
detecting but not removing


6 replies to this topic

#1 debs

debs

  • Members
  • 4 posts

Posted 14 April 2005 - 07:32 AM

Dear All,

I'm new to this site, and to spyware as of this week. Having looked at the other topics, I know you guys can pull this one out for me!

I am running Norton and AntiSpyware (installed after the problem arose).

When I start up my PC, after about 1-2 mins my internet dialler pops up and prompts me to connect. If I go to settings it shows it is trying to go to a website clon.biz (can't remember if the dialler number changes - don't think so).

AntiSpyware now recognises the attempted change of setting, and it is blocked so as not to allow it. However it still happens every time I start up, and really I want it to go away.

I have run a full scan, nothing.
I have looked in obvious places (startup menu etc) - nothing.

As a computer dunce I'm unsure about stopping any processes or applications as they all appear to be recognised.

Any ideas????

Ta!


#2 bradly

bradly

  • Deactivated
  • 48 posts

Posted 14 April 2005 - 11:05 AM

Download Autoruns from here:

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

Run it.

Then click FILE - SAVE AS - and save it as a .txt file. Then post the text file here.

Edited by bradly, 14 April 2005 - 11:05 AM.

Shrinkwrapped - Free PC Therapy

#3 debs

debs
  • Topic Starter

  • Members
  • 4 posts

Posted 15 April 2005 - 03:00 AM

OK thanks - here is the file.
The file sysinit32m.exe looks odd - and the dates tie in with the start of the problem.
What do you think?

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

+ C:\WINDOWS\system32\userinit.exe Userinit Logon Application Microsoft Windows XP Publisher c:\windows\system32\userinit.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

+ Explorer.exe Windows Explorer Microsoft Windows XP Publisher c:\windows\explorer.exe

+ sysinit32m.exe c:\windows\system32\sysinit32m.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ ccApp Common Client CC App Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe

+ ccRegVfy Common Client Registry Integrity Verifier Symantec Corporation c:\program files\common files\symantec shared\ccregvfy.exe

+ gcasServ Microsoft AntiSpyware Service Microsoft Corporation c:\program files\microsoft antispyware\gcasserv.exe

+ RealTray RealPlayer (Not verified) RealNetworks, Inc. c:\program files\real\realplayer\realplay.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

+ MSMSGS Messenger (Not verified) Microsoft Corporation c:\program files\messenger\msmsgs.exe

+ Symantec NetDriver Monitor Symantec Security Drivers Install Monitor Symantec Corporation c:\program files\symnetdrv\sndmon.exe

Task Scheduler

+ Symantec NetDetect.job Symantec NetDetect (Not verified) Symantec Corporation c:\program files\symantec\liveupdate\ndetect.exe

#4 bradly

bradly

  • Deactivated
  • 48 posts

Posted 15 April 2005 - 09:34 AM

Yes, sysinit32m.exe would be your problem.

FIRST: Boot into SAFEMODE: http://www.pchell.com/support/safemode.shtml
- if you have win 2K or XP AND have Cable or DSL, choose "Safe Mode With Networking" so that you can do step #4 in SafeMode


1. Uncheck this key with autoruns:

+ sysinit32m.exe c:\windows\system32\sysinit32m.exe


2. Then open up regedit (Start - Run - and type "regedit", press Enter).

- Navigate here: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

- Double click on "Shell", and the VALUE should only be "Explorer.exe". So delete everything BUT that value.


3. Now download, save, and Run Pocket Killbox: http://pctherapy.ca/opiate/Killbox/KillBox/KillBox.exe

- put a checkmark in "End Explorer Shell While Killing File".
- then type the path (c:\windows\system32\sysinit32m.exe) in the text box of "Full Path".
- Reboot.


4. After the reboot, go to housecall and do a complete virus scan: http://housecall.trendmicro.com/housecall/start_corp.asp
- have it Clean or Delete anything it finds.


5. Navigate back to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.
- Make sure Explorer.exe is the only value.


Let me know.
Shrinkwrapped - Free PC Therapy
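The check bradly did by eye on the Autoruns listing in post #3, and asks for again in step 5, can be automated: parse the saved Autoruns text and flag anything under the Winlogon Shell or Userinit values whose image path is not the known Windows binary. This is an added example, not code from the thread or from Sysinternals; the report snippet inside it is constructed from the listing above, and the Autoruns text layout (location header, then "+ name description publisher path" lines) is assumed from that listing.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, trimmed from the Autoruns "Save As .txt" output posted above.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+ C:\WINDOWS\system32\userinit.exe Userinit Logon Application Microsoft Windows XP Publisher c:\windows\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
+ Explorer.exe Windows Explorer Microsoft Windows XP Publisher c:\windows\explorer.exe
+ sysinit32m.exe c:\windows\system32\sysinit32m.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ ccApp Common Client CC App Symantec Corporation c:\program files\common files\symantec shared\ccapp.exe
"""

# On Windows XP these two Winlogon values should launch only the Windows binaries below.
EXPECTED: Dict[str, set] = {
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\shell": {r"c:\windows\explorer.exe"},
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\userinit": {r"c:\windows\system32\userinit.exe"},
}

# "+ <entry name> <optional description/publisher> <drive>:\<image path>"
ENTRY_RE = re.compile(r"^\+\s+(\S+)\s+(.*?)\s*([a-zA-Z]:\\.*)$")


def parse_autoruns(report: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each autostart location header to its (entry name, image path) pairs."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(3).strip().lower()))
        elif not line.startswith("+"):
            current = line.lower()          # a new location header (registry key or "Task Scheduler")
            sections.setdefault(current, [])
    return sections


def unexpected_winlogon_entries(report: str) -> List[Tuple[str, str, str]]:
    """Return (location, entry name, image path) for every Shell/Userinit entry
    that is not the known-good Windows image, e.g. the sysinit32m.exe seen above."""
    findings = []
    for location, entries in parse_autoruns(report).items():
        allowed = EXPECTED.get(location)
        if allowed is None:
            continue                         # Run keys etc. are outside this check
        findings.extend((location, name, path) for name, path in entries if path not in allowed)
    return findings


if __name__ == "__main__":
    for location, name, path in unexpected_winlogon_entries(SAMPLE_REPORT):
        print(f"unexpected entry under {location}: {name} -> {path}")
```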

#5 debs

debs
  • Topic Starter

  • Members
  • 4 posts

Posted 15 April 2005 - 10:08 AM

OK thanks a lot.
I'll let you know (Monday most likely)

#6 debs

debs
  • Topic Starter

  • Members
  • 4 posts

Posted 18 April 2005 - 03:11 AM

OK I think we are back to normal now. I wasn't about to run all the fixes as I have no phone line for internet at the moment.
Still there have been no problems since....
Cheers
:thumbsup:

#7 bradly

bradly

  • Deactivated
  • 48 posts

Posted 18 April 2005 - 09:22 AM

That's good to hear!! ;)
Shrinkwrapped - Free PC Therapy
