
Hijackthis Log: Please Help Diagnose

#1 mimmo (Members, 3 posts)

Posted 21 April 2006 - 11:30 AM

Please verify this log, I'm affected by Gaelicum.


Logfile of HijackThis v1.99.1
Scan saved at 18.14.50, on 21/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\WINDOWS\system32\tp4mon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.13.246:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll
O4 - HKLM\..\Run: [HP Lamp] "C:\Programmi\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Epson Status_monitor_mio] C:\driverepson\Win2000XP\SETUP\E_SCHK02.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Cerca con Google - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Traduci parola in italiano - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Link a ritroso - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pagine simili - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .tif: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145130709205
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E824EB2-FF80-4764-A1E4-06B3D7537411}: NameServer = 193.70.192.25,193.70.152.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E824EB2-FF80-4764-A1E4-06B3D7537411}: NameServer = 193.70.192.25,193.70.152.25
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe


#2 pskelley (Staff Emeritus, 1,487 posts)

Posted 29 April 2006 - 07:31 PM

Hello and welcome to the forum. I see no evidence of this worm in the HJT log. What program told you it was there? Did it tell you the name and pathway of the worm? If AVG identified it, it should have been able to remove it. Here is the worm:
http://www.bleepingcomputer.com/startups/G....EXE-11223.html

If it is there and AVG (updated) can't remove it, they also offer a tool to remove it with, look here:
http://www.grisoft.com/doc/112/lng/us/tpl/tpl01
Download the remover vcleaner.exe. Restart your computer in Safe mode and run the remover on the infected computer. The Vcleaner removal utility will detect and remove the following viruses:
and that item is on the list: Win32/Gaelicum

Let me know how it goes, I don't need a new HJT log since it is not showing the worm.

Thanks...pskelley
BleepingComputer

Edited by pskelley, 29 April 2006 - 07:32 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
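
A small triage helper for reading a log like the one posted above, added here as an example (it is not part of the thread and not a HijackThis or BleepingComputer tool): it splits the log into its R/O entries and flags the ones a reviewer would look at first. The sample lines are copied from the posted log; in that log the R1 proxy is a private address and the unnamed O2 BHO is Spybot's SDHelper.dll, so the flags are review prompts, not verdicts.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.13.246:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
RUNKEY_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def executable_of(cmd):
    """First token of a Run-key command line, honouring a double-quoted path."""
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def review(entries):
    """Return (section, reason, body) for entries a log reviewer should check first.
    These are triage heuristics, not verdicts: each hit still needs a human decision."""
    findings = []
    for section, body in entries:
        if section == "R1" and "ProxyServer" in body:
            findings.append((section, "IE proxy is set; confirm it is the network's own proxy", body))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append((section, "BHO has no display name; identify it by CLSID and file", body))
        elif section == "O4":
            m = RUNKEY_RE.match(body)
            if m and "\\" not in executable_of(m.group("cmd")):
                findings.append((section, "autorun names a bare file with no directory; confirm which copy runs", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in review(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```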

#3 mimmo (Topic Starter, Members, 3 posts)

Posted 02 May 2006 - 03:10 AM

If it is there and AVG (updated) can't remove it, they also offer a tool to remove it with, look here:
http://www.grisoft.com/doc/112/lng/us/tpl/tpl01
Download the remover vcleaner.exe. Restart your computer in Safe mode and run the remover on the infected computer. The Vcleaner removal utility will detect and remove the following viruses:
and that item is on the list: Win32/Gaelicum

Let me know how it goes, I don't need a new HJT log since it is not showing the worm.


That's OK. After vcleaner, the worm was instead in the "ripristino configurazione di sistema" directory.
I disabled "ripristino", ran vcleaner, and then enabled "ripristino".
The antivirus is AVG and it didn't remove Gaelicum.

Thanks :thumbsup:

#4 pskelley (Staff Emeritus, 1,487 posts)

Posted 02 May 2006 - 04:01 AM

Hello mimmo. Is this Spanish? Italian? What does it mean?

"ripristino configurazione di sistema" directory
I have disabled "ripristino", run vcleaner, and then enabled "ripristino"
Antivirus is AVG and it didn't remove Gaelicum

System Restore? Disabled System Restore, run vcleaner and enabled System Restore?

All is well now with your computer? If so, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks

Thanks...pskelley
BleepingComputer

#5 mimmo (Topic Starter, Members, 3 posts)

Posted 02 May 2006 - 04:08 AM

System Restore? Disabled System Restore, run vcleaner and enabled System Restore?


You've understood correctly.
I apologize, it was Italian.

Thanks

#6 pskelley (Staff Emeritus, 1,487 posts)

Posted 02 May 2006 - 04:10 AM

Thank you and safe surfing :thumbsup: