Bloody Spyware! (ringtone.exe)



Mr. Mulder
01-24-2005, 05:53 PM
I have recently installed WinXP Pro and as usual, I connected without any protection and then had to race to d/l AVG etc. before too many megahertz thieves got to me. I've gotten rid of just about all of it except ringtone.exe. Nothing seems to detect it :unsure:

Here's a shot of AVG after a complete system scan :unsure:

http://img.photobucket.com/albums/v219/Arcadiaculttv/avgfree.jpg

Here's my task manager, it doesn't seem to be listed in there either :unsure:

http://img.photobucket.com/albums/v219/Arcadiaculttv/taskmanager.jpg

Here's my SpyBot results. The ones you see that haven't been fixed won't go, I get the usual "Do you want us to try at start up?" but that never works :unsure:

http://img.photobucket.com/albums/v219/Arcadiaculttv/spybot.jpg

The only thing that does detect it is AVG, but only as a warning and never in a system scan, when I click on delete, or heal, or virus vault, it says it's done. But then moments later I get a virus warning sign for a ringtone.exe[2] which it won't let me do anything with, the process then starts again with the original ringtone.exe :dry:

http://img.photobucket.com/albums/v219/Arcadiaculttv/ringtoneexe1.gif

And finally, here's my hijackthis log (I tend to go overboard with the deleting and mess up all the browsers to the point of them not working again, so end up restoring nearly everything)


Logfile of HijackThis v1.99.0
Scan saved at 17:32:12, on 24/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\winasp.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\dllman.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\mswin32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\shch.exe
C:\WINDOWS\System32\winproxy.exe
C:\WINDOWS\System32\realone.exe
C:\WINDOWS\System32\updsrv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\rob\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Microsoft Applications] mswin32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvlvx32.exe
O4 - HKLM\..\Run: [NvCplScan] winasp.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Kernal Fault Check] ntosrkl.exe
O4 - HKLM\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\Run: [1D668JAYm] C:\WINDOWS\rnbmqoyh.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O4 - HKLM\..\RunServices: [Microsoft Applications] mswin32.exe
O4 - HKLM\..\RunServices: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Kernal Fault Check] ntosrkl.exe
O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKLM\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Kernal Fault Check] ntosrkl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKCU\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CFB7165-3589-4BE0-8FC5-E254517EACAE}: NameServer = 194.72.9.38 194.74.65.68
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

So, any ideas on how to destroy it? :unsure:

(If you see anything in the above that shouldn't be there then please let me know, and please excuse the child-like spelling, haven't got round to d/l Word yet :unsure: )

{I}{K}{E}
01-24-2005, 06:09 PM
restart in safe mode, search for ringtone.exe files -> delete them and reboot

don't see anything strange in your log.

just don't visit that site anymore ;)



also try Real alternative instead of realone player ;)

manker
01-24-2005, 06:10 PM
Hiya mate.

I've just read that what IKE said won't fix it since the key re-writes itself every 2 seconds from a different location. Sneaky.

O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvlvx32.exe -- That's the line in HJT that identifies the ringtone.exe thing.

Best boot up in safe mode, delete it and then try again to see if it's gone.

While looking around to see what this ringtone.exe was, it appears that it's really difficult to isolate and delete so this simple step may not be enough. I've got no idea if the rest of the log is alright, btw.

There are folk who suggest going into the registry editor - in safe mode - searching for 'Kalvsys' and deleting all entries pertaining to that. So it wouldn't hurt to do that as well.

Are you using IE, btw :shifty:

Mr. Mulder
01-24-2005, 06:13 PM
Are you using IE, btw :shifty:

:ohmy: How dare you!

Cheers fellas :D I'll give it a go :01:

fkdup74
01-24-2005, 06:57 PM
turn off system restore as well, or else all your trouble could be for nothin ;)

Mr. Mulder
01-24-2005, 07:04 PM
The safe mode bit worked, it's gone now :D I hadn't gone to any sites other than Google and AVG, ringtone.exe and the 6 or 7 other bits were just part of the standard gang rape you receive when connecting with any windows os for the first time :unsure:

Will switch off restore now :01:

fkdup74
01-24-2005, 07:10 PM
Will switch off restore now :01:

well, if the system is actually clean, you can leave it on if you like
it's just good practice to turn restore off during a cleaning
then after you reboot, and verify that the files are gone, you can re-enable it
that's if you want, but if you got ghost or trueimage...restore isn't needed
if you don't have a disc imaging app, restore maybe isn't a bad idea

Chewie
01-24-2005, 07:12 PM
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
First off, I'm not sure that's OK to be there so you may want to fix that on its own in HijackThis, so it's easy to restore later, just in case.

Turn on Show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Uncheck the Hide file extensions for known file types option.
Click Yes to confirm. Click OK.

Close all browser and explorer windows, start HijackThis and hit the Scan button.
In HJT select these items and click Fix Checked

O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [Microsoft Applications] mswin32.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvlvx32.exe
O4 - HKLM\..\Run: [NvCplScan] winasp.exe
O4 - HKLM\..\Run: [Kernal Fault Check] ntosrkl.exe
O4 - HKLM\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\Run: [1D668JAYm] C:\WINDOWS\rnbmqoyh.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
O4 - HKLM\..\RunServices: [Microsoft Applications] mswin32.exe
O4 - HKLM\..\RunServices: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\RunServices: [Kernal Fault Check] ntosrkl.exe
O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKLM\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKCU\..\Run: [Kernal Fault Check] ntosrkl.exe
O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
O4 - HKCU\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Boot into Safe Mode and perform a thorough search (enable searching of system/hidden files/folders and subfolders) for these files:
ntosrkl.exe, winasp.exe, updsrv.exe, mswin32.exe, dllman.exe, shch.exe, kalvlvx32.exe
Delete all instances of these files.

Reboot normally, scan and post a new HJT log.
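As an added defender-side example (not code from the thread or from HijackThis), the Python below automates the kind of triage Chewie did by hand on the O4 lines: it parses the log format shown above and flags entries that are bare filenames, sit under the Win9x-only RunServices key, are registered under several autostart keys at once, or carry a name that imitates a Windows process. The sample lines are copied from the first log in the thread; the thresholds and lookalike list are assumptions.

```python
import re
from collections import defaultdict

# Sample O4 lines copied from the HijackThis log posted in this thread (constructed subset).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\Run: [Microsoft Applications] mswin32.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvlvx32.exe
O4 - HKLM\..\Run: [Kernal Fault Check] ntosrkl.exe
O4 - HKLM\..\RunServices: [Kernal Fault Check] ntosrkl.exe
O4 - HKLM\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
O4 - HKCU\..\Run: [Kernal Fault Check] ntosrkl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[([^\]]*)\] (.*)$")
EXE_RE = re.compile(r'"?(.*?\.exe)', re.I)   # path up to the first .exe, quoted or not
LOOKALIKE = {"svchost", "lsass", "explorer"}   # assumed list of names malware imitates

def parse_o4(log_text):
    """Return (hive, key, name, exe) for every O4 autostart line in a HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        exe = EXE_RE.match(m.group(4).strip()) if m else None
        if exe:
            entries.append((m.group(1), m.group(2), m.group(3), exe.group(1)))
    return entries

def find_suspicious(entries, min_keys=3):
    """Map lower-cased exe -> sorted list of reasons it deserves a second look."""
    keys_by_exe = defaultdict(set)
    for hive, key, _, exe in entries:
        keys_by_exe[exe.lower()].add(hive + "\\" + key)
    findings = defaultdict(set)
    for hive, key, name, exe in entries:
        exe_l = exe.lower()
        if "\\" not in exe:   # bare name: found via the search path, not a known install dir
            findings[exe_l].add("bare filename with no install path")
        if key == "RunServices":   # only Win9x/ME process this key; XP software never needs it
            findings[exe_l].add("uses the Win9x-only RunServices key")
        if len(keys_by_exe[exe_l]) >= min_keys:   # redundant persistence across keys
            findings[exe_l].add("registered under %d autostart keys" % len(keys_by_exe[exe_l]))
        if name.lower().replace("0", "o").replace("1", "l") in LOOKALIKE:
            findings[exe_l].add("autostart name imitates a Windows process (%s)" % name)
    return {exe: sorted(r) for exe, r in findings.items()}
```

Note that kalvlvx32.exe, the entry manker identified by name, passes all four heuristics (full path under system32, single key, unremarkable name), so a script like this narrows the list but does not replace a human reading the log.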

Chewie
01-24-2005, 07:15 PM
The safe mode bit worked, it's gone now :D I hadn't gone to any sites other than Google and AVG, ringtone.exe and the 6 or 7 other bits were just part of the standard gang rape you receive when connecting with any windows os for the first time :unsure:

Will switch off restore now :01:
Yeah, you may not have been redirected, but who's that script-kiddie watching you type passwords?

Mr. Mulder
01-24-2005, 08:34 PM
I've done as you asked and managed to delete the .exe's for all the ones you mentioned :01:


Logfile of HijackThis v1.99.0
Scan saved at 20:33:24, on 24/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\realone.exe
C:\WINDOWS\System32\winproxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\rob\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CFB7165-3589-4BE0-8FC5-E254517EACAE}: NameServer = 194.72.9.38 194.74.65.68
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Does it look good? :unsure:

Peerzy
01-24-2005, 08:41 PM
What's:


O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll

Some toolbar for MS Excel or spywarez :unsure:

Samurai
01-24-2005, 08:54 PM
Can I just stress at this point to any members (both full and new) the importance of keeping an up-to-date antivirus and firewall on discs prior to installing a new operating system / reformatting.

The first thing you should do is install an antivirus before connecting to the Internet, followed by a firewall. Then update both asap and you shouldn't run into these kinds of problems.

Samurai ;)

{I}{K}{E}
01-24-2005, 10:17 PM
What's:


Some toolbar for MS Excel or spywarez :unsure:


http://www.navexcel.com/live/about.html

The NavExcel Search Toolbar is a space-efficient browser toolbar that is installed conveniently to the right of the browser address bar and enables end users to access our search engine from anywhere on the web. The NavExcel Search Toolbar also comes with a Pop-up Blocker that enables end users to surf the web with greater privacy and fewer annoyances.

NavHelper and the NavExcel Search Toolbar are not spyware nor adware - neither software programs will collect any personally identifiable information or web browsing data about end users or serve end users any pop-up or pop-under advertisements. Please see our full Privacy Policy for more information our software practices.

Chewie
01-24-2005, 11:14 PM
http://www.navexcel.com/live/about.html

The NavExcel Search Toolbar is a space-efficient browser toolbar that is installed conveniently to the right of the browser address bar and enables end users to access our search engine from anywhere on the web. The NavExcel Search Toolbar also comes with a Pop-up Blocker that enables end users to surf the web with greater privacy and fewer annoyances.

NavHelper and the NavExcel Search Toolbar are not spyware nor adware - neither software programs will collect any personally identifiable information or web browsing data about end users or serve end users any pop-up or pop-under advertisements. Please see our full Privacy Policy for more information our software practices.
Yeah, they all say that don't they? ;)
Seriously, if Mr Mulder didn't knowingly install it, then it should be removed together with the helper object:
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
I thought I may have missed it first time round but it wasn't there, which makes me wonder where Mr M went while trying to sort this out... perhaps it was a result of one of those trojans.

Other than that, it looks clean.

{I}{K}{E}
01-24-2005, 11:17 PM
I've done as you asked and managed to delete the .exe's for all the ones you mentioned :01:



Does it look good? :unsure:

Get Real Alternative instead of RealOne player ;)

peat moss
01-25-2005, 01:47 AM
Sorry if off topic but seems like the perfect time! That DOS exploit that spybot keeps finding. I'm thinking it's something to do with Zonealarm because you have it too. WTF is it? I remove it, next scan it flags it again? :frusty: