Mr. Mulder
01-24-2005, 05:53 PM
I have recently installed WinXP Pro and as usual, I connected without any protection and then had to race to d/l AVG etc. before too many megahertz thieves got to me. I've gotten rid of just about all of it except ringtone.exe. Nothing seems to detect it :unsure:
Here's a shot of AVG after a complete system scan :unsure:
http://img.photobucket.com/albums/v219/Arcadiaculttv/avgfree.jpg
Here's my task manager, it doesn't seem to be listed in there either :unsure:
http://img.photobucket.com/albums/v219/Arcadiaculttv/taskmanager.jpg
Here's my SpyBot results. The ones you see that haven't been fixed won't go, I get the usual "Do you want us to try at start up?" but that never works :unsure:
http://img.photobucket.com/albums/v219/Arcadiaculttv/spybot.jpg
The only thing that does detect it is AVG, but only as a warning and never in a system scan, when I click on delete, or heal, or virus vault, it says it's done. But then moments later I get a virus warning sign for a ringtone.exe[2] which it won't let me do anything with, the process then starts again with the original ringtone.exe :dry:
http://img.photobucket.com/albums/v219/Arcadiaculttv/ringtoneexe1.gif
And finally, here's my hijackthis log (I tend to go overboard with the deleting and mess up all the browsers to the point of them not working again, so end up restoring nearly everything)
Logfile of HijackThis v1.99.0
Scan saved at 17:32:12, on 24/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\winasp.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\dllman.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\mswin32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\shch.exe
C:\WINDOWS\System32\winproxy.exe
C:\WINDOWS\System32\realone.exe
C:\WINDOWS\System32\updsrv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\rob\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Microsoft Applications] mswin32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvlvx32.exe
O4 - HKLM\..\Run: [NvCplScan] winasp.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Kernal Fault Check] ntosrkl.exe
O4 - HKLM\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\Run: [1D668JAYm] C:\WINDOWS\rnbmqoyh.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O4 - HKLM\..\RunServices: [Microsoft Applications] mswin32.exe
O4 - HKLM\..\RunServices: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Kernal Fault Check] ntosrkl.exe
O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKLM\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Kernal Fault Check] ntosrkl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKCU\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CFB7165-3589-4BE0-8FC5-E254517EACAE}: NameServer = 194.72.9.38 194.74.65.68
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
So, any ideas on how to destroy it? :unsure:
(If you see anything in the above that shouldn't be there then please let me know, and please excuse the child-like spelling, haven't got round to d/l Word yet :unsure: )
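Added example, not part of the original post: a small Python triage of the O4 (autorun) lines in a HijackThis log like the one above, run here on a subset of those lines. It flags entries that give no path and entries registered under several autorun keys; both are review heuristics assumed for this sketch, not verdicts, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input: a subset of the O4 lines copied from the log in the post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplScan] winasp.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
"""

O4_REG = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

def parse_o4(log):
    """Yield (hive, key, value_name, command) for each registry autorun line."""
    for line in log.splitlines():
        m = O4_REG.match(line.strip())
        if m:
            yield m.groups()

def triage(log):
    """Group autorun entries by (value name, command) and attach review flags."""
    seen = defaultdict(set)
    for hive, key, name, cmd in parse_o4(log):
        seen[(name, cmd)].add(f"{hive}\\{key}")
    report = {}
    for (name, cmd), keys in seen.items():
        flags = []
        # A bare file name leaves the location to the system's search order,
        # so the log line alone does not say which file on disk runs.
        if "\\" not in cmd:
            flags.append("no-path")
        # The same value under several autorun keys survives the removal
        # of any single one of them.
        if len(keys) > 1:
            flags.append(f"in-{len(keys)}-keys")
        if flags:
            report[name] = (cmd, sorted(keys), flags)
    return report

if __name__ == "__main__":
    for name, (cmd, keys, flags) in triage(SAMPLE_LOG).items():
        print(f"[{name}] {cmd}: {', '.join(flags)} ({', '.join(keys)})")
```

Entries that carry a full path and appear under a single key are left out of the report; the "Global Startup" line is a Startup-folder shortcut rather than a registry value and is skipped by the parser.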