Acmlm's Board - I2 Archive - Hardware/Software - Stop comming back..... stupid. | |
DarkSlaya
Posted on 07-16-05 05:35 AM
Meh, I've had some spyware for some time, and it just won't go away (after my multiple attempts at getting rid of it).

HijackThis! Log. (Entries that I couldn't get rid of are bolded.)

Logfile of HijackThis v1.99.1
Scan saved at 20:32:57, on 2005-07-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Philippe\Bureau\Old\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.autbevlzrb.net/bU3CbdCkpsGYXdFeHEL7obacFz9ah08QWu7NqKmcyayulvG7BvDRN7NWvJFr4h8q.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kwtfdouatbvxi.us/bU3CbdCkpsGz2neqdyw7YGjxKdQWMLFCSocZ64xxsz4.jpg

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8BB1C8AD-FCD9-835B-BDA3-BDFC874CC49E} - C:\DOCUME~1\Philippe\APPLIC~1\SAVEPA~1\inside up.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [cdromstoproadbalm] C:\Documents and Settings\All Users\Application Data\LocksSupportCdromStop\Cdrom New.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Anti Ref] C:\DOCUME~1\Philippe\APPLIC~1\ThatFlag\Eq Sign Browse.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Fichiers communs\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Also, feel free to tell me what is supposed to be crap/spyware/programs with spyware in this.

There's also been a similar Start Page hijack on Firefox. Note that Spybot and Ad-Aware scans did nothing to help, as well as my HijackThis scan in safe mode.

There's also a banner that appears whenever I open IE, and it stays even if I close it (there's an [X] at the top of it, though. I'll take a screenshot if I can).

Another question: Is it normal that there are always TWO instances of IExplore.exe running at a time? If I terminate one, it just comes back.


(edited by DarkSlaya on 07-15-05 08:37 PM)
(edited by DarkSlaya on 07-15-05 08:38 PM)
neotransotaku
Posted on 07-16-05 05:54 AM
try the following

(1) update your definitions and rescan (I'm guessing you have done that)
(2) activate a command prompt
(3) open up task manager, go to processes tab and kill explorer.exe process
(4) kill the following processes (if they are running):

inside up.exe
cdrom new.exe
eq sign browse.exe

(5) using the command prompt, erase the following files:

% erase "C:\DOCUME~1\Philippe\APPLIC~1\SAVEPA~1\inside up.exe"
% erase "C:\Documents and Settings\All Users\Application Data\LocksSupportCdromStop\Cdrom New.exe"
% erase "C:\DOCUME~1\Philippe\APPLIC~1\ThatFlag\Eq Sign Browse.exe"

(6) from task manager, go to file->new task->"msconfig"
(7) go to start up tab
(8) any startup you do not recognize uncheck it

(9) from task manager, try to restart your computer (you have that ability with one of your menus). if not, then run "explorer" instead

HyperLamer
Posted on 07-16-05 09:29 PM
That's not going to work; you need to use safe mode and delete everything. You may have to turn off your computer at the Windows logo when it's starting up, though if you can find a better way you should use it.

  1. Disconnect from the Internet by shutting your modem off, unplugging it, or whatever.
  2. Restart and go to Safe Mode with Command Prompt
  3. Run 'tasklist', look for any of those programs, or iexplore.exe.
  4. If you find them, run 'taskkill /F /IM [program.exe]', replacing '[program.exe]' with the program's name.
  5. Run tasklist again to make sure they're terminated. If not, you may have to run taskmgr and kill it that way, though this is less secure since they often replace it and it won't kill certain programs.
  6. Run these commands:
    • del "C:\DOCUME~1\Philippe\APPLIC~1\SAVEPA~1\inside up.exe"
    • del "C:\Documents and Settings\All Users\Application Data\LocksSupportCdromStop\Cdrom New.exe"
    • del "C:\DOCUME~1\Philippe\APPLIC~1\ThatFlag\Eq Sign Browse.exe"
    • C:\windows\PCHEALTH\HELPCTR\Binaries\msconfig

  7. Uncheck anything you don't recognize under Services and Startup. (You can hide the Microsoft services, I don't think they can spoof that.)
  8. Run 'regedit'.
  9. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main.
  10. Delete the Search Bar entry, and change Start Page to something good like Google or HyperNova Software.
  11. Do the same in HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main, if they exist.
  12. Run the command 'cd "C:\Documents and Settings\Philippe\Start Menu\Programs\Startup"'.
  13. Delete anything you don't recognize in there. These are shortcuts, so if it's not one of the programs mentioned before, you should hunt them out and nuke them too.
  14. Run 'shutdown -r -t 00' to reboot.
  15. Open the task manager and make sure none of these processes are running.
  16. Run Regedit again and make sure the keys you deleted are still gone.
  17. Open Firefox and reset the start page and anything else that's fishy. You might have to reinstall it. (Never seen one of these target FF before.)
  18. Re-connect and do whatever, and don't go back to whatever site you got this thing from!


This might disable some programs' auto-start options; you can just turn them back on.
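The same triage can be done against the HijackThis log from the first post before working through the steps above. The script below is an added example, not something from this thread or from HijackThis: it parses the R0/R1, O2 and O4 lines, flags the patterns that stood out here (an IE start/search page on a random-looking host, an unnamed BHO that is an .exe or lives under the user's profile, an autorun launched from a user-writable data directory) and emits the quoted del/taskkill/reg commands each finding needs. The consonant-run test for generated hostnames and the user-writable-directory pattern are assumptions of this example; the sample log is a constructed excerpt using the thread's own paths, with the two URL paths shortened.

```python
import re
from typing import Dict, List

# Constructed excerpt of a HijackThis 1.99.1 log in the thread's format; the paths are
# the thread's own, the two URL paths are shortened for readability.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.autbevlzrb.net/bU3C.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kwtfdouatbvxi.us/bU3C.jpg
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8BB1C8AD-FCD9-835B-BDA3-BDFC874CC49E} - C:\DOCUME~1\Philippe\APPLIC~1\SAVEPA~1\inside up.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [cdromstoproadbalm] C:\Documents and Settings\All Users\Application Data\LocksSupportCdromStop\Cdrom New.exe
O4 - HKCU\..\Run: [Anti Ref] C:\DOCUME~1\Philippe\APPLIC~1\ThatFlag\Eq Sign Browse.exe
"""
# Full key names behind HijackThis's "HKxx\..\Run" shorthand and the BHO registration key.
RUN_KEY = r"%s\Software\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s"
USER_WRITABLE = re.compile(r"application data|applic~1", re.I)   # per-user data dirs, not Program Files
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")         # assumed heuristic, not a HijackThis rule

def random_looking(url: str) -> bool:
    """Cheap test for generated hostnames: a run of 4+ consonants in the label left of the TLD."""
    host = re.match(r"https?://([^/]+)", url)
    labels = host.group(1).lower().split(".") if host else [""]
    return bool(CONSONANT_RUN.search(labels[-2] if len(labels) > 1 else labels[0]))

def removal(exe: str) -> List[str]:
    """The taskkill/del pair from the thread, with the path quoted so spaces survive cmd.exe."""
    return ['taskkill /F /IM "%s"' % exe.rsplit("\\", 1)[-1], 'del "%s"' % exe]

def triage(log: str) -> List[Dict[str, object]]:
    """Return the suspicious R0/R1, O2 and O4 entries with the cleanup commands each needs."""
    out: List[Dict[str, object]] = []
    for line in log.splitlines():
        if m := re.match(r"R[01] - (HK\w+\\[^,]+),(.+?) = (.+)", line):
            if random_looking(m[3]):      # start/search page pointing at a generated-looking host
                out.append({"line": line, "why": "hijacked IE page",
                            "fix": ['reg delete "%s" /v "%s" /f' % (m[1], m[2])]})
        elif m := re.match(r"O2 - BHO: (.*?) - (\{[0-9A-F-]+\}) - (.+)", line, re.I):
            if m[1] == "(no name)" and (m[3].lower().endswith(".exe") or USER_WRITABLE.search(m[3])):
                out.append({"line": line, "why": "unnamed BHO that is an .exe or lives in user data",
                            "fix": removal(m[3]) + ['reg delete "%s" /f' % (BHO_KEY % m[2])]})
        elif m := re.match(r'O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] "?(.+?\.exe)', line, re.I):
            if USER_WRITABLE.search(m[3]):  # autoruns from Program Files are left alone
                out.append({"line": line, "why": "autorun from a user-writable data directory",
                            "fix": removal(m[3]) + ['reg delete "%s" /v "%s" /f' % (RUN_KEY % m[1], m[2])]})
    return out
```

Running `triage(SAMPLE_LOG)` flags exactly the five entries the thread ends up deleting and leaves AVG, Messenger Plus and Spybot's SDHelper alone; the emitted commands are for a human to review, not to run blindly.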
DarkSlaya
Posted on 07-16-05 10:20 PM
That worked, HH. The multiple Iexplore.exe processes are gone, too. Thanks.
HyperLamer
Posted on 07-17-05 01:16 AM
Well it better, it cleans out everything. The only way it could fail is if you didn't get all the files... or if taskkill didn't kill it (it doesn't sometimes) and taskmgr refused to, then you'd need a third-party task manager.
DarkSlaya
Posted on 07-17-05 02:06 AM
It came back out of nowhere. I DOWNLOADED NOTHING, and browsed my usual websites (I've browsed them since way before I had this problem).

Guess I'm gonna do a virus scan, since it seemed like something was downloaded in the background (I shut down my modem and had an IE window saying that it can't work offline. I DON'T USE IE).


Edit: Found it. The CdRomLock[insert long name here] crap had more stuff in the folder. Found an interesting list of randomly generated names from the malware.


(edited by DarkSlaya on 07-16-05 05:31 PM)