
kernels32 is gone but......


  • This topic is locked

#1
tom-host
  • Member
  • 11 posts
Task Manager has been disabled by the system administrator - please help me.
How can I put this ***** :mad: away? Can you help me? May I post a log from HijackThis here, or what do I have to do?

Sorry for my bad English... I'm from the Czech Republic.
#2
Guest_thatman_*
  • Guest
Hi tom-host

Welcome to geekstogo ;)

Click the HijackThis Guide in my signature, and follow the instructions in the guide.


kc :tazz:

#3
Guest_thatman_*
  • Guest
Hi tom-host ;)

Please post your HijackThis log into this topic.

kc :tazz:

#4
tom-host
  • Topic Starter
  • Member
  • 11 posts
Well, thanks.
I'm not a complete novice at removing "viruses", but I didn't find (my English isn't 100%) anything at your link that tells me about my problem. I had a kernels32.exe virus (as I wrote) and I removed it (I hope). Everything seems to be OK... well, my Bluetooth stopped working... but I just want to know where the problem is with "Task Manager", which is blocked by some "administrator". Here is the log.

Logfile of HijackThis v1.98.2
Scan saved at 12:30:00, on 21.1.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Anycom\Anycom Bluetooth USB\BTTray.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Anycom\Anycom Bluetooth USB\btsendto_explorer.exe
C:\Program Files\Microsoft Office\Office10\FRONTPG.EXE
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stáhnout položku pomocí FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Stáhnout všechny položky pomocí FlashGet - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

#5
Guest_thatman_*
  • Guest
Hi tom-host

1) You may wish to print out a copy of these instructions to follow while you complete this procedure.

2) Be sure you're able to view hidden files.

3) Please download cleanup312.
Please unzip the file but do not run it yet.

4) Ensure you have the latest version of HijackThis, which is currently 1.99.0. To get the latest version, click the HijackThis Guide in my signature.

5) Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items, then click Fix checked.


R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy


6) Please run cleanup312 now

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. ;)

kc :tazz:

#6
tom-host
  • Topic Starter
  • Member
  • 11 posts
Well, I did what you wrote step by step (twice), but I still have the same problem.
Here is the log from the new HijackThis.

Logfile of HijackThis v1.99.0
Scan saved at 15:12:59, on 22.1.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\AcroRd32.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Microsoft Office\Office10\FRONTPG.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Downloads\HijackThis2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Stáhnout položku pomocí FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Stáhnout všechny položky pomocí FlashGet - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Any ideas?

#7
Guest_thatman_*
  • Guest
Hi tom-host

Click the HijackThis Guide in my signature, and download Ad-aware.
Run Ad-aware.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Now run Ad-aware again

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. ;) :smile:

kc :tazz:

#8
tom-host
  • Topic Starter
  • Member
  • 11 posts
Yeeeaaahhh... it's working!!!

Thank you very, very, very much, man...

I think it's not the last time I'm here. Now I've got a "little bit" more experience in destroying viruses.

Thank you once again... see ya... :tazz: ;)

#9
tom-host
  • Topic Starter
  • Member
  • 11 posts
Logfile of HijackThis v1.99.0
Scan saved at 15:09:56, on 4.2.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG70\avgamsvr.exe
C:\PROGRA~1\AVG70\avgupsvc.exe
C:\AVGNET\Admin\AVGTCP~1\avgtcpsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WinRoute\winroute.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\PROGRA~1\AVG70\avgcc.exe
C:\PROGRA~1\AVG70\avgemc.exe
C:\WinRoute\WrCtrl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\outlook\OFFICE11\OUTLOOK.EXE
C:\Program Files\outlook\OFFICE11\WINWORD.EXE
C:\Program Files\wincmd\WINCMD32.EXE
Z:\Install\Antivirz\HijackThis2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.seznam.cz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasear...said=acc0001_ho
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.seznam.cz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasear...said=acc0001_ho
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1; 192.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net server
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: HomePageCtrl Class - {1B9CB0F8-118B-49C1-956D-B703E976F8E3} - C:\Program Files\STHomePage\STHomePage2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: STLinksCtrl Class - {B54BFA47-D897-49CA-9657-05EC9F80A32B} - C:\Program Files\STLinks\STLinks2.dll
O2 - BHO: STIEbarBHO Class - {D797AD6C-6447-4DB4-91D0-090344408E72} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O3 - Toolbar: 0CAT Yellow Pages - {679695BC-A811-4A9D-8CDF-BA8C795F261A} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG70\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\AVG70\avgemc.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
O4 - HKCU\..\Run: [WrCtrl] C:\WinRoute\WrCtrl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
O9 - Extra button: My button - {47FE5D70-9AA2-40F1-9C6B-12A255F085EA} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O9 - Extra 'Tools' menuitem: My menu - {47FE5D70-9AA2-40F1-9C6B-12A255F085EA} - C:\Program Files\0CAT YellowPages\STIEbar2.dll
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\outlook\OFFICE11\REFIEBAR.DLL
O16 - DPF: KB KTpro Pack - https://www.mojebank...t_pro_v1101.cab
O16 - DPF: KB SH Pack - https://www.mojebank...ars/sh_pack.cab
O16 - DPF: MIB Pack - https://www.mojebank..._pack_v1400.cab
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downlo...dtc32_EN_XP.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downlo...thv32_EN_XP.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096719572703
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.80.66.25/...sCamControl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?322
O17 - HKLM\System\CCS\Services\Tcpip\..\{22B55846-7752-4617-BBD7-3D274555DFE7}: NameServer = 81.27.192.33,81.27.192.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B2F276C-3F72-4B37-BF96-C96EEF93299A}: NameServer = 81.27.192.33,81.27.192.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{82C2A544-1EB1-4227-BDB4-D3CECD99E6C6}: NameServer = 81.27.192.33,81.27.192.97
O17 - HKLM\System\CS1\Services\Tcpip\..\{22B55846-7752-4617-BBD7-3D274555DFE7}: NameServer = 81.27.192.33,81.27.192.97
O17 - HKLM\System\CS2\Services\Tcpip\..\{22B55846-7752-4617-BBD7-3D274555DFE7}: NameServer = 81.27.192.33,81.27.192.97
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\AVG70\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\AVG70\avgupsvc.exe
O23 - Service: AVG7 TCP Server - GRISOFT, s.r.o. - C:\AVGNET\Admin\AVGTCP~1\avgtcpsv.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: WinRoute Pro 4.2 - Unknown - C:\WinRoute\winroute.exe



?????? Help

#10
Guest_thatman_*
  • Guest
Hi tom-host

Back so soon ;)

Please search your system for any files with the name TGBRFV.??

F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
The name of the bad file is TGBRFV_.

C:\WINDOWS\System32\TGBRFV_.exe
C:\WINDOWS\System32\TGBRFV_5.dll
C:\WINDOWS\System32\TGBRFV_.dll
C:\WINDOWS\System32\TGBRFV_5.exe


(1) Download the Pocket Killbox.
(2) Unzip the contents of KillBox.zip to a convenient location.
(3) Double-click on KillBox.exe.
(4) Click "Replace on Reboot" and check the "Use Dummy" box.
(5) Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\System32\TGBRFV_.exe

(6) Click the "Delete File" button which looks like a stop sign.
(7) Click "Yes" at the Replace on Reboot prompt.
(8) Click "No" at the Pending Operations prompt.
(9) Repeat steps 4-8 above for these files:

C:\WINDOWS\System32\TGBRFV_.exe

C:\WINDOWS\System32\TGBRFV_5.dll

C:\WINDOWS\System32\TGBRFV_.dll

C:\WINDOWS\System32\TGBRFV_5.exe

* Click "Replace on Reboot" and check the "Use Dummy" box.
* Paste this file into the top "Full Path of File to Delete" box.
C:\WINDOWS\System32\TGBRFV_.exe
* Click the "Delete File" button which looks like a stop sign.
* Click "Yes" at the Replace on Reboot prompt.
* Click "Yes" at the Pending Operations prompt to restart your computer.
* Double-click on find.bat and post the new output.txt.


If you would please, rescan with HijackThis and post a fresh log in this same topic,

kc :tazz:
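The checks thatman made by eye on the post #9 log are mechanical enough to script. As an added example for this thread (not code from HijackThis or from any of the posts above), the Python below walks a HijackThis log and flags the four things that mattered here: a second entry tacked onto the system.ini UserInit= value (F2), Hosts lines that point names at a non-standard loopback address such as 127.0.0.3 (O1), the same Run value planted under both HKLM and HKCU (O4, which is what prvdi.exe did), and the O17 NameServer entries, which are only reported so you can confirm they are your ISP's. The rule set, the Finding type and the NORMAL_SINKS list are my own assumptions; the sample log at the bottom is a constructed subset of lines copied from post #9.

```python
"""Triage a HijackThis log for the tricks seen in this thread.

Added example for this thread, not code from HijackThis or from the original posts.
The rule set and the Finding type are my own; the sample lines at the bottom are
copied from the log in post #9 (constructed subset, not a full log).
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str  # HijackThis section prefix, e.g. "F2", "O1", "O4", "O17"
    reason: str   # why the line was flagged
    line: str     # the log line (or Run entry) that triggered it


# Sink addresses that ordinary ad-blocking hosts files point at; anything else
# (127.0.0.3 in this thread) is worth a look. Assumed list, not from HijackThis.
NORMAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}

# "O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe"
_LINE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
_RUN = re.compile(r"(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def userinit_extras(body):
    """Return the entries in a system.ini UserInit= value other than userinit.exe.

    Winlogon runs every comma-separated entry at logon, before the shell, so
    anything besides userinit.exe (with or without a path) is a persistence hook.
    """
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e.rsplit("\\", 1)[-1].lower() != "userinit.exe"]


def hosts_redirect(body):
    """Return (address, host) if an O1 Hosts line points at a non-standard sink."""
    m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
    if m and m.group(1) not in NORMAL_SINKS:
        return m.group(1), m.group(2)
    return None


def triage(log_text):
    """Walk a HijackThis log and return the lines a helper would want to look at."""
    findings = []
    run_entries = {}  # (name, command) -> hives it was found under
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _LINE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2":
            for extra in userinit_extras(body):
                findings.append(Finding("F2", f"extra UserInit entry {extra!r} runs at every logon", line))
        elif sec == "O1":
            hit = hosts_redirect(body)
            if hit:
                findings.append(Finding("O1", f"{hit[1]} redirected to non-standard address {hit[0]}", line))
        elif sec == "O4":
            r = _RUN.search(body)
            if r:
                key = (r.group("name"), r.group("cmd").lower())
                run_entries.setdefault(key, set()).add(r.group("hive"))
        elif sec == "O17":
            servers = body.rsplit("NameServer = ", 1)[-1]
            findings.append(Finding("O17", f"DNS servers {servers}: confirm they belong to your ISP or router", line))
    # Malware commonly plants the same Run value under both HKLM and HKCU so that
    # removing one copy leaves the other; legitimate software rarely does this.
    for (name, cmd), hives in run_entries.items():
        if hives >= {"HKLM", "HKCU"}:
            findings.append(Finding("O4", f"Run entry [{name}] -> {cmd} present in both HKLM and HKCU", f"[{name}] {cmd}"))
    return findings


# Constructed sample: a handful of lines copied from the post #9 log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{22B55846-7752-4617-BBD7-3D274555DFE7}: NameServer = 81.27.192.33,81.27.192.97
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}")
```

Run it against a saved log (replace SAMPLE_LOG with the file contents) and it prints one line per finding. Note that the O17 rule only asks you to confirm the servers: the 81.27.192.x addresses in this thread are still present in the clean log in post #12, so they were the network's own DNS, not something to fix.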

#11
tom-host
  • Topic Starter
  • Member
  • 11 posts
Thank you, thank you, thank you... you're the best... Well, it's my boss's computer, so this problem is not mine... I really thank you once again... I'll do what you wrote, be sure, step by step, then I'll write what's happening... peace...

#12
tom-host
  • Topic Starter
  • Member
  • 11 posts
Here is the log...
It seems to be good now... I hope forever... Thanks once again...

Logfile of HijackThis v1.99.0
Scan saved at 12:43:49, on 6.2.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG70\avgamsvr.exe
C:\PROGRA~1\AVG70\avgupsvc.exe
C:\AVGNET\Admin\AVGTCP~1\avgtcpsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WinRoute\winroute.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\PROGRA~1\AVG70\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\AVG70\avgemc.exe
C:\WinRoute\WrCtrl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.seznam.cz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.seznam.cz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1; 192.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG70\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\AVG70\avgemc.exe
O4 - HKCU\..\Run: [WrCtrl] C:\WinRoute\WrCtrl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Zdroje informací - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\outlook\OFFICE11\REFIEBAR.DLL
O16 - DPF: KB KTpro Pack - https://www.mojebank...t_pro_v1101.cab
O16 - DPF: KB SH Pack - https://www.mojebank...ars/sh_pack.cab
O16 - DPF: MIB Pack - https://www.mojebank..._pack_v1400.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096719572703
O17 - HKLM\System\CCS\Services\Tcpip\..\{22B55846-7752-4617-BBD7-3D274555DFE7}: NameServer = 81.27.192.33,81.27.192.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B2F276C-3F72-4B37-BF96-C96EEF93299A}: NameServer = 81.27.192.33,81.27.192.97
O17 - HKLM\System\CCS\Services\Tcpip\..\{82C2A544-1EB1-4227-BDB4-D3CECD99E6C6}: NameServer = 81.27.192.33,81.27.192.97
O17 - HKLM\System\CS1\Services\Tcpip\..\{22B55846-7752-4617-BBD7-3D274555DFE7}: NameServer = 81.27.192.33,81.27.192.97
O17 - HKLM\System\CS2\Services\Tcpip\..\{22B55846-7752-4617-BBD7-3D274555DFE7}: NameServer = 81.27.192.33,81.27.192.97
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\AVG70\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\AVG70\avgupsvc.exe
O23 - Service: AVG7 TCP Server - GRISOFT, s.r.o. - C:\AVGNET\Admin\AVGTCP~1\avgtcpsv.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: WinRoute Pro 4.2 - Unknown - C:\WinRoute\winroute.exe

:tazz:

#13
Guest_thatman_*
  • Guest
Hi tom-host

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click here (http://windowsupdate.microsoft.com/) to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :thumbsup:

kc ;)

#14
tom-host
  • Topic Starter
  • Member
  • 11 posts
Wow... good... I'm testing SpywareBlaster...

But the thing is that I'm doing really nothing, and from time to time (4 times a day) a "PRVDI.EXE" file is copied into the temp directory, and my antivirus finds it as a trojan... How could it download from the net all by itself, and how can I stop it?... And is it dangerous... or what the f*** is it????

Thank you...

#15
Guest_thatman_*
  • Guest
Hi tom-host

If you would please, rescan with HijackThis and post a fresh log in this same topic,

kc :tazz: