[Michelle]

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
Unzip it to the desktop but do NOT run it yet.

Edited by bananafanafo, 30 April 2005 - 12:31 PM.

[Advertisements]

just saw this one now, sry.
i dl'ed..its an exe-file. no need to unpack.

Edited by Wiz, 02 May 2005 - 08:11 AM.

[Wiz]

just saw this one now, sry.
i dl'ed..its an exe-file. no need to unpack.

Edited by Wiz, 02 May 2005 - 08:11 AM.

[Michelle]

I don't understand what you're saying in the last post.

[Wiz]

okayyyy...
here's your easier sentence: i downloaded the file u asked me for. but this one is an exe-file not zip. so i did not have to unzip ("Unzip it to the desktop" like you said)

[Michelle]

Ah, I see lol

I need you to copy all of the Killbox instructions below and paste them into Notepad.

* Please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy all of the file names below to the clipboard by highlighting them all, then pressing CTRL + C:

C:\WINDOWS\system32\dosxpd.exe
C:\WINDOWS\system32\fixmapirs.exe
C:\WINDOWS\system32\system.exe
C:\WINDOWS\system32\locate.com

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After your computer reboots, please Download, install, and run CleanUp! (so the below scan won't take as long because cleanup will clear temporary files and cookies)

Then, please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log.

Edited by bananafanafo, 02 May 2005 - 10:54 PM.

[Wiz]

i followed your killbox-instructions and deleted those 4 files
but could you please tell me next time that cleanup! does not make a backup. it %&§$ deleted even lots of my own backups and my temp folder, which was abt 5gb. That program just deleted all of the content because it contained 'temp' as folder name. that's sad, very sad. and no backup either. lost abt 6gb so far because of that program. and it §$&$ed up lots programs and entire office2003. have no cd here so i cannot use any office applications at the moment

got this with your active scan. but i could delete these files without problems. so, it should be clean now.

Incident                      Status            Location                                                                                                                                                                                                                                                       
Adware:Adware/Funcade         No disinfected    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MEDIAWHIZ5.exe                                                                                                    
Adware:Adware/SBSoft          No disinfected    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\webdlg32.dll      
Adware:Adware/SBSoft          No disinfected    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\webdlg32.inf      
Adware:Adware/SBSoft          No disinfected    C:\WINDOWS\Downloaded Program Files\webdlg32.dll                 
Adware:Adware/SBSoft          No disinfected    C:\WINDOWS\Downloaded Program Files\webdlg32.inf                 
Spyware:Spyware/YourSiteBar   No disinfected    C:\WINDOWS\Downloaded Program Files\ysbactivex.inf

Logfile of HijackThis v1.99.1
Scan saved at 14:59:01, on 03.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
D:\incoming\settings\desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.arcor-ip.de:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\MessengerPlus! 3\MsgPlus.exe"
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Programme\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{479973B1-9BE1-4390-A95E-987859387267}: NameServer = 195.50.140.252 145.253.2.81
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: MorningSound VirtualCamera Play Service (VirtualCameraService) - Unknown owner - C:\Programme\VirtualCamera\VCamSrv.exe (file missing)

could you tell me how to del a service from my system. in this case O23 - Service: MorningSound VirtualCamera Play Service (VirtualCameraService) - Unknown owner - C:\Programme\VirtualCamera\VCamSrv.exe (file missing). but seems that hijackthis-fix doesnt work since it always appears

and it looks like restrictions are back in present... strange.better we check first what's restricted before delete it again

---edit:
just checked regedit. the present restriction was NoBrowserContextMenu Dword 0 ... I just remember, that it was my browser (not IE) who did it. so, should be fine. Don't worry...

Edited by Wiz, 03 May 2005 - 08:56 AM.

[Michelle]

I said that Cleanup! clears temporary files and cookies - I don't read minds. You are the one who knew you had stuff you needed in your temp folders so you should have backed them up (or moved them) prior to running cleanup...

1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

MorningSound VirtualCamera Play Service (or VirtualCameraService)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.

Run HiJackThis. Click on "none of the above just start the program", Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):

VirtualCameraService

Click ok.

It should pull up information about the service, then ask if you want to reboot. Close all programs and windows then click "yes".

Post a new HiJackThis log.

[Wiz]

yah temporary files, but not folders. it even deletes files which i called i.e. *.txtbak ... how am i supposed to know that it del these files.. but whatever

Logfile of HijackThis v1.99.1
Scan saved at 21:47:00, on 03.05.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
D:\incoming\settings\desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.arcor-ip.de:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Programme\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{479973B1-9BE1-4390-A95E-987859387267}: NameServer = 195.50.140.252 145.253.2.81
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe

guess its done now.

[Michelle]

Have you looked these up?
195.50.140.252, 145.253.2.81

Edited by bananafanafo, 03 May 2005 - 02:25 PM.

[Wiz]

yes, dont worry, it's my ISPs .

[Michelle]

Good!!

Any other problems?

[Michelle]

Guess not...you're welcome I'm closing this thread now.

I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Ewido Security Suite <= Protection against Trojans, Worms, Dialers, Hijackers, Spyware, and Keyloggers.

Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

• AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
• Firewall<= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.