
I seriously need help getting rid of this thing like everyone else


29 replies to this topic

#16 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 20 December 2005 - 06:08 AM

Mikey,

Go ahead and try removing this line with HJT,

O4 - HKCU\..\Run: [SeekUser] C:\DOCUME~1\michael\APPLIC~1\THATSK~1\DELETE LOGO BLUE.exe

Then reboot your computer and see if it's gone; if it's not, you can follow the path to the file and delete it, you may have to do it in Safemode.

C:\DOCUMENTS AND SETTINGS\michael\APPLICATION DATA\THATSK~1\DELETE LOGO BLUE.exe


Then post one last log, everything else looks good :thumbup: , and I will give you a list of tips and free programs to install that will help keep you more secure.

Ken :D

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.


#17 Mikey_D

Mikey_D

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 20 December 2005 - 07:27 AM

I've deleted that entry a few times already, but I tried doing it again and the file is still in the system. So, I tried removing the folder it's contained in and it says the program is in use. This is connected to the one problem I still haven't been able to resolve, which is that several iexplorer.exe tasks are still appearing in the Task Manager and keep coming back after I end them. The program DELETE LOGO BLUE.exe also appears for a few seconds as I've ended the task, so I know it's connected to it.

Anyway, here's one last HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:20:04 AM, on 12/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Programs\Avast!\aswUpdSv.exe
C:\WINDOWS\system32\RunDll32.exe
D:\Programs\Avast!\ashserv.exe
D:\Programs\Avast!\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Programs\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Avast!\ashMaiSv.exe
D:\Programs\Avast!\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Programs\SpywareGuard\sgbhp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\InterActual\InterActual Player\iPlayer.exe
c:\progra~1\intern~1\iexplore.exe
D:\Programs\HiJackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\programs\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Programs\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] D:\Programs\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
O4 - HKLM\..\Run: [STOPzilla] "D:\Programs\STOPzilla\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [CloneCDTray] d:\programs\clone cd\CloneCDTray.exe
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "d:\programs\clone cd\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "d:\programs\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - Startup: SpywareGuard.lnk = D:\Programs\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.co...pside_web18.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C0DAA4E-35A3-4970-822E-F5F405E54798}: Domain = vic.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Programs\Avast!\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Programs\Avast!\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Programs\Avast!\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Programs\Avast!\ashWebSv.exe" /service (file missing)
O23 - Service: STOPzilla Local Service - Unknown owner - D:\Programs\STOPzilla\szntsvc.exe (file missing)

Hopefully there's another way to remove that program and stop it from coming back.

Cheers,
Mikey
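As an added example (not from the thread, and not part of HijackThis), here is a small Python triage pass over the kind of log posted above: it pulls the program path out of an O4 Run-key entry the way Ken does by hand, and flags autostarts that live under the user profile, use 8.3 short names, or point at files that no longer exist. The heuristics are my own, and the sample lines are copied from the log in this post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the HijackThis 1.99.1 log in the post above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\\..\\Run: [avast!] D:\\Programs\\Avast!\\ashDisp.exe
O4 - HKCU\\..\\Run: [SeekUser] C:\\DOCUME~1\\michael\\APPLIC~1\\THATSK~1\\DELETE LOGO BLUE.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Matches "O4 - HKCU\..\Run: [Name] command line" (Run-key autostarts only).
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Per-user profile directories on XP, in long or 8.3 form (heuristic, my own).
USER_PROFILE_RE = re.compile(r'\\(documents and settings|docume~1)\\', re.IGNORECASE)


@dataclass
class Finding:
    section: str            # HJT section tag, e.g. "O4"
    name: str               # Run-key value name, or the raw line for other sections
    path: Optional[str]     # program path when one could be extracted
    flags: List[str] = field(default_factory=list)


def extract_exe_path(cmd: str) -> str:
    """Pull the program path out of a Run-key command line.
    A quoted path ends at the closing quote; an unquoted one may contain
    spaces, so cut after the first '.exe' rather than at the first space."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)(.+?\.exe)', cmd)
    return m.group(1) if m else cmd


def triage(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(' ', 1)[0]
        flags = []
        # Entries whose target no longer exists are leftovers worth cleaning up.
        if '(file missing)' in line or '(no file)' in line:
            flags.append('dangling reference')
        m = O4_RUN_RE.match(line)
        if m:
            path = extract_exe_path(m.group('cmd'))
            if USER_PROFILE_RE.search(path):
                flags.append('autostart from user profile')
            if '~' in path:
                flags.append('8.3 short name (expand with dir /x before deleting)')
            findings.append(Finding(section, m.group('name'), path, flags))
        elif flags:
            findings.append(Finding(section, line, None, flags))
    return findings


def suspicious(log_text: str) -> List[Finding]:
    """Only the entries that tripped at least one heuristic."""
    return [f for f in triage(log_text) if f.flags]


if __name__ == '__main__':
    for f in suspicious(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.path or ''} -> {', '.join(f.flags)}")
```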

#18 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 20 December 2005 - 08:02 AM

Mikey,

Did you try removing it in Safemode??

The entry is gone from your HJT log.


Open up HJT Misc Tools and go to System Process and if you see Logo Blue, click on Kill Process.


If it was there and you were able to kill it, then reboot to Safemode and delete it.

C:\DOCUMENTS AND SETTINGS\michael\APPLICATION DATA\THATSK~1\DELETE LOGO BLUE.exe Try removing it again in Safemode.



Let me know what happened, outside of that your log looks clean.

Ken :D


#19 Mikey_D

Mikey_D

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 20 December 2005 - 08:49 AM

I couldn't find Logo Blue in the System Process list in HJT, but I did manage to delete it in Safe Mode. Having restarted the computer, it looks like it's gone permanently, as have the iexplore.exe tasks in Task Manager :) Looks like everything's fixed up now. Thank you so much for all the help you've given me ridding my computer of the spyware, adware, viruses and whatever else, it's been very much appreciated. Please post back that list of tips and programs I can install to make sure I don't fall into this trap again. Cheers, Mikey

#20 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 20 December 2005 - 09:29 AM

Mikey, :D

Glad all is well :thumbup: The people (if you can call them that) that write all this garbage are getting sneakier all the time. You really have to stay on your guard. Be careful with the sites you go into, stay away from any File Sharing and don't click on any links in Spam email. Years ago you used to have to click on a link to get infected with something, today they use something called Drive By, just going to a bad site can get you in trouble.

Here are some free programs and tips for keeping your system up to date, and to help keep all the riff raff out of your system.

* Download and Install CCleaner, Click on RUN TOOL, when you run the Issues Scan and it asks
you to back up the registry Say Yes.

Now that you're clean, we need to erase all possible older infected files that may still be lurking on your system.
* Clean out your TEMP FILES
* This procedure should be run from SAFEMODE for better results.

To Enter SAFEMODE

* Go to START/ SHUT OFF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD

* Go to My Computer/ C: Drive/ Documents and Settings/ Local Settings/ Every User on this Computer
and delete all the contents of the Temp Folder

* Go to My Computer/ C:/ Windows/ Temp and delete all the contents of the Temp Folder

* Go to My Computer/ C:/ Windows/ Prefetch and remove all the contents of the Prefetch Folder.
But not the Prefetch folder itself.

NOW RE-BOOT NORMALLY


* Open INTERNET EXPLORER
* Click on the TOOLS MENU
* Then INTERNET OPTIONS
* At the GENERAL TAB (which should be the first tab you are currently on),
* click on the DELETE FILES BUTTON and put a checkmark in DELETE ALL OFFLINE CONTENT.
* Then press the OK BUTTON . This may take quite a while, so do not be alarmed with how long it takes.
* When it is done, your Temporary Internet Files will now be deleted.

Now Empty your Recycle Bin

System Restore makes regular backups of all your settings, if you ever had to use this program to restore your
system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.

* Right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.

Reboot your System

Turn ON System Restore.

* Right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* UN-Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.

* Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You can name the restore point anything you like, something that you can remember

* Make sure that your ANTI-VIRUS SOFTWARE is up to date and run a full scan at least once a week.

* Here are Free Anti-Virus Programs if you need one

AVG Free Edition
AntiVir Personal Edition


* Spybot Search and Destroy 1.4
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

* Ad-Aware SE Personal 1.06
Check for Updates and run a Full System Scan on a regular basis.

* Spyware Blaster It will prevent most spyware from ever being installed.

* Spyware Guard It offers realtime protection from spyware installation attempts.

* Win Patrol This program will warn you when any changes are being made to your system and
give you the option to deny the change.

* IE- Spyad IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

* Firefox Browser
It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both. When it asks you if you want it to be your default browser, say NO and take the checkmark out of the box to ask you again. After you use this for a while, you will want to make it your default.

* Thunderbird Mail Their companion mail program was highly favored in PCWorld Magazine, this has a good spam filter and is more secure than Outlook Express.

* Zone Alarm Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.

* WINDOWS UPDATES - Enable Automatic Updates
Right click on MY COMPUTER/Click on PROPERTIES/ AUTOMATIC UPDATES and put a mark in the radio button
DOWNLOAD UPDATES FOR ME BUT LET ME CHOOSE WHEN TO INSTALL THEM.

* Go to START/ CONTROL PANEL> PERFORMANCE AND MAINTENANCE> REARRANGE ITEMS ON YOUR HARD DISK TO MAKE PROGRAMS RUN FASTER
This is the Windows Disk Defragger, run this maybe once or twice a month to keep your system running good. The first time you run it, it may take awhile.

Be good and enjoy the Holidays :lol:

I will keep this thread open for a few days in case you have any other questions.

Thanks for using TOM COYOTE,

Ken :D


#21 Mikey_D

Mikey_D

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 20 December 2005 - 06:37 PM

I just have one quick question. It's about System Restore, I can't seem to access it. I've looked in the properties for My Computer, but there's no tab for it. Also, I've tried opening it in the Start Menu under System Tools, but it won't allow me to turn it back on, saying I need to contact the "Domain Administrator". I'm the only one with a username on the computer, as I use it the most, so I'd assume that I was the Administrator. Is there any way of turning it back on? Thanks for all the tips you've given me and the programs I can download. I'll do my best to keep them in mind and regularly check up on everything ;) Cheers, Mikey

#22 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 20 December 2005 - 07:00 PM

Mikey,

Go to Start> Run and type in services.msc, scroll down to System Restore and make sure that it is not disabled. If it is, right click on it and go to Properties and change the Startup Type to Automatic. Reboot your system and see if it's now there.

ken :D


#23 Mikey_D

Mikey_D

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 20 December 2005 - 07:12 PM

Unfortunately, System Restore is set to automatic and hasn't been disabled. But I had a look at the properties of the service and it looks like you reset the service. Is this what I should do? Thanks, Mikey

#24 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 20 December 2005 - 07:22 PM

Give it a shot, it can't hurt :D


#25 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 20 December 2005 - 07:51 PM

More info

http://www.kellys-ko.../xp_restore.htm
http://support.micro...kb;en-us;304449
http://support.micro...B;EN-US;q302796

Ken :D


#26 Mikey_D

Mikey_D

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 20 December 2005 - 08:56 PM

I've tried restarting the service, running regedit and changing the value to 0 and running the program in the Command Prompt in Safemode, but none of these have seemed to work. It keeps displaying this same message: System Restore has been turned off by Group Policy. To turn on System Restore, contact the Domain Administrator. I've investigated further in where the Group Policy is in the Help Files, but it can't seem to find the tool in the computer. I've also tried looking for the file gpedit.msc, but also couldn't find that. It's very important for me to find this as one of the things you can do is to "Disable creation of System Restore checkpoint" Cheers, Mikey

#27 Mikey_D

Mikey_D

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 20 December 2005 - 10:54 PM

I've managed to get "Group Policy" running through the Microsoft Management Console after finding out how to run gpedit.msc in a forum. However, I can't access the tools necessary to turn the System Restore back on. The Folder "Administrative Templates" isn't there and according to the help-file, this is where you have to go to access the System Restore policy. If you know anything about this program and how to find that missing folder, please post back. It seems like the only way to get System Restore functioning again. Thanks again, Mikey

#28 Mikey_D

Mikey_D

    Authentic Member

  • Authentic Member
  • PipPip
  • 48 posts

Posted 21 December 2005 - 05:11 AM

I've finally worked out how to get System Restore back in, it's all good. I found another forum with someone having exactly the same problem. They suggested deleting 2 files in the Registry Editor for System Restore and now the tab's back in the My Computer properties :) That's all I needed help with. I've already started to do the things on that list including installing WinPatrol and Zone Alarm, and it's feeling more secure already. Thanks once again for all the help you've given me. Cheers, Mikey

#29 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 21 December 2005 - 05:53 AM

You're welcome Mikey :thumbup: Enjoy the Holidays, Ken :D


#30 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 28 December 2005 - 11:50 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
