Acmlm's Board - I2 Archive - Hardware/Software - Stop coming back..... stupid.
User | Post |
DarkSlaya
Posts: 3825/4249 |
It came back from out of nowhere. I DOWNLOADED NOTHING, browsed my usual websites (I've browsed them since way before I've had this problem).
Guess I'm gonna do a virus scan, since it seemed like something was downloaded in the background (shut down my modem, having an IE window saying that it can't work offline. I DON'T USE IE)
Edit: Found it. The CdRomLock[insert long name here] crap had more stuff in the folder. Found an interesting list of randomly generated names from the malware. |
HyperLamer
Posts: 5814/8210 |
Well it better, it cleans out everything. The only way it could fail is if you didn't get all the files... or if taskkill didn't kill it (it doesn't sometimes) and taskmgr refused to, then you'd need a third-party task manager. |
DarkSlaya
Posts: 3824/4249 |
That worked, HH. The multiple Iexplore.exe processes are gone, too. Thanks |
HyperLamer
Posts: 5796/8210 |
That's not going to work, you need to use safe mode and delete everything. You may have to turn off your computer at the Windows logo when it's starting up, though if you can find a better way you should use it
- Disconnect from the Internet by shutting your modem off, unplugging it, or whatever.
- Restart and go to Safe Mode with Command Prompt
- Run 'tasklist', look for any of those programs, or iexplore.exe.
- If you find them, run 'taskkill /F /IM [program.exe]', replacing '[program.exe]' with the program's name.
- Run tasklist again to make sure they're terminated. If not, you may have to run taskmgr and kill it that way, though this is less secure since they often replace it and it won't kill certain programs.
- Run these commands:
- del "C:\DOCUME~1\Philippe\APPLIC~1\SAVEPA~1\inside up.exe"
- del "C:\Documents and Settings\All Users\Application Data\LocksSupportCdromStop\Cdrom New.exe"
- del "C:\DOCUME~1\Philippe\APPLIC~1\ThatFlag\Eq Sign Browse.exe"
- C:\windows\PCHEALTH\HELPCTR\Binaries\msconfig
- Uncheck anything you don't recognize under Services and Startup. (You can hide the Microsoft services, I don't think they can spoof that.)
- Run 'regedit'.
- Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main.
- Delete the Search Bar entry, and change Start Page to something good like Google or HyperNova Software.
- Do the same in HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main, if they exist.
- Run the command 'cd "C:\Documents and Settings\Philippe\Start Menu\Programs\Startup"'.
- Delete anything you don't recognize in there. These are shortcuts, so if it's not one of the programs mentioned before, you should hunt them out and nuke them too.
- Run 'shutdown -r -t 00' to reboot.
- Open the task manager and make sure none of these processes are running.
- Run Regedit again and make sure the keys you deleted are still gone.
- Open Firefox and reset the start page and anything else that's fishy. You might have to reinstall it. (Never seen one of these target FF before.)
- Re-connect and do whatever, and don't go back to whatever site you got this thing from!
This might disable some programs' auto-start options; you can just turn them back on. |
neotransotaku
Posts: 3568/4016 |
try the following
(1) update your definitions and rescan (i'm guessing you have done that)
(2) activate a command prompt
(3) open up task manager, go to processes tab and kill explorer.exe process
(4) kill the following processes (if they are running):
inside up.exe
cdrom new.exe
eq sign browse.exe
(5) using the command prompt, erase the following files:
% erase "C:\DOCUME~1\Philippe\APPLIC~1\SAVEPA~1\inside up.exe"
% erase "C:\Documents and Settings\All Users\Application Data\LocksSupportCdromStop\Cdrom New.exe"
% erase "C:\DOCUME~1\Philippe\APPLIC~1\ThatFlag\Eq Sign Browse.exe"
(6) from task manager, go to file->new task->"msconfig"
(7) go to start up tab
(8) any startup you do not recognize uncheck it
(9) from task manager, try to restart your computer (you have that ability with one of your menus). if not, then run "explorer" instead
|
DarkSlaya
Posts: 3820/4249 |
Meh, I've had some spyware for some time, and it just won't go away (after my multiple attempts at getting rid of it).
HijackThis! Log. (Entries that I couldn't get rid of are bolded.)
Logfile of HijackThis v1.99.1
Scan saved at 20:32:57, on 2005-07-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Philippe\Bureau\Old\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.autbevlzrb.net/bU3CbdCkpsGYXdFeHEL7obacFz9ah08QWu7NqKmcyayulvG7BvDRN7NWvJFr4h8q.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kwtfdouatbvxi.us/bU3CbdCkpsGz2neqdyw7YGjxKdQWMLFCSocZ64xxsz4.jpg
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8BB1C8AD-FCD9-835B-BDA3-BDFC874CC49E} - C:\DOCUME~1\Philippe\APPLIC~1\SAVEPA~1\inside up.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [cdromstoproadbalm] C:\Documents and Settings\All Users\Application Data\LocksSupportCdromStop\Cdrom New.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Anti Ref] C:\DOCUME~1\Philippe\APPLIC~1\ThatFlag\Eq Sign Browse.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Also, feel free to tell me what is supposed to be crap/spywares/programs with spywares in this.
There's also been a similar Start Page Hijack on Firefox. Note that Spybot, Adaware scans did nothing to help, as well as my HijackThis scan in safe mode.
There's also a banner that appears whenever I open IE, and it stays even if I close it (there's an [X] at the top of it, though. I'll take a screenshot if I can).
Another question: Is it normal that there's always TWO instances of IExplore.exe running at a time? If I terminate one, it just comes back. |
|
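Added example, not part of the original thread: a short Python triage of HijackThis lines that flags the kinds of entries the replies above go after (IE Main start/search values, and BHO or Run targets sitting under an Application Data folder). The names `triage` and `SAMPLE_LOG` are hypothetical, the rules are heuristics assumed here rather than anything HijackThis itself applies, and the sample reuses entries from the posted log with the hijacked URL swapped for a constructed placeholder.

```python
import re

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")              # "<section> - <details>"
TARGET = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)  # first full file path
# Long and 8.3 short spellings of an "Application Data" folder (user-writable).
PROFILE_DIR = re.compile(r"\\(?:Application Data|APPLIC~\d)\\", re.I)

# Constructed sample: entries from the log above; the R1 URL is a placeholder.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hijack.example.invalid/x.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8BB1C8AD-FCD9-835B-BDA3-BDFC874CC49E} - C:\DOCUME~1\Philippe\APPLIC~1\SAVEPA~1\inside up.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [cdromstoproadbalm] C:\Documents and Settings\All Users\Application Data\LocksSupportCdromStop\Cdrom New.exe
O4 - HKCU\..\Run: [Anti Ref] C:\DOCUME~1\Philippe\APPLIC~1\ThatFlag\Eq Sign Browse.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""


def triage(log_text):
    """Return (section, reasons, detail) for entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header or running-process line
        section, body = m.groups()
        hit = TARGET.search(body)
        path = hit.group(0) if hit else ""
        reasons = []
        if section in ("R0", "R1"):
            reasons.append("IE start/search page value: check the URL")
        if section in ("O2", "O4") and PROFILE_DIR.search(path):
            reasons.append("autostart target lives under Application Data")
        if section == "O2" and path.lower().endswith(".exe"):
            reasons.append("BHO points at an .exe (BHOs are normally DLLs)")
        if reasons:
            findings.append((section, reasons, path or body))
    return findings


if __name__ == "__main__":
    for section, reasons, detail in triage(SAMPLE_LOG):
        print(f"{section}: {detail}\n    " + "; ".join(reasons))
```

Legitimate software also installs under Application Data, so a hit is a prompt to inspect the file, not a verdict.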