Abebot, trojans, need help

Status
Not open for further replies.

wannabee

Good morning all. I have just kidnapped a very sick Dell Dimension 2400 desktop from a friend of mine who could no longer get it to boot, and who last remembers seeing an Abebot error when running McAfee virus scan, only to have her system completely "crap out" on her within a few hours. I have uninstalled McAfee, installed and updated Norton Internet Security and scanned with no errors found. I installed and ran Ad-Aware 2007, which found 4 critical errors with a TAI of 4-10 and removed them, and installed Avast antivirus as well. Only thing is I am still having concerns with no longer being able to run Avast (error states Avast: the AVVM system detects an RPC error), and when I ran ZoneAlarm it stated that although I have a pretty yellow bar in my taskbar, with a green checkmark for Norton, the ZoneAlarm program doesn't show me running it on this machine, and I can't turn it on from their dashboard. When I open Norton it shows I am up to date with virus definitions and all green check marks. Spybot is continually popping up requests to change browser settings, trying to add a hex: value (series of numbers after hex: that vary from time to time, all separated by commas). When the computer starts up, I get a dialog box with a red X that states the computer cannot find file www . privacy_center......htm. Also, I encounter an issue when I open the web browser that no matter what I change the home page address to, it defaults back to the www . softwarereferral . com/ home page (which doesn't load at all).

I am attaching the latest hjt file, for your review, this was NOT done post adaware restart, but after adaware scan.

The first avast scan of the registry (took about 4 hours to scan entire startup process, found 7 trojan entries, one of which is affecting a program file in her comcast provider directory. I personally have the computer on my verizon fios line here.

Any help would be appreciated. I am trying to get this back to her asap and if you have any advice on how she can prevent her kids from slipping and clicking on bad popups, i'm sure she'd appreciate it.

Sorry for the ramble...it's now 2am and I've been at this for a while.

All Windows updates have been done. System is Windows XP running IE 7 (although I am thinking of installing Mozilla while it's visiting).
 
This is a very sick PC; you may have made it worse by running 2 AV systems.

Follow these steps in this order.

The first thing that I need you to do for me is completely uninstall Norton if you have not done so already.

Disable Teatimer
Please disable Teatimer as it may interfere with the fix.
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings in TeaTimer.

Copy and paste ALL the following text in the code box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your PC.
Code:
REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

DELDOMAINS

Download Deldomains.
  • Save it to your desktop.
  • Right-click DelDomains.inf and select: Install (no need to restart)
  • You may not see any noticeable changes or prompts; this is normal.
Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally attach the Report.txt back on the forum

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please attach the contents of C:\vundofix.txt
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please Download VirtumundoBeGone by secured2k
  • Save the file to your desktop
  • Close all running programs (including your Internet Browser)
  • Double-click VirtumundoBeGone.exe on the desktop
  • Read the introductory information, and then click Continue
  • Click Start
  • When asked if you want to continue, click Yes to run the fix
  • Click "Save Log"

Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH, so don't be concerned when this happens. It requires you to manually reboot to restore your normal Windows desktop.

The log created by VirtumundoBeGone called VBG.TXT will be on located on your desktop. Please retain VBG.TXT.

Empty Recycle Bin.

Reboot and attach the VBG.TXT into this thread.
Also please describe how your computer behaves at the moment.

Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please attach that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Run a fresh HijackThis scan after completing these steps.
 
Updates to system

Thank you for getting back to me so quickly. I am almost "done" in the process and noticing a few good things. The errors I saw on startup are gone, and the computer is moving faster; also the software referral start page looks like it might be gone for good. I am attaching report.txt and the new HijackThis log file I just ran, as well as the Virtumundo report. The Vundo program found nothing so there is no log to attach. Almost clean?

If yes, what can I suggest to her to not get herself in this predicament again?

Thanks so much!!!

Next step is to run Smitfraud...I'll keep you updated!! Thanks again
 
one more thing

Swore I wouldn't be one of those "incessant" posters filling you with too many unnecessary details, but thought you should know. After running VBG, emptying the recycle bin and restarting, still not seeing errors but the system seems to be running a bit more sluggish than immediately before I ran VBG. MSN.com was slow to load this time (had been loading rather quickly) and it just seems that there is a lag now after running it, even though I didn't encounter the blue screen of death.

Just restarted one more time, and going to see if I can get the Smitfraud page to load this time.

thanks
 
Leave Smitfraud for now,

Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wytpc.dll/sp.html#28129
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {D8010B5A-E220-B876-B855-D2861F450A0C} - C:\WINDOWS\system32\mfcvj32.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C: one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O21 - SSODL: SetupCheck - {6fe3f75e-1210-4c30-8c77-8bf0e54cb703} - C:\WINDOWS\Installer\{6fe3f75e-1210-4c30-8c77-8bf0e54cb703}\SetupCheck.dll (file missing)
O21 - SSODL: ChkCD - {36b1477b-8cdb-4aeb-b348-ad04be317673} - C:\WINDOWS\Installer\{36b1477b-8cdb-4aeb-b348-ad04be317673}\ChkCD.dll (file missing)
O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\nttv.exe (file missing)
O24 - Desktop Component 0 : Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Check for and Delete Files and Folders
  • Right Click on the start button and chose explore
  • Show all hidden files and folders, see how HERE
  • Navigate to the following files and folders and delete them(if still present)
C:\Program Files\PC-Antispyware\IeExtension.dll<---------This File
C:\WINDOWS\system32\mfcvj32.dll<---------This File
C:\WINDOWS\nttv.exe<---------This File
C:\WINDOWS\privacy_danger<---------This Folder

  • Empty the recycle bin.
If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update TAb at the top
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5) follow the on screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install go to Start -> Control Panel -> Add/remove programs (Programs and features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder

Run HijackThis again and post a fresh log.
 
and so it goes

ran smitfraud....see attached rapport.txt

Deleted selected hjt files. Used explorer to find any "straggler" files, and found none.

Installed newest Java, used add/remove to get rid of 3 old java installations. Used explorer to remove one remaining folder in program files.

Restarted, reran hijack this, and attached new2 log.

One side note...in the Windows folder I see MANY folders/files at the top of the file list that start with a $....notice some are files that have uninstall in the title....can I simply trash this junk, or is it a sign of something more sinister?
 
Same Abebot - Trojan downloader. xs problem

Hi All,
I've been struggling here all day with these warning messages! I was sure glad to come across this forum and hopefully I can get some help. I'm REALLY green at all this. Hopefully I will figure out how to attach the Hijack file. I'll be working on the rest of the instructions after I post this. Thanks for any help/guidance you can give.
Carolnewbee
 
and now the drives....

kritius,

I just finished posting my thank you and began to collect the picture files on her desktop into one folder, in order to burn them to disk and provide her with a backup for her photos. Major roadblock. The two drives that are operational (they open, the green light flashes when a CD is inserted), one a Sony CD-RW CRX216E and the other a Samsung DVD-ROM SD-616E, both factory installed, are not listed in "My Computer" and show as not operating in Device Manager. When I look at the properties in Device Manager the error reads "Windows cannot start this hardware device because its configuration (in the registry) is incomplete or damaged. (Code 19)".

I have run the troubleshooter, uninstalled, restarted and attempted to reinstall the drives, but no luck. Drives are still not recognized and I have pretty yellow exclamation points next to the name of each within my Device Manager.

I really hope they enjoyed whatever popup they clicked on or file they "shared" in order to trash this thing so hard.

Silver lining.....seems the A: drive is working fine...now if only her pictures were less than a meg and a half, I could copy them one at a time :)

Might be time to pull out the flash drive....think I have a junk 64mb one lying around here somewhere.

This situation tied into the same troubles? Any ideas how to get around it?
 
carolnewbee

You will want to start a new thread so that your problem is picked up on its own. Back out of my posting and click on the Post (Start) New Thread button near the top of the thread listings.

Good luck!!!
 
Let's get this all clean first and then we'll worry about other issues; they may have been resolved at the end. I will also post instructions on keeping safe and stuff at the end.

Boot into safe mode,

Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\nttv.exe (file missing)

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Then, (if this bit doesn't work then don't worry)

HOW TO DELETE AN NT SERVICE USING HJT

Open HijackThis and click on Config, then Misc Tools, and then press the Delete an NT service.. button. When it opens you should then enter the service name and press OK.

O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\nttv.exe (file missing)

Close HijackThis.

Show all hidden files and folders,

Find and Delete Suspect File
Using Start > Search > All Files and Folders
Click Advanced Options and make sure the following are ticked Search system folders, Search hidden files and folders, Search subfolders
Enter nttv.exe in the 'All or part of file name' box
Select C: in the 'Look in' dropdown box
Click Search Now
Right-click on nttv.exe and select Delete
Repeat for each copy of the file
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.


Still in safe mode,

Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Reboot into normal mode,

Create an uninstall list
  • Launch Hijackthis
  • Click the Open the Misc Tools section button
  • Click the Open Uninstall Manager button.
  • Click the Save list button.
  • Attach this log in your next reply

Download and Run ComboFix
Before you download the newest version of ComboFix please make sure there's no older version of ComboFix on your desktop! If there is one, please delete it.

Download Combofix from any of the links below, and save it to your desktop:
https://www.techspot.com/downloads/5587-combofix.html
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

For information regarding this download, please visit this webpage:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: It is important that it is saved directly to your desktop!

Now close any open browsers. Also close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts. Do not mouseclick combofix's window while it's running. That may cause it to stall.

When finished, it will produce a report for you. This report will also be saved in C:\ComboFix.txt attach that report along with a fresh HJT log.

So thats,
1)Smitfraud report,
2)HJT uninstall list
3)Combofix scan
4)Fresh HijackThis log
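The HijackThis fix lists in this post and in the earlier one (the R1, O2, O3, O9, O16, O21, O23 and O24 lines) were picked out by eye. The following is an added example, not part of the thread and not HijackThis code, showing how the same triage can be done mechanically: it takes the lines quoted from the two posts, flags each one that shows a common hijack pattern (an orphaned "(file missing)" or "(no file)" reference, a res:// search bar, a file:/// Active Desktop component, a non-ASCII service name, an O16 DPF that is not a plain http(s) .cab download or whose CLSID looks like a placeholder), and extracts the local paths those entries point at, which is the list you then check by hand in the "Check for and Delete Files and Folders" step. The heuristics are the editor's own assumptions about what looks wrong, not a vendor classification; a flagged line is something to inspect, not proof of infection.

```python
"""Triage HijackThis (HJT) log lines and list the on-disk paths they reference.

Added example for this thread, not HijackThis code. The heuristics below are
the editor's own assumptions about what looks wrong in an HJT line; treat a
flagged line as something to inspect, not as a verdict.
"""
import re

# Lines quoted from the two HJT fix lists posted in the thread (not constructed).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wytpc.dll/sp.html#28129
O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - C:\Program Files\PC-Antispyware\IeExtension.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {D8010B5A-E220-B876-B855-D2861F450A0C} - C:\WINDOWS\system32\mfcvj32.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C: one.MHT!http://www.t058.com//inst//x.chm::/open.exe
O21 - SSODL: SetupCheck - {6fe3f75e-1210-4c30-8c77-8bf0e54cb703} - C:\WINDOWS\Installer\{6fe3f75e-1210-4c30-8c77-8bf0e54cb703}\SetupCheck.dll (file missing)
O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\nttv.exe (file missing)
O24 - Desktop Component 0 : Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)
# A local path up to the first .dll/.exe/.htm(l); spaces allowed (Program Files).
PATH_RE = re.compile(r"([A-Za-z]:\\[^\r\n]*?\.(?:dll|exe|htm|html))", re.I)
CAB_RE = re.compile(r"https?://\S+\.cab")
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def triage(line):
    """Parse one HJT line; return (section, reasons). Empty reasons = nothing odd."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    reasons = []
    if any(k in low for k in ORPHAN_MARKERS):
        reasons.append("orphan: entry points at a file that is no longer on disk")
    if sec.startswith("R") and "res://" in low:
        reasons.append("browser setting served from a local DLL resource (res://)")
    if sec == "O2" and "(no name)" in low:
        reasons.append("BHO registered without a name")
    if sec == "O16":
        if not CAB_RE.search(low):
            reasons.append("DPF that is not a plain http(s) .cab download")
        c = CLSID_RE.search(body)
        if c and len(set(c.group(1).replace("-", "").lower())) <= 2:
            reasons.append("placeholder-looking CLSID")
    if sec == "O23" and not body.isascii():
        reasons.append("service name contains non-ASCII characters")
    if sec == "O24" and "file:///" in low:
        reasons.append("Active Desktop component loads a local HTML file")
    return sec, reasons


def triage_log(text):
    """Map each flagged line (stripped) to its list of reasons, in log order."""
    flagged = {}
    for line in text.splitlines():
        parsed = triage(line)
        if parsed and parsed[1]:
            flagged[line.strip()] = parsed[1]
    return flagged


def referenced_paths(text):
    """Local files the flagged entries point at: the starting point for the
    'check for and delete' step. Verify each path by hand; an orphan entry
    means the file is already gone and only the registry reference remains."""
    paths = []
    for line in triage_log(text):
        for p in PATH_RE.findall(line):
            if p not in paths:
                paths.append(p)
    return paths


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    -", r)
    print("\nPaths to check on disk:")
    for p in referenced_paths(SAMPLE_LOG):
        print("   ", p)
```

On the sample, every line except the McAfee .cab entry is flagged, and the path list comes out as the same six files and folder the helper told the poster to look for (wytpc.dll, IeExtension.dll, mfcvj32.dll, SetupCheck.dll, nttv.exe and privacy_danger\index.htm). To run it over a full log, replace SAMPLE_LOG with the contents of the hijackthis.log file. Note that an orphan flag alone is weak evidence: the Comcast O9 buttons are flagged only because their files are gone, which is what a normal uninstall leaves behind, so read the reasons together rather than counting them.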
 
Gotcha

Got your post, sorry for the delay, had to work all day and just got home. Searching for nttv.exe and nothing is found; HJT wouldn't let me remove the O23 entry by "fixing" or through Config.

Working on Smitfraud now, using my laptop to communicate while the sick PC does its thing without the ethernet cable attached. Hopefully with the time difference I have you here long enough to get you the results :)

Thanks
 
I'll have to look over them tomorrow; the ComboFix one is the important one though, it's the big guns for getting rid of this.
 
Reports 4/3 9pm

Here we go.

Smitfraud report (cut and paste)

Note: when the program first started running, I saw an error reading swg.exe is not a valid file type...doesn't look like that part of the program worked...but at this point who knows...

SmitFraudFix v2.309

Scan done at 19:49:55.79, Thu 04/03/2008
Run from C:\Documents and Settings\Christine\My Documents\Fixes\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christine


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christine\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CHRIST~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS1\Services\Tcpip\..\{A6B8E890-E6C7-44F5-85B9-568BB5C46D38}: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A6B8E890-E6C7-44F5-85B9-568BB5C46D38}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.71.226 68.87.73.242
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




Ran HJT and created and saved an uninstall list (might be worth knowing that this computer is hard-wired to the internet here at my home, and has never had any kind of wireless modem attached, so the wireless entry jumped out at me...the only thing wireless near this thing is my backup/junky laptop across the room)

3D Groove Playback Engine
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.0.7
AIM 6
AT&T WorldNet Setup
avast! Antivirus
BCM V.92 56K Modem
Broadcom Management Programs
CCScore
Comcast High-Speed Internet Install Wizard
CR2
DelDomains TRIAL VERSION
Dell Digital Jukebox Driver
Dell Solution Center
DellSupport
Desktop Doctor
DS21Patch
DVDSentry
EPSON Scan
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
ESSvpaht
ESSvpot
Google Toolbar for Internet Explorer
Harry Potter II
HijackThis 2.0.2
HLPIndex
HLPSFO
Hotfix for Windows XP (KB915865)
hp deskjet 950c series
hp deskjet 950c series (Remove only)
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 5
JumpStart Kindergarten v2.4b
JumpStart Preschool
Kodak EasyShare printer dock
Kodak EasyShare software
KSU
Learn2 Player (Uninstall Only)
Learning Games Desktop Icon Installer
Macromedia Shockwave Player
Madeline Thinking Games
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Visual C++ 2005 Redistributable
Modem Helper
MSXML 4.0 SP2 (KB936181)
Notifier
OfotoXMI
OptiPix Pro
OTtBP
OTtBPSDK
PowerDVD
PrintMaster Gold 4.00
QuickTime
QuickTime 3.0
RealOne Player
Rhapsody Player Engine
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SFR
SFR2
SHASTA
SKIN0001
SKINXSDK
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
Spellbound!
Spybot - Search & Destroy
The Cat in the Hat
The Treasure on Bing-Bong Island
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Viewpoint Media Player
Virtools 3D Life Player
VPRINTOL
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WIRELESS
ZoneAlarm
ZoneAlarm Spy Blocker



Attached combo fix log and fresh hjt scan
 
Hi,

Just to let you know I haven't forgotten about you and I'm writing a fix out now which I'll post later.
 
No problem...it's been a hell of a week in retail land and I had a blast enjoying life NOT behind a sick computer....I'll be on my time, all day Sunday....hope you had a great and relaxing weekend!
 
Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\nttv.exe (file missing)

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please attach the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
 
Sunday scans

Attached


Malware bytes log (16 infections found and removed...scanned again and nothing found)

HJT log post malwarebytes scan

Still not finding "nttv.exe" when searching the C drive, and not able to "fix" that entry in HijackThis.

Desktop ini file that showed up on my desktop sometime during the malware scan. Not sure if I can just dump it, at this point, I don't want to risk pushing us backwards without checking with you.

I know that you like to hear how the computer is performing during this process...just thought I'd let you know that for the first time I am encountering ZoneAlarm popups stating that windows32... is trying to obtain server access. This error never happened before...must be from clearing out the trusted sites? I take it as a good sign that I am allowed to block them.

As I type this....zone alarm just let me know that it protected me from local network access against my computer. I'll just keep blocking first, until I know I can trust it.
 
Is it a bad sign that we haven't touched base in a couple days? (kidding)

We're a little slow here this morning, took a while when I tried to start it up, and when I moved to hotmail to check for new post alerts, I noticed a security warning telling me I was about to leave a secure connection. Brain is sleepy, so I could be wrong but I don't remember seeing that on other systems when I check my "junk" account.

Just keeping you in the loop, take your time, I have tons of free time to tinker this week. (sigh)
 
Sorry about that, it's been pretty busy here and at work; I just need to check some things out and I should hopefully reply tonight.
 