
Log, Trying To Remove Morwill Search Malware


  • This topic is locked
2 replies to this topic

#1 Sruli

Sruli

  • Members
  • 1 posts

Posted 15 October 2005 - 11:20 PM

B"H

I am having the, apparently not so common yet, problem of Morwill Search coming up whenever I click a link on Google. I've located one strange .dll, jkkih.dll, and I've tried removing it by unloading it, incorporating fixvundo, and running KillBox. I deleted it and the hikkj.* files in Window/System32. It's back. Here is my log after reboot. I'm sure I have other "interesting" files, too.


Logfile of HijackThis v1.99.1
Scan saved at 12:19:02 AM, on 10/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PivX\PreEmpt\loadsvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Documents and Settings\Srulinator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\jkkih.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: jkkih - C:\WINDOWS\System32\jkkih.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe



#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 20 October 2005 - 10:59 AM

Please post a complete log. I see malware in what you posted but there may be more in the part of the log that you did not post. Thanks.

There are several reasons for putting HiJackThis into its own folder.
  • HiJackThis is an analysis AND a repair tool. When you fix something in HiJackThis, you are deleting a bad entry in the Windows Registry. In case of a mistake being made, there is a reversal for line entry deletions. HiJackThis creates a new file which is a backup log of changes and you can reverse the line entry deletion. BUT...HiJackThis needs a safe folder to keep these critical backup logs and a temp folder is definitely not safe as you might run Disk Cleanup and delete them.
  • If you save HiJackThis to your desktop, you may easily lose track of the backup log in the wallpaper area (or someone might delete the backup file by dragging it to the Recycle Bin).
  • If you run HiJackThis from a zip folder, backups may not be made.
  • If you run HiJackThis from a Local Settings Temporary folder in XP or Windows 2000, when you post for help on a forum, the resulting text log will usually show your full name in a line entry since your Windows user profile is commonly named with your full name. When you copy and paste your log, HiJackThis provides a line entry showing the path to its running folder. If you use another folder like HiJackThis in the root of the C: drive (as recommended) then your Profile Name will NOT be displayed in the log.
Please download HijackThis Self-installer
  • This is the easiest way to install HijackThis to your computer
  • This is a complete installer that installs HijackThis on the computer to C:\Program Files\HijackThis.
  • It makes an entry in the start menu
  • It allows you to have a shortcut on your desktop as well.
  • HijackThis is currently at Version 1.99.1 released on 16.02.2005.
  • It is important that you uninstall any previous versions by using Add/Remove programs in your control panel before installing a newer version.
You are currently using an unpatched version of Microsoft XP. It is CRITICAL that you update to Windows XP Service Pack 1a. You may also order the CD. If you run into troubles, please post them here.

IMPORTANT: DO NOT update to Service pack 2. Doing so before your computer is clean can cause Windows to become unstable.
We will update to SP2 when you are clean.


Please post back with a HJT log and your computer running with Service pack 1 or with any problems you are having updating.

Edited by suebaby41, 20 October 2005 - 11:05 AM.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
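
An added example, not part of the original posts and not code from HijackThis: a short Python triage of log lines copied from post #1. It lists DLLs that are registered under more than one section (here jkkih.dll under both O2 and O20) and redacts the profile name from paths before a log is posted, the exposure the reply above describes. All function names are illustrative.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Srulinator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\jkkih.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: jkkih - C:\WINDOWS\System32\jkkih.dll
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
DLL_PATH = re.compile(r"[A-Za-z]:\\[^<>|\"*?\r\n]*?\.dll\b", re.IGNORECASE)
PROFILE = re.compile(r"(\\Documents and Settings\\)[^\\\r\n]+", re.IGNORECASE)

def parse_entries(log):
    """Return (section, text) pairs for entry lines such as 'O2 - ...'."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def dll_sections(log):
    """Map each DLL path (lowercased) to the set of sections that reference it."""
    seen = defaultdict(set)
    for section, text in parse_entries(log):
        for path in DLL_PATH.findall(text):
            seen[path.lower()].add(section)
    return dict(seen)

def multi_hook_dlls(log):
    """DLLs registered in more than one section, e.g. BHO (O2) and Winlogon Notify (O20)."""
    return {p: sorted(s) for p, s in dll_sections(log).items() if len(s) > 1}

def redact_profile(log, placeholder="<user>"):
    """Replace the Windows XP/2000 profile name in paths before posting a log publicly."""
    return PROFILE.sub(lambda m: m.group(1) + placeholder, log)

if __name__ == "__main__":
    for path, sections in multi_hook_dlls(SAMPLE_LOG).items():
        print(f"{path} is referenced by {', '.join(sections)}")
    print(redact_profile(SAMPLE_LOG).splitlines()[1])
```

A DLL that shows up under Winlogon Notify is loaded at logon, which is consistent with the file reappearing after deletion as described in post #1.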

#3 suebaby41


Posted 15 December 2005 - 04:36 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



