
Problems with pc due to a strange program

Discussion in 'Other PC Software' started by Kayz, 2003/04/09.

Thread Status:
Not open for further replies.
  1. 2003/04/13
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hello Kayz

    This is old foot in mouth mflynn! Sorry, this is not a first for me!

    One of these days on this board I am going to refer to HOSS as a him and she is really going to come down on me! Smile!

    OK now!

    How doo yoou doo it! Another one huh!

    So here is what to do. It is not as hard as it looks just do it!

    Configure CleanMgr to max settings
    Go to Start-Run and type

    cleanmgr /sageset:1
    The above need only be run once (these settings will be remembered as the default until another sageset is run).

    It will present a menu select all except compress, then

    Go to Start-Run and type

    cleanmgr /sagerun:1
    As long as /sageset above has been run on this computer, from now on the /sagerun is the only thing that needs to run.
    ____________________________________________

    Cleanups
    These are for 95 98 ME only!

    Boot to DOS (not shutdown to DOS). While booting hit F8 to get the startup menu. Choose "command prompt only".

    Type these commands exactly and hit enter at the end (do not type the notes that are in parentheses like this).

    del c:\*.swp (may get file not found, is ok)
    del c:\windows\*.swp
    deltree c:\windows\shelli*.*
    deltree c:\windows\temp\*.* (answer yes to all) "ALL "
    deltree c:\windows\tempor~1\*.*
    deltree c:\windows\history\*.*
    deltree c:\windows\spool\printers\*.*

    Then boot back to SAFE MODE and run The Cleaner program again.

    This should clean you up again.

    Let us know!

    Mike
     
  2. 2003/04/13
    Kayz

    Kayz Inactive Thread Starter

    Joined:
    2002/12/31
    Messages:
    44
    Likes Received:
    0
    It still shows up on the anti-trojan scan that there is a 1033 Trojan. By the way, it's not that big of a deal that you mistake me for a girl; besides, who would expect it if they didn't tell someone who they are?
     
    Last edited: 2003/04/13


  4. 2003/04/13
    Kayz

    Kayz Inactive Thread Starter

    Joined:
    2002/12/31
    Messages:
    44
    Likes Received:
    0
    Well, I went back to the site and it says that this file is infected with Backdoor.SubSeven22.
     
  5. 2003/04/13
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Last edited: 2003/04/13
  6. 2003/04/13
    Kayz

    Kayz Inactive Thread Starter

    Joined:
    2002/12/31
    Messages:
    44
    Likes Received:
    0
    I'm not clear on the exact files I should delete in the registry. So far I already deleted a few that had been altered in name, but other than that I don't know what to look for exactly, and the stupid thing is I didn't write it down to post up.
     
  7. 2003/04/14
    BruceKrymow

    BruceKrymow Inactive

    Joined:
    2002/03/20
    Messages:
    548
    Likes Received:
    0
    Hi, Kayz ~

    What you have is a stubborn trojan designed to take control of your 'puter that overwrites some system files and requires a moderate level of expertise to remove.

    As far as the exact files to delete in the registry, just take your time and follow the directions carefully one step at a time as outlined in the link Mike provided.

    Here is another link that may help.

    If you are unable to work this out and don't have much in the way of anything of importance on there, you may need to simply format & reinstall, as much as I hate suggesting it. :(
     
  8. 2003/04/14
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Kayz

    The Apr 5 Norton update is supposed to detect and clean this Trojan. You should attempt a manual clean of the registry only after running the Virus scanners first.

    If you have a chance of saving this OS you are going to have to be aggressive now about removing this dirt.

    If you can eradicate it then it would be possible to do an overlay/repair install without formatting. An overlay/repair install will save your software and settings.

    Get the updates mentioned below first then unplug the internet, only reconnect the internet when you go to do the online scan.

    Here are the steps.

    1. Run "The Cleaner" from the start menu, do its online update, then in config check use heuristics and scan all files. Then do a full scan with this.

    2. Same with Norton update first, max out the configuration by selecting scan all files including compressed.

    3. Do the Trend Housecall which has also stated it can handle this Trojan.

    http://housecall.antivirus.com/http...ie&venid=sym&plfid=20&pkj=OFRIWOBWYSHSFVIGMKI

    Mike

    PS and after this is cleaned we need to look at the software installed on this computer, especially that which you run, to find how it is getting on. Do you use the Kazaa media desktop or other P2P downloader?
     
  9. 2003/04/14
    Kayz

    Kayz Inactive Thread Starter

    Joined:
    2002/12/31
    Messages:
    44
    Likes Received:
    0
    I have Kazaa Lite but it's uninstalled. How do I do an overlay/repair install?
     
  10. 2003/04/14
    BruceKrymow

    BruceKrymow Inactive

    Joined:
    2002/03/20
    Messages:
    548
    Likes Received:
    0
    Hi, Kayz ~
    This is unclear. Would you care to elaborate, please?
     
    Last edited: 2003/04/14
  11. 2003/04/15
    Kayz

    Kayz Inactive Thread Starter

    Joined:
    2002/12/31
    Messages:
    44
    Likes Received:
    0
    Which part would you like me to elaborate on? I had Kazaa Lite on my computer, which installs Kazaa with it all together, but when you uninstall it takes everything of Kazaa out except for the files you download off of it.

    Well, today I did the steps of updating Norton and The Cleaner, cleaned my computer and did the online Trend virus scan that you recommended, Mike. The virus was done the first few scans of the anti-trojan thing and it was gone. So I just rebooted my computer just now and tested to make sure the virus is truly gone, and sure enough it is back, as it showed up on the scan again.
     
  12. 2003/04/15
    Kayz

    Kayz Inactive Thread Starter

    Joined:
    2002/12/31
    Messages:
    44
    Likes Received:
    0
    Edit: I just got a limited trial version of the Norton Internet Security program for a year. Does that help any? I just borrowed it from a friend on CD and just now uploaded it to the computer. And so far the person who has launched the Trojan has tried 2 times to attack me within 4 min. time.
     
    Last edited: 2003/04/15
  13. 2003/04/15
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    10-4 to that Kayz!

    Sorry late getting back. But had to leave early for work and work very late yesterday.

    Now you have it! Excellent move, you are learning!

    So you were being infected repeatedly from the internet. Your cleaning would be successful, then it would hop back on.

    I should have considered this sorry!

    Now that you are protected from reinfection by the firewall, and if everything works forget the overlay reinstall for now.

    To clean the Kazaa just move your downloads to a new folder then if you have completed the add/remove part just browse to C:\Program Files and delete the folder for Kazaa.

    Then run the RegCleaner program and remove all remaining Kazaa entries here.

    Kazaa Lite is OK in itself; it is the full Kazaa Media Desktop that has the baddies. But remember what Kazaa does and how it does it is a small danger, so care needs to be used. Email has this same warning. So use Kazaa Lite, it is clean, but stay with the security issues by regular virus scans.

    I usually do the different scans when I don't need my computer.

    Good luck, Good job

    Mike
     
  14. 2003/04/15
    BruceKrymow

    BruceKrymow Inactive

    Joined:
    2002/03/20
    Messages:
    548
    Likes Received:
    0
    Hi, Kayz ~

    For proper KaZaA Lite installation, set-up and administering, please see my two BBS posts here and the links therein. Read them carefully or you may well be back where you do not wish to be. :eek:
     
  15. 2003/04/15
    Kayz

    Kayz Inactive Thread Starter

    Joined:
    2002/12/31
    Messages:
    44
    Likes Received:
    0
    Well, can you help me to get it where it can update The Cleaner and other programs, and also to get it to where I can get on MSN Messenger? Norton IS is cutting the internet connections off those programs and doesn't seem to let me update or allow the internet to be used.

    How can I get the other computer to quit sending me the virus? I don't know how long the temp. Norton IS will be on till it'll want me to purchase the product. Another thing I noticed is that something keeps trying to open Explorer.exe when I don't have IE turned on, like it's trying to connect my computer to someone else's.
     
    Last edited: 2003/04/15
  16. 2003/04/15
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Kayz

    Just got in from work.

    First! Are you sure that more than 1 different scan says you are still virus free?

    Because the attempt of something trying to get out on the internet is virus like.

    But it could be a normal program trying to update.

    Send us the startup list now, let us see what is left now!

    There is not a lot you can do to stop the probes from coming, but you have stopped them from gaining entry. You might say they keep knocking on your door but can't get in.

    Don't get paranoid over this; everyone gets hits every day on always-on broadband.

    I don't and have never used Norton (I use Zone Alarm) but they all have a setup or configuration that let you grant permission for things to come and go on your computer. The NetSpy wants in and Norton is keeping him out, the thing opening explorer is trying to get out but Norton is keeping it in.

    I think BillyBob uses Norton Internet Security but I think he is traveling this week. Hopefully someone that uses it will advise you.

    All I can say is to look through the program for a way to control this. It is there!

    mike
     
  17. 2003/04/15
    Kayz

    Kayz Inactive Thread Starter

    Joined:
    2002/12/31
    Messages:
    44
    Likes Received:
    0
    Well, I only used two scanners, which is the Norton scanner and that Anti-Trojan scanner you sent earlier. As for the Norton IS, I've been trying for an hour to configure it so it would let MSN Messenger work and update The Cleaner, but I guess it's ok. It annoys me having someone looking at stuff on my computer; it just makes me feel uncomfortable, but oh well, at least I have their IP now. Anyway, here is my startup list:

    StartupList report, 4/15/03, 6:11:40 PM
    StartupList version: 1.52
    Started from : C:\WINDOWS\DESKTOP\STARTUPLIST.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
    C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\ATRACK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\NMAIN.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\STARTUPLIST.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    SystemTray = SysTray.Exe
    IntelliType = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    LoadQM = loadqm.exe
    POINTER = point32.exe
    NAV Agent = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    DeadAIM = rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
    iamapp = C:\Program Files\Norton Internet Security\IAMAPP.EXE
    fsvyuwg = "C:\WINDOWS\SYSTEM\FSVYUWG.exe "

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    SchedulingAgent = mstask.exe
    ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    nisserv = C:\Program Files\Norton Internet Security\NISSERV.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 15/4/2003, 11:17:28)

    [Rename]
    NUL=c:\windows\cookies\geoff broom@atdmt[1].txt

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Symantec NetDetect.job
    Norton AntiVirus - Scan my computer.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37603.718912037

    [{4E888414-DB8F-11D1-9CD9-00C04F98436A}]
    CODEBASE = https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/2003031901/housecall.antivirus.com/housecall/xscan53.cab

    [Live365Player Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PLAY365.DLL
    CODEBASE = http://www.live365.com/players/play365.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

    [PWLNINST Control]
    InProcServer32 = C:\WINDOWS\PWLN\PWLNINST.OCX
    CODEBASE = http://www.plato.com/pwln/02000050/cab/pwlninst.cab

    [AvxScanOnline Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX
    CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 5,701 bytes
    Report generated in 1.543 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
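Added example, not from any post in this thread: a small Python script that parses the autorun sections of a StartupList report like the one above and returns entries for manual review. The two heuristics (an executable in the Windows system directory whose registry value name equals its file name, or a vowel-poor name that looks machine-generated) and the constructed excerpt are the editor's assumptions, not features of StartupList.

```python
"""Added example (not from the thread): parse the autorun sections of a StartupList
1.52 report and flag entries worth a manual look (assumed heuristics, not StartupList's)."""
import ntpath
import re
from collections import namedtuple

AutorunEntry = namedtuple("AutorunEntry", "key name command")

# Constructed excerpt, in the format of the report posted above.
SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
SystemTray = SysTray.Exe
LoadQM = loadqm.exe
iamapp = C:\Program Files\Norton Internet Security\IAMAPP.EXE
fsvyuwg = "C:\WINDOWS\SYSTEM\FSVYUWG.exe "

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe
nisserv = C:\Program Files\Norton Internet Security\NISSERV.EXE"""

def parse_autoruns(report):
    """Collect 'name = command' lines under each 'Autorun entries' header."""
    entries, key, lines = [], None, report.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if line.startswith("Autorun entries from Registry:"):
            key = next((l.strip() for l in lines[i + 1:] if l.strip()), None)
        elif line.startswith("---"):
            key = None  # dashed separator closes the current section
        elif key and " = " in line:
            name, command = line.split(" = ", 1)
            entries.append(AutorunEntry(key, name.strip(), command.strip()))
    return entries

def executable_path(command):
    """Quoted path, else text up to the first '.exe', else the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].strip()
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else (command.split()[0] if command else "")

def review_reasons(entry):
    """Heuristic signals (assumptions, not proof) that an entry needs review."""
    directory, filename = ntpath.split(executable_path(entry.command))
    base, name = ntpath.splitext(filename)[0].lower(), entry.name.lower()
    in_system_dir = directory.lower().endswith(("\\windows", "\\windows\\system"))
    letters = [c for c in name if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 1
    checks = [(base == name, "self-named executable in the Windows system directory"),
              (vowel_ratio < 0.2, "vowel-poor value name, possibly randomly generated")]
    return [why for hit, why in checks if in_system_dir and hit]

def flag_entries(report):
    """(entry, reasons) for every autorun entry that raised at least one signal."""
    return [(e, r) for e in parse_autoruns(report) if (r := review_reasons(e))]
```

On the excerpt only the fsvyuwg entry is returned; that is a prompt to look at the file, not a verdict about it.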
     
  18. 2003/04/15
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    No you don't understand. You now see him but he does not see you. He is not seeing your stuff now!

    The startups look ok.

    Now I guess we wait for someone to guide you on configuring the NIS.


    Mike
     
  19. 2003/04/15
    Kayz

    Kayz Inactive Thread Starter

    Joined:
    2002/12/31
    Messages:
    44
    Likes Received:
    0
    Yeah, I know I can view his stuff. What I meant about having his IP is that I can block him or I can report him. But is there any way to get the stuff inside my computer to stop trying to send out any info, like the explorer.exe?
     
  20. 2003/04/16
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    You may not have his IP. A real hacker will not be so easy to trace. He could be using an anonymous proxy or several means of spoofing (hiding his IP address).

    Anyway on the outbounders try the below

    Startup control
    http://www.mlin.net/StartupCPL.shtml

    This gives simple and full control of what starts at boot up. After install there will be a Startup icon in control panel.

    Why this over Msconfig? Msconfig only allows unchecking/disabling of items. Startup Control panel allows deleting items or moving from startup to run as a service etc.

    Once it is installed go to control panel and run it. For this purpose we need to temporarily disable the McAfee thing and the WebShots. So uncheck them and reboot. Now what?

    The McAfee thing really seems like an orphan of some old program. Is there anything in the add/remove related to McAfee? Is there anything in c:\Program Files related to McAfee? Additionally it is a web update program and is probably the culprit!

    Mike
     
  21. 2003/04/16
    Kayz

    Kayz Inactive Thread Starter

    Joined:
    2002/12/31
    Messages:
    44
    Likes Received:
    0
    Well, I found two folders in the Program Files and deleted them, then I ran the Startup Control Panel and there was an update program still running under a non-existing folder, which was one of the two folders from McAfee. Also, all day before doing this, the person who was trying to, or the program, stopped trying to get the Explorer.exe to use the internet as well.
     