Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

help me with this plz [CLOSED]


  • This topic is locked This topic is locked

#1
xiaoJiin

xiaoJiin

    New Member

  • Member
  • Pip
  • 1 posts
;) :help: :help: :help: :yeah: :yeah:
helooo .. my computer got the virus call Bloodhound.W32.EP in my C:\windows\system32\wininet.dll i try to delete and remove it usind norton but it failed....

Logfile of HijackThis v1.99.1
Scan saved at 10:26:24 AM, on 7/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\tpaqkmc9.exe
C:\WINDOWS\system32\combo.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ACD Systems\ACDSee\ACDSee.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 213.219.251.78 google.com
O1 - Hosts: 213.219.251.78 www.google.co.uk
O1 - Hosts: 213.219.251.78 google.co.uk
O1 - Hosts: 213.219.251.78 www.google.ca
O1 - Hosts: 213.219.251.78 google.ca
O1 - Hosts: 213.219.251.78 www.google.es
O1 - Hosts: 213.219.251.78 google.es
O1 - Hosts: 213.219.251.78 www.google.de
O1 - Hosts: 213.219.251.78 google.de
O1 - Hosts: 213.219.251.78 www.google.fr
O1 - Hosts: 213.219.251.78 google.fr
O1 - Hosts: 213.219.251.78 www.google.com.au
O1 - Hosts: 213.219.251.78 google.com.au
O1 - Hosts: 213.219.251.79 www.yahoo.com
O1 - Hosts: 213.219.251.79 yahoo.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 213.219.251.80 www.msn.com
O1 - Hosts: 213.219.251.80 msn.com
O1 - Hosts: 213.219.251.80 search.msn.com
O1 - Hosts: 213.219.251.80 www.search.msn.com
O1 - Hosts: 213.219.251.80 go.com
O1 - Hosts: 213.219.251.80 www.go.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\timon3.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll (file missing)
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\timon3.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fLMhBlG] C:\WINDOWS\aiwdopbc.exe
O4 - HKLM\..\Run: [tpaqkmc9] C:\WINDOWS\system32\tpaqkmc9.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ImageFox.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co...l/azesearch.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

this is the result after i have hijackthis.. PLZ help me !!! thanks :tazz: ;)
  • 0

Advertisements


#2
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Hello and welcome to Geeks to Go! :tazz: I'm kool808 and I will be helping you today.

I am working on your log. As soon as I made a good fix for this, I will post a reply. Thank you for your patience.
  • 0

#3
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++ N O T I C E ++++++++

This will likely be a few step process in removing the malware that has infected your system.  I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further. You have lots of complex infections but we can take them one at a time. Trust me!


++++++++ STEP 1 ++++++++

I strongly advise that you to download the following programs from another computer then transfer it to your PC.


Download the Hoster http://www.funkytoad.com/download/hoster.zip
DO NOT run the program yet.

Unzip Host to your desktop

Open up the Host program folder then double-clicking Hoster.exe.
  • Make sure that the instruction found on the upper-right corner is labeled as the one shown below. Otherwise, if the label is RED click the button just right beside it to change the label and color back.

    "Your Host file is editable. Click button to right to make your Hosts file Read-only"

  • Click back-up Host files
  • then click Restore orginal host files
  • close the program.
++++++++ STEP 2 ++++++++
1.) Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.
Do NOT run it yet.

2.) Place a shortcut to Panda ActiveScan on your desktop.

3.) Please download the trial version of Ewido Security Suite 3.5 here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

4.) If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Do NOT run the scan yet!

5.) Please download [ Spybot Search & Destroy 1.4 ].

1. Install Spybot S&D, accepting the Default Settings
2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
3. Close ALL windows except Spybot S&D
4. Click the button to ‘Search for Updates’ then download and install the Updates.
5. Once the update is complete, do NOT run the scans yet.
6. Close Spybot S&D


Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
(How to boot in Safe Mode...)

++++++++ STEP 3 ++++++++
We will now fix the remaining problems with HijackThis. Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINDOWS\timon3.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll (file missing)
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\timon3.dll

O4 - HKLM\..\Run: [fLMhBlG] C:\WINDOWS\aiwdopbc.exe
O4 - HKLM\..\Run: [tpaqkmc9] C:\WINDOWS\system32\tpaqkmc9.exe
O4 - HKLM\..\Run: [combo.exe] combo.exe
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co...l/azesearch.cab

Make sure to double check the items you have selected,then click Fix Checked.

++++++++ STEP 4 ++++++++
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

++++++++ STEP 5 ++++++++
You have a WinTools infection.
From Start -> Control Panel -> Add/Remove Programs, remove anything related to WinTools, Toolbar, or Search Toolbar. Do not reboot until the last application has been uninstalled.

++++++++ STEP 6 ++++++++
Open Ad-aware and do a full scan. Remove all it finds.

++++++++ STEP 7 ++++++++
1. Open Spybot, next click the button ‘Check for Problems'
2. When Spybot is complete, it will be showing ‘RED’ entries bold 'Black' Entries and ‘GREEN’ entries in the window
3. Make certain there is a check mark beside all of the RED entries ONLY.
4. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
5. REBOOT to complete the scan and clear memory.

++++++++ STEP 8 ++++++++
Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

++++++++ STEP 9 ++++++++
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or files(s) if they exist (in bold):
  • C:\WINDOWS\nem220.dll
  • C:\WINDOWS\timon3.dll
  • C:\WINDOWS\system32\msbe.dll
  • C:\WINDOWS\system32\iasada.dll
  • C:\WINDOWS\system32\combo.exe
  • C:\WINDOWS\aiwdopbc.exe
  • C:\WINDOWS\system32\tpaqkmc9.exe
  • C:\Program Files\[Wintools], [Search Bar], [Toolbar] <-- whole folder

    NOTE: [Wintools], [Search Bar], [Toolbar] This will depend on whatever that exist in that similar form.

Finally, Empty Recycle Bin

++++++++ STEP 10 ++++++++
Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#4
kool808

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP