
Winlogon File Not Found .../windows/sembako-cgzjmji.exe"


  • This topic is locked
7 replies to this topic

#1 billie-tot


Posted 24 March 2006 - 04:33 AM

Every time I log on, there is always a small window that shows up, stating "Windows cannot find 'File not found: D:\windows\sembako-sembako-cgzjmji.exe.' Make sure you type the name correctly, and then try again. To search for a file, click the start button, and then click search."

I know that this event is primarily caused by a worm, so I downloaded Autoruns (following instructions provided here on bc.com) and tried to delete it from the list and the registry. In fact, I've discovered other worms in the list, like bron-spizaetus and tok-cirrhautus, whose image path is "file not found: windows\..." as well. The only problem is, after I delete these three from the list and the registry, once I restart the computer or just refresh the list, they all show up again.

In terms of checking whether my computer is virus-free, I've run two antivirus programs, namely Norton and AntiVir XP, and the results show that my computer is malware-free. I've also done the instructions before using the HJT log, but this does not solve the problem.

I've also noticed that ever since I scanned and cleaned the malware on my PC, I could no longer make my Yahoo Messenger work. I've downloaded and installed it several times, but once I click on it to test it, a window shows up saying "ym has encountered problems and need to be closed..." Does this have something to do with cleaning up the malware on my PC? Or with the worm sembako that keeps on showing up at startup?

It's really frustrating to see this annoying window popping up every time I turn on the computer. It would really be nice if someone were able to help me get rid of this annoying message.

Thanks in advance. :thumbsup:




Logfile of HijackThis v1.99.1
Scan saved at 5:17:28 PM, on 3/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\slserv.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\sllights.exe
D:\Program Files\Opera\Opera.exe
D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe "D:\WINDOWS\sembako-cgzjmji.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [Bron-Spizaetus-cgijmprz] "D:\WINDOWS\ShellNew\bbm-zrpmjigc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tok-Cirrhatus-1926] "D:\Documents and Settings\Billie\Local Settings\Application Data\br4875on.exe"
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - D:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141542397281
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://D:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://D:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://D:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://D:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0A1FF98-408D-42C0-A54B-542B8B4271E3}: NameServer = 202.81.160.6 202.81.160.7
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#2 billie-tot

  • Topic Starter

Posted 25 March 2006 - 11:00 AM

Oh, about the Yahoo Messenger: I've tried to repair it using Add/Remove Programs in my Windows control panel, but then there's this window that pops up looking for a particular file "...\LOCALS~1\Temp\GLB3EC.tmp", which just could not be found. So my YM could not be fixed. Boo. :thumbsup:

#3 pskelley

  • Staff Emeritus

Posted 29 March 2006 - 09:52 AM

Hello and welcome to the forum. Being someone who uses MSNIM more than email, I can understand you wanting Yahoo messenger restored. I do see some nasty junk that is on your computer. We will remove it, clean up a bit and see what happens.

Your Ad-Aware SE Professional\Ad-Watch.exe program may stop the fix we must make, so please print the instructions and look ahead. Download the tools you need, then go offline before you disable Ad-Watch. Turn it back on before returning online. Proceed in the posted order.


1) ewido scan:
Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

**some items may be removed when you get there, not to be concerned, just do not miss any**

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

F2 - REG:system.ini: Shell=Explorer.exe "D:\WINDOWS\sembako-cgzjmji.exe"
O4 - HKLM\..\Run: [Bron-Spizaetus-cgijmprz] "D:\WINDOWS\ShellNew\bbm-zrpmjigc.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus-1926] "D:\Documents and Settings\Billie\Local Settings\Application Data\br4875on.exe"

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders. Reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

D:\WINDOWS\sembako-cgzjmji.exe <<< file

D:\WINDOWS\ShellNew\bbm-zrpmjigc.exe <<< I believe the folder (ShellNew) needs to go. Look at it, you should be able to tell. The bbm-zrpmjigc.exe needs to be deleted for sure!

D:\Documents and Settings\Billie\Local Settings\Application Data\br4875on.exe <<< file
C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER) <<< this may be D:\Windows\Prefetch\
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

If you don't have a good cleaner, use this free one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove anything; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and any comments you think will help.

Thanks...pskelley
BleepingComputer

Edited by pskelley, 29 March 2006 - 09:53 AM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
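The three lines pskelley asks to fix are the two persistence points this thread turns on: the system.ini/Winlogon Shell value (HJT's F2 line), which Windows starts alongside Explorer.exe at every logon, and the HKLM/HKCU Run keys (the O4 lines). As an added example, not from the thread and not HijackThis code, this Python script parses those lines out of an HJT log and flags a Shell value that launches anything besides Explorer.exe, plus Run entries whose executable sits in the Windows root, a ShellNew folder or a user profile rather than Program Files or System32. The sample log lines are constructed in the shape of the logs above, and the location rules are triage heuristics, not a verdict.

```python
"""Audit the persistence entries in a HijackThis (HJT) log.

Added example for this thread; it is not HijackThis code and not something
the thread's participants posted. It reads the F2 line (the system.ini /
Winlogon "Shell=" value) and the O4 lines (Run keys) of an HJT log and flags
the patterns seen above: a Shell value that starts anything besides
Explorer.exe, and Run entries whose executable lives in the Windows root, a
ShellNew folder or a user profile instead of Program Files or System32.
The location rules are heuristics for triage, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section, "F2" or "O4"
    label: str     # Run value name (with hive), or "Shell" for the F2 line
    path: str      # executable the entry launches
    reason: str    # why it was flagged


# HJT prints the raw registry values; these patterns follow its line layout.
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$")
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# <drive>:\WINDOWS\<file>.exe with no subfolder: a program dropped in the root
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")


def split_command(value: str) -> list[str]:
    """Split a command line into tokens, keeping double-quoted paths whole."""
    return [tok[1:-1] if tok.startswith('"') else tok
            for tok in re.findall(r'"[^"]*"|\S+', value)]


def launched_executable(cmd: str) -> str:
    """Return the executable an O4 command line starts.

    Quoted paths may carry arguments ("...\\msmsgs.exe" /background) and
    unquoted paths may contain spaces (D:\\Program Files\\...\\jusched.exe).
    """
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"(.*?\.(?:exe|com|scr|bat|cmd))(?:\s|$)", cmd, re.IGNORECASE)
    return unquoted.group(1) if unquoted else cmd.strip()


def location_reason(path: str) -> str | None:
    """Heuristic: places where legitimate autostart programs normally do not live."""
    p = path.lower().replace("/", "\\")
    if "\\shellnew\\" in p:
        return "executable placed in the ShellNew template folder"
    if "\\documents and settings\\" in p or "\\users\\" in p:
        return "executable running from a user profile directory"
    if WINDOWS_ROOT_EXE.match(p):
        return "executable dropped directly in the Windows root"
    return None


def audit_hjt_log(text: str) -> list[Finding]:
    """Return the F2/O4 entries of an HJT log that deserve a closer look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        shell = F2_SHELL.match(line)
        if shell:
            # A clean XP Shell value is just "Explorer.exe"; every extra
            # token is a second program Winlogon starts with the desktop.
            for tok in split_command(shell.group("value")):
                if tok.lower().rsplit("\\", 1)[-1] != "explorer.exe":
                    findings.append(Finding("F2", "Shell", tok,
                        "Winlogon Shell starts a program besides Explorer.exe"))
            continue
        run = O4_RUN.match(line)
        if run:
            exe = launched_executable(run.group("cmd"))
            reason = location_reason(exe)
            if reason:
                label = f"{run.group('hive')} Run: {run.group('name')}"
                findings.append(Finding("O4", label, exe, reason))
    return findings


# Constructed sample in the shape of the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe "D:\WINDOWS\sembako-cgzjmji.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Bron-Spizaetus-cgijmprz] "D:\WINDOWS\ShellNew\bbm-zrpmjigc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tok-Cirrhatus-1926] "D:\Documents and Settings\Billie\Local Settings\Application Data\br4875on.exe"
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe
"""

if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.label}: {f.path}\n      -> {f.reason}")
```

Running it on the sample reports exactly the three entries pskelley lists and nothing else; the legitimate `ctfmon.exe` in System32 and the Program Files entries pass. Because the thread's symptom is that the entries come back after a reboot, the useful check is to run the audit on a fresh log taken after restarting: if the same F2/O4 lines reappear, something still running (or still on disk in a temp, TIF or Prefetch location) is recreating them, which is exactly what the later replies in this thread go looking for.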

#4 billie-tot

  • Topic Starter

Posted 03 April 2006 - 11:59 AM

Thanks for the welcome and the immediate response to my message. :thumbsup:

I have finally downloaded the necessary software and performed the instructions provided. I clicked on "Fix checked" in HJT, which seemed to work since those three disappeared. Only, upon attempting to enable hidden files and folders using Folder Options in the control panel, I could no longer locate it. So I just used Windows Explorer to search for the three junk files. Unfortunately, I could not locate them either. But I was able to clean the Prefetch folder and delete the ShellNew folder (even if bbm-zrpmjigc.exe wasn't there). Finally, I used CCleaner to clean up the unnecessary stuff and everything seemed to turn out pretty okay. I restarted it and the annoying message about sembako didn't show up. But as soon as I enabled Ad-Watch, the three of them were back again and could not be blocked. :flowers:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:31:27 PM, 9/30/2006
+ Report-Checksum: 4C4963A1

+ Scan result:

D:\Documents and Settings\Billy\Cookies\billy@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup


::Report End

---------------------------------------------------------
HijackThis - Saved report
---------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 1:21:08 AM, on 4/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
D:\WINDOWS\system32\slserv.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Rainlendar\Rainlendar.exe
D:\Program Files\RocketDock\RocketDock.exe
D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
D:\Program Files\Opera\Opera.exe
D:\Program Files\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe "D:\WINDOWS\sembako-cgzjmji.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Bron-Spizaetus-cgijmprz] "D:\WINDOWS\ShellNew\bbm-zrpmjigc.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tok-Cirrhatus-1926] "D:\Documents and Settings\Billie\Local Settings\Application Data\br4875on.exe"
O4 - Startup: Rainlendar.lnk = D:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = D:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - D:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141542397281
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://D:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://D:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://D:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://D:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SmartLinkService (SLService) - - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

#5 pskelley

  • Staff Emeritus

Posted 03 April 2006 - 03:43 PM

OK, before we start, I want to make sure you understand this junk may be running from a TEMP folder, the Temporary Internet Files folder, or Prefetch. We may have ruled out Prefetch, as you said you deleted the contents of it. I will post the instructions for enabling hidden files and folders again; you can't delete what you can't see.
SHOW HIDDEN FILES: MANUAL INSTRUCTIONS
Double-click My Computer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

The hackers have done all they can to keep you from finding and removing their junk. You want to use your search companion first so you will know where any of the items can be. HJT is a small process manager and it stops the process for you as long as you do not reboot so you can delete the junk. Let's look at what they are:

Are you 100% positive this program is safe? D:\Program Files\RocketDock\RocketDock.exe If you are not, or you downloaded it around the time of the problem, uninstall it.

F2 - REG:system.ini: Shell=Explorer.exe "D:\WINDOWS\sembako-cgzjmji.exe"

O4 - HKLM\..\Run: [Bron-Spizaetus-cgijmprz] "D:\WINDOWS\ShellNew\bbm-zrpmjigc.exe"

O4 - HKCU\..\Run: [Tok-Cirrhatus-1926] "D:\Documents and Settings\Billie\Local Settings\Application Data\br4875on.exe"

Important: http://www.personal-computer-tutor.com/deletingtempfiles.htm

http://www.mvps.org/winhelp2002/delcache.htm

http://support.microsoft.com/default.aspx?...kb;en-us;260897

HJT instructions:

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

F2 - REG:system.ini: Shell=Explorer.exe "D:\WINDOWS\sembako-cgzjmji.exe"
O4 - HKLM\..\Run: [Bron-Spizaetus-cgijmprz] "D:\WINDOWS\ShellNew\bbm-zrpmjigc.exe"
O4 - HKCU\..\Run: [Tok-Cirrhatus-1926] "D:\Documents and Settings\Billie\Local Settings\Application Data\br4875on.exe"

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Navigate to:

D:\WINDOWS\sembako-cgzjmji.exe >>> file

D:\WINDOWS\ShellNew\bbm-zrpmjigc.exe >>> folder (let the folder sit in the Recycle Bin; if you should have a problem you can empty the folder there and restore it)

D:\Documents and Settings\Billie\Local Settings\Application Data\br4875on.exe >>> file
Make sure all TEMP and TIF files are deleted, and even check Prefetch to make sure none of these files is there. Restart the computer and post a clean log for me.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#6 billie-tot

  • Topic Starter

Posted 04 April 2006 - 05:55 AM

Hi! I'm sorry, but the Folder Options item in the Tools menu of My Computer is not there either, so I could not exactly perform the instructions.

#7 pskelley

  • Staff Emeritus

Posted 04 April 2006 - 06:12 AM

Here are the directions from Microsoft for Windows XP:
http://www.microsoft.com/windowsxp/using/h...iddenfiles.mspx

From BleepingComputer:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

From Symantec:
http://service1.symantec.com/SUPPORT/tsgen...002092715262339

Please make sure you are viewing the instructions for your Operating System: Platform: Windows XP SP1 (WinNT 5.01.2600)

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#8 pskelley

  • Staff Emeritus

Posted 11 April 2006 - 05:58 PM

There has been no response to this topic in a week.
This topic is closed.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
