Bho No Name No File ...



#1 danespo

Posted 04 February 2006 - 09:54 AM

I am all new to HiJackThis. Thank you in advance for your help.

I have intermittent problems with a computer. It became suddenly slow even when not on the Internet. This morning, AVG has found lib.exe in windows\system 32 and has deleted it. Nothing was done on the computer for 24 hrs and was scanned just before with AVG, Spybot, PestPatrol and AdAware all up to date. This virus as others seems to be coming from nowhere. On Internet Explorer, pop-up ads sometimes lead to Winfixer.

System recovery is disabled.

stng260.exe was run and found nothing.

Please tell me if the line...

O2 - BHO: (no name) - {3ADCA3DF-24F9-8DEA-B64E-7E70AF3ACFC4} - (no file)

... represents a potential problem in the following log and why it is always coming back even though I asked HJT to fix it every time.

Logfile of HijackThis v1.99.1
Scan saved at 09:11:58, on 2006-02-04
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\ClaudetteG\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.montrealplus.ca/portalf/index.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {3ADCA3DF-24F9-8DEA-B64E-7E70AF3ACFC4} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1138139040900
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

______________________________________________

I also include this log file for I think it could help find the source of the problems.

adsspy.txt

C:\WINDOWS\stub26.ini : ucoapp (11895 bytes)
C:\WINDOWS\stub29.ini : kavxku (134303 bytes)
C:\WINDOWS\stub29.ini : ndygjz (35959 bytes)
C:\WINDOWS\stub32.ini : cbocmx (11895 bytes)
C:\WINDOWS\stub32.ini : wyvtf (35959 bytes)
C:\WINDOWS\system.ini : qtcpnp (197761 bytes)
C:\WINDOWS\WindowsUpdate.log : zfqtb (134303 bytes)
C:\WINDOWS\winnt256.bmp : rvcfml (197761 bytes)
C:\WINDOWS\_default.pif : gfuxkn (114154 bytes)
C:\WINDOWS\_default.pif : zffcex (11895 bytes)

_________________________________________________

Thank you again !

Daniel
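
Added example, not part of the original post and not code from HijackThis or ADS Spy: a small Python triage over lines copied from the two logs above. It lists O2 entries that HijackThis reports as `(no file)` (a BHO CLSID still registered with no DLL found on disk) and groups the ADS Spy streams by byte count to show which sizes recur on different host files; the function names and regexes are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the two logs in the post above (HijackThis, then ADS Spy).
HJT_LOG = r"""
O2 - BHO: (no name) - {3ADCA3DF-24F9-8DEA-B64E-7E70AF3ACFC4} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""
ADS_LOG = r"""
C:\WINDOWS\stub26.ini : ucoapp (11895 bytes)
C:\WINDOWS\stub29.ini : kavxku (134303 bytes)
C:\WINDOWS\stub29.ini : ndygjz (35959 bytes)
C:\WINDOWS\stub32.ini : cbocmx (11895 bytes)
C:\WINDOWS\stub32.ini : wyvtf (35959 bytes)
C:\WINDOWS\system.ini : qtcpnp (197761 bytes)
C:\WINDOWS\WindowsUpdate.log : zfqtb (134303 bytes)
C:\WINDOWS\winnt256.bmp : rvcfml (197761 bytes)
C:\WINDOWS\_default.pif : gfuxkn (114154 bytes)
C:\WINDOWS\_default.pif : zffcex (11895 bytes)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.+)$")
ADS_RE = re.compile(r"^(?P<host>.+?) : (?P<stream>\S+) \((?P<size>\d+) bytes\)$")

def orphaned_bhos(log):
    """Return (clsid, name) for every O2 entry reported as '(no file)'."""
    out = []
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if m and m["file"].lower() == "(no file)":
            out.append((m["clsid"].upper(), m["name"]))
    return out

def streams_by_size(log):
    """Group ADS entries by byte count; keep sizes seen on more than one host file."""
    groups = defaultdict(list)
    for line in log.splitlines():
        m = ADS_RE.match(line.strip())
        if m:
            groups[int(m["size"])].append((m["host"], m["stream"]))
    return {s: g for s, g in groups.items() if len({h for h, _ in g}) > 1}

if __name__ == "__main__":
    for clsid, name in orphaned_bhos(HJT_LOG):
        print("orphaned BHO registration:", clsid, name)
    for size, items in sorted(streams_by_size(ADS_LOG).items()):
        print(f"{size:>7} bytes x{len(items)}: " + ", ".join(f"{h}:{s}" for h, s in items))
```
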

#2 Skate_Punk_21

Posted 07 February 2006 - 03:33 PM

Please download AboutBuster.
  • Double click the AboutBuster folder, then double click the AboutBuster.exe inside.
  • Click "Extract all" in the box that pops up, then "Next"
  • Choose the location you would like to install AboutBuster, such as My Documents.
  • Make sure "Show extracted files" is checked, then click "Finish".
  • Reboot to safe mode by continually tapping the F8 key as the computer begins to boot.
  • Open AboutBuster and click the "Begin Removal" button. It will shut down all Explorer windows (if open) while it works.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
  • Run about:buster again following the same instructions as above, this time without the restart at the end

Perform an online scan with Internet Explorer with Kaspersky.
When you arrive at the page, click on Kaspersky Online Scanner and accept the TOS, and Privacy Statement that follow.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes or right click the message at the top of your browser and select Install ActiveX.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

#3 danespo

Posted 07 February 2006 - 06:29 PM

Thank you for your precious help !

As soon as I have the chance to run your recommendations, it will be done !

danespo :thumbsup:



