Your Ad Here Your Ad Here
Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Bloody Spyware! (ringtone.exe)

  1. #1
    Mr. Mulder's Avatar pepper your angus BT Rep: +10BT Rep +10
    Join Date
    Aug 2003
    Location
    Vault 111
    Age
    31
    Posts
    30,947
    I have recently installed WinXP Pro and as usual, I connected without any protection and then had to race to d/l AVG ect before too many megahertz thieves got to me. I've gotten rid of just about all of it except ringtone.exe. Nothing seems to detect it

    Here's a shot of AVG after a complete system scan



    Here's my task manager, it doesn't seem to be listed in there either



    Here's my SpyBot results. The ones you see that haven't been fixed won't go, I get the usual "Do you want us to try at start up?" but that never works



    The only thing that does detect it is AVG, but only as a warning and never in a system scan, when I click on delete, or heal, or virus vault, it says it's done. But then moments later I get a virus warning sign for a ringtone.exe[2] which it won't let me do anything with, the process then starts again with the original ringtone.exe



    And finally, here's my hijackthis log (I tend to go overboard with the deleting and mess up all the browsers to the point of them not working again, so end up restoring nearly everything)

    Logfile of HijackThis v1.99.0
    Scan saved at 17:32:12, on 24/01/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\winasp.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\WINDOWS\System32\dllman.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\mswin32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\shch.exe
    C:\WINDOWS\System32\winproxy.exe
    C:\WINDOWS\System32\realone.exe
    C:\WINDOWS\System32\updsrv.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\rob\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Microsoft Applications] mswin32.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvlvx32.exe
    O4 - HKLM\..\Run: [NvCplScan] winasp.exe
    O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
    O4 - HKLM\..\Run: [Real One Player] realone.exe
    O4 - HKLM\..\Run: [Kernal Fault Check] ntosrkl.exe
    O4 - HKLM\..\Run: [Update Microsoft System] updsrv.exe
    O4 - HKLM\..\Run: [1D668JAYm] C:\WINDOWS\rnbmqoyh.exe
    O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
    O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
    O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
    O4 - HKLM\..\RunServices: [Microsoft Applications] mswin32.exe
    O4 - HKLM\..\RunServices: [Update Microsoft System] updsrv.exe
    O4 - HKLM\..\RunServices: [Real One Player] realone.exe
    O4 - HKLM\..\RunServices: [Kernal Fault Check] ntosrkl.exe
    O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
    O4 - HKLM\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
    O4 - HKCU\..\Run: [NvCplScan] winasp.exe
    O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
    O4 - HKCU\..\Run: [Update Microsoft System] updsrv.exe
    O4 - HKCU\..\Run: [Real One Player] realone.exe
    O4 - HKCU\..\Run: [Kernal Fault Check] ntosrkl.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
    O4 - HKCU\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
    O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8CFB7165-3589-4BE0-8FC5-E254517EACAE}: NameServer = 194.72.9.38 194.74.65.68
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    So, any ideas on how to destroy it?

    (If you see anything in the above that shouldn't be there then please let me know, and please excuse the child-like spelling, haven't got round to d/l Word yet )

  2. Software & Hardware   -   #2
    Retired
    Join Date
    Feb 2003
    Posts
    14,058
    restart in save mode, search for ringtone.exe files -> delete them and reboot

    dont see anything strange in your log.

    just dont visit that site anymore



    also try Real alternative instead of realone player
    Last edited by {I}{K}{E}; 01-24-2005 at 06:11 PM.

  3. Software & Hardware   -   #3
    manker's Avatar effendi
    Join Date
    May 2004
    Location
    I wear an Even Steven wit
    Posts
    44,031
    Hiya mate.

    I've just read that what IKE said won't fix it since the key re-writes itself every 2 seconds from a different location. Sneaky.

    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvlvx32.exe -- That's the line in HJT that identifies the ringtone.exe thing.

    Best boot up in safe mode, delete it and then try again to see if it's gone.

    While looking around to see what this ringtone.exe was, it appears that it's really difficult to isolate and delete so this simple step may not be enough. I've got no idea if the rest of the log is alright, btw.

    There are folk who suggest going into the registry editor - in safe mode - searching for 'Kalvsys' and deleting all entries pertaining to that. So it wouldn't hurt to do that as well.

    Are you using IE, btw
    Last edited by manker; 01-24-2005 at 06:14 PM.
    I plan on beating him to death with his kids. I'll use them as a bludgeon on his face. -

    --Good for them if they survive.

  4. Software & Hardware   -   #4
    Mr. Mulder's Avatar pepper your angus BT Rep: +10BT Rep +10
    Join Date
    Aug 2003
    Location
    Vault 111
    Age
    31
    Posts
    30,947
    Quote Originally Posted by manker
    Are you using IE, btw
    How dare you!

    Cheers fellas I'll give it a go

  5. Software & Hardware   -   #5
    fkdup74's Avatar Pneuberator.
    Join Date
    Sep 2003
    Posts
    3,616
    turn off system restore as well, or else all your trouble could be for nothin
    I am just a worthless liar. I am just an imbecile.
    I will only complicate you. Trust in me and fall as well.
    I will find a center in you. I will chew it up and leave.
    I will work to elevate you just enough to bring you down.

  6. Software & Hardware   -   #6
    Mr. Mulder's Avatar pepper your angus BT Rep: +10BT Rep +10
    Join Date
    Aug 2003
    Location
    Vault 111
    Age
    31
    Posts
    30,947
    The safe mode bit worked, it's gone now I hadn't gone to any sites other than Google and AVG, ringtone.exe and the 6 or 7 other bits were just part of the standard gang rape you recive when connecting with any windows os for the first time

    Will switch of restore now

  7. Software & Hardware   -   #7
    fkdup74's Avatar Pneuberator.
    Join Date
    Sep 2003
    Posts
    3,616
    Quote Originally Posted by Mr. Mulder
    Will switch of restore now
    well, if the system is actually clean, you can leave it on if you like
    its just good practice to turn restore off during a cleaning
    then after you reboot, and verify that the files are gone, you can re-enable it
    thats if you want, but if you got ghost or trueimage...restore isnt needed
    if you dont have a disc imaging app, restore maybe isnt a bad idea
    I am just a worthless liar. I am just an imbecile.
    I will only complicate you. Trust in me and fall as well.
    I will find a center in you. I will chew it up and leave.
    I will work to elevate you just enough to bring you down.

  8. Software & Hardware   -   #8
    Chewie's Avatar Chew E. Bakke
    Join Date
    Feb 2004
    Posts
    4,883
    Quote Originally Posted by Mr. Mulder
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
    First off, I'm not sure that's OK to be there so you may want to fix that on it's own in HijackThis, so it's easy to restore later, just in case.

    Turn on Show hidden files:
    Click Start. Open My Computer.
    Select the Tools menu and click Folder Options. Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Uncheck the Hide file extensions for known file types option.
    Click Yes to confirm. Click OK.

    Close all browser and explorer windows, start HijackThis and hit the Scan button.
    In HJT select these items and click Fix Checked
    Quote Originally Posted by Mr. Mulder
    O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
    O4 - HKLM\..\Run: [Microsoft Applications] mswin32.exe
    O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvlvx32.exe
    O4 - HKLM\..\Run: [NvCplScan] winasp.exe
    O4 - HKLM\..\Run: [Kernal Fault Check] ntosrkl.exe
    O4 - HKLM\..\Run: [Update Microsoft System] updsrv.exe
    O4 - HKLM\..\Run: [1D668JAYm] C:\WINDOWS\rnbmqoyh.exe
    O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
    O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
    O4 - HKLM\..\RunServices: [Microsoft Applications] mswin32.exe
    O4 - HKLM\..\RunServices: [Update Microsoft System] updsrv.exe
    O4 - HKLM\..\RunServices: [Kernal Fault Check] ntosrkl.exe
    O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
    O4 - HKLM\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
    O4 - HKCU\..\Run: [NvCplScan] winasp.exe
    O4 - HKCU\..\Run: [Update Microsoft System] updsrv.exe
    O4 - HKCU\..\Run: [Kernal Fault Check] ntosrkl.exe
    O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
    O4 - HKCU\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    Boot into Safe Mode and perform a thorough search (enable searching of system/hidden files/folders and subfolders) for these files:
    ntosrkl.exe, winasp.exe, updsrv.exe, mswin32.exe, dllman.exe, shch.exe, kalvlvx32.exe
    Delete all instances of these files.

    Reboot normally, scan and post a new HJT log.
    There isn't a bargepole long enough for me to work on [a Sony Viao] - clocker 2008

  9. Software & Hardware   -   #9
    Chewie's Avatar Chew E. Bakke
    Join Date
    Feb 2004
    Posts
    4,883
    Quote Originally Posted by Mr. Mulder
    The safe mode bit worked, it's gone now I hadn't gone to any sites other than Google and AVG, ringtone.exe and the 6 or 7 other bits were just part of the standard gang rape you recive when connecting with any windows os for the first time

    Will switch of restore now
    Yeah, you may not have been redirected, but who's that script-kiddie watching you type passwords?
    There isn't a bargepole long enough for me to work on [a Sony Viao] - clocker 2008

  10. Software & Hardware   -   #10
    Mr. Mulder's Avatar pepper your angus BT Rep: +10BT Rep +10
    Join Date
    Aug 2003
    Location
    Vault 111
    Age
    31
    Posts
    30,947
    I've done as you asked and managed to delete the .exe's for all the ones you mentioned

    Logfile of HijackThis v1.99.0
    Scan saved at 20:33:24, on 24/01/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\realone.exe
    C:\WINDOWS\System32\winproxy.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\rob\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
    O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
    O4 - HKLM\..\Run: [Real One Player] realone.exe
    O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
    O4 - HKLM\..\RunServices: [Real One Player] realone.exe
    O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
    O4 - HKCU\..\Run: [Real One Player] realone.exe
    O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8CFB7165-3589-4BE0-8FC5-E254517EACAE}: NameServer = 194.72.9.38 194.74.65.68
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    Does it look good?

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •