#91
programs stop responding
Hi Kim,
Thanks for the feedback. This:

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer)

appears to be malware according to this page: http://www.pestpatrol.com/PestInfo/w..._installer.asp

Follow the instructions in this page for its removal. But before, export the registry using Start > Run > regedit > File > Export and create a restore point. You might also want to post your Hijack This log here http://www.cybertechhelp.com/forums/ for more opinions. That one is the main suspect. After you have done this, let's see if you can get to Yahoo Games.

Good luck

On Mon, 12 Apr 2004 12:46:05 -0700, Kim M. wrote:

> I finally was able to get HiJackThis to download and here is what it found. Again, thank you soooo much for all the help and I hope you will be able to make some suggestions that will fix the new problems. I am now able to get to Google but Yahoo Games still won't open for the tables and it won't open some websites. I had to go back and restore to yesterday just to be able to download this software but again I still have these other problems that I can't take care of yet (i.e. trojans, etc.).
>
> Thank you, Kim M.
>
> P.S. I can't tell you how grateful I am for all your help, again, THANK YOU!!
>
> Logfile of HijackThis v1.97.7
> Scan saved at 3:37:09 PM, on 4/12/2004
> Platform: Windows XP (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 (6.00.2600.0000)
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> C:\WINDOWS\system32\services.exe
> C:\WINDOWS\system32\lsass.exe
> C:\WINDOWS\system32\svchost.exe
> C:\WINDOWS\System32\svchost.exe
> C:\WINDOWS\system32\spoolsv.exe
> C:\WINDOWS\Explorer.EXE
> C:\Program Files\DiskeeperWorkstation\DKService.exe
> C:\WINDOWS\System32\nvsvc32.exe
> C:\WINDOWS\System32\svchost.exe
> C:\toshiba\ivp\ISM\pinger.exe
> C:\PROGRA~1\EzButton\CP888M1.EXE
> C:\Program Files\QuickTime\qttask.exe
> C:\WINDOWS\System32\rmctrl.exe
> C:\Program Files\MSN Messenger\MsnMsgr.Exe
> C:\WINDOWS\System32\wuauclt.exe
> C:\Program Files\Internet Explorer\IEXPLORE.EXE
> C:\Program Files\WinRAR\WinRAR.exe
> c:\Temp\Rar$EX12.032\HijackThis.exe
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
> R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
> R3 - Default URLSearchHook is missing
> O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
> O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
> O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
> O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ISM\pinger.exe /run
> O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
> O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
> O4 - HKLM\..\Run: [CP888M1] C:\PROGRA~1\EzButton\CP888M1.EXE
> O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe" /wait
> O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
> O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
> O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
> O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
> O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
> O9 - Extra button: Messenger (HKLM)
> O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
> O9 - Extra button: Messenger (HKLM)
> O9 - Extra 'Tools' menuitem: Messenger (HKLM)
> O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
> O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/game...ts/y/it1_x.cab
> O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
> O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/game...ts/y/st2_x.cab
> O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
> O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
> O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
> O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7...ll/xscan53.cab
> O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
> O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
> O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
> O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
#92
programs stop responding
I downloaded the PestPatrol software and located the malware file but now the program is telling me that I have to purchase the licensed version to be able to quarantine or delete the file. I really don't want to spend the $40 to get this problem fixed... is there any way that I can delete or quarantine it for free? I know it sounds like I am cheap but I had just purchased a copy of the "revered" Norton Internet Security just to find that it is not protecting me from the 6 odd trojans that have been found. If I sound bitter, it's because I am now. Until now, I just ASSumed that Norton knew about every virus and trojan known to man but you can now see where that got me...

Thanks, Kim
#93
programs stop responding
Hi Kim,
On Mon, 12 Apr 2004 17:56:02 -0700, Kim M. wrote:

> I downloaded the PestPatrol software and located the malware file but now the program is telling me that I have to purchase the licensed version to be able to quarantine or delete the file. I really don't want to spend the $40 to get this problem fixed... is there any way that I can delete or quarantine it for free? I know it sounds like I am cheap but I had just purchased a copy of the "revered" Norton Internet Security just to find that it is not protecting me from the 6 odd trojans that have been found. If I sound bitter, it's because I am now. Until now, I just ASSumed that Norton knew about every virus and trojan known to man but you can now see where that got me...
>
> Thanks, Kim

You don't have to buy the software. Especially when you can use Ad-aware and Spybot, which are free, to do your routine scans for malware. To get rid of this specific malware, you can do it yourself, manually, if you follow the instructions of this page: http://www.pestpatrol.com/PestInfo/w..._installer.asp

You only have to delete some registry keys:

HKEY_CLASSES_ROOT\clsid\{1d6711c8-7154-40bb-8380-3dea45b69cbf}
HKEY_CLASSES_ROOT\webp2pinstaller.installer
HKEY_CLASSES_ROOT\webp2pinstaller.installer.1
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{1d6711c8-7154-40bb-8380-3dea45b69cbf}

Make a copy of it before you start (Start > Run > regedit > File > Export) and create a restore point for added safety.

Good luck
#94
programs stop responding
Hi Kim,
Comments inline.

On Tue, 13 Apr 2004 19:31:03 -0700, Kim M. wrote:

> I was able to follow the directions on the pestpatrol page and delete the files from the registry keys. I also posted my HiJack This log and this was what they posted back so far...
>
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
> R3 - Default URLSearchHook is missing
> O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
>
> Am I supposed to delete these as well or not? I have posted the same question back to the site but have not yet received a reply. I am re-running the virus scans and adware and so far I still have these trojans:

Let's wait until you receive a reply.

> File: C:\Documents and Settings\citrus\Local Settings\Temporary Internet Files\Content.IE5\OV5RMUNL\dw[1].exe
> Virus: Tool:PornDialer.EA
> Status: Infected
>
> File: C:\Temp\bii.cab-biprep.exe
> Virus: TrojanSpy/Win32.BiSpy.A
> Status: Infected
>
> File: C:\Temp\biprep.exe
> Virus: TrojanSpy/Win32.BiSpy.A
> Status: Infected

These files in temporary folders are not used by the system and so safe to delete.

> File: C:\WINDOWS\system32\benceed.dll
> Virus: TrojanDownloader:Win32/Rameh.A
> Status: Infected

I don't have this file in my system. If you're apprehensive about deleting it, change its name and move it to a folder of your choosing (like a Pest folder or so) and wait for a few days; if your system works fine, then delete it.

> I am hesitant to delete or quarantine these files because of all the problems I ran into the last time I did so. Is there any way of telling if a file is required or not? Thank you, everyone, again for all the help.

If a file is in a temporary folder, it's not used by the system and should be safe to delete. Files in the System32 folder are different, though, and require searching the name of the file in Google and making sure they are not a system file.

> P.S. I am now able to get into Yahoo games and Google so most of the bugs seem to be fixed.

Good, then we are on the right track.

Good luck
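The checks the replies in this thread apply by hand, written up as an added example that is not code from the thread, from HijackThis or from any scanner: it reads HijackThis-style lines like those in the log posted in #91 and flags hosts-file overrides (O1 entries that point a name at a non-loopback address), a missing default URLSearchHook (R3) and DPF entries with no download source (O16), then applies the temporary-folder versus System32 rule from the reply above to run-together "File: ... Virus: ... Status: ..." scanner hits. The sample log and scanner text are constructed for the example, and the Yahoo download URL in it is a placeholder, not the real one.

```python
"""Triage helpers for a HijackThis-style log and scanner output.

Added example, not code from the thread, HijackThis or any scanner. It
encodes the checks the replies apply by hand: hosts-file overrides (O1),
DPF controls with no download source (O16), a missing default URLSearchHook
(R3), and the rule that flagged files under temporary folders are safe to
remove while files under System32 need checking first.
"""
import ipaddress
import re
from pathlib import PureWindowsPath

# Constructed sample lines, modelled on the log format in the thread.
# The Yahoo download URL is a placeholder, not the real one.
SAMPLE_LOG = """\
R3 - Default URLSearchHook is missing
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O16 - DPF: Yahoo! Cribbage - http://download.example.invalid/it1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
"""

# Constructed scanner output, run together on one line the way it was pasted.
SAMPLE_SCAN = (
    "File: C:\\Temp\\biprep.exe Virus: TrojanSpy/Win32.BiSpy.A Status: Infected "
    "File: C:\\WINDOWS\\system32\\benceed.dll Virus: TrojanDownloader:Win32/Rameh.A Status: Infected "
    "File: C:\\Documents and Settings\\citrus\\Local Settings\\Temporary Internet Files"
    "\\Content.IE5\\OV5RMUNL\\dw[1].exe Virus: Tool:PornDialer.EA Status: Infected"
)

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
HIT_RE = re.compile(r"File:\s+(.+?)\s+Virus:\s+(\S+)\s+Status:\s+(\S+)")


def _split_dpf(body):
    """Split the text after 'O16 - DPF:' into (description, url); url may be ''."""
    body = body.strip()
    if body.endswith(" -"):  # entry that lists no download source at all
        return body[:-2].strip(), ""
    desc, sep, url = body.rpartition(" - ")
    return (desc.strip(), url.strip()) if sep else (body, "")


def parse_hjt(text):
    """Return (section, detail) findings for the log lines that deserve attention."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        hosts = HOSTS_RE.match(line)
        if line.startswith("R3 - Default URLSearchHook is missing"):
            findings.append(("R3", "default URLSearchHook missing"))
        elif hosts:
            ip, host = hosts.groups()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append(("O1", f"unparseable hosts entry: {line}"))
                continue
            if not addr.is_loopback:  # the hosts file redirects this name elsewhere
                findings.append(("O1", f"{host} -> {ip}"))
        elif line.startswith("O16 - DPF:"):
            desc, url = _split_dpf(line[len("O16 - DPF:"):])
            if not url:
                findings.append(("O16", f"no download source: {desc}"))
    return findings


def classify_path(path):
    """'temp' for browser cache / Temp folders, 'system32' for the system folder, else 'other'."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if "temporary internet files" in parts or "temp" in parts:
        return "temp"
    if "system32" in parts:
        return "system32"
    return "other"


ADVICE = {
    "temp": "not used by the system; safe to delete",
    "system32": "look the filename up and confirm it is not a system file before removing; "
                "if unsure, rename it and move it aside for a few days first",
    "other": "inspect before acting",
}


def triage_scan(text):
    """Parse run-together 'File: ... Virus: ... Status: ...' hits into triage records."""
    records = []
    for path, name, status in HIT_RE.findall(text):
        kind = classify_path(path)
        records.append({"path": path, "detection": name, "status": status,
                        "location": kind, "advice": ADVICE[kind]})
    return records


if __name__ == "__main__":
    for section, detail in parse_hjt(SAMPLE_LOG):
        print(f"{section}: {detail}")
    for rec in triage_scan(SAMPLE_SCAN):
        print(f"{rec['location']:9} {rec['path']}  ({rec['detection']}): {rec['advice']}")
```

On the sample input this reports the R3 entry, the aimtoday.aol.com override and the Web P2P Installer control, skips the loopback hosts line, and sorts the three scanner hits into two temporary-folder files and one System32 file. The same functions work on a whole pasted log, so the classification step can be run before deciding what to delete rather than after.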
#96
programs stop responding
Kim
The Adaware and such programs will probably identify the Yahoo files as a problem. You may have them quarantined, which is why your Yahoo games won't work. Get a copy of Spybot and try it (it was the last one I tried and I wish I had used it first since it gives valuable info on the files identified by it).

Sorry I wasn't able to get back on here before now. It took me longer to "clean" my brother's computer than I expected. I still am not positive as to the exact "culprit" but I think it may have been a dialer program EGHTML. I would quarantine bad files and then they would multiply so I think a dialer must have been downloading as I was cleaning.

Anyway, the initial solution by Roger -- uncheck enable 3rd party extensions -- works to let the infected computer's IE work and connect to the net. But it doesn't get rid of the offending items. His IE Homepage was still hijacked to: res://mshp.dll/index#37049

As a side note, you should disable the "System Restore" before using the antivirus scanners. Not sure about before using Adaware and Spybot. I did it on his computer just to be sure.

Steps I took in disinfecting his computer (yeah, it was overkill but I wanted to see what these programs did and how they compared):

1. Ran CWShredder program.
2. Ran Adaware program (update before running to latest ref file). The Smartscan identified 9 processes, 418 Registry Keys, 32 Reg Values, 305 files and 35 folders as possibly "bad". Everything identified as "Malware" I removed. I also removed some of the dataminers and "objects" I could determine weren't needed.
3. I rebooted in safe mode and reran Adaware. Had 0 Processes, 65 Reg Keys, 5 Reg Values, 22 files and 4 folders now identified. Many were ok. One I didn't know about was "Promulgate". After he came home, it was deleted also.
4. I restarted in Normal Mode and ran the free online virus checker from pandasoftware.
5. It identified Trj/Virtumonde.A as being a virus on his machine. Symantec (Norton's) antivirus does not identify it as a virus but rather as Adware. I know because I ran his NAV and it didn't identify it so I checked definitions and it lists the file as adware and your normal NAV doesn't deal with it.
6. I reran Adaware (I had not yet removed Virtumonde) and this time I used custom mode and had it scan everything. It now found 66 Reg Keys, 5 Reg Values, 661 files and 16 folders. The most prevalent object was LOP.com malware.
7. I installed and ran Spybot. It identified the Egroup dialer as still being present even though I had sought to remove it using Adaware. Spybot is useful because it has a function to identify exactly what the program is that it suspects is a problem so you can decide if it is or isn't. I removed all files I knew from the defs were not needed.
8. I manually removed the Virtumonde infection.
9. Rescanned and his computer was clean.
10. Enabled 3rd party extensions and the computer still had no problems.

Tim
#98
programs stop responding
Kim
I sent you an email with the programs

Ad_aware
Spybot Search and Destroy
hijackthis
pandasoftware free internet virus scanner

which I used to remove the pest from my brother's computer, and they are all free and can be downloaded from the net.

Tim

PS: If anyone actually identifies the precise pest I'd love to know. My brother had too many on his computer for me to isolate which one was the culprit for this problem.
#99
programs stop responding
I was able to follow the directions on the pestpatrol page and delete the files from the registry keys. I also posted my HiJack This log and this was what they posted back so far...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R3 - Default URLSearchHook is missing
O1 - Hosts: 217.116.231.7 aimtoday.aol.com12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

Am I supposed to delete these as well or not? I have posted the same question back to the site but have not yet received a reply. I am re-running the virus scans and adware and so far I still have these trojans:

File: C:\Documents and Settings\citrus\Local Settings\Temporary Internet Files\Content.IE5\OV5RMUNL\dw[1].exe
Virus: Tool:PornDialer.EA
Status: Infected

File: C:\Temp\bii.cab-biprep.exe
Virus: TrojanSpy/Win32.BiSpy.A
Status: Infected

File: C:\Temp\biprep.exe
Virus: TrojanSpy/Win32.BiSpy.A
Status: Infected

File: C:\WINDOWS\system32\benceed.dll
Virus: TrojanDownloader:Win32/Rameh.A
Status: Infected

I am hesitant to delete or quarantine these files because of all the problems I ran into the last time I did so. Is there any way of telling if a file is required or not? Thank you, everyone, again for all the help.

Kim M.

P.S. I am now able to get into Yahoo games and Google so most of the bugs seem to be fixed.