[Ataraxis]

Hey, my first time to the forums . I own my own computer that is clean as a whistle and runs well... but the rest of my family uses another computer that is plagued with every possible virus and problem it seems.

Here is the HJL log.

Logfile of HijackThis v1.98.1
Scan saved at 5:17:13 PM, on 4/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WSup.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Emily\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Emily\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {D625980F-28FB-46BA-91DA-EF9D55672E29} - C:\WINDOWS\system32\jjlpcaa.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Carrie\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O18 - Filter: text/html - {2BD1DD1D-260F-4CF7-8817-5CBFD2688A6C} - C:\WINDOWS\system32\jjlpcaa.dll
O18 - Filter: text/plain - {2BD1DD1D-260F-4CF7-8817-5CBFD2688A6C} - C:\WINDOWS\system32\jjlpcaa.dll


If someone could help me as soon as they can, it would be much appreciated

Edited by Ataraxis, 27 April 2005 - 05:16 PM.

[Advertisements]

Hello,

°First of all, you are still using a previous version of hijackthis..so please update your version by starting hijackthis,
click on the 'misc tools'>Check for update online. Download the new version (1.99.1), unzip it and make sure you put it in an permanent folder.
(If the update option doesn't work, please download your new version here

Go to controlpanel > software > add/remove programs and uninstall next if present:

Media Access
Wintools
Websearch Toolbar

REBOOT afterwards.

Download http://www.trojaner-...gi?file=sphjfix
Unzip it to your desktop.

Start SpSeHjfix and click "Start disinfection"

Let it finish the job.

Restore your websettings: Go to start > controlpanel > Internetoptions > Tab Programs.
Click: "Restore Websettings"

When done, post a new hijackthislog together with the log that SpSeHjfix produced. (it's in the same folder as SpSeHjfix)

[miekiemoes]

Hello,

°First of all, you are still using a previous version of hijackthis..so please update your version by starting hijackthis,
click on the 'misc tools'>Check for update online. Download the new version (1.99.1), unzip it and make sure you put it in an permanent folder.
(If the update option doesn't work, please download your new version here

Go to controlpanel > software > add/remove programs and uninstall next if present:

Media Access
Wintools
Websearch Toolbar

REBOOT afterwards.

Download http://www.trojaner-...gi?file=sphjfix
Unzip it to your desktop.

Start SpSeHjfix and click "Start disinfection"

Let it finish the job.

Restore your websettings: Go to start > controlpanel > Internetoptions > Tab Programs.
Click: "Restore Websettings"

When done, post a new hijackthislog together with the log that SpSeHjfix produced. (it's in the same folder as SpSeHjfix)

[Ataraxis]

Ok, thanks, here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:17:07 PM, on 4/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Emily\My Documents\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


And here is the SPSehjfix thing:



(4/28/05 5:03:52 PM) SPSeHjFix started v1.1.2
(4/28/05 5:03:52 PM) OS: WinXP Service Pack 2 (5.1.2600)
(4/28/05 5:03:52 PM) Language: english
(4/28/05 5:03:52 PM) Win-Path: C:\WINDOWS
(4/28/05 5:03:52 PM) System-Path: C:\WINDOWS\system32
(4/28/05 5:03:52 PM) Temp-Path: C:\DOCUME~1\Emily\LOCALS~1\Temp\
(4/28/05 5:03:55 PM) Disinfection started
(4/28/05 5:03:55 PM) Bad-Dll(IEP): (not found)
(4/28/05 5:03:55 PM) Bad-Dll(IEP) in BHO: (not found)
(4/28/05 5:03:55 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\system32\hhgp.dll
(4/28/05 5:03:55 PM) Searchassistant Uninstaller - Keys Deleted
(4/28/05 5:03:55 PM) UBF: 4 - UBB: 0 - UBR: 0
(4/28/05 5:03:55 PM) UBF: 4 - UBB: 0 - UBR: 0
(4/28/05 5:03:55 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\Carrie\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(4/28/05 5:03:55 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank

Thanks again for the help, get back to me whenever you can.

[miekiemoes]

That is one of the shortest logs I have ever seen.

Well, actually, it was all malware installed. So now I strongly suggest you install an antivirus and a firewall!! Because your system is very vulnerable for the moment!!

AVG OR Avast are good FREE antivirus.
Zonealarm OR Sygate are FREE firewalls.

Update your antivirus and let it perform a full scan to get rid of the leftovers.

Next, to get rid of some other leftovers added by spyware/adware..

Download the latest version of Ad-Aware:
http://www.lavasoft....pport/download/

After installing AAW, and before running the program.
Please be sure to update the reference file following the instructions here:
http://www.lavahelp.net/howto/updref/

Reconfigure Ad-Aware for Full Scan:

Launch the program, and click on the Gear at the top of the start screen.

Click the 'Scanning' button.
Under Drives, Folders and Files, select 'Scan within Archives'.
Click 'Click here to select Drives + folders' and select your installed hard drives.

Under Memory & Registry, select all options.
Click the 'Advanced' button.
Under 'Log-file detail level', select all options.
Click the 'Tweaks' button.

Under 'Scanning Engine', select the following:
'Unload recognized processes during scanning.'
Under 'Cleaning Engine', select the following:
'Let Windows remove files in use after reboot.'
Click on 'Proceed' to save these Preferences.

Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.

Post a last hijackthislog afterwards to make sure everything stayed clean.

Edited by miekiemoes, 28 April 2005 - 05:39 PM.

[Ataraxis]

Ok, it's working alot better now, here is the HJL after doing all you recommended,

Logfile of HijackThis v1.98.1
Scan saved at 8:38:17 PM, on 4/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Emily\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {70506FAA-145B-45F1-91FC-6C7D7FD88885} - C:\WINDOWS\system32\klbge.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\resej.dll

[miekiemoes]

Hello,

Seems like you have the one with the hidden installer.
Hmmm.. can you perform SpSeHjfix again?
Post the log from SpSeHjfix afterwards in your next reply together with a new hijackthislog.

[Ataraxis]

The Spsejfix thing said it wasn't infected...

(4/30/05 12:06:27 PM) SPSeHjFix started v1.1.2
(4/30/05 12:06:27 PM) OS: WinXP Service Pack 2 (5.1.2600)
(4/30/05 12:06:27 PM) Language: english
(4/30/05 12:06:27 PM) Win-Path: C:\WINDOWS
(4/30/05 12:06:27 PM) System-Path: C:\WINDOWS\system32
(4/30/05 12:06:27 PM) Temp-Path: C:\DOCUME~1\Emily\LOCALS~1\Temp\
(4/30/05 12:06:30 PM) Disinfection started
(4/30/05 12:06:30 PM) Bad-Dll(IEP): (not found)
(4/30/05 12:06:30 PM) Bad-Dll(IEP) in BHO: (not found)
(4/30/05 12:06:30 PM) UBF: 4 - UBB: 0 - UBR: 1
(4/30/05 12:06:30 PM) UBF: 4 - UBB: 0 - UBR: 1
(4/30/05 12:06:30 PM) Bad IE-pages: (none)
(4/30/05 12:06:30 PM) Stealth-String not found
(4/30/05 12:06:30 PM) Not infected->END

and here is HJL from just now:

Logfile of HijackThis v1.99.1
Scan saved at 12:09:34 PM, on 4/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Emily\My Documents\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk596YYUS
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[miekiemoes]

This is odd, your log changes every step without I ask you to fix anything in it. I can't really follow it. Is this a log from another account on your system?

I see you installed mywebsearch. Well I suggest you uninstall it aggain, because this can bring spyware with it.

After the uninstall of Mywebsearch, post a new hijackthislog please.

[miekiemoes]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.