CrazyMonkey, please read the Symantec pdf DRM document. It's all there.
Whether another infection has slid in on the back of it is undetermined at this point, but I'm guessing no; let sash25 follow the instructions first. Thanks.
"Ladies and Gentlemen, take my advice: Pull down your pants and slide on the ice"
Whether he wants to follow your instructions (which only point to downloads and a translated page :S) and read a large pdf he may do so; the advice I give is freely available and usable.
However, the steps I have provided are his alone, tailor-made to suit what his logs show. Seeing as he is at the stage where he has finished using the steps I have provided, I would feel continuing with the solutions I provide is the best course of action. However, he can choose to do either; it's his choice, I am here to help.
Also, there is no guesswork in malware removal; that is why there are things such as logs. Also, from the 2 years' experience helping hundreds if not thousands of people on bleepingcomputers and gladiator, it is apparent that 90% of users seeking help have come to the forums because solutions such as those provided by Symantec have failed to stop/remove the infections. I am not specifically flaming Symantec here; they provide good solutions and well-written online support. However, in my opinion an anti-virus solution should be aiming to stop infections directly on the front line (before they become resident) as well as providing a good definition basis to remove the majority of malware. However, there are some infections out there that are so persistent that alternate steps usually have to be taken manually, and this is why I am here providing such steps.
Sure thing, I'm not disputing your course of action, or your willingness to help, it's all good. It's just that ...
winsta32.exe
(hadl.dll, amqv.exe, auths.exe, avsys.exe, bootvid.exe, bszey.exe, bujp.exe, bvrkarq.exe, cdosysmon.exe, cmtl.dat, comstl.exe, comusys.exe, ctsrv.exe, culil.exe, d2d8.exe, ddfyc.exe, default8.exe, dmaaoc.exe, dmdmgr.exe, dpnpast.exe, efsysadu.exe, eygxbmb.exe, hyqy.exe, jplxxva.exe, lplbp.exe, msa2p.exe, msacm32.exe, msadm.exe, msapp32.exe, msauite.exe, mscomc.exe, msdmo16.exe, msgina2.exe, mstoc.exe, msxhtml.exe, pypdmc.exe, romipkj.exe, settecalphadisc.exe, ssedm.exe, sysmon32k.exe, systemmon32.exe, systemprop.exe, tatbqfy.exe, tvtrci.exe, win32k2.exe, wina2p.exe, wrsbzxb.exe, wtsap32.exe, xxnz.exe, znzd.exe)
is (C:\Windows(WINNT)\System; system32) the copy-protection rootkit from Alpha-DVD (PlayDVD.exe) [SystemManager]
That's from the translated German link. The pdf covers the rest. I just don't want him to get side tracked that's all.
ComboFix should also address this issue; winsta32.exe is in the definitions of ComboFix, as well as general re-activation of both regedit and Task Manager and a lot of other commonly used Windows applications.
Also, it's a lot to read and it probably ends up promoting their giant corporation in some way or another.
Actually it's a good read
..and I'd completely forgotten about it. It does actually offer an instructive link for removal or updating at the end, which is what I was referencing really.
Well, let's just let sash25 decide on what he/she wants to do. He more than likely will do both steps anyway, and let's hope either one fixes the issues.
You could have just referenced the instructive link. Anyway, I think that's enough ranting for tonight; I just finished a large removal procedure for a malware-riddled PC over on gladiator and I'm knackered.
Have a good night.
It's all good fun and you love it really.
Night.
Hi CrazyMonkey and godsdog!
First, thanks for your help!!! It's very nice to see professional help on a forum like this!!
I will try the steps on Friday and then I will post some more!
The pdf from Symantec is long but good for understanding!
So thank you, and one more time sorry for my broken English.
sash
PS I'm a man! *GG*
Hi CrazyMonkey,
You know: YESSSSS we did it!!!
Yes, everything is OK and it works.
But I got 3 more small adware infections, so I ran Spyware Doctor and avast one more time, and I hope I can send you the results this week!
Do you want the whole file of ComboFix and HijackThis after the cleaning?
one more time: thank you!!
greetz
sash
Hi,
I will post it in the next few days, and also the infections, when I get them one more time!
So see you!!!
sash
Hi CrazyMonkey,
So here is the logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:04:42, on 06.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\Programme\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\dvd43\dvd43_tray.exe
C:\Programme\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\NETGEAR\WPN111 Configuration Utility\wpn111.exe
C:\Programme\T-Online\DSL-Manager\DslMgr.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Spyware Doctor\pctsAuxs.exe
C:\Programme\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\T-Online\DSL-Manager\DslMgrSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programme\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [T-Online DSL-Manager] "C:\Programme\T-Online\DSL-Manager\TODslMgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dvd43] C:\Programme\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: DSL-Manager.lnk = C:\Programme\T-Online\DSL-Manager\DslMgr.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - C:\Programme\T-Online\DSL-Manager\DslMgrSvc.exe
--
End of file - 8981 bytes
I hope you find nothing else!!
By the way, today I bought a new PC from Aldi!
So here you go, and best greetz!
sash
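A small triage script for logs like the one above, added here as an example and not part of the original thread or of any tool it mentions. It walks HijackThis lines, pulls out every referenced filename, and flags two things the helpers in this thread were looking for: any basename on the Alpha-DVD rootkit list quoted earlier (winsta32.exe and its helper files), and O23 services whose binary HijackThis reports as "(file missing)", like the two leftover Symantec entries in sash's log. The sample log is constructed: the Symantec and avast lines are copied from the log above, while the winsta32.exe process line, the O4 entry and its [SystemManager] value name are assumptions made for the example.

```python
import re
from typing import Iterable

# Filenames the translated German page quoted earlier in this thread attributes
# to the Alpha-DVD copy-protection rootkit. Matching is on the basename only,
# case-insensitive, because HijackThis shows them under System or system32.
ALPHA_DVD_ROOTKIT_FILES = frozenset("""
winsta32.exe hadl.dll amqv.exe auths.exe avsys.exe bootvid.exe bszey.exe bujp.exe
bvrkarq.exe cdosysmon.exe cmtl.dat comstl.exe comusys.exe ctsrv.exe culil.exe
d2d8.exe ddfyc.exe default8.exe dmaaoc.exe dmdmgr.exe dpnpast.exe efsysadu.exe
eygxbmb.exe hyqy.exe jplxxva.exe lplbp.exe msa2p.exe msacm32.exe msadm.exe
msapp32.exe msauite.exe mscomc.exe msdmo16.exe msgina2.exe mstoc.exe msxhtml.exe
pypdmc.exe romipkj.exe settecalphadisc.exe ssedm.exe sysmon32k.exe systemmon32.exe
systemprop.exe tatbqfy.exe tvtrci.exe win32k2.exe wina2p.exe wrsbzxb.exe
wtsap32.exe xxnz.exe znzd.exe
""".split())

# Any token ending in a .exe/.dll/.dat filename. Backslash and colon are not in
# the character class, so a full path yields only its basename; this catches the
# program of an O4 entry, the DLL handed to rundll32, an O23 service binary and
# the bare paths of the "Running processes" section alike.
FILENAME_RE = re.compile(r'[\w$~.-]+\.(?:exe|dll|dat)\b', re.IGNORECASE)
SERVICE_RE = re.compile(r'^O23 - Service: ')
FILE_MISSING = '(file missing)'


def referenced_files(line: str) -> list[str]:
    """Lower-cased basenames of all filenames mentioned on one log line."""
    return [m.group(0).lower() for m in FILENAME_RE.finditer(line)]


def triage(log_lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (category, line) findings for a HijackThis log.

    Categories:
      'alpha-dvd-rootkit:<names>'  a listed rootkit filename is referenced
      'orphan-service'             an O23 service whose binary is missing
    """
    findings = []
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        hits = sorted(set(referenced_files(line)) & ALPHA_DVD_ROOTKIT_FILES)
        if hits:
            findings.append(('alpha-dvd-rootkit:' + ','.join(hits), line))
        if SERVICE_RE.match(line) and line.endswith(FILE_MISSING):
            findings.append(('orphan-service', line))
    return findings


# Constructed sample in HijackThis format. The avast and Symantec lines are taken
# from the log posted above; the winsta32.exe process line and the O4 entry with
# the [SystemManager] value name are assumptions, not from sash's log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winsta32.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\Run: [SystemManager] C:\WINDOWS\system32\winsta32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
""".splitlines()


if __name__ == '__main__':
    for category, line in triage(SAMPLE_LOG):
        print(f'{category:32} {line}')
```

An orphan-service hit is not by itself malicious (the two in sash's log are leftovers of an uninstalled Symantec product), but it is exactly the kind of entry the helpers here tidy up after the infection is gone, and a service whose binary is missing is also a place a dropper can later re-plant a file, so it is worth listing alongside the rootkit hits.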
1 post
2 post
3 post. I can't post the HijackThis log without posting at least 5 posts.