I have followed the rules but Look2Me-Destroyer doesn't reopen

Dear Sir,

I have been infected with W32.Myzor.FK@yf and I have followed step 3, then 1. When it comes to step 2, after I download Look2Me-Destroyer, double click it and tick "Run this program as task", it doesn't re-open again. Do I need to skip this step to go on to the next? Please help. Thanks.
 
The HijackThis log file

Dear Sir, please find the following HijackThis log file, after I followed the steps exactly.
 

Attachments

  • hijackthis.txt (5.6 KB)
Boot into safe mode.

Turn off system restore. (XP/ME only)

In Windows Explorer, turn on "Show all files and folders, including hidden and system".

Run Task Manager and End Process this file if found:

egvwlnrtd.exe



Run HJT and have it fix (place a tick in the box next to the entry):

O4 - HKLM\..\Run: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

O4 - HKLM\..\RunServices: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: <-- All of the O16 - DPF entries


Click on the Fix Checked button.



Search for and delete egvwlnrtd.exe.
*Research has suggested that this file can be found in the c:\windows\system32 folder. But it might also be found in c:\windows or even a TEMP folder.




Reboot into normal mode and then turn System Restore back on.

Post a new HJT log after finishing the above steps.


I've also noticed that you are not running any Service Pack for WinXP. I recommend installing all Critical updates to help protect against the latest virus and malware threats.
 
tzewing said:
Dear Sir, please find the following HijackThis log file, after I followed the steps exactly.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

egvwlnrtd.exe This may or may not be a nasty entry. If you recognise it and know what it is, then leave it as it is. I can find no info for this file.

Close task manager.

Click start/run and type services.msc into the run box and press the enter key. When the window appears, maximise it. Locate the following service (if there) and double click on it. Select stop if it's running and set the startup type to disabled. Click apply/ok.

eMCryT Sh3ars Panagers Again, if you know what this service does and you're sure it's safe, ignore it.

Close the services window.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each (if there).


R3 - Default URLSearchHook is missing This is a nasty entry and needs to be fixed.

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)

O4 - HKLM\..\Run: [eMCryT Sh3ars Panagers] egvwlnrtd.exe See above.

O4 - HKLM\..\RunServices: [eMCryT Sh3ars Panagers] egvwlnrtd.exe See above.

Fix all O16 - DPF entries.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following files (if there).

egvwlnrtd.exe You will need to search your computer for this file. Again, if you know what this file is and you know it's safe, ignore this.


Reboot into normal mode and turn system restore back on.

You are running a completely unpatched version of Windows XP. You should download and install at least Service Pack 1 (SP1) and preferably Service Pack 2 (SP2).


Regards Howard :)
 
gmuser2006 said:
Boot into safe mode.

Turn off system restore. (XP/ME only)

In Windows Explorer, turn on "Show all files and folders, including hidden and system".

Run Task Manager and End Process this file if found:

egvwlnrtd.exe



Run HJT and have it fix (place a tick in the box next to the entry):

O4 - HKLM\..\Run: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

O4 - HKLM\..\RunServices: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: <-- All of the O16 - DPF entries


Click on the Fix Checked button.



Search for and delete egvwlnrtd.exe.
*Research has suggested that this file can be found in the c:\windows\system32 folder. But it might also be found in c:\windows or even a TEMP folder.




Reboot into normal mode and then turn System Restore back on.

Post a new HJT log after finishing the above steps.


I've also noticed that you are not running any Service Pack for WinXP. I recommend installing all Critical updates to help protect against the latest virus and malware threats.

gmuser2006.

You did a pretty good job at analysing this HJT log. However, you missed the R3 - Default URLSearchHook is missing. This should always be fixed as it is a nasty entry.

You also missed the file missing entries.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

These are unnecessary entries and should be fixed.

The file egvwlnrtd.exe may or may not be nasty, as there is no info available on this file. Unless you know something I don't lol.

If tzewing recognises this file as safe, then obviously it should be left alone.

Thanks for your help. It is very much appreciated.

Regards Howard :)
 
Howard -

I saw the R3, O18 and O20 entries in the HJT log but wasn't really familiar with them, so I didn't mark those for deletion. Didn't want to cause different problems while trying to fix the original problem. Thanks for looking over my post and letting me know about those entries! :)

Also, here is what I found about the egvwlnrtd.exe file. It is the W32/Rbot-AWI worm.

Thanks again!
 
Thanks for the Info. Very useful.

tzewing.

After you have followed the above instructions, go HERE and follow the instructions for using the Rbot removal tool.

Post a fresh HJT log afterwards.

Regards Howard :)
 
Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html


Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

eMCryT Sh3ars Panagers

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

egvwlnrtd.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each (if there).


O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\zh-tw\msntb.dll (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)

O4 - HKLM\..\Run: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

O4 - HKLM\..\RunServices: [eMCryT Sh3ars Panagers] egvwlnrtd.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{2A6E7C19-78D3-481A-8E87-CE545B51A0B7}: NameServer = 210.0.255.216 210.0.128.241

O17 - HKLM\System\CS1\Services\Tcpip\..\{2A6E7C19-78D3-481A-8E87-CE545B51A0B7}: NameServer = 210.0.255.216 210.0.128.241

Only fix the above O17 entries if they don't belong to your ISP.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following files (if there).

egvwlnrtd.exe

Reboot into normal mode and turn system restore back on.

Now install sp1 or sp2 ASAP. This is because your unpatched Windows is a security risk.


Regards Howard :)
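As an added example (not part of the thread, and not code from HijackThis or the Rbot removal tool), here is a small Python script that applies the triage rules Howard and gmuser2006 use above to a log in HJT's line format: orphaned "(file missing)" entries and a missing default URLSearchHook are marked for fixing, every O16 - DPF entry is marked for fixing, O17 NameServer entries are left alone only when the addresses match a caller-supplied ISP list, and unknown O4 autoruns are flagged for research, more strongly when the same binary sits under both Run and RunServices. The sample log is constructed from entries quoted in the thread plus two invented lines (a ctfmon.exe autorun and a placeholder O16 entry with a dummy CLSID and URL) so that every rule fires; the known-good executable list and the ISP nameserver set are assumptions the caller supplies.

```python
"""Triage a HijackThis (HJT) log the way the thread above does it by hand.

Added example; not part of the original thread or of HijackThis itself.
SAMPLE_LOG is constructed from entries quoted in the thread plus two
invented lines (ctfmon.exe autorun, placeholder O16 entry).
"""
import re
from collections import defaultdict

# An HJT entry is a section code (R3, O4, O17, ...) followed by " - " and text.
ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (?P<body>.*)$")

# O4 body: HKLM\..\Run: [Display Name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# O17 bodies end in one or more dotted-quad nameserver addresses.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hjt(text):
    """Return [{'section', 'body', 'raw'}, ...] for every recognised entry line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"section": m.group("section"),
                            "body": m.group("body"), "raw": raw.strip()})
    return entries


def _exe_name(cmd):
    """Lower-case base name of the executable in an O4 command line.

    Quoted paths are honoured; an unquoted path containing spaces is cut at
    the first space (a known limitation of this simple splitter).
    """
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        path = cmd[1:cmd.index('"', 1)]
    else:
        path = cmd.split()[0] if cmd else ""
    return path.rsplit("\\", 1)[-1].lower()


def triage(entries, isp_nameservers=frozenset(), known_good_exes=frozenset()):
    """Map each raw entry line to (verdict, reason); verdict is fix/check/leave."""
    verdicts = {}
    # First pass: which registry keys each autorun executable is registered under.
    o4_keys = defaultdict(set)
    for e in entries:
        if e["section"] == "O4":
            m = O4_RE.match(e["body"])
            if m:
                o4_keys[_exe_name(m.group("cmd"))].add(m.group("key"))
    for e in entries:
        sec, body = e["section"], e["body"]
        if "(file missing)" in body:
            verdicts[e["raw"]] = ("fix", "orphaned entry, target file missing")
        elif sec == "R3" and "URLSearchHook is missing" in body:
            verdicts[e["raw"]] = ("fix", "default URLSearchHook missing")
        elif sec == "O16":
            verdicts[e["raw"]] = ("fix", "Downloaded Program File (ActiveX) entry")
        elif sec == "O17":
            ips = set(IPV4_RE.findall(body))
            if ips and ips <= isp_nameservers:
                verdicts[e["raw"]] = ("leave", "nameservers belong to the ISP")
            else:
                verdicts[e["raw"]] = ("fix", "nameservers not recognised as the ISP's")
        elif sec == "O4":
            m = O4_RE.match(body)
            exe = _exe_name(m.group("cmd")) if m else ""
            if exe and exe in known_good_exes:
                verdicts[e["raw"]] = ("leave", "known-good autorun")
            elif m and {"Run", "RunServices"} <= o4_keys[exe]:
                verdicts[e["raw"]] = ("check", "unknown binary under both Run and RunServices")
            else:
                verdicts[e["raw"]] = ("check", "unknown autorun, research the file")
        else:
            verdicts[e["raw"]] = ("leave", "no rule matched")
    return verdicts


# Constructed sample: thread entries plus an invented ctfmon.exe autorun and a
# placeholder O16 line (dummy CLSID and URL) so that every rule is exercised.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [eMCryT Sh3ars Panagers] egvwlnrtd.exe
O4 - HKLM\..\RunServices: [eMCryT Sh3ars Panagers] egvwlnrtd.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Placeholder Control) - http://example.invalid/ctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A6E7C19-78D3-481A-8E87-CE545B51A0B7}: NameServer = 210.0.255.216 210.0.128.241
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

if __name__ == "__main__":
    for raw, (verdict, reason) in triage(parse_hjt(SAMPLE_LOG),
                                         known_good_exes={"ctfmon.exe"}).items():
        print(f"{verdict:5s}  {reason:48s}  {raw[:60]}")
```

Run it against a saved log (`parse_hjt(open("hijackthis.txt").read())`) and pass your ISP's resolver addresses as `isp_nameservers`; anything the script marks "check" still needs the manual research the thread describes before you tick it in HJT.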
 