Need Help

Discussion in 'adware, spyware & hijack cleaning' started by Tokiya, Jul 16, 2004.

Thread Status:
Not open for further replies.
  1. Tokiya

    Tokiya Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    6
    bl0w.exe

    Mod Note: Member being assisted in this thread: https://www.wilderssecurity.com/showthread.php?t=41925 - snap


    I found out that my computer is infected by some program called bl0w.exe. It disables my Norton AntiVirus and pops up unwanted sites. I tried to delete it, but it seems that won't work, and in my Windows Task Manager a lot of rundll32.exe are running. Well, I don't know what to do. I downloaded a lot of programs to detect it, but they won't work. >.< Please help.

    Sorry for my poor English.
     
    Last edited by a moderator: Jul 19, 2004
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: bl0w.exe

    Hi Tokiya,

    Welcome to Wilders.

    I would suggest first you do an on-line virus scan from one of these sites: Free Services

    Then follow ALL the instructions, and each step in this link, carefully:
    HOW TO? Read here about how to post your log!!

    Once you have downloaded HijackThis, create a permanent folder for it on your computer (call the folder whatever you'd like) then unzip Hijackthis.exe into the new folder (do not put it in a Temp folder or desktop).

    Then open Hijackthis and run it by clicking on the Scan button. When the scan has finished, the "Scan" button will then change to a Save Log button. Press the "Save Log" button and save it to a location you can easily find it. Open the saved log and copy and paste the entire contents of the log here in this thread in your next reply.

    Please do NOT fix anything in Hijackthis by yourself. Most of what it lists will be harmless and even essential. Someone will review your log and reply back with instructions on what needs to be fixed.

    Regards,

    snap
     
  3. Tokiya

    Tokiya Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    6
    Here I followed all the steps =)

    Logfile of HijackThis v1.97.7
    Scan saved at 6:00:56 AM, on 7/17/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\vsnpstd.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spyware Doctor\spydoctor.exe
    C:\Program Files\ZTE\ADSLDIAL\adslDial.exe
    C:\Documents and Settings\oem\Desktop\Botz\chaos's bot\Wizard\KoreEasy.exe
    C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna001,Yuna~chan\modKore-Hybrid.exe
    C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna002,~Miduki~\modKore-Hybrid.exe
    C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna003,Tokiya\modKore-Hybrid.exe
    C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna004,Yuna~\modKore-Hybrid.exe
    C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna005,Huriko\modKore-Hybrid.exe
    C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna007 ,~Genko~\modKore-Hybrid.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\wanshan88 , ~Tokiya~\modKore-Hybrid.exe
    C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\noob34 , ~Midori\modKore-Hybrid.exe
    C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\noob12 ,~Midori~\modKore-Hybrid.exe
    C:\Documents and Settings\oem\Desktop\Botz\chaos's bot\doppel\KoreC-Final.exe
    C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Huriko , ~Yanagi~\modKore-Hybrid.exe
    C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\toon0129 , Doppelganger\modKore-Hybrid.exe
    C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
    C:\Program Files\Common Files\Vbox\Common\vboxm.dll
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\oem\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
    O4 - HKLM\..\Run: [Microsoft Update] esplorer.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [JA Cfg Util v2] jacfg2.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ 4.1 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1017_EN_XP.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{93F8CC08-10AE-44F1-A5B2-2E1CF2B2E8DC}: NameServer = 202.188.0.133 202.188.1.5
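The log above is the raw material a helper reviews before telling the poster what to fix. The following is an added Python example, not HijackThis code and not something posted in this thread, that parses the HijackThis 1.97 log format (the "Running processes:" list followed by the Rx/Oxx entries) and pulls out the items a reviewer looks at first. Its sample input is a constructed subset of the log posted above. The three checks are review heuristics, not verdicts: an O4 Run entry whose command names a bare executable (no drive or directory) is resolved by PATH search and deserves a look, and so does a process running from under Documents and Settings, while the O17 entry simply records which DNS servers the machine is configured to use. Legitimate entries such as SoundMan and the NvCpl rundll32 line trip the same bare-name flag, which is exactly why snapdragin asks the poster not to fix anything by hand.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis v1.97.7 log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 6:00:56 AM, on 7/17/2004
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\oem\Desktop\Botz\chaos's bot\Wizard\KoreEasy.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Documents and Settings\oem\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Update] esplorer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [JA Cfg Util v2] jacfg2.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O17 - HKLM\System\CCS\Services\Tcpip\..\{93F8CC08-10AE-44F1-A5B2-2E1CF2B2E8DC}: NameServer = 202.188.0.133 202.188.1.5
"""

# One "Oxx - body" or "Rx - body" line.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Body of a registry-backed O4 entry: HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumption: Windows XP user profiles live under this directory (as in the posted log).
PROFILE_MARKER = "\\documents and settings\\"


def parse_log(text):
    """Split a HijackThis log into its running-process list and its Rx/Oxx entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line terminates the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def executable_of(cmd):
    """Return the program an O4 command launches: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(text):
    """Apply the review heuristics described in the lead-in; returns items to look at, not verdicts."""
    processes, entries = parse_log(text)
    findings = defaultdict(list)
    for proc in processes:
        # Heuristic: executables running from inside a user profile are worth a second look.
        if PROFILE_MARKER in proc.lower():
            findings["user_profile_process"].append(proc)
    for kind, body in entries:
        if kind == "O4":
            m = O4_RE.match(body)
            if not m:
                continue              # e.g. "Global Startup" .lnk entries have a different shape
            exe = executable_of(m.group("cmd"))
            # Heuristic: no drive letter and no directory means the name is found via PATH search.
            if "\\" not in exe and ":" not in exe:
                findings["o4_bare_name"].append((m.group("name"), exe))
        elif kind == "O17":
            # Record the configured DNS servers so they can be checked against the ISP's.
            _, _, servers = body.partition("NameServer = ")
            findings["o17_nameserver"].extend(servers.split())
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

Run as-is it prints the flagged O4 names, the two user-profile processes (HijackThis itself included, which shows why a human still reads the list) and the O17 name servers; point `triage()` at a full saved log file to apply the same pass to everything the poster uploaded.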
     