Infected W/virusburst And ?


  • This topic is locked
2 replies to this topic

#1 jdt17

  • Members
  • 1 posts

Posted 05 September 2006 - 09:45 AM

I attempted the Automatic Removal and the following task from RogueScanFix:

Task:
===================================================
Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{7fa55359-7223-410f-bc82-efb3e3ded07f}"="died"


sharedtaskkey: 7fa55359-7223-410f-bc82-efb3e3ded07f
---------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7fa55359-7223-410f-bc82-efb3e3ded07f}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7fa55359-7223-410f-bc82-efb3e3ded07f}\InProcServer32]
@="C:\\WINDOWS\\system32\\gtpbx.dll"
"ThreadingModel"="Apartment"
Hijack This:
===================================================
Logfile of HijackThis v1.99.1
Scan saved at 10:41:50 AM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\PCODEC\pmsngr.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PCODEC\pmmon.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\explorer.exe
D:\Programs\Firefox\firefox.exe
C:\Documents and Settings\Dad.THE-KWE0RHTPQ49\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\PCODEC\isaddon.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: Protection Bar - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - C:\Program Files\PCODEC\iesplugin.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - https://vapwda.ops.placeware.com/etc/place/...quicksilver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157245928530
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157246137741
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: died - {7fa55359-7223-410f-bc82-efb3e3ded07f} - C:\WINDOWS\system32\gtpbx.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe


What should I do now?

Thanks for your help!


#2 waterfalls

    Malware Exorcist

  • Staff Emeritus
  • 621 posts

Posted 05 September 2006 - 01:41 PM

Hi,

Please follow the following instructions in the order given. You will need to print or copy these directions because you will be working in Safe Mode without an Internet connection.

Download smitRem and save the file to your Desktop.
Double-click it and choose install. This will create a new folder on your desktop with the name smitrem.
Do NOT run it yet!

Reboot into SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\PCODEC\isaddon.dll
O3 - Toolbar: Protection Bar - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - C:\Program Files\PCODEC\iesplugin.dll
O21 - SSODL: died - {7fa55359-7223-410f-bc82-efb3e3ded07f} - C:\WINDOWS\system32\gtpbx.dll


Close ALL browsers and open windows/programs except HijackThis and click 'Fix Checked'. Then exit HijackThis.

Navigate to and delete the following folder if present:
C:\Program Files\PCODEC

Open the smitRem folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Reboot into Normal Mode.

Post back with the contents of smitfiles.txt which is present on your C:\ drive and a new HijackThis log.
Take only memories, leave nothing but footprints.
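As an added example (not part of the thread, and not code from RogueScanFix, smitRem or HijackThis), the following Python script parses the SharedTaskScheduler export posted above in its REGEDIT4 form and reports every CLSID that is not on an allowlist, resolved to the DLL its InProcServer32 key loads. The allowlist of the two stock Windows entries is an assumption, and the sample export is a constructed copy of the one in the first post.

```python
# Constructed sample copied from the RogueScanFix export in the thread above
# (REGEDIT4 format); the "died" entry is the one the reply tells the poster to fix.
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{7fa55359-7223-410f-bc82-efb3e3ded07f}"="died"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7fa55359-7223-410f-bc82-efb3e3ded07f}\InProcServer32]
@="C:\\WINDOWS\\system32\\gtpbx.dll"
"ThreadingModel"="Apartment"
"""

# Assumed allowlist: the two SharedTaskScheduler CLSIDs a stock Windows XP install registers.
KNOWN_GOOD = {
    "438755C2-A8BA-11D1-B96B-00A0C90312E1",
    "8C7461EF-2B13-11D2-BE35-3078302C2030",
}

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a REGEDIT4 text export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # '@' is the key's default value; .reg files escape backslashes in string data
            name = "@" if name == "@" else name.strip('"')
            data = data.strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def suspicious_shared_tasks(text):
    """SharedTaskScheduler CLSIDs not on the allowlist, with the DLL their InProcServer32 loads."""
    keys = parse_reg_export(text)
    sts = next((v for k, v in keys.items()
                if k.endswith("\\SharedTaskScheduler")), {})
    findings = []
    for braced, label in sts.items():
        clsid = braced.strip("{}").upper()
        if clsid in KNOWN_GOOD:
            continue
        dll = next((v.get("@") for k, v in keys.items()
                    if clsid in k.upper() and k.endswith("\\InProcServer32")), None)
        findings.append((clsid, label, dll))
    return findings
```

Running `suspicious_shared_tasks(REG_EXPORT)` returns the single unknown entry with its label and DLL path; a CLSID whose InProcServer32 key is missing from the export comes back with `None` as the path, which itself is worth a closer look.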


#3 waterfalls

    Malware Exorcist

  • Staff Emeritus
  • 621 posts

Posted 11 September 2006 - 07:37 PM

Due to a lack of response ... this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a new topic.
Take only memories, leave nothing but footprints.
