
gaaaah, would someone check this?


  • This topic is locked
4 replies to this topic

#1 play_dead

  • Members
  • 1 posts

Posted 09 April 2005 - 10:12 PM

Hello.. I'm having trouble with pop-ups and spyware. Earlier I clicked on a pop-up thinking it was official, because I just reinstalled Windows XP and my computer is going so SO slow now, the internet hardly starts.. it won't let me install SP2 properly either. The pop-up I clicked on said something like ''System to user.. you may notice Windows isn't running correctly and it's going considerably slower, this is because you have errors in your registry, please visit registry-doctor.com to fix your PC'' so, me thinking this was official, I went to the site and downloaded the thing... stupid me!!

Anyway.. would someone be ever so kind and check this out for me? Do I have any nasties lurking in my PC or anything that needs to be deleted? Thanks..



Logfile of HijackThis v1.99.1
Scan saved at 21:17:49, on 09/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\kav32.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\wnmsconfig.exe
C:\WINDOWS\System32\Systemwks32.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wifsipc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.q-serve.com/signup.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Win Microsoft Config] wnmsconfig.exe
O4 - HKLM\..\Run: [Windows Bootup] Systemwks32.exe
O4 - HKLM\..\Run: [NvCplScan] kav32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [q8c3D] C:\WINDOWS\mlemx.exe
O4 - HKLM\..\RunServices: [Win Microsoft Config] wnmsconfig.exe
O4 - HKLM\..\RunServices: [Windows Bootup] Systemwks32.exe
O4 - HKLM\..\RunServices: [NvCplScan] kav32.exe
O4 - HKLM\..\RunOnce: [NvCplScan] kav32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Win Microsoft Config] wnmsconfig.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvCplScan] kav32.exe
O4 - HKCU\..\Run: [c0o9RgK5e] wifsipc.exe
O4 - HKCU\..\RunOnce: [NvCplScan] kav32.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1113072516730

#2 ddeerrff

    Retired


  • Malware Response Team
  • 2,725 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 10 April 2005 - 07:46 PM

Hello play_dead and welcome to BleepingComputer.


Open Control Panel then Add/Remove Programs. Look for the following and uninstall them if found:
Media Access


Configure Windows to enable viewing of Hidden and System files.

Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)

O4 - HKLM\..\Run: [Win Microsoft Config] wnmsconfig.exe
O4 - HKLM\..\Run: [Windows Bootup] Systemwks32.exe
O4 - HKLM\..\Run: [NvCplScan] kav32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [q8c3D] C:\WINDOWS\mlemx.exe
O4 - HKLM\..\RunServices: [Win Microsoft Config] wnmsconfig.exe
O4 - HKLM\..\RunServices: [Windows Bootup] Systemwks32.exe
O4 - HKLM\..\RunServices: [NvCplScan] kav32.exe
O4 - HKLM\..\RunOnce: [NvCplScan] kav32.exe
O4 - HKCU\..\Run: [Win Microsoft Config] wnmsconfig.exe
O4 - HKCU\..\Run: [NvCplScan] kav32.exe
O4 - HKCU\..\Run: [c0o9RgK5e] wifsipc.exe
O4 - HKCU\..\RunOnce: [NvCplScan] kav32.exe

If you did not set the following, also check this:
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders if found (do not be concerned if they do not exist):

C:\WINDOWS\wnmsconfig.exe
C:\WINDOWS\Systemwks32.exe
C:\WINDOWS\mlemx.exe
C:\WINDOWS\wifsipc.exe

C:\WINDOWS\System32\wnmsconfig.exe
C:\WINDOWS\System32\Systemwks32.exe
C:\WINDOWS\System32\wifsipc.exe
C:\WINDOWS\System32\kav32.exe

C:\Program Files\Media Access\ <--Folder

If any of these resist being deleted, boot into Safe Mode and try from there.


I notice you do not have any anti-virus software running. On today's internet, an up-to-date AV is a must. AVG by Grisoft is a well-respected and free AV program.


Reboot and post a new HJT log.
Derfram
~~~~~~
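The O4 autorun entries are the core of both responders' fix lists. As an added example (not part of this thread and not HijackThis code), the Python below parses O4 lines in the format of the log above and flags executables registered under more than one autorun key, the redundant persistence pattern that kav32.exe, wnmsconfig.exe and Systemwks32.exe show here. The sample lines are constructed from the posted log; the heuristic, threshold and function names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the O4 (registry autorun) lines copied from the
# HijackThis log posted above, so the functions can run offline.
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Win Microsoft Config] wnmsconfig.exe
O4 - HKLM\..\Run: [Windows Bootup] Systemwks32.exe
O4 - HKLM\..\Run: [NvCplScan] kav32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [q8c3D] C:\WINDOWS\mlemx.exe
O4 - HKLM\..\RunServices: [Win Microsoft Config] wnmsconfig.exe
O4 - HKLM\..\RunServices: [Windows Bootup] Systemwks32.exe
O4 - HKLM\..\RunServices: [NvCplScan] kav32.exe
O4 - HKLM\..\RunOnce: [NvCplScan] kav32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Win Microsoft Config] wnmsconfig.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvCplScan] kav32.exe
O4 - HKCU\..\Run: [c0o9RgK5e] wifsipc.exe
O4 - HKCU\..\RunOnce: [NvCplScan] kav32.exe
"""

# O4 line shape: O4 - <HIVE>\..\<Key>: [<name>] <command>
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$')

def executable_basename(command):
    """Lower-cased file name of the program an autorun command launches
    (quoted path with arguments, unquoted path with spaces, or bare name)."""
    command = command.strip()
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]
    else:
        end = command.lower().find('.exe')
        program = command[:end + 4] if end >= 0 else command.split()[0]
    return program.rsplit('\\', 1)[-1].lower()

def suspicious_autoruns(log_text, min_keys=2):
    """Map executable basename -> sorted 'HIVE\\Key' list for programs found
    under min_keys or more distinct autorun keys (assumed heuristic: normal
    software uses one key, the same file under Run, RunServices and RunOnce
    in both hives is the pattern kav32.exe shows in the log above)."""
    keys = defaultdict(set)
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, _name, command = m.groups()
            keys[executable_basename(command)].add(hive + '\\' + key)
    return {exe: sorted(k) for exe, k in keys.items() if len(k) >= min_keys}
```

Running `suspicious_autoruns(HJT_O4_LINES)` returns exactly the three files both responders told play_dead to fix and delete; raising `min_keys` narrows the list to the most aggressively registered ones.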

#3 Guest_Cretemonster_*

  • Guests

Posted 10 April 2005 - 07:46 PM

Hello play_dead, welcome to Bleeping Computers!!

Let's get started by checking Add\Remove Programs!
Click Start>>Click Control Panel>>Click Add\Remove Programs

Locate and Remove any of these that exist there:

Media Access
ISTbar
MS Updates


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)

O4 - HKLM\..\Run: [Win Microsoft Config] wnmsconfig.exe

O4 - HKLM\..\Run: [Windows Bootup] Systemwks32.exe

O4 - HKLM\..\Run: [NvCplScan] kav32.exe

O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

O4 - HKLM\..\Run: [q8c3D] C:\WINDOWS\mlemx.exe

O4 - HKLM\..\RunServices: [Win Microsoft Config] wnmsconfig.exe

O4 - HKLM\..\RunServices: [Windows Bootup] Systemwks32.exe

O4 - HKLM\..\RunServices: [NvCplScan] kav32.exe

O4 - HKLM\..\RunOnce: [NvCplScan] kav32.exe

O4 - HKCU\..\Run: [Win Microsoft Config] wnmsconfig.exe

O4 - HKCU\..\Run: [NvCplScan] kav32.exe

O4 - HKCU\..\Run: [c0o9RgK5e] wifsipc.exe

O4 - HKCU\..\RunOnce: [NvCplScan] kav32.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Reboot into SAFE MODE (tap F8 when restarting).
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders. This must be done after restarting in Safe Mode!!
Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...showtutorial=62
Be sure to use the Instructions For XP!

While in Safe Mode, locate and delete the files or folders listed in bold print:

C:\WINDOWS\mlemx.exe<< File Only!

C:\WINDOWS\System32\kav32.exe<< File Only!

C:\WINDOWS\System32\wnmsconfig.exe<< File Only!

C:\WINDOWS\System32\Systemwks32.exe<< File Only!

C:\Program Files\Media Access<< Entire Media Access Folder!

C:\Program Files\ISTbar<< Entire ISTbar Folder!

When finished, reboot your system again and bring it back up in normal mode. Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.

Make Sure Normal Startup is Checked!!

Select the tab labeled Startup and put a Check by every box there!! Once everything is enabled, run "Hijack This!" and post a new log to this thread!!

Here is a link explaining:
http://netsquirrel.com/msconfig/

#4 Guest_Cretemonster_*

  • Guests

Posted 10 April 2005 - 08:23 PM

Sorry ddeerrff, we must have hit this one at the same time!

play_dead, stick with ddeerrff's instructions, you are in most capable hands!


Plus, I missed C:\WINDOWS\System32\wifsipc.exe :thumbsup:

Sorry about the Intrusion!!!

#5 ddeerrff

    Retired


  • Malware Response Team
  • 2,725 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 25 April 2005 - 12:46 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~



