Thread ID: 74707 | 2006-12-02 09:09:00 | Virus help | 4Lowie (10869) | Press F1
Post 503786 | 2006-12-03 08:22:00 | pctek (84)

[QUOTE]
O2 - BHO: (no name) - {326CD37E-85BF-D727-09DF-020967BAEB89} - C:\WINDOWS\system32\yrphfec.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\tfrextfm.dll
O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {8B7DC88A-8864-488E-BAB2-114BC9D1574A} - C:\WINDOWS\system32\mllmj.dll
O3 - Toolbar: Safety Bar - {fbea0445-4c4a-4136-864a-c72a4a182a84} - C:\Program Files\Safety Bar\SafetyBar.dll (file missing)
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [nxjzyqg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nxjzyqg.dll,nrjxlu
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A327F69-2718-49E8-ABC2-03E7A69340DB}: NameServer = 192.168.80.100,192.168.80.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBDFD30E-F4D6-45BB-BB33-4BB338FDDE05}: NameServer = 202.27.184.3,202.27.184.5
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
[/QUOTE]

The above for starters.

Alias: safetybar, safety bar, Zlob.SafetyBar, Safety Bar Toolbar
Description: Safety Bar (SafetyBar) is a rogue browser toolbar. Safety Bar has several trojan components that are very similar in behavior to the ZLOB Trojan. Within minutes of being installed, Safety Bar falsely claims that the user's computer is infected and then recommends buying various rogue anti-spyware and/or anti-virus programs.

searchupgrader.exe (abebot trojan) - Details
If you find a program named searchupgrader.exe on your computer, your computer may have been infected with a trojan known as 'abebot'.
Post 503787 | 2006-12-03 08:32:00 | 4Lowie (10869)

Thanks, what's the best way of removing these?
Post 503788 | 2006-12-03 20:09:00 | Speedy Gonzales (78)

The same program you used to post that log, HijackThis. Tick the entries PCtek posted, and tick "Fix checked". Close browser/s first. Then reboot. Then post another log.

These don't have to be in startup:
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" - update is here (java.sun.com)
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

And these look nasty:
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll - You may have Winfixer as well.
O20 - Winlogon Notify: winexz32 - C:\WINDOWS\SYSTEM32\winexz32.dll

I would also get Spybot (www.spybot.info) and the detection updates. Install both then do a scan. And install a firewall.
Post 503789 | 2006-12-04 07:54:00 | 4Lowie (10869)

Well....... cleaned up as per suggestions with HijackThis. System started sweet but can't find my server. Any ideas??
Post 503790 | 2006-12-04 08:12:00 | Pancake (6359)

Those O17 items should not have been taken out........
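The point behind Pancake's warning is that O17 entries are the per-interface DNS server settings from the Tcpip service key, not malware in themselves, and fixing them removes the resolver setting for that interface, which matches the "can't find my server" symptom above. The script below is an added example for this thread, not code from HijackThis, from the forum, or from any tool mentioned in the posts. It triages log lines of the kind posted here: unnamed BHOs loaded from system32 and Winlogon Notify packages outside an assumed XP allow-list get the "fix" verdict the helpers gave, Run entries that start a DLL through rundll32 are marked for review, and each O17 NameServer address is classified as private (LAN resolver, keep) or public (verify against the ISP before touching). The sample lines are copied from the logs in this thread; the allow-list, the verdict rules and the function names are the example's own assumptions, and a named entry such as SearchUpgrader still has to be looked up by hand.

```python
"""Triage HijackThis v1.99-style log lines.

Added example for this thread; not code from HijackThis or from any
tool mentioned in the posts. The verdict heuristics and the allow-list
below are assumptions; the sample lines are copied from the thread.
"""
import ipaddress
import re

# Assumed allow-list: Winlogon Notify packages shipped with Windows XP SP2,
# plus WgaLogon (Windows Genuine Advantage notifications). Extend per build.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
BHO_RE = re.compile(r"^BHO:\s+(?P<name>.+?)\s+-\s+\{(?P<clsid>[^}]+)\}\s+-\s+(?P<path>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")
DNS_RE = re.compile(r"^HKLM\\System\\CCS\\Services\\Tcpip\\\.\.\\\{(?P<iface>[^}]+)\}:"
                    r"\s*NameServer\s*=\s*(?P<servers>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s+(?P<name>\S+)\s+-\s+(?P<path>.*)$")

# Subset of the log lines posted in the thread, used as sample input.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Progra~1\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {326CD37E-85BF-D727-09DF-020967BAEB89} - C:\WINDOWS\system32\yrphfec.dll
O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - C:\WINDOWS\system32\ixt0.dll (file missing)
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [nxjzyqg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nxjzyqg.dll,nrjxlu
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A327F69-2718-49E8-ABC2-03E7A69340DB}: NameServer = 192.168.80.100,192.168.80.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBDFD30E-F4D6-45BB-BB33-4BB338FDDE05}: NameServer = 202.27.184.3,202.27.184.5
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def triage(log_text):
    """Return (verdict, section, detail) tuples; verdict is fix, review or keep."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O2":
            # Unnamed BHO whose DLL sits in system32: the pattern the helpers told 4Lowie to fix.
            b = BHO_RE.match(body)
            if b and b.group("name") == "(no name)" and "\\system32\\" in b.group("path").lower():
                findings.append(("fix", sec, f"unnamed BHO loaded from system32: {b.group('path')}"))
        elif sec == "O4":
            # rundll32 loading a DLL from system32 is used by legitimate drivers too, so only review.
            r = RUN_RE.match(body)
            if r and "rundll32" in r.group("cmd").lower():
                findings.append(("review", sec, f"Run entry [{r.group('name')}] starts a DLL via rundll32: {r.group('cmd')}"))
        elif sec == "O17":
            d = DNS_RE.match(body)
            if d:
                for server in d.group("servers").split(","):
                    try:
                        ip = ipaddress.ip_address(server.strip())
                    except ValueError:
                        findings.append(("review", sec, f"unparseable NameServer value {server!r}"))
                        continue
                    if ip.is_private:
                        findings.append(("keep", sec, f"{ip} is a private (LAN) resolver on {{{d.group('iface')}}}; fixing this entry clears the interface's DNS setting"))
                    else:
                        findings.append(("review", sec, f"{ip} is a public resolver on {{{d.group('iface')}}}; confirm it belongs to your ISP before fixing"))
        elif sec == "O20":
            n = NOTIFY_RE.match(body)
            if n:
                verdict = "keep" if n.group("name").lower() in KNOWN_NOTIFY else "fix"
                findings.append((verdict, sec, f"Winlogon Notify package {n.group('name')}: {n.group('path')}"))
    return findings


def summarize(findings):
    """Count verdicts so a log can be compared before and after a cleanup round."""
    counts = {"fix": 0, "review": 0, "keep": 0}
    for verdict, _, _ in findings:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for verdict, sec, detail in results:
        print(f"{verdict:6} {sec:4} {detail}")
    print(summarize(results))
```

On the sample lines this yields three "fix" findings (the two unnamed system32 BHOs and the mllmj Winlogon Notify package), three "review" findings (the rundll32 Run entry and the two public resolvers) and three "keep" findings (the two 192.168.80.x resolvers and WgaLogon). Running it on the second log in the thread after the first cleanup round shows which of the flagged entries survived.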
Post 503791 | 2006-12-04 08:30:00 | 4Lowie (10869)

OK then how do I reinstate it?
Post 503792 | 2006-12-04 08:40:00 | 4Lowie (10869)

Of course I just went back to HijackThis and restored the lines you mentioned. A message for Systemdoctor opened in Explorer straight away (I use Mozilla) so something is still there..... Will register with the link you supplied and see if anyone else has an idea. Thanks again
Post 503793 | 2006-12-04 08:52:00 | 4Lowie (10869)

Here is a scan after the first round of cleanups... Anymore to look at?

Logfile of HijackThis v1.99.1
Scan saved at 9:34:53 p.m., on 4/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\{2469B7A9-0A60-5129-1124-030625200040}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis 1.99.1\Analyse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Progra~1\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\kqeorrtq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {B8FDFADA-54D6-4C4D-AAAF-5FB7E1003305} - C:\WINDOWS\system32\mllmj.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Power_Gear] C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\Asus\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A327F69-2718-49E8-ABC2-03E7A69340DB}: NameServer = 192.168.80.100,192.168.80.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBDFD30E-F4D6-45BB-BB33-4BB338FDDE05}: NameServer = 202.27.184.3,202.27.184.5
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexz32 - C:\WINDOWS\SYSTEM32\winexz32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Post 503794 | 2006-12-04 09:24:00 | pheonix (36)

Looks like you still have something hanging in there.

Install and, importantly, update AVG Anti-Spyware (was Ewido): free.grisoft.com
If you haven't got it, get CCleaner: www.majorgeeks.com

Remove these entries:
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\kqeorrtq.dll
O2 - BHO: (no name) - {B8FDFADA-54D6-4C4D-AAAF-5FB7E1003305} - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll
O20 - Winlogon Notify: winexz32 - C:\WINDOWS\SYSTEM32\winexz32.dll

Run CCleaner, using both the Cleaner and Issues buttons. Restart into safe mode and scan with the AVG Anti-Spyware program. Re-run CCleaner and restart the computer into safe mode. Hopefully that will kill it.