TheTechGuide Forum
General Category => Tech Clinic => Topic started by: NDZ on July 16, 2006, 01:28:15 PM
-
Hi. When I scan my computer with Ad-Aware, it finds the worm Win32.P2p-Worm.Alcan.a. I need help removing this worm as my scanner won't remove it. I got a trojan too, Gaobot, but I was able to remove this. For some reason I can no longer download things from IE Explorer or Firefox. Installing things doesn't work either. I've got a laptop if there is any need to download programs to remove this worm. I'm not an expert when it comes to this, so I will need some easy instructions.
-
From my signature below, download and save to a permanent folder of its own on the infected computer's hard drive
Hijackthis 1.99.1
Open Hijackthis.exe
Do a "SCAN and Save a Log file"
A log will open in Notepad
Copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important
-
Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 21:01:52, on 16.07.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\Programfiler\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Programfiler\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\Microsoft IntelliType Pro\type32.exe
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\Programfiler\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\D-Link\AirPlus G\AirGCFG.exe
C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
D:\programmer\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Fellesfiler\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Hijack\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.sol.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.sol.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.sol.no
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Programfiler\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Programfiler\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [type32] "C:\Programfiler\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Programfiler\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Programfiler\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [WinampAgent] D:\programmer\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.flyordie.com/pub/dl/msjavx86.exe (http://\"http://www.flyordie.com/pub/dl/msjavx86.exe\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp09.photoprintit.de/microsite/502...geUploader3.cab (http://\"http://asp09.photoprintit.de/microsite/5026/defaults/activex/ImageUploader3.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{189E7FFE-FB9C-4E0B-95E5-2AAFC0BA21CE}: NameServer = 193.213.112.4,130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{54DD220D-47FA-4456-92E2-62BFEEA77D7C}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
-
You cut off the whole bottom part of the hijackthis log
I need you to do the following
"Do a fresh SCAN and Save a Log file"
A log will open in Notepad
To copy and paste the Whole log
You can use these steps
In the Hijackthis log>>Click EDIT at the top
and then SELECT ALL
Then EDIT and select COPY
Come back here and PASTE to your reply
-
Fixed now
-
Try the following
Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to the desktop of the computer offline.
- Right click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to, click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:) or whatever your primary drive is
- Click "Make New Folder"
- Type in BFU
- Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcan worm remover.
Save it, then transfer to the same folder you made earlier (c:\BFU).
Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.
Once in safe mode
Go to Start > My Computer and navigate to the C:\BFU folder.
- Start the Brute Force Uninstaller by double-clicking BFU.exe
- Next to the "scriptline to execute" field click the folder icon and select alcanshorty.bfu
- Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
- Wait for the complete script execution box to pop up and press OK.
- Press exit to terminate the BFU program.
Reboot back to Normal mode
Post a fresh hijackthis log
I got a trojan too, Gaobot, but I was able to remove this
How did you remove Gaobot, was it a file you deleted?
Give the name of the file if you remember please
-
Logfile of HijackThis v1.99.1
Scan saved at 00:44:22, on 17.07.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\Programfiler\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Programfiler\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\Microsoft IntelliType Pro\type32.exe
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\Programfiler\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\D-Link\AirPlus G\AirGCFG.exe
C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
D:\programmer\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Fellesfiler\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijack\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.sol.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.sol.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.sol.no
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Programfiler\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Programfiler\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [type32] "C:\Programfiler\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Programfiler\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Programfiler\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [WinampAgent] D:\programmer\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.flyordie.com/pub/dl/msjavx86.exe (http://\"http://www.flyordie.com/pub/dl/msjavx86.exe\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp09.photoprintit.de/microsite/502...geUploader3.cab (http://\"http://asp09.photoprintit.de/microsite/5026/defaults/activex/ImageUploader3.cab\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{189E7FFE-FB9C-4E0B-95E5-2AAFC0BA21CE}: NameServer = 193.213.112.4,130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{54DD220D-47FA-4456-92E2-62BFEEA77D7C}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
I removed Gaobot by using XoftSpy. Yes, I think it was a file. I don't remember the name other than Gaobot.
-
Can you open Hijackthis>>Open Misc tools section>>Open Hosts file manager
Click the OPEN IN NOTEPAD button
A text file will open in notepad
Copy>>Paste back the whole contents please
Are you able to download and install with the computer yet?
If you can do the following also
Download, install, and update Ewido anti-spyware (http://www.ewido.net/en/download/)
- Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Close Ewido. Do not run it yet.
-
Can you download and install and update Ewido as suggested in my last post please
Also, download and install Windows CleanUp! 4.5.2 (http://www.stevengould.org/downloads/cleanup/CleanUp452.exe)
CleanUp! attempts to delete files from various temporary directories (including download directories/caches), as well as emptying the Recycle Bins.
If you make a habit of saving files that you wish to keep in any of these places, they will be deleted when CleanUp! is run.
Please move them to a different location before we run this tool if the above is true
Note: It is generally considered poor practice to use temporary folders or the Recycle Bin to store files you intend to keep.
Please do the following
Open CleanUp! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done>>Click Close
DECLINE to Log off or Restart the computer
NOTE: The first time you run CleanUp! it may prompt to run in Demonstration mode
Deny this, we want to run the actual cleanup!!
Ewido Scan - Then run Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
- Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
- Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Do a "System scan only" with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.flyordie.com/pub/dl/msjavx86.exe (http://\"http://www.flyordie.com/pub/dl/msjavx86.exe\")
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab (http://\"http://www.popcap.com/games/popcaploader_v6.cab\")
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer
Back in Windows
Post back the following please
1. Run Hijackthis again and post back a fresh log
2. Post the whole report from Ewido's
Also, let me know all the following
Do you have your own Anti-Virus software to install, or do you need a free solution?
Let me know please, It's not wise being without a good AV
What version of Firefox are you running?
Do you have both Spybot 1.4 and Ad-Aware SE Personal 1.06 installed? EDIT>>I see you have Ad-Aware
Is it updated?
Let me know, I can supply links for you to ensure you get the right program
-
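The triage the helper does by hand above (ticking the orphaned O2 entry and the O16 DPF controls, then asking for a fresh log after each step) as a small Python script. This is an added example, not code from the thread or from HijackThis; the two log excerpts are constructed from entries posted in this thread, and the finding categories are my own.

```python
"""Triage helper for HijackThis 1.99.1 logs.

Added example, not part of the thread or of HijackThis itself. It parses the
'Rn - ' / 'On - ' entry lines of a log, flags the classes of entries the helper
in the thread asks to fix (orphaned BHO/button entries, O16 ActiveX downloads)
or to keep an eye on (O17 name servers, O20 Winlogon Notify), and diffs two
logs so a "fresh log" can be compared with the previous one.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Entries = Dict[str, List[str]]
Finding = Tuple[str, str, str]  # (kind, section code, entry body)

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[\d.,\s]+)$")

# Markers HijackThis prints when the referenced file no longer exists.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Sections whose entries point at a loadable file or registered handler.
ORPHAN_SECTIONS = {"O2", "O3", "O9", "O18", "O20", "O23"}

# Constructed excerpt of the second log posted in the thread (before the fix).
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://www.flyordie.com/pub/dl/msjavx86.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{189E7FFE-FB9C-4E0B-95E5-2AAFC0BA21CE}: NameServer = 193.213.112.4,130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{54DD220D-47FA-4456-92E2-62BFEEA77D7C}: NameServer = 192.168.0.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed excerpt of the third log (after "Fix checked" and installing Ewido).
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Programfiler\ewido anti-spyware 4.0\ewido.exe" /minimized
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{189E7FFE-FB9C-4E0B-95E5-2AAFC0BA21CE}: NameServer = 193.213.112.4,130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{54DD220D-47FA-4456-92E2-62BFEEA77D7C}: NameServer = 192.168.0.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def parse_log(text: str) -> Entries:
    """Map each section code (R0, O2, O16, ...) to the bodies of its entries.

    Header lines and the 'Running processes' path list do not match ENTRY_RE
    and are skipped.
    """
    entries: Entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m.group("code"), []).append(m.group("body"))
    return entries


def triage(entries: Entries) -> List[Finding]:
    """Flag the entry classes a reviewer looks at first.

    orphaned         -> registered component whose file is gone (safe to fix)
    activex-download -> O16 DPF control installed from a web site (review source)
    external-dns     -> O17 name server outside private address space (verify ISP)
    winlogon-notify  -> O20 DLL loaded by winlogon (verify publisher)
    """
    findings: List[Finding] = []
    for code, bodies in entries.items():
        for body in bodies:
            if code in ORPHAN_SECTIONS and any(mk in body for mk in ORPHAN_MARKERS):
                findings.append(("orphaned", code, body))
            elif code == "O16":
                findings.append(("activex-download", code, body))
            elif code == "O17":
                m = NAMESERVER_RE.search(body)
                ips = [ip.strip() for ip in m.group("ips").split(",")] if m else []
                external = [ip for ip in ips if not ipaddress.ip_address(ip).is_private]
                if external:
                    findings.append(("external-dns", code, ", ".join(external)))
            elif code == "O20":
                findings.append(("winlogon-notify", code, body))
    return findings


def diff_logs(old: Entries, new: Entries) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return (removed, added) entries between two parsed logs as (code, body) pairs."""
    old_set = {(c, b) for c, bs in old.items() for b in bs}
    new_set = {(c, b) for c, bs in new.items() for b in bs}
    return sorted(old_set - new_set), sorted(new_set - old_set)


if __name__ == "__main__":
    for kind, code, body in triage(parse_log(LOG_BEFORE)):
        print(f"{kind:17} {code:4} {body}")
    removed, added = diff_logs(parse_log(LOG_BEFORE), parse_log(LOG_AFTER))
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```

Running it on the two excerpts lists the orphaned O2 and O9 entries, both O16 controls, the non-private O17 name servers and the O20 DLL, and the diff shows the three entries that disappeared after "Fix checked" plus the Ewido Run entry that appeared.
-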
At the moment I'm running Ewido and it has found a worm that none of my other scanners have. It's called Worm.VB.an
Logs from ewido and hijack coming soon
-
Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 02:59:26, on 17.07.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\ewido anti-spyware 4.0\guard.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\Programfiler\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Programfiler\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\Microsoft IntelliType Pro\type32.exe
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\Programfiler\Dell Photo AIO Printer 962\dlbxmon.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Programfiler\D-Link\AirPlus G\AirGCFG.exe
C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programfiler\Fellesfiler\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\devldr32.exe
C:\Hijack\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.sol.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.sol.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.sol.no
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Programfiler\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Programfiler\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [type32] "C:\Programfiler\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Programfiler\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Programfiler\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [WinampAgent] D:\programmer\Winamp\winampa.exe
O4 - HKLM\..\Run: [!ewido] "C:\Programfiler\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp09.photoprintit.de/microsite/502...geUploader3.cab (http://\"http://asp09.photoprintit.de/microsite/5026/defaults/activex/ImageUploader3.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{189E7FFE-FB9C-4E0B-95E5-2AAFC0BA21CE}: NameServer = 193.213.112.4,130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{54DD220D-47FA-4456-92E2-62BFEEA77D7C}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programfiler\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
-
With all the cookies found with Ewido
I suspect that you didn't run CleanUp! 4.5.2 the way I suggested
Please read ALL Instructions I post so I don't have to repeat myself
As mentioned, the first time you run CleanUp! it may prompt to run in Demonstration mode
If you did run in demonstration mode I still want you to run the actual CleanUp mode
Don't post back any entries from the ewido report that are related to cookies please
But post back everything else
-
I did do the CleanUp! the right way you said to.
-
CleanUp! will clean all cookies in Firefox
Can you post the remainder of the Ewido report excluding cookies please
-
Many of these things I've never had on my computer...
Not to worry, it's not you that was downloading those files, but a worm you had on your computer
I suggest that you still do the following
Access your add/remove programs and remove older updates and versions of Java
This includes
J2SE Runtime Environment 5.0 Update 2
We'll update this in a bit
Open Firefox>>Click on TOOLS>>OPTIONS
Under Cookies tab, Clear all cookies
Run CleanUp! again
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done>>Click Close
DECLINE to Log off or Restart the computer
Open Hijackthis>>Open Misc tools section>>Open "Delete File On Reboot" section
In the file name field, Copy>>Paste the next bold line below
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Then hit the OPEN button
Hijackthis should prompt that the file will be deleted on reboot
Allow the computer to reboot
Back in Windows
Access the following link to update to the latest version of Java
http://www.java.com/en/download/manual.jsp
I suggest downloading the Windows Offline installer
Save to desktop, once installed you can delete the installer
Also, let me know all the following
Do you have your own Anti-Virus software to install, or do you need a free solution?
Let me know please, It's not wise being without a good AV
What version of Firefox are you running?
Do you have both Spybot 1.4 and Ad-Aware SE Personal 1.06 installed? EDIT>>I see you have Ad-Aware
Is it updated?
Let me know, I can supply links for you to ensure you get the right program
Instead of repeating myself, I just quoted
I see no Anti-Virus software on your computer
I highly recommend you install one of the following free AV's
AVG 7 by Grisoft (http://free.grisoft.com/doc/2/lng/us/tpl/v5)
Avast Home Edition by ALWIL (http://www.avast.com/eng/down_home.html)
Avira AntiVir Personal Edition Classic (http://www.free-av.com/antivirus/allinonen.html)
ONLY install one, more than one can cause conflicts and operating system instabilities
Once your new AV is installed, ensure it is updated and run a complete system scan
Let it fix whatever it finds
reboot the computer afterwards
Come back here and post a fresh hijackthis log
And please answer the following
What version of Firefox are you running?
Do you have both Spybot 1.4 and Ad-Aware SE Personal 1.06 installed? EDIT>>I see you have Ad-Aware
Is it updated?
Let me know, I can supply links for you to ensure you get the right program
-
I do the "clear all cookies" but I can't click OK. So I have to click Cancel. This happened when I got the worm, because before I could click OK in this window.
-
I understand now why cleanup may not have cleaned those cookies then
It may be corrupt
Please do all the following that I posted in my last reply
Exclude cleaning cookies if you still can't
Post back the new hijackthis log
Let me know if you're still experiencing problems with Firefox afterwards
-
I scanned my computer with AV but it didn't find anything.
Here's the Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 05:55:57, on 17.07.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\Programfiler\ewido anti-spyware 4.0\guard.exe
C:\Programfiler\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Programfiler\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\Microsoft IntelliType Pro\type32.exe
C:\Programfiler\Microsoft IntelliPoint\point32.exe
C:\Programfiler\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\D-Link\AirPlus G\AirGCFG.exe
C:\WINDOWS\system32\pctspk.exe
C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Programfiler\ewido anti-spyware 4.0\ewido.exe
C:\Programfiler\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Fellesfiler\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\Fellesfiler\Teleca Shared\Generic.exe
C:\Programfiler\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\devldr32.exe
C:\Hijack\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.sol.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.sol.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.sol.no
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programfiler\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programfiler\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Programfiler\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Programfiler\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [type32] "C:\Programfiler\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programfiler\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [dlbxmon.exe] "C:\Programfiler\Dell Photo AIO Printer 962\dlbxmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Programfiler\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programfiler\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programfiler\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [!ewido] "C:\Programfiler\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\programfiler\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programfiler\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programfiler\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programfiler\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programfiler\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programfiler\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp09.photoprintit.de/microsite/502...geUploader3.cab (http://\"http://asp09.photoprintit.de/microsite/5026/defaults/activex/ImageUploader3.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{189E7FFE-FB9C-4E0B-95E5-2AAFC0BA21CE}: NameServer = 193.213.112.4,130.67.15.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{54DD220D-47FA-4456-92E2-62BFEEA77D7C}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programfiler\Fellesfiler\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programfiler\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
-------------------------------------
I did post what version I have of Firefox and Ad-Aware, but the post with all the cookies was too long so this didn't show up. So here it is:
FireFox Version: 1.5.0.4
Ad-Aware Version: Ad-Aware SE Personal, Build 1,06r1
XoftSpy Version: v4.22
Firefox was working normal before the computer got the worms.. I still have problems with firefox and here is a message i get when i try to download something or search for something.
[attachment=955:attachment]
I have never gotten this message before
-
Can you
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Let's try to remove firefox
But first, download the installer for FireFox Version: 1.5.0.4
From here and save it to desktop, don't install it yet
http://www.mozilla.com/firefox/all.html
Open Firefox you have installed right now and click on Bookmarks>>Manage Bookmarks
Click on FILE>>EXPORT
Save the html file somewhere you will remember, like the MyDocuments folder
If you have any other user accounts on this computer that use firefox, export their bookmarks also
Access your add/remove programs and remove Firefox 1.5.0.4
Manually navigate to and delete the following folders in bold
C:\Programfiler\Mozilla Firefox <-this folder
C:\Documents and Settings\sørbø\Application Data\Mozilla\Firefox <-this folder, you can delete the Mozilla folder if you have no other Mozilla browsers installed besides firefox
If there are any other users on the computer, including All Users
C:\Documents and Settings\<any other user account>\Application Data\Mozilla\Firefox
Open Ewido anti-malware>>Open the Infections tab>>Select all and Remove finally from computer
Run Windows CleanUp! one more time please
Reboot the computer
Try reinstalling Mozilla Firefox from the installer you saved earlier to desktop
You can import bookmarks from the file you saved earlier to MyDocuments
Let me know if that helped
Do you still have lots of free space on your harddrive?
-
looks confusing
-
That didn't work.. I get the same message again and I'm unable to click OK in the settings window. By the way, I was not able to find the "Application Data" folder on my computer. I have 15,6 GB left.
When I try to scan my computer with XoftSpy it gives me a message before the scan starts that my browser may have been hijacked. I don't know if this has anything to do with the Firefox problem... The IE browser is still working normally, and I tried to install Opera but it wouldn't let me run the browser. I get the message "Error initializing Opera"
-
I'm just on my way to work
i was not able to find the "Application Data"
You must have Show hidden files and folders selected as I posted earlier
Actually, this is the folder I most wanted to remove
I'm not sure if the folder Application Data will show as I posted
In your language it may show different, can you take another look for
the below folder
C:\Documents and Settings\sørbø\Application Data\Mozilla\Firefox <-this folder
If found, redo All the steps I posted to remove Firefox and then reinstall it
Again, Application Data folder may be under another name
Can you also remove this folder if found after uninstalling firefox
C:\Documents and Settings\sørbø\Local Settings\Application Data\Mozilla\Firefox <-folder
-
I found the folder now. Deleted it and reinstalled Firefox. Now Firefox works normally again. Now I get a problem when I try to open Outlook. It says that I don't have permission to access C:\Documents and Settings\sørbø\Lokale instillinger\Programdata\Microsoft\Outlook\Outlook.pst
-
Can you check in User Accounts in the Control Panel, are you set as Administrator on the computer?
What are you running, XP HOME or PRO?
We may have to check your permissions on your user name
C:\Documents and Settings\sørbø
If you're running HOME
Can you reboot into safe mode
Right click on C:\Documents and Settings\sørbø <-this folder
Click the Security tab
Highlight your user account
Under Permissions for sørbø
Is everything selected under ALLOW?
Excluding Special permissions
If you are running PRO
You can remain in Normal mode
Open MyComputer>>Click on TOOLS>>Folder options>>VIEW
Scroll down and uncheck "Disable simple file sharing"
apply and ok
Then check the sørbø folder
-
Yes, I am set as administrator. I run XP Pro and I did what you said. It still doesn't work. I get the same message
-
Not sure what you mean, you did what I said?
What did you do?
Navigate to
C:\Documents and Settings\sørbø <-this folder
Right click the folder and select properties
Click the Security tab
Highlight your user account
Under Permissions for sørbø
Is everything selected under ALLOW?
Excluding Special permissions
Check this folder also
C:\Documents and Settings\sørbø\Lokale instillinger\Programdata\Microsoft\Outlook
-
Everything is selected under allow.
I get a new error when I open Outlook
"Can't open standard folder for e-mail. No access to the file. No sufficient access to the file"
This isn't the same message i got yesterday, but it's the same directory
-
Even Special permissions?
-
Special permission is unchecked, I also edited my last post.
-
I'm trying to figure out what permissions got changed on your account
Can you create a new user account with Admin privileges
Here's some more info
http://support.microsoft.com/kb/811151/
Let me know if you have any problems with that
-
Outlook worked on the new account. Do you think that the worm/trojan damaged my Outlook files?
-
If you are the only account on the computer, besides the new one you just created
I would bet it would be more than just Outlook that is having problems
Try the following, of course backup important files and documents beforehand, just in case
You have the corrupt user account, the one that gives you the Outlook error
You have the new account you just created
If you have no other user accounts with admin privileges
Create one more admin account
So now you have these accounts
#1. Corrupt profile
#2. Profile you created earlier, which will be your new profile
#3. Another new profile
This is the account you will be doing the transferring from
Log off other users and sign into account #3
Then follow the instructions at this link and transfer your folders needed
http://support.microsoft.com/kb/811151/
From account #3 you want to transfer from #1 to #2
Take Note at the link, You DO NOT want to transfer
• Ntuser.dat
• Ntuser.dat.log
• Ntuser.ini
The instructions at the link also show how to transfer data from Outlook Express
I haven't used Outlook, OE is fine for my needs
Take a look at the following link to help you in backing data and settings in Outlook
http://support.microsoft.com/?kbid=287070
Log off profile #3 and log into your new profile
which will be #2
If you're happy with the way everything is running in #2, you should be able to go ahead and delete profile #3 and the corrupt user profile #1
I hope that helps
-
No need to do this. I fixed it in another way. I can now enter Outlook and it seems to work OK. What I did was to run the Inbox Repair tool. This tool found things in the files that were wrong and fixed them. I also unchecked the first box in Properties>General. You can find more information here:
http://techrepublic.com.com/5100-1035_11-1052339.html
I also scanned my computer with Kaspersky and it found two more files of the Worm.Win32.VB.an
It's the first time I use Kaspersky so I wonder what I do next...
-
Good work
I thought you were having more problems than just Outlook, I guess not
:)
Did you save the log from Kaspersky's?
Can you post it here
-
For now, I've just noticed problems with my browsers and outlook.
And here's the Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, July 20, 2006 3:32:02 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 20/07/2006
Kaspersky Anti-Virus database records: 196022
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
Scan Statistics:
Total number of scanned objects: 72170
Number of viruses found: 1
Number of infected objects: 2 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:19:00
Infected Object Name / Virus Name / Last Action \
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D6FF2B06-AC6B-43B3-AD87-98ACD5A1E68F}\RP63\A0072628.exe Infected: Worm.Win32.VB.an skipped
C:\System Volume Information\_restore{D6FF2B06-AC6B-43B3-AD87-98ACD5A1E68F}\RP64\A0073190.exe Infected: Worm.Win32.VB.an skipped
C:\System Volume Information\_restore{D6FF2B06-AC6B-43B3-AD87-98ACD5A1E68F}\RP652\change.log Object is locked skipped
Scan process completed.
Now how will I delete them from my computer? I scanned my computer with avast but it didn't find these files.
-
Those entries that Kaspersky's found are not to worry about
Those are in your system restore folders, they won't do any harm unless you restore back to the infected point
If everything is running better
We should flush all your restore points msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, go back and take the check out of "Turn off system restore"
This will re-enable the System Restore feature and create a new restore point
Protect yourself against Future Attacks
*Install SpywareBlaster 3.5.1 by JavaCool: http://www.javacoolsoftware.com/spywareblaster.html *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
*Keep up to date on Windows updates (High Priorities)
This is the most important step in keeping your system secure
Make sure you check for updates at least once a month and/or set to Autoupdate
*Make sure your Anti-Virus software is always kept up to date and actively running in the background
*Keep your Firewall protection enabled
A Firewall is also very important
This provides a line of defense against someone who might try to access your computer without your permission
+Any files you download from file sharing programs,
before opening should be scanned with your updated AntiVirus software
Right click the file and scan
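As an added example (not from the thread, and not Kaspersky's or the helper's code), a small Python triage script that applies the point made above to a scan report in the format posted: hits under System Volume Information\_restore{...}\RPnn are System Restore snapshots and are cleared by flushing the restore points, whereas anything elsewhere is a live file that still needs cleaning. The sample report is constructed from the posted lines plus one made-up live-file entry to show the other branch.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the Kaspersky Online Scanner report format posted above.
# The two _restore{...} hits and the locked objects mirror the real log; the
# Temp\example.exe line is made up to show a hit that is NOT a restore-point copy.
SAMPLE_REPORT = r"""
Number of infected objects: 3 / 0
Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D6FF2B06-AC6B-43B3-AD87-98ACD5A1E68F}\RP63\A0072628.exe Infected: Worm.Win32.VB.an skipped
C:\System Volume Information\_restore{D6FF2B06-AC6B-43B3-AD87-98ACD5A1E68F}\RP64\A0073190.exe Infected: Worm.Win32.VB.an skipped
C:\System Volume Information\_restore{D6FF2B06-AC6B-43B3-AD87-98ACD5A1E68F}\RP652\change.log Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\example.exe Infected: Worm.Win32.VB.an skipped
Scan process completed.
"""

# Report lines: "<path> Infected: <name> <action>", "<path> Object is locked <action>"
INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+(?P<action>\S+)$")
COUNT_RE = re.compile(r"^Number of infected objects:\s*(\d+)\s*/\s*(\d+)$")


def is_restore_point_copy(path: str) -> bool:
    """True when the path is a System Restore snapshot (System Volume Information/_restore{...}),
    i.e. a copy of a file kept by the restore feature, not the file that would run."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return ("system volume information" in parts
            and any(p.startswith("_restore{") for p in parts))


def recommend(live: list, snapshots: list) -> str:
    """Next step for the user, following the advice given in the thread."""
    if live:
        return "live infected files remain: clean them with an updated scanner before flushing System Restore"
    if snapshots:
        return "only restore-point copies: turn System Restore off, reboot, turn it back on to flush them"
    return "nothing infected"


def triage(report_text: str) -> dict:
    """Parse a report and sort every hit into live files vs. restore-point copies."""
    findings, locked, declared = [], [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            declared = int(m.group(1))  # the scanner's own count, to cross-check parsing
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))  # not scanned at all, not an infection
            continue
        m = INFECTED_RE.match(line)
        if m:
            path = m.group("path")
            findings.append({"path": path, "malware": m.group("name"), "action": m.group("action"),
                             "category": "restore-point copy" if is_restore_point_copy(path) else "live file"})
    live = [f for f in findings if f["category"] == "live file"]
    snapshots = [f for f in findings if f["category"] == "restore-point copy"]
    return {"declared_infected": declared, "parsed_infected": len(findings), "live": live,
            "restore_point_copies": snapshots, "locked": locked,
            "recommendation": recommend(live, snapshots)}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for f in result["live"] + result["restore_point_copies"]:
        print(f"{f['category']:19} {f['malware']:18} {f['path']}")
    print(result["recommendation"])
```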
-
Is there a good free firewall you would recommend?
-
Windows SP2 comes with a firewall that is enabled
You can ensure it's enabled by checking in the Windows Control panel
Of course, I prefer a better firewall than the one Microsoft provides
I recommend either
Sunbelt Kerio Personal Firewall: http://www.sunbelt-software.com/Kerio.cfm
Full version becomes free limited after 30 days
OR
Zone Alarm by Zonelabs: http://www.zonelabs.com/store/content/home.jsp
Free version at the link provided
You ONLY want to run one software firewall on your computer
Choose which you prefer, either will disable the SP2 firewall on installation, which is preferred when running either of the above
At the moment I'm running Sunbelt's, but you decide
-
I decided to go for the Sunbelt Kerio Firewall
:)
Looks like my computer is running fine now. I very much appreciate that you took your time to help me out with my computer problems.
Keep up the good work!
:)
-
I'll lock this topic as your problems appear resolved
Take care
:)