Spartan73 Posted May 10, 2008

Hi guys please help - I installed Vista Ultimate, and 2 weeks later what seem to be American radio stations just randomly start blasting through my speakers for about 5 secs and then stop. Happens 2 times a day normally and I'm really freaked out! :(:(:(:(:( Tried anti-virusing, Ad-Aware, Spybot and they are all clean - there was some malware but that's been removed - and still radio gaga!!! Anyone have any ideas pleeeease? :D
Guest Wolfeymole Posted May 10, 2008

Hello Spartan, welcome to Extreme Tech Support - Free PC Help.

AdAware and Spybot are a bit long in the tooth now and are not the programs they once were. We'd like to find out if your system may still contain malware. Follow the instructions below please.

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a combination of the words malicious and software. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Required Cleanup Steps

- Disable the Spybot Search & Destroy TEA TIMER if enabled
- Run a temporary file and cache cleaner (ATF)
- Run 2 anti-malware scanners
- Run an online anti-virus / anti-malware scanner
- Clear out old System Restore points
- If continued malware-type activity is present you may be asked to post a TrendMicro™ HijackThis™ log file

The reason to run multiple scanners is to ensure that no single scanner is missing something. The time it takes will vary depending on your system and your internet connection speed. Typically the SUPERAntiSpyware and Malwarebytes scanners will take between 10 and 90 minutes. The ESET online scan should take between 1 and 3 hours. In most cases, these scans will suffice to clean and disinfect your computer. Heavily infected systems or slower PCs can take much longer to scan and clean.

For best results print the following instructions and bookmark this web page. To keep this guide printer-friendly, use your cursor to highlight the contents below.
From your browser select File - Print and in the printer dialog box under "Print range" click the Selection choice to print out these instructions for removal of malware. (Image: http://kixhelp.com/wr/images-freepchelp/printer-selection.gif)

__________________________________________________

STEP 1

Disable Spybot Search & Destroy's TEA TIMER (if installed):

Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select "Advanced Mode". On the left hand side, click on Tools, then click on the Resident icon in the list. Uncheck "Resident TeaTimer" and OK any prompts. Restart your computer.

__________________________________________________

STEP 2

Follow these instructions carefully. Download ATF-Cleaner from Snapfiles.com to remove un-needed temporary files from your computer that may contain malware. You can also download it from Majorgeeks.com.

When you run ATF-Cleaner, check the items as shown below for Main. For Firefox, be sure to click on the Firefox tab on top and check the items as shown below for Firefox. NOTE: If you don't have Firefox or Opera installed then they will be grayed out and can be ignored. Then click on "Empty Selected".

(Images: http://kixhelp.com/wr/images-freepchelp/atf-cleaner01.gif and http://kixhelp.com/wr/images-freepchelp/atf-cleaner02.gif)

__________________________________________________

STEP 3

Install and run the free version (not the Professional version) of SUPERAntiSpyware from SUPERAntiSpyware.com. Accept any prompts to allow SUPERAntiSpyware to install the latest rules and infection definition files. You do not have to send them your e-mail address, just click Next. You can leave the automated check for updates on. You can uncheck "Send a diagnostic report to research center" if you don't want to send the information. DO NOT allow SUPERAntiSpyware to protect your Home Page settings. On the top left select the Scan your computer button. Make sure there is a CHECK MARK on all Fixed Drives. Click "Perform a Complete Scan".
Click "Next" to repair issues found and reboot the computer when prompted to do so.

__________________________________________________

STEP 4

Install and run Malwarebytes' Anti-Malware from Malwarebytes (direct download). Accept all defaults for the installer. Allow the program to update the definitions. Click on the Quick Scan and click Next. If any items are found allow it to clean them and then reboot your computer.

__________________________________________________

STEP 5

Run an online scan with ESET from Free Virus Scan: Use ESET's Online Antivirus Scanner. You must use Internet Explorer for this online scan. Firefox, Opera, etc. will not work for this scan. Accept the terms and click "Start". Once the scanner is ready, check "Remove found threats" AND "Scan unwanted applications". Click "Start" to begin the scan. When completed restart your computer.

__________________________________________________

Make sure your internet firewall security is enabled, and then please return to Extreme Tech Support - Free PC Help and tell us how the computer seems to be operating. At that time, you will receive instructions to assist you in removing malicious programs from your Add/Remove program list if warranted.

If required this is the download link for TrendMicro™ HijackThis™. Unless instructed to by the Technician helping you then do not download this tool.

Once you and the Technician agree that your system appears to be clean then you should delete all your System Restore points and recreate a new one. Please follow the instructions here: How to turn off and turn on System Restore in Windows XP / How to turn off and turn on System Restore in Windows Vista.
Spartan73 (Author) Posted May 10, 2008

Wolfey - Thanks, I will try the above and let you know. Probably be in the next day or 2 so if you could look out that'd be great! Thank you! Spart :D
Spartan73 (Author) Posted May 18, 2008 (edited)

Wolf, hi again - tried all of the above bar the online scanner - it keeps saying it needs administrative rights to proceed, even though I'm logged in as the administrator. Hmmm.

The malware detected some more items, and removed them etc., and I had hoped that solved my problem, but then my whole PC wouldn't reboot - and was missing a file so I had to repair using the Vista disc.... I thought that did it! Till about an hour ago, when what seemed to be a barrage of radio clips came through my speakers. I think these clips could even be recordings, as they are starting to sound familiar, and also one or 2 British voices, indicating the possibility that they may be UK stations. Last time it happened I opened Task Manager to see what was running, but I couldn't see anything before it stopped.

I'm trying Housecall online scanner - seems to be working so far. Anything else I should try, as the two malware programs didn't seem to do much... Thanks loads for your help. Spartan

Edited May 18, 2008 by Spartan73
maynardvdm Posted May 18, 2008

Hi. Right-click on the file for those programs and select "Run as Administrator".

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.
RaidMax Smilodon Gaming Case | Gigabyte Z77X-UD5H M/B | Intel Core i5 3570K @ 3.4GHz | 8GB Corsair RAM | Nvidia GTX550 Ti 1GB GDDR5 | Corsair 800w PSU
Spartan73 (Author) Posted May 18, 2008

> Hi. Right-click on the file for those programs and select "Run as Administrator".

Hi, thanks for the advice but I don't think it will work, as it is a browser based online virus scanner, and will not show files as such. They are (I guess) embedded in Internet Explorer. :) :rolleyes:

I woke up this morning to find my PC off - after perhaps a scan by Housecall - on rebooting, I was prompted to start using safe mode etc.... I'm going nowhere fast, and rubbish is still making me jump out of my skin when it randomly decides to play! :mad:
maynardvdm Posted May 18, 2008

Hi. Download HijackThis from the link in post #2. Then do a scan only and save the log file. Then copy and paste that log here.
Spartan73 (Author) Posted May 18, 2008

> Hi. Download HijackThis from the link in post #2. Then do a scan only and save the log file. Then copy and paste that log here.

OK - thanks, will do. I'm considering reinstallation, as there isn't much to back up :confused: :rolleyes:
Spartan73 (Author) Posted May 18, 2008

> Hi. Download HijackThis from the link in post #2. Then do a scan only and save the log file. Then copy and paste that log here.

Here goes - Chinese to me. :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:36:54, on 18/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Users\cunb3w\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sky.com - Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [iMON] C:\Program Files\SOUNDGRAPH\iMON\iMON.exe /startup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\Windows\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Users\cunb3w\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\Windows\system32\afinding.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\system32\perfmonss.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\Windows\system32\wserving.exe (file missing)
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 9265 bytes
RandyL Posted May 19, 2008

Your system is still infected. Quite honestly the malware removal process should have cleaned it even without the ESET scan. Malwarebytes and SuperAntiSpyware are two of the best programs to be found. Then your problem returned after running a Vista repair.

Where did you obtain Vista?
Did you let Malwarebytes clean everything it found?
Did you let SuperAntiSpyware clean everything it found?
Did you remove the Restore points after cleaning?
Spartan73 (Author) Posted May 19, 2008

> Your system is still infected. Quite honestly the malware removal process should have cleaned it even without the ESET scan. Malwarebytes and SuperAntiSpyware are two of the best programs to be found. Then your problem returned after running a Vista repair. Where did you obtain Vista? Did you let Malwarebytes clean everything it found? Did you let SuperAntiSpyware clean everything it found? Did you remove the Restore points after cleaning?

Bought Vista from Overclockers. Cleaned everything - but I didn't remove the restore points. Will try it all again today - with removing restore points. Thanks :)
RandyL Posted May 19, 2008

I would try that Spartan, as Trojans can reside there and re-install from there. It seems you have them too. It's very important that you follow the guide as closely as you can. Good luck and get back to us please.
Spartan73 (Author) Posted May 19, 2008

> Your system is still infected. Quite honestly the malware removal process should have cleaned it even without the ESET scan. Malwarebytes and SuperAntiSpyware are two of the best programs to be found. Then your problem returned after running a Vista repair. Where did you obtain Vista? Did you let Malwarebytes clean everything it found? Did you let SuperAntiSpyware clean everything it found? Did you remove the Restore points after cleaning?

I bought Vista from overclockers.co.uk - I thought it cleaned them but obviously not. I cannot remember removing restore points so I am doing it all again. I am going to remove Spybot as well, as it keeps popping up with threats etc., and has caused me a crash. The sound is definitely recordings of TV or radio shows, and they're being repeated in some sort of sequence. It's driving me nuts LOL. Just running SAS again - and there are 42 threats so far - eeeeek. Thanks for your help guys... :rolleyes:
Spartan73 (Author) Posted May 19, 2008 (edited)

> Your system is still infected. Quite honestly the malware removal process should have cleaned it even without the ESET scan. Malwarebytes and SuperAntiSpyware are two of the best programs to be found. Then your problem returned after running a Vista repair. Where did you obtain Vista? Did you let Malwarebytes clean everything it found? Did you let SuperAntiSpyware clean everything it found? Did you remove the Restore points after cleaning?

Hi, I bought Vista from Overclockers. I didn't remove the restore points. But I ran everything again, and a lot of malware was still present. And on rebooting, I had to do a Windows repair, or Vista wouldn't start. I did everything and deleted restore points except very recent ones, and there is still malware in the PC. :(

Edited May 19, 2008 by Spartan73
RandyL Posted May 19, 2008

Did you disable System Restore via this method? How to turn off and turn on System Restore in Windows Vista
Spartan73 (Author) Posted May 27, 2008

Hi guys, sorry for the delay with this post, family and work commitments have kept me pretty tied up lately. I appreciate all your help!

Right - getting somewhere removing this malware, and the random noise seems to have stopped. :D I started right from the beginning, just after I uninstalled AVG and Spybot. This is what I have done - hopefully correctly this time:

- Turned off System Restore (yes, as described above)
- Ran ATF Cleaner as described
- Ran SAS again, and again the same result: 10 Unclassified Oreans.32. Clicked Next and removed them!
- Rebooted PC - and it started OK
- Ran Malwarebytes and it came up CLEAN! No Trojan BHO showing this time. YIPEE! It didn't ask me to reboot, but I did anyway, just to see if I was still getting a ci.dll error afterwards. PC booted OK - Yeeha.
- Then I worked out how to run IE as administrator (doh) and managed an online scan with ESET - that also came up clean!
- Turned ON System Restore

Well chuffed! However, I thought I'd double check (as you do) and restarted SAS and the same Unclassified Oreans.32 were still there. Are these "friendly bacteria" or something? When SAS was deleting them, I noticed something saying LEGACY oreans etc....

ALSO - when rebooting my PC - there are 5 internet (user) accounts as well as my user account to log into.... They appeared from nowhere lol. Do I remove these manually?

PC seems to be running much better now, but those Oreans are bugging me. Here is a HJT log - all Chinese to me, but any feedback would be great!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:19:03, on 27/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Users\cunb3w\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\System32\spool\drivers\w32x86\3\WrtProc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Sky.com - Home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [iMON] C:\Program Files\SOUNDGRAPH\iMON\iMON.exe /startup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\Windows\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [McRegWiz] C:\Program Files\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Users\cunb3w\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\Windows\system32\afinding.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\system32\perfmonss.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\Windows\system32\wserving.exe (file missing)
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 8124 bytes

Thanks so much for your help guys, you're the best! Spart :D;):D;):D;)
Guest Wolfeymole Posted May 27, 2008
Why do you have AVG and McAfee running, Spartan? PokerStars does you no favours either, and you could be liable for crap downloaded via BitTorrent. Allow our techs to get back to you with further information on this HJT log, mate.
Spartan73 (Author) Posted May 27, 2008
Quoting Wolfeymole: "Why do you have AVG and McAfee running, Spartan? PokerStars does you no favours either, and you could be liable for crap downloaded via BitTorrent. Allow our techs to get back to you with further information on this HJT log, mate."
Hi Wolfey, wow, that was quick, thanks bud! Well, PokerStars is something I'm on quite often, so I can't remove that, but by "running" do you mean it is open in my system although the software wasn't open at the time of the HT scan? Hmm, please shed some more light on this; I'd hate to think PStars is monitoring something they shouldn't be! I'm also on William Hill Poker a lot. Do they have any hidden running processes too? Is this a ploy by PStars to monitor my play on other sites? Am I paranoid? LOL. BitTorrent I use to catch the odd missed episode of Lost; I don't do too many other downloads from there, I find it quite useful. Now as for McAfee, good question. I installed it just after Vista, a couple of months back, but read some bad reviews after noticing my PC was slow, so I removed it. Now when I reboot my PC I get an error saying the damn thing failed to start. I tried removing the files manually, but it wouldn't let me!!! As for AVG, I thought I saw the back of that too... Why do these things not fully uninstall? Thanks again, pal, will wait for the tech guys too.
Guest Wolfeymole Posted May 27, 2008
I'll rephrase on the PokerStars aspect, mate, and suggest that it may be OK, as would the William Hill site. I'll let the techs offer further discussion on this when they get online, Spartan.
Seth Posted May 27, 2008
Hi Spartan. Let's disable needless programs from automatically starting when Vista starts.
1) Right-click on the Vista start icon and choose Properties > Customize. Put a check on the Run Command option and click OK.
2) Left-click on the Vista start icon and click on Run. Type in msconfig and click OK.
3) Put a dot on Selective Startup and click on the Startup tab. Scroll through the list and uncheck all entries other than your security software and jusched. Click Apply and OK. Do not choose to restart the computer at this point.
Run HijackThis and choose Scan Only. Put a check in the box on all of the items that end with "No file" or "file missing". Do not put a check in any other entries. Now click on "Fix Checked" and restart the computer once HijackThis does its thing.
How are things now?
Need help with your computer problems? Then why not join Free PC Help. If Free PC Help has helped you then please consider a donation.
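The HijackThis step above comes down to one rule: tick every entry whose target on disk is gone ("file missing" / "No file") and nothing else. The script below applies that rule to log text, as an added example for this thread (it is not a tool from the original posts, and HijackThis itself does this interactively). The sample lines are excerpted from the log posted earlier in the thread; the function names, the regular expressions and the report layout are this example's own choices.

```python
"""Triage a HijackThis log for entries whose target file no longer exists.

Added example for this thread, not a tool from the original posts.  It
mirrors the advice above: flag every entry ending in "(file missing)" or
"(no file)" for "Fix Checked", and leave everything else alone.  For O23
service entries it also records whether the owner is "Unknown owner", the
combination that stands out in the posted log.
"""
import re

# Markers HijackThis appends when the file an entry points at is gone.
MISSING_MARKERS = ("(file missing)", "(no file)")

# Every entry line starts with a section code such as O4 or O23.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# O23 bodies look like "Service: <display name> (<short name>) - <owner> - <path>".
SERVICE_RE = re.compile(r"^Service: .*?\(([^)]+)\) - (.*?) - ")

# Lines excerpted from the log posted above, trimmed to the relevant kinds.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\Windows\system32\afinding.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\system32\perfmonss.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\Windows\system32\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\Windows\system32\wserving.exe (file missing)
"""


def parse_entries(text):
    """Return [(section, body)] for every entry line in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def is_orphan(body):
    """True when HijackThis reports the entry's target file as missing."""
    tail = body.lower()
    return any(tail.endswith(marker) for marker in MISSING_MARKERS)


def describe_service(body):
    """Pull (short name, owner) from an O23 body; short name may be None."""
    m = SERVICE_RE.match(body)
    if m:
        return m.group(1), m.group(2)
    # No "(short name)" present: "Service: <display name> - <owner> - <path>".
    parts = body[len("Service: "):].split(" - ")
    return None, (parts[1] if len(parts) > 1 else None)


def triage(text):
    """List the entries to tick for 'Fix Checked', with O23 service details."""
    flagged = []
    for section, body in parse_entries(text):
        if not is_orphan(body):
            continue
        item = {"section": section, "entry": body}
        if section == "O23":
            name, owner = describe_service(body)
            item["service"] = name
            item["unknown_owner"] = (owner or "").lower() == "unknown owner"
        flagged.append(item)
    return flagged


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item["section"], item.get("service") or "-", item["entry"])
```

Run against the posted log this flags exactly the four services (AFinding, perfmons, Routing, WServing): each has no vendor string and points at a system32 binary that is no longer there, which is what a scanner that deleted the files but left the service registrations behind looks like. A service whose binary is gone cannot run; the Service Control Manager only logs a failure at boot, so these entries are clutter to clean up rather than something active. "Fix Checked" removes the registration; the same can be confirmed on the live machine with `sc query AFinding` and removed with `sc delete AFinding` from an elevated command prompt.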
Spartan73 (Author) Posted May 27, 2008 (edited)
Quoting Seth: "Hi Spartan. Let's disable needless programs from automatically starting when Vista starts. 1) Right-click on the Vista start icon and choose Properties > Customize. Put a check on the Run Command option and click OK. 2) Left-click on the Vista start icon and click on Run. Type in msconfig and click OK. 3) Put a dot on Selective Startup and click on the Startup tab. Scroll through the list and uncheck all entries other than your security software and jusched. Click Apply and OK. Do not choose to restart the computer at this point. Run HijackThis and choose Scan Only. Put a check in the box on all of the items that end with "No file" or "file missing". Do not put a check in any other entries. Now click on "Fix Checked" and restart the computer once HijackThis does its thing. How are things now?"
Hi, thanks, but your 3rd point... "Scroll through the list and uncheck all entries other than your security software and jusched"... please explain! Also I'm about to start unchecking stuff, but before I DO... there are all sorts of things in there like MS Windows Operating System, Nvidia drivers, SAS, other drivers, Java etc. Do you mean uncheck these too? Thanks.
Edited May 27, 2008 by Spartan73
Seth Posted May 27, 2008
Sorry, I forgot you had Vista. Keep the MS Windows entries. Any Nvidia stuff can be unchecked as well. The free version of SAS doesn't need to run at startup. Only the paid version does. Java is jusched. Any other entries you're not sure about?
Spartan73 (Author) Posted May 27, 2008
Quoting Seth: "Sorry, I forgot you had Vista. Keep the MS Windows entries. Any Nvidia stuff can be unchecked as well. The free version of SAS doesn't need to run at startup. Only the paid version does. Java is jusched. Any other entries you're not sure about?"
Hey Seth, unchecked everything and the PC is starting up straight into my desktop. (I manually deleted the other accounts and they didn't reappear.) So ALL GOOD on that side... THANK YOU! Oh, I think a donation is imminent... lol. I am currently doing another SAS scan, 12 mins in, all good for now, but the Oreans usually appear a bit later. Will keep you posted. Thanks muchly.
Guest Wolfeymole Posted May 27, 2008
"Imminent" donations can assuredly be made via the nice shiny green button at the top or via the link in any Admin's or Moderator's signature, Spartan. :)
Spartan73 (Author) Posted May 27, 2008
Quoting Wolfeymole: ""Imminent" donations can assuredly be made via the nice shiny green button at the top or via the link in any Admin's or Moderator's signature, Spartan."
Yes, thank you! I'm well aware of that, Wolfey, whereupon I will be redirected in almost teleporting fashion to the ever so efficient PayPal... where, conveniently, my prestored details are ready and waiting for my prompt arrival, ready to expunge the little plastic thing in my wallet... Haha ;)