Need Help To Remove All The Nuisanceware, Please

Post by Aditini » September 23rd, 2005, 2:34 pm

Hi, my OS is Win2000. I keep on getting pop-ups despite clearing the temp folders every time I go onto the net, and clearing the nuisance using Ad-Aware, Spybot, Spyware Blaster and SpyGuard. :cry:

My HijackThis log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 2:22:33 AM, on 24/09/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\BootStrap Agent\Bsa.exe
C:\Program Files\Acer\LANScope\bin\IIDS.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINNT\system32\ncsvc.exe
c:\armour5\bin\ZANDA.EXE
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\regsvc.exe
C:\SAP46d\SapGui\srvany.exe
C:\WINNT\System32\SCardSvr.exe
C:\sap46d\sapgui\rfccom.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Intel\DMI\BIN\WIN32SL.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Acer\LANScope\bin\ssm.exe
C:\Program Files\Acer\LANScope\ci\cimgr\CiMgrLdr.exe
C:\ARMOUR5\Nvc\BIN\NVCSCHED.EXE
c:\armour5\bin\NJEEVES.EXE
C:\ARMOUR5\Nvc\BIN\nvcoas.exe
C:\WINNT\System32\rsvp.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Acer\LANScope\Bin\USM.exe
C:\Program Files\Acer\LANScope\Bin\Intel\USBMonitor.exe
C:\armour5\bin\ZLH.EXE
C:\WINNT\System32\dpmw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
c:\armour5\Nvc\bin\cclaw.exe
C:\Program Files\NetSeq\Secure Agent\Nsa2.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\lotusV95\wordpro\wordpro.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://workforce.petronas.com.my/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [User Space Manager] C:\Program Files\Acer\LANScope\Bin\USM.exe
O4 - HKLM\..\Run: [USBMonitor] C:\Program Files\Acer\LANScope\Bin\Intel\USBMonitor.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe
O4 - HKLM\..\Run: [Norman ZANDA] c:\armour5\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SecureLogin - Taskbar App] "C:\Program Files\Novell\SecureLogin\slproto.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Secure Agent.lnk = C:\Program Files\NetSeq\Secure Agent\Nsa2.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://pww.teamspace.petronas.com.my/qp2.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://workforce.petronas.com.my/dana- ... sSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06E31CB3-B5C9-47F9-B85F-044501EFDBDC}: Domain = petronas.com.my
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1AE6609-0FEB-4871-A92C-A21024D345DB}: NameServer = 161.142.2.17 161.142.227.17
O17 - HKLM\System\CS1\Services\Tcpip\..\{06E31CB3-B5C9-47F9-B85F-044501EFDBDC}: Domain = petronas.com.my
O17 - HKLM\System\CS2\Services\Tcpip\..\{06E31CB3-B5C9-47F9-B85F-044501EFDBDC}: Domain = petronas.com.my
O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\en62l1jo1.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel Bootstrap Agent - Intel Corporation - C:\Program Files\Intel\BootStrap Agent\Bsa.exe
O23 - Service: Intel CI Manager - Intel(R) Corporation - C:\Program Files\Acer\LANScope\ci\cimgr\CiMgrLdr.exe
O23 - Service: Intel IIDS - Intel(R) Corporation - C:\Program Files\Acer\LANScope\bin\IIDS.exe
O23 - Service: Intel SSM - Intel(R) Corporation - C:\Program Files\Acer\LANScope\bin\ssm.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Virtual Com Port Service (neoNcSvc) - Unknown owner - C:\WINNT\system32\ncsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - c:\armour5\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - c:\armour5\bin\ZANDA.EXE
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\ARMOUR5\Nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\ARMOUR5\Nvc\BIN\NVCSCHED.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAP Internet Graphics Server (SAP IGS Service) - Unknown owner - C:\SAP46d\SapGui\srvany.exe
O23 - Service: win32sl - Smart Technology Enablers - C:\Program Files\Intel\DMI\BIN\WIN32SL.EXE
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe

Thank you in advance for your help.
Aditini.
P.S. I'm not a techy person though. Hope you can be patient with me if I don't get any of your instructions later. :oops:

latest version of VX2

Post by thatman » September 24th, 2005, 12:45 pm

Hi Aditini

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

When option 1 has been completed, move on to option 2 below.

Now run option 2
Close any programs you have open since this step requires a reboot.


From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. :)

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Kc
:lol:
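
An added example, not part of the original posts and not a tool the helpers in this thread used: a small Python triage over lines copied from the HijackThis log above. The thread does not say which line prompted the VX2 diagnosis; the example assumes it is the O20 Winlogon Notify entry pointing at a randomly named DLL in system32, and the function names and the letter/digit heuristic are illustrative.

```python
import ntpath
import re

# A few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - Winlogon Notify: AdminDebug - C:\WINNT\system32\en62l1jo1.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Norman ZANDA - Unknown owner - c:\armour5\bin\ZANDA.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
NOTIFY = re.compile(r"^Winlogon Notify: (.+?) - (.+\.dll)$", re.IGNORECASE)


def parse_entries(log_text):
    """Return (section_code, body) for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def looks_random(stem):
    """Heuristic (assumption): generated names switch between letters and digits often."""
    kinds = ["d" if ch.isdigit() else "a" for ch in stem if ch.isalnum()]
    switches = sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)
    return switches >= 3


def triage(log_text):
    """Return (code, reason, detail) findings that deserve a closer look."""
    findings = []
    for code, body in parse_entries(log_text):
        notify = NOTIFY.match(body) if code == "O20" else None
        if notify:
            path = notify.group(2)
            stem = ntpath.splitext(ntpath.basename(path))[0]
            in_system32 = ntpath.dirname(path).lower().endswith("system32")
            if in_system32 and looks_random(stem):
                findings.append((code, "random-named Winlogon Notify DLL", path))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "service without vendor string", body))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

"Unknown owner" on its own is weak evidence: in this log the Norman services under c:\armour5 carry it as well, so that finding is a prompt to check the file, not a verdict.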

Post by Aditini » September 26th, 2005, 8:56 am

Hi Thatman@Kc,

Thanks for your kind reply and guidance but I got stuck at "double-click the l2mfix.bat file" :( . After doing so, nothing appears for me to choose option #1 from, i.e. a window appears for less than a second and disappears.

Your further guidance as to what I did wrong or didn't do is much appreciated.

Thanks.
Aditini

Post by thatman » September 26th, 2005, 9:43 am

Hi Aditini

When you double-click the l2mfix.exe, it then installs the fix into its own folder called l2mfix.

Find the folder on your system. Now open the l2mfix folder; inside you will find the l2mfix.bat. Click on the l2mfix.bat; this will then start the fix.

Kc ;)

Post by Aditini » September 26th, 2005, 10:55 am

Hi Thatman@Kc,

When I clicked on l2mfix.exe, the l2mfix folder was installed on my desktop and upon opening the folder, I could see the file l2mfix.dat but double clicking the same doesn't give me the MS-DOS window from which I am supposed to choose the option #1.

I've even tried to open l2mfix.dat using MS-DOS but to no avail. Anything else I should do :?:

Cheers
Aditini

Post by thatman » September 26th, 2005, 11:21 am

Hi Aditini

Which of these two locations did you download the l2mfix.exe from?
Delete the l2mfix.exe and folder, now download from the other location.

http://www.atribune.org/downloads/l2mfix.exe

http://www.downloads.subratam.org/l2mfix.exe

Now try the l2mfix again.


If it still will not work run the following fix below.

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install Ad-Aware SE.
Click here for how to set up and use it - please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Download the Ewido Trojan and malware remover: http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-update. Don't run it yet.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log and post the log.

Run Ad-Aware SE and let it remove all it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove.

Reboot as normal.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.stevengould.org/cleanup/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingcomputer.com/forums/tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin. When the scan has finished, click the close button.
When prompted, the system will log off to let it clean out the remaining files. When the log screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://enterprises.pandasoftware.com/pr ... panies.htm
Please post the log from the Panda virus scan. We will need them to remove previous infections that have left files on your system.

Run HijackThis and post the new log.

Kc
;)

Post by NonSuch » October 10th, 2005, 4:32 pm

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed; if you still require assistance, please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.