I don't know what I have [RESOLVED]

#31 calgooda1323 (Member, Topic Starter, 57 posts)
Ok, I tried to download Icesword and this is what it says. "Acrobat could not open Icesword122en.zip because it is either not a supported file type or because the file has been corrupted."

Edited by calgooda1323, 21 March 2008 - 02:03 PM.


#32 calgooda1323 (Member, Topic Starter, 57 posts)
So I have just been trying to get it to open. I closed out that box that popped up. The one I told you about in the previous post. Then I went to see if my computer had downloaded it. It said it did so I opened it and clicked unzip it. It brought up these files when it was unzipped. "bcb6" "ChkFile" "vc6" "notepad cooperater" "Icesword110.dll" "IshHelp". I don't know where to go from here.

#33 RatHat (Ex Malware Expert, 7,829 posts)
Please right click on Icesword122en.zip and choose Open with

You should see a menu which allows you to open the file with WinZip.

Open it with WinZip, then Extract Icesword to its own folder on your desktop. Let me know if you have a problem doing this.

#34 calgooda1323 (Member, Topic Starter, 57 posts)
Sorry, I guess I am just not getting it. You want me to open it from the original post on how to open it? I tried right clicking on that but there is no open with. Sorry to be so difficult.

#35 RatHat (Ex Malware Expert, 7,829 posts)
OK, no problem. Download and install IzArc from http://www.izarc.org/download.html.

This is probably one of the best Zip file managers available. Follow the prompts to install it, then unzip Icesword and run it as outlined in my earlier post.

#36 calgooda1323 (Member, Topic Starter, 57 posts)
OK, I downloaded IzArc. I opened Icesword in IzArc and can see the file there. Should I show you what I see? It comes up with cooperator.zip. Is this what I should be opening?

I click on Open in IzArc.exe. It opens the file in IzArc and then I am lost.

This is where I am at!

Attached Files


Edited by calgooda1323, 21 March 2008 - 02:40 PM.


#37 RatHat (Ex Malware Expert, 7,829 posts)
OK, close down IzArc.

Now Right Click on Icesword122en.zip

You will now have a new option in the right click menu: IzArc

Click it, and choose Extract Here

This will create a folder on your desktop named Icesword122en

Open that folder and locate Icesword.exe

Now follow the instructions in my post above regarding Icesword.

#38 calgooda1323 (Member, Topic Starter, 57 posts)
I don't have that option when I right click on it. I only have "open in new window" "open in new tab" "bookmark link" "save link as" "send link" etc. NO IzArc.

Sorry if I am frustrating you. I'm trying to understand.

Edited by calgooda1323, 21 March 2008 - 02:58 PM.


#39 RatHat (Ex Malware Expert, 7,829 posts)
We will get there in the end! :)

OK, click on Icesword122en.zip to open IzArc

Now click on the Extract button at the top of IzArc

It will ask you where you want to Extract to

Make sure you extract it to your desktop.

You should now have the folder there and be able to run the program.

#40 calgooda1323 (Member, Topic Starter, 57 posts)
OK, I made it in. I looked through all the stuff. There was only one red one. It was under SSDT and the KModule name was "unknown"

#41 RatHat (Ex Malware Expert, 7,829 posts)
Did it have any path? For instance Windows\System32

#42 calgooda1323 (Member, Topic Starter, 57 posts)
No, this is the only one that doesn't say "windows system 32 blah blah stuff". It just says unknown. It does have the original and current addr if that helps at all

#43 RatHat (Ex Malware Expert, 7,829 posts)
Can I see what those addresses are please, also can you post me the logs for:

1. Processes
2. Win32 Services
3. Startup

Thanks,
RatHat

#44 calgooda1323 (Member, Topic Starter, 57 posts)
OK, the current address is 0x86086250 and the original address is 0x80589278

log for processes:
Process:

System Idle Process
System
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\agrsmmsg.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Toshiba\TouchED\TouchED.exe
C:\Program Files\Toshiba\PadTouch\PadExe.exe
C:\WINDOWS\system32\TPSMain.exe
C:\TOSHIBA\Ivp\ISM\pinger.exe
C:\WINDOWS\system32\alg.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark 5200 Series\lxbtbmgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Lexmark 5200 Series\lxbtbmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Documents and Settings\Cortney\Desktop\IceSword122en\IceSword.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cortney\Local Settings\Temp\Temporary Directory 1 for IceSword122en.zip\IceSword122en\Cooperator\Cooperator\IsHelp.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\lxbtcoms.exe
C:\Program Files\MSN Messenger\usnsvc.exe

log for Win32
Started Service:

Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:BITS Display Name:Background Intelligent Transfer Service
Service Name:Browser Display Name:Computer Browser
Service Name:CryptSvc Display Name:Cryptographic Services
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:DVD-RAM_Service Display Name:DVD-RAM_Service
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:helpsvc Display Name:Help and Support
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:lxbt_device Display Name:lxbt_device
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:SoundMAX Agent Service (default) Display Name:SoundMAX Agent Service
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:SSDPSRV Display Name:SSDP Discovery Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:usnjsvc Display Name:Messenger Sharing Folders USN Journal Reader service
Service Name:W32Time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:WmiApSrv Display Name:WMI Performance Adapter
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration


and log for startup

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray
C:\WINDOWS\System32\igfxtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HotKeysCmds
C:\WINDOWS\System32\hkcmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AGRSMMSG
AGRSMMSG.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Apoint
C:\Program Files\Apoint2K\Apoint.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TouchED
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PadTouch
"C:\Program Files\TOSHIBA\PadTouch\PadExe.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TPSMain
TPSMain.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Pinger
c:\toshiba\ivp\ism\pinger.exe /run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LtMoh
C:\Program Files\ltmoh\Ltmoh.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
00THotkey
C:\WINDOWS\System32\00THotkey.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ezShieldProtector for Px
C:\WINDOWS\System32\ezSP_Px.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TFNF5
TFNF5.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TFncKy
TFncKy.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RealTray
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Lexmark 5200 series
"C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
000StTHK
000StTHK.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Share-to-Web Namespace Daemon
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HPDJ Taskbar Utility
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
LXBTCATS
rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,[email protected]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelliPoint
"c:\Program Files\Microsoft IntelliPoint\ipoint.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\System32\ctfmon.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office OneNote 2003 Quick Launch.lnk
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE (Remark: Quick Launcher for Microsoft Office OneNote.)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office10\OSA.EXE (Remark: Microsoft Office StartUp)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Trend Micro Anti-Spyware.lnk
C:\Program Files\Trend Micro\Tmas\Tmas.exe (Remark: Trend Micro Anti-Spyware)

C:\Documents and Settings\Cortney\Start Menu\Programs\Startup
desktop.ini
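The red SSDT entry discussed in the posts above (KModule "unknown", current address 0x86086250, original address 0x80589278) is the classic shape of a hooked system-call table slot: the current handler no longer matches the one the kernel installed at boot, and the address it now points to cannot be attributed to any loaded kernel module. The following is an added triage example written for this thread; it is not part of the thread and is not IceSword's own code. The two addresses of the "unknown" entry are taken from the post; the module names, base addresses, sizes, service indices and the other entries are constructed placeholders, not values from this machine.

```python
# Added example (not from the thread, not IceSword code): triage SSDT entries
# the way a reviewer reads an IceSword SSDT listing. An entry is worth a
# second look when its current handler differs from the original one, or when
# the current handler lies outside every known kernel module (IceSword shows
# that condition as KModule "unknown").
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SsdtEntry:
    index: int       # service number in the table
    name: str        # Nt* routine that slot is supposed to dispatch to
    original: int    # handler address the kernel installed at boot
    current: int     # handler address found in the table now


@dataclass
class KernelModule:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map (illustrative XP-era layout, NOT values from the post).
# ntoskrnl's range is chosen to cover the original address 0x80589278.
MODULES: List[KernelModule] = [
    KernelModule("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    KernelModule("hal.dll", 0x806D0000, 0x20000),
]

# Constructed entries. Only the last one reuses the two addresses quoted in the
# thread; indices, names and the other addresses are placeholders.
ENTRIES: List[SsdtEntry] = [
    SsdtEntry(0x25, "NtCreateFile", 0x8056A000, 0x8056A000),
    SsdtEntry(0x7A, "NtOpenProcess", 0x805C0000, 0x805C0000),
    SsdtEntry(0xAD, "NtQuerySystemInformation", 0x80589278, 0x86086250),
]


def owning_module(addr: int, modules: List[KernelModule] = MODULES) -> Optional[str]:
    """Name of the loaded module whose image covers addr, or None if no module does."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def triage(entries: List[SsdtEntry] = ENTRIES,
           modules: List[KernelModule] = MODULES) -> List[dict]:
    """Return one finding per entry whose handler changed or is unattributable."""
    findings = []
    for e in entries:
        hooked = e.current != e.original
        module = owning_module(e.current, modules)
        if hooked or module is None:
            findings.append({
                "index": e.index,
                "name": e.name,
                "hooked": hooked,
                "module": module or "unknown",   # mirrors IceSword's KModule column
                "original": f"0x{e.original:08X}",
                "current": f"0x{e.current:08X}",
            })
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Two things the check does not decide on its own: a hook whose current address does fall inside a known module still needs that module identified (security products such as the Trend Micro Anti-Spyware on this machine legitimately hook the SSDT too), and an "unknown" owner means the address is in memory no driver image claims, which is why the thread's helper asks for the module details before calling it either way.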

#45 RatHat (Ex Malware Expert, 7,829 posts)
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Now Reboot your computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Now please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


One thing that concerns me with Icesword is that it is reporting that you are running part of it from within a temp folder:

C:\Documents and Settings\Cortney\Local Settings\Temp\Temporary Directory 1 for IceSword122en.zip\IceSword122en\Cooperator\Cooperator\IsHelp.exe

This would happen if you try to run it from within the Zip and will not allow it to work properly. So could you run it again from within the IceSword122en folder on your desktop, and post me the logs again. Also check to see if there is any other details under the SSDT and the KModule.

Regards,
RatHat
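RatHat's point about IsHelp.exe running out of a "Temporary Directory ... for IceSword122en.zip" folder, and the startup listing posted earlier, are both things a reviewer checks mechanically when reading these logs: which running images live under a Temp directory, and which Run-key entries name a bare file (AGRSMMSG.exe, TPSMain.exe, ...) rather than a drive-qualified path, so the log alone does not tell you which file on disk is actually being launched. The following is an added example, not part of the thread and not IceSword's code. It embeds a constructed subset of the process and startup logs from the post (lines copied verbatim, but not the whole listing) and parses the three-line block format the startup log uses.

```python
# Added example (not from the thread, not IceSword code): first-pass triage of
# an IceSword process list and startup listing.
import re
from typing import List

# Constructed subset of the process log posted in the thread (verbatim lines,
# not the complete list).
PROCESS_LOG = r"""System Idle Process
System
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Cortney\Desktop\IceSword122en\IceSword.exe
C:\Documents and Settings\Cortney\Local Settings\Temp\Temporary Directory 1 for IceSword122en.zip\IceSword122en\Cooperator\Cooperator\IsHelp.exe
C:\WINDOWS\system32\wuauclt.exe
"""

# Constructed subset of the startup log: blank-line-separated blocks of
# location, entry name, and (for registry entries) the command line.
STARTUP_LOG = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray
C:\WINDOWS\System32\igfxtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AGRSMMSG
AGRSMMSG.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Pinger
c:\toshiba\ivp\ism\pinger.exe /run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TPSMain
TPSMain.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini
"""


def parse_startup(text: str) -> List[dict]:
    """Split the startup listing into {location, name, command} records.
    Startup-folder entries (desktop.ini) have no command line."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue
        records.append({
            "location": lines[0],
            "name": lines[1],
            "command": lines[2] if len(lines) > 2 else "",
        })
    return records


def image_path(command: str) -> str:
    """Best-effort executable extraction from a Run-key command line: a quoted
    path wins; otherwise take everything up to the first .exe/.dll so that
    unquoted paths containing spaces are kept whole."""
    m = re.match(r'^"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"^(.*?\.(?:exe|dll))", command, re.IGNORECASE)
    return m.group(1) if m else command


def has_absolute_path(image: str) -> bool:
    """True for drive-qualified images such as C:\\WINDOWS\\System32\\igfxtray.exe."""
    return re.match(r"^[A-Za-z]:\\", image) is not None


def is_temp_location(path: str) -> bool:
    """True when the path passes through a \\Temp\\ directory."""
    return re.search(r"\\temp\\", path, re.IGNORECASE) is not None


def unresolved_startup_entries(text: str = STARTUP_LOG) -> List[str]:
    """Names of Run entries whose command gives no drive-qualified path, so the
    file that is really launched must be located on disk before judging it."""
    return [r["name"] for r in parse_startup(text)
            if r["command"] and not has_absolute_path(image_path(r["command"]))]


def processes_in_temp(text: str = PROCESS_LOG) -> List[str]:
    """Running images under a Temp directory, like the IsHelp.exe RatHat spotted."""
    return [ln for ln in text.splitlines() if is_temp_location(ln)]


if __name__ == "__main__":
    print("Run entries without a full path:", unresolved_startup_entries())
    print("Processes running from Temp:", processes_in_temp())
```

On the posted logs this reports AGRSMMSG and TPSMain as entries that need to be located on disk before they can be judged, and IsHelp.exe as the only image running from a Temp folder, which is exactly why RatHat asks for IceSword to be rerun from the extracted desktop folder before reading the SSDT details.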