Valhalla Legends Forums Archive | General Discussion | Er problem

Author | Message | Time
Mitosis
Eh guys, I don't know which thing is causing this. Storm.Id helped me delete Blss.exe but the problem keeps going on and on. I have used Spybot SnD and I still have this.

http://clite.zodiaclegends.com/

Those 3 pictures are screenshots of the performances.

Pretty much what happens is every 10ish mins my browser opens up to an Angelfire page, "pwnage clan and hacks". If anyone knows how to get rid of this, thanks!
July 7, 2004, 2:12 AM
Hitmen
First of all, try a scan at http://housecall.trendmicro.com
July 7, 2004, 2:25 AM
crankycefx
Start -> Run -> msconfig - "OK"

Services Tab:
- Check the checkbox Hide all Microsoft services.
- Click disable all.
Startup Tab:
- click disable all. (Yes. Disable ALL.)

Click apply, close, and restart.
Restart twice. Resetting services takes two restarts.

Then get on the web, run a scan at:
http://housecall.trendmicro.com or
http://www.pandasoftware.com and
http://www.pestscan.com

If stuff turns up in PestScan, get Ad-Aware, HijackThis, and CW-Shredder.

Those will fix you right up.
July 7, 2004, 2:33 AM
DrivE
Scan with this and post the logs.
July 7, 2004, 2:36 AM
crashtestdummy
Update Spybot and reboot your computer. Tap F8 until you get an option to boot into Safe Mode. Run Spybot in Safe Mode. Reboot and run Trend Micro's HouseCall like they said.
By the way, what browser are you using?
July 7, 2004, 3:42 AM
crankycefx
Safe Mode isn't always the best.
If someone has dial-up. ;p
July 7, 2004, 5:01 AM
crashtestdummy
[quote]Safe Mode isn't always the best.
If someone has dial-up. ;p[/quote]
Could you explain?
July 7, 2004, 5:03 AM
crankycefx
Yes.

Safe Mode and/or Safe Mode with networking does not allow for individuals with PPP or PPPoE connections.
The support for such things is not there in those modes.
Ergo, Dial-Up and Broadband users such as SBC Global, will not be able to use the internet.

Generally speaking, you want to have access to the internet when performing troubleshooting from a technical support point of view. Countless reboots aren't an option. ;)

Quick solution: format/reinstall
July 7, 2004, 5:20 AM
crashtestdummy
Read my post again. I said update your Spybot and reboot. You don't have to reformat if it's just a virus or spyware.
July 7, 2004, 5:41 AM
crankycefx
You've never seen serious cases with virus and spyware. :p

Trust me.
Call Microsoft.

We'll tell you the same thing. :)
July 7, 2004, 6:07 AM
Null
That's why he said "Quick Solution". Go READ his post again, dumbass.

July 7, 2004, 8:41 AM
Mitosis
Meh, I am downloading everything from Pandasoftware. Pest scan won't work. Well, now it has become very disturbing. Gay porn shit is fucking popping up and I want to smash my monitor.

I am using Mozilla Firefox.
July 7, 2004, 11:58 AM
DrivE
[quote author=Hazard link=board=2;threadid=7595;start=0#msg68956 date=1089167795]
Scan with this and post the logs.
[/quote]
July 7, 2004, 2:05 PM
crankycefx
Boot into Safe mode with networking and perform the instructions I outlined, as well as Hazard's.
July 7, 2004, 2:11 PM
Mitosis
Logfile of HijackThis v1.97.7
Scan saved at 5:20:57 PM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\taskmngrs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\sesinetd.exe
C:\WINDOWS\System32\hserver.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\cLite\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clite.net/
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\Run: [MSR] msr.exe
O4 - HKLM\..\Run: [msn] msnmsgr.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [blss] C:\Program Files\blss\blss.exe
O4 - HKLM\..\Run: [WebRebates] javaw -cp "C:\Program Files\WebRebates\System\Code" Main lp: "C:\Program Files\WebRebates"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\RunServices: [MSR] msr.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti32.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\WebRebates\System\Temp\topr1150_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1087218294453
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38151.7664351852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{82BC38FE-48F2-4A5F-A797-15EE36E9F4C2}: NameServer = 209.226.175.223 198.235.216.111

Now what do I do?
July 8, 2004, 12:21 AM
crashtestdummy
You have 3 antivirus programs running....
If you run more than one antivirus program they start to scan each other's files and you start showing that you have viruses you don't have. Uninstall all your AV. And reinstall just one.
July 8, 2004, 12:24 AM
Mitosis
dude the fucking gay shit comes up this is fucking sick as hell! wtf deleting AVs gets rid of this? BULLSHIT!
July 8, 2004, 12:26 AM
crashtestdummy
Yeah you shouldn't run more than one AV.
July 8, 2004, 12:30 AM
crankycefx
Kill anything listed below

Yes, you should only run one Anti-Virus. I'd go with Panda or Norton.

Delete all of the below:


C:\WINDOWS\System32\taskmngrs.exe - kill it: http://www.sophos.com/virusinfo/analyses/w32rbotcr.html
C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe - kill it: http://www.2-spyware.com/file-wfxswtch-exe.html
C:\WINDOWS\System32\wfxsnt40.exe - kill it: http://www.dslreports.com/forum/remark,9277170~mode=flat


O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_30.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [blss] C:\Program Files\blss\blss.exe
O4 - HKLM\..\Run: [WebRebates] javaw -cp "C:\Program Files\WebRebates\System\Code" Main lp: "C:\Program Files\WebRebates"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\RunServices: [MSR] msr.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti32.exe
O4 - HKCU\..\Run: [Microsoft Update] wuammgr32.exe - http://www.sophos.com/virusinfo/analyses/w32rbotaw.html

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\WebRebates\System\Temp\topr1150_script0.htm
O10 - Hijacked Internet access by New.Net
July 8, 2004, 2:19 AM
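An added example, not part of any post in this thread and not HijackThis's own logic: a small parser for the O4 autostart lines of the log above that lists executables registered without a directory path under two or more autorun keys. That heuristic and the function names are assumptions made for illustration; a hit is a candidate for manual review, not a verdict.

```python
import re
from collections import defaultdict

# Excerpt of the O4 (autostart) lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft AUT Update] MSlti32.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\RunServices: [Microsoft AUT Update] MSlti32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] taskmngrs.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti32.exe
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
"""

# Registry O4 entries look like: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

def parse_autoruns(log):
    """Return (key, value_name, command) for every registry O4 line."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:  # Startup-folder O4 lines carry no [name] and are skipped
            entries.append((m["key"], m["name"], m["cmd"].strip()))
    return entries

def executable(cmd):
    """Extract the program part of a Run command line (quoted, full path, or bare)."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    if re.match(r"[A-Za-z]:\\", cmd):  # unquoted path may hold spaces: cut after .exe
        return re.split(r"(?<=\.exe)\s", cmd, maxsplit=1, flags=re.I)[0]
    return cmd.split()[0]

def bare_multi_key(entries, min_keys=2):
    """Map path-less executables to the autorun keys loading them (>= min_keys keys)."""
    seen = defaultdict(set)
    for key, _name, cmd in entries:
        exe = executable(cmd)
        if "\\" not in exe:
            seen[exe.lower()].add(key)
    return {exe: sorted(keys) for exe, keys in seen.items() if len(keys) >= min_keys}

if __name__ == "__main__":
    print(bare_multi_key(parse_autoruns(SAMPLE_LOG)))
```

A path-less name on its own is not a signal, since Windows binaries such as rundll32 are also launched that way; the repetition across keys is what narrows the list.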
crankycefx
Do you get redirected to gay porn links/sites?
July 8, 2004, 2:20 AM
Mitosis
Not anymore, but it is like my comp is low on RAM.
It is going so slow.
July 8, 2004, 2:33 AM
crankycefx
Yeah, just delete those things from the registry/your computer.
Follow the instructions on Sophos for the virus.

Try and get CW-Shredder.
Google for it, no link offhand, sorry.
July 8, 2004, 2:35 AM
