
Topic Summary

Posted by: rzamriv
« on: 15. July 2009., 16:52:24 »

Hi, if your problem is only the shortcut on your desktop, you have to create a reg file: just copy the following text into a txt file and rename it to a reg file, for example IEicon.txt to IEicon.reg, double-click it and press F5 or restart your system, done!!!!

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{871c5380-42a0-1069-a2ea-08002b30309d}"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{871c5380-42a0-1069-a2ea-08002b30309d}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}"=dword:00000000

[-HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder]

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder]
"Attributes"=dword:00000024
"HideFolderVerbs"=""
"WantsParseDisplayName"=""
"HideOnDesktopPerUser"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoInternetIcon"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoInternetIcon"=-
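Before merging a .reg file like the one above, it helps to list exactly which keys and values it creates or deletes. The following Python is an added example (not part of rzamriv's post) that parses the subset of REGEDIT5 syntax used there and summarizes the operations; the sample input is an excerpt of the posted file.

```python
# Added example: summarize what a .reg file will do before merging it.
# Handles the REGEDIT5 subset used in the thread: key add/delete,
# value delete, string and dword values.
import re

# Excerpt of the .reg text posted above, used here as sample input.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{871c5380-42a0-1069-a2ea-08002b30309d}"=-

[-HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder]

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder]
"Attributes"=dword:00000024
"HideFolderVerbs"=""
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Return (operation, key, value_name, data) tuples in file order."""
    ops, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):          # [-KEY] deletes the whole key
                key = None
                ops.append(("delete_key", body[1:], None, None))
            else:                              # [KEY] creates/selects the key
                key = body
                ops.append(("create_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unparsed line: %r" % raw)
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data == "-":                        # "name"=- deletes the value
            ops.append(("delete_value", key, name, None))
        elif data.startswith("dword:"):        # 32-bit value, hex encoded
            ops.append(("set_dword", key, name, int(data[6:], 16)))
        else:                                  # quoted REG_SZ string
            ops.append(("set_string", key, name, data.strip('"')))
    return ops
```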
Posted by: CMTech
« on: 30. May 2009., 22:19:59 »

VNC is cool but not everyone trusts it on forums...
Posted by: F3RL
« on: 30. May 2009., 14:09:36 »

Always back up or clone your data and store it with TrueCrypt with a hard-to-guess password.

I would first use Acronis Disk Cleanser to completely wipe the disk with the 3-overwrite algorithm to make sure any malware or virus is cleared, since some nasty ones do not get deleted even after a format. Then re-install the operating system without the ethernet cable plugged in. If I or we had VNC it would be much easier to know and fix the problems of forum users.
Posted by: CMTech
« on: 29. May 2009., 17:25:06 »

One trick that most viruses like doing is messing up your internet connection. They do this by changing the proxy settings in Internet Explorer initially, which leads to Firefox and other browsers being affected. Please can you check to see if the virus has changed your Firefox proxy settings; if it's looping back to 127.0.0.1 then remove that entry!

Edit: Just had a thought that Conficker will probably be way more advanced, but this is worth a try.
Posted by: georgecloner
« on: 07. April 2009., 09:24:14 »

Try "System Restore" and restore it to a much "later" date (that is before you got the virus).

If not possible, download "BartPE" to create a bootable emergency disc (http://www.pcworld.com/downloads/file/fid,63901/description.html). In BartPE's environment look for these files: "system", "software", "sam", "security", "default" in the folder "C:\System Volume Information".

These files are restore points from your Snapshot folder, for example:

C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot

With the files from the snapshot folder (of a later restore date), try to overwrite your system files in "c:\windows\system32\config\", respectively "system", "software", "sam", "security", "default". (You cannot overwrite these files if you are in the Windows environment, only in the Recovery Console or BartPE.)

I already tried this operation, recovering from bad system files with regard to a BSOD.

Hope this helps.

Regards,

George
Posted by: Samker
« on: 07. April 2009., 07:31:19 »

SB, this is very difficult "infection".

Try to install and run at least this Microsoft Tool via memory stick.

I also need new HJT log.

Posted by: Savage Belief
« on: 07. April 2009., 00:23:08 »

Boy, this is nasty. I can't even pull up Task Manager. Or Services. When I try to run services.msc I get an error that it can't find mmc.exe.

The plot thickens...
Posted by: Savage Belief
« on: 07. April 2009., 00:15:34 »

It's kinda funny. I can't get to any of those pages to download any of those tools. I get page load errors in Mozilla. Well, it's funny because it's not my PC. If it was mine I'd be pissed.

So what next? I'm thinking replace the HDD. I could probably pick up a 40 gig one for about $20 at Fry's. ;D ;D
Posted by: Samker
« on: 06. April 2009., 13:29:51 »

SB, please follow my next instructions and after them provide us with fresh new logs (try Kaspersky again):


1. Download and Run Full Scan with Microsoft Removal Tool: http://scforum.info/index.php/topic,4510.0.html

2. Download, Install, Update and Run Full Scan with Malwarebytes' Anti-Malware: http://scforum.info/index.php/topic,2201.0.html

3. My recommendation is also to uninstall current AntiVirus and install AVG (Free Version): http://free.avg.com/download-avg-anti-virus-free-edition
After that, Update your AntiVirus and also run Full Scan.


That's all for now, I'll wait for your next reply (logs).

Best Regards,

Samker
Posted by: Samker
« on: 06. April 2009., 06:14:43 »

Thanks SB,

We will analyze your HJT log in the next few hours and provide you with new instructions.

Regards,

S.

Posted by: Savage Belief
« on: 06. April 2009., 03:49:38 »

Ok, I managed to find Kaspersky on cnet but it will not install. The same situation as Avira. I hope the HijackThis log helps.
Posted by: Savage Belief
« on: 06. April 2009., 01:53:26 »

Oh, BTW I ran a StopSign scan and this PC also has Win32.Virut.30.

Since StopSign wants money to clean it I attempted to load Avira but it will not install. It runs through the start of the install process but then stops.
Posted by: Savage Belief
« on: 06. April 2009., 01:48:30 »

I can't get to the Kaspersky site to DL the software but here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:02 PM, on 4/5/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\eAcceleration\Station\station_bk.exe
C:\WINDOWS\System32\wpabaln.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Airlink101 Airlink101 WLAN Monitor] C:\Program Files\Airlink101\Airlink101 WLAN Monitor\WLANmon.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
O4 - HKLM\..\Run: [SoftwareStation] "C:\Program Files\eAcceleration\Station\station.exe" /b Startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6F6F8F8-7545-4A00-8343-2A1EF5E4B202}: NameServer = 72.223.11.96
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: DelSrv Service Controler - Unknown owner - C:\WINDOWS\system32\drivers\DelSrv.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: eAcceleration Notification Service (eac_notifysvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: eAcceleration Product Manager Service (eac_productsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_productsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing)
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\System32\msiexec.exe (file missing)
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\System32\locator.exe (file missing)
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\System32\rsvp.exe (file missing)
O23 - Service: Smart Card Helper (SCardDrv) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: StopSign Antivirus Security Center Provider (sstsmonsvc) - eAcceleration Corp - C:\PROGRA~1\EACCEL~1\FRAMEW~1\eac_svc.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: Windows Hosts Controller - Unknown owner - C:\WINDOWS\Fonts\unwise_.exe

--
End of file - 4700 bytes
Posted by: Samker
« on: 05. April 2009., 21:07:33 »

Hi Savage Belief,

Don't worry, we will help you with this; please follow the next instructions so we can do that ASAP:

1. Provide us all possible details related to your problems / infection.

2. Run Kaspersky Online AntiVirus Scan: http://scforum.info/index.php/topic,734.0.html

3. Download & run HijackThis: http://scforum.info/index.php/topic,785.0.html

4. Provide us logs from HijackThis & AntiVirus Online Scan


We will wait for your reply (with logs).

Regards,

SCF Team
Posted by: Savage Belief
« on: 05. April 2009., 18:35:37 »

Hey all,

I'm working on my in-laws' PC today and we re-installed XP because their system was bogged down with all kinds of crap, so a clean install was the quickest solution. Granted, my mom-in-law did the reinstall so I don't know if she deleted the partition before the install, but when I tried to activate Windows it wouldn't connect to their servers (or any other Microsoft site for that matter). So I figured it had the Conficker. So I downloaded the bd tools cleaner and rebooted. When it came back up and I tried to connect to the internet it told me it couldn't find IEXPLORE and asked me if I wanted to fix it, so I did. Then the IE shortcut I was using disappeared.

So now I'm stuck. What now?