TechSpot

I have followed the rules but Look2Me-Destroyer doesn't reopen

By tzewing
May 23, 2006
  1. Dear Sir,

    I have been infected with W32.Myzor.FK@yf and I have followed step 3, then step 1. When it comes to step 2, after I download Look2Me-Destroyer, double click and tick "Run this program as a task", it doesn't re-open again. Do I need to skip this step to go on to the next one? Please help. Thanks.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Yes you can skip that step and go on to the rest of the steps.

    Regards Howard :wave: :wave:
     
  3. tzewing

    tzewing TS Rookie Topic Starter

    Dear,

    Again, VundoFix also doesn't re-open. I will then go to step 4. Thanks.
     
  4. tzewing

    tzewing TS Rookie Topic Starter

    The HijackThis log file

    Dear, please find the following HijackThis log file, taken after I followed the steps exactly.
     


  5. gmuser2006

    gmuser2006 TS Rookie Posts: 37

    Boot into safe mode.

    Turn off system restore. (XP/ME only)

    In Windows Explorer, turn on "Show all files and folders, including hidden and system".

    Run Task Manager and End Process this file if found:

    egvwlnrtd.exe



    Run HJT and have it fix (place a tick in the box next to the entry):

    O4 - HKLM\..\Run: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

    O4 - HKLM\..\RunServices: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O16 - DPF: <-- All of the 016 - DPF entries


    Click on the Fix Checked button.



    Search for and delete egvwlnrtd.exe.
    *Research has suggested that this file can be found in the c:\windows\system32 folder. But it might also be found in c:\windows or even a TEMP folder.




    Reboot into normal mode and then turn System Restore back on.

    Post a new HJT log after finishing the above steps.


    I've also noticed that you are not running any Service Pack for WinXP. I recommend installing all Critical updates to help protect against the latest virus and malware threats.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    egvwlnrtd.exe This may or may not be a nasty entry. If you recognise it and know what it is, then leave it as it is. I can find no info for this file.

    Close task manager.

    Click start/run and type services.msc into the run box and press the enter key. When the window appears, maximise it. Locate the following service(if there) and double click on it. Select stop if it`s running and set the startup type to disabled. click apply/ok.

    eMCryT Sh3ars Panagers Again, if you know what this service does and you`re sure it`s safe, ignore it.

    Close the services window.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).


    R3 - Default URLSearchHook is missing This is a nasty entry and needs to be fixed.

    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll (file missing)

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)

    O4 - HKLM\..\Run: [eMCryT Sh3ars Panagers] egvwlnrtd.exe See above.

    O4 - HKLM\..\RunServices: [eMCryT Sh3ars Panagers] egvwlnrtd.exe See above.

    Fix all 016-DPF entries.

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files(if there).

    egvwlnrtd.exe You will need to search your computer for this file. Again, if you know what this file is and you know it`s safe, ignore this.


    Reboot into normal mode and turn system restore back on.

    You are running a completely unpatched version of Windows XP. You should download and install at least Service Pack 1 (SP1) and preferably Service Pack 2 (SP2).


    Regards Howard :)
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    gmuser2006.

    You did a pretty good job at analysing this HJT log. However, you missed the R3 - Default URLSearchHook is missing. This should always be fixed as it is a nasty entry.

    You also missed the file missing entries.

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    These are unnecessary entries and should be fixed.

    The file egvwlnrtd.exe may or may not be nasty, as there is no info available on this file. Unless you know something I don`t lol.

    If tzewing recognises this file as safe, then obviously it should be left alone.

    Thanks for your help. It is very much appreciated.

    Regards Howard :)
     
  8. gmuser2006

    gmuser2006 TS Rookie Posts: 37

    Howard -

    I saw the R3, O18 and O20 entries in the HJT log but wasn't real familiar with them so I didn't mark those for deletion. Didn't want to cause different problems while trying to fix the original problem. Thanks for looking over my post and letting me know about those entries! :)

    Also, here is what I found about the egvwlnrtd.exe file. It is the W32/Rbot-AWI worm.

    Thanks again!
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Thanks for the Info. Very useful.

    tzewing.

    After you have followed the above instructions, go HERE and follow the instructions for using the Rbot removal tool.

    Post a fresh HJT log afterwards.

    Regards Howard :)
     
  10. tzewing

    tzewing TS Rookie Topic Starter

    fresh hijackthis log

    Please find the fresh HijackThis log, taken after all of the suggested steps.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    eMCryT Sh3ars Panagers

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    egvwlnrtd.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).


    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll (file missing)

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)

    O4 - HKLM\..\Run: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

    O4 - HKLM\..\RunServices: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{2A6E7C19-78D3-481A-8E87-CE545B51A0B7}: NameServer = 210.0.255.216 210.0.128.241

    O17 - HKLM\System\CS1\Services\Tcpip\..\{2A6E7C19-78D3-481A-8E87-CE545B51A0B7}: NameServer = 210.0.255.216 210.0.128.241

    Only fix the above 017 entries, if they don`t belong to your ISP.

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files(if there).

    egvwlnrtd.exe

    Reboot into normal mode and turn system restore back on.

    Now install sp1 or sp2 ASAP. This is because your unpatched Windows is a security risk.


    Regards Howard :)
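The triage the helpers in this thread perform by eye (fix a missing R3 URLSearchHook, fix every "(file missing)" entry, fix O4 autostarts of a file identified as a worm, and fix O17 NameServer entries only if the DNS servers are not the ISP's) can be expressed as a small log-line checker. The script below is an added example written for this thread; it is not part of HijackThis, and its sample log is constructed from the entries quoted above plus one benign O4 line. The known-bad file list and ISP DNS allow-list are parameters the analyst supplies, so the script only flags what it is told to look for.

```python
"""Added example: triage of HijackThis-style log lines (not HJT's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log, modelled on the entries quoted in this thread,
# plus one ordinary O4 line (SoundMan) that should not be flagged.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [eMCryT Sh3ars Panagers] egvwlnrtd.exe
O4 - HKLM\..\RunServices: [eMCryT Sh3ars Panagers] egvwlnrtd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A6E7C19-78D3-481A-8E87-CE545B51A0B7}: NameServer = 210.0.255.216 210.0.128.241
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""


@dataclass
class Entry:
    section: str  # e.g. "R3", "O4", "O17"
    body: str     # everything after "Oxx - "
    raw: str


# HJT sections are R0-R3, F0-F3, N1-N4 and O1-O24.
LINE_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2})\s+-\s+(.*)$")
# O4 body: HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^HK[A-Z]{2}\\\.\.\\(Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")


def parse_hjt(text: str) -> list[Entry]:
    """Turn log text into Entry records; non-entry lines are ignored."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            entries.append(Entry(m.group(1), m.group(2), raw))
    return entries


def run_target(cmd: str) -> str:
    """Bare, lower-cased executable name from an O4 command line.
    Handles quoted paths with spaces ("C:\\Program Files\\x.exe" /s)."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return first.rsplit("\\", 1)[-1].lower()


def triage(entries: list[Entry], known_bad_files=frozenset(),
           isp_nameservers=frozenset()) -> list[tuple[Entry, str]]:
    """Apply the thread's rules and return (entry, reason) pairs to fix."""
    bad = {f.lower() for f in known_bad_files}
    findings = []
    for e in entries:
        if e.section == "R3" and "URLSearchHook is missing" in e.body:
            findings.append((e, "missing Default URLSearchHook: always fix"))
        elif e.body.endswith("(file missing)"):
            findings.append((e, "entry points at a file that no longer exists: orphaned, fix"))
        elif e.section == "O4":
            m = O4_RE.match(e.body)
            if m and run_target(m.group("cmd")) in bad:
                findings.append((e, f"autostart of known-bad file {run_target(m.group('cmd'))}"))
        elif e.section == "O17":
            m = O17_RE.search(e.body)
            if m:
                unknown = [s for s in m.group("servers").split() if s not in isp_nameservers]
                if unknown:
                    findings.append((e, "DNS servers not on the ISP allow-list: " + ", ".join(unknown)))
    return findings


if __name__ == "__main__":
    # The file name comes from this thread; the ISP DNS list is something the
    # user would check with their provider (here left empty, so O17 is flagged).
    for entry, reason in triage(parse_hjt(SAMPLE_LOG), known_bad_files={"egvwlnrtd.exe"}):
        print(f"{entry.section}: {reason}\n    {entry.raw}")
```

Run as-is it reports seven entries to fix; passing the two addresses from the O17 lines as `isp_nameservers` drops that finding, which is exactly the "only fix if they don't belong to your ISP" caveat from the thread. The SoundMan line is never flagged because it is not on the known-bad list and nothing else about it matches a rule.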
     
Topic Status:
Not open for further replies.
