
Controlling my internet address & removing it


  • This topic is locked

#76
Guest_thatman_*

  • Guest
Hi Classy2

Did you download the Windows updates? You will just keep getting reinfected over and over.

Rerun ewido, and a virus scan

Post a new HJT.Log and any information from the virus scans

Kc :tazz:
  • 0



#77
Classy2

  • Topic Starter
  • Member
  • 242 posts
To my great technician, Kc,
I am sorry to inform you that Windows Update will not work!
Every page I read about me back to the UPDATE PAGE where it needs to scan but does nothing! Even the column on the left says "Install now" is dimmed.
I'm not sure if there's something else to try but I thought if I needed any patches I wouldn't be able to download them.

Here are Trojans that, even though they're in vault, sometimes DELETED, they keep reappearing.
Trojan horse
NAME--Win32:Qoologic-B
VPS version 0516-2, 04/19/2005
path cuddles\local settings\Temporary internet
C;\DOCUME~1Cuddles\LOCALS~1\Temp\tp7453.exe

FILE winup2date.dll
Path C:Windows\System32
Infection; Spyware.Small.et
How do I DELETE THESE PERMANENTLY?

Here is my HJT log, run in safe mode:

Logfile of HijackThis v1.99.1
Scan saved at 10:36:52 PM, on 4/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presari...&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://store.presari...&c=2c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} -
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Trend Micro showed No viruses.

I'm beginning to think I will never be able to download from Microsoft Update.
Looking forward to your advice,
Classy
  • 0

#78
Guest_thatman_*

  • Guest
Hi Classy2

Download the RKFiles.zip from here:
http://skads.org/special/rkfiles.zip

Create a new folder called c:\Antispyware\RKFiles
Extract the contents of RKFiles.zip into this new RKFiles folder.

Reboot into Safe Mode
(Restart and press the F8 key a few times after the BIOS loads -- the first thing you see when the PC "comes alive" and does its "self test" -- before Windows loads.)

Open the C:\Antispyware\RKFiles folder
* Locate and double-click the RKFILES.BAT to run this tool.
* Sit back and wait until it's finished.
* When it is finally finished a text file will open.
* Save the contents of that text file.

Note: It should save by default to C:\Log.txt
* Find this log, right-click and rename it RKFiles_log.txt so you can post it for me later.

Reboot back to Normal Mode.

Post the log and a new hijackthis log.

Kc
  • 0

#79
Classy2

  • Topic Starter
  • Member
  • 242 posts
Kc,
You say to: Reboot into Safe Mode
(Restart and press the F8 key a few times after the BIOS loads -- the first thing you see when the PC "comes alive" and does its "self test" -- before Windows loads.)
I'm confused because the only two places before Windows loads
are in the BIOS OR at a prompt?
Are you telling me to type at the prompt, C: Open the C:\Antispyware\RKFiles folder
Please explain exactly where to open and run this .bat file.

I apologize,
Classy
  • 0

#80
Classy2

  • Topic Starter
  • Member
  • 242 posts
I mean to say did you mean;
"Reboot in Safe Mode with a Command Prompt"
Classy
  • 0

#81
Guest_thatman_*

  • Guest
Hi Classy2

Just boot into Safe Mode

When in Safe Mode double click on your C:\Drive

Open the C:\Antispyware\RKFiles folder
* Locate and double-click the RKFILES.BAT to run this tool.
* Sit back and wait until it's finished.
* When it is finally finished a text file will open.
* Save the contents of that text file.
Note: It should save by default to C:\Log.txt

Find this log, C:\Log.txt so you can post it for me.

Reboot into regular mode and post the log.txt

Kc :tazz:

Edited by thatman, 26 April 2005 - 06:39 AM.

  • 0

#82
Classy2

  • Topic Starter
  • Member
  • 242 posts
Dear Kc
Please carefully read my letter.
Kc, because you are very patient, and understand how to make something technical understandable to me with great respect, I'm asking if you would consider staying with me to help me set up my firewall in the safest way possible.

I have read about setting up Microsoft's firewall; they leave out things, esp. where you have to type information in a box, like configuring a port. (Microsoft leaves out info on what to type here.) Microsoft gives instructions to people who are somewhat familiar with this subject; I'm NOT.

Kc, please read from the link below. Blank boxes to type in IP and USD.

Manually Configuring Windows Firewall in Windows XP Service Pack 2

As I understand, the better I can technically set up my firewall with the appropriate IP and USD, the more unlikely a hacker can get into my system.

After installing SP2 (in the past I had no internet connection), will you please tell me your way (because I understand YOU!) where to go and what to do TO CONNECT to the internet?

Please, will you stay with me and help me set up my firewall? I quote from Links, "Your firewall is as safe as you set it to be" and I trust YOU to help me to keep hackers away from my computer. Or make it hard to get in.

Your long time devoted admirer,
Classy :tazz:
  • 0

#83
Guest_thatman_*

  • Guest
Hi Classy2

Have you updated to XP_SP2 NOW?
Don't waste your time with the Windows firewall; I have an easier one for you to use.

Zone Alarm FREE: download and install this first.
http://www.zonelabs.com/store/content/c...!7551!7552


WinSockFix: download this file; no need to use it now. Will tell you what it is later.
http://downloads.sub.../WinsockFix.zip
http://www.spychecke...nsockxpfix.html.

Will be online for some time and will stay with you to help

Please post a new HJT.Log

Kc :tazz:
  • 0

#84
Classy2

  • Topic Starter
  • Member
  • 242 posts
Hi Kc,
In safe mode, I clicked RKFiles.bat.
It loaded 3 files, then said not to close the DOS window until it closes itself.
Then it said checking system files and I waited for 15 minutes; after nothing, I closed the window.
Do you think this ran properly?
Here's the RKfiles log file:

C:\Program Files\Antispyware\rkfiles ...that's all ;)

I went to Windows Update; Install and view history is still dimmed. And I waited for Windows to scan my PC for previous downloads but still nothing :tazz:
My router was unplugged and probably the setup for the IP and user was erased. Do you think if I reset my router it would help with finding the host?

When opening this forum I get an error asking "do you want to work offline or try to connect".
Classy ;)


Here's the HJT.Log

Logfile of HijackThis v1.99.1
Scan saved at 2:19:41 AM, on 4/28/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\kmw_run.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\KMW_SHOW.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geekstogo...&st=60&p=87648
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: strings.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} -
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0
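
A triage pass over HijackThis log lines like the ones posted above, as an added example that is not part of the thread and not HijackThis's own code: it pulls out the entries a helper would check first. The three rules and all function names are assumptions chosen for illustration, and a flagged line is a prompt to verify the file, not a verdict.

```python
import re

# Lines copied from the HijackThis v1.99.1 logs posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - Global Startup: strings.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} -
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "<section> - <body>", where section is R0..R3 or O1..O23.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")

# O4 autoruns: either a registry Run/RunOnce value or a Startup folder item.
AUTORUN_RE = re.compile(
    r"^(?:.*?Run(?:Once)?: \[[^\]]*\] |(?:Global )?Startup: )(?P<cmd>.+)$"
)


def triage(log_text):
    """Return (section, reasons, line) for every entry that needs a closer look.

    Assumed rules (illustrative, not exhaustive):
      * HijackThis itself marked the target "(file missing)" or "(no file)"
      * an O4 autorun command has no directory, so the file's location is unknown
      * an O16 ActiveX entry has no download source after the CLSID
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process path or blank line
        section, body = m.group("section"), m.group("body")
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("target file not found")
        if section == "O4":
            cmd = AUTORUN_RE.match(body)
            if cmd and "\\" not in cmd.group("cmd"):
                reasons.append("autorun without a full path")
        if section == "O16" and body.endswith("-"):
            reasons.append("ActiveX entry with no source URL")
        if reasons:
            findings.append((section, reasons, line))
    return findings


if __name__ == "__main__":
    for section, reasons, line in triage(SAMPLE_LOG):
        print(f"[{section}] {', '.join(reasons)}\n    {line}")
```
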

#85
Classy2

  • Topic Starter
  • Member
  • 242 posts
Kc,
Your post about keeping me company was separated and at the bottom.
What I'm saying is yes, I'd love your company anytime, although I find night time quiet and impossible to be interrupted by anything. I am flexible during the day if it's better for you. I believe in compromising.
Please do let me know when you can be online, I'd love to talk to you.
I have a technical question about my computer. Can you tell me a way to ask you privately, without invading your privacy?
Sleepless in NY,
Classy :tazz:
  • 0



#86
coachwife6


    SuperStar

  • Retired Staff
  • 11,413 posts
C2: I am going to assist you with your log. Please tell me what problems you are having, and we will try to get it resolved.
  • 0

#87
Classy2

  • Topic Starter
  • Member
  • 242 posts
Hi CW,
I feel Kc did everything possible to remove malware and try to get Windows Update to recognize my computer.
Maybe you can shed some new ideas and help protect me from any future hackers or hijackers. :tazz:

Download the Hoster from here. Press "Restore Original Hosts" and press "OK and Exit Program".
I have 2 questions about the "Restore Original Host".
Q--1. "My Host is editable": it asks if I want to make it "Read Only"?
Q--2. "Remove Block items from Host" (Removes 127.0.0.* entries)?

Kc was giving me all these programs because I cannot get Update from Windows, esp. firewall SP2. I presume SP2 is the best firewall package and they are always making new improvements to download from Windows Update.
I am presuming SP2 is the best firewall to have if it can be set up properly. I am not familiar with firewalls or the technical terms. I quote "A Firewall is only as safe as its setup".
Can you please advise me which firewall you'd use on your computer?
Or can FireZone be set to be as good as SP2?
I also have a question about my computer and I'm wondering how I can ask it privately?

I have been working on cleaning up my system and then trying to get my host back.
Looking forward to learning from you,
Classy ;)
  • 0

#88
coachwife6


    SuperStar

  • Retired Staff
  • 11,413 posts
I don't know if thatman asked you this already, but is your version of Windows valid?

I want you to visit this page and see:

Windows validation

You should see this halfway down the page.

This download is available to customers running genuine Microsoft Windows. Please click Continue to begin Windows validation.


Click continue and tell me what it says.
  • 0

#89
Classy2

  • Topic Starter
  • Member
  • 242 posts
OK, I followed your instructions and the instructions on the page. It just asked the brand and name of my computer.
I did a lot of reading about other firewalls; none seem to have everything. For instance ZoneAlarm does not have mail protection. I was also interested in Sygate; it had an extra protection called ICP.
I am sad and frustrated. I have another Trojan. I thought Avast keeps Trojans out.
Do you know of any Anti-virus programs that do PREVENTION?
Classy
  • 0

#90
coachwife6


    SuperStar

  • Retired Staff
  • 11,413 posts
Please go to http://www.howtotell.com and click on "Windows Validation Assistant" - tell me what it says.
  • 0





