MajorGeeks Support Forums

  #1  
Old 12-14-04, 21:10
And1mixtape88 And1mixtape88 is offline
Private E-2
 
Join Date: Dec 2004
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
Default Don't Know What to Do! I'm Stumped

I've followed the steps and still cannot lose this pestering adware/trojan, I think it's the ISTbar or something of that nature. Can anyone at all help me? I do not know what to do anymore, and I figure one of the great people at this forum can help me out.
  #2  
Old 12-14-04, 21:53
spacedustM spacedustM is offline
Private First Class
 
Join Date: Dec 2004
Location: In a fog
Posts: 57
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Don't Know What to Do! I'm Stumped

Which steps? Was it the thread Read this before by major attitude, or the one How to protect yourself from malware? It seems to me I had Istbar as well, but after following the steps in the Read sticky it is gone. I'll go double check and post back if I find it.
__________________
The most potent words of wisdom are those that are internalized.
  #3  
Old 12-14-04, 22:38
spacedustM spacedustM is offline
Private First Class
 
Join Date: Dec 2004
Location: In a fog
Posts: 57
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Don't Know What to Do! I'm Stumped

I checked back on my information and it seems that the ISTbar trojan/spyware was destroyed after using the McAfee AVERT Stinger and about:buster. You might jump ahead to those steps, but if you do end up taking a look at my thread Where to begin you'll notice I didn't make much headway until the steps were accomplished in order. Breaking off to do about:buster may make a world of difference, but I'm definitely not an expert. (Had some unwilling programs for some reason, so we skipped around a bit.)
__________________
The most potent words of wisdom are those that are internalized.
  #4  
Old 12-15-04, 02:41
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,764
Thanks: 62
Thanked 7,830 Times in 4,252 Posts
Default Re: Don't Know What to Do! I'm Stumped

If you have followed ALL the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal > and you still have a problem, you should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log file as an attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

Make sure you have HJT version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


  #5  
Old 12-15-04, 22:10
And1mixtape88 And1mixtape88 is offline
Private E-2
 
Join Date: Dec 2004
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Don't Know What to Do! I'm Stumped

Here's my logfile, I really hope you guys can help me out, I hope I did this right, if not let me know.
Attached Files
File Type: txt hijackthis1.txt (3.9 KB, 11 views)
  #6  
Old 12-16-04, 00:20
PhilliePhan
Guest
 
Posts: n/a
Lightbulb Re: Don't Know What to Do! I'm Stumped

Hi And1mixtape88,

You have an absolute BOATLOAD of Worms and Trojans!
I would strongly suggest dumping ARES. It only invites more headaches.
Also, the next time you scan with HijackThis, please make sure that there is no IE or Windows Command Prompt running as you had before. They can interfere with the fix.

NOW:
Please look in Add or Remove Programs for the following and Uninstall it:

Ares

Please print out these instructions so that you can operate with All Browser Windows CLOSED.

Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them if possible:

ndis.exe
nvsc32.exe
lass32.exe
winlogin.exe
msa.exe
axqvdu.exe
Ares.exe
istsvc.exe


Now scan with HijackThis and Check the Boxes for the following:

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [NvCplScan] nvsc32.exe
O4 - HKLM\..\Run: [MSN Messenge] winlogin.exe
O4 - HKLM\..\Run: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\Run: [Windows Media Player] msa.exe
O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe
O4 - HKLM\..\Run: [PUBS] C:\WINDOWS\axqvdu.exe
O4 - HKLM\..\Run: [Windows Compliant] uogjvq.exe
O4 - HKLM\..\Run: [Starting up] wvsvc.exe
O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\Run: [NDIS Adapter] ndis.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [NvCplScan] nvsc32.exe
O4 - HKLM\..\RunServices: [MSN Messenge] winlogin.exe
O4 - HKLM\..\RunServices: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [Windows Compliant] uogjvq.exe
O4 - HKLM\..\RunServices: [Starting up] wvsvc.exe
O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\RunServices: [NDIS Adapter] ndis.exe
O4 - HKLM\..\RunOnce: [NvCplScan] nvsc32.exe
O4 - HKLM\..\RunOnce: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\RunOnce: [Microsoftkeysd] systemwin32s.exe
O4 - HKLM\..\RunOnce: [NDIS Adapter] ndis.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [NvCplScan] nvsc32.exe
O4 - HKCU\..\Run: [Microsoftvirus] sysoverload.exe
O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\Run: [Microsoftkeysds] lass32.exe
O4 - HKCU\..\Run: [MSN Messenge] winlogin.exe
O4 - HKCU\..\Run: [Starting up] wvsvc.exe
O4 - HKCU\..\Run: [NDIS Adapter] ndis.exe
O4 - HKCU\..\Run: [Windows Media Player] msa.exe
O4 - HKCU\..\RunServices: [MSN Messenge] winlogin.exe
O4 - HKCU\..\RunOnce: [Microsoftkeysds] lass32.exe
O4 - HKCU\..\RunOnce: [NDIS Adapter] ndis.exe
O4 - HKCU\..\RunOnce: [NvCplScan] nvsc32.exe
O23 - Service: ZESOFT - Unknown - C:\WIN


Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode and navigate to and DELETE the following if they should remain. Note the spellings CAREFULLY so that you do not remove a legitimate file:

C:\WINDOWS\System32\ndis.exe
C:\WINDOWS\System32\nvsc32.exe
uogjvq.exe --> Use Windows Explorer to search for this one
C:\WINDOWS\System32\lass32.exe
C:\WINDOWS\System32\winlogin.exe
C:\WINDOWS\System32\msa.exe
wvsvc.exe --> Use Windows Explorer to search for this one
mssupdate.exe --> Use Windows Explorer to search for this one
C:\WINDOWS\axqvdu.exe
C:\Program Files\Ares ---> The Folder
systemwin32s.exe --> Use Windows Explorer to search for this one
C:\Program Files\ISTsvc ---> The Folder
sysoverload.exe --> Use Windows Explorer to search for this one

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin


And Click OK.

Reboot to Normal Windows and Scan with HijackThis and attach that log.
Let me know of any problems you may have encountered with the above instructions and how your computer is running now. Chaslang or I will try to check back when time permits.

Best luck
PP
  #7  
Old 12-16-04, 01:03
And1mixtape88 And1mixtape88 is offline
Private E-2
 
Join Date: Dec 2004
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
Default Re: Don't Know What to Do! I'm Stumped

REALLY APPRECIATE This PhilliePhan, I had no troubles with the instructions. Here is the new logfile.
Attached Files
File Type: log hijackthis.log (2.2 KB, 4 views)
  #8  
Old 12-16-04, 01:19
PhilliePhan
Guest
 
Posts: n/a
Lightbulb Re: Don't Know What to Do! I'm Stumped

Quote:
Originally Posted by And1mixtape88
REALLY APPRECIATE This PhilliePhan, I had no troubles with the instructions. Here is the new logfile.
Happy to help

You still have a few remnants and a few new entries. Please follow the same procedure as my previous instructions and have HJT FIX the following:

O4 - HKLM\..\Run: [cyg updates] cygcfg32.exe

O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe

O4 - HKLM\..\Run: [start uploading] crsss.exe

O4 - HKLM\..\Run: [Microsoftkeysd] systemwin32s.exe

O4 - HKLM\..\RunServices: [NDIS Adapter] ndis.exe

O4 - HKLM\..\RunServices: [cyg updates] cygcfg32.exe

O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe

O4 - HKLM\..\RunServices: [start uploading] crsss.exe

O4 - HKLM\..\RunServices: [Microsoftkeysd] systemwin32s.exe

O4 - HKLM\..\RunOnce: [cyg updates] cygcfg32.exe

O4 - HKCU\..\Run: [cyg updates] cygcfg32.exe

O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe

O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe

O4 - HKCU\..\RunOnce: [cyg updates] cygcfg32.exe

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)


Make sure ALL Browser Windows are Closed when you FIX.

Then, boot to Safe Mode and find and Delete the following:

C:\WINDOWS\System32\ndis.exe
C:\WINDOWS\System32\cygcfg32.exe
systemwin32s.exe --> You'll have to track this one down
C:\WINDOWS\System32\mssupdate.exe
mssupdate.exe --> You'll have to track this one down

crsss.exe ----> NOTE: When you search for this one, Do not confuse it with the legitimate CSRSS


Next, you should revisit these steps:

Run CCleaner and Spybot S&D and have Spybot fix what it finds.

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Reboot to Normal Windows and Scan with HijackThis and attach that log.
Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

I am going to crash, so I'll have to check back Thursday night. Chas may look in sooner.

PP

Last edited by PhilliePhan; 12-16-04 at 01:37..
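
The advice in posts #6 and #8 to note spellings carefully and not to confuse crsss.exe with the legitimate CSRSS can be turned into a repeatable check. The following is an added example, not part of the original thread or of HijackThis: it parses O4 autorun lines and flags executables whose names are one edit away from a well-known Windows system process name. The reference name list, the function names and the one-edit threshold are assumptions of this example.

```python
import re

# Reference list of well-known Windows system process names (assumed for this example).
SYSTEM_NAMES = ["csrss", "lsass", "winlogon", "svchost", "services", "smss"]
# HijackThis autorun line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

def osa_distance(a, b):
    """Edit distance that also counts one adjacent transposition as a single edit."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def exe_name(command):
    """Lower-case executable name with path, quotes, arguments and .exe removed."""
    m = re.search(r'([^\\"]+?)\.exe', command, re.IGNORECASE)
    return (m.group(1) if m else command).lower()

def flag_lookalikes(log_text):
    """Map each one-edit lookalike to (imitated system name, autorun keys that load it)."""
    hits = {}
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            hive, key, _value, command = m.groups()
            name = exe_name(command)
            stem = name.rstrip("0123456789")  # "lass32" is compared as "lass"
            for legit in SYSTEM_NAMES:
                if osa_distance(stem, legit) == 1:
                    hits.setdefault(name, (legit, set()))[1].add(hive + "\\" + key)
    return {n: (legit, sorted(keys)) for n, (legit, keys) in hits.items()}

# Sample input: O4 lines quoted in the thread above, assembled into one log for the demo.
SAMPLE = r"""
O4 - HKLM\..\Run: [MSN Messenge] winlogin.exe
O4 - HKLM\..\Run: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\Run: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [start uploading] crsss.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\RunOnce: [Microsoftkeysds] lass32.exe
"""

if __name__ == "__main__":
    for name, (legit, keys) in flag_lookalikes(SAMPLE).items():
        print(f"{name}.exe resembles {legit}.exe, loaded from {', '.join(keys)}")
```

An exact match to a system name is deliberately not flagged here, so a genuine-looking name still needs its file location checked by hand.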