Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93081 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

please help me please.... :(


  • This topic is locked This topic is locked
34 replies to this topic

#16 medically tekki

medically tekki

    Authentic Member

  • Authentic Member
  • PipPip
  • 35 posts

Posted 03 March 2007 - 04:42 AM

hi sir,,,,, the dns servers are succesfully flushed.....

this is the logfile for fixwareout

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csrlt.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
....
»»»»» Misc files.
C:\Documents and Settings\SALAZAR\Application Data\kc.tmp Deleted
C:\WINDOWS\BALLOON.WAV Deleted
C:\WINDOWS\system32\{BA6EA082-F64E-46D4-86C1-CE26F11F2DFA}.exe Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DataLayer"="C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"AVG7_CC"="; C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"!AVG Anti-Spyware"="; \"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"DownloadAccelerator"="; \"C:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"
"SunJavaUpdateSched"="; \"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"MSMSGS"="; \"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"PcSync"="; C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»



and this is the logfile for hijackthis:::



Logfile of HijackThis v1.99.1
Scan saved at 6:36:46 PM, on 3/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Installers\hijackthis latest version 2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = TAGA LIPA ARE!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\ISPx Web Accelerator\components\NOWImaging.dll (file missing)
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [AVG7_CC] ; C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] ; "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DownloadAccelerator] ; "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] ; "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] ; "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] ; C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



thanks for the great help sir......

    Advertisements

Register to Remove


#17 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 03 March 2007 - 07:46 AM

Looking better :thumbup:

We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Click "Start"> "Run"> type in Regedit tap Enter Key

Make sure "My Computer" is highlighted

Click "Edit"> "Find"
Type in FS6519 tap Enter Key.
Right Click on the file if found and select "Delete"

Tap the "F3" Key to find the next entry of the file. Continue using the "F3" Key until it's finished searching.

do the same for:
TAGA LIPA ARE

Close Regedit.


Empty Recycle Bin

Reboot and "copy/paste" a new HijackThis log file into this thread.
Also please describe how your computer behaves at the moment.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#18 medically tekki

medically tekki

    Authentic Member

  • Authentic Member
  • PipPip
  • 35 posts

Posted 03 March 2007 - 12:01 PM

hi sir have done it,,,

after which nothing has changed to my computer still whenever i will try to open all my three hard drives it still says "WINDOWS SCRIPT HOST... CAN NOT FIND SCRIPT FILE C:\FS6519.dll.vbs"....


and after deleting the file FS6519 to the registry nothin had been thrown to my recycle bin so,, i cant empty it... and after rebooting my computer i did check again the registry and search the file FS6519 still it is there... i did delete it again and nothin has been on my recycle bin,,, i reboot it again and search the file on the registry still it comes back,, I did that cycle for 5 times but still the file comes back...

this is the hijacklogfile...

Logfile of HijackThis v1.99.1
Scan saved at 1:50:07 AM, on 3/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Installers\hijackthis latest version 2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\Program Files\ISPx Web Accelerator\components\NOWImaging.dll (file missing)
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [AVG7_CC] ; C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] ; "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DownloadAccelerator] ; "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] ; "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] ; "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] ; C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#19 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 03 March 2007 - 12:13 PM

I aplogize,

I left out instructions on my last post, my bad.

Using Windows Explorer delete the following file from the locations indicated:

C:\autorun.inf
D:\autorun.inf
E:\autorun.inf

Click "Start"> "Run"> type in Regedit tap Enter Key

Make sure "My Computer" is highlighted

Click "Edit"> "Find"
Type in FS6519 tap Enter Key.
Right Click on the file if found and select "Delete"

Tap the "F3" Key to find the next entry of the file. Continue using the "F3" Key until it's finished searching.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#20 medically tekki

medically tekki

    Authentic Member

  • Authentic Member
  • PipPip
  • 35 posts

Posted 04 March 2007 - 02:34 AM

hi sir,,, how can i delete the file at the windows explorer... i cant find it.... i deleted the FS6519 on the regedit and when i open my hard drives it says " this file does not have a program associated with it for performing this action. create an association in the folder opttions control panel" how can i delete the said C:\autorun.inf and the likes in the windows explorer? thanks alot sir.....

#21 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 04 March 2007 - 08:23 AM

Start > Search > All Files And Folders
Under More Advanced Options, make sure the following are checked:
*Search system folders
*Search hidden files and folders
*Search subfolders
*Make sure you look in all of your drives
Then copy and paste the following(one at a time) in the search box:

autorun.inf

It is likely that you will find several instances of this file. Only delete the ones that are found at the root of each drive:

(drive):\autorun.inf
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#22 medically tekki

medically tekki

    Authentic Member

  • Authentic Member
  • PipPip
  • 35 posts

Posted 04 March 2007 - 02:49 PM

good day sir,,,, i did it but no file was found all on the three hard drives...... serach it over and over but none was found.... thanks sir,,,, for helping me out..

#23 medically tekki

medically tekki

    Authentic Member

  • Authentic Member
  • PipPip
  • 35 posts

Posted 04 March 2007 - 02:57 PM

good day sir,,,, i did it but no file was found all on the three hard drives...... serach it over and over but none was found.... thanks sir,,,, for helping me out..

#24 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 04 March 2007 - 03:32 PM

Let's try this:

1. On Windows NT, 2000, XP, and Server 2003, press
CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the process:
WSCRIPT.EXE
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your computer.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.


1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
FS6519 = "%Windows%\FS6519.dll.vbs"
(Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)

Deleting Other Entries from the Registry

1. Still in Registry Editor, in the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Internet Explorer>Main
2. In the right panel, locate and delete the entry:
Window Title = "TAGA LIPA ARE!"
2. Close Registry Editor.

Deleting AUTORUN.INF

1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
2. In the Named input box, type:
AUTORUN.INF
3. In the Look In drop-down list, select My Computer, then press Enter.
4. Once located, select the file then open with Notepad. Check if it contains the following strings:
shellexecute=wscript.exe FS6519.dll.vbs
5. If the said strings are found, close Notepad, select the file then press SHIFT+DELETE.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#25 medically tekki

medically tekki

    Authentic Member

  • Authentic Member
  • PipPip
  • 35 posts

Posted 05 March 2007 - 05:08 AM

hi sir..... i opened the windows task manager and i found none on the processes tab on WSCRIPT.EXE here are the available list of programs running: SVCHOST.EXE Ymsgr_tray.exe WUAUCLT.EXE WINLOGON.EXE winamp.exe taskmgr.exe system Idle process System SVCHOST.EXE SVCHOST.EXE SVCHOST.EXE SVCHOST.EXE SVCHOST.EXE SPOOLSV.EXE SMSS.EXE SERVICES.EXE SERVIC~1.EXE SAgent2.exe rundll32.exe nvsvc32.exe LSASS.EXE LaunchApplication.exe GUARD.EXE FIREFOX.EXE EXPLORER.EXE datalayer.exe CSRSS.EXE avgupsvc.exe avgemc.exe AVGAMSVR.EXE ALG.EXE

    Advertisements

Register to Remove


#26 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 05 March 2007 - 12:45 PM

If wscript.exe is not running then skip that part and try to carry out the remainder of the fix.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#27 medically tekki

medically tekki

    Authentic Member

  • Authentic Member
  • PipPip
  • 35 posts

Posted 05 March 2007 - 01:25 PM

hi good day sir.... on the registry i did not found any FS6519 = "%Windows%\FS6519.dll.vbs" and Window Title = "TAGA LIPA ARE!" i did found the autorun.inf on the search bar have it deleted... and after rebooting my computer my hard drives are now easily access by opening it.... sir is that gives me the assurance that the worm solow is now totaly eradicated at my computer ? thanks for the wonderful help sir so much....

#28 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 05 March 2007 - 02:43 PM

Wonderful and great to hear :thumbup: Post a fresh HJT log and I'll take a look to make sure all is well.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#29 medically tekki

medically tekki

    Authentic Member

  • Authentic Member
  • PipPip
  • 35 posts

Posted 06 March 2007 - 09:18 AM

hi sir... good day.....

here's the new hjt logfile

Logfile of HijackThis v1.99.1
Scan saved at 11:10:35 PM, on 3/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2

(6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common

Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common

Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite

6\LaunchApplication.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.E

XE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware

7.5\avgas.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Installers\hijackthis latest version

2\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search Bar =

http://us.rd.yahoo.c...ie/defaults/sb/

msgr7/*http://www.yahoo.com/ext/search/search.ht

ml
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://us.rd.yahoo.c...ie/defaults/sp/

msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://us.rd.yahoo.c...ie/defaults/su/

msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Bar =

http://us.rd.yahoo.c...ie/defaults/sb/

msgr8/*http://www.yahoo.com/ext/search/search.ht

ml
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://us.rd.yahoo.c...ie/defaults/sp/

msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet

Explorer\SearchURL,(Default) =

http://us.rd.yahoo.c...ie/defaults/su/

msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar -

{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no

file)
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat

5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button -

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -

C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class -

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NOW!Imaging -

{9AA2F14F-E956-44B8-8694-A5B615CDF341} -

C:\Program Files\ISPx Web

Accelerator\components\NOWImaging.dll (file

missing)
O4 - HKLM\..\Run: [DataLayer] C:\Program

Files\Common

Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication]

C:\Program Files\Nokia\Nokia PC Suite

6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [AVG7_CC] ;

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] ;

"C:\Program Files\Grisoft\AVG Anti-Spyware

7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DownloadAccelerator] ;

"C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] ;

"C:\Program

Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager]

"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE"

-quiet
O4 - HKCU\..\Run: [MSMSGS] ; "C:\Program

Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] ; C:\Program

Files\Nokia\Nokia PC Suite 6\PcSync2.exe

/NoDialog
O4 - Global Startup: Microsoft Office.lnk =

C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces -

C:\Program Files\DAP\Privacy

Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with

&DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search -

file:///C:\Program

Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with

DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to

Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/30

00
O8 - Extra context menu item: Yahoo! &Dictionary

- file:///C:\Program

Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps -

file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS -

file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services -

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -

C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program

Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG Anti-Spyware Guard -

Anti-Malware Development a.s. - C:\Program

Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server

(Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc)

- GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) -

GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2

(EPSONStatusAgent2) - SEIKO EPSON CORPORATION -

C:\Program Files\Common

Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service

(NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe


sir as i was scanning my drives using avg antispyware i detected this type of worm solow a. again.... what should i do to this ?

C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0020580.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0020581.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0021580.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0021581.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0021591.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0021592.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0021603.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0021604.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0022603.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0022604.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0024603.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0024604.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0024616.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0024617.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0024627.vbs -> Worm.Solow.a :
C:\System Volume Information\_restore{D5AF344F-C21F-43AE-A8CF-8C4E066DE91B}\RP13\A0024628.vbs -> Worm.Solow.a :


thanx alot sir.....

#30 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 06 March 2007 - 09:28 AM

Hi MT,

Those are in your restore points and can be easily cleaned up by doing the following:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which may be infected anyway).

Click Start>Help and Support>Undo changes to your computer with System Restore
Select Create A Restore Point then click Next. Give it a name it and then click Create

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

Can you do me a favor and turn off word wrap in Notepad then repost your HJT log so it's not all broken up.

To do that in Notepad select Format and uncheck Word Wrap.

Thanks,
Dave
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users