Frustrating Yellow Triangle warning[RESOLVED]



#1 Gladiator667 (New Member, 4 posts)
I'm having a bugger of a time trying to remove the latest bit of spyware that's found its way to my PC. I usually get rid of most spyware after reading similar posts on these forums, but this one is driving me up the wall.

There's a couple of things I can identify that don't belong, but I mustn't be getting the whole lot as it keeps rearing its ugly head again.

Any help will be hugely appreciated, as I've just about given up :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 10:30:19 AM, on 30/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\Program Files\Spyware Nuker 2004\swn2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\STEVEN\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iinet.com.au/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O16 - DPF: {2E6EF946-0CFA-4ED0-001A-23010F31E2FE} - http://216.118.71.185/1/rdgAU1828.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA46B56-3A68-4776-9B5A-11906A4AFD63}: NameServer = 69.50.176.156,195.225.176.31
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Cheers,


#2 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hello,

It's better to print out the next instructions or save them in Notepad, because you have a lot of steps to take and I don't want you to miss any step. Please perform the next steps in the right order!!

Please download LSPfix and save it to the Desktop and unzip it.

* Run LSPfix and place a check against the I know what I am doing checkbox.

Highlight every instance of the following name, fltmgr.dll, and move it from the Keep to the Remove panel. Be sure to move nothing else!!

When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!

Reboot.

* Download Killbox. (make sure you have this version!!)
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next lines (shown in bold):

C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
c:\windows\system\BHOmod.dll


Open 'File' in the Killbox menu on top and choose Paste from clipboard.

Now you will see that this is pasted in the "Full Path of File to Delete" field.
There's a little arrow (dropdown arrow) next to that field.
If you expand it, these lines must all be there together!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot. Click YES.
When it asks if you would like to reboot now, click YES.
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message, then just restart manually.

Your computer must reboot now.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O16 - DPF: {2E6EF946-0CFA-4ED0-001A-23010F31E2FE} - http://216.118.71.185/1/rdgAU1828.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA46B56-3A68-4776-9B5A-11906A4AFD63}: NameServer = 69.50.176.156,195.225.176.31


* Click on Fix Checked when finished and exit HijackThis.

Enter your Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS server address automatically.

Press OK twice to get out of the properties screen and reboot if it asks.

Download rkfiles.zip
UNZIP the contents to a permanent folder

Reboot in SAFE MODE !! Important !!
To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Search for next folders and delete them if present:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files

Double-click rkfiles.bat.
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply together with a new HijackThis log.
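As an added illustration (not code from this thread, from HijackThis or from its author), a small Python triager that applies the kind of checks the expert applied above to the log posted in #1: the rules are this example's own heuristics, and the sample log is a constructed subset of the lines from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis v1.99.1 lines posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iinet.com.au/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\fltmgr.dll
O16 - DPF: {2E6EF946-0CFA-4ED0-001A-23010F31E2FE} - http://216.118.71.185/1/rdgAU1828.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CA46B56-3A68-4776-9B5A-11906A4AFD63}: NameServer = 69.50.176.156,195.225.176.31
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
BARE_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def triage_line(line):
    """Return (section, reason) if a HijackThis line deserves review, else None.
    The rules are this example's own heuristics, not HijackThis logic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "F2" and "Shell=" in body:
        # system.ini Shell= should be explorer.exe alone; anything extra runs at every logon
        programs = [p.strip() for p in body.split("Shell=", 1)[1].split(",")]
        if programs != ["explorer.exe"]:
            return section, "extra shell program(s): " + ", ".join(programs[1:])
    if section == "O2":
        m2 = re.search(r"\} - (.*)$", body)  # dll path follows the CLSID
        dll = m2.group(1).lower() if m2 else ""
        # heuristic: a BHO dll dropped into the Windows folder instead of its own program dir
        if "\\windows\\" in dll:
            return section, "BHO dll inside the Windows folder: " + dll
    if section == "O10":
        return section, "unknown Winsock LSP entry: " + body.rsplit(": ", 1)[-1]
    if section == "O16":
        url = body.rsplit(" - ", 1)[-1]
        host = urlparse(url).hostname or ""
        if BARE_IP_RE.match(host) or url.lower().endswith(".exe"):
            return section, "ActiveX download from a bare IP or an .exe: " + url
    if section == "O17" and "NameServer" in body:
        servers = body.split("=", 1)[1].strip()
        return section, "hard-coded DNS servers, compare with your ISP's: " + servers
    return None

def triage_log(text):
    """All flagged (section, reason) pairs of a log, in log order."""
    return [hit for hit in map(triage_line, text.splitlines()) if hit]
```

Run on the sample it flags exactly the F2, O2 (BHOmod), O10, O16 and O17 entries the expert asked to fix, and leaves the R0 start page and the Spybot BHO alone.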

#3 Gladiator667 (Topic Starter)
Oh no,

Followed your advice to the letter, but I've somehow wiped out my connection. I must have had something set up differently to cause this, because I followed the process to the letter.

Here's my post on a similar help site (copied in below as well). http://forums.whirlp...t=334996#bottom

Ok, I went through the process of removing some spyware from my PC today, all went fine and it's now gone.

The Story and what I did to the letter
http://www.geekstogo...ing-t20622.html

The help from this site has never steered me wrong and I believe I must have had some different setting on my pc that buggered this process.

No more spyware, but no more connection either.

On my D-Link modem, the ethernet light is dead as a doornail. Strangely, the ADSL light is still on.

I initially thought I may have buggered the network card, but it appears to be working fine. I just cannot get an ethernet signal on the router.

Plus I could not log into the router using the usual method of http://192.168.0.1, to see what's going on.

Of course in the process I panicked and resorted to my usual last ditch problem solve of formatting the drive and re-installing windows, but this has done bugger all. Got back in exactly the same problem.

The automatically assigned ip address displaying is 169.254.214.221 which I have no idea why it has picked this number. I thought it would revert back to 192.168.0.1.

Need help or guidance desperately.

NB: help from this site has never steered me wrong and I believe I must have had some different setting on my pc that buggered this process.

#4 miekiemoes (Malware Expert)
So, as I understand in here.. you formatted and reinstalled windows and still have no connection?

So after you performed my steps, you lost your connection? Was this after you used LSPfix or after you fixed in hijackthis?

#5 Gladiator667 (Topic Starter)
Went through the entire process, booted into safe mode, deleted the bolded files, ran rkfiles.bat, rebooted in normal mode, and had no ethernet connection anymore.

So I backed up my files on a thumb drive (drive C: only has system files), formatted drive C: and re-installed default Windows - no ethernet.... hmm, bugger.

So put the old settings and files back on, still the same situation.

:tazz:

#6 miekiemoes (Malware Expert)
So you still had an internet connection after fixing in HijackThis? Because I asked you to reboot and to download rkfiles afterwards.

This is odd. Even after a format and reinstall you have no connection.
Hmm.. you really need to check your settings in your router/connections again, because most probably they are not set up in the right way.
Unfortunately I can't tell you what settings you need to adjust, because it's different on every system/router.

I asked someone else to take a look at your problem, because I don't have a router, so I can't give you the right advice on it unfortunately.

Edit: Also take a look at this:

HOW TO: Save and Restore Dial-up Connections in Windows XP:

http://support.micro...;284269&sd=tech

Edited by miekiemoes, 01 May 2005 - 05:30 AM.


#7 Gladiator667 (Topic Starter)
OK, problem solved. Had to completely disassociate the network card (physically remove it, boot without it in there (hence clearing all settings), then restart with it in there) and now it's fine.

Plus no spyware, and a fresh install of windows to play with :tazz:

Long way around but the spyware is gone

#8 miekiemoes (Malware Expert)
Good that is solved.
I already thought something was wrong with your network card, because it wasn't normal that after a fresh install of Windows you couldn't connect either.

Anyway,

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Let your antispyware scanner(s) scan frequently, and don't forget to update before.

And I do suggest you perform an online virus scan once in a while (eTrust and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates, so visit http://windowsupdate.microsoft.com/ asap to download and install all updates and security patches, because without them your system is very vulnerable and malware can get installed very easily!

Watch out with illegal sites such as crack sites and warez sites, because that's where most malware is lurking.

More info on how to prevent malware you can also find here (by Tony Klein).

Happy surfing again!

#9 miekiemoes (Malware Expert)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.