Several problems



#1
miet

Hello, I've got several problems with my computer. That's why I'm posting my HijackThis log here. I hope someone can help me.

Another problem that I have is salm.exe. I removed a few files, folders and regkeys concerning salm.exe, but now I am getting dialog boxes asking me to reinstall Search Assistent Manager.

HijackThis Log

Logfile of HijackThis v1.98.2
Scan saved at 11:23:20, on 29/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\386.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
C:\Program Files\USB ADSL\CnxDslTb.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Windows AdTools\WinAdTools.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\Program Files\Windows AdTools\WinRatchet.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\wuamgrder.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\RegScrubXP\RegScrubXP.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Miet\Mijn documenten\Install\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.impro-noevoo.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/5me...6.2.0137&OS=Win
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\USB ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [Win32 USB2.0 Driver] 386.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Automatic Update] wuamgrder.exe
O4 - HKLM\..\RunServices: [Win32 USB2.0 Driver] 386.exe
O4 - HKLM\..\RunServices: [Windows Automatic Update] wuamgrder.exe
O4 - HKLM\..\RunOnce: [Win32 USB2.0 Driver] 386.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Win32 USB2.0 Driver] 386.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [Win32 USB2.0 Driver] 386.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Web-registratie.lnk = C:\WINDOWS\winhlp32.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail.hogelimb.be/iNotes6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3967247F-ADD5-42B5-B1CA-6E633595F708}: NameServer = 62.58.94.130 62.58.62.132

#2
Metallica

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL

O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [Win32 USB2.0 Driver] 386.exe

O4 - HKLM\..\Run: [Windows Automatic Update] wuamgrder.exe
O4 - HKLM\..\RunServices: [Win32 USB2.0 Driver] 386.exe
O4 - HKLM\..\RunServices: [Windows Automatic Update] wuamgrder.exe
O4 - HKLM\..\RunOnce: [Win32 USB2.0 Driver] 386.exe

O4 - HKCU\..\Run: [Win32 USB2.0 Driver] 386.exe

O4 - HKCU\..\RunOnce: [Win32 USB2.0 Driver] 386.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

Reboot after doing so, preferably reboot into safe mode,
and delete:
C:\Program Files\Web_Rebates <= entire folder
C:\WINDOWS\System32\386.exe <= http://sarc.com/avce...2.ircbot.d.html
C:\Program Files\Windows AdControl <= entire folder
C:\Program Files\Windows AdTools <= entire folder

Then boot normally and do a Find Files for:
wuamgrder.exe
Please let me know if and where you find it and if you do, upload it to
http://www.kaspersky.com/scanforvirus
Let me know the results.

Regards,

Pieter
  • 0
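
As an added example (not part of the original thread, and not the helper's stated method): a short Python triage of the O4 lines from the log in post #1 that flags any autorun value registered under more than one Run/RunServices/RunOnce key, as `386.exe` and `wuamgrder.exe` are. The function names and the two-key threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# O4 lines copied from the HijackThis log in post #1 (a subset, for brevity).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Win32 USB2.0 Driver] 386.exe
O4 - HKLM\..\Run: [Windows Automatic Update] wuamgrder.exe
O4 - HKLM\..\RunServices: [Win32 USB2.0 Driver] 386.exe
O4 - HKLM\..\RunServices: [Windows Automatic Update] wuamgrder.exe
O4 - HKLM\..\RunOnce: [Win32 USB2.0 Driver] 386.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Win32 USB2.0 Driver] 386.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [Win32 USB2.0 Driver] 386.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Registry autoruns only; "Global Startup" shortcuts use a different layout.
O4_REGISTRY = re.compile(
    r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")

def parse_o4(log_text):
    """Yield (hive, key, value name, command) per registry autorun line."""
    for line in log_text.splitlines():
        m = O4_REGISTRY.match(line.strip())
        if m:
            yield m.groups()

def is_bare_name(cmd):
    """True when the command names a file without any directory part."""
    return "\\" not in cmd

def repeated_autoruns(log_text, min_keys=2):
    """Map (value name, command) to the autorun keys holding it, when
    the same pair sits in at least min_keys keys (assumed threshold)."""
    seen = defaultdict(set)
    for hive, key, name, cmd in parse_o4(log_text):
        seen[(name, cmd.lower())].add(f"{hive}\\{key}")
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_keys}

if __name__ == "__main__":
    for (name, cmd), keys in repeated_autoruns(SAMPLE_LOG).items():
        note = "bare file name" if is_bare_name(cmd) else "full path"
        print(f"{name!r} -> {cmd} ({note}) in {len(keys)} keys: {keys}")
```

A single bare-name entry such as `[LaunchApp] Alaunch` is not reported, so the repetition across keys is what separates the two entries the helper asked to fix from the vendor autoruns in this log.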

#3
miet

Hello,

Thanks for your help. A lot of my problems are solved. Only wuamgrder.exe still exists, although I cannot find the file on my computer. If I scan my computer with the F-Secure online scanner, wuamgrder.exe is found in the c:\windows\system32 directory, but when I look in that folder I cannot find the file. Strange!?! I have also searched the complete hard disk. No result.

Greets,
Miet

#4
Metallica

Can you try again after doing this.

Regards,

Pieter

#5
miet

Yes!!! Found!

Here's what Kaspersky says about it:

Scanned file: wuamgrder.exe

wuamgrder.exe - packed with Morphine
wuamgrder.exe - packed with Exe32Pack
wuamgrder.exe - infected by Backdoor.Win32.Rbot.gen


Statistics:
Known viruses: 110033 Updated: 29-11-2004
File size (Kb): 182 Virus bodies: 1
Files: 3 Warnings: 0
Archives: 0 Suspicious: 0

Now I am going to reboot in Safe Mode and remove the [edited language]!

Thx again.

BTW: Is Pieter a Dutch/Flemish name?

Greetings,
Miet

Edited by admin, 30 November 2004 - 01:31 PM.


#6
Metallica

Hi Miet,

Dutch in my case.

Were you able to delete wuamgrder.exe ?
Or do you need help to get rid of that double-packed piece of ahum malware?

Greetings,

Pieter

#7
miet

Hello,

The [edited language] is gone! I could delete it in Safe Mode.

Thx for your help,
Greetings,
Miet from Flanders

admin: this is a family forum accessible by all, kindly watch the language. <_<

Edited by admin, 30 November 2004 - 01:32 PM.


#8
Metallica

Excellent work. <_<

Regards,

Pieter