Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

a questionable...program.[RESOLVED]

  • This topic is locked This topic is locked



    New Member

  • Member
  • Pip
  • 2 posts
Scan saved at 9:13:56 PM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
*Modified to get past the filter as i dont care if its outdated..i know whats wrong
Running processes:
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\IDA\ida.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\keith.SALMELA-6M4F393\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\KEITH~1.SAL\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\KEITH~1.SAL\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: (no name) - {92044299-E001-4E6B-8CDD-E3F2543D12CA} - C:\WINDOWS2\System32\jogn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS2\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\KEITH~1.SAL\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunServices: [Microsoft SCVHOST32 Protocol] scvhost32.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O18 - Filter: text/html - {90C57C01-B2A3-41A4-8B7F-34685F5F12C4} - C:\WINDOWS2\System32\jogn.dll
O18 - Filter: text/plain - {90C57C01-B2A3-41A4-8B7F-34685F5F12C4} - C:\WINDOWS2\System32\jogn.dll
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS2\System32\Ati2evxx.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

Well if you see in the running processes it says Rundll32.exe. I know rundll is important....but thats clearly spyware/malware/annoying as it causes popups.
I was wondering how would be the best possible way to deleteing it without killing my computer.
Also does rundll also reside in system32? if not then thats one easy way to kill it.
The rest i will have to find manually and delete as it wont be deleted any other way.
  • 0





  • Retired Staff
  • 19,711 posts
  • MVP
Hello there and welcome to GeeksToGo! My name is Kat, and I will help you get fixed back up and on the go.

Actually, the rundll is NOT what is causing your problems. You have a very nasty case of the CoolWebSearch virus, as evidenced by this line:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\KEITH~1.SAL\LOCALS~1\Temp\se.dll/spage.html

Just 'finding it and manually deleting it' will not cure this infection. There are special tools involved to kill this, and it takes a few steps.

I will be happy to help you get this taken care of, but I have to see a new HJT log from the newest version in order to do so.

The first thing we need to tackle is to get you updated to the newest version of HijackThis. Please go Here and download the newest version 1.99.1. Please be sure to save it to a permanent directory, such as C:\Prgram Files\HJT.
  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
well i got rid of the issue with a nice boot into shell mode and i went through the list of things that came up as spyware ;D
Thanks for the help anyways :tazz: i'll try to hang out in this thread and help others also,i truely do hate intrusive malware.
  • 0




  • Retired Staff
  • 19,711 posts
  • MVP
I sincerely hope you were able to remove it all yourself. If not, please feel free to come back and start a new topic.

Here at GeekstoGo we have a strict policy about helping members. You cannot do so unless you are a Staff member..at least when the problem is Malware related!

Good luck to you!
  • 0




  • Retired Staff
  • 19,711 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP