bullseye17
asked on
Unable to remove trojans and viruses
I hope somebody can help with this. My PC has evidently been infected with one nasty virus (or maybe a few at the same time). My problem is that no matter what I use to clean the PC I can't get the issue to go away. I've used AdAware, PestPatrol, HijackThis to name only a few. I don't know if maybe I'm not using them properly but none of them seems to work completely, though it always appears as if they do.
The software clears the issue but all I have to do is reboot (sometimes it doesn't even require a reboot) and the software detects additional spyware, malware etc. Last night I thought I finally solved the issue with PestPatrol because the scan came back with 0 infected files and then while I was watching the screen (and IE wasn't even open at the time) all of a sudden several adware windows opened in front of me. I'm at my wits' end. Not sure what to do short of just rebuilding the drive.
The system is WinXP Pro SP2. I'm on the net through a cable connection but it's behind a Linksys router that by default has all unsolicited inbound internet requests denied. I've verified that this is still enabled on the firewall.
If need be I can give a list of which adware programs have been detected and cleaned but the list would be tremendous and they just keep coming back even after they've been deleted. What can I do?
click start >> run >> msconfig
Now go to the startup tab.
Let us know what start-up items are checked that you are not familiar with.
If you don't have anti-virus software that has recently been updated
here is a free online one
HouseCall
http://housecall.trendmicro.com/
If you don't have anti-virus software at all here is a free
one you can download once everything gets cleared up.
( Chances are the install will fail if you have an infection but you can try it)
AVG
http://free.grisoft.com/freeweb.php/doc/2/
ASKER
Thanks for the quick response mdiglio. Here's where I'm at with the msconfig. I was able to verify some of these at a site called bleepingcomputer.com. Here's what I found:
Here is a list of what the site considered to be malware/trojan/adware. Just not good to have running in general -
CSv10P070
wsxsvc
vmss
These are some additional ones listed in startup that didn't get a hit on the site but still look weird to me -
hhtfvc
kkblzc
Zgprgh
loae
hpcmpmgr
I also had one startup item that was simply named "none". The command also simply said "none". It didn't get a hit on the site but does seem unusual. Do I just disable them as a startup item? If so, once disabled will the various software apps detect and delete them?
One other question for now regarding the detection of the malicious files. Is it unusual for a file to "disappear" or not be detected once it is picked up by anti-virus software? One of my issues with this is that my McAfee will "detect" a virus but the file will not be able to be deleted or cleaned. When I search my drive for the file in question it's nowhere to be found.
Let me know what you think.
oops...I forgot to tell you to disable system restore when you are doing your scans
right click my computer >> properties >> system restore tab >> click 'turn off system restore'
I will look at those processes and get back to you
You can uncheck them from msconfig
you might also have to go into the registry start >> run >> regedit
expand hkey_local_machine\software\microsoft\windows\currentversion\run
and delete those entries especially the 'none' one
Hold off on doing that just yet though.
Is your McAfee up to date?
hpcmpmgr seems to be the only legit one
Have you run hijackthis and then posted the log file here?:
http://www.hijackthis.de/
If not do so.
the latest version of hijackthis can be downloaded here:
http://www.spychecker.com/program/hijackthis.html
Before we start doing anything else, have you run a full scan with MS Antispyware yet?
ASKER
I'll disable the system restore. I think I've done this previously but I'll verify. I'll also uncheck the nasties from msconfig but hold off on deleting anything from the registry.
Yes the AV is up to date. It automatically updates daily now that DATs are available that often.
In the post from greyknight17 I was also asked to run hijackthis and post the link to the analysis. Here is the link:
http://www.hijackthis.de/index.php#anl
For some reason my actual log did not carry over to the analysis page. Let me know if you would like me to post that rather lengthy text file here.
Thanks for the help so far and keep me posted.
First off to greyknight17 I'm sorry about repeating what you said.
I must have gone right to the bottom and started reading...never saw yours :(
bullseye17, we can't see anything from that link.
After you post your log > click analyze > then scroll down to see the results
If still no joy then yes you can post it here
ASKER
Let me at least post the text from the log file here. I was going to post the analysis that I saved but the HTML looked sort of ugly when I attempted to paste it here. Is there any way for me to attach a file to be uploaded? I may be signing off for the evening but I'll probably check back when I can't sleep :-)
Anyway - here is the text. And the link I used to have it analyzed from greyknight17's original post is reprinted here:
http://www.hijackthis.de
Logfile of HijackThis v1.99.1
Scan saved at 10:37:27 PM, on 2/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
D:\Program Files\Network Associates\VirusScan\VsStat.exe
D:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
D:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\WINDOWS\System32\Zgprbh.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Network Associates\VirusScan\Vshwin32.exe
D:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\n?tepad.exe
C:\Documents and Settings\Rich\Application Data\loae.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
D:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
D:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
D:\Program Files\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Documents and Settings\Rich\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: (no name) - {066FB6E7-7300-07FF-7D80-2187ED82EA9F} - C:\WINDOWS\System32\ffrjv.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SDWin32 Class - {8B45261C-DFBF-4889-B9CA-A7C33C379183} - C:\WINDOWS\System32\kkblz.dll
O2 - BHO: SDWin32 Class - {A73CEB99-6179-4694-A3AE-073B5DBFAB42} - C:\WINDOWS\System32\hhtfv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "D:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "D:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [hhtfvc] C:\WINDOWS\System32\hhtfvc.exe
O4 - HKLM\..\Run: [kkblzc] C:\WINDOWS\System32\kkblzc.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Zgprbh.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Hfwiy] C:\WINDOWS\System32\n?tepad.exe
O4 - HKCU\..\Run: [Oteo] C:\Documents and Settings\Rich\Application Data\loae.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\HOTSYNC.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2832d7dabce82591a700/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106450693937
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PPInstaller.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - D:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
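Below is an added example (my own code, not something from this thread, from HijackThis or from bleepingcomputer.com) that does mechanically what bullseye17 did by hand against the log above: it walks the running-process, O2 and O4 lines and queues the entries worth a closer look. The sample input is a handful of lines copied from the posted log plus one constructed line, a spoolsv.exe outside System32, to show the location check bullseye17 makes later in the thread. The heuristics are deliberately simple and they produce the same false positive the manual check did (hpcmpmgr.exe, HP's component manager, has no vowels), so treat the output as a review queue, not a verdict; the EXPECTED_DIR table and the vowel rule are my assumptions, not anything HijackThis does.

```python
"""Triage of a HijackThis log: queue autostart entries and processes for review.

Added example, not code from the thread or from HijackThis. Heuristics only;
every hit still needs a human, as the hpcmpmgr.exe false positive shows.
"""
import re
from pathlib import PureWindowsPath

# Well-known Windows binaries and the directory each legitimately lives in
# (assumed baseline). This is bullseye17's point about spoolsv.exe: the name
# is fine only when the file sits in System32.
EXPECTED_DIR = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "windows",
}
PROFILE_DIRS = ("documents and settings", "application data", "\\temp\\")
DEAD_VALUES = {"none", "(no file)"}

O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.+$")  # bare path under "Running processes:"


def exe_from_command(cmd):
    """Pull the executable path out of a Run value (quoted, or unquoted with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd


def assess_path(path):
    """Return the reasons (possibly none) a path deserves a closer look."""
    low = path.strip().lower()
    if low in DEAD_VALUES or low.endswith("(file missing)"):
        return ["dead entry: points at nothing on disk, so remove the registry value, not a file"]
    p = PureWindowsPath(path.strip())
    name, stem = p.name.lower(), p.stem.lower()
    reasons = []
    # '?' cannot appear in a Windows file name; HijackThis prints it for a character
    # it cannot render, so n?tepad.exe is a look-alike of notepad.exe, not notepad.exe.
    if "?" in name or not name.isascii():
        reasons.append("file name contains a character the log could not print (look-alike name)")
    if any(d in low for d in PROFILE_DIRS):
        reasons.append("autostart from a user-profile directory")
    if name in EXPECTED_DIR and p.parent.name.lower() != EXPECTED_DIR[name]:
        reasons.append(f"{name} belongs in {EXPECTED_DIR[name]}, found in {p.parent}")
    if len(stem) >= 5 and stem.isalpha() and not re.search(r"[aeiouy]", stem):
        reasons.append("generated-looking name (no vowels); confirm the vendor before trusting it")
    return reasons


def triage(log_text):
    """Walk a HijackThis log and return (section, target, reasons) for every hit."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := O4_RE.match(line):
            label, target = f"O4 {m['hive']} [{m['name']}]", exe_from_command(m["cmd"])
        elif m := O2_RE.match(line):
            label, target = f"O2 BHO {{{m['clsid']}}}", m["path"]
        elif PROC_RE.match(line):
            label, target = "process", line
        else:
            continue
        reasons = assess_path(target)
        if reasons:
            findings.append((label, target, reasons))
    return findings


# Lines copied from the log posted above (paths de-garbled).
POSTED_LINES = r"""
Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Zgprbh.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
O2 - BHO: (no name) - {066FB6E7-7300-07FF-7D80-2187ED82EA9F} - C:\WINDOWS\System32\ffrjv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [hhtfvc] C:\WINDOWS\System32\hhtfvc.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Zgprbh.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O4 - HKCU\..\Run: [Hfwiy] C:\WINDOWS\System32\n?tepad.exe
O4 - HKCU\..\Run: [Oteo] C:\Documents and Settings\Rich\Application Data\loae.exe
"""
# Constructed, NOT in the posted log: spoolsv.exe outside System32, the case bullseye17 describes.
CONSTRUCTED_LINES = "C:\\WINDOWS\\spoolsv.exe\n"
SAMPLE_LOG = POSTED_LINES + CONSTRUCTED_LINES

if __name__ == "__main__":
    for section, target, reasons in triage(SAMPLE_LOG):
        print(f"{section:45} {target}")
        for reason in reasons:
            print(f"{'':45}   - {reason}")
```

Run it as `python triage.py`; each hit is printed with the reasons it was queued. Worth spelling out: `?` is not a legal character in a Windows file name, so when a log shows one, the real name contains a character the tool could not print, and the file is not notepad.exe even though it reads like it.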
This file is a friggin' virus....... I've dealt with it before, I understand your frustrations, this thing is evil, hard to get rid of...
spoolsv.exe is pure evil
C:\WINDOWS\system32\spoolsv.exe
below files are CRAP!
C:\WINDOWS\System32\Zgprbh.exe
C:\WINDOWS\System32\n?tepad.exe
Delete these three files, boot into safe mode, run full system scans, and when finished, pull the power cord out of the wall and force a hard shutdown!!! This spoolsv.exe lives in the memory...
Mugman
ASKER
Here's an update on where I am with this -
Mugman - Thanks for the heads up on spoolsv.exe but that file is actually OK as long as it is found in c:\windows\system32. It's when you find it in root, c:\windows or c:\winnt that it becomes a problem.
That being said I think the worst of it is actually over. I can actually open an IE session without being inundated with crippling popups. Here's what I think I need to be able to close this question out.
One of the things I did was disable a number of entries in the startup tab of msconfig. But how do you delete these entries from startup completely? Directories? Are there registry entries that I need to delete? What do I do?
Also - What is the deal with 2o7.net???? This critter shows up constantly in pestpatrol scans after reboots. I can't get it to be gone no matter what.
Let me know if that's just the way it is sometimes. Am I expecting too much to be 100% free of this crap? Or is it just a reality of having a broadband internet connection that you just can't keep everything out anymore?
I'm sure I have additional to-do's to get this done but I can't think of them right now.
Hello,
No you're not expecting too much...100% removal is a good thing.
Yes for the startup items you can go into the registry like we discussed earlier
start >> run >> regedit
expand hkey_local_machine\software\microsoft\windows\currentversion\run
for the 2o7.net delete cookies from IE.
Then you should set the privacy settings to medium. tools >> internet options >> privacy tab
using notepad open your hosts file located here..c:\windows\system32\drivers\etc
If your hosts file is clean you should only see one entry
127.0.0.1       localhost
add this entry beneath that one
127.0.0.1       102.112.2o7.net
that address and many more 2o7.net addresses can be found here:
http://someonewhocares.org/hosts/
bullseye17,
You say there is a legit file called spoolsv.exe ? I've only encounter this as a virus, if you say this file is legit, what software does it come with? Any Idea...
Mugman
bullseye17,
Sounds like you've gone through a lot of effort to fight this one.
Words of wisdom for next go around (because you'll get hit again).
Backups...make a default configuration backup (use Ghost or TrueImage) then have incremental backups.
Most nasty infections come from custom malware/spyware that no tool can locate and remove. Folks these days are writing custom backdoors and trojans.
Fight the good fight when it seems beatable, but for this instance it probably would have taken you 15 minutes to Ghost your good image and 20 minutes to recover from your incrementals...
I wrote a guide that may help you next time:
http://spaces.msn.com/members/greyhat/Blog/cns!1pUk7QRF4x9-c8NiDSc_ZYKg!129.entry
HTH
ASKER
mugman21 - spoolsv.exe is a legitimate windows service found in c:\windows\System32 that is responsible for managing spooled print/fax jobs. There are viruses, trojans etc that are written with the same filename though. Like I said earlier the bogus files would be found elsewhere. Most typically they would be located in c:\, c:\windows or c:\winnt.
Phil - Yes this has been quite an ordeal. :-( Thanks for the heads up. I'll have to check out your guide.
mdiglio - Deleted any remaining cookies on the system. Privacy was already set to Medium so I raised it to Medium - High.
I also went to delete the startup entries from the registry but they were not there at all. But they are still in the startup - just disabled.
And for the hosts file I don't understand what adding the address to my hosts is supposed to do. Won't that just point the traffic from that address to my PC? I just need to understand it a little better.
That's it for now. Still pluggin' away!!
Hello,
putting that entry in the hosts file will tell your browser to go to the address 127.0.0.1 the next time it is told to access the 2o7.net site.
This will redirect it to your machine and come back as a page not found error.
To test it out you can add this line to the hosts file then go to the google website
127.0.0.1       www.google.com
Basically it will prevent you from ever going to that page again
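An added example (my code, not mdiglio's, and not taken from the someonewhocares.org list) that shows what the hosts-file trick actually does to name resolution. It reads a hosts file the way a resolver does, appends blackhole lines for the tracker names only where they are missing, and then looks names up. The starting hosts content is constructed to match the one-line file mdiglio describes; `other.112.2o7.net` is a hypothetical sibling hostname I made up to show that a hosts file has no wildcards, so every 2o7.net subdomain needs its own line, which is why the someonewhocares.org list is as long as it is.

```python
"""Hosts-file blackholing, as mdiglio describes it above.

Added example, not from the thread. The sample hosts content is constructed; the
tracker names are the ones mentioned in the thread plus one hypothetical sibling.
"""


def parse_hosts(text):
    """Map hostname -> address the way a hosts file is read: '#' starts a comment,
    fields are whitespace-separated, and the first line naming a host wins
    (how resolvers generally treat duplicates; assumed here)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def lookup(table, hostname):
    """Address the hosts file gives for hostname, or None if DNS would be asked.
    No wildcard matching: other.112.2o7.net is not covered by a 102.112.2o7.net line."""
    return table.get(hostname.lower().rstrip("."))


def blackhole_additions(hosts_text, names, sink="127.0.0.1"):
    """Lines to append so each name resolves to sink, skipping names already present."""
    table = parse_hosts(hosts_text)
    return [f"{sink}\t{name}" for name in names if name.lower() not in table]


def apply_blackhole(hosts_text, names, sink="127.0.0.1"):
    """Return hosts_text with the missing blackhole lines appended."""
    additions = blackhole_additions(hosts_text, names, sink)
    if not additions:
        return hosts_text
    if not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + "\n".join(additions) + "\n"


# Constructed: the one-line hosts file mdiglio says a clean box should have.
HOSTS_BEFORE = "127.0.0.1       localhost\n"
# Names from the thread; the sibling below is hypothetical, to show the no-wildcard point.
TRACKERS = ["102.112.2o7.net", "www.google.com"]
UNLISTED_SIBLING = "other.112.2o7.net"
HOSTS_AFTER = apply_blackhole(HOSTS_BEFORE, TRACKERS)

if __name__ == "__main__":
    print(HOSTS_AFTER)
    table = parse_hosts(HOSTS_AFTER)
    for host in TRACKERS + [UNLISTED_SIBLING]:
        print(f"{host:24} -> {lookup(table, host)}")
```

Two caveats a practitioner would add. Pointing names at 127.0.0.1 sends the request to your own machine, so anything listening on local port 80 will answer it; passing `sink="0.0.0.0"` avoids that. And a hosts entry only stops new connections: a cookie that is already on disk stays there until the browser's cookie store is cleared, which is the other half of mdiglio's advice.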
ASKER
OK. I get it now. Thanks.
Now what about getting those entries out of the startup? Any ideas since there weren't any registry entries?
Hello,
See if these keys work for you
[HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
Clean-up the MSCONFIG startup tab listings - Windows XP
http://windowsxp.mvps.org/MSCONFIG.htm
ASKER
Hello,
Getting ever closer to the end of this question. I've been able to remove those entries from the startup. The only thing still bothering me about this is that I still constantly get items found when running my scans.
Basically what I do is scan, clean what's found, reboot and then scan again. The biggest mystery to me right now is that #%$%@% 2o7.net. I added every entry for that address from the link at someonewhocares.com and the cookie still shows up on every scan. But when I ping the address in the cookie I get my loopback address just like I should.
The other thing I was wondering about is this - If I boot into safe mode and run Spybot I get no nasties found. If I reboot and run another scan it finds one or two items though. That seemed a little strange to me. Maybe I'll try another one of the tools available. I haven't tried the MS app yet, although I have run Ad-Aware, Spybot, HijackThis and PestPatrol.
Let me know if you think there's anything else I can do.
ASKER
OK. This just in......
So what I just did was restrict third party cookies.
Tools --> Internet Options --> Privacy. In the settings I went to the Advanced area and selected to prompt me when third party cookies wanted to be installed.
Sure enough I started to see requests from 2o7.net, DoubleClick and others. I'll probably leave the setting on prompt until I'm no longer fascinated with just how many requests come in and then change it to block third party cookies.
Do you know of any downside to doing this?
Was it set to Medium under the Privacy tab?
I don't see any downside except that you will be prompted each time these third party cookies want to be installed. Is your HijackThis log clean now? If not, give us a link to your log at http://www.hijackthis.de
ASKER
The setting was originally set to Medium and I changed it to Medium-High, but I was still getting items that were showing up when running a scan.
So I went to the Advanced button in the Privacy settings tab and I was able to block/allow/prompt on First or Third party cookies. I saw that there was also an option to always allow session cookies that appears to be disabled by default.
To be honest I'm not sure what a session cookie is so I left that alone. I did change the Third-Party cookie option to prompt though, just to see what sites were trying to place a cookie. So far I've only seen traffic from adware sites or from some site that wants to solicit me for something.
I'll scan again with HijackThis and let you know what happens.
btw - I'm thinking that my problem may be resolved. I guess I'm just not sure what the impact is if I block all third party cookies.
OK, give us the new link to your log when ready.
You shouldn't block all third party cookies. Some sites will need to use these cookies to allow you access to login. If you block them, you might not be allowed to login at all.
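Added example (not code from this thread): a Python sketch of the first-party / third-party distinction behind the Privacy > Advanced setting discussed above, with the IE-style allow / prompt / block choice applied to the third-party ones. It compares the registrable domain ("site") of the page in the address bar with that of the host trying to set the cookie, so `metrics.example.com` on an `example.com` page is first-party while `112.2o7.net` is not. The public-suffix set, the page URL and the list of cookie-setting hosts are constructed for the example; a real implementation would use the full Public Suffix List. The `login.example.co.uk` entry illustrates the point made in the answer: a login host on a different domain than the page is treated as third-party and would be blocked under the "block" policy.

```python
"""Added example, not from the original thread: decide whether a cookie a
server wants to set is first-party or third-party relative to the page the
user is viewing, then apply an IE-style policy (allow / prompt / block)."""
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed, deliberately tiny public-suffix set for the example only.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def registrable_domain(host: str) -> str:
    """Reduce a host to its registrable domain ('site'), e.g.
    112.2o7.net -> 2o7.net, metrics.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first; the registrable domain is the
    # matching public suffix plus one more label to its left.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)  # no known suffix: treat the whole host as the site


def is_third_party(page_url: str, cookie_host: str) -> bool:
    """A cookie is third-party when the host setting it belongs to a
    different site than the page in the address bar."""
    page_host = urlsplit(page_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(cookie_host)


def cookie_decision(third_party_policy: str, page_url: str, cookie_host: str) -> str:
    """Mirror the Privacy > Advanced choice: first-party cookies are allowed,
    third-party cookies get whichever of allow / prompt / block was chosen."""
    if third_party_policy not in ("allow", "prompt", "block"):
        raise ValueError("policy must be allow, prompt or block")
    if not is_third_party(page_url, cookie_host):
        return "allow"
    return third_party_policy


# Constructed sample: hosts that tried to set cookies while one page was open.
PAGE = "http://www.example.com/news/index.html"
COOKIE_HOSTS = ["www.example.com", "metrics.example.com", "112.2o7.net",
                "ad.doubleclick.net", "login.example.co.uk"]


def classify_all(page_url: str, hosts: List[str], policy: str) -> List[Tuple[str, str, str]]:
    """(host, first-party/third-party, decision) for each cookie-setting host."""
    return [(h,
             "third-party" if is_third_party(page_url, h) else "first-party",
             cookie_decision(policy, page_url, h))
            for h in hosts]


if __name__ == "__main__":
    for host, party, decision in classify_all(PAGE, COOKIE_HOSTS, "prompt"):
        print(f"{host:22} {party:12} -> {decision}")
```

Running it with the "prompt" policy reproduces what the asker saw: the page's own hosts pass silently and every other site's cookie request surfaces as a prompt.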
ASKER
The HijackThis log is clean. Yeaaaaaa!!!! All scans with the other tools are actually coming back clean as well. My understanding of the third party cookies is that they are coming from a site other than the one that I am currently at. I'm going to try a few of the sites that I frequent to see if the changes affect anything.
Glad to hear it...sorry I was away from email for the weekend
ASKER
I'm soooooo sorry for taking so long to get back to this and post as resolved. Not my usual MO. Thanks to mdiglio and greyknight17 for sticking through this and helping me out so thoroughly. Additional thanks to everyone else who pitched in. I can't begin to express my thanks for the help. It was a real pain and the effort put forth just shows how great this site is. Thanks again to all!!
Do you have any anti-virus software?
I hate to give you a link to just another spyware removal software...
but that's what I'm going to do :)
Have you used MS Anti-Spyware?
It seems to be doing a far better job than the rest (for right now).
As with all software, be sure to do an update before you run a Full scan.
http://www.microsoft.com/athome/security/spyware/software/default.mspx