Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

viruses

Started by royfball56 , Aug 04 2005 01:28 AM

  • Please log in to reply

#1
royfball56
Posted 04 August 2005 - 01:28 AM

royfball56

    New Member

  • Member
  • Pip
  • 2 posts
I am having a little trouble with spyware and malware on my computer. I have spent the last couple of days downlaoding and running anti-virus programs and following the instructions on your website before posting a hijack this log.
I am posting one now.
Logfile of HijackThis v1.99.1
Scan saved at 3:17:25 AM, on 8/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\mstasks.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\Kernell.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\winmsc32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lehighsports.com/
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\l4n.dll
O2 - BHO: (no name) - {FA48DF0A-64E7-3935-ED79-1DF3ED2044CC} - C:\WINDOWS\System32\lvk.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [DNS Config service] win32.exe
O4 - HKLM\..\Run: [Windows Task Scheduler] C:\mstasks.exe
O4 - HKLM\..\Run: [QMIPU]QUWK[ZY[]V] C:\WINDOWS\System32\wssoeqeydprbm.exe
O4 - HKLM\..\RunServices: [DNS Config service] win32.exe
O4 - HKLM\..\RunServices: [QMIPU]QUWK[ZY[]V] C:\WINDOWS\System32\wssoeqeydprbm.exe
O4 - HKLM\..\RunOnce: [xlrp7.exe] C:\WINDOWS\System32\xlrp7.exe /k
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: System Event Trap (Evttrp) - Cat Soft - C:\WINDOWS\Kernell.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Configuration Utility (mbot) - Unknown owner - C:\WINDOWS\winmsc32.exe
O23 - Service: Plug & Play Extender (pnpext) - Unknown owner - C:\WINDOWS\System32\smrs.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Wireless Connection Configuration (wificonf) - Unknown owner - C:\WINDOWS\mscarrt32.exe (file missing)

also in ewido, under the analysis-connections tab, i shows that there are at leat 20 remote connections that are listening. I have copied and pasted the log for that als

---------------------------------------------------------
ewido security suite - Connection report
---------------------------------------------------------

+ Created on: 3:20:16 AM, 8/4/2005
+ Report-Checksum: D86C8F3A

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3119 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3573 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3647 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3652 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3653 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3664 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3670 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3673 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3674 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3677 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3857 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3879 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3908 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3992 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3994 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3996 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3998 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3999 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4003 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4008 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4011 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4012 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4021 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4022 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4028 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4031 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6346 0.0.0.0:0 LISTENING
TCP 0.0.0.0:6748 0.0.0.0:0 LISTENING
TCP 0.0.0.0:17552 0.0.0.0:0 LISTENING
TCP 0.0.0.0:45100 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49494 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3118 0.0.0.0:0 LISTENING
TCP 127.0.0.1:43958 0.0.0.0:0 LISTENING
TCP 128.180.195.15:139 0.0.0.0:0 LISTENING
TCP 128.180.195.15:3573 209.196.229.211:6346 ESTABLISHED
TCP 128.180.195.15:3647 67.161.68.92:6348 ESTABLISHED
TCP 128.180.195.15:3652 67.118.12.73:6346 ESTABLISHED
TCP 128.180.195.15:3653 68.20.14.196:6039 ESTABLISHED
TCP 128.180.195.15:3664 66.31.48.248:6350 ESTABLISHED
TCP 128.180.195.15:3670 66.143.46.7:6346 ESTABLISHED
TCP 128.180.195.15:3673 24.137.179.207:6348 ESTABLISHED
TCP 128.180.195.15:3674 24.79.117.93:6348 ESTABLISHED
TCP 128.180.195.15:3677 68.80.69.31:6346 ESTABLISHED
TCP 128.180.195.15:3857 82.40.19.196:6348 LAST_ACK
TCP 128.180.195.15:3879 69.73.119.209:6346 ESTABLISHED
TCP 128.180.195.15:3908 24.247.85.109:6346 ESTABLISHED
TCP 128.180.195.15:3992 201.135.72.222:6346 ESTABLISHED
TCP 128.180.195.15:3994 24.15.195.99:6348 ESTABLISHED
TCP 128.180.195.15:3996 68.115.30.5:6351 ESTABLISHED
TCP 128.180.195.15:3998 67.172.234.219:6346 ESTABLISHED
TCP 128.180.195.15:3999 66.66.215.112:6346 ESTABLISHED
TCP 128.180.195.15:4003 144.137.177.173:27620 ESTABLISHED
TCP 128.180.195.15:4008 216.197.158.73:6346 ESTABLISHED
TCP 128.180.195.15:4011 207.144.6.127:6346 ESTABLISHED
TCP 128.180.195.15:4012 142.167.199.179:6346 ESTABLISHED
TCP 128.180.195.15:4013 216.196.146.184:6348 TIME_WAIT
TCP 128.180.195.15:4017 202.73.124.108:6348 TIME_WAIT
TCP 128.180.195.15:4021 24.148.34.174:6346 ESTABLISHED
TCP 128.180.195.15:4022 69.244.86.197:6348 ESTABLISHED
TCP 128.180.195.15:4027 71.96.211.103:6349 ESTABLISHED
TCP 128.180.195.15:4028 12.222.186.24:6346 ESTABLISHED
TCP 128.180.195.15:4031 169.254.31.5:80 SYN_SENT
TCP 128.180.195.15:5214 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445
UDP 0.0.0.0:500
UDP 0.0.0.0:1026
UDP 0.0.0.0:3069
UDP 0.0.0.0:3085
UDP 0.0.0.0:3089
UDP 0.0.0.0:3097
UDP 0.0.0.0:3254
UDP 0.0.0.0:5353
UDP 0.0.0.0:6346
UDP 0.0.0.0:6347
UDP 127.0.0.1:123
UDP 127.0.0.1:1900
UDP 127.0.0.1:2234
UDP 127.0.0.1:3815
UDP 128.180.195.15:123
UDP 128.180.195.15:137
UDP 128.180.195.15:138
UDP 128.180.195.15:1900
UDP 128.180.195.15:2234


There isnt as many viruses as there was before but my computer speed and internet speed is still slow. Any help or advice would be appreciated.

Royce
  • 0

Advertisements

#2
Metallica
Posted 04 August 2005 - 05:27 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Step 1

Find C:\WINDOWS\system32\drivers\etc\hosts
and rename it to hosts.bak

Step 2

*Click here and download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\mstasks.exe
C:\WINDOWS\Kernell.exe
C:\WINDOWS\winmsc32.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: WinStat - {0BAE99AF-A9F7-4f7e-9C72-2C1CC81BE0FF} - C:\WINDOWS\System32\WinStat13.dll

O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\l4n.dll
O2 - BHO: (no name) - {FA48DF0A-64E7-3935-ED79-1DF3ED2044CC} - C:\WINDOWS\System32\lvk.dll (file missing)

O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [DNS Config service] win32.exe
O4 - HKLM\..\Run: [Windows Task Scheduler] C:\mstasks.exe
O4 - HKLM\..\Run: [QMIPU]QUWK[ZY[]V] C:\WINDOWS\System32\wssoeqeydprbm.exe
O4 - HKLM\..\RunServices: [DNS Config service] win32.exe
O4 - HKLM\..\RunServices: [QMIPU]QUWK[ZY[]V] C:\WINDOWS\System32\wssoeqeydprbm.exe
O4 - HKLM\..\RunOnce: [xlrp7.exe] C:\WINDOWS\System32\xlrp7.exe /k
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: System Event Trap (Evttrp) - Cat Soft - C:\WINDOWS\Kernell.exe

O23 - Service: Configuration Utility (mbot) - Unknown owner - C:\WINDOWS\winmsc32.exe
O23 - Service: Plug & Play Extender (pnpext) - Unknown owner - C:\WINDOWS\System32\smrs.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Wireless Connection Configuration (wificonf) - Unknown owner - C:\WINDOWS\mscarrt32.exe (file missing)

Step 3

Click Start > Run type services.msc > OK
In the list of services find:
System Startup Service (SvcProc)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: SvcProc

In the list of services find:
Wireless Connection Configuration (wificonf)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: wificonf

In the list of services find:
Plug & Play Extender (pnpext)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: pnpext

In the list of services find:
Configuration Utility (mbot)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: mbot

In the list of services find:
System Event Trap (Evttrp)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: Evttrp

Boot back to normal and

Step 4

Download and install SP1 for XP and IE

Post a new log when you are done.

Regards,
  • 0

#3
royfball56
Posted 06 August 2005 - 01:35 AM

royfball56

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
i followed the directions and here is the new hijack this log
Logfile of HijackThis v1.99.1
Scan saved at 3:30:22 AM, on 8/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lehighsports.com/
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QMIPU]QUWK[ZY[]V] C:\WINDOWS\system32\pumwmoloadf.exe
O4 - HKLM\..\RunServices: [QMIPU]QUWK[ZY[]V] C:\WINDOWS\system32\pumwmoloadf.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

i also have troublew with windows installer popping up everytime i open up an internet connection
  • 0

#4
Metallica
Posted 06 August 2005 - 02:59 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
First find this file:
C:\WINDOWS\System32\drivers\etc\hosts
rightclick it and rename it to hosts.bak

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [QMIPU]QUWK[ZY[]V] C:\WINDOWS\system32\pumwmoloadf.exe
O4 - HKLM\..\RunServices: [QMIPU]QUWK[ZY[]V] C:\WINDOWS\system32\pumwmoloadf.exe

Then see if the file C:\WINDOWS\system32\pumwmoloadf.exe exists
If so, delete it.

Download and run the Windows Installer Cleanup Utility from here:
http://support.micro...kb;en-us;290301

Use that to solve the other problem.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP