| Thread ID: 64674 | 2005-12-23 01:05:00 | W32.Sinnaka.A@mm or Spy Trooper | cookiemonster (9463) | Press F1 |
| Post ID | Timestamp | User |
| 415066 | 2006-05-03 06:54:00 | Pancake (6359) |

Hi cookiemonster

Let's roll back a bit and check that all these files are gone...

SHOW HIDDEN FILES AND FOLDERS

To show hidden files (WinXP):
Double-click My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK

Please start by going into SAFE MODE. During reboot, tap the F8 key. Select Safe Mode and then run "Hijack This".

Open Windows Explorer and delete the following highlighted file/s:

Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Documents and Settings\Phil\ordervfxp.exe
C:\Program Files\bmkhapv.exe
C:\WINDOWS\System32\b4f29238.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\WINDOWS\smss.exe
(Do not remove the same-named file from the System32 directory.)
C:\WINDOWS\winlogon.exe
(Do not remove the same-named file from the System32 directory.)
C:\WINDOWS\ieredir.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\WINDOWS\System32\dcom_16.dll
C:\Documents and Settings\Phil\Local Settings\Temp\EI40_\msxml4.cab

When finished please post a new log...
| 415067 | 2006-05-03 08:34:00 | cookiemonster (9463) |

Open Windows Explorer and delete the following highlighted file/s:

Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Documents and Settings\Phil\ordervfxp.exe
C:\Program Files\bmkhapv.exe
C:\WINDOWS\System32\b4f29238.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\WINDOWS\smss.exe
(Do not remove the same-named file from the System32 directory.)
C:\WINDOWS\winlogon.exe
(Do not remove the same-named file from the System32 directory.)
C:\WINDOWS\ieredir.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\WINDOWS\System32\dcom_16.dll
C:\Documents and Settings\Phil\Local Settings\Temp\EI40_\msxml4.cab

Where on earth are the above found??? More detail please.

Cookiemonster
| 415068 | 2006-05-03 08:42:00 | roddy_boy (4115) |

E.g. C:\WINDOWS\System32\b4f29238.exe: go Start, My Computer, C:, Windows folder, System32 folder, find the file called b4f29238.exe, then delete it. Remember to do this in safe mode.
| 415069 | 2006-05-03 08:57:00 | cookiemonster (9463) |

Found a few of those files, not all. HJT file below:

Logfile of HijackThis v1.99.1
Scan saved at 7:46:18 PM, on 5/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = xtramsn.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\bmkhapv.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Phil\Local Settings\Temp\EI40_\msxml4.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Cookiemonster
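The log above shows the pattern the helpers in this thread are chasing: look-alike copies of smss.exe and winlogon.exe sitting in C:\WINDOWS instead of System32 (which is why Pancake warns not to touch the same-named files in System32), a Run key named like a Windows component that launches one of them, a bare executable dropped straight into the root of Program Files, the IE default/local page redirected to a local HTML file, and an ActiveX codebase pulled from a Temp folder. The Python script below is an added example and is not part of the thread, nor of HijackThis; it triages a HijackThis log for exactly those patterns. The sample lines are copied from the log above (trimmed to the relevant entries, with the genuine System32 processes kept so the location check has something legitimate to pass), and every function name, regular expression and heuristic threshold is my own choice.

```python
"""Triage a HijackThis v1.99 log for the persistence tricks seen in this thread.

Added example, not the thread's or HijackThis's own code.  Heuristics and
names are assumptions made for illustration.
"""
import re

# Constructed sample: lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis 1.99.1\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = xtramsn.co.nz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SysTray] C:\Program Files\bmkhapv.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Phil\Local Settings\Temp\EI40_\msxml4.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Core Windows processes that only ever live in %SystemRoot%\System32.  A copy
# anywhere else (the thread's C:\WINDOWS\smss.exe / winlogon.exe) is a
# look-alike; the genuine file in System32 must be left alone.
SYSTEM_PROCS = {"smss.exe", "winlogon.exe", "csrss.exe", "lsass.exe",
                "services.exe", "svchost.exe"}
# Directories where no installer drops a bare .exe (assumption; XP layout).
ROOT_DIRS = {r"c:\windows", r"c:\program files"}
# Legitimate exceptions that do live directly under C:\WINDOWS.
ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}

RUN_RE = re.compile(r'^O4 - (?P<hive>\S+?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
IE_RE = re.compile(r'^R[01] - (?P<key>.+?),(?P<value_name>[^=]+?) = (?P<value>.+)$')
DPF_RE = re.compile(r'^O16 - DPF: .*? - (?P<url>.+)$')
WINPATH_RE = re.compile(r'^[A-Za-z]:\\')


def exe_path(cmd):
    """Pull the executable path out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted: the path ends at the extension, arguments follow after a space.
    m = re.match(r'^(.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def check_path(path):
    """Location checks shared by Run entries, services and running processes."""
    p = path.replace("/", "\\").lower()
    parent, _, name = p.rpartition("\\")
    if name in SYSTEM_PROCS and not parent.endswith("\\system32"):
        return [f"system process name {name} outside System32: {path}"]
    if parent in ROOT_DIRS and name not in ROOT_ALLOW:
        return [f"executable sitting directly in {parent}: {path}"]
    return []


def triage(log_text):
    """Return (section, reason) pairs for entries matching the heuristics above."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := RUN_RE.match(line):
            for f in check_path(exe_path(m.group("cmd"))):
                findings.append(("O4", f"Run key '{m.group('name')}': {f}"))
        elif m := IE_RE.match(line):
            value = m.group("value").strip()
            if WINPATH_RE.match(value) or value.lower().startswith("file:"):
                findings.append((line[:2], f"IE {m.group('value_name').strip()} "
                                 f"redirected to local file: {value}"))
        elif m := DPF_RE.match(line):
            url = m.group("url").strip()
            if url.lower().startswith("file:") and "\\temp\\" in url.lower():
                findings.append(("O16", f"ActiveX codebase loaded from a Temp folder: {url}"))
        elif line.startswith("O23 - Service:"):
            for f in check_path(line.rpartition(" - ")[2].strip()):
                findings.append(("O23", f))
        elif WINPATH_RE.match(line):          # "Running processes" section
            for f in check_path(line):
                findings.append(("process", f))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}")
```

Run against the sample it reports five entries: the two R0/R1 values pointing at c:\secure32.html, the bare bmkhapv.exe in Program Files, the winlogon.exe launched from C:\WINDOWS by the "Microsoft Windows Logon Process" Run key, and the msxml4.cab codebase under the user's Temp folder, while the genuine smss.exe and winlogon.exe in System32 and Explorer.EXE under C:\WINDOWS pass. It is a reading aid for a log, not a cleaner: removal still happens in Safe Mode by hand, as the thread describes.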
| 415070 | 2006-05-03 09:08:00 | Pancake (6359) |

Run HJT and these should be able to be removed now...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

Bring up your Task Manager by pressing Control + Alt + Delete; in some Windows versions select the 'Processes' tab. Then click on 'Paytime.exe' and end the task. Delete paytime.exe, if the file is there, which you should find under c:\Windows\System32.
| 415071 | 2006-05-03 09:39:00 | cookiemonster (9463) |

How do you delete those files in HJT?? Also that paytime.exe wasn't found?? Did I mess some up or miss something?

HJT file:

Logfile of HijackThis v1.99.1
Scan saved at 8:32:26 PM, on 5/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = xtramsn.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\bmkhapv.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Phil\Local Settings\Temp\EI40_\msxml4.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Cookiemonster
| 415072 | 2006-05-03 09:55:00 | Pancake (6359) |

Have "Hijack This" fix all those items by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
| 415073 | 2006-05-03 10:39:00 | cookiemonster (9463) |

SPYWARE BROWSER PROTECTION ALERT
An attempt to change IE settings has been detected.
Warning! Your IE default page has changed!
Your IE current user default page has changed from c:\secure32.html to <none>
What would you like to do?
Restore old value
Keep new value?

Cookiemonster
| 415074 | 2006-05-03 10:48:00 | Pancake (6359) |

Keep new value and post a new HJT log..
| 415075 | 2006-05-03 11:11:00 | cookiemonster (9463) |

HJT file as below:

Logfile of HijackThis v1.99.1
Scan saved at 10:00:07 PM, on 5/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\bmkhapv.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Phil\Local Settings\Temp\EI40_\msxml4.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Cookiemonster