Comments:
<0> just open the services control panel
<0> and stop the fishy ones
<1> enum (RFC 3761) using the dns network to handle voip numbers. or some crap
<2> inetinfo probably isn't the prob
<2> it's an iis service
<0> hijackthis might help
<1> mm seems i'm behind on the conversation.
<2> windows defender most likely won't do a damn thing
<3> yeah
<3> windows defender was already installed on the machine
<4> ronitovi: what makes you think you're infected?
<3> but it's not a protection against viruses
<3> Two-Bits: a tray icon which says "ur computer may be infected bla bla bla..."
<5> Please... Please... Please tell me you're kidding?
<4> lol
<3> i really would want to
<3> lol
<4> does it advertise a product to remove it?
<1> dfgfdg
<3> wtf?
<5> Is it shaped like a shield, and yellow, or red?
<3> i will never ever click on that icon
<4> that should have been obvious
<3> no
<3> it's now windows' own warning
<3> it's the virus itself
<4> can you screen cap it?
<4> with a tooltip?
<3> yeppers
<3> but not at this time, 'cus i've ended the explorer.exe
<4> so restart it
<3> i fear that restarting it may cause the virus to spread more :~/
<4> it won't
<3> ok
<4> to be perfectly honest, most viruses nowadays are really rather benign to the systems they infect
<6> ronitovi, steps to clean system: 1) backup any important data. 2) put Ubuntu (or other GNU/Linux cd) in cdrom drive 3) use the point and click installer to install it 4) Drool over your new shiny desktop system, 99.95% virus free and 30,000s of Freely available software packages and easy development tools
<6> tada!
<4> also.. if it was particularly nasty, it wouldn't advertise itself
<4> and ignore the horny commie
<6> horny commie?
<3> lance[uni]: it is a remote server so i can't
<6> drive over there and do it.
<3> hey
<6> anyways i'm going to miss the bus.
<2> look at the msconfig too
<3> i've started explorer.exe and this time that icon just didn't appear!
<4> have you run a proper scan?
<3> not for a while
<4> housecall.trendmicro.com is a quick and easy free scan
<3> yep
<3> i always use that
<3> but it couldn't clean earlier
<3> maybe it does this time
<4> you just said "not for a while"
<3> yeah, last scanning was 1 hour ago
<4> besides, it should give you an idea of which files are infected. there are manual ways of removing some of those
<3> with trendmicro
<3> c:\windows\svchost.exe
<3> trying to kill file...
<0> boot in safemode
<4> stop killing ****
<0> and yeah you don't need to delete the file
<4> he's remote, he cannot use safemode
<0> stop whatever is running it
<0> oh
<3> heh
<4> ronitovi: is that the file that trendmicro says is infected?
<0> open up the service manager and look for screwy services
<3> yes, Two-Bits
<0> or try HijackThis and post the log somewhere for us
<3> ok
<7> HijackThis and ProcExplorer
<4> i don't know about procexplorer, but prcview is rather nice about showing the command line options a process started with
<3> what's the latest version of HijackThis? 1.99.1 ?
<7> procexplorer lets you view processes in a hierarchy, see where the files were loaded from and what files/reg keys they have open
<7> And, most importantly for virus hunting, suspend processes instead of just killing them
<2> sysinternals procexplorer?
<7> That's the one
<2> didn't know it showed reg keys
<7> It does, but maybe not by default
<2> hrm
<7> CTRL+L to open the lower info pane
<2> sure enough
<2> i've been using it for ages and never knew that
<2> never really had the need to know that though
<7> I can't honestly think of a reason either, since RegMon does a better job IMHO
<7> But it's there!
<2> yeah
<3> http://72.232.232.138/hijackthis.log
<3> "C:\DOCUME~1\ADMINI~1\APPLIC~1\WNSXS~1\dexplore.exe"
<3> O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
<3> O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvvif.dll,startup
<3> they look suspect, don't they?
<2> URLSearchHook
<7> You have Visual Studio installed?
<3> nope
<7> ipwins.exe is bad
<2> URLSearchHook needs to be gotten rid of
<7> Browser hijack
<7> And ipwins is adware.
<3> what about O4 - HKLM\..\Run: [{749E692F-0A64-1033-0825-050412200001}] "C:\Program Files\Common Files\{749E692F-0A64-1033-0825-050412200001}\Update.exe" mc-110-12-0000272
<7> Heh, Windows defender. Might as well uninstall that...
<2> check dexplore.exe also
<7> That Update.exe is a trojan dropper
<2> dexplore is fine
<3> dexplore is fine??
<2> yes
<2> leave it
<7> Somebody has been visiting naughty websites while logged in as Administrator...
<3> no way
<3> or maybe they are crack sites, not naughty ones :~~
<3> i know i know... cracking is bad :~/
<2> traymonitor.exe probably isn't great
<7> ALL crack sites are naughty. It's just a matter of how bad.
<7> "?dobe\userinit.exe" is also bad
<8> whackin is bad too
<2> hope you're writing these down
<3> traymonitor is part of the Plesk service
<3> i know it
<3> nothing to worry about
<7> I'm not 100% convinced dexplore.exe is good.
<2> NameServer = could be a dns redirector
<7> It's in a weird location
<7> And he said he didn't have Vis. Studio installed
<2> kill it
<7> Yeah. Even if it's legit it's not essential.
<2> i just looked up the name to see what it was
<2> didn't look any further
<7> clamav obviously didn't work either :p
<7> O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272
<7> That's also bad.
<2> what is plesk?
<2> it's spawning tons of ****
<3> it's my backup web server
<3> so i need it
<3> btw
<2> tried apache?
<7> That explains the Apache and MySQL services
<3> http://89.106.30.66/kill.txt
<3> i'm gonna remove them, should i proceed?
<2> if you are unsure look them up
<3> actually i'm just unsure of "O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\otelyogl.dll",setvm
<2> http://www.hedidnotseethatcoming.com/
<2> that's about funny
<3> restarting now..
<3> let's see what's gonna happen
<3> system restarted
<3> i no longer see that stupid "ur computer is infected" tray warning
<3> but an error report window appeared when i log on that says "internet explorer has encountered errors and needs to be closed bla bla.."
<3> but i'm damn sure that i didn't click it