1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Need help with virus! I have tried everything!

Discussion in 'Windows - Virus and spyware problems' started by cjp6398, Jan 6, 2006.

  1. cjp6398

    cjp6398 Member

    Joined:
    Jan 6, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Logs below!

    HJT LOG:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:05:27 PM, on 1/6/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\gld.exe
    C:\WINDOWS\System32\gld.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 7 for hijackthis_199.zip\HijackThis.exe
    C:\WINDOWS\regedit.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*htt...
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yme/*ht...
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\gld.exe
    O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - (no file)
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
    O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

    end of log

    windelf log:

    ************************
    * WIN32DELFKIL LOGFILE *
    ************************


    BEFORE RUNNING WIN32DELFKIL
    ***************************

    File(s) found in Windows directory
    ----------------------------------
    alt.exe

    File(s) found in system32 folder
    --------------------------------
    browsela.dll

    SharedTaskScheduler key
    -----------------------

    SteelWerX Registry Console Tool 1.0
    Written by Bobbi Flekman © 2005

    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler
    {438755C2-A8BA-11D1-B96B-00A0C90312E1} REG_SZ Browseui preloader
    {8C7461EF-2B13-11d2-BE35-3078302C2030} REG_SZ Component Categories cache daemon
    {31EE3286-D785-4E3F-95FC-51D00FDABC01} REG_SZ Master Browseui

    Notify key
    ----------
    subkey browsela is present!
     
    cjp6398, Jan 6, 2006
    #1
  2. cjp6398

    cjp6398 Member

    Joined:
    Jan 6, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Somebody help?
     
    cjp6398, Jan 6, 2006
    #2
  3. Jeanc1

    Jeanc1 Guest


    Your log shows :-
    O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\[bold]browsela.dll[/bold]

    You have to get this off your PC !

    That is a leftover from EWIDO... ! Get the FREE Pocket Killbox here:- http://www.bleepingcomputer.com/files/killbox.php

    Start it up.. and open C:\WINDOWS\system32\browsela.dll -- click and hold browsela.dll then slide it in the window of the KillBox

    Tick Delete at next REBOOT --- Ok then

    Reboot your Pc.. the critter will be gone.

    Reset your homepage to wherever it was before.
     
    Last edited by a moderator: Jan 6, 2006
    Jeanc1, Jan 6, 2006
    #3
  4. cjp6398

    cjp6398 Member

    Joined:
    Jan 6, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    I'm getting a blue screen on a normal boot up because it says windows can't find C:\windows\inet2001\winlogon.exe

    Any ideas?
     
    cjp6398, Jan 6, 2006
    #4
  5. cjp6398

    cjp6398 Member

    Joined:
    Jan 6, 2006
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    11
    Kill box is saying pendingfilerename operations registry data removed by an external process.

    What does this mean?
     
    cjp6398, Jan 6, 2006
    #5
  6. -kemisti-

    -kemisti- Active member

    Joined:
    Jun 6, 2005
    Messages:
    6,305
    Likes Received:
    0
    Trophy Points:
    96
    It means that file already deleted or something. That windelf log isn't complete. Send it again.

    Also, fix these lines:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*htt...
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yme/*ht...
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\gld.exe
    O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - (no file)
    O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe

    And delete these also with eg. Killbox same way as Jeanc1 already told you:

    C:\WINDOWS\System32\gld.exe
    C:\WINDOWS\alt.exe
     
    -kemisti-, Jan 7, 2006
    #6

Share This Page