Antivirus Protection
 
Dev Shed Forums > System Administration > Antivirus Protection

  #1  
May 7th, 2005, 03:36 PM
oneMSBi
My Desktop Background's Changed Into A Virus Warning Banner

threads split
Last edited by oneMSBi : May 21st, 2005 at 12:59 PM. Reason: threads split

  #2  
May 9th, 2005, 07:45 AM
WorldBuilder
Figured I wouldn't start a new thread...

I seem to have the same problem...

Yesterday, in Outlook, I accidentally clicked the mouse in an e-mail that was obviously spam. I ended up getting infected with about 20 virii, and boatloads of spyware.

After running AVG & Ad-Aware several times throughout Safe Mode and normal mode, both programs are coming up clean.

Still have problems.

The main problem is that my entire desktop background disappeared and has become what looks like a BSOD. It isn't a BSOD, though, it's a desktop, but it's all blue and in the center there is a message saying:
Quote:
Security Warning

A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01) + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c

* System cannot function in normal mode.
Please check your security settings.

* Scan your PC with any available antivirus/spyware remover program to fix the problem


I know this sounds official, but it's BS. It was caused by whatever has been installed on my machine. AVG & Ad-Aware are again saying that everything's cool.

Any help, please? TIA!

Chris

  #3  
May 9th, 2005, 08:00 AM
WorldBuilder
I downloaded & ran HijackThis. I'm new to this program, and don't know anything about it. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:07:29 AM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrotray.exe
C:\Program Files\BOINC\boincmgr.exe
C:\WINDOWS\system32\?ti2evxx.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_4.09_windows_intelx86.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_4.09_windows_intelx86.exe
c:\windows\system32\lqjumt.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\DOCUME~1\Chris\LOCALS~1\Temp\62.tmp\thnall1ac.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\addyj.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\addyj.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
O1 - Hosts: 127.0.0.3 sp2****ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.com
O1 - Hosts: 127.0.0.3 iframeprofit.com
O1 - Hosts: 127.0.0.3 www.iframeprofit.com
O1 - Hosts: 127.0.0.3 topsearch10.com
O1 - Hosts: 127.0.0.3 www.topsearch10.com
O1 - Hosts: 127.0.0.3 statscash.biz
O1 - Hosts: 127.0.0.3 www.statscash.biz
O1 - Hosts: 127.0.0.3 vxiframe.biz
O1 - Hosts: 127.0.0.3 www.vxiframe.biz
O1 - Hosts: 127.0.0.3 crazy-toolbar.com
O1 - Hosts: 127.0.0.3 www.crazy-toolbar.com
O1 - Hosts: 127.0.0.3 topcash.biz
O1 - Hosts: 127.0.0.3 www.topcash.biz
O1 - Hosts: 127.0.0.3 loadcash.biz
O1 - Hosts: 127.0.0.3 www.loadcash.biz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {60ACA3AA-6A33-4793-38D6-62837AB5F89A} - C:\WINDOWS\System32\zoacfjdp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [pxmmlm] c:\windows\system32\lqjumt.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Startup: seti0.lnk = C:\seti0\seti.exe
O4 - Startup: seti1.lnk = C:\seti1\seti.exe
O4 - Startup: seti2.lnk = C:\seti2\seti.exe
O4 - Startup: seti3.lnk = C:\seti3\seti.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Shortcut to acrotray.exe.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Microsoft AntiSpyware helper - {F74B0AE2-E425-4673-8B75-7EA2813264CD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F74B0AE2-E425-4673-8B75-7EA2813264CD} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O16 - DPF: ChatSpace Full Java Client 3.1.0.228 - http://webboard.uml.edu:6667/Java/cfs31228.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092975541812
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup155.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

HUGE log, sheesh. Sorry... Any help deciphering this?

Chris

  #4  
May 9th, 2005, 09:22 AM
Dngrsone
Okay, it looks like you have an HP system, run Seti@home, and own a Palm OS PDA, correct?

These processes are not good, need to kill and hopefully we'll find what initiates them here:

C:\WINDOWS\system32\?ti2evxx.exe
c:\windows\system32\lqjumt.exe


This one is a known Trojan:

C:\DOCUME~1\Chris\LOCALS~1\Temp\62.tmp\thnall1ac.exe

Don't know what these are, but they look mighty suspicious as search URLs generally don't redirect to a local .dll:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\addyj.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\addyj.dll/sp.html#12345

For that matter, these are the result of your trojan as well:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.searchv.com/1/


Kill all those O1 - Hosts items as well; I'm not going to list them here in favor of saving space.

These need to go:

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {60ACA3AA-6A33-4793-38D6-62837AB5F89A} - C:\WINDOWS\System32\zoacfjdp.dll

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [pxmmlm] c:\windows\system32\lqjumt.exe


If you use Google Toolbar, then keep these:

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html


Get rid of all those O9 "no file" entries...

Unless you put these entries into trusted zones, I'd get rid of them.

O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 81.222.131.59


Don't know what this is, you could delete it and if it's a valid Java app, then you might have to reinstall that app:

O16 - DPF: ChatSpace Full Java Client 3.1.0.228 - http://webboard.uml.edu:6667/Java/cfs31228.cab

Not familiar with ZoneIntro, these could be part of your trojan problem:

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092975541812
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup155.cab


Get rid of this service:

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Is this the entire log?

Lot of stuff there, you might be better off just backing up your data and reinstalling windows.

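The triage above is done by eye: search pages pointing at a local DLL, hosts overrides, nameless add-ons, autoruns out of the Windows directory, trusted zones nobody added, and services with no owner or no file. The script below is an added example (not code from the thread and not HijackThis itself) that turns those same rules into a first pass over a log. The sample log is a constructed excerpt of lines that appear in the logs posted in this thread; the rule set and the small allowlist of known-good autorun names are this example's own assumptions, not an official HijackThis ruleset, so anything it flags still needs the kind of judgement shown in the reply above.

```python
"""First-pass triage of HijackThis log lines, using the rules from the reply.

Added example, not part of the original thread and not HijackThis code. The
heuristics below are assumptions that mirror the reasoning above; they will
not catch everything a person would (the searchv.com line in the sample is
left for the reader, because "an engine you did not choose" needs a human).
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O23"
    reason: str   # why the entry deserves a look
    line: str     # the log line exactly as written


# Assumption of this example: autorun binaries the thread itself treats as
# legitimate (dumprep is the Windows crash-dump reporter; tfswctrl is the
# DriveLetterAccess tool WorldBuilder chose to keep).
KNOWN_OK_AUTORUNS = {"dumprep", "tfswctrl"}

SECTION_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
AUTORUN_RE = re.compile(r"\[([^\]]+)\]\s*(.*)")

# Constructed excerpt: lines drawn from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\addyj.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/1/search.html
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O2 - BHO: (no name) - {60ACA3AA-6A33-4793-38D6-62837AB5F89A} - C:\WINDOWS\System32\zoacfjdp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [pxmmlm] c:\windows\system32\lqjumt.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\RunOnce: [*acftp] C:\WINNT\inf\acftp.exe rerun
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted IP range: 81.222.131.59
O20 - Winlogon Notify: acftp - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


def _basename(cmd: str) -> str:
    """First token of an autorun command, reduced to its lowercase file stem."""
    first = cmd.split()[0].replace("/", "\\")
    name = first.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None  # header, process list, blank line
    section, body = m.groups()
    low = body.lower()

    if section in ("R0", "R1") and "res://" in low:
        return Finding(section, "IE start/search page points at a local DLL resource", line)
    if section == "O1":
        parts = body.split()  # ["Hosts:", "<ip>", "<hostname>"]
        if len(parts) >= 3 and parts[2] != "localhost":
            return Finding(section, "hosts file override the user did not add", line)
    if section in ("O2", "O3", "O9") and ("(no name)" in low or "(no file)" in low):
        return Finding(section, "browser add-on with no name or no backing file", line)
    if section == "O4":
        am = AUTORUN_RE.search(body)
        if am and any(d in am.group(2).lower() for d in ("\\windows\\", "\\winnt\\", "%systemroot%")):
            if _basename(am.group(2)) not in KNOWN_OK_AUTORUNS:
                return Finding(section, "autorun of an unrecognised binary from the Windows directory", line)
    if section == "O15":
        return Finding(section, "trusted zone / IP entry lowers IE restrictions for that site", line)
    if section == "O20" and "\\temp\\" in low:
        return Finding(section, "Winlogon Notify handler loading from a Temp directory", line)
    if section == "O23" and ("unknown owner" in low or "(file missing)" in low):
        return Finding(section, "service with no vendor or a missing binary", line)
    return None


def triage(log_text: str) -> list:
    """All findings for a whole log, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def summary(findings) -> dict:
    """Count of findings per HijackThis section."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run it and it prints ten flagged entries from the fourteen sample lines; the Google Toolbar BHO, the dla autorun and the AVG service pass, and the searchv.com search URL is deliberately not caught, which is the point: a known-vendor path or a plain http URL is not evidence of anything on its own, so the tool narrows the list and the person reading it still decides, the way the reply above does.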
  #5  
May 9th, 2005, 03:37 PM
WorldBuilder
Hello,

Thanks for the info. I have killed everything in HJT that you mentioned, except for a few things that I know are ok, these being two of them:

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

Those are ok.

Everything is pretty much fine, except for two things. I THINK this is all that's left, but God only knows. One step at a time.

In HJT, I keep killing this:
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

...and I even deleted the file manually, but it keeps coming back, although it is not being displayed in the task manager.

That, and my desktop is still this BSOD-lookalike that I can't change. Here's a screenshot.



Any more help would be greatly appreciated!

Chris

  #6  
May 9th, 2005, 03:39 PM
WorldBuilder
Newest HJT log is:

Logfile of HijackThis v1.99.1
Scan saved at 4:48:12 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_4.09_windows_intelx86.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_4.09_windows_intelx86.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrotray.exe
C:\Program Files\BOINC\boincmgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\unzipped\Optimized_Thunderbird\Thunderbird\thunderbird.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\ukpybe.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [wxxnznc] c:\windows\system32\ukpybe.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Shortcut to acrotray.exe.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: ChatSpace Full Java Client 3.1.0.228 - http://webboard.uml.edu:6667/Java/cfs31228.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1092975541812
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup155.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BOINC - Space Sciences Laboratory - C:\Program Files\BOINC\boinc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Thanks! This has been a REAL bitch...

Chris

  #7  
May 9th, 2005, 05:53 PM
geek33
Yes, I've done all of that.
And I've come to a conclusion as to what seems to be the root of this problem I'm having.

I've tried deleting these files using the killbox, but it didn't work, I mean these files are still there:

C:\WINNT\inf\acftp.exe
C:\Documents and Settings\SONYVA~1\Local Settings\Temp

Then I scanned and fixed the following entries with the hijack this, but again, it still doesn't give any effect at all either:


O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat

O4 - HKLM\..\RunOnce: [*acftp] C:\WINNT\inf\acftp.exe rerun

O20 - Winlogon Notify: acftp - C:\DOCUME~1\SONYVA~1\LOCALS~1\Temp\ptfca.dat

What else can I do if these files wouldn’t delete even by using killbox?

C:\WINNT\inf\acftp.exe
C:\Documents and Settings\SONYVA~1\Local Settings\Temp

I'm quite positive the problem comes from these 2 files, so please let me know how to force-delete files that are running and can never seem to be deleted.

Please don't tell me I'm gonna finally have to totally restore my OS again from the beginning, cuz I've lost my CD for that.

  #8  
May 9th, 2005, 05:58 PM
geek33
Hi,
How do you take a screenshot from your computer like that? Can you teach me how to do that?




Quote:
Originally Posted by WorldBuilder
Hello,

Thanks for the info. I have killed everything in HJT that you mentioned, except for a few things that I know are ok, these being two of them:

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

Those are ok.

Everything is pretty much fine, except for two things. I THINK this is all that's left, but God only knows. One step at a time.

In HJT, I keep killing this:
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

...and I even deleted the file manually, but it keeps coming back, although it is not being displayed in the task manager.

That, and my desktop is still this BSOD-lookalike that I can't change. Here's a screenshot.



Any more help would be greatly appreciated!

Chris

  #9  
May 9th, 2005, 07:02 PM
Dngrsone
Hit the Print Screen Button, open Paint and paste... you'll get an image of what was on your screen when you hit the print screen button.

Geek33, try turning off active desktop. Then boot into safe mode and try removing those files from there.

  #10  
May 10th, 2005, 12:01 AM
oneMSBi
OK, both of you need to boot into safe mode and pop your Windows CD into the drive. Next, run this command from the Run prompt -----> "sfc /scannow".

This will check all your Windows system files. Then run HijackThis and clean out whatever the logs show you that has been mentioned before.
Post your logs back here after that, and we'll take a look-see... I think WorldBuilder has a trojaned Explorer on his system (among other things).

  #11  
May 10th, 2005, 06:50 AM
WorldBuilder