virus?

Discussion in 'The Lounge' started by tRustyK5, Mar 14, 2004.

  1. tRustyK5

    tRustyK5 Big meanie Staff Member Super Moderator GMOTM Winner Author

    Joined:
    Jul 23, 2000
    Posts:
    36,169
    Likes Received:
    1,368
    Location:
    E-town baby!
    I have something on the desktop that is stubbornly unwilling to be gone. The tab on the bottom says "regsvc" and on the desktop I have this tiny window that says "Download hp1" and a button that says "OK".

    It won't go away, and not being some computer-savvy person I can't make it go away. I ran msconfig and removed it from the start-up list, but a restart is required for that to take effect... and that little window prevents restart or shut-down. To shut it down I have to kill the thing at the power bar.

    Obviously I do not wish to download this.

    In the start-up list I have two things that look very similar to this 'thing'.

    MSregsvc C:\WINDOWS\SYSTEM\REGSVC32.exe

    and regsvc with the same 'addy'

    Any of this look familiar to anyone? I don't even know where this crap came from; no email that's been opened today to my knowledge, and I have expressly told my wife not to open any attachments unless she specifically asked someone to send her something via email.

    Rene
     
  2. R72K5

    R72K5 Banned

    Joined:
    Mar 5, 2001
    Posts:
    8,905
    Likes Received:
    0
    Location:
    central IL
    Google is your best friend: regsvcr32 search

    You should go download Adaware if you don't already have it:
    Adaware from downloadgeeks.com
    Scroll down to 'download from'.
    Click on Planet Mirror or BTN.
    When it's done downloading, run the program and click on "check for update".

    Also go get HijackThis from here; scroll down to official downloads. When it's done downloading, run the program, then go to cybertechhelp.com (the CyberTech forum), register as a member real quick and post the entire log file (from when you run the HijackThis program) in this board: Cyber Safety board. Someone will reply with what items in the log to fix. Do not change or fix anything, though, until someone replies with what to fix, unless you recognize any of the items in the log file to be bad for your OS and not important! And also, if you want to, post the log file here (copy and paste the text of the .txt log file that pops up) and I and anyone else who knows what they are doing can see what items we recognize as ones that need to be fixed ASAP. I know there will be quite a few that will need to be fixed that are hurting your OS.

    I run Adaware and HijackThis all the time, very often, and always find stuff to get rid of like dataminers and so forth, at least with Adaware anyway. The first couple of times you run HijackThis you will usually find a lot to get rid of, and at least a handful anyway depending on how you use your computer, where you visit and so forth.
     
  3. R72K5

    R72K5 Banned

    Joined:
    Mar 5, 2001
    Posts:
    8,905
    Likes Received:
    0
    Location:
    central IL
    Also do this:

    Download CWShredder from here

    Spybot from Spybot download

    Run them while offline and in SAFE boot mode.

    Delete the red entries that Spybot displays.

    Reboot.

    Prevent further infection of spyware by adjusting the following:

    In IE go to Tools,
    Internet Options,
    Advanced tab and uncheck Enable Install On Demand for both IE and Other.
    Then click the Privacy tab, click Advance button.
    Tick: Override automatic cookie handling, Accept First-party Cookies, Block Third-party Cookies, Always allow session cookies. Click OK, OK.
    Finally, download SpywareBlaster and SpywareGuard from SpyWareBlaster download, install them and your OS will be spyware proof.
    You can verify this by running either Spybot or Adaware after an internet session. They will come up with a clean bill of health.

    Of course you need to frequently look for updates for all of the above mentioned software.


    Note: if you get a 339 error after installing SpywareBlaster entitled "mscomctl.ocx or one of its dependencies not correctly registered", then go to here and scroll down to the last reply in the thread by the username HaViNaBaDdAy and click on the mscomctl installer hyperlink he posted. I had to do this myself and it works like a charm.

    But at minimum do go get HijackThis and Adaware and SpywareBlaster, in that order, and ASAP.
     
  4. newyorkin

    newyorkin 1 ton status

    Joined:
    May 8, 2001
    Posts:
    16,555
    Likes Received:
    157
    Location:
    Los Estados Unitos
    Check this out too: http://forums.techguy.org/t147857/sb80632de96b7579a88059a1093e66b93.html

    It looks like it's a homepage hijacker, according to that thread (I just read the first couple of posts).
    What you'll have to do is remove it from the startup folder, remove it from the registry Run key (I think msconfig does that), and change your IE homepage (without opening IE; go to the Control Panel, open Internet Options, and change it there).
    Also, go to Windows Update and install any critical updates.
    Reboot, and see if it's gone.

    It sounds like you picked something up while surfing, and it reset your homepage, so every time you open IE it reinfects your machine.
     
  5. tRustyK5

    tRustyK5 Big meanie Staff Member Super Moderator GMOTM Winner Author

    Joined:
    Jul 23, 2000
    Posts:
    36,169
    Likes Received:
    1,368
    Location:
    E-town baby!
    Ratch, my daughter (4 year old) clicked OK to download this little bugger...

    Anyways, I run ZoneAlarm and refused it access to the internet, so my homepage has not been hijacked yet. I did run AdAware and it found and removed a ton of stuff, then I DL'd HijackThis and copied the scan log and posted it in that forum. So far I'm just waiting for a response...

    I'll keep you posted. Oh, and here is the scan log for your amusement.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:45:48 PM, on 14/03/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WARNER\WARNER.EXE
    C:\SUPPORTCENTER\AUAGENT.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\REGSVC32.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\PROGRAM FILES\IRIS\ANTIVIRUS\WIMMUN32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\LOGITECH\PROFILER\LWEMON.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free-popup-killer.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.free-popup-killer.com/ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shaw.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.free-popup-killer.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.free-popup-killer.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.free-popup-killer.com/ie/?q=%s
    F1 - win.ini: run=C:\windows\options\systools\cyxid98.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Warner] C:\Warner\Warner.exe
    O4 - HKLM\..\Run: [AUAgent] C:\SupportCenter\AUAgent.exe
    O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
    O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [IntelliType] "c:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [MSRegSvc] C:\WINDOWS\SYSTEM\REGSVC32.exe
    O4 - HKLM\..\Run: [regsvc32] C:\WINDOWS\SYSTEM\REGSVC32.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\Profiler\lwemon.exe /noui"
    O4 - Startup: AntiVirus Active Monitor.lnk = C:\Program Files\iRiS\AntiVirus\WIMMUN32.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38031.6106134259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab

    I can see it in the scan log. Still a little hazy on the removal of stuff like that. I'm much better with my hands than I am with my computer.

    Rene

    PS... Thanks Randy, very helpful info.
     
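An added example, not part of this thread and not HijackThis's own code: a small Python script that reads a HijackThis log like the one above and pulls out the entries a reviewer would look at first. The embedded sample log is a constructed subset of the log in this post; the allowlist of known-good hosts, the heuristics, and the expansion of HijackThis's `HKLM\..\Run` shorthand to the full `Software\Microsoft\Windows\CurrentVersion\Run` key are assumptions of the example. It also writes out a REGEDIT4 file (the format Windows 9x regedit imports) that deletes the duplicated Run values.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis 1.97.7 log posted above
# (Windows 98 SE), trimmed to the lines the heuristics below look at.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7

Running processes:
C:\\WINDOWS\\EXPLORER.EXE
C:\\WINDOWS\\SYSTEM\\REGSVC32.EXE
C:\\WINDOWS\\DESKTOP\\HIJACKTHIS.EXE

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.free-popup-killer.com/ie/
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.shaw.ca/
F1 - win.ini: run=C:\\windows\\options\\systools\\cyxid98.exe
O4 - HKLM\\..\\Run: [ScanRegistry] c:\\windows\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\\..\\Run: [MSRegSvc] C:\\WINDOWS\\SYSTEM\\REGSVC32.exe
O4 - HKLM\\..\\Run: [regsvc32] C:\\WINDOWS\\SYSTEM\\REGSVC32.exe
O4 - HKLM\\..\\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
"""

# Assumption: hosts this machine's owner is known to use (shaw.ca is the ISP
# start page in the log; the others are vendor download hosts seen in it).
KNOWN_GOOD_HOSTS = {"www.shaw.ca", "download.macromedia.com",
                    "v4.windowsupdate.microsoft.com"}

# HijackThis writes HKLM\..\Run; the ".." stands for this path.
HIVE_PREFIX = {"HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion",
               "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
R_RE = re.compile(r"^R[01] - (.+?),(.+?) = (\S+)")
F1_RE = re.compile(r"^F1 - win\.ini: run=(.+)$")
O16_RE = re.compile(r"^O16 - DPF: .* - (\S+)$")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def exe_path(cmdline):
    """Binary behind a Run value, minus quotes and arguments, lower-cased."""
    m = re.match(r'"?(.+?\.exe)', cmdline.strip(), re.IGNORECASE)
    return (m.group(1) if m else cmdline.strip()).lower()

def parse_log(text):
    """Split a HijackThis log into (running process paths, entry lines)."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            processes.append(line.lower())
        elif re.match(r"^[A-Z]\d+ - ", line):
            entries.append(line)
    return processes, entries

def triage(text):
    """Findings as dicts (code, detail, reason; O4 hits also carry values)."""
    processes, entries = parse_log(text)
    findings = []
    run_values = defaultdict(list)  # (hive, key, binary) -> [value names]
    for line in entries:
        if m := O4_RE.match(line):
            hive, key, name, cmd = m.groups()
            run_values[(hive, key, exe_path(cmd))].append(name)
        elif m := R_RE.match(line):
            host = urlsplit(m.group(3)).hostname
            if host not in KNOWN_GOOD_HOSTS:
                findings.append({"code": "R", "detail": line,
                                 "reason": f"IE {m.group(2)} points at unrecognised host {host}"})
        elif m := F1_RE.match(line):
            findings.append({"code": "F1", "detail": line,
                             "reason": "win.ini run= is a Windows 3.x-era autostart; "
                                       "modern software does not use it, so review the binary"})
        elif m := O16_RE.match(line):
            host = urlsplit(m.group(1)).hostname or ""
            if IP_RE.match(host):
                findings.append({"code": "O16", "detail": line,
                                 "reason": f"downloaded component served from a raw IP ({host})"})
    for (hive, key, binary), names in run_values.items():
        if len(names) > 1:  # one binary under several Run values: survives removal of one
            running = binary in processes
            findings.append({"code": "O4", "detail": binary,
                             "values": [(hive, key, n) for n in names],
                             "reason": f"registered {len(names)} times under {hive} {key} as {names}; "
                                       + ("running now, end the process before deleting the values"
                                          if running else "not currently running")})
    return findings

def reg_removal_script(findings):
    """REGEDIT4 text (what Windows 9x regedit imports) deleting each flagged Run
    value; a value name followed by =- removes that value."""
    by_key = defaultdict(list)
    for f in findings:
        for hive, key, name in f.get("values", []):
            by_key[HIVE_PREFIX[hive] + "\\" + key].append(name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)
```

Run against the sample it flags four things: the Search Page pointing at a host not on the allowlist, the `win.ini` `run=` line, the Java client fetched from a bare IP, and `REGSVC32.exe` registered twice under the same `Run` key (the two `LoadPowerProfile` lines are not flagged, because `Run` and `RunServices` are different keys). The generated `.reg` file only removes the registry values; the running process has to be ended first or it can write them back, and none of this replaces having someone review the full log as R72K5 suggests.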
  6. 87GMC

    87GMC 1/2 ton status

    Joined:
    Nov 5, 2001
    Posts:
    653
    Likes Received:
    0
    Location:
    Olathe, KS 66061
    How do you restart windows XP in safe mode?
     
  7. ncbloodhound

    ncbloodhound 1/2 ton status

    Joined:
    Aug 18, 2003
    Posts:
    400
    Likes Received:
    0
    Location:
    Indian Trail, NC
    [ QUOTE ]
    How do you restart windows XP in safe mode?

    [/ QUOTE ]

    Press the F8 key when your computer is booting up. You have to do it before the windows xp logo shows up.
     
  8. jakeslim

    jakeslim 1/2 ton status

    Joined:
    Sep 18, 2002
    Posts:
    2,686
    Likes Received:
    0
    Location:
    Napa, CA
    R72K5 hit it on the money; CWShredder is a great tool to remove this kind of crap. HijackThis is good, but you need to know what you're looking for. "Search & Destroy" is great also. There's so much crap out there that you NEED to have this stuff on all PCs. Adaware is good, but I find that it misses a lot of stuff. Use it in conjunction with the others and you're in good shape...

    Oh yeah, in addition to Norton (which I swear misses most trojans anyway), learn to moderate your Task Manager running processes. I have literally gone through all those funny-named exe files and checked them by searching for them on Google. I have found some trojans that Norton did not get this way. It's tedious, but after the first time you'll remember most of them and be able to spot "new" processes.
     
