
Can't Remove Spyware Or Virus (merged)


This topic is locked
9 replies to this topic

#1 Brokenpcman (Members, 8 posts)

Posted 03 November 2005 - 06:42 PM

Hello guys, I've been having major problems with spyware and/or viruses and wondered if you could help me with it?

I have loads of spyware on my computer and used Ad-Aware Personal SE to get rid of the stuff and it did most of it. The spyware it got rid of was: DyFuCa, Adtomi, Softomate, When.u, AltnetBDE, Blazefind, eUniverse, Intexusdial, Alexa, tracking cookie.

The Ad-Aware found another spyware item but won't delete it; it is called Backdoor Prorat 16. I have no control over this file and no virus or spyware programs can delete it. The program reappears scan after scan after scan. It has shut down my ability to install a firewall program, and virus programs don't install either. I had no firewall or virus protection running on the computer before this happened, and when I try to install either firewall or virus removal programs to get rid of it, they don't install at all. The Ad-Aware program can find the registry keys for the prorat program but can delete it. I have tried reinstalling all my software from scratch but the prorat remains in the registry. I have tried registry cleaners but these can't find the items in question. The thing seems to have shut down my Windows search program so that I can't find the files on the hard drive.

I have used the HijackThis program and the log file is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 16:05:19, on 03/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\pctspk.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.exe
E:\WINDOWS\services.exe
E:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
E:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
E:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.barafranca.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\system32\fservice.exe
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - E:\WINDOWS\system32\emy.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - E:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] E:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "E:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\RunOnce: [r4pub7.exe] E:\WINDOWS\System32\r4pub7.exe /k
O8 - Extra context menu item: &AOL Toolbar search - res://E:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - E:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - E:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - E:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)

The r4pub7.exe is the only file which looks suspicious to me, but I don't know a lot about this kind of stuff.

Below is the log file for Ad-Aware which shows the registry keys for it and some other things:

ArchiveData(auto-quarantine- 2005-11-03 16-27-01.bckp)
Referencefile : SE1R72 26.10.2005
======================================================

MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=MRU FileReference : E:\Documents and Settings\Alex\recent\hijackthislog.lnk
obj[2]=MRU RegReference : software\microsoft\directdraw\mostrecentapplication name
obj[3]=MRU RegReference : S-1-5-21-1993962763-854245398-1060284298-1014\software\microsoft\internet explorer download directory
obj[4]=MRU RegReference : S-1-5-21-1993962763-854245398-1060284298-1014\software\microsoft\windows\currentversion\applets\regedit lastkey
obj[5]=MRU RegReference : S-1-5-21-1993962763-854245398-1060284298-1014\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\*
obj[6]=MRU RegReference : S-1-5-21-1993962763-854245398-1060284298-1014\software\microsoft\windows\currentversion\explorer\recentdocs\.txt
obj[7]=MRU RegReference : S-1-5-21-1993962763-854245398-1060284298-1014\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\txt

BACKDOOR.PRORAT.16
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[7]=Regkey : software\microsoft\active setup\installed components\{5y99ae78-58tt-11dw-be53-y67078979y}
obj[8]=RegValue : software\microsoft\windows\currentversion\policies\explorer\run "DirectX For Microsoft® Windows"
obj[11]=Regkey : software\microsoft\windows nt script host\microsoft dxdiag\winsettings
obj[12]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "FW_KILL"
obj[13]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "XP_FW_Disable"
obj[14]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "XP_SYS_Recovery"
obj[15]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "ICQ_UIN"
obj[16]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "ICQ_UIN2"
obj[17]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "Kurban_Ismi"
obj[18]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "Mail"
obj[19]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "Online_List"
obj[20]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "Port"
obj[21]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "Sifre"
obj[22]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "Hata"
obj[23]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "KSil"
obj[24]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "LanNotifie"
obj[25]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "Tport"
obj[26]=RegValue : software\microsoft\windows nt script host\microsoft dxdiag\winsettings "ServerVersionInt"
obj[27]=RegData : software\microsoft\windows nt\currentversion\winlogon "Shell"

WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[9]=RegData : software\microsoft\windows nt\currentversion\winlogon "Shell"

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[10]=IECache Entry : Cookie:alex@statse.webtrendslive.com/


This is all the info I can provide on my problem and would really appreciate any help at all. Thanks very much for your time and hope you can help me with this problem.

#2 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 03 November 2005 - 07:50 PM

Hello,

Any reason why your Windows isn't up to date? You don't even have Service Pack 1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.
Please visit http://windowsupdate.microsoft.com and update to Service Pack 1.
When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

Please perform my next instructions in exactly the same order I'm asking you without missing any step!!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\system32\fservice.exe
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - E:\WINDOWS\system32\emy.dll
O4 - HKLM\..\RunOnce: [r4pub7.exe] E:\WINDOWS\System32\r4pub7.exe /k
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold:

E:\windows\services.exe
E:\windows\system32\reginv.dll
E:\windows\system32\fservice.exe
E:\windows\system32\winkey.dll
E:\windows\system\sservice.exe
E:\windows\system32\wininv.dll
E:\WINDOWS\System32\r4pub7.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are present!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.. Click YES
When it asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.
Click No at the Pending Operations prompt.

Your computer must reboot now.

Open notepad and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"DirectX For Microsoft® Windows"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"


Save this as fix.reg Choose to save as *all files and place it on your desktop.
This is how the regfix must look afterwards: [screenshot]
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Delete next folder:

C:\Program Files\Party Poker

Install an antivirus and firewall. (normally you must be able to install them now)

AVG, Bitdefender OR Avast are good FREE antivirus.
Never install more than one antivirus scanner or firewall on your system! Several together can give problems and seriously decrease its reliability!
Zonealarm, Kerio OR Sygate are FREE firewalls.

Understanding and using firewalls

Perform a full scan with your antivirus and let it delete everything it is finding.
Then perform next online scanner:

Kaspersky Online Scanner

Click "Launch Kaspersky Anti-Virus Web Scanner"
You will be prompted if you want to install an ActiveX component from Kaspersky, click yes.
This will start downloading the latest definition files.
Once the files have been downloaded click on "Next"

* Click "Scan Settings"
Select the following in Scan Settings (normally they are already selected by default)

°Scan using the following Anti-Virus database: Standard

°Scan Options: Scan Archives
Scan Mail Bases

* Click OK
* Under select a target to scan, select "My Computer"

* This program will start to scan your system.
The scan will take a while so be patient and let it run.
When the scan is done, it will show a list of infected files found.

* Click on the "Save as Text"- button:
Save the scan log and post it along with a new HijackThis Log

Edited with extra instructions

Edited by miekiemoes, 03 November 2005 - 07:59 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
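As an added example (not a tool from this thread, from BleepingComputer, or from HijackThis itself), the Python below applies the kind of triage miekiemoes did by hand to a constructed sample log built from the entries posted above: a Winlogon Shell that starts more than Explorer.exe, an unnamed BHO, a RunOnce autostart, an orphaned entry whose file is missing, and a non-default DNS server. The rule set and the "high"/"review" labels are my own assumptions, and the sample log is constructed, not a capture.

```python
"""Triage a HijackThis v1.99 log for the persistence entries discussed in
this thread.  Added example: the rules and severity labels are assumptions,
not HijackThis logic and not anything the helper posted."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log, built from the shape of the entries posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.barafranca.com/
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\system32\fservice.exe
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - E:\WINDOWS\system32\emy.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSLAGENTEXE] E:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\RunOnce: [r4pub7.exe] E:\WINDOWS\System32\r4pub7.exe /k
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Party Poker\PartyPoker.exe (file missing)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEABD121-729A-4014-B99D-F3C1A699595D}: NameServer = 205.188.146.145
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
"""


@dataclass
class Finding:
    section: str    # HijackThis section code ("F2", "O4", ...)
    severity: str   # "high": live persistence hook; "review": look, then decide
    reason: str
    line: str


# Every entry is "<section> - <body>", e.g. "F2 - REG:system.ini: Shell=...".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")


def shell_extras(body: str) -> List[str]:
    """Programs the Winlogon Shell value starts besides Explorer.exe.
    A clean XP machine has Shell=Explorer.exe and nothing after it."""
    m = re.search(r"Shell=(.*)$", body)
    if not m:
        return []
    return [tok for tok in m.group(1).split() if tok.lower() != "explorer.exe"]


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank, or "Running processes" lines
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2":
            extras = shell_extras(body)
            if extras:
                findings.append(Finding(sec, "high",
                    "Winlogon Shell starts extra program(s): " + " ".join(extras), line))
        elif sec == "O2" and "(no name)" in body:
            findings.append(Finding(sec, "high",
                "Unnamed BHO loaded into Internet Explorer", line))
        elif sec == "O4" and "\\RunOnce:" in body:
            findings.append(Finding(sec, "high",
                "RunOnce autostart: consumed at next boot, so one that persists deserves a look", line))
        elif sec == "O17":
            findings.append(Finding(sec, "review",
                "Non-default DNS server; confirm it belongs to the ISP", line))
        # Orphans are low risk but clutter later logs; flag them separately.
        if "(file missing)" in body:
            findings.append(Finding(sec, "review",
                "Orphaned entry: its target file no longer exists", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```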

#3 Brokenpcman, Topic Starter (Members, 8 posts)

Posted 04 November 2005 - 09:13 PM

RE: Topic Title = Can't remove spyware or virus
Topic Description = Problem with Backdoor Prorat 16

Reply from Brokenpcman:

First of all thanks very very much for your help. I am unable to install any of the service pack upgrades from Windows Update; I have downloaded SP1 but was unable to install it. It said I have to contact Microsoft because the Windows XP software on my machine may be pirated software. The Windows was on the machine when I bought it from my cousin, so I have to speak to them about that. I have followed your instructions step by step and all steps were completed successfully, but the Kaspersky Online Scanner I was unable to use because it can only be used through I.E., and for some reason when I press the "Accept" button to get it nothing happens; when I try any other buttons on different sites I get the same, nothing happens. It seems the buttons are disabled, as nothing shows on the address info bar at the bottom left of the screen. It has also disabled the search facility within Windows so that I can't look for files. Other than this I have no problems now; the Backdoor Prorat 16 is gone. The Ad-Aware can't find any other spyware. I have installed both a firewall (ZoneAlarm) and a virus killer (AVG); both are running perfectly and the virus killer deleted some files when I used it.

Following is a NEW HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:23:51, on 04/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
E:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\system32\pctspk.exe
E:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
E:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
E:\Program Files\VoyagerTest\fts.exe
E:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\AOL9~1.0\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.barafranca.com/
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - E:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] E:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] E:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "E:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] E:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\AOL9~1.0\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://E:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - E:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - E:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEABD121-729A-4014-B99D-F3C1A699595D}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\AOL9~1.0\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks again for fixing my PC, I appreciate your help very much and would be grateful for any further advice should I need it.

Brokenpcman :thumbsup:

#4 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 05 November 2005 - 01:31 AM

Hello,

Please don't start a new thread with your log, because I had to merge your posts. Just reply in this thread. :thumbsup:

It seems like your jscript got corrupted, missing or not registered anymore. Also, it seems like you are having the same problem when you use the search function in Windows..

Let's try next..
Copy and paste next commands one by one in the field:

regsvr32 urlmon.dll click ok

regsvr32 jscript.dll click ok

regsvr32 wshom.ocx click ok

After every line, you need to get the message: "DllRegisterServer ... succeeded" afterwards.

If it says something else, like missing or anything, please let me know in your next reply.
I am so sorry to hear that your version of windows is not a legal version.. :flowers:

#5 Brokenpcman, Topic Starter (Members, 8 posts)

Posted 06 November 2005 - 12:01 PM

Reply from Brokenpcman:

Sorry for the delay with the reply, but my machine is now running very slow, and I had to reinstall my connection program.

I entered the 3 codes above and was successful with all 3; all buttons are working again, as is the Windows search facility.

I used the Kaspersky Scanner and it found another trojan virus; the log follows:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, November 06, 2005 02:34:31
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/11/2005
Kaspersky Anti-Virus database records: 148792
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 23468
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 12697 sec

Infected Object Name - Virus Name
E:\Documents and Settings\All Users\Application Data\Bleh Great Show Hold\aim slow.exe Infected: Trojan-Downloader.Win32.Swizzor.bz

Scan process completed.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

HijackThis log follows:

Logfile of HijackThis v1.99.1
Scan saved at 16:46:40, on 06/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\system32\pctspk.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
E:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
E:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
E:\Program Files\VoyagerTest\fts.exe
E:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\AOL9~1.0\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.barafranca.com/
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - E:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] E:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] E:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "E:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] E:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\AOL9~1.0\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://E:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - E:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - E:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEABD121-729A-4014-B99D-F3C1A699595D}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - E:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\AOL9~1.0\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe


>>>>>>>>>>>>>>>>>>>>>>

Once again thanks very much for your help, I appreciate it very much. :trumpet:

Brokenpcman

#6 miekiemoes, Malware Killer Dog (Malware Response Team, 19,420 posts, Belgium)

Posted 06 November 2005 - 12:19 PM

Hello,

Delete next folder:

E:\Documents and Settings\All Users\Application Data\Bleh Great Show Hold

For that, you need to show your hidden files and folders:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Good your buttons and search work again.

Now you tell me that your system is really slow. Well, I actually wonder why you install on necessary programs on your C:\ and E:\
Your OS is installed on your E:\
Your firewall and Antivirus on your C:\, your BT Voyager 105 ADSL Modem again on your E:\
I've seen in a lot of cases that this can cause a slowdown.

Since when did the slowdowns actually start?

#7 Brokenpcman, Topic Starter (Members, 8 posts)

Posted 06 November 2005 - 01:19 PM

Reply from Brokenpcman:

I have successfully deleted the folder above as advised. I then switched system files and folders to hidden again.

The machine was slow before, as I only have 64MB of memory in it. But after the Kaspersky scan last night it has been really slow; my internet connection failed also and I had to reinstall AOL Connectivity Services to get back on the net.

As for the drives C + E, when I bought the computer from my cousin, They didn't give me any XP disks or backup Disks or anything so I can't reinstall Windows on drive C. The hard drive is split into 2 partitions one has 1.2gb the other has 15.5gb, whoever installed Windows put it in the small partition. Now when I install something it puts some parts on E drive and some parts on C drive. The E drive has only 75mb of space on it and I keep getting low hard drive space messages. I have tried to install everything I get on drive C but it still puts some files in drive E.

Is there any way of moving all Windows files to drive C without damaging windows or extending the size of the partition drive E?

Thanx again 4 ur help.

Brokenpcman :thumbsup:

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:15 PM

Posted 06 November 2005 - 01:29 PM

No, leave it as it is now.

The slowness of your system is due to the memory. Moving them now will make things worse.
Especially now you installed an antivirus and firewall, this takes a lot of resources as well and makes things so slow.

I can suggest to uninstall AVG and install NOD32 instead, which is lighter in resources. http://www.eset.com/home/home.htm
But actually, the best solution is to put more extra ram in your system, because 64mb is way too low to run things properly on XP. You have to have at least 256mb.
And I do suggest you buy a legal version of XP as well, because then you'll be able to update and stay protected. :thumbsup:

Edited by miekiemoes, 06 November 2005 - 01:30 PM.


#9 Brokenpcman

Brokenpcman
  • Topic Starter

  • Members
  • 8 posts
  • Local time:10:15 AM

Posted 06 November 2005 - 01:39 PM

No, leave it as it is now.

The slowness of your system is due to the memory. Moving them now will make things worse.
Especially now you installed an antivirus and firewall, this takes a lot of resources as well and makes things so slow.

I can suggest to uninstall AVG and install NOD32 instead, which is lighter in resources.
But actually, the best solution is to put more extra ram in your system, because 64mb is way too low to run things properly on XP. You have to have at least 256mb.
And I do suggest you buy a legal version of XP as well, because then you'll be able to update and stay protected. :thumbsup:


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Thanx again 4 all ur help on the virus and malware, it was really appreciated. I will try the NOD32 program and I will also try and get some ram and a new XP. Cheers again 4 all ur help.

Brokenpcman :flowers:

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:15 PM

Posted 06 November 2005 - 01:47 PM

Glad I could help. :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.