Popups

About Moya's forum, for site-related issues. Please start your site-related issue as a new topic and one of us will come along and advise.


Postby Killiney » Mon Apr 07, 2008 10:49 am

My post before my previous post is missing the following:

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
Behind the innocent,
the last, the least and the lost
will be found in the storm

Northern Skyline - a fansite for Clannad/Moya/Enya get the latest news as soon as we get it
Killiney
Addicted to Moya
 
Posts: 1986
Joined: Sat Aug 25, 2007 11:45 am
Location: Dover, England

Postby Angoid » Mon Apr 07, 2008 11:57 am

As Chris said, you can safely ignore all the sites on lines beginning with 127.0.0.1

They were probably put there by Spybot Search and Destroy or something similar, to protect you from them - they are malicious sites.

This does NOT mean that Killiney has visited any of them - they were merely put there pre-emptively by a legitimate program to stop them getting onto the computer.

It works by saying that the IP address of each of those sites is 127.0.0.1 - that happens to be a special address for your own computer! Thus if I tried to visit one, it would try to get it from your own computer, fail to find a Web server there, and come back with an error. Thus you're protected.

As they're legit, and we don't want links to those sites linked to from here, do you mind if we edit those posts to get rid of them? I needed to see the list just in case it did show anything up. Either you do the edit yourself or I'll do it on your behalf .... just give the word.

In your next post, can you post another log from HijackThis? If it contains all those 127.0.0.1 entries, then please feel free to edit them out before posting but please do not edit anything else in your log.
If you don't know what eschatology is then don't worry; it's not the end of the world.
Purveyor of fine sarcasm since 1966.
Angoid
Technical Administrator
 
Posts: 3674
Joined: Tue Mar 02, 2004 10:08 pm
Location: In the cave
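Angoid's point about the 127.0.0.1 lines, as an added example that is not part of the thread: a small Python classifier that sorts hosts-file entries (raw lines or HijackThis "O1 - Hosts:" lines, which is the format HijackThis uses for hosts-file redirections) into the default localhost mapping, protective sinkholes, and redirects to some other machine, the one kind of hosts entry that can actually send a browser somewhere it did not ask to go. The sample lines and hostnames are constructed placeholders, not real sites.

```python
"""Sort hosts-file entries into sinkholes (protective) and redirects (suspect)."""
import ipaddress
import re

# A hostname mapped to one of these never leaves the machine: the browser asks
# the local computer, finds no web server and fails. That is the protective
# "immunize" entry Spybot S&D and similar tools write.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# HijackThis reports hosts-file entries as: O1 - Hosts: <address> <hostname>
HJT_O1 = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_hosts_entry(line):
    """Return (address, hostname) for a raw hosts line or a HijackThis O1 line,
    or None for blank lines, comments and anything that is not a valid mapping."""
    text = line.split("#", 1)[0].strip()   # drop trailing comments
    if not text:
        return None
    m = HJT_O1.match(text)
    parts = [m.group(1), m.group(2)] if m else text.split()
    if len(parts) < 2:
        return None
    address, hostname = parts[0], parts[1].lower()
    try:
        ipaddress.ip_address(address)       # rejects lines whose first token is not an IP
    except ValueError:
        return None
    return address, hostname


def classify_hosts_entry(line):
    """Return 'default', 'sinkhole', 'redirect', or None if the line is not a mapping."""
    parsed = parse_hosts_entry(line)
    if parsed is None:
        return None
    address, hostname = parsed
    if hostname in ("localhost", "localhost.localdomain"):
        return "default"
    if address in SINKHOLE_ADDRESSES:
        return "sinkhole"
    # Any other address makes the name resolve to a machine that is NOT this
    # one: the only hosts-file pattern that can send a browser somewhere
    # unexpected, and the one worth investigating.
    return "redirect"


def triage_hosts(lines):
    """Group entries by class so a long sinkhole list can be discounted at a
    glance and only redirects need attention."""
    groups = {"default": [], "sinkhole": [], "redirect": []}
    for line in lines:
        kind = classify_hosts_entry(line)
        if kind:
            groups[kind].append(parse_hosts_entry(line))
    return groups


# Constructed sample: raw hosts lines and HijackThis O1 lines. The hostnames
# are placeholders, not real sites.
SAMPLE = [
    "# Hosts file header comment",
    "127.0.0.1       localhost",
    "127.0.0.1  ads.tracker.example      # written by an immunize tool",
    "0.0.0.0    popups.example",
    "O1 - Hosts: 127.0.0.1 bad-download.example",
    "O1 - Hosts: 203.0.113.7 www.mybank.example",
    "not a hosts line",
]

if __name__ == "__main__":
    for kind, entries in triage_hosts(SAMPLE).items():
        print(f"{kind}: {len(entries)}")
        for address, hostname in entries:
            print(f"    {address:15s} {hostname}")
```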

Postby Killiney » Mon Apr 07, 2008 12:03 pm

Angoid wrote:As Chris said, you can safely ignore all the sites on lines beginning with 127.0.0.1

They were probably put there by Spybot Search and Destroy or something similar, to protect you from them - they are malicious sites.

This does NOT mean that Killiney has visited any of them - they were merely put there pre-emptively by a legitimate program to stop them getting onto the computer.

It works by saying that the IP address of each of those sites is 127.0.0.1 - that happens to be a special address for your own computer! Thus if I tried to visit one, it would try to get it from your own computer, fail to find a Web server there, and come back with an error. Thus you're protected.

As they're legit, and we don't want links to those sites linked to from here, do you mind if we edit those posts to get rid of them? I needed to see the list just in case it did show anything up. Either you do the edit yourself or I'll do it on your behalf .... just give the word.

In your next post, can you post another log from HijackThis? If it contains all those 127.0.0.1 entries, then please feel free to edit them out before posting but please do not edit anything else in your log.


Thanks Angus,

I think I understand the last paragraph. I think.
So you want me to do another HCheck scan and then post the log in here?

Postby Killiney » Mon Apr 07, 2008 12:29 pm

Here's the HCheck log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:09:19, on 07/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackCheck\HCheck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [rvr] C:\WINDOWS\system32\rvr.exe
O4 - HKLM\..\Run: [uvese] C:\WINDOWS\system32\uvese.exe
O4 - HKLM\..\RunServices: [uvese] C:\WINDOWS\system32\uvese.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-U ... E_UNO1.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Wind ... lisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Print Spooler Service (hej7rla5aqambc) - Unknown owner - C:\WINDOWS\system32\uvese.exe (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 12193 bytes

Postby ChrisRLG » Mon Apr 07, 2008 6:33 pm

Can you edit all those hosts file entries out of your posts please.

Although they are safe and keep you safe in your hosts file, they are very dangerous in your posts here where others may well click them.

If you have not edited them within 3 hours I will do it myself, as any visitor or member clicking on those links could get infected.
MS MVP 2005-6 to 2008-9

Please post the secret code: 'Shakey Lemon
ChrisRLG
Technical Administrator
 
Posts: 837
Joined: Mon Nov 21, 2005 4:53 pm

Postby Killiney » Mon Apr 07, 2008 7:12 pm

ChrisRLG wrote:Can you edit all those hosts file entries out of your posts please.

Although they are safe and keep you safe in your hosts file, they are very dangerous in your posts here where others may well click them.

If you have not edited them within 3 hours I will do it myself, as any visitor or member clicking on those links could get infected.


How do I go about editing them out of my posts?

EDIT
I have deleted all of the log to avoid confusion in what websites need to be deleted; I hope this is satisfactory.

Postby Angoid » Tue Apr 08, 2008 12:15 pm

Download Pocket Killbox (on that page, click on 'Killbox Download Link') and unzip it; save it to your Desktop.

Close all programs down (including this browser session - so you'll need to print this post off first if possible). Run HCheck again and scan your system, but this time, instead of saving the logfile, check off the following entries using the checkboxes on the left-hand side:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [rvr] C:\WINDOWS\system32\rvr.exe
O4 - HKLM\..\Run: [uvese] C:\WINDOWS\system32\uvese.exe
O4 - HKLM\..\RunServices: [uvese] C:\WINDOWS\system32\uvese.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -


Click on Fix Checked and come out of HijackThis.

Run KillBox (it has a red circle with a white cross in it), and click the radio button that says Delete a file on reboot.

For each of the files in the list below, enter them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

C:\WINDOWS\system32\rvr.exe
C:\WINDOWS\system32\uvese.exe


The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.

Then post another HijackThis log as you did before; we'll take another look then.

Bear with us on this ..... this is very often an 'iterative process' where we keep asking for logs, analysing them, giving instructions, and so on. It can take a few 'passes' to get you clear.
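As an added example (not from the thread and not HijackThis's own logic), a small Python triage over lines copied from the log posted earlier in this thread. The rules encode the patterns behind the entries picked out above: "(no file)" orphans, the unnamed O16 download, the short lowercase exes dropped straight into system32, the RunServices key, and the service with an unknown owner. The heuristics are rules of thumb written for this illustration and will also flag other orphaned entries in the same log.

```python
"""Triage a HijackThis log: flag the entry types a helper looks at first."""
import re

# "(no file)" / "(file missing)": the registry still points at a target that is
# gone. Harmless by itself, but orphaned hooks and BHOs are routinely fixed,
# and an orphaned service with an unknown owner needs a close look.
ORPHAN = re.compile(r"\((?:no file|file missing)\)", re.I)

# O4 autostart lines look like: O4 - <hive>\..\<key>: [<value name>] <command>
O4 = re.compile(
    r"^O4 - (?P<hive>HK[^:]*?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<rest>.*)$"
)

# First executable in a command line, e.g. "...\rvr.exe" -> "rvr"
EXE_STEM = re.compile(r'([^\\"\s]+)\.exe\b', re.I)


def triage_line(line):
    """Return a short reason if the line deserves attention, else None."""
    line = line.rstrip()

    if line.startswith("O23 - Service:") and "Unknown owner" in line:
        missing = " and its binary is missing" if ORPHAN.search(line) else ""
        return "service with unknown owner" + missing

    if ORPHAN.search(line):
        return "orphaned entry: its target file no longer exists"

    # O16 = ActiveX control in Downloaded Program Files; one with neither a
    # name nor a source URL cannot be accounted for.
    if line.startswith("O16 - DPF:") and line.endswith("-"):
        return "unnamed ActiveX download with no source URL"

    m = O4.match(line)
    if m:
        if m.group("key") == "RunServices":
            return ("RunServices is a Windows 9x/Me autostart key that XP does "
                    "not process; legitimate XP software has no reason to write it")
        exe = EXE_STEM.search(m.group("rest"))
        in_system32 = "\\system32\\" in m.group("rest").lower()
        # A value name identical to a short, all-lowercase exe dropped straight
        # into system32 fits a randomly named dropper, not a vendor installer.
        if (exe and in_system32 and m.group("name") == exe.group(1)
                and exe.group(1).isalpha() and exe.group(1).islower()):
            return "autostart named after an unrecognised lowercase exe in system32"
    return None


def triage_log(lines):
    """Return [(line, reason)] for every line triage_line flags."""
    flagged = []
    for line in lines:
        reason = triage_line(line)
        if reason:
            flagged.append((line.rstrip(), reason))
    return flagged


# Lines copied from the log posted earlier in this thread.
SAMPLE_LOG = [
    r"R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)",
    r"O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r'O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized',
    r"O4 - HKLM\..\Run: [rvr] C:\WINDOWS\system32\rvr.exe",
    r"O4 - HKLM\..\Run: [uvese] C:\WINDOWS\system32\uvese.exe",
    r"O4 - HKLM\..\RunServices: [uvese] C:\WINDOWS\system32\uvese.exe",
    r"O4 - HKCU\..\Run: [kdx] C:\Program Files\KHost.exe -all",
    r"O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -",
    r"O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe",
    r"O23 - Service: Print Spooler Service (hej7rla5aqambc) - Unknown owner - C:\WINDOWS\system32\uvese.exe (file missing)",
]

if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```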

Postby Killiney » Tue Apr 08, 2008 12:48 pm

Angoid wrote:Download Pocket Killbox (on that page, click on 'Killbox Download Link') and unzip it; save it to your Desktop.

Close all programs down (including this browser session - so you'll need to print this post off first if possible). Run HCheck again and scan your system, but this time, instead of saving the logfile, check off the following entries using the checkboxes on the left-hand side:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [rvr] C:\WINDOWS\system32\rvr.exe
O4 - HKLM\..\Run: [uvese] C:\WINDOWS\system32\uvese.exe
O4 - HKLM\..\RunServices: [uvese] C:\WINDOWS\system32\uvese.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -


Click on Fix Checked and come out of HijackThis.

Run KillBox (it has a red circle with a white cross in it), and click the radio button that says Delete a file on reboot.

For each of the files in the list below, enter them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

C:\WINDOWS\system32\rvr.exe
C:\WINDOWS\system32\uvese.exe


The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.

Then post another HijackThis log as you did before; we'll take another look then.

Bear with us on this ..... this is very often an 'iterative process' where we keep asking for logs, analysing them, giving instructions, and so on. It can take a few 'passes' to get you clear.


Angus, thanks. I noticed the rvr.exe etc. the other day on my antivirus software. I'll do this after I have had lunch and I can focus on what needs to be done; my mind's all over the place at the moment.

Thanks.

Post scriptum
How do I unzip it?

Postby Angoid » Tue Apr 08, 2008 7:11 pm

You shouldn't have to unzip anything, but for future reference, whenever you do have a zipped file you can usually right-click it, and choose "Unzip" or "Unzip Here". Then click OK to the prompt.

The difference between Unzip and Unzip Here is that the former creates a new folder specifically for the unzipped files, whereas the other one doesn't.

If you know the zipped file (often referred to as an archive) only contains one file, then using Unzip Here is usually the better one unless instructed otherwise.

Postby Killiney » Tue Apr 08, 2008 9:29 pm

Angoid wrote:You shouldn't have to unzip anything, but for future reference, whenever you do have a zipped file you can usually right-click it, and choose "Unzip" or "Unzip Here". Then click OK to the prompt.

The difference between Unzip and Unzip Here is that the former creates a new folder specifically for the unzipped files, whereas the other one doesn't.

If you know the zipped file (often referred to as an archive) only contains one file, then using Unzip Here is usually the better one unless instructed otherwise.


Angus, sorry for the delay, but my wireless router has been playing up, and I've only just got it fixed, and as it's late, I'll do that first thing tomorrow.

Thanks anyway.

Postby Angoid » Tue Apr 08, 2008 9:39 pm

No worries, Killiney ..... I'm now going to turn in anyway :)

Postby Killiney » Wed Apr 09, 2008 10:02 am

Angoid wrote:No worries, Killiney ..... I'm now going to turn in anyway :)


Angus, my wireless router's completely mucked up for some reason. Grr. Not happy. With that aside, here I am lol. Anyway, down to business.

PS. The time's an hour out on the posts, not that that's relevant.

Postby Killiney » Wed Apr 09, 2008 10:17 am

Angus, in attempting to 'delete a file on reboot' using Pocket Killbox, when attempting to delete C:\....uvese.exe, I get the message 'PendingFileRenameOperations Registry Data has been Removed by External Process!'. Please can you explain this?

Postby Angoid » Wed Apr 09, 2008 11:46 am

Aaarghhhh!!!! Put simply, it means one of two things:

1. Spybot Search and Destroy is actually protecting it. To overcome this, you need to turn 'TeaTimer' off. Take a look here for detailed instructions on how to do this. My apologies, I hadn't spotted before that you were running TeaTimer, and this can definitely interfere with a removal.

2. The malware is actively and aggressively resisting removal. What makes this sort harder is that the filenames it uses are random, which makes it all the harder to research.

Let's go with the TeaTimer option first. Turn it off according to those instructions I linked, and follow the former instructions again.

Leave TeaTimer turned off until we say you're clear .... then turn it back on again.

Let us know how it goes.

Postby Killiney » Wed Apr 09, 2008 11:52 am

Angoid wrote:Aaarghhhh!!!!


Is that bad then?

Sorry. Couldn't resist, but as for your view on the thingy actively resisting removal, now I'm completely baffled, but we'll come to that in time.

Thanks anyway.

EDIT

When attempting to run Spybot S&D, I get a little dialog saying 'Loading' with a percentage bar, then it freezes for some reason.
