Please Help..Worm_Rbot.H msconfg.exe

Discussion in 'Virus & Other Malware Removal' started by newguy2005, Feb 11, 2005.

Thread Status:
Not open for further replies.
  1. newguy2005

    newguy2005 Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    3
    I think it's some sort of virus but has destroyed my computer basically. Cannot run internet worth crap and basically makes my computer slow. This is what I know from my noadware v3.0 system I just spent 30 dollars to figure out. But this virus/worm will not delete from my computer and need help.

    C:\WINNT\system32\msconfg.exe

    Can anyone help me with this? I'm not very literate on this kind of stuff and would appreciate the help.

    NewGuy2005
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Noadware is not a very reliable program, there are others that are free and far superior applications.

    ======================================================

    Do this... right-click your desktop and choose "New Folder". Name it "HijackThis".
    Now go to one of these links:
    http://www.spywareinfo.com/~merijn/files/hijackthis.zip
    http://www.merijn.org/files/hijackthis.zip
    http://computercops.biz/zx/Merijn/hijackthis.zip
    http://downloads.subratam.org/hijackthis.zip
    and download 'HijackThis!'.....
    Unzip it to its newly created folder! Double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.

    If you have anything disabled by MSConfig or any other startup manager, please re-enable it before scanning to post.
    Also... if you have run and fixed anything with Spybot Search and Destroy or AdAware, please reboot before scanning.


    ;)
     
  3. newguy2005

    newguy2005 Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    3
    Took me awhile to figure out the zip thing but I got it done.

    OK, here it is.

    Logfile of HijackThis v1.99.0
    Scan saved at 10:53:26 AM, on 2/11/2005
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\sm56hlpr.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINNT\loadqm.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\WINNT\System32\rundll32.exe
    C:\WINNT\isrvs\desktop.exe
    C:\winnt\system32\aujiujf.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\PROGRA~1\PEOPLE~1\PropelAC.exe
    C:\WINNT\System32\yefiil.exe
    C:\WINNT\System32\winocx.exe
    C:\Program Files\ISP50\Bin\Bartshel.exe
    C:\WINNT\hhcmqbe.exe
    C:\program files\180solutions\sais.exe
    C:\WINNT\System32\Uyxqlc.exe
    C:\winnt\system32\calc.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    c:\winnt\system32\mksc.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\NoAdware3\NoAdware3.exe
    C:\PROGRA~1\ISP50\bin\ppshared.exe
    C:\Documents and Settings\Owner\Desktop\WinZip\WZQKPICK.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\ISP50\Bin\Bartshel.exe
    C:\PROGRA~1\ISP50\dialer\DIALER.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\5Yw2vA.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Documents and Settings\Owner\Desktop\WinZip\WINZIP32.EXE
    C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
    O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINNT\System32\hsrb.dll
    O2 - BHO: Web Directory Toolbar Helper - {441354C5-911B-409B-9A66-A11D6D4E1A22} - C:\WINNT\system32\sdmtb.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
    O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Web Directory Toolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINNT\system32\sdmtb.dll
    O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
    O3 - Toolbar: DebugBar - {3E1201F4-1707-409F-BB45-A5F192381DA0} - C:\Program Files\Core Services\DebugBar\DebugToolBar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [aujiujf] c:\winnt\system32\aujiujf.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
    O4 - HKLM\..\Run: [Propel Accelerator] "C:\PROGRA~1\PEOPLE~1\PropelAC.exe"
    O4 - HKLM\..\Run: [PPCRunonce] C:\WINNT\System32\PPCRunOnce.exe
    O4 - HKLM\..\Run: [Windows Compliant] yefiil.exe
    O4 - HKLM\..\Run: [Office Update] winocx.exe
    O4 - HKLM\..\Run: [XLmdybAWb] C:\WINNT\hhcmqbe.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [ivwjmf] C:\WINNT\ivwjmf.exe
    O4 - HKLM\..\Run: [secure] C:\WINNT\System32\Uyxqlc.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\RunServices: [Windows Compliant] yefiil.exe
    O4 - HKLM\..\RunServices: [Office Update] winocx.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NoAdware3] "C:\Program Files\NoAdware3\NoAdware3.exe" /s
    O4 - HKCU\..\Run: [Windows Compliant] yefiil.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Documents and Settings\Owner\Desktop\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O10 - Hijacked Internet access by New.Net
    O10 - Broken Internet access because of LSP provider 'osmim.dll' missing
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeCommon/downloads/WalletCab.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_229/webolr/OCX/FlashAX.cab
    O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5FC96FDF-4533-49D2-8E58-2E56D17A5AA0}: NameServer = 209.244.0.3 209.244.0.4
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
    O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: AOL Spyware Protection Service - Unknown - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
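
Added example, not part of the original posts: a short Python parser for the HijackThis log format shown above. It groups entries by section code and lists programs registered under more than one autorun (O4) key, as `yefiil.exe` and `winocx.exe` are in this log. The function names and the choice of heuristic are assumptions made for illustration; the result is a list of items to review, not a verdict.

```python
import re
from collections import defaultdict
# Constructed sample: a handful of lines copied from the log in this post.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\yefiil.exe
C:\WINNT\System32\winocx.exe

O4 - HKLM\..\Run: [Windows Compliant] yefiil.exe
O4 - HKLM\..\Run: [Office Update] winocx.exe
O4 - HKLM\..\RunServices: [Windows Compliant] yefiil.exe
O4 - HKLM\..\RunServices: [Office Update] winocx.exe
O4 - HKCU\..\Run: [Windows Compliant] yefiil.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                 # "O4 - <description>"
AUTORUN = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.+?)\] (.*)$")  # key: [value name] command

def exe_name(command):
    """Lower-cased file name of the program an autorun command launches."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b|(\S+)', command, re.IGNORECASE)
    path = next(g for g in m.groups() if g) if m else ""
    return path.rsplit("\\", 1)[-1].lower()

def parse(log_text):
    """Return (running process names, {section code: [descriptions]})."""
    running, sections = set(), defaultdict(list)
    for line in map(str.strip, log_text.splitlines()):
        m = ENTRY.match(line)
        if m:
            sections[m.group(1)].append(m.group(2))
        elif re.match(r"[A-Za-z]:\\", line):   # bare path = "Running processes" row
            running.add(line.rsplit("\\", 1)[-1].lower())
    return running, sections

def review_autoruns(log_text):
    """Programs registered under more than one autorun key: review hints, not verdicts."""
    running, sections = parse(log_text)
    keys, bare = defaultdict(set), set()
    for desc in sections["O4"]:
        m = AUTORUN.match(desc)
        if not m:
            continue                      # e.g. "Global Startup:" shortcut entries
        exe = exe_name(m.group(3))
        keys[exe].add(m.group(1))
        if "\\" not in m.group(3):
            bare.add(exe)                 # registered by bare file name, no path
    return {exe: {"keys": sorted(k), "bare_name": exe in bare, "running": exe in running}
            for exe, k in keys.items() if len(k) > 1}
```

Calling `review_autoruns()` on the full text of a saved log returns a dictionary keyed by executable name, which makes it easy to see which startup entries would come back if only one registry key were cleaned.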
     
  4. newguy2005

    newguy2005 Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    3
    Is this what you needed?
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    What a mess!! :eek:

    1st thing, we need to run a few removal programs through that lot... they won't clean everything by a long way but will thin things down a little.

    ===================================================

    Go to http://www.intermute.com/spysubtrac...r_download.html
    or http://cwshredder.net/, and download the latest version of CWShredder originally created by Merijn Bellekom...also the creator of Hijack This.
    Run it, press 'Fix', and allow it to fix all it finds.
    And remember to click "Fix" (Not "Scan only")

    ===================================================


    Download AdAware SE from here: http://www.lavasoftusa.com/

    Install the program and launch it.

    In the main window look in the bottom right corner and click on Check for updates now then click Connect... and download the latest reference files.

    From main window: click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When scan is finished mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu)


    Now re-boot...

    Then
    Download Spybot - Search & Destroy from http://majorgeeks.com/download2471.html

    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.
    Activate the "Immunize" function.

    Download and install Giant AntiSpyware.
    BE SURE TO UPDATE prior to scanning, and set it to perform a complete system scan under scan options. Fix the items Giant AS recommends fixing.
    http://www.giantcompany.com/(pt5aq355qo...fault.aspx

    ==========================================================
    Run an online antivirus check from at least one and preferably 2 of the following sites....
    http://virusscan.jotti.dhs.org/
    http://www.kaspersky.com/remoteviruschk.html
    http://www.dials.ru/english/www_av/
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/

    Re-boot again.

    Then post a new HijackThis log to check what is left.

    And when this is all clean...
    Consider installing the following:

    SpywareBlaster v 3.0 and SpywareGuard v2.2, to prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection: http://www.wilderssecurity.net/index.html

    IE-SPYAD, a registry file that adds a long list of known "sites" to the Restricted Sites of your Internet Explorer: https://netfiles.uiuc.edu/ehowes/www/resource.htm
    You should check regularly for updates on all these programs.

    Mozilla Firefox, much safer, faster and lighter browser than IE.
    http://www.mozilla.org/products/firefox/

    Install 'Spoofstick'.
    Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
    http://www.corestreet.com/spoofstick



    ;)
     