Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

help me!


  • Please log in to reply
2 replies to this topic

#1 pinklotus

pinklotus

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:12:15 AM

Posted 23 November 2004 - 08:25 PM

Hi u all,
Another problem come with me.
Another PC in my office get the makemesearch trojan and get an security alert : warning you are in danger...on the desktop that can not move.
I'll run HJT & send u the logs cat later. This PC run WinXP program.

Hope u enjoy the day! :thumbsup:

BC AdBot (Login to Remove)

 


#2 pinklotus

pinklotus
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:12:15 AM

Posted 23 November 2004 - 09:20 PM

Here is the PC's logs cat:
Logfile of HijackThis v1.98.2
Scan saved at 9:15:47 AM, on 11/24/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Vietkey2000\VKNT.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Trong Vien\My Documents\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=115
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=115
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D4820} - C:\WINDOWS\System32\spm4820.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll
O4 - HKLM\..\Run: [Vietkey] C:\Program Files\Vietkey2000\VKNT.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\runsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\runsrv32.exe
O9 - Extra button: P&&PDIE - {2514D59E-3D7E-4EF1-9FA8-6F49BF779132} - C:\Program Files\Popup & Privacy Defender for IE\pdie.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/6/files.chm::/file.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{70DDA50F-899B-467C-86EE-5A163F05A78D}: NameServer = 192.168.1.199,203.162.0.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{70DDA50F-899B-467C-86EE-5A163F05A78D}: NameServer = 192.168.1.199,203.162.0.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{70DDA50F-899B-467C-86EE-5A163F05A78D}: NameServer = 192.168.1.199,203.162.0.11

Help me if u can (this is the PC of my chief... :thumbsup: )

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,542 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:15 AM

Posted 27 November 2004 - 04:49 PM

Can you please zip and email the following files to grinler@yahoo.com:

C:\WINDOWS\System32\MTC.dll
C:\WINDOWS\System32\spm4820.dll
C:\WINDOWS\System32\runsrv32.exe

When you email me, please include a link to this topic.

Thanks


I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=115
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=115
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D4820} - C:\WINDOWS\System32\spm4820.dll
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\runsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\runsrv32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/6/files.chm::/file.exe

Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)

C:\WINDOWS\System32\MTC.dll
C:\WINDOWS\System32\spm4820.dll
C:\WINDOWS\System32\runsrv32.exe

Reboot your computer to go back to normal mode and post a new log.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users