Guild Wars Forums - GW Guru
Old Jul 22, 2008, 02:37 AM // 02:37   #21
Age
Hall Hero
Join Date: Jul 2005
Location: California Canada/BC
Guild: STG Administrator
Profession: Mo/

The only things I can't do are update to Service Pack 3 and use my CD rewriter; also, my System Restore only goes back to June. I can do what Tarun suggests, except at this point I can't do any downloading, as I am on my other computer atm. I can do that tomorrow.

What download accelerator? I uninstalled GetRight, deleted the installer and did a disk clean.

Where do I find this file? Can I just type it in the Start > Run box?

Last edited by Age; Jul 22, 2008 at 02:47 AM // 02:47..
Old Jul 22, 2008, 03:37 AM // 03:37   #22
Lord Sojar
The Fallen One
Join Date: Dec 2005
Location: Oblivion
Guild: Irrelevant
Profession: Mo/Me

Cozit is a low-priority worm that came with GetRight at one point. It is more spyware than a worm, but the way it functions forces its classification as a worm.
Old Jul 22, 2008, 03:59 AM // 03:59   #23
Age
Hall Hero
Join Date: Jul 2005
Location: California Canada/BC
Guild: STG Administrator
Profession: Mo/

I must have an older version of XP, because I can't type those .exe commands in Start > Run. This is what this person has said.

This bad file

Last edited by Age; Jul 22, 2008 at 04:06 AM // 04:06..
Old Jul 22, 2008, 05:04 AM // 05:04   #24
Tarun
Technician's Corner Moderator
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/

You could give Dial-a-fix a shot, and if you can, run LSPFix too.

http://wiki.lunarsoft.net/wiki/Dial-a-fix
http://cexx.org for LSPFix
Old Jul 22, 2008, 05:01 PM // 17:01   #25
ducktape
Krytan Explorer
Join Date: Jul 2005
Profession: W/R

Ok, whatever you do, PLEASE UNINSTALL THAT VERSION OF VNC IMMEDIATELY! The version you have is vulnerable to a security exploit that lets people into your PC, and they can do literally anything to it once they are in. You need any version of VNC that is newer than 4.1.1 in order to keep from getting re-hacked.

We had lots of problems with this at my work for a while. Upgraded everyone's VNC and the problem went away. Until that damn Flash exploit last month, anyway.

Speaking of which, go to C:\windows\system32\macromed\flash and make sure you have a file in there called flash9f.ocx. If you have flash9e.ocx or anything else, you have a version of Flash Player that is a cootie's best friend and will win you lots of malware just from browsing the internet. To update your Flash, you can just run the FlashUtil9.exe file in the same folder. If your Flash is really ancient, there might be an exe named GetFlash.exe sitting there instead; run that.
Old Jul 22, 2008, 08:27 PM // 20:27   #26
Age
Hall Hero
Join Date: Jul 2005
Location: California Canada/BC
Guild: STG Administrator
Profession: Mo/

I know I still have to get rid of VNC, and I have updated to the new version of Flash, at least I should have. This is what I have done so far: I updated Spybot S&D from 1.4 to 1.8 and Lavasoft Ad-Aware from 2007 to 2008. I was getting 2 Trojans with Spybot 1.4.

What I'd like to get rid of is the file at No. 10, as HijackThis can't do it; it says to go to this site, and I get a 404 error, or to use S&D, which I did, and it is still there. This is my latest report, btw.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:12 PM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)

--
End of file - 3728 bytes

I am redownloading XP SP3 and will do that Lunarsoft downloader another day if this doesn't work out too well. I need my ISP cable on my good, newer PC.

Last edited by Age; Jul 22, 2008 at 08:30 PM // 20:30..
Old Jul 22, 2008, 08:50 PM // 20:50   #27
Tarun
Technician's Corner Moderator
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Generated by Tarun of Lunarsoft's HijackThis Converter v0.53 Beta.

Default-color items are optional, red are known to be malicious.

Changed registry value
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Created extra registry value where only one should be
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Enumeration of suspicious auto-loading registry entries
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

Broken Internet access. To fix these you will need LSPFix
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

Downloaded Program Files item
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab

Aside from needing SP3, you should also update to IE7 for added security.

Last edited by Tarun; Jul 22, 2008 at 08:52 PM // 20:52..
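As an added example for readers following the triage above (this is not Lunarsoft's HijackThis Converter and not code from anyone in the thread), here is a small Python script that does the first pass a technician makes over a HijackThis log. It parses the entry types seen in Age's log, flags R3/O2-style entries that point at "(no file)", O23 services whose binary is "(file missing)", O10 LSP and O20 AppInit_DLLs entries (report only, never delete blindly), and O4/O23 executables that sit outside the usual program directories. The sample lines are copied from the log posted above; the "expected directories" list and the flag wording are assumptions of this example, and a flag means "look at this", not "malicious".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A HijackThis entry is "<code> - <rest>", e.g. "O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<rest>.*)$")

# First executable path in an entry: a quoted path, or a bare drive path up to the first ".exe".
# The bare form is non-greedy so "C:\Program Files\...\WinVNC4.exe (file missing)" stops at .exe.
PATH_RE = re.compile(r'"(?P<q>[^"]+\.exe)"|(?P<b>[a-z]:\\[^"]*?\.exe)', re.IGNORECASE)

# Where startup programs and service binaries normally live (assumption of this example;
# anything elsewhere is flagged for a manual look, not declared malicious).
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class Finding:
    code: str
    entry: str
    flags: List[str] = field(default_factory=list)


def exe_path(rest: str) -> Optional[str]:
    """Return the executable referenced by an O4/O23 entry, or None (e.g. '(no file)')."""
    m = PATH_RE.search(rest)
    return (m.group("q") or m.group("b")) if m else None


def in_expected_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in EXPECTED_DIRS)


def triage_entry(code: str, rest: str) -> Finding:
    f = Finding(code, f"{code} - {rest}")
    low = rest.lower()
    if "(no file)" in low:
        f.flags.append("orphan: registered component has no file on disk, safe to fix")
    if "(file missing)" in low:
        f.flags.append("orphan: service binary missing, the service entry can be removed")
    if code == "O10":
        f.flags.append("Winsock LSP: identify the DLL first; repair only with an LSP tool such as LSPFix")
    if code == "O20":
        f.flags.append("AppInit_DLLs: loaded into every GUI process, identify the DLL")
    if code == "O16":
        f.flags.append("downloaded ActiveX control: remove unless the site is still needed")
    if code in ("O4", "O23"):
        path = exe_path(rest)
        if path is not None and not in_expected_dir(path):
            f.flags.append(f"executable outside expected directories: {path}")
    if code == "O23" and "unknown owner" in low:
        f.flags.append("service without publisher info: verify the binary's signature or hash")
    return f


def triage_log(text: str) -> List[Finding]:
    """Parse a whole log and return only the entries that raised at least one flag."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # header lines and the running-process list do not match and are skipped
            f = triage_entry(m.group("code"), m.group("rest"))
            if f.flags:
                findings.append(f)
    return findings


# Lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe (file missing)
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.entry)
        for flag in finding.flags:
            print("   ->", flag)
```

Run against the sample, it reports the orphaned Yahoo! URLSearchHook, the HP keyboard utility (only because C:\HP is not in the expected list), the LSP and AppInit_DLLs entries for identification, and the WinVNC4 service as both missing and unowned; the Spybot BHO, NeroCheck, ICQ and AVG entries produce no flags. Anything flagged "outside expected directories" still needs the hash and signature check before it is fixed.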
Old Jul 22, 2008, 09:40 PM // 21:40   #28
Age
Hall Hero
Join Date: Jul 2005
Location: California Canada/BC
Guild: STG Administrator
Profession: Mo/

I know about No. 10 as well as the rest of those, and thanks for that tool to get rid of them. Thanks.
Old Jul 23, 2008, 02:22 PM // 14:22   #29
Snograt
rattus rattus
Join Date: Jan 2006
Location: London, UK GMT±0 ±1hr DST
Guild: [GURU]GW [wiki]GW2
Profession: R/

Ooh, a HJT log analyser!

Is that usable by bog-standard end users to any extent? Or does it still require deep-down knowledge of HJT?

Is it available?
Old Jul 23, 2008, 03:10 PM // 15:10   #30
samba
Academy Page
Join Date: May 2006
Profession: W/Mo

Okay now.... :E

You can fix this:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

And these you can fix if you don't need them:
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
They are not viruses.

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll DON'T FIX THIS! It's legit...

Go to www.bleepingcomputer.com or www.malwareremoval.com and go to the malware removal school, and then you'll learn how to use HijackThis..

Btw, Spybot Search & Destroy and Ad-Aware are both just so useless; I'd rather use Malwarebytes Anti-Malware...
Old Jul 23, 2008, 07:21 PM // 19:21   #31
zamial
Site Contributor
Join Date: Apr 2006
Location: Usa
Guild: TKC
Profession: N/

HJT is an awesome program but can be harmful to your system. In this instance you can turn into your own worst enemy.

There is no school, that I have ever heard of, that offers a malware removal course. There are, however, many online lists of HJT log files. ALWAYS compare a few lists to be more positive.

Ad-Aware SE and Spybot S&D are industry TRUSTED programs. There are many other programs available; some even put malware on your computer for you, isn't that nice.
Old Jul 23, 2008, 08:12 PM // 20:12   #32
samba
Academy Page
Join Date: May 2006
Profession: W/Mo

www.malwareremoval.com
www.geekstogo.com
www.bleepingcomputer.com

Above you can see a few links to malware removal schools (you have to search around a little to find them). I'm actually studying at malwareremoval, and I have graduated from www.virustorjunta.fi (a Finnish malware-removal site) as a Virus Expert.

zamial, Ad-Aware and Spybot S&D are total bull****. If you download rogue programs from the internet, it's your own fault. Use trusted programs, and always research if you find a new one. Like Malwarebytes Anti-Malware and online scanners.

Don't play with HJT if you aren't 100% SURE that you know what you are doing. Even the biggest experts make mistakes these days, and it can ruin your whole computer.


Last edited by Tarun; Jul 23, 2008 at 09:10 PM // 21:10.. Reason: Censored language. No need for that here.
Old Jul 23, 2008, 09:09 PM // 21:09   #33
Tarun
Technician's Corner Moderator
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Spybot still does an outstanding job.

Websites that train you don't mean much in my opinion, real world experience is much more valuable.
Old Jul 24, 2008, 12:48 AM // 00:48   #34
Age
Hall Hero
Join Date: Jul 2005
Location: California Canada/BC
Guild: STG Administrator
Profession: Mo/

What I really need to do to get XP SP3 installed is this.
http://support.microsoft.com/kb/949377

I still can't get my CD writer to work, though, and I don't use that often; that is hardware.

It would seem No. 10 is legit, but I like the fact that a web-based school tells you to use toolbars, where most malware resides.

Last edited by Age; Jul 24, 2008 at 12:51 AM // 00:51..
Old Jul 24, 2008, 11:35 AM // 11:35   #35
samba
Academy Page
Join Date: May 2006
Profession: W/Mo

Quote:
Originally Posted by Tarun
Spybot still does an outstanding job.

Websites that train you don't mean much in my opinion, real world experience is much more valuable.
LOL, then you're wrong; after about six to twelve months at www.malwareremoval.com, you'll be able to remove all kinds of nasties with all kinds of 'cool' programs. You'll not learn that from 'real world experience'.

Real world experience = you try, you fail. At school there's no harm if you fail; in a real situation it can really cost you.
Old Jul 24, 2008, 04:41 PM // 16:41   #36
Tarun
Technician's Corner Moderator
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/

If I'm wrong, can you prove it? I'd like to see how I'm wrong about this.

Real world experience is far more valuable than any "forum training" because you actually deal with the malware yourself. You do much more than just sit there and say "Oh run this scanner and download this" with your pre-typed segment of text. My experience dealing with malware and other computer problems more than quadrupled because of my tech job. You can diagnose and solve problems faster and better with real world experience. Ever heard of the malware Elite Toolbar? Back when it was new a few years ago there were no scanners that detected it. HijackThis would have a couple items of it listed, but aside from that there was no detections for it at all. Due to real world experience you can easily navigate to the directory and remove all of the malware elements.

You won't learn that with real world experience? Really? Have you tried? Because if you had then you would know good and well that the experience from the real world takes you farther, and you can remove malware better and faster. Real world experience takes you beyond looking at a HijackThis log and pasting your pre-typed text from your "school" forums.

These forum "schools" simply tell you to look for certain things in HijackThis. They don't help you to clearly identify any of the symptoms that a user reports. Real world experience lets you look at the entire system. You feel the symptoms, see them with your own eyes. You can handle things from Safe Mode, track the paths of malware and remove them by hand if any scanner or tool fails.

To say Spybot is useless is uneducated at best. While I'm not saying you use one program to kill all malware, I am saying that you need more than one and quite often Spybot will find traces that other scanners do not find. While Spybot is not the first I run it's usually last due to the slow speed, though with 1.6 it has improved. It's true Spybot could be better, but it is not useless.

You shouldn't "need" all of these "cool programs" just to remove malware. It's ludicrous at how many scanners people think they need to remove the infections. Oh but wait, running all five of these scanners didn't work so now we have to make the user run this tool which can potentially damage the system. Combofix is a prime example, where it destroyed system32 directories because of a rootkit infection. Who was it that instructed them to run it? Those who "graduate" from these malware removal "schools" and then act like they're technicians with experience, when they are self-appointed technicians and nothing more. Now don't get me wrong, some of them are very nice and helpful people (such as screen317), but many get over-inflated egos and believe they are experts.

I wonder why you pretty much duplicated what I had already posted for Age's log? Was there any purpose? None that I can see, except maybe a +1 to your post count. It gets messy when many types of people try to clean and diagnose these issues. If someone is already being helped, leaving them to the technician assisting them is best. If something is overlooked, sure; go ahead and point it out, otherwise let the technicians already assisting the user handle it.

samba93, if you want to continue this discussion, PM me or start another thread. This thread is not where it belongs.

Age, sorry that your post has been driven off topic by a few. I wish I could help clean this thread up so Age has one thing to focus on, and not have to be concerned about other posts. If it continues, we can handle any unnecessary posts.

If you need any more help, let us know. The Technicians are here to help you!

Last edited by Tarun; Jul 24, 2008 at 04:46 PM // 16:46..
Old Jul 24, 2008, 05:55 PM // 17:55   #37
Painbringer
Furnace Stoker
Join Date: Jun 2006
Location: Minnesota
Guild: Black Widows of Death
Profession: W/Mo

Tarun

Just a question on an entry you pointed out

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe


I read about a virus masquerading as this entry on BleepingComputer and MajorGeeks, but it did not go into detail on how to tell if it is legit or the virus. Do you know of any way to check?

The entry was in my logs as well.
Old Jul 24, 2008, 06:18 PM // 18:18   #38
Tarun
Technician's Corner Moderator
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Having the user upload it to Jotti and VirusTotal is one way. If you're on the client machine you can do the same, or check the file itself manually.

http://www.sysinfo.org/startuplist.p...eroFilterCheck

I pointed it out mainly because it's not needed. I believe StartUpLite also recommends removing it.
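For the "check the file itself manually" step, here is an added Python example (mine, not Tarun's procedure and not part of the thread) of what to record before deciding whether an O4 entry such as NeroCheck.exe is the real thing or something borrowing its name. It compares the path the registry will actually launch against the location the legitimate program installs to (malware that reuses a known name usually lives in the wrong directory), confirms the file starts with the "MZ" executable header, and computes MD5 and SHA-256 so the hashes can be searched on VirusTotal or Jotti without uploading the file. The expected location is the one from the HijackThis line above; the directory tree, file contents and verdict wording are constructed for this example.

```python
import hashlib
import os
import tempfile
from typing import Dict, Optional

# Location given by the O4 line in the log above; the installer puts NeroCheck.exe here.
EXPECTED_LOCATION = r"C:\WINDOWS\system32\NeroCheck.exe"


def file_hashes(path: str, chunk: int = 1 << 16) -> Dict[str, str]:
    """MD5 and SHA-256 of a file, streamed so large binaries are not read into memory.
    Either hash can be pasted into the VirusTotal or Jotti search box to find prior reports."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def same_windows_path(a: str, b: str) -> bool:
    """Windows paths are case-insensitive; normalise separators and case before comparing."""
    norm = lambda p: p.replace("/", "\\").lower().rstrip("\\")
    return norm(a) == norm(b)


def looks_like_pe(path: str) -> bool:
    """Every Windows executable starts with the two-byte 'MZ' DOS header."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def check_startup_binary(registry_value: str, expected_path: str,
                         file_on_disk: Optional[str] = None) -> Dict[str, object]:
    """registry_value: the path as written in the Run key (what Windows will execute).
    expected_path:  where the legitimate program installs the binary.
    file_on_disk:   where to read the bytes from; defaults to registry_value. It is separate only
                    so this demo can check a registry string while reading from a temp directory."""
    file_on_disk = file_on_disk or registry_value
    report: Dict[str, object] = {
        "registry_value": registry_value,
        "in_expected_location": same_windows_path(registry_value, expected_path),
        "exists": os.path.isfile(file_on_disk),
    }
    if report["exists"]:
        report["is_pe"] = looks_like_pe(file_on_disk)
        report["size"] = os.path.getsize(file_on_disk)
        report.update(file_hashes(file_on_disk))
    report["verdict"] = (
        "matches expected location; look up the hashes before trusting it"
        if report["in_expected_location"] and report.get("is_pe")
        else "wrong location or not a PE: treat as suspect, submit the hashes or the sample"
    )
    return report


def build_demo_tree() -> Dict[str, str]:
    """Constructed sample data: a fake system32 holding a PE-looking NeroCheck.exe, a same-named
    decoy in a temp folder with the wrong magic, and an empty file whose hashes are well known."""
    root = tempfile.mkdtemp(prefix="hjt-demo-")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    temp = os.path.join(root, "DOCUME~1", "user", "LOCALS~1", "Temp")
    os.makedirs(sys32)
    os.makedirs(temp)
    good = os.path.join(sys32, "NeroCheck.exe")
    with open(good, "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 100)  # 168 bytes, constructed
    decoy = os.path.join(temp, "NeroCheck.exe")
    with open(decoy, "wb") as fh:
        fh.write(b"#!/bin/sh\necho not a PE\n")  # wrong magic, constructed
    empty = os.path.join(root, "empty.bin")
    open(empty, "wb").close()
    return {"root": root, "good": good, "decoy": decoy, "empty": empty}


def run_demo() -> Dict[str, Dict[str, object]]:
    t = build_demo_tree()
    return {
        "good": check_startup_binary(r"C:\WINDOWS\System32\NeroCheck.exe", EXPECTED_LOCATION, t["good"]),
        "decoy": check_startup_binary(r"C:\DOCUME~1\user\LOCALS~1\Temp\NeroCheck.exe", EXPECTED_LOCATION, t["decoy"]),
        "empty": check_startup_binary(r"C:\empty.bin", EXPECTED_LOCATION, t["empty"]),
    }


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```

On the real machine you would call check_startup_binary with the path from the O4 line and nothing else, then search the SHA-256 at VirusTotal or Jotti and compare against the startup-list entry Tarun linked. A location match and a clean hash lookup are the evidence; on Windows you can add the publisher's Authenticode signature as a third check (Get-AuthenticodeSignature in PowerShell) where the vendor signs its binaries.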
Old Jul 24, 2008, 10:48 PM // 22:48   #39
Age
Hall Hero
Join Date: Jul 2005
Location: California Canada/BC
Guild: STG Administrator
Profession: Mo/

It is OK; I still believe in Spybot, as most use it, and it is more highly recommended than others. It is good to check for newer versions every few months.
Old Jul 31, 2008, 11:13 PM // 23:13   #40
Age
Hall Hero
Join Date: Jul 2005
Location: California Canada/BC
Guild: STG Administrator
Profession: Mo/

I tried the Lunar downloader; it worked well and didn't take too long to do a scan. It cleaned up some things, but my older PC is still messed up. It can't use both the A and D drives and read from them as well. I am going to have to do the File Transfer Wizard and then do a Windows recovery.

Those 2 Trojans did a lot of damage.
All times are GMT. The time now is 01:44 AM // 01:44.
Powered by: vBulletin
Copyright ©2000 - 2016, Jelsoft Enterprises Ltd.