Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Several problems

Started by miet , Nov 29 2004 04:24 AM

  • Please log in to reply

#1
miet
Posted 29 November 2004 - 04:24 AM

miet

    Member

  • Member
  • PipPip
  • 14 posts
Hello I've got several problems with my computer. That's why I'm posting my HijackThis Log here. I hope someone can help me.

Another problem that I have is salm.exe. I removed a few files, folders, regkeys concerning salm.exe. But now I getting dialog boxes asking me to reinstall Search Assistent Manager.

HijackThis Log

Logfile of HijackThis v1.98.2
Scan saved at 11:23:20, on 29/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\386.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
C:\Program Files\USB ADSL\CnxDslTb.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Windows AdTools\WinAdTools.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\Program Files\Windows AdTools\WinRatchet.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\wuamgrder.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\RegScrubXP\RegScrubXP.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Miet\Mijn documenten\Install\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.impro-noevoo.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/5me...6.2.0137&OS=Win
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\USB ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [Win32 USB2.0 Driver] 386.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Automatic Update] wuamgrder.exe
O4 - HKLM\..\RunServices: [Win32 USB2.0 Driver] 386.exe
O4 - HKLM\..\RunServices: [Windows Automatic Update] wuamgrder.exe
O4 - HKLM\..\RunOnce: [Win32 USB2.0 Driver] 386.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Win32 USB2.0 Driver] 386.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [Win32 USB2.0 Driver] 386.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Web-registratie.lnk = C:\WINDOWS\winhlp32.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail.hogelimb.be/iNotes6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3967247F-ADD5-42B5-B1CA-6E633595F708}: NameServer = 62.58.94.130 62.58.62.132
  • 0

Advertisements

#2
Metallica
Posted 29 November 2004 - 06:43 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL

O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [Win32 USB2.0 Driver] 386.exe

O4 - HKLM\..\Run: [Windows Automatic Update] wuamgrder.exe
O4 - HKLM\..\RunServices: [Win32 USB2.0 Driver] 386.exe
O4 - HKLM\..\RunServices: [Windows Automatic Update] wuamgrder.exe
O4 - HKLM\..\RunOnce: [Win32 USB2.0 Driver] 386.exe

O4 - HKCU\..\Run: [Win32 USB2.0 Driver] 386.exe

O4 - HKCU\..\RunOnce: [Win32 USB2.0 Driver] 386.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

Reboot after doing so, preferably Reboot into safe mode
and delete:
C:\Program Files\Web_Rebates <= entire folder
C:\WINDOWS\System32\386.exe <= http://sarc.com/avce...2.ircbot.d.html
C:\Program Files\Windows AdControl <= entire folder
C:\Program Files\Windows AdTools <= entire folder

Then boot normally and dod a Find Files for:
wuamgrder.exe
Please let me know if and where you find it and if you do, upload it to
http://www.kaspersky.com/scanforvirus
Let me know the results.

Regards,

Pieter
  • 0

#3
miet
Posted 29 November 2004 - 10:12 AM

miet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello,

Thanks for your help. A lot of my problems are solved. Only wuamgrder.exe still exist although I cannot find the file on my computer. If I scan my computer with f-secure online scanner wuamgrder.exe is found in de c:\windows\system32 directory but when I look in that folder I cannot find the file. Strange!?! I have also searched on the complete hard disk. No result.

Greets,
Miet
  • 0

#4
Metallica
Posted 29 November 2004 - 12:52 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you try again after doing this.

Regards,

Pieter
  • 0

#5
miet
Posted 29 November 2004 - 02:27 PM

miet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Yes!!! Found!

Here's what Kaspersky says about it:

Scanned file: wuamgrder.exe

wuamgrder.exe - packed with Morphine
wuamgrder.exe - packed with Exe32Pack
wuamgrder.exe - infected by Backdoor.Win32.Rbot.gen


Statistics:
Known viruses: 110033 Updated: 29-11-2004
File size (Kb): 182 Virus bodies: 1
Files: 3 Warnings: 0
Archives: 0 Suspicious: 0

Now I am going to reboot in Save mode en remove the [edit langauage]!

Thx again.

BTW: Is Pieter een Nederlandse/Vlaamse naam?

Groetjes,
Miet

Edited by admin, 30 November 2004 - 01:31 PM.

  • 0

#6
Metallica
Posted 29 November 2004 - 02:36 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Hoi Miet,

Nederlands in my case.

Were you able to delete wuamgrder.exe ?
Or do you need help to get rid of that double-packed piece of ahum malware?

Groetjes,

Pieter
  • 0

#7
miet
Posted 30 November 2004 - 04:15 AM

miet

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello,

The [edited langauge] is gone! I could delete it in Save Mode.

Thx for your help,
Groetjes,
Miet from Flanders

admin: this is a family forum accessible by all, kindly watch the language. <_<

Edited by admin, 30 November 2004 - 01:32 PM.

  • 0

#8
Metallica
Posted 30 November 2004 - 12:43 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Excellent work. <_<

Regards,

Pieter
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP