My Log


9 replies to this topic

#1 Guest_Shortyaznkid_* (Guests)

Posted 15 May 2006 - 04:13 AM

Here is my HijackThis log and I need help on which to fix. Oh, and I get Websearch pop-ups, Home Search Assistant. Please and thank you.

Logfile of HijackThis v1.99.1
Scan saved at 2:10:53 AM, on 5/15/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\windows\System32\svchost.exe
C:\windows\System32\taskmgr.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\TEMP\Desktop\HijackThis.exe

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] c:\\defender19a.exe
O4 - HKLM\..\Run: [keyboard] c:\\keyboard19.exe
O4 - HKLM\..\Run: [newname] c:\\newname19.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O20 - Winlogon Notify: ShellCompatibility - C:\windows\system32\irrml5911.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Edited by Shortyaznkid, 15 May 2006 - 04:16 AM.



#2 teacup61 - Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 15 May 2006 - 02:55 PM

Hello

Welcome to Bleeping Computer :thumbsup:

Please download Brute Force Uninstaller.
Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe

In the "Scriptline to execute" field, copy and paste c:\bfu\alcanshorty.bfu
Press Execute and let it do its job.

Wait for the "Complete script execution" box to pop up and press OK.
Press Exit to terminate the BFU program.

Then please run HijackThis, click Scan, and check the following, if present:

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] c:\\defender19a.exe
O4 - HKLM\..\Run: [keyboard] c:\\keyboard19.exe
O4 - HKLM\..\Run: [newname] c:\\newname19.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: ShellCompatibility - C:\windows\system32\irrml5911.dll


Close all open windows and click Fix Checked.


Please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked


Next, delete the following files (if they exist):

C:\windows\system32\irrml5911.dll
C:\Program Files\outlook\outlook.exe <-----the legit folder is Outlook Express, so be careful and only delete this one!
C:\WINDOWS\system32\mouse_configurator.win
C:\WINDOWS\system32\winmgd.win

Reboot your computer.

Please download, install, and update the free version of Ewido Anti-Malware:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run Ewido for the first time, you might get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main Ewido screen, click on Update in the left menu, then click the Start update button.
  • After the update finishes, the status bar at the bottom will display "Update successful".
  • Click on Scanner.
  • Click on Complete System Scan and the scan will begin.
  • If Ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop.
  • Close Ewido.
In your reply, please post the log from Ewido and a new HijackThis log. Please let me know how your computer is running now.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
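The ten HijackThis entries picked out in the post above follow a small set of rules a responder applies by hand: only Explorer.exe belongs on the system.ini Shell= line, win.ini run= should be empty, an O4 autorun that is a bare file name or sits in the drive root has no legitimate install directory, an O7 policy such as DisableRegedit=1 locks the user out of their own tools, and an O20 Winlogon Notify DLL with a random-looking name in system32 is not one Windows ships. The script below is an added example written for this thread; it is not HijackThis code and not the helper's own method. It parses the relevant sections of the first log and applies those rules. The allow-list of Winlogon Notify DLLs is an assumption made for the example. Run over the first log it reproduces nine of the ten entries; the tenth, the [outlook] entry under C:\Program Files\outlook, is only caught with the knowledge the helper supplies (the real folder is Outlook Express), which is the kind of look-alike install path that rule-based triage misses.

```python
"""Rule-based triage of HijackThis v1.99.1 log lines (added example; not
HijackThis code and not the helper's own method)."""
import re
from typing import NamedTuple, Optional

# Subset of the first log posted in this thread, verbatim (raw string).
HJT_LOG = r"""
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] c:\\defender19a.exe
O4 - HKLM\..\Run: [keyboard] c:\\keyboard19.exe
O4 - HKLM\..\Run: [newname] c:\\newname19.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: ShellCompatibility - C:\windows\system32\irrml5911.dll
"""

# Assumed allow-list of Winlogon Notify DLLs that ship with Windows XP.
# An illustration for this example, not a list HijackThis maintains.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                     "sclgntfy.dll", "wlnotify.dll", "wgalogon.dll"}

LINE_RE = re.compile(r"^(F\d|O\d+)\s+-\s+(.*)$")
O4_RE = re.compile(r".*?:\s+\[[^\]]*\]\s*(.*)$")           # key: [name] command
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|pif|scr))(?:\s|$)", re.I)
ROOT_RE = re.compile(r"[A-Za-z]:\\+[^\\]+")                # c:\foo.exe, c:\\foo.exe


class Entry(NamedTuple):
    section: str   # "F0", "O4", ...
    text: str      # everything after "O4 - "
    line: str      # the original line


def parse_log(text):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), line))
    return entries


def autorun_exe(command):
    """Executable path from an O4 command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)          # unquoted paths may contain spaces
    return m.group(1) if m else (command.split()[0] if command else "")


def autorun_reason(exe) -> Optional[str]:
    if "\\" not in exe:
        return "bare file name resolved via PATH, no install directory"
    if ROOT_RE.fullmatch(exe):
        return "executable in the drive root"
    return None


def triage(entries):
    """Return (entry, reason) pairs a responder should look at."""
    flagged = []
    for e in entries:
        reason = None
        if e.section == "F0":
            # Only Explorer.exe belongs on Shell=; anything appended is a
            # second program started as the shell at every logon.
            if e.text.split("Shell=", 1)[-1].strip().lower() != "explorer.exe":
                reason = "extra program on the Shell= line"
        elif e.section == "F1":
            # win.ini run= is a 16-bit-era autostart no modern software uses.
            if e.text.split("run=", 1)[-1].strip():
                reason = "win.ini run= autostart"
        elif e.section == "O4":
            m = O4_RE.match(e.text)
            if m:
                reason = autorun_reason(autorun_exe(m.group(1)))
        elif e.section == "O7":
            # Policies such as DisableRegedit=1 lock the user out of the
            # tools needed to inspect the machine.
            m = re.search(r"(\w+)=(\d+)", e.text)
            if m and m.group(2) != "0":
                reason = "restrictive policy " + m.group(1)
        elif e.section == "O20" and "Winlogon Notify" in e.text:
            dll = e.text.rsplit(" - ", 1)[-1].rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                reason = "Winlogon Notify DLL not on the known list"
        if reason:
            flagged.append((e, reason))
    return flagged


if __name__ == "__main__":
    for entry, reason in triage(parse_log(HJT_LOG)):
        print(f"{reason:60} {entry.line}")
```

The same rules also flag the O20 line in the second log of this thread (Syncmgr - C:\windows\system32\fppm0371e.dll), which is the entry the helper later addressed with Look2Me-Destroyer.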

#3 Guest_Shortyaznkid_* (Guests)

Posted 15 May 2006 - 07:45 PM

Here you go. Oh, and I have this problem where the C:\Documents and Settings\TEMP\Shared\ folder always has zipped folders that I didn't download or get, and they show up a lot.
How do I stop it?



Logfile of HijackThis v1.99.1
Scan saved at 5:42:42 PM, on 5/15/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\AIM95\aim.exe
C:\windows\System32\taskmgr.exe
C:\windows\system32\rundll32.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\NOTEPAD.EXE
C:\Documents and Settings\TEMP\Desktop\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O20 - Winlogon Notify: Syncmgr - C:\windows\system32\fppm0371e.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

----------------------------------------------------------------------------------

C:\Documents and Settings\TEMP\Shared\Monster Hunter Freedom PSP working on 1.5!.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Monster Hunter Freedom working on 1 5.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\MUST SEE - 911 truth -- Everybody’s Gotta Learn Sometime, 911 documentary 8may2006.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\NBA Ballers Rebound PSP USA [solops2.com].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\NBA Ballers Rebound USA PSP-pSyPSP.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\New Street Law S01E02 WS PDTV XviD-RiVER [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Nintendo Power 129+ Issues (Retromags.com).zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Numb3rs S02E23 HDTV XviD-LOL [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Opie & Anthony 2006-05-12-O&A (JB-64kCF) mp3.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Partnership opportunities.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Porsche Carrera GT SULiik.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Primal Scream - Riot City Blues (2006).zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Privacy policy.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\QuickTime Pro 7.1.0.210 Multilingual.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Release 1.0.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Rig Racer 2 -Webseed- [found-on-www-bitreactor-to].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\rihanna sos music video mpeg.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Rise Of Nations Rise Of Legends Clone-UnleashedBRANDNEW + WEBSEED.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Running Scared 2006 DVDRip XviD-LiNE.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Russian Lesbians Play In Bath rar.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Scientific American No 05 May 2006 [Demonoid].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Search Cloud.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Shark Aquarium ScreensaverV2+Serial [Greenboy420].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Show all of today →.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\SiN Episode 1 Emergence BUGFIX-PROViSiON rar.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Smallville - Smallville S05E22 [HDTV] [www tensiontorrent com].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\SP-310 Makro Photos.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Spyware Removal.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Submit Software.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Terms of use.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\That 70s Show The Final Goodbye PDTV XviD-FQM [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\The Avatar - 207 - Zuko Alone avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\The Best And Most Expensive Fonts.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\The Friday Show + News - 05-12-2006 24k (Howard Stern) (-icp-).zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\The Friday Show + News - 05-12-2006 64k (Howard Stern) (-icp-).zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\The Google AdSense Handbook_WCcT.us.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\The Unit S01E08 HR HDTV AC3 5 1 XviD-CTU [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\The Unit S01E09 HR HDTV AC3 5 1 XviD-CTU [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Tiffany Amber Thiesen - Over 150 High Quality Photos.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Today on CNET.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\TV Shows.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Upload a torrent.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\US Marine Corps - Marine Corps Martial Arts pdf.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\VA-Underground Hip-Hop Volume 04-2006-OSC.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Windows Media Player 11 + Windows Key changer.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Windows Media Player 11 build 4826 Leaked.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Windows Media Player 11.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\WinPE - XP that runs directly from the CD,bakup tools,HDD mainte.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\women abused In Iraq War.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\WWE Wreckless Intent (Full Album).zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\WWE Wreckless Intent.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\X-Men 3 Spanish PC [www tensiontorrent com].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\[a f k ] Karin - 24 avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\[Kyuu] Air Gear - 06[C89ACCE5] avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\[Photos and Screen Savers] Angelina Jolie [TNTVillage.org].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\[raw] Fate stay night 19 (704x396 DivX511 120f) avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\[Shinsen-Subs] Blood+ 26 [27A185A9] avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\[Shinsen-Subs] Blood+ 27 [BA83DE20] avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\[Shinsen-Subs] Blood+ 28 [DEF628A4] avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\[Shinsen-Subs] Blood+ 29 [17539E35] avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\[Spanish Newspaper] El Pais PDF 13 05 2006.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\[yesy] Utawarerumono - 06 [E67A2B89] avi.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\graals\Practice\Ol' West\Levels\New WinRAR ZIP archive.zip/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\graals\Practice\Scripts\New WinRAR ZIP archive.zip/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\hijackthis\backups\backup-20060317-155634-197.dll -> Downloader.Zlob.ja : Cleaned with backup
C:\hijackthis\backups\backup-20060317-162125-666.dll -> Downloader.Zlob.ja : Cleaned with backup
C:\hijackthis\backups\backup-20060317-162215-496.dll -> Downloader.Zlob.ja : Cleaned with backup
C:\hijackthis\backups\backup-20060317-162606-528.dll -> Downloader.Zlob.ja : Cleaned with backup
C:\hp\drivers\printers\deskjet\assistnt\3320\enu\data\3320ENU.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\hp\drivers\printers\deskjet\assistnt\3420\enu\data\3420ENU.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\hp\drivers\printers\deskjet\assistnt\3820\enu\data\3820ENU.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\hp\drivers\printers\deskjet\assistnt\5550\enu\data\5550ENU.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\hp\drivers\printers\deskjet\assistnt\920c\enu\data\920CENU.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\hp\drivers\printers\deskjet\assistnt\940c\enu\data\940CENU.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\hp\drivers\printers\deskjet\assistnt\960c\enu\data\960CENU.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\hp\drivers\printers\deskjet\assistnt\990c\enu\data\990CENU.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\hp\EXPLOREBAR\VABOUT\EN_AU\V-EN_US.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\hp\EXPLOREBAR\VABOUT\EN_US\V-EN_US.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Packages\AdobeHelpCenter_1.0_en-us.zip/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\Adobe\Adobe Help Center\Browser\skin\standard_skin.zip/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\Adobe\Adobe Help Center\Browser\skin\windows_skin.zip/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\Adobe\Adobe Help Center\Required\help\AdobeHelpCenter_1.0_en-us.zip/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\CORE1.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\Common Files\Java\Update\Base Images\jre1.5.0.b64\CORE3.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\hp center\137903\pre-seed\HP Music Server\12\LaunchMMJB.vbs -> Worm.Gedza : Cleaned with backup
C:\Program Files\hp center\137903\Shadow\ShadowHelp\Help.hhc.zip/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\hp center\137903\Shadow\ShadowHelp\Help.hhk.zip/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\hp center\137903\Shadow\ShadowHelp\WEBHELP.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\hp center\137903\Shadow\ShadowHelp\WEBHELP0.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\HP Instant Support\plugin\bin\MOTDEUSR.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\HP Instant Support\plugin\bin\pchplugin.zip/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Program Files\outlook\v.tmp -> Worm.VB.dw : Cleaned with backup
C:\Program Files\Outlook Express\wabfind.exe -> Adware.Agent : Cleaned with backup
C:\Program Files\QuickTime\QTSystem\QTJAVA.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\Windows Media Player\NPDRMV2.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\Windows Media Player\NPDS.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\winupdates\A.ZIP/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\Program Files\winupdates\A.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\WINDOWS\java\classes\PCDRAPI.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\WINDOWS\java\Packages\BLN7DBV9.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\WINDOWS\java\Packages\GNNRDRDV.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\WINDOWS\java\Packages\JDNV1NNB.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\WINDOWS\java\Packages\JZFVFXJH.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\WINDOWS\java\Packages\RJLB1F1N.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\WINDOWS\java\Packages\U6MU5B3L.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\WINDOWS\java\Packages\ZZV7F3PF.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\WINDOWS\system32\Adobe\SVG Viewer\SVGViewer.zip/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\WINDOWS\system32\adsldpbj.dll -> Adware.CWS : Cleaned with backup
C:\WINDOWS\system32\dfrgsrv.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\FILEZIP.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\WINDOWS\system32\ginuerep.dll -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\guard.tmp -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\hta.vbs -> Worm.Gedza : Cleaned with backup
C:\WINDOWS\system32\interf.tlb -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\k244lchq1f4e.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\l2j80c1uef.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\m428lefu1h28.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\winlog.exe -> Backdoor.Rbot : Cleaned with backup


::Report End

Edited by Shortyaznkid, 15 May 2006 - 07:47 PM.
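The Ewido report above answers the question about the Shared folder better when it is grouped rather than read line by line: every archive in C:\Documents and Settings\TEMP\Shared carries the same Setup.exe member with the same detection, so the archives are the carrier and the member is the payload, and the hits under C:\hijackthis\backups are HijackThis's own backups of items fixed on an earlier date (the file names carry 20060317), not a fresh infection. The script below is an added example written for this thread, not Ewido's code; it parses report lines of the shape `<path> -> <detection> : <action>`, splits archive members off their container, and aggregates by detection name and by directory. The sample is a constructed subset of the report posted above.

```python
"""Summarise an Ewido-style scan report by detection name and location
(added example for this thread, not Ewido's code)."""
from collections import Counter
import ntpath
import re

# Constructed subset of the report posted in this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\TEMP\Shared\Partnership opportunities.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Privacy policy.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\Documents and Settings\TEMP\Shared\Windows Media Player 11.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\hijackthis\backups\backup-20060317-155634-197.dll -> Downloader.Zlob.ja : Cleaned with backup
C:\hp\EXPLOREBAR\VABOUT\EN_US\V-EN_US.ZIP/FILE.VBS -> Worm.Gedza : Cleaned with backup
C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
C:\WINDOWS\system32\guard.tmp -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\k244lchq1f4e.dll -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\winlog.exe -> Backdoor.Rbot : Cleaned with backup
::Report End
"""

LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")


def parse_report(text):
    """Return one dict per hit: container, directory, member, detection, action."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # blank lines, '::Report End', ...
        # Windows paths never contain '/', so the first one separates the
        # archive from the member Ewido found inside it.
        container, _, member = m.group("path").partition("/")
        hits.append({
            "container": container,
            "directory": ntpath.dirname(container),
            "member": member or None,
            "detection": m.group("detection"),
            "action": m.group("action"),
        })
    return hits


def summarize(hits):
    by_family = Counter(h["detection"] for h in hits)
    by_directory = Counter(h["directory"] for h in hits)
    # Several archives in one directory that all carry the same member with
    # the same detection: the archives are the carrier, the member the payload.
    carriers = Counter((h["directory"], h["member"], h["detection"])
                       for h in hits if h["member"])
    return {"by_family": by_family, "by_directory": by_directory,
            "carriers": carriers}


def report_lines(hits):
    s = summarize(hits)
    out = [f"{n:4} {fam}" for fam, n in s["by_family"].most_common()]
    out += [f"{n:4} archives in {d} contain {m} ({fam})"
            for (d, m, fam), n in s["carriers"].most_common() if n > 1]
    return out


if __name__ == "__main__":
    print("\n".join(report_lines(parse_report(SAMPLE_REPORT))))
```

On the full report the same grouping shows one directory with 62 archives all containing Setup.exe under one detection name, which is the pattern behind the zipped folders the poster asked about.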


#4 teacup61 - Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 15 May 2006 - 10:27 PM

Hello again,

Any reason why your Windows isn't up to date? You don't even have Service Pack 1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while you surf, without any problems.
Please visit http://www.microsoft.com/windowsxp/downloa...p1/network.mspx and update to Service Pack 1. Without this update, you're wide open to re-infection.
When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

Thanks,
tea

#5 teacup61 - Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 16 May 2006 - 09:59 PM

Hello again,

Please update to SP1 as soon as you can. In the meantime, stay offline as much as possible, or you'll get reinfected as fast as we get rid of them. :thumbsup:


Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message; click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer. Click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Thanks

#6 teacup61 - Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 16 May 2006 - 10:31 PM

http://www.microsoft.com/windowsxp/downloa...p1/network.mspx

This link works, so go update. :thumbsup:

#7 Guest_Shortyaznkid_* (Guests)

Posted 18 May 2006 - 07:04 PM

Here you go.

Logfile of HijackThis v1.99.1
Scan saved at 5:00:58 PM, on 5/18/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\AIM95\aim.exe
C:\windows\System32\taskmgr.exe
C:\Documents and Settings\TEMP\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

------------------------------------------------------------------------------------------------------------------------


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/18/2006 4:50:08 PM

Infected! C:\windows\system32\i6600gjme6oa0.dll
Infected! C:\WINDOWS\system32\ir24l5fq1.dll
Infected! C:\WINDOWS\system32\mltvca.dll

Attempting to delete infected files...

Attempting to delete: C:\windows\system32\i6600gjme6oa0.dll
C:\windows\system32\i6600gjme6oa0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir24l5fq1.dll
C:\WINDOWS\system32\ir24l5fq1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mltvca.dll
C:\WINDOWS\system32\mltvca.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4A45D797-9AD9-4AA1-9B3F-5F573E24F165}"
HKCR\Clsid\{4A45D797-9AD9-4AA1-9B3F-5F573E24F165}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CF2CDFA6-B73A-49BE-B43B-4A33974BF6C3}"
HKCR\Clsid\{CF2CDFA6-B73A-49BE-B43B-4A33974BF6C3}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

#8 teacup61 - Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 18 May 2006 - 07:19 PM

You didn't update to SP1.....why not? This really is necessary.

#9 Guest_Shortyaznkid_* (Guests)

Posted 18 May 2006 - 07:30 PM

Sorry, I'll update it now; I didn't see the post with the working link, but I do now :] Thx. :thumbsup:

#10 teacup61 - Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 19 May 2006 - 12:28 PM

It's all right....no need to be sorry. :thumbsup:
