MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: Need help...again
November 21, 2019, 12:48:32 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
November 21, 2019, 12:48:32 AM

Login with username, password and session length
 Featured Sites:
News
Help us help you! Help us help you by helping out! The more people know about us, the more help will be available. Click here to find out how...
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: Need help...again  (Read 3385 times)
nte1973
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 10


Bookmark and Share

View Profile
« on: February 06, 2005, 12:56:36 AM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version:
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:




I had posted before about getting rid of the openconf.exe files that brings up the strip poker window and occassionally a nude website page will come up if I'm in IE.  Here is my HiJack log:

Logfile of HijackThis v1.99.0
Scan saved at 6:52:12 PM, on 2/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Todd Erwin\Desktop\Unused Desktop Shortcuts\America Online 9.0b\aoltray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\nlsfuncs.exe
C:\Documents and Settings\Todd Erwin\My Documents\8T2R
« Last Edit: February 06, 2005, 12:57:01 AM by nte1973 » Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #1 on: February 06, 2005, 03:39:06 PM »

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.



**(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. This is where it will save the backup files needed if there's a problem.)**

Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

nlsfuncs.exe
InstaFinderK_inst.exe
fsg_4203.exe

Turn off System Restore WinXP WinME. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


O4 - HKLM\..\Run: [InstaFinderK] C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"


Go to Control Panel / Add/Remove Programs and remove the
 following if they are there:


InstaFinderK
Trickler

Now delete these Folders or Files that are Highlighted: (You may need enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\WINDOWS\system32\nlsfuncs.exe
C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
c:\windows\temp\adware\fsg_4203.exe

Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.

In Xp, here are some locations of Temp files

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

Turn on System Restore

Before opening your browser goto START>CONTROL PANEL>INTERNET OPTIONS and make sure your Homepage is correct,if not ,type the URL you would like in the HomePage box.


Now re-run HJT and post a new logfile back here.

Cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
nte1973
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 10


Bookmark and Share

View Profile
« Reply #2 on: February 06, 2005, 03:52:07 PM »

Logfile of HijackThis v1.99.0
Scan saved at 9:48:18 AM, on 2/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Todd Erwin\Desktop\Unused Desktop Shortcuts\America Online 9.0b\aoltray.exe
C:\Documents and Settings\Todd Erwin\My Documents\8T2R
Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #3 on: February 06, 2005, 04:08:03 PM »

Your logfile looks clean .. Grin


Cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
nte1973
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 10


Bookmark and Share

View Profile
« Reply #4 on: February 06, 2005, 05:22:10 PM »

I'm still getting the openconf.exe, unlodctl.exe, and nlsfuncs.exe files along with the little pop-up screen telling me my computer may be at risk.

Logfile of HijackThis v1.99.0
Scan saved at 11:19:42 AM, on 2/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Todd Erwin\Desktop\Unused Desktop Shortcuts\America Online 9.0b\aoltray.exe
C:\WINDOWS\system32\unlodctl.exe
C:\WINDOWS\system32\nlsfuncs.exe
C:\WINDOWS\system32\openconf.exe
C:\Documents and Settings\Todd Erwin\Desktop\Unused Desktop Shortcuts\America Online 9.0b\waol.exe
C:\Documents and Settings\Todd Erwin\Desktop\Unused Desktop Shortcuts\America Online 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Documents and Settings\Todd Erwin\My Documents\8T2R
Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #5 on: February 06, 2005, 05:33:23 PM »

Let's do this again .. Lips Sealed

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

unlodctl.exe
nlsfuncs.exe
openconf.exe


Turn off System Restore WinXP WinME. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{608F7C31-CB78-419F-B734-C005FBC9601D}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{F06A3C6C-2D37-4B2A-B3D9-6E8B8E736896}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{608F7C31-CB78-419F-B734-C005FBC9601D}: NameServer = 69.50.176.156,195.225.176.31


Now delete these Folders or Files that are Highlighted: (You may need enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\WINDOWS\system32\unlodctl.exe
C:\WINDOWS\system32\nlsfuncs.exe
C:\WINDOWS\system32\openconf.exe


Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.

In Xp, here are some locations of Temp files

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

Turn on System Restore

Before opening your browser goto START>CONTROL PANEL>INTERNET OPTIONS and make sure your Homepage is correct,if not ,type the URL you would like in the HomePage box.


Now re-run HJT and post a new logfile back here.

Cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
nte1973
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 10


Bookmark and Share

View Profile
« Reply #6 on: February 06, 2005, 09:18:30 PM »

Logfile of HijackThis v1.99.0
Scan saved at 3:15:52 PM, on 2/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Todd Erwin\Desktop\Unused Desktop Shortcuts\America Online 9.0b\aoltray.exe
C:\Documents and Settings\Todd Erwin\Desktop\Unused Desktop Shortcuts\America Online 9.0b\waol.exe
C:\Documents and Settings\Todd Erwin\Desktop\Unused Desktop Shortcuts\America Online 9.0b\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Documents and Settings\Todd Erwin\My Documents\8T2R
Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #7 on: February 06, 2005, 09:38:47 PM »

Your logfile looks pretty clean .. Grin

How's it running?

Cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
nte1973
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 10


Bookmark and Share

View Profile
« Reply #8 on: February 06, 2005, 09:40:54 PM »

so far so good, but i anticipate those files coming back.  not sure what i need to do to get rid of them for good.
Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #9 on: February 06, 2005, 11:36:23 PM »

Let's see if they come back .. Lips Sealed

Post back and let us know.

You can also...
Go here and run online scans (all), allow them to delete whatever they find:

TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan
Note any thing that can't be fixed
Reboot when done.

Also...

Even if you've already run these, make SURE they're up-to-date and run per instructions.

Make sure you have the up-to-date versions of Spybot V 1.3 and Ad-aware SE Build 1.05 . All are free and available below.

Download Spybot, install and update. Then download Ad-aware, install, and update.


Spybot:

Install the program and launch it.

Go to Start > Programs >Spybot > Search & Destroy and choose Spybot S&D

Close ALL windows except Spybot S&D
Click the button to "Search for Updates" and download and install the Updates.
Next click the button "Check for Problems"
When Spybot is complete, it will be showing "RED" (RED) entries "BLACK" entries and "GREEN" (GREEN) entries in the window
Put a check mark beside the RED (RED) entries ONLY.
Choose "Fix Selected Problems" and allow Spybot to fix the RED (RED) entries.

Ad-Aware FULL SCAN:

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From main window :Click Start then under Select a scan Mode check Perform full system scan.
Next deselect Search for negligible risk entries.
Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Empty Recycle Bin



Cactus
« Last Edit: February 06, 2005, 11:38:22 PM by Cactus » Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
nte1973
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 10


Bookmark and Share

View Profile
« Reply #10 on: February 07, 2005, 03:38:33 AM »

Thanks Cactus.  I really appreciate the help.  I'll post back if I have any more problems.
Logged

 
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page November 24, 2018, 05:37:24 PM