Press F1 forum, thread 79994: "Infected?" started by jonboy (11457), 2007-06-08 03:21:00

Post 557155 | 2007-06-09 03:33:00 | pctek (84)
> By the way, is there any way I can save old restore points to CD so that I can reload them once all this is done?
Turning off System Restore will delete them. That's the whole point. What do you want to keep them for? You'd restore all the malware back again. Just create a new restore point after you have cleaned it out.
Post 557156 | 2007-06-21 08:38:00 | Jangos (12385)
These two are bad files. Get rid of them:
O4 - HKLM\..\Run: [oxbvpen] C:\WINDOWS\System32\gwthtis.exe
O4 - HKLM\..\Run: [udjudwq] C:\WINDOWS\System32\sybqnub.exe
Run in safe mode and run HijackThis to get rid of them.
Post 557157 | 2007-07-24 01:38:00 | turnbullm (12386)
Have the same virus. It's disabled my NOD32 virus scanner, and is stopping HijackThis from running. I tried rebooting into safe mode so I can run these programs, but the virus processes still load in safe mode! Argh! What to do??
Post 557158 | 2007-07-24 02:38:00 | FoxyMX (5)
Try MoveOnBoot (www.snapfiles.com).
Post 557159 | 2007-07-24 04:21:00 | Speedy Gonzales (78)
I have a feeling it's this (www.symantec.com). It's what affected some iPods (www.betanews.com). Here's the Symantec removal tool (securityresponse.symantec.com).
Post 557160 | 2007-07-24 06:25:00 | turnbullm (12386)
I ran MoveOnBoot which worked great - got rid of those 2 processes from starting on startup! However, the virus still has blocked access to some programs. Running nod32.exe won't work - says it can't find the file. To get 'HijackThis' to work I had to rename it to HijackThiss.exe - obviously the virus has done something to the registry? Here is the log file, if anyone has some ideas:

Logfile of HijackThis v1.99.1
Scan saved at 2:17:38 PM, on 24/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Strokeit\strokeit.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bubbles\BubbleBox.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HijackThis\HijackThiss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IE DevToolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: BubblesBHO - {FF344242-A1AF-4343-A223-FC3DA42990C8} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [Bubbles] "C:\Program Files\Bubbles\BubbleBox.exe" -startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [StrokeIt] C:\Program Files\Strokeit\strokeit.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - Startup: Macromedia Dreamweaver 8.lnk = C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
O4 - Startup: Mozilla Firefox.lnk = C:\Program Files\UltraMon\UltraMonShortcuts.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\UltraMon\UltraMonShortcuts.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bubble This URL - {A3A0268C-3146-431d-84EE-2789B750ABD2} - C:\Program Files\Bubbles\BubblesHBO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BAB8D85-DAEE-480A-B5AF-EFFE9F7F86D8}: NameServer = 203.0.178.191
O17 - HKLM\System\CS1\Services\Tcpip\..\{8BAB8D85-DAEE-480A-B5AF-EFFE9F7F86D8}: NameServer = 203.0.178.191
O17 - HKLM\System\CS2\Services\Tcpip\..\{8BAB8D85-DAEE-480A-B5AF-EFFE9F7F86D8}: NameServer = 203.0.178.191
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
Post 557161 | 2007-07-24 21:42:00 | Speedy Gonzales (78)
Did you try that removal tool? Run HijackThis again, tick these entries, then tick "Fix checked".

Do you know what this is? C:\Program Files\Bubbles\BubbleBox.exe
O2 - BHO: BubblesBHO - {FF344242-A1AF-4343-A223-FC3DA42990C8} - (no file)
If you don't, tick them.

Safe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Not known
O4 - HKLM\..\Run: [Bubbles] "C:\Program Files\Bubbles\BubbleBox.exe" -startup

Safe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

This belongs to a worm.
O4 - HKLM\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe

Looks like you have this (www.sophos.com)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O9 - Extra button: Bubble This URL - {A3A0268C-3146-431d-84EE-2789B750ABD2} - C:\Program Files\Bubbles\BubblesHBO.dll

If you use IRC, get out of it. Uninstall ALL versions of Sun Java. The latest is in my sig below. I would get Trojan Remover in my sig as well; install it, update it, then click on scan. Then select all options under the utilities menu.
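The tell in the post above is not the value name ("Windows Firewall") but the path: a file called svchost.exe autostarting from System32\drivers rather than from System32 itself. The following is an added example, not code from the thread or from HijackThis, that parses O4 Run-key lines and flags that kind of masquerade. The sample lines are copied from the log posted in this thread, and the allow-list of system binaries and their legitimate directories is an assumption for illustration; randomly named entries like the ones Jangos flagged need a different check (an allow-list of known names), which this does not attempt.

```python
import re

# Sample O4 lines, constructed from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [StrokeIt] C:\Program Files\Strokeit\strokeit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Firewall] C:\WINDOWS\System32\drivers\svchost.exe
"""

# Assumed allow-list: system binaries that should only ever autostart from these
# directories. A file with one of these names anywhere else is a masquerade.
SYSTEM_BINARIES = {
    "svchost.exe": {r"c:\windows\system32"},
    "ctfmon.exe": {r"c:\windows\system32"},
}

# HijackThis O4 Run-key line: hive, value name in brackets, then the command.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r"^(.+?\.exe)\b", re.IGNORECASE)


def executable_path(cmd: str) -> str:
    """Pull the program path out of a Run value, whether or not it is quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = EXE_RE.match(cmd)  # unquoted paths may still contain spaces
    return m.group(1) if m else cmd.split(" ")[0]


def suspicious_o4_entries(log: str) -> list[tuple[str, str, str]]:
    """Return (hive, value name, path) for autostart entries whose file name is a
    protected system binary but whose directory is not one of its legitimate homes."""
    hits = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        path = executable_path(m.group("cmd"))
        directory, _, basename = path.lower().rpartition("\\")
        allowed = SYSTEM_BINARIES.get(basename)
        if allowed is not None and directory not in allowed:
            hits.append((m.group("hive"), m.group("name"), path))
    return hits


if __name__ == "__main__":
    for hive, name, path in suspicious_o4_entries(SAMPLE_LOG):
        print(f"{hive} Run value [{name}] starts {path} from an unexpected directory")
```

Run against the sample, only the two "Windows Firewall" entries are reported; the legitimate ctfmon.exe in System32 and the bare RTHDCPL.EXE pass.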
Post 557162 | 2007-07-26 00:41:00 | turnbullm (12386)
Thanks - that Trojan Remover worked great, it found a lot of references in the registry to those 2 nasty processes. Now I can run NOD32 and HijackThis. Thanks again :)
Post 557163 | 2007-07-26 00:43:00 | Speedy Gonzales (78)
Cool, good to hear it's fixed :)