it all started with ipmon.exe

[2kg4u]

I ran the procedure posted by Howard_hopkinso. Uploaded HJT, AVG antispyware report and combofix log. AVG antiroot scan was clean.

Several of my drivers will not work (wireless LAN, USB, printers, sound card, etc.), and I get error messages when I try to reload them. Random sites keep popping up when on the internet (IE).

Compaq notebook V2310US, Windows XP SP2, 1 Gb Ram.

This is nasty and I know the easy way would be to reformat, but this thing has me pissed off and I want someone's help to beat it.

Roy

Whatever is going on in my puter, it also deleted all my system restore points.

 

[howard_hopkinso]

Hello and welcome to Techspot.

All items in your AVG Antispyware log say "No Action Taken". That`s because you haven`t told AVG Antispyware to quarantine it`s results as per the instructions. See this pictorial guide.

Also, you haven`t posted the Combofix log, but instead have posted the Combofix quarantine log.

I have therefore removed your logfiles, so that you will be able to reattach them without problems.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread.

Regards Howard :wave: :wave:

This thread is for the use of 2kg4u only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[2kg4u]

Thanks Howard. I will repost everything tonight when I get home.

 

[2kg4u]

updated scans

updated HJT, and logs for combofix and avg antispyware are attached. AVG antiroot scan was clean.


Roy
5/28/54

 

[howard_hopkinso]

Delete all files in AVG Antispyware quarantine.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and Combofix log.

Regards Howard

This thread is for the use of 2kg4u only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[2kg4u]

avanger run, fresh logs attached

I ran Avenger (your instuctions were perfect) and have attached the log, as well as fresh logs from combofix and HJT.

Roy

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ipmon.exe
Size Sign.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [ipmon] ipmon.exe

O4 - HKCU\..\Run: [Thirdford] C:\DOCUME~1\ERIC~1.ERI\APPLIC~1\POLLSO~1\Size Sign.exe

O4 - HKUS\S-1-5-21-117609710-1078081533-725345543-1005\..\Run: [Thirdford] C:\DOCUME~1\ERIC~1.ERI\APPLIC~1\POLLSO~1\Size Sign.exe (User '?')

O20 - Winlogon Notify: winjrs32 - winjrs32.dll (file missing)

O20 - Winlogon Notify: winwil32 - winwil32.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\DOCUME~1\ERIC~1.ERI\APPLIC~1\POLLSO~1<Delete the entire folder.

ipmon.exe<Search your system for this file and delete all instances found.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard

This thread is for the use of 2kg4u only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[2kg4u]

fresh HJT

processes tab ...... ipmon.exe and size sign.exe not observed
HJT ... all 6 you listed observed, checked, and fixed
1 folder deleted
1 instance of ipmon.exe found and deleted
fresh HJT attached

Roy

 

[howard_hopkinso]

Very well done, your HJT log is now clean.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of 2kg4u only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[2kg4u]

my drivers are working

I turned system restore off and on.

Drivers are not working for sound, wireless, USB, and all printers. Won't allow me to add printers (operation could not be completed. The print spooler service is not running). I get an error message when I load the drivers CD (Application installer has encountered a problem and needs to close) and I get the same error message when I try to load the install.exe from the drivers CD when I access it from explorer.

For example, when I open sounds and audio devices in the control panel, it tells me there is no audio device. When I try to load the audio drivers from the CD I get the above error message. When I try to load the sound driver from Compaq's website, it downloads okay but when I try to intall it I get a message that the install failed.

If the nasties have been removed from my puter, is it possible there was a key operating component damaged or deleted by the nasties before you banished them?

Roy

 

[howard_hopkinso]

Yes, it`s entirely possible for the infections you had to have damaged your OS.

Try doing a Windows repair as per this thread HERE and see if it helps.

Regards Howard

 

[2kg4u]

don't have operating system disk

Can't find my operating system disk. I had a suspicion we were headed for this so I ordered a new one yesterday which should be here late next week. Please put me on the back burner for now, and when I get the new disk I will try to repair the damage, and send you a note letting you know how I made out.

Thank you so much for your help. It is much appreciated.

Roy

 

[howard_hopkinso]

Ok, in the meantime, let`s see if we can get your print spooler service running.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it.

Scroll down and look for Print Spooler, double click on it and set the startup type to automatic and click applt. Click start button and click ok. Close the window. See if you can now install your printer.

Now go into your device manager and make sure noting is set to diabled or has a yellow question or exclamation mark next to it. let me know what you find.

Regards Howard

 

[2kg4u]

might be fixed??????

While I was waiting for your response, I ran searches on some of the error messages I was seeing, and the answers lead me into control panel, administrative tools, component services, services (local)...... I searched the list for all disabled components, read the desciptions to see which ones sounded like I needed them, set them from disabled to automatic, and started them.

I don't know if everything is fixed, but I am now showing printers and my puter will now read and load the drivers off the drivers CD. I am in the process of loading all drivers.

I will let you know how I make out.

Roy

 

[howard_hopkinso]

That`s great news and hopefully, you`re now good to go.

I still think it`s a good idea to get a Windows disk, if only for future reference.

Regards Howard

This thread is for the use of 2kg4u only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[2kg4u]

thanks again Howard

Thanks Howard. I can't tell you how much I appreciate your help. This is now my second favorite forum, and I will visit on a regular basis. (I have a 500+ HP trans am and am always using LS1tech forum for help with it).

I have the windows disk on order. I will post a note when all is installed and let you know how I made out.

Roy

 

[2kg4u]

final follow up

Thanks Howard. All is clean and functioning as it should. I appreciate your help.

Roy