
Just another problematic hijacker log and pc


This topic is locked. 11 replies to this topic.

#1 DannyLedsham (Members, 13 posts)

Posted 03 July 2005 - 07:55 AM

Hi everyone,
can anyone help?

I have a few problems. I know I have many adwares and spywares, but I don't know how to remove them all.

Help me, please...

I mostly have problems with Internet Explorer, being online, pop-ups, system crashes...

And there are these two exe files I don't know how to remove, and I cannot find anything about them online: iwjx.exe and gomdjkic.exe.
I will follow your advice in every way. Thank you very much in advance.


Logfile of HijackThis v1.99.1
Scan saved at 12:19:44 AM, on 7/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Okuccin\Iwjx.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\windows\system32\gomdjkic.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Washer\washer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\hijacks\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Vule\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Vule\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Eatggfci] C:\Program Files\Okuccin\Iwjx.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [gomdjkic] c:\windows\system32\gomdjkic.exe -start
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Vule"
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6...e/bridge-c9.cab
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binari...ESS_1057_XP.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binari...ESS_1058_XP.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binari...slv32_EN_XP.cab
O20 - AppInit_DLLs: apihookdll.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

best wishes and take care

#2 ddeerrff (Retired, Malware Response Team, 2,735 posts; Upper Midwest, US)

Posted 03 July 2005 - 10:47 PM

Hello DannyLedsham and welcome to BleepingComputer. Quite a collection of malware you have there.

Open the Control Panel then double click on Add/Remove Programs. Look for the following and uninstall them if found:

- Media Access
- Security iGuard
- Spyware Begone
- SpyKiller

Spyware Begone and SpyKiller are both on the list of rogue anti-spyware.


Configure Windows to enable viewing of Hidden and System files.

Please download CWShredder.exe to your desktop from: http://cwshredder.net/bin/CWSInstall.exe
- Run CWShredder.exe.
- Click on Check for Update to be sure you have the most current version.
- Close CWShredder; we will use it later.

Download AboutBuster.zip to your desktop.
- Unzip the contents of AboutBuster.zip to its own folder.
- Navigate to the AboutBuster folder and double-click on AboutBuster.exe.
- Click Update to begin the update process.
- If any updates exist, please install them.
- Close AboutBuster by clicking on Exit. AboutBuster will be used later.

Download CleanUp! and install it.
- Start CleanUp! and click on the CleanUp! button.
- Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.
- Exit Cleanup

Download SpSeHjfix112.zip and unzip it to its own folder.
- We will use it later.


Reboot into Safe Mode.


Run CWShredder and click on the Fix button.

Run SpSeHjfix and click on Start Disinfection.
- As part of the cleaning process, it will reboot your machine.
- The tool will create a log of the fix which will appear in the folder that SpSeHjfix is located in.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Vule\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Vule\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O3 - Toolbar: (no name) - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - (no file)

O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Eatggfci] C:\Program Files\Okuccin\Iwjx.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [gomdjkic] c:\windows\system32\gomdjkic.exe -start
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6...e/bridge-c9.cab
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binari...ESS_1057_XP.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binari...ESS_1058_XP.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binari...slv32_EN_XP.cab

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders (Don't be concerned if they can not be found):

C:\Program Files\Okuccin\Iwjx.exe <--Files
c:\windows\system32\gomdjkic.exe

C:\freescan\ <--Folders
C:\Program Files\SpyKiller\
C:\Program Files\Media Access\
C:\Program Files\Security iGuard\


Browse to where you saved AboutBuster and double click AboutBuster.exe.
- Click Begin removal to allow AboutBuster to scan.
- When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK.
- Another information window will open. Click on Exit.
- AboutBuster will inform you that a log has been created. Click OK.


Reboot and post a fresh HijackThis log and the log that was created by SpSeHjfix.
Derfram
~~~~~~

#3 DannyLedsham (Topic Starter, Members, 13 posts)

Posted 04 July 2005 - 03:46 AM

THANK YOU very much.
I will try to do everything as you said and then post the log files...

take care

#4 DannyLedsham (Topic Starter, Members, 13 posts)

Posted 05 July 2005 - 09:37 PM

Hi there...
I finally did it.
There was some mess-up with SpyKiller and another program. Here are the logs.
AboutBuster had some error.


(7/6/05 1:24:07 AM) SPSeHjFix started v1.1.2
(7/6/05 1:24:07 AM) OS: WinXP Service Pack 1 (5.1.2600)
(7/6/05 1:24:07 AM) Language: english
(7/6/05 1:24:07 AM) Win-Path: C:\WINDOWS
(7/6/05 1:24:07 AM) System-Path: C:\WINDOWS\System32
(7/6/05 1:24:07 AM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(7/6/05 1:24:09 AM) Disinfection started
(7/6/05 1:24:09 AM) Bad-Dll(IEP): (not found)
(7/6/05 1:24:09 AM) Bad-Dll(IEP) in BHO: (not found)
(7/6/05 1:24:09 AM) UBF: 5 - UBB: 0 - UBR: 9
(7/6/05 1:24:09 AM) UBF: 5 - UBB: 0 - UBR: 9
(7/6/05 1:24:09 AM) Bad IE-pages: (none)
(7/6/05 1:24:09 AM) Stealth-String not found
(7/6/05 1:24:09 AM) Not infected->END


(7/6/05 1:27:04 AM) SPSeHjFix started v1.1.2
(7/6/05 1:27:04 AM) OS: WinXP Service Pack 1 (5.1.2600)
(7/6/05 1:27:04 AM) Language: english
(7/6/05 1:27:04 AM) Win-Path: C:\WINDOWS
(7/6/05 1:27:04 AM) System-Path: C:\WINDOWS\System32
(7/6/05 1:27:04 AM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\


This is the HijackThis log in safe mode, if needed, because there are differences:
Logfile of HijackThis v1.99.1
Scan saved at 2:03:25 AM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\hijacks\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Vule"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - AppInit_DLLs: apihookdll.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



And finally the HijackThis log in normal mode...
Please help... I am not sure that everything is right.

Logfile of HijackThis v1.99.1
Scan saved at 2:09:01 AM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijacks\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Vule\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Vule"
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - AppInit_DLLs: apihookdll.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


So here is the log file now... I had a few problems posting and doing it all, but I think I did it... Analyse me now... Thank you...

And I will post the other PC's problematic log in a new post. If you are by chance willing, please help me with that too... Thank you anyway, and so far...

Thank you, and sorry for bothering you.

Best wishes

#5 ddeerrff (Retired, Malware Response Team, 2,735 posts; Upper Midwest, US)

Posted 06 July 2005 - 12:02 AM

Making some progress.

"Spyware Begone" and "SpyKiller" appear to be still installed. Spyware Begone and SpyKiller are both on the list of rogue anti-spyware, and at this time may be interfering with our fix. Please uninstall them from Control Panel, Add/Remove programs. If you are getting any errors when trying to uninstall these, please post the specific errors.


What errors did you see with AboutBuster?


I don't see any antivirus application running on this machine. Download AVG7 by Grisoft. AVG is a well respected antivirus program and it is free for personal use. The Reference Guide for this AV program is listed on the same page.

Please install, update, and run a full system scan using AVG7. Allow it to remove anything it finds. Note anything it finds but can not remove.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Vule\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O20 - AppInit_DLLs: apihookdll.dll

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.

Open Windows Explorer (Windows key+e), navigate to and delete the following files and folders (Don't be concerned if they can not be found):

C:\freescan\ <--Entire Folder
C:\Program Files\SpyKiller\ <--Entire Folder

Reboot and post a fresh HJT log. Normal mode is all I need at this time.
Derfram
~~~~~~
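The two helper posts above (#2 and #5) read the HijackThis log by hand, flag the rogue "anti-spyware" products, the search-page hijack pointing at a DLL in Temp, the O16 ActiveX downloads, the rundll32 entry loading a DLL by bare name and the AppInit_DLLs line, then compare the next log to see what survived the fix round. The script below is an added example of that triage written as code; it is not part of the thread and not HijackThis's own logic. The two sample logs are trimmed copies of entries quoted in this thread, and the rogue-product list and trusted ActiveX host list are hand-curated assumptions for illustration, not a maintained blocklist.

```python
"""Rule-based triage and before/after diff of HijackThis (HJT) logs.

Added example for this thread; not HijackThis code. The two sample logs are
constructed from entries quoted in the thread, trimmed to a few lines each.
"""
import re
from urllib.parse import urlsplit

# Every HJT finding is "<kind> - <body>", e.g. "O4 - HKLM\..\Run: [x] c:\x.exe".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")

# Assumption: a hand-curated list of rogue "anti-spyware" products named in
# this thread. Real triage would use a maintained rogue-software list.
ROGUE_NAMES = ("spyware begone", "spykiller", "security iguard", "media access")

# Assumption: ActiveX (O16 DPF) download hosts accepted silently; any other
# host is surfaced for a human to look at.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

# Constructed sample: a subset of the first log posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Okuccin\Iwjx.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Vule\LOCALS~1\Temp\se.dll/spage.html
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Eatggfci] C:\Program Files\Okuccin\Iwjx.exe
O4 - HKLM\..\Run: [gomdjkic] c:\windows\system32\gomdjkic.exe -start
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6...e/bridge-c9.cab
O20 - AppInit_DLLs: apihookdll.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed sample: a subset of the normal-mode log posted after the first fix round.
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Vule\LOCALS~1\Temp\se.dll/spage.html
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O20 - AppInit_DLLs: apihookdll.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def parse_hjt(text):
    """Return (kind, body) for every R/F/O entry; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def _trusted_host(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def flag_entry(kind, body):
    """Return a short reason when an entry matches a rule, else None."""
    low = body.lower()
    if any(name in low for name in ROGUE_NAMES):
        return "known rogue anti-spyware product"
    if kind in ("R0", "R1") and "res://" in low and "\\temp\\" in low:
        return "IE search page served from a DLL in a Temp folder"
    if kind == "O4" and "rundll32.exe" in low:
        # A DLL named without a path is resolved through the loader search
        # order, which is how the Instant Access entry in this thread hides.
        dll = low.split("rundll32.exe", 1)[1].strip().split(",")[0]
        if "\\" not in dll:
            return "rundll32 loads a DLL by bare name (no path)"
    if kind == "O16":
        host = urlsplit(body.rsplit(" - ", 1)[-1]).hostname or ""
        if not _trusted_host(host):
            return "ActiveX download from untrusted host " + host
    if kind == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
        return "AppInit_DLLs set: DLL injected into every process that loads user32.dll"
    return None


def triage(text):
    """Flagged entries of one log as (kind, body, reason)."""
    found = []
    for kind, body in parse_hjt(text):
        reason = flag_entry(kind, body)
        if reason:
            found.append((kind, body, reason))
    return found


def persisting(before_text, after_text):
    """Flagged entries of the first log that are still present in the second.

    Run this after a fix round: whatever survives was either not fixed or is
    being re-created by something still running, and needs another look.
    """
    after = set(parse_hjt(after_text))
    return [hit for hit in triage(before_text) if (hit[0], hit[1]) in after]


if __name__ == "__main__":
    for kind, body, reason in triage(LOG_BEFORE):
        print(f"{kind}: {reason}\n    {body}")
    print("\nStill present after the first fix round:")
    for kind, body, _ in persisting(LOG_BEFORE, LOG_AFTER):
        print(f"    {kind} - {body}")
```

Note the limit of rule-based triage: the two randomly named executables (Iwjx.exe, gomdjkic.exe) match none of these rules and were spotted by the human reader in post #2; a script like this narrows the list, it does not replace the review. The persisting list for the two samples is exactly what post #5 asks to fix again: the search-bar hijack, the rundll32 Instant Access entry, the two rogue products and the AppInit_DLLs line.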

#6 DannyLedsham (Topic Starter, Members, 13 posts)

Posted 06 July 2005 - 02:31 PM

Hey,
hi.

One question:
do I have to disable System Restore?

:-)

#7 ddeerrff (Retired, Malware Response Team, 2,735 posts; Upper Midwest, US)

Posted 06 July 2005 - 02:55 PM

No, do NOT disable system restore.

After you are completely clean, THEN you can consider disabling/re-enabling system restore to clear the restore points. Until then, having a restore point that contains a bit of malware is better than having no restore point at all.
Derfram
~~~~~~

#8 DannyLedsham (Topic Starter, Members, 13 posts)

Posted 07 July 2005 - 02:26 AM

(7/6/05 5:49:09 PM) SPSeHjFix started v1.1.2
(7/6/05 5:49:09 PM) OS: WinXP Service Pack 1 (5.1.2600)
(7/6/05 5:49:09 PM) Language: english
(7/6/05 5:49:09 PM) Win-Path: C:\WINDOWS
(7/6/05 5:49:09 PM) System-Path: C:\WINDOWS\System32
(7/6/05 5:49:09 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(7/6/05 5:49:13 PM) Disinfection started
(7/6/05 5:49:13 PM) Bad-Dll(IEP): (not found)
(7/6/05 5:49:13 PM) Bad-Dll(IEP) in BHO: (not found)
(7/6/05 5:49:13 PM) UBF: 5 - UBB: 0 - UBR: 5
(7/6/05 5:49:13 PM) UBF: 5 - UBB: 0 - UBR: 5
(7/6/05 5:49:13 PM) Bad IE-pages: (none)
(7/6/05 5:49:13 PM) Stealth-String not found
(7/6/05 5:49:13 PM) Not infected->END


Hey there, this is the latest HijackThis log file...
I still have a problem with IE.
My IE on this PC opens; it doesn't have any other homepage than the blank one (like I wanted it), but it doesn't open any page.

Any ideas?

Would this help with my IE?
Internet Explorer
1. Start
2. Run

rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %windir%\inf\ie.inf

???

Does the HijackThis log below look OK? I just don't know why I have two MSMSGS.EXE and another one mentioned, but in small letters.


Thank you, all around

Logfile of HijackThis v1.99.1
Scan saved at 6:23:37 PM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\hijacks\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Vule"
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I installed AVG7 as you said, on both PCs. It is nice. [I must say that on the other PC it reports the PC clean even though I still have a problem with some registry entry that re-appears and changes my homepage from blank to msn.com, but that is another problem and has its own post: http://www.bleepingcomputer.com/forums/Another_pc_another_problem-t23757.html] So my question is: since I have the updated version, does AVG search for viruses only and not adware and spyware?

#9 ddeerrff (Retired, Malware Response Team, 2,735 posts; Upper Midwest, US)

Posted 07 July 2005 - 10:24 AM

The HijackThis log appears malware free.

> I still have a problem with IE.
> My IE on this PC opens; it doesn't have any other homepage than the blank one (like I wanted it), but it doesn't open any page.

Do I understand correctly: IE opens normally, but you are unable to open any web page? Please post any error message you are getting.

We can try rebuilding your TCP/IP/LSP stack.
Download Winsockfix.zip from here. Follow the instructions on that page to unzip and run the program. Let me know if you are now able to get to web sites.

rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %windir%\inf\ie.inf

The above will attempt to reinstall IE. You will need to have your XP CD available for this. See http://www.dougknox.com/xp/tips/xp_ie_reinstall.htm. If you would like, go ahead and run it. I don't believe that to be your problem, but it shouldn't hurt.

> I just don't know why I have two MSMSGS.EXE and another one mentioned, but in small letters.

The O4 line indicates the program starting and running in the background. The two other entries are for extra buttons and menu items referring to Windows Messenger. These entries are all normal.

> I installed AVG7 as you said

I don't see AVG running on this machine. Be sure you have it configured for real-time protection.

> does AVG search for viruses only and not adware and spyware?

AVG is an anti-virus program, not an anti-spyware program. It provides protection from computer viruses. Other programs and methods are needed for full protection against adware/spyware/malware/trojans etc. We will cover that further after you are fully cleaned.

After running WinsockFix, let me know how things are working.
Derfram
~~~~~~

#10 DannyLedsham (Topic Starter, Members, 13 posts)

Posted 12 July 2005 - 10:20 AM

I've been away since Thursday, so now I am back in reality and to these problems with unreal machines...

I will do as you said!!!

Thank you very much

#11 DannyLedsham (Topic Starter, Members, 13 posts)

Posted 18 July 2005 - 08:13 PM

Hi there,

it looks like ZoneAlarm was blocking my IE.
Now it is just slow...

I did the Kaspersky online scan and Kaspersky on my PC.

This is the result of my home scan:
(screenshot of the home scan result; image not included)

and the online scan:
-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Tuesday, July 19, 2005 01:37:39
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/07/2005
Kaspersky Anti-Virus database records: 130938
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 52975
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 7859 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.



So... what do you say, if you are still here with me?
Thank you anyway

#12 ddeerrff (Retired, Malware Response Team, 2,735 posts; Upper Midwest, US)

Posted 18 July 2005 - 08:53 PM

That's looking good. The Kaspersky online scan is quite thorough.

You do have the Matlab Web server running, and my research shows that can slow a system down. I'm not at all familiar with the Matlab software. There may be a way to disable the server within the Matlab configuration.

Alternately, click on Start, then Run, and type in Services.msc. Find MATLAB Server in the list, and double click on it. Change the 'Startup Type:' to Manual, and click Apply. Click on Stop and then OK to close the window. See if that helps any with the speed.

If you have not done one in a while, a disk defrag may help. Microsoft explains how here.

You can test various aspects of your internet connection using the Tests+Tools at http://www.dslreports.com/.


Let me know if any of the above help.
Derfram
~~~~~~



