Dear Sir,

I have infected the W32.Myzor.FK@yf and I have followed the step 3, then 1, when it comes to step 2, after I download the Look2Me-Destroyer, double clikc and tick the Run this program as task, it doesn't re-open again. do I need to skip this step to to further the next? please help. thanks

Hello and welcome to Techspot.

Yes you can skip that step and go on to the rest of the steps.

Regards Howard :wave: :wave:

Dear,

again, the VundoFix also doesn't re-open, I will then go to step 4. thanks

The HijackThis log file

Dear, please find the following HijackThis log file after I follow exactly the steps.

Boot into safe mode.

Turn off system restore. (XP/ME only)

In Windows Explorer, turn on "Show all files and folders, including hidden and system".

Run Task Manager and End Process this file if found:

egvwlnrtd.exe



Run HJT and have it fix (place a tick in the box next to the entry):

O4 - HKLM\..\Run: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

O4 - HKLM\..\RunServices: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: <-- All of the 016 - DPF entries


Click on the Fix Checked button.



Search for and delete egvwlnrtd.exe.
*Research has suggested that this file can be found in the c:\windows\system32 folder. But it might also be found in c:\windows or even a TEMP folder.




Reboot into normal mode and then turn System Restore back on.

Post a new HJT log after finishing the above steps.


I've also noticed that you are not running any Service Pack for WinXP. I recommend installing all Critical updates to help protect against the latest virus and malware threats.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

egvwlnrtd.exe This may or may not be a nasty entry. If you recognise it and know what it is, then leave it as it is. I can find no info for this file.

Close task manager.

Click start/run and type services.msc into the run box and press the enter key. When the window appears, maximise it. Locate the following service(if there) and double click on it. Select stop if it`s running and set the startup type to disabled. click apply/ok.

eMCryT Sh3ars Panagers Again, if you know what this service does and you`re sure it`s safe, ignore it.

Close the services window.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).


R3 - Default URLSearchHook is missing This is a nasty entry and needs to be fixed.

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)

O4 - HKLM\..\Run: [eMCryT Sh3ars Panagers] egvwlnrtd.exe See above.

O4 - HKLM\..\RunServices: [eMCryT Sh3ars Panagers] egvwlnrtd.exe [/b]See above{/b]

Fix all 016-DPF entries.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files(if there).

egvwlnrtd.exe You will need to search you computer for this file. Again, if you know what this file is and you know it`s safe, ignore this.


Reboot into normal mode and turn system restore back on.

You are running a completely unpatched version of Windows XP. You should download and install at least servicepack1(sp1) and preferably servicepack2(sp2).


Regards Howard

gmuser2006.

You did a pretty good job at analysing this HJT log. However, you missed the R3 - Default URLSearchHook is missing. This should always be fixed as it is a nasty entry.

You also missed the file missing entries.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

These are unecessary entries and should be fixed.

The file egvwlnrtd.exe may or may not be nasty, as there is no info available on this file. Unless you know something I don`t lol.

If tzewing recognises this file as safe, then obviously it should be left alone.

Thanks for your help. It is very much appreciated.

Regards Howard

Howard -

I saw the R3, O18 and O20 entries in the HJT log but wasn't real familiar with them so I didn't mark those for deletion. Didn't want to cause different problems while trying to fix the original problem. Thanks for looking over my post and letting me know about those entries!

Also, here is what I found about the egvwlnrtd.exe file. It is the W32/Rbot-AWI worm.

Thanks again!

Thanks for the Info. Very useful.

tzewing.

After you have followed the above instructions, go HERE and follow the instructions for using the Rbot removal tool.

Post a fresh HJT log afterwards.

Regards Howard

fresh hijackthis log

pls find the fresh hijackthis log, which is after all of the suggested.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

eMCryT Sh3ars Panagers

close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

egvwlnrtd.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).


O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)

O4 - HKLM\..\Run: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

O4 - HKLM\..\RunServices: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{2A6E7C19-78D3-481A-8E87-CE545B51A0B7}: NameServer = 210.0.255.216 210.0.128.241

O17 - HKLM\System\CS1\Services\Tcpip\..\{2A6E7C19-78D3-481A-8E87-CE545B51A0B7}: NameServer = 210.0.255.216 210.0.128.241

Only fix the above 017 entries, if they don`t belong to your ISP.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files(if there).

egvwlnrtd.exe

Reboot into normal mode and turn system restore back on.

Now install sp1 or sp2 ASAP. This is because your unpatched Windows is a security risk.


Regards Howard