Warning: You're in Danger - #2



#1
LostInSpyWareHell

    New Member

  • Member
  • 2 posts
Hello:

I appear to have the same problem that someone else had a couple of days ago:

http://www.geekstogo...?showtopic=6297


I do get the "Warning : You're in danger" desktop (it's not really a desktop, but a window sized to take up all of your desktop). I also get a "Please Select your Country" Drop down window which I can't get rid of.

To the extent possible, I tried all the solutions mentioned in the previous thread (I'm running Windows 2000 and my symptoms are slightly different). I did run spysubtract, but the [bleep] windows keep coming back.

I have tracked this problem down to several files which I delete (and empty the trash bin) but they always come back:

c:\125209.exe
C:\WINNT\desktop.html
C:\WINNT\ssico.ico
C:\WINNT\system32\vxh8jkdq5.exe
C:\WINNT\system32\vxh8jkdq2.exe

My HijackThis log is below.

Thanks in Advance for your Help !!

*****************************************************************

Logfile of HijackThis v1.99.0
Scan saved at 4:45:35 PM, on 1/2/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINNT\system32\kernels32.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
C:\WINNT\system32\ntvdm.exe
c:\125209.exe
C:\Documents and Settings\Administrator\My Documents\upgrade\spybot\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53484D7C-B868-480C-B925-00D648F5BBD2} - C:\WINNT\system32\odaj.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BF2BCBE5-DDE2-4A60-8EFB-A3AB0D23BD05} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels32.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O18 - Filter: text/html - {58D0CA3A-EA4E-4A8E-A470-42EFEE22B3F4} - C:\WINNT\system32\odaj.dll
O18 - Filter: text/plain - {58D0CA3A-EA4E-4A8E-A470-42EFEE22B3F4} - C:\WINNT\system32\odaj.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Norton Internet Security Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#2
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Here is a fix from Metallica:

First, follow instructions here:
http://securityrespo...moval.tool.html

Then download and run CWShredder from http://www.intermute...r_download.html

Reboot and post a new log. :tazz:
  • 0

#3
LostInSpyWareHell

    New Member

  • Topic Starter
  • Member
  • 2 posts
Hello and thanks for the reply:

I think I was able to find another fix at:

http://computercops....92222-0-0-.html


I pretty much followed the procedure that Tony Klein suggested. I downloaded and ran Ad-Aware SE (the update from lavasoft didn't work though), then I ran the pandascan.

This seems to have taken care of things. I will keep you posted and I will also post my HijackThis log tomorrow.

Please note that prior to doing what Tony suggested, I had tried several other things suggested by other people (spybot, search and destroy, etc.), so the solution may have been the combination of things.

Again, thanks for your suggestion. I will see how things go and then post a HijackThis log tomorrow.

If the problem reappears, then I will try your proposed solution.

Hopefully, I am NO LONGER LostInSpyWareHell !
  • 0

#4
coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Sounds great. Let us know if we can help you further. :tazz:
  • 0

#5
oversummer

    New Member

  • Member
  • 1 posts
I also have this ssico on my computer.
Are there any other ways to solve it? An easier way?
When I'm online, there's a window that pops up showing that I have 50,000++ viruses inside my PC. What is happening?
Can anyone help me?
Thanks..
  • 0

#6
admin

    Founder Geek

  • Administrator
  • 24,504 posts
Welcome to GTG oversummer, please start a new topic.
  • 0

#7
mxm727

    New Member

  • Member
  • 1 posts
I also had the same problem with the Black Desktop Background: "WARNING.. You're in Danger.." But my Task Manager was also disabled 'by the administrator', New icons on desktop (ISECURE),... many things going on. Also, Kernels32.exe kept reappearing in the startup, even after I unchecked it in msconfig.

Anyway, similar to LostInSpyWareHell, Tony Klein's suggestion also worked for me but I followed it a bit differently.
1) On Desktop, right click at very top of Black Background, go into Properties, Desktop, Customize, Web, Uncheck SECURITY. This will remove the annoying black background. (But the VIRUS was still on my machine... )
2) I ran MSCONFIG and unchecked kernels32.exe from STARTup. Not sure if this helped in any way, but I did it.
3) Did a GOOGLE Search on "Ad-Aware SE" and downloaded, installed. Before running, Look for Updates. Then Run the software and remove anything it finds. (When I did this in Safe-Mode as Tony suggested, everything I did to this point became undone after I Rebooted, so I had to start again with step (1).)
4) Did a GOOGLE search on Panda Active Scan, ran the scan which found more viruses, but all were disinfected.
5) Restarted computer. Everything was ok except my Internet Explorer Home page was changed to a blank page. Fixed this in Internet Options, rebooted again and all seems ok for now.
Task Manager is back. Black Background is gone. All viruses seem to be gone.
I normally don't contribute to these forums, I just search them, but this virus was such a pain. I hope this solution works for at least one other person...
MXM
  • 0
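
Added example, not part of any post in this thread: a small Python triage script that reads HijackThis F2/O4 lines and lists every binary that is appended to the Shell value or registered in more than one autostart location, since such a binary still launches from the remaining entries when only one is disabled. The sample lines are copied from the log in post #1; the function names and the flagging rule are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Subset of the HijackThis log from post #1, copied unchanged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\kernels32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [System] C:\WINNT\system32\kernels32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [SystemTools] C:\WINNT\system32\kernels32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# "<code> - <location>: <command>" for the two autostart sections.
ENTRY_RE = re.compile(r"^(F2|O4) - (.+?): (.+)$")
# Fully qualified path to an executable module inside a command string.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.I)


def parse_autostarts(log):
    """Yield (location, lowercased target path) for each F2/O4 entry."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, where, command = m.groups()
        for path in PATH_RE.findall(command):
            yield f"{code} {where}", path.lower()


def flag_persistence(log):
    """Return {path: [locations]} for binaries worth a closer look.

    Heuristic (assumption of this example): flag a path that appears in
    two or more autostart locations, or that is appended to the Shell
    value (a plain "Shell=Explorer.exe" carries no drive path and so
    produces no entry at all).
    """
    seen = defaultdict(set)
    for location, path in parse_autostarts(log):
        seen[path].add(location)
    return {path: sorted(locs) for path, locs in seen.items()
            if len(locs) > 1 or any(x.startswith("F2 ") for x in locs)}


if __name__ == "__main__":
    for path, locs in flag_persistence(SAMPLE_LOG).items():
        print(path, "->", ", ".join(locs))
```

On the sample lines only `kernels32.exe` is reported, with its Shell, Run and RunServices registrations listed together so that all three can be reviewed in one pass.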