first.

What specific problems are you experiencing with your machine at this point in time?
User avatar
3162
MRU Emeritus
MRU Emeritus
 
Posts: 648
Joined: March 20th, 2005, 7:10 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 269 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware