
hidden annoyance


Name: jakob
Date: December 8, 2003 at 02:34:49 Pacific
OS: PIV. 2,4
CPU/Ram: 512 DDR
Comment:

Well, here goes my story...
In order to do some file sharing I disabled my firewall (e.g. eMule doesn't allow users with a firewall). I got a message that I am infected with Gaobot. BTW, I use Norman Antivirus (up to date). But no problem, my antivirus kept tracking this Gaobot, until recently there was no sign of it.
That's when I noticed problems. This happens when I open my file sharing program, or the directory it is installed in (incoming files).
Basically I read every forum and tried millions of online scanners + anti-trojans + anti-spyware...
I checked my registry (BTW, my regedit is disabled, value=1); I found something unusual and I cleaned it.
What makes me angry is that the virus is somewhere and I cannot find it!!!

Any help is most welcome.
Here is my HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 11:30:19, on 8.12.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\Tweak-XP Pro 3\transtask.exe
C:\Program Files\Tweak-XP Pro 3\popup.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\Norman\NVC\BIN\Zanda.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NIP.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NYMSE.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NVCSCHED.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nvcoas.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NJEEVES.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trojan Remover\hhr16.exe
C:\Program Files\Trojan Remover\hhr16.exe
C:\Documents and Settings\Jakob\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fdvinfo.net/index.php?p1=229
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.exe /LOAD /SPLASH
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [TransTask] "C:\Program Files\Tweak-XP Pro 3\transtask.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 3\popup.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37924.4990972222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{947D9C21-F2B4-44FB-9898-8C5754B79F1A}: NameServer = 193.189.160.11 193.189.160.12


Thanks, I am really getting depressed.





Response Number 1
Name: iceblue
Date: December 8, 2003 at 13:46:47 Pacific
Reply:


Putting aside anything else that may be happening, have you disabled System Restore, rebooted, and then scanned again?
Make sure you can view hidden files and folders...

If positive for Gaobot, what exact message are you getting? I.e. where are the infected files located; maybe in the Norman 'vault'?

In the meantime have HijackThis fix
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Reboot, shut down all browsers, rescan with HjT, and repost here.



Response Number 2
Name: jakob
Date: December 9, 2003 at 09:31:03 Pacific
Reply:

Well, it's not over yet :)

Of course I disabled System Restore,
and I can see hidden files + I scanned a million times.

I was positive for Gaobot in some non-existing Windows file, until suddenly no messages were coming in that I have it.
So it was like this: I am using my computer and Norman Antivirus says it found a Gaobot in file *.* and successfully removed it. But this message was repeating for 4 days (e.g. 10 per day) and then suddenly no message any more, just programs not working :)

So this is a new HijackThis log (after I disabled regedit and that unknown file):
Logfile of HijackThis v1.97.7
Scan saved at 18:29:30, on 9.12.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\Tweak-XP Pro 3\transtask.exe
C:\Program Files\Tweak-XP Pro 3\popup.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\Norman\NVC\BIN\Zanda.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NYMSE.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NIP.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nvcoas.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NJEEVES.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NVCSCHED.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\cclaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jakob\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fdvinfo.net/index.php?p1=229
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.exe /LOAD /SPLASH
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [TransTask] "C:\Program Files\Tweak-XP Pro 3\transtask.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 3\popup.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37924.4990972222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

BTW, I reinstalled eMule and no changes :(

Thanks for a hint.



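As an added example (not code from the thread, from Jakob, or from the HijackThis project), a small Python triage script that parses HijackThis item lines, flags the kinds of entries iceblue asked to have fixed in Response 1 (the O3 toolbar with no file, the O7 DisableRegedit policy) plus the non-default start page and custom name servers, and diffs the 8 Dec and 9 Dec logs above to show which items disappeared between scans. The log excerpts are constructed from the posted logs, and the list of trusted start-page domains is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed excerpts of the two HijackThis logs posted in the thread (8 and 9 Dec 2003).
LOG_DEC8 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fdvinfo.net/index.php?p1=229
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{947D9C21-F2B4-44FB-9898-8C5754B79F1A}: NameServer = 193.189.160.11 193.189.160.12
"""

LOG_DEC9 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fdvinfo.net/index.php?p1=229
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O9 - Extra button: Related (HKLM)
"""

# A HijackThis item line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
HJT_ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (section, body) tuples for every item line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def review(entries, trusted_start_hosts=("microsoft.com", "msn.com")):
    """Flag the entry kinds singled out in the thread.

    trusted_start_hosts is an assumption: the default IE start pages of the era lived there.
    """
    findings = []
    for section, body in entries:
        if section == "O7" and "DisableRegedit=1" in body:
            findings.append((section, "Registry Editor disabled by policy"))
        elif section == "O3" and body.endswith("(no file)"):
            findings.append((section, "toolbar CLSID registered but its file is missing"))
        elif section == "R0" and "Start Page" in body:
            host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in trusted_start_hosts):
                findings.append((section, f"start page redirected to {host}"))
        elif section == "O17":
            findings.append((section, "custom DNS servers set; verify they belong to your ISP"))
    return findings


def diff_logs(old_text, new_text):
    """Items present in the earlier log but gone from the later one, and vice versa."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for section, reason in review(parse_hjt(LOG_DEC8)):
        print(f"{section}: {reason}")
    removed, added = diff_logs(LOG_DEC8, LOG_DEC9)
    print("gone since the first scan:", [s for s, _ in removed])
    print("new since the first scan:", [s for s, _ in added])
```
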
Response Number 3
Name: jakob
Date: December 9, 2003 at 09:42:42 Pacific
Reply:

I noticed that one of the svchost.exe processes is taking quite a lot of memory (>20,000k)
+ the msmsgs (Messenger) is taking a huge 28,000k, which is really a lot :(

jakob



Response Number 4
Name: jakob
Date: December 9, 2003 at 09:52:22 Pacific
Reply:

Yep, it sure is still here :( I am really getting frustrated.



Response Number 5
Name: iceblue
Date: December 9, 2003 at 11:42:00 Pacific
Reply:

If positive for Gaobot, what exact message are you getting?
I.e. where are the infected files located?
It helps to know these things...



Response Number 6
Name: jakob
Date: December 9, 2003 at 12:16:35 Pacific
Reply:

It was positive for Gaobot, but my antivirus always found it and removed it, so I didn't really care.
As I said, suddenly there was no more message, so I thought everything was okay, but oooo, I was so wrong :)

P.S. Alas, I don't remember the location (stupid me).



Response Number 7
Name: jakob
Date: December 9, 2003 at 12:18:48 Pacific
Reply:

But I'm not sure it's Gaobot, because when I used online scanners they found Torvill.D & A, but they were just in Temporary Internet Files and not active.

But now all the scans and anti-trojans & other accessories say everything is OK with my machine :(



Response Number 8
Name: iceblue
Date: December 9, 2003 at 12:32:51 Pacific
Reply:

It does appear that you may be getting re-infected. Windows Update >> patch up ANY vulnerabilities remaining.



Response Number 9
Name: jakob juznic
Date: December 9, 2003 at 12:35:35 Pacific
Reply:

Do I install them all?



Response Number 10
Name: iceblue
Date: December 9, 2003 at 12:58:26 Pacific
Reply:

http://v4.windowsupdate.microsoft.com/en/default.asp

Definitely anything related to
DCOM RPC, WebDAV, RPC Locator; etc.... the whole lot...
No more file sharing till you get this done...
Read this carefully:
http://www.computing.net/security/wwwboard/forum/7667.html



Response Number 11
Name: jakob
Date: December 9, 2003 at 13:27:40 Pacific
Reply:

All the updates are installed.
But still, that's just the security!
And my problem is infection, so the problem is to locate the malicious program?

Thanks for all the advice.



Response Number 12
Name: jakob
Date: December 9, 2003 at 13:36:40 Pacific
Reply:

arghhh***

My virus scan is clean! My trojan removal utility is clean!
My HijackThis log is okay.

I checked the registry with Tweak XP Pro v.3. Everything okay.

Security is up to date
and everything should be fine.

But my file sharing is not working :(
It's very interesting that just file sharing is not working... I am getting paranoid, maybe this is some Windows-government conspiracy :)




Response Number 13
Name: iceblue
Date: December 9, 2003 at 13:39:44 Pacific
Reply:

heh heh
No, that's just normal paranoia...
we all have it.



Response Number 14
Name: jakob
Date: December 9, 2003 at 13:45:28 Pacific
Reply:

Nice to see I am not alone.

But so close and yet so far...

I am just one of those computer users who really wants to have control of everything.
And I'm in a funny position because I am usually the one who gives people advice and now I am really clueless, and so are my friends, giving just one piece of advice: format c:
But I just installed it 2 weeks ago :(




Response Number 15
Name: iceblue
Date: December 9, 2003 at 13:46:55 Pacific
Reply:

To check further:
** Disable System Restore,
reboot,
and run an online virus scan here.
RAV <<<<< use this one
http://www.ravantivirus.com/scan/

HouseCall <<<<< and use this one...
http://housecall.trendmicro.com/housecall/start_corp.asp



Response Number 16
Name: jakob
Date: December 9, 2003 at 14:03:37 Pacific
Reply:

Nice to see you have ideas...

My System Restore is already disabled.

I already tried HouseCall, but I will do it again!

Then I will try RAV...

Do you think I should scan before the virus activates or after?




Response Number 17
Name: iceblue
Date: December 9, 2003 at 14:12:25 Pacific
Reply:

Both.
I am not convinced you have an active or inactivated virus. We need to confirm that by the scanning, and by the notification of file and location if that comes up.

If you find something - don't delete it yet.
Write down the notification that you get.
Run HijackThis and post a fresh log.



Response Number 18
Name: jakob
Date: December 9, 2003 at 14:24:33 Pacific
Reply:

Nothing...

is found with Trend Micro (after the activation of the worm on eMule!)

I am waiting for the results from RAV.

Then I will try at the beginning...



Response Number 19
Name: jakob
Date: December 9, 2003 at 14:48:22 Pacific
Reply:

So if I understand you correctly I really don't have a virus (obviously).

So what now?



Response Number 20
Name: jakob
Date: December 9, 2003 at 14:59:42 Pacific
Reply:

My new HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 23:58:38, on 9.12.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\Tweak-XP Pro 3\transtask.exe
C:\Program Files\Tweak-XP Pro 3\popup.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\Norman\NVC\BIN\Zanda.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NYMSE.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NIP.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nvcoas.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NVCSCHED.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NJEEVES.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\cclaw.exe
C:\Documents and Settings\Jakob\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fdvinfo.net/index.php?p1=229
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.exe /LOAD /SPLASH
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [TransTask] "C:\Program Files\Tweak-XP Pro 3\transtask.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 3\popup.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37924.4990972222
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab




Response Number 21
Name: jakob
Date: December 9, 2003 at 15:35:31 Pacific
Reply:

Now I reinstalled eMule:

I get this message:
The exception Breakpoint
A breakpoint has been reached
(0x8000003) occurred in the application at location 0x77f75a58???



Response Number 22
Name: iceblue
Date: December 9, 2003 at 16:00:38 Pacific
Reply:

Close all browser windows and have HjT fix these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fdvinfo.net/index.php?p1=229
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
Reboot,
rescan with HjT and repost.



Response Number 23
Name: iceblue
Date: December 9, 2003 at 16:06:24 Pacific
Reply:

Correction:
the O3 item is from a previous log, please ignore that item,
but have HjT fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fdvinfo.net/index.php?p1=229
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)



Response Number 24
Name: iceblue
Date: December 9, 2003 at 16:16:51 Pacific
Reply:

I missed this earlier.
Can you explain in full what this means:
"(after the activation of the worm on eMule!)"

Anything that is reported needs to be passed on fully before you do anything.
If you delete files they will not show up in a HijackThis log.



Response Number 25
Name: jakob
Date: December 10, 2003 at 01:51:22 Pacific
Reply:

It does not fix:
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

Well, I try to fix them, but then when I do a scan they reappear!

What I meant with "after the activation of the worm on eMule!" is that when I run eMule it works for a minute or 2 and then everything goes blank for a moment. And the "worm" closes eMule, and all other programs are okay!

I will try to search within the registry to clean all the remaining file-sharing programs; maybe this helps?




Response Number 26
Name: jakob
Date: December 10, 2003 at 01:54:55 Pacific
Reply:

Are you keen on registry values?

I remember the file name which had Gaobot:
winhlpp32.exe!



Response Number 27
Name: jakob
Date: December 10, 2003 at 02:50:25 Pacific
Reply:

Yes, it's still here!!!

I reinstalled eMule,
I thought everything was okay and then it closed down again :(

I tried Kazaa and Napster; it's the same thing, it works for a while and then it gets switched off...




Response Number 28
Name: jakob juznic
Date: December 10, 2003 at 03:10:18 Pacific
Reply:

Logfile of HijackThis v1.97.7
Scan saved at 12:09:31, on 10.12.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\Tweak-XP Pro 3\transtask.exe
C:\Program Files\Tweak-XP Pro 3\popup.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Program Files\Norman\NVC\BIN\Zanda.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NYMSE.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NIP.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nvcoas.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NJEEVES.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\NVCSCHED.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\nipsvc.exe
C:\PROGRAM FILES\NORMAN\Nvc\BIN\cclaw.exe
C:\Documents and Settings\Jakob\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\PROGRAM FILES\NORMAN\Nvc\BIN\ZLH.exe /LOAD /SPLASH
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 3\AdBlocker.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [TransTask] "C:\Program Files\Tweak-XP Pro 3\transtask.exe"
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 3\popup.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37924.4990972222




Response Number 29
Name: iceblue
Date: December 10, 2003 at 03:42:02 Pacific
Reply:

Back to basics.
http://www.emule-project.net/faq/ <<< read this completely

Firewalls (excerpt)
As most Windows firewalls are application based you can save yourself some trouble by adding a rule which allows eMule.exe all UDP, TCP traffic on all ports in all directions. This will not compromise your security, as no exploits of eMule are known so far. All ports listed here <see link> have to be opened in the firewall's rule set.
Notes:
- ZoneAlarm is reported to cause problems with eMule. It is not recommended. Nice and free firewalls are Kerio Personal Firewall and Agnitum Outpost.

I let HijackThis do most of the work,
which is why we need enough info to help.
Without the information, we are useless, and will have to walk away.

Back to basics:
you are operating with your firewall disabled and you are running major file sharing operations on
eMule,
Kazaa and
Napster.
More than likely you are being re-infected through the file sharing sites.
As well as that, there still may be vulnerabilities to exploit still present on your system.
On top of that the AV system seems unable to prevent re-infection from incoming files, and then seems incapable of removing some infected files.
Re-infection is inevitable in these circumstances.
As well as that you seem to have software conflicts impossible to diagnose without a full examination of your system.

You need to review:
1. your firewall
2. your antivirus program
3. your vulnerabilities and patches
4. your software mix
5. your own personal security decisions on incoming files

When you have these sorted we will be able to fix specific problems that occur.
We cannot enable your system security for you.



Response Number 30
Name: jakob
Date: December 10, 2003 at 05:34:45 Pacific
Reply:

Eureka!!!

I got it now!
It's not security that is the problem but something simpler!
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
is probably a program which does this:
when my program is minimized as a tray icon it shuts it down.

Simple.
Now, how to find this program and remove it.



Response Number 31
Name: jakob
Date: December 10, 2003 at 06:16:10 Pacific
Reply:

Everything works as long as I don't minimize it to the system tray. That's a funny one, don't you think?

It's probably some hoax that a worm left before I found it.

I am so much happier now,
just have to find out how to remove this background program.
Isn't it weird that HijackThis doesn't clean it???


j.



Response Number 32
Name: jakob
Date: December 11, 2003 at 07:57:30 Pacific
Reply:

Nope, false alarm :(

