Thread: Serious Problem

  1. #1
    Senior Member IcSilk's Avatar
    Join Date
    Aug 2001
    Posts
    296

    Serious Problem

    I have a serious problem with my system ......... my knowledge base is primarily software and internet and I only possess a rudimentary knowledge of OSs and hardware.

    I use Windows XP Home and I'm pretty sure that my problem is trojan or worm related rather than viral.
    I'll try to structure this as well as possible, so as not to make it too confusing:

    The main problem facing me now (literally) is that I get a persistent box popping up saying: "Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience." This happens every few seconds. It's caused by my problem, and I have uninstalled IE and denied permissions for it through my firewall (Kerio Personal) in an attempt to contain it - that hasn't worked and I still have the problem.

    I don't know if there is a Windows background process associated with IE, but when I've gone into my version of WinTasks to check on this, I lose my desktop when I shut down or minimize WinTasks
    and then have to reboot again. So I can't really use my WinTasks.

    I also get advert windows popping up and arbitrarily resizing my internet windows (I use Firefox). I've never had pop-ups or adverts before and never, ever had my windows buzzing around and resizing themselves.
    I detected 'Internet Optimizer' on my system, which is either a trojan or spyware (so much of it lately I forget which) that is allegedly very hard to uninstall and causes the activity I just explained. I have uninstalled it in the Control Panel, let Spyware Nuker 2005 auto-uninstall it, found it again with the unpaid version of SpyHunter and manually deleted it from the registry, and yet I am still seeing the effects.

    In doing research into the different types of executables that are on my system (through WinTasks and my firewall), I will see that some are necessary for the 'stability and security of the system' but are also associated with certain worms or trojans, e.g. svchost.exe and others.

    On restarts/reboots, when my desktop finally comes up, I see an alert saying that .../system32/kernels32.exe can't be found ........ I have researched this one too, and it says it is also associated with a trojan of some sort, so I am reluctant to try to replace it - though I have no clue why I'd get this alert for a trojan file.

    As one can imagine, I have had to prematurely restart and shut down a few times with these problems, and after I let it go through the disk scan it does when it is improperly shut down, it says that there was an unrecoverable error: ../local settings/temp/werf6.tmp is missing, another allocation file had to be truncated or something, too - I didn't have enough time to write it all down.

    If I spend some time on it I will also get a blue screen that says there was a system error and it shut down to protect the system; from here it will reboot after several seconds.

    I use Norton AV, and at first it would detect a virus and some additional risks, delete the virus and then I would manually delete the others; it hasn't found anything in safe mode and I haven't been able to finish a scan in normal mode, as the IE box piles up and eventually bogs everything down.

    That's all I can think of right now that is going on on my system. I really hope someone can help me through this one, I'm at a loss.

    Thanks.

    P.S. Because I know it will be brought up, I shut down System Restore before doing all of this.
    "In most gardens they make the beds too soft - so that the flowers are always asleep" - Tiger Lily

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Posts
    707
    Here, check out these links [1,2]; hope that they help you out....

    [1] Adware.NetOptimizer
    [2] HijackThis


    B.T.W. save a copy of the HijackThis log file and post it on here ...
    Operation Cyberslam
    "I've noticed that everybody that is for abortion has already been born." Author Unknown
    Microsoft Shared Computer Toolkit
    Proyecto Ututo EarthCam

  3. #3
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    It has all been said before, but here's a link to a tut to give some assist on cleaning out the basics.

    hopefully, after following this, you will be clean, but if not, then at least we will know what has been tried.

    You say XP home, SP2 ?

    do you have ANY routine security tools that you use on a regular [weekly at least] basis ?

    I like CrapCleaner. Use it first, on default settings, sometimes the simplest answer is THE answer
    As a gut reaction, I'm leaning towards CoolWebSearch, so at least run CW Shredder .....
    use SAFE mode to run the tools, remember to update first ........

    and I second the HJT log, saved as a .txt file, so those that can, can have a look ........

    luck to you
    Pax
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  4. #4
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    Is the taskmanager disabled? I looked up kernels32.exe and came up with this:
    http://securityresponse.symantec.com....vicsfram.html
    When death sleeps it dreams of you...

  5. #5
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Well, I personally would do a reformat and reinstall at this point.

    Hope you have decent backups of your important data, and just forget the rest. It sounds like you have taken out some stuff that you need and have been overrun with spyware/malware.

    Reinstallation will allow you to set it up right in the first place, and keep it that way from then on.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  6. #6
    Senior Member IcSilk's Avatar
    Join Date
    Aug 2001
    Posts
    296
    Yes, Muerto, I had forgotten to mention that in the initial post, but my Task Manager was disabled, and it seems like that link explains part of the problem. I'm going to fish through the registry with the info from that link, go through the tut that foxyloxley posted, and let someone who knows more about this decrypt this HJT logfile .......

    foxyloxley - I use NAV (once a week), Kerio Personal Firewall (constant), Error Nuker 2005, SpyNuker 2005 (quick scans a few times a week and deep scans once a week), and Ad-Aware (once or twice every two weeks). I keep on top of things pretty well; this all started on Wed, which is 2 days before my scheduled virus scan. I also use WinTasks Pro to monitor the system in between times.

    Agent steel - that Symantec tool didn't find NetOptimizer, so maybe I finally got rid of that part of it.

    Ok, below is the HJT log file ..........

    Logfile of HijackThis v1.99.1
    Scan saved at 4:18:24 PM, on 10/30/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Maintenance & Security\Personal Firewall 4\kpf4ss.exe
    D:\Program Files\navapsvc.exe
    D:\Program Files\IWP\NPFMntor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    D:\Program Files\Maintenance & Security\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.exe
    D:\Program Files\Maintenance & Security\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\Program Files\Maintenance & Security\The Cleaner\The Cleaner\tca.exe
    D:\Program Files\Maintenance & Security\The Cleaner\The Cleaner\tcm.exe
    D:\Corel\Programs\CorUpd.exe
    D:\Program Files\uLead\photoExpress\CalCheck.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    D:\Program Files\Maintenance & Security\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [SpamNukeWeb] D:\Program Files\Maintenance & Security\SpamNuker\spamnuker.exe /auto
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Corel\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=111005 serial=dr12wux-0611779-mvv lang=EN
    O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
    O4 - HKLM\..\Run: [tcactive] D:\Program Files\Maintenance & Security\The Cleaner\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] D:\Program Files\Maintenance & Security\The Cleaner\The Cleaner\tcm.exe
    O4 - HKCU\..\Run: [d:_corel_programs_corupd.e1c] D:\Corel\Programs\CorUpd.exe /Watch /r="Software\Corel\CorelDRAW\12.0"
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = D:\Program Files\uLead\photoExpress\CalCheck.exe
    O8 - Extra context menu item: &NeoTrace It! - D:\PiesNest\xfiles\NEOTRA~1.25\NEOTRA~1\NTXcontext.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\PiesNest\vrie.dll (file missing)
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\PiesNest\vrie.dll (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - d:\program files\inetrepl.dll (file missing)
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - d:\program files\inetrepl.dll (file missing)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - d:\program files\inetrepl.dll (file missing)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - D:\PiesNest\xfiles\NEOTRA~1.25\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
    O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products...dsDownload.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://www.worldwinner.com/games/v42/jigsaw/jigsaw.cab
    O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.xxxtoolbar.com/ist/softwa...ct_regular.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_2.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) -
    O16 - DPF: {9D8D7672-93FF-417E-9024-C16AD141C50C} (Haunted Control) - http://www.worldwinner.com/games/v48...ed/haunted.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
    O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\hrju0519e.dll
    O23 - Service: Abel - Unknown owner - D:\PiesNest\Cain\Abel.exe (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Maintenance & Security\Personal Firewall 4\kpf4ss.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\IWP\NPFMntor.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    Thanks for all the responses so far, can't wait to hear about that logfile ..........
    "In most gardens they make the beds too soft - so that the flowers are always asleep" - Tiger Lily

  7. #7
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Straight from the analyzer:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
    Nasty kernels32.exe the following information has been found about this entry: kernels32.exe.
    Must be fixed!

    O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.xxxtoolbar.com/ist/softw...ect_regular.cab
    Nasty This entry is possibly nasty.
    Should be fixed.

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    Nasty This entry is possibly nasty.
    Should be fixed.

    cheers
    Connection refused, try again later.
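    To show what the analyzer verdicts above rest on, here is an added Python example (not code from the thread, from HijackThis, or from the analyzer Relyt used) that runs a few defender-side checks over lines excerpted from the log in post #6. The checks and severity labels are this example's own assumptions: the F2 Shell= value is flagged because winlogon starts everything listed there, the R1 ProxyServer entry because it points at the loopback address, O16 ActiveX downloads are flagged only for the one host the analyzer above marked and otherwise queued for review, O20 Winlogon Notify DLLs are always queued for review, and O4 entries are checked with an assumed heuristic (a bare .exe directly in the Windows directory). O23 services marked "(file missing)" are reported as leftovers.

    ```python
    import re
    from dataclasses import dataclass

    # Lines excerpted from the HijackThis v1.99.1 log posted earlier in the
    # thread; the truncated "..." in the O16 URL is as posted.
    SAMPLE_LOG = r"""
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
    O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.xxxtoolbar.com/ist/softwa...ct_regular.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\hrju0519e.dll
    O23 - Service: Abel - Unknown owner - D:\PiesNest\Cain\Abel.exe (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    """

    # The one host the analyzer quoted in post #7 marked as nasty. Every other
    # verdict below is an assumption of this example, not a finding from the thread.
    HOSTS_FLAGGED_IN_THREAD = {"www.xxxtoolbar.com"}

    @dataclass
    class Finding:
        section: str   # HijackThis section code, e.g. "F2", "O16"
        severity: str  # "high" (fix), "review" (verify publisher/path), "info"
        reason: str
        line: str

    _ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
    _O4_PATH = re.compile(r'\]\s*"?([A-Za-z]:\\[^"]*?\.exe)', re.I)
    _URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)
    _WINDOWS_ROOT_EXE = re.compile(r"[a-z]:\\windows\\[^\\]+\.exe")

    def analyze_line(line):
        """Return a Finding for one log line, or None if no check fires."""
        m = _ENTRY.match(line.strip())
        if not m:
            return None
        section, body = m.groups()

        # F2 Shell=: winlogon starts whatever is listed here, so anything besides
        # Explorer.exe is an extra program launched at every logon.
        if section == "F2" and "Shell=" in body:
            parts = body.split("Shell=", 1)[1].split()
            if len(parts) > 1 and parts[0].lower() == "explorer.exe":
                extra = " ".join(parts[1:])
                return Finding(section, "high", f"Shell= launches {extra} alongside Explorer.exe", line)

        # R1 ProxyServer on loopback: something local sits between browser and network.
        if section == "R1" and "ProxyServer" in body:
            proxy = body.split("=", 1)[1].strip()
            if proxy.startswith(("127.0.0.1", "localhost")):
                return Finding(section, "high", f"browser traffic routed through local proxy {proxy}", line)

        # O4 Run entries: assumed heuristic that a bare .exe directly in the
        # Windows directory (not System32 or Program Files) deserves a look.
        if section == "O4":
            pm = _O4_PATH.search(body)
            if pm and _WINDOWS_ROOT_EXE.fullmatch(pm.group(1).lower()):
                return Finding(section, "review", f"autorun executable in Windows root: {pm.group(1)}", line)

        # O16 DPF: ActiveX controls downloaded from the web.
        if section == "O16":
            hm = _URL_HOST.search(body)
            if hm:
                host = hm.group(1).lower()
                if host in HOSTS_FLAGGED_IN_THREAD:
                    return Finding(section, "high", f"ActiveX control from flagged host {host}", line)
                return Finding(section, "review", f"ActiveX control from {host}; verify publisher", line)

        # O20 Winlogon Notify: a DLL loaded into winlogon.exe at logon.
        if section == "O20" and "Winlogon Notify" in body:
            dll = body.rsplit(" - ", 1)[-1]
            return Finding(section, "review", f"DLL loaded by winlogon at logon: {dll}; verify publisher", line)

        # O23 services whose binary is gone are leftovers rather than active code.
        if section == "O23" and "(file missing)" in body:
            return Finding(section, "info", "service entry points at a missing file", line)

        return None

    def analyze_log(text):
        """Run analyze_line over every line of a log and collect the findings."""
        findings = []
        for raw in text.splitlines():
            f = analyze_line(raw)
            if f:
                findings.append(f)
        return findings

    def severity_counts(findings):
        """Tally findings by severity for a quick triage summary."""
        counts = {"high": 0, "review": 0, "info": 0}
        for f in findings:
            counts[f.severity] += 1
        return counts

    if __name__ == "__main__":
        for f in analyze_log(SAMPLE_LOG):
            print(f"[{f.severity:6}] {f.section:4} {f.reason}")
    ```

    Run as a script it prints one line per finding; on the excerpt above the F2 kernels32.exe entry, the loopback proxy and the xxxtoolbar.com ActiveX download come out as "high", while the remaining O4, O16 and O20 entries are queued for review and the orphaned Abel service is informational. A "review" verdict is deliberately not a cleanup instruction: it means look at the file's publisher and location before deciding.
    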

  8. #8
    Senior Member IcSilk's Avatar
    Join Date
    Aug 2001
    Posts
    296
    Moxnix - I am almost in agreement with you; with a reformat I will lose some important stuff, but it's supposed to be a long winter and I can have a lot of time to rebuild it all. I would like to wait, though, to see if I can avoid that ........ I really don't know how this all has happened - I've always been very diligent with keeping things up to date and clean.

    If it does come down to that, what is the proper way to reformat the drives and start from scratch?

    Relyt - looking at them, I can understand that they need to be taken care of; I could really use a walkthrough and some advice as to how to go about it properly, though. Thanks.
    "In most gardens they make the beds too soft - so that the flowers are always asleep" - Tiger Lily

  9. #9
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Despite some mystical beliefs, you can delete IE and make your system stable. However, it sounds like you have many things going on, and one of them is that although you may have deleted IE, your system is not stable. This may be partially caused by malware, but you may have created some of it as well.

    To correctly delete IE you must go into the registry, and every application (that requires a window, basically), such as Word, Excel, Outlook, Explorer, etc., must be re-associated with another similar web browser or web rendering (HTML) app prior to deleting IE. So if you haven't done that, you might have hosed it up pretty good. However, it might be salvageable by going back to a previous system restore point or using the CD and the recovery console.

    But with all of the stuff going on, as Moxnix recommended, a reformat would probably be your best bet. And then create a couple of new restore points after you get all your additional software loaded.

    cheers
    Connection refused, try again later.
