Need Help

bl0w.exe

Mod Note: Member being assisted in this thread: https://www.wilderssecurity.com/showthread.php?t=41925 - snap


i found out that .. my computer is infected by some program that calls bl0w.exe ... it disable my norton anti virus .. pop up unwanted sites .... i tired delete it .. but it seens that won't work .. and in my windows task manager .... is runing alot of rundd32.exe ... well i dun know wat to do ... i download alot of programs to detect it .. but it won't work .... >.< please help

sorry for my poor english

 

Re: bl0w.exe

Hi Tokiya,

Welcome to Wilders.

I would suggest first you do an on-line virus scan from one of these sites: Free Services

Then follow ALL the instructions, and each step in this link, carefully:
HOW TO? Read here about how to post your log!!

Once you have downloaded HijackThis, create a permanent folder for it on your computer (call the folder whatever you'd like) then unzip Hijackthis.exe into the new folder (do not put it in a Temp folder or desktop).

Then open Hijackthis and run it by clicking on the Scan button. When the scan has finished, the "Scan" button will then change to a Save Log button. Press the "Save Log" button and save it to a location you can easily find it. Open the saved log and copy and paste the entire contents of the log here in this thread in your next reply.

Please do NOT fix anything in Hijackthis by yourself. Most of what it lists will be harmless and even essential. Someone will review your log and reply back with instructions on what needs to be fixed.

Regards,

snap

 

here i fellowed all the steps =)

Logfile of HijackThis v1.97.7
Scan saved at 6:00:56 AM, on 7/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\ZTE\ADSLDIAL\adslDial.exe
C:\Documents and Settings\oem\Desktop\Botz\chaos's bot\Wizard\KoreEasy.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna001,Yuna~chan\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna002,~Miduki~\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna003,Tokiya\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna004,Yuna~\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna005,Huriko\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Yuna007 ,~Genko~\modKore-Hybrid.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\wanshan88 , ~Tokiya~\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\noob34 , ~Midori\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\noob12 ,~Midori~\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\chaos's bot\doppel\KoreC-Final.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\Huriko , ~Yanagi~\modKore-Hybrid.exe
C:\Documents and Settings\oem\Desktop\Botz\Thor's Bot\toon0129 , Doppelganger\modKore-Hybrid.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Program Files\Common Files\Vbox\Common\vboxm.dll
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\oem\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Microsoft Update] esplorer.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [JA Cfg Util v2] jacfg2.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ 4.1 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1017_EN_XP.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93F8CC08-10AE-44F1-A5B2-2E1CF2B2E8DC}: NameServer = 202.188.0.133 202.188.1.5