Help: Virus 17pholmes2000171.exe


11 replies to this topic

#1 Jack Frost

Posted 01 February 2008 - 06:51 PM

I'm using a friend's connection at this point just to see if I can find anyone who knows how to remove 17PHolems2000171.exe so that I can get my Internet connection working again.

It's one of those viruses disguised as an anti-virus program. I can't find anything on it in the file database here, but I've gotten great advice on how to remove viruses from this site in the past.

Thanks in advance.


{Mod Edit: Moved to more appropriate forum ~~Boopme}

Edited by boopme, 01 February 2008 - 06:59 PM.
Moved from XP Home & Pro



#2 Jack Frost (Topic Starter)

Posted 01 February 2008 - 07:31 PM

Well, let's also add to the list:

rxjddnvj.exe
uaqxtg.exe

I can't find anything on these two anywhere except for unfinished requests for help on the first one in your forums.

The second one doesn't even come up with anything in a google search.

I can't provide a HiJackThis log because this is not the computer that's infected, and it's not near me at the moment.

#3 boopme (Global Moderator)

Posted 01 February 2008 - 07:57 PM

Hello and welcome. You're right, info is bleak.
Please do this:
Upload and submit the file to Jotti's malware scan and/or VirusTotal.
Post back the results they send you.
We will move on from there.

#4 Jack Frost (Topic Starter)

Posted 01 February 2008 - 09:43 PM

What file are you referring to?

And keep in mind that it's killed my net connection so I can't upload anything.

I'm typing this from a friend's computer.

Edited by Jack Frost, 01 February 2008 - 09:43 PM.


#5 Jack Frost (Topic Starter)

Posted 01 February 2008 - 09:45 PM

I will try to check back as soon as I'm able...

#6 boopme (Global Moderator)

Posted 01 February 2008 - 10:38 PM

Yep, my bad... I read that and lost it.
Try to copy the file 17PHolems2000171.exe to a disk. Then upload it off the disk (using the browse feature) to Jotti.

I'm looking at getting a HJT another way.

EDIT:
Go to this tutorial; Step 9 will explain how to install and run HiJackThis:
Preparation Guide for use before posting a HijackThis Log. You'll want to print it, as you'll have no net at the PC.
Copy the HijackThis download link on Step 9 to a CD. Then install that to the hard drive of the infected PC.

Edited by boopme, 01 February 2008 - 11:32 PM.

#7 Jack Frost (Topic Starter)

Posted 04 February 2008 - 12:36 PM

Okay, so I tried to find the executables listed so I could put them on a disc, but I was unable to find anything. However, I do have the torrent file I believe is the culprit that installed the virus on my system in the first place. Would that help? Should I upload it anywhere?

I already had HiJackThis on my computer so I do have the log already (it was generated on 2-2-08).

Someone had given me the advice that SmithFraudfix would help, so I reluctantly shut down my computer and went into Safe Mode. However, the virus persisted even in Safe Mode, and now when I log in properly, my desktop is a message about Fatal Errors on my computer and to download more anti-virus software. Oh, and it tells me now that 'Task Manager has been disabled by admin', which of course it hasn't (got any ideas how to get that back?). It's funny too, because before I rebooted I was able to kill those processes with my Task Manager (so the designer wasn't even clever enough to make the virus resistant to that), which stopped the pop-ups but still choked my Internet connection.

I get the feeling that if I let it do what it wants, it'll let me have Internet access, but I'm not really willing to allow that, so here we are again...

Any advice?

#8 quietman7 (Global Moderator)

Posted 04 February 2008 - 01:25 PM

You may have killed the malware processes but they came back after rebooting.

Most Internet connectivity problems arise out of corrupt Winsock settings due to the installation of networking software or a malware infestation. Check with your ISP first, and if they insist that your connection is coming through, the problem must be at your end.

If you're using Windows XP SP2, log on as an administrator.
Go to Start > Run and type: cmd
Press OK or hit Enter. A DOS window will appear.
At the command prompt, type or copy/paste: netsh winsock reset
Hit Enter.
When the program is finished, you will receive the message: "Successfully reset the Winsock Catalog. You must restart the machine in order to complete the reset."
Close the command box and reboot your computer.

Go to Start > Run > type: cmd
Press OK or Hit Enter.
At the command prompt, type or copy/paste: ipconfig /flushdns
Hit Enter.
Close the command box.

Configure TCP/IP to use DNS. Go to Start > Control Panel, and choose Network Connections.
Right-click on your default connection, usually Local Area Connection (or Dial-up Connection if you are using dial-up), and choose Properties.
Double-click on the Internet Protocol (TCP/IP) item.
Select the radio button that says "Obtain DNS servers automatically".
Click OK twice to get out of the properties screen and restart your computer.

CAUTION: It is possible that your Internet Service Provider requires specific settings here. Make sure you know if you need specific DNS settings here or not before you make these changes or you may lose your internet connection. If you are sure you do not need a specific DNS address, you may proceed.

If you cannot get your Internet working, you are going to need access to another computer (family member, friend, etc.) with an Internet connection. Then download the programs I recommend and save them to a USB stick or CD. Then you can transfer them directly to the infected computer, where you can use them. If you cannot copy files to your USB drive, make sure it's not "Write Protected". Some flash drives have a switch on the side which could have accidentally been moved to write protect.

Download and save:
FileASSASSIN.zip (this tool is compatible with Win 2000/NT/XP/Vista only).
MsnCleaner.zip. In addition to removing infected files, it will remove certain restrictions on your system often disabled by malware.

After transfer to your machine, do this:
  • Extract (unzip) MsnCleaner.zip to your desktop (click here if you're not sure how to do this), but DO NOT use it yet.
  • Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A boot menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
  • Double-click MsnCleaner.exe to run the tool.
  • Click the "Analyze" button.
  • A report will be created after the scan and will be saved to C:\MsnCleaner.txt.
  • If it finds an infection, click the "Deleted" button.
  • Reboot normally and post the contents of MsnCleaner.txt in your next reply.
Now continue as follows for any malware files that remain:
  • Create a new folder on your C:\ drive called FileASSASSIN and extract (unzip) the file to that folder. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.)
  • Open the folder and double-click on FileASSASSIN.exe.
  • Select the bad file to delete by dragging it onto the text area or select it using the (...) browse button.
  • Select a removal method. Start with the default "Attempt FileASSASSIN's method of file removal"
  • Click delete and the removal process will begin.
  • If that did not work, start the program again, select the file(s) the same way as before and this time check "Use delete on reboot function from windows."
Note: If you cannot find the file(s), you may have to Reconfigure Windows XP to show hidden files and folders.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
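
The repair above (Winsock reset, DNS flush, switching to automatic DNS) rebuilds exactly the state a practitioner would want to look at before it is gone, and, as quietman7 cautions, can itself cut the machine off if the ISP requires fixed DNS servers. The following PowerShell script is an added example, not part of the thread or of any tool it mentions: it saves the Winsock catalog, the adapter/DNS configuration and the hosts file to a folder, flags hosts entries beyond the stock localhost line (rogue anti-virus families map vendor sites to 127.0.0.1 so the victim cannot reach help, which is what a "Host file Restored" line in a cleaner log points at), and then runs the same netsh and ipconfig commands as the post. The output folder name and the list of stock hosts names are assumptions. It needs an elevated shell; the XP machine in this thread has no PowerShell by default, so there the netsh/ipconfig commands are typed into cmd exactly as described above.

```powershell
# Added example, not part of the thread or of any tool it mentions.
# Snapshots the state that the Winsock reset / DNS repair steps change, so an
# ISP-specific DNS setting or a suspicious Winsock provider can be reviewed
# afterwards, then applies the steps. Run from an elevated (administrator) shell.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $env:SystemDrive "netrepair-$stamp"   # folder name is an assumption
New-Item -ItemType Directory -Path $outDir | Out-Null

# 1. Winsock catalog. A malicious Layered Service Provider appears here as a
#    provider whose DLL path is not a Microsoft file; the reset below rebuilds
#    the catalog, so keep the evidence first.
netsh winsock show catalog | Out-File -FilePath (Join-Path $outDir 'winsock-catalog-before.txt')

# 2. Adapter and DNS configuration, so "Obtain DNS servers automatically" can be
#    undone if the ISP really does require fixed DNS servers.
ipconfig /all | Out-File -FilePath (Join-Path $outDir 'ipconfig-before.txt')

# 3. hosts file. Rogue anti-virus families map vendor sites to 127.0.0.1 so the
#    victim cannot reach help; anything beyond the stock localhost line is flagged.
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$stockNames = @('localhost', 'localhost.localdomain', 'broadcasthost')  # assumed stock names
Copy-Item -Path $hostsPath -Destination (Join-Path $outDir 'hosts-before.txt')
foreach ($line in Get-Content -Path $hostsPath) {
    $text = ($line -split '#', 2)[0].Trim()        # drop comments and surrounding whitespace
    if (-not $text) { continue }
    $fields = $text -split '\s+'
    if ($fields.Count -lt 2) { continue }           # malformed line, nothing to resolve
    $ip    = $fields[0]
    $names = $fields[1..($fields.Count - 1)]
    $isLoopback = ($ip -eq '127.0.0.1' -or $ip -eq '::1')
    $onlyStock  = @($names | Where-Object { $stockNames -notcontains $_ }).Count -eq 0
    if (-not ($isLoopback -and $onlyStock)) {
        Write-Warning ("hosts entry worth checking: {0} -> {1}" -f ($names -join ' '), $ip)
    }
}

# 4. The repair steps from the post. The Winsock reset only completes after a restart.
netsh winsock reset
ipconfig /flushdns
Write-Host "Pre-repair state saved under $outDir. Restart the machine to finish the Winsock reset."
```

Keep the saved folder: if the connection is still dead after the restart, the ipconfig snapshot shows which DNS servers were in use before, and the catalog dump shows whether a third-party LSP was present (a reset removes it along with the malware's entry, which is why some legitimate network software needs reinstalling afterwards).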

#9 Jack Frost (Topic Starter)

Posted 04 February 2008 - 01:50 PM

Wow, thanks quietman7 for the info!

I will attempt the fixes as soon as I get home. :thumbsup:

Out of curiosity, should I try and remove the malware before messing with the DNS settings to see if removing the malware re-establishes my connection, or is it important I do the DNS step before removing the malware?

#10 quietman7 (Global Moderator)

Posted 04 February 2008 - 01:55 PM

You can try fixing your Internet connection first. If it works, you can download the tools for the next step. If not, proceed as instructed and try fixing your net connection afterwards.

#11 Jack Frost (Topic Starter)

Posted 04 February 2008 - 07:33 PM

Well, so far so good.

At the moment my net access has been restored and the pop-ups have stopped, so that's excellent news.

Here is the MSNCleaner.txt you requested:

- Logfile MSNCleaner 1.5.5 by www.forospyware.com
- Created Logfile: 2/4/2008 on 2:22:15 PM
- Operative System: Windows XP
- Boot mode: Safe mode
_________________________________________

Detected files: 6
Deleted file: 3
Undeleted Files: 3

C:\log.txt <--- Deleted
C:\WINDOWS\images.zip <--- Deleted
C:\WINDOWS\nsreg.dat <--- Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll <--- Delete on Reboot
C:\WINDOWS\system32\wsnpoem\video.dll <--- Delete on Reboot
C:\WINDOWS\system32\ntos.exe <--- Delete on Reboot

Host file Restored

_________________________________________
Delete on Reboot

C:\WINDOWS\system32\wsnpoem\audio.dll <--- Deleted
C:\WINDOWS\system32\wsnpoem\video.dll <--- Deleted
C:\WINDOWS\system32\ntos.exe <--- Deleted

Thanks so much, quietman7; you and bleepingcomputer.com in general are awesome.

Cheers!

P.S. - I forgot to ask, it still tells me my Task Manager has been disabled by admin. How can I get my task manager back?

Edited by Jack Frost, 04 February 2008 - 07:34 PM.


#12 quietman7 (Global Moderator)

Posted 05 February 2008 - 08:01 AM

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
The "Task Manager has been disabled by your administrator" message occurs if there is a restriction in the registry. Sometimes this restriction is created by a malware infection. The DisableTaskMgr value becomes (1) instead of (0). In XP Pro it may be blocked via the "Local Group Policy" or "Domain Group Policy".

Usually MsnCleaner fixes this when run. Since it didn't, see Task Manager has been disabled by your administrator and MS Article ID: 555546.
This step involves making changes in the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own. Improper changes to the registry could adversely affect your computer and render it inoperable.
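
The registry restriction quietman7 describes can be inspected and cleared without hand-editing in regedit, which is where the warning about improper registry changes bites. The following PowerShell is an added example, not from the thread or the Microsoft article it links: it reads DisableTaskMgr under both the per-user and the machine policy keys (the value names and paths are the documented ones; checking HKLM as well as HKCU is the point, because a machine-wide value wins), prints what it finds and removes any non-zero value. DisableRegistryTools is included as an addition of mine, since the same malware families commonly set it alongside to block regedit. Run it from an elevated shell so the HKLM key can be written.

```powershell
# Added example, not from the thread or the Microsoft article it links.
# Reports and clears the policy values behind "Task Manager has been disabled
# by your administrator". Malware usually writes them under HKCU; HKLM is
# checked too because a machine-wide value overrides the per-user one.
# Run from an elevated shell so the HKLM key can be modified.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
# DisableTaskMgr is the value named in the post; DisableRegistryTools is an
# addition here, since the same families often set both to block regedit.
$restrictions = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($key in $policyKeys) {
    if (-not (Test-Path -Path $key)) {
        Write-Host "$key : key not present (no policy set here)"
        continue
    }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $restrictions) {
        $value = $props.$name
        if ($null -eq $value) { continue }          # value absent = not configured
        Write-Host ("{0}\{1} = {2}" -f $key, $name, $value)
        if ($value -ne 0) {
            # Deleting the value is the same as the policy being "Not configured";
            # setting it to 0 would also work, but leaves a trace to explain later.
            Remove-ItemProperty -Path $key -Name $name
            Write-Host "  removed $name"
        }
    }
}
# If the value comes back, something is re-applying it: on XP Pro, Local or
# Domain Group Policy (gpresult /r shows what applied), otherwise a malware
# process that is still running, which is why the removal tools come first.
```

If the value is absent from both keys yet the message persists, the restriction is coming from Group Policy rather than a stray registry write, which matches the XP Pro caveat in the post.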