Dee

Help I Have Major Problems Here :(


Radio :)

 

OK can I leave that srvany.exe there and just go ahead and reboot and then delete those other files??? or do you wish me to try get rid of that file by another means first???

 

Also deleting those files you have listed following the reboot ....I presume you are talking about me deleting them via the task manager Ctrl/Alt/Del facility too?

 

:blink:


the srvany program looks like it is started by one of the other programs that you already 'fixed', so it shouldn't start back up again...

 

you need to go to those folders via 'my computer', 'c' drive, 'winnt'....

 

don't want to just stop them from running, need to actually remove them all together ;)


How do I make sure I am in safe mode???.....sorry for sounding daft


while the pc is booting up, just after the bios screen, start tapping the [F8] key, then choose 'safe mode' :)

 

it will take longer than normal to boot into this mode... ;)


it will take longer than normal to boot into this mode... ;)

Far longer. :) v


Yes, OMG Safe Mode took forever ......I also had some problems finding some of these files.......I have left the deleted files in recycle bin just in case I have deleted the wrong one by accident :rolleyes:

 

 

c:\winnt\tour.reg.........I deleted ONE of two I found..I left the 1999 one???

c:\winnt\srvany.exe....I deleted this completely

c:\winnt\svchost.exe...I deleted ONE and left the 1999 one????

 

 

C:\WINNT\system32\Explorer.exe .......deleted

C:\WINNT\System32\msapp.exe..........deleted

C:\WINNT\System32\api32.exe............deleted

C:\WINNT\system32\msiexec16.exe.....deleted

 

C:\WINNT\Fonts\rundll32.exe........Left a 1999 one

C:\WINNT\Fonts\explorer.exe........Left a 1999 one but I had problems finding these two files in the first place and I was getting not accessible and this folder was moved or removed???

 

 

My mIRC friend seems to have disappeared on start up also :)

 

My Firewall on log on has just popped up with a new program asking me do I want to allow :woot: msblast.exe to access the internet :woot: .......I am sure you want me to answer NO to this right now!

 

 

 

 

 

 

Here is the new Hijackthis scan results

===========================

 

 

Logfile of HijackThis v1.96.0

Scan saved at 03:35:18, on 17/08/2003

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\ati2evxx.exe

C:\WINNT\system32\crypserv.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.exe

C:\WINNT\System32\ibmpmsvc.exe

C:\WINNT\System32\tp4serv.exe

C:\WINNT\System32\Atiptaxx.exe

C:\WINNT\System32\RunDll32.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

C:\WINNT\System32\msblast.exe

C:\CFGSAFE\AUTOCHK.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\unzipped\hijackthis[1]\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iol.ie/

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [iBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [soundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe

O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE

O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe

O4 - HKLM\..\RunServices: [GLSetIT32] C:\winnt\system32\msiexec16.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080...all/xscan53.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7845.6232291667

O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/sv1.4.14/ttinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...285/mcfscan.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4294093F-8948-495F-BFA5-066EC4CCCE69}: NameServer = 194.145.128.1 194.125.2.206

 

 

 

 

It's nearly 3am again here........If you feel we still have a way to go on this, would you mind calling it a day.....I am wasted here totally :snooze:

 

I am so grateful, thank you thank you for your help

 

De ;)

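An added example, not part of the original thread and not code from HijackThis: several of the files discussed above carry the names of core Windows binaries but sit in the wrong folder (for instance Explorer.exe under system32, or svchost.exe directly under C:\WINNT). The Python below flags that pattern in HijackThis-style log lines; the expected-location table, the function name and the sample lines are assumptions constructed here from paths quoted in the thread.

```python
import ntpath
import re

# Assumption (added here): the folder each core Windows 2000 binary
# normally lives in, with C:\WINNT as the system root as in this thread.
# Keys and values are lower-cased for case-insensitive comparison.
EXPECTED_DIR = {
    "explorer.exe": r"c:\winnt",
    "svchost.exe": r"c:\winnt\system32",
    "rundll32.exe": r"c:\winnt\system32",
    "services.exe": r"c:\winnt\system32",
    "lsass.exe": r"c:\winnt\system32",
    "winlogon.exe": r"c:\winnt\system32",
    "smss.exe": r"c:\winnt\system32",
    "spoolsv.exe": r"c:\winnt\system32",
}

# First drive-letter path on a line that ends in .exe (quotes excluded).
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)

def misplaced_system_binaries(log_text):
    """Return sorted (path, expected_dir) pairs for executables that use a
    system binary's name but are not in that binary's normal folder."""
    findings = set()
    for line in log_text.splitlines():
        match = EXE_PATH.search(line)
        if not match:
            continue
        path = match.group(0)
        directory, name = ntpath.split(path.lower())
        expected = EXPECTED_DIR.get(name)
        if expected and directory != expected:
            findings.add((path, expected))
    return sorted(findings)

# Constructed sample: process and O4 lines in HijackThis layout, built from
# paths that appear in the thread (not a real scan).
SAMPLE = r"""
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\RunDll32.exe
C:\WINNT\system32\Explorer.exe
C:\WINNT\svchost.exe
C:\WINNT\Fonts\rundll32.exe
C:\WINNT\Fonts\explorer.exe
O4 - HKLM\..\RunServices: [GLSetIT32] C:\winnt\system32\msiexec16.exe
"""

if __name__ == "__main__":
    for path, expected in misplaced_system_binaries(SAMPLE):
        print(f"{path}  (normally found in {expected})")
```

A location check like this only catches impersonated names; files with their own names, such as msblast.exe or msiexec16.exe, still need a scanner or a manual review of the autorun entries.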

good morning :)

 

are you sure you checked this item before? put a check next to it,

O4 - HKLM\..\RunServices: [GLSetIT32] C:\winnt\system32\msiexec16.exe

 

also 'fix' this line, then reboot:

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

 

after rebooting, delete this file:

C:\WINNT\System32\msblast.exe

 

also, try to install the critical updates now.


good morning :)

 

are you sure you checked this item before? put a check next to it,

O4 - HKLM\..\RunServices: [GLSetIT32] C:\winnt\system32\msiexec16.exe

 

also 'fix' this line, then reboot:

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

 

after rebooting, delete this file:

C:\WINNT\System32\msblast.exe

 

also, try to install the critical updates now.

:lol: lol,,Keep on chuggin Dee!! :mrgreen: v


Update before I go :snooze:

====================

 

 

OK just tried to get rid of the mblast with the removal tool....it is now coming back saying that the removal was unsuccessful and that the tool could not delete mblast. :angry: Next time I am to try and reboot and use tool in safe mode and any files that cannot be deleted or repaired with this tool must be removed manually. The run with this tool did however fix one registry file.

 

 

I am trying to apply the patch and also I am running the stinger. Firewall has just alerted me asking do I wish to allow a fixtool for W32 Blaster.Worm to access - YOU'RE RIGHT I DON'T :woot:

 

 

AHHH :mrgreen: stinger is just completed and it has found and deleted mblast/lovesan file. :woot:

 

It looks like SP2 is going to download successfully at LONG LAST and hopefully the patch will also apply then. I am going to leave it downloading here, it's going to take some time :mrwinky:

 

 

 

Here is an updated McAfee Scan as of now

==============================

 

We've gone down from 17 to 10

 

C:\WINNT\system32\navdb.dbx IRC/Flood.am

C:\WINNT\system32\inst.exe BackDoor-ARG.dr

C:\WINNT\system32\Dvldr32.exe W32/Deloder.worm

C:\WINNT\system32\rconnect.exe SlimFTP

C:\WINNT\system32\explore.EXE IRC/Flood.k.dr

C:\WINNT\Fonts\~GLH0003.TMP IRC-Pitchfork

C:\WINNT\Fonts\~GLH0004.TMP IRC-Pitchfork

C:\WINNT\Fonts\~GLH0005.TMP IRC-Pitchfork

C:\WINNT\Fonts\~GLH0006.TMP IRC-Pitchfork

C:\WINNT\svchost2.exe BackDoor-ACH

 

 

Okey dokey Radio, I will do that to-morrow

 

 

good night all :mrwinky:

 

 

PS yeah volt chuggin :woot:


Good Afternoon All :)

 

 

Just to let you know that SP2 downloaded successfully and THE PATCH APPLIED SUCCESSFULLY TOO AT LAST :mrwinky: .....Radio, I will do those other things to take it a step further later this evening.

 

Hey we're winning :lol:


Good Afternoon All  :)

Good afternoon Dee. :)

 

Glad to see that your machine is in a healthier condition.

 

Just one thing, i don't think you use an onboard virus scanner.

 

If not, then you will probably be hacked again.

 

You can install this free scanner and scan anything you download before opening it:

 

AVG 6

 

Just remember to keep it up to date! ;)

 

I don't believe it - Someone's scanning me again as i type this! :mrgreen:


Glad ya got it sorted Dee!! need anything else just hollar. :) v


Hi :mrwinky::lol:

 

I think I am FIXED :woot:

 

 

Just did a scan there with my new AVG6 ;) scanner that Inprofile recommended :mrgreen: ....It's a nifty one, It successfully healed the remaining 10 infected files.

 

 

BUT: Could anyone answer me this - although the next scan said I had no virus present....it also said that there was a number of files that could not be opened and are not checked???

 

HIBERFIL.SYS

C:\Winnt\system32\esnecil.ind

 

and also four files from Documents and administrators which are NTUSER.DAT and NTUSER.DAT.LOG

USRCLASS.DAT and also USRCLASS.DAT.LOG

 

I am going to run another McAfee Online Scan now and see if it shows anything up

 

Any thoughts in the meantime....I will post any findings

 

Regards

 

De

 

 

 

 

 

hummmmmmm not so completely fixed :blink: ...just completed the McAfee Scan and here are the results..still 4 files infected

 

C:\WINNT\system32\navdb.dbx IRC/Flood.am

C:\WINNT\system32\rconnect.exe SlimFTP

C:\Documents and Settings\...\Temp\eqbjgr.exe IRC/Flood.gen.dr

C:\Recycled\Dc4.exe IRC/Flood.mirc

 

 

What do you recommend to clear these..they are obviously hiding pretty good in those files that AVG6 could not open and check.

 

:huh:

Edited by Dee


you should be able to find & delete those last 4 files, that McAfee found, in safe-mode.

 

the files that AVG couldn't scan look legitimate.


Hi Folks

 

 

Hey now you better sit down for this.......just finished the McAfee Scan again and .......sorry to have to be the one to break the news....but it's real serious this time I am afraid :blink:

 

 

:woot: YOU GUYS KILLED THEM ALL OFF. :woot: ......the last 3 just left with packed suitcases although I am sure some of them will try to acquire a return ticket in the future :woot: ...and that will probably be my fault lol

 

Thank you all so much for your help, I arrived here in a rather sad state and now I am firewalled to the last, scanner in place and on the look out of spyware lol lol lol.......I have never known as much about computers as I do now hummmm :rolleyes:

 

So I guess I will as Volt says.....Keep on Chuggin along and hope for the best :woot::lol: I really really needed to get an MP3 to a studio to-morrow and thanks to you all, it's on time :mrwinky:

 

Anyways hope to see ya all on the boards soon...hopefully it won't be me causing more problems :rolleyes:

 

Thanks again

Hope your week gets off to a good start.......I owe you one :) :

 

Love, Luck, Laughter

 

 

De

 

 

 

Edited by Dee


WoW Dee! That post got big from the first time I read it :lol:

What ??? Are you just going to leave us hanging?! What does this mean? :huh:

Hey now you better sit down for this.......just finished the McAfee Scan again and .......sorry to have to be the one to break the news....but it's real serious this time I am afraid


Hey now you better sit down for this.......just finished the McAfee Scan again and  .......sorry to have to be the one to break the news...

You had me worried there for a minute Dee! :lol:

 

Glad the Pit managed to get you up and running again.

 

Look back in often, you don't have to have a problem to visit us.

 

Just remember to scan for a virus every time you d/load something and i don't care even if it's from your nearest and dearest. :mrgreen:;)


:woot: YOU GUYS KILLED THEM ALL OFF. :woot:

you missed the punchline :mrgreen:

 

glad we could help :)


:woot: tee hee,

 

Glad I got ya going there for a while.....kinda like a heart stopping moment.

Don't worry it's hard to get away from a bad thing lol lol....I'll be back ;) as Arnie would say lol.

If you would like go here and click on the speakers :rolleyes: http://www.tonos.com/primrose_de

 

Again thanks for all your help

 

Toodle pips :mrgreen:

 

De


If you would like go here and click on the speakers  :rolleyes:

Think i'm in Posted Image!! :woot::lol:

 

On behalf of the Pitsters i would like to present you with the first of many Posted Image De/Dee/Deirdre/Primrose. :mrgreen::lol:

