Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

polo.exe [RESOLVED]


  • This topic is locked This topic is locked

#1
zottekoe

zottekoe

    Member

  • Member
  • PipPip
  • 49 posts
when i open msconfig, polo.exe is there, enabled to start when my pc starts, when i disable it and restart my pc, it just comes back again. help me please!

hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 19:58:58, on 6/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\polo.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\Rar$EX00.125\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - C:\WINDOWS\System32\WStart.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [polo.exe] polo.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\System32\msconfig.exe /auto
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.170.82....chm::/file.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
  • 0

Advertisements


#2
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hello and welcome!

Please print these instructions out, or write them down, as you can't read them during the fix.

First;

Please download Ewido Security Suite it is a free version of the program.
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch Ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit Ewido. DO NOT run a scan yet.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Update AVG to the latest updates.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode:
  • Clean out temporary files:
  • Click Start -> Run and type in: cleanmgr
  • Click "Ok".
  • Let it scan your system.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only ones checked.
  • Click "OK" to remove them.
  • Click "Yes" to confirm the deletion.
Next, launch AVG and run a complete scan with the program. Remove ALL it finds.

Now open Ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido.

Then reboot into normal mode and post your Ewido log here along with a fresh HijackThis log in a reply. :tazz:
  • 0

#3
zottekoe

zottekoe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
---------------------------------------------------------
ewido security suite - Scan rapport
---------------------------------------------------------

+ Gemaakt op: 23:16:04, 6/09/2005
+ Rapport samenvatting: 27660C90

+ Scan resultaten:

HKLM\SOFTWARE\Classes\CLSID\{9896231A-C487-43A5-8369-6EC9B0A96CC0} -> Spyware.Hijacker.Generic : Schoongemaakt met een backup
HKLM\SOFTWARE\Classes\TypeLib\{C5991634-0185-4B0D-B4F9-6C45597962B7} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{14A3221B-1678-1982-A355-7263B1281987} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9896231A-C487-43A5-8369-6EC9B0A96CC0} -> Spyware.Hijacker.Generic : Schoongemaakt met een backup
[200] C:\WINDOWS\system32\tcpG4T.dll -> TrojanSpy.Goldun.bp : Schoongemaakt met een backup
C:\Documents and Settings\Eigenaar\Cookies\eigenaar@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Schoongemaakt met een backup
C:\Documents and Settings\Eigenaar\Cookies\eigenaar@ad1.clickhype[1].txt -> Spyware.Cookie.Clickhype : Schoongemaakt met een backup
C:\Documents and Settings\Eigenaar\Cookies\eigenaar@atdmt[2].txt -> Spyware.Cookie.Atdmt : Schoongemaakt met een backup
C:\Documents and Settings\Eigenaar\Cookies\eigenaar@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Schoongemaakt met een backup
C:\Documents and Settings\Eigenaar\Cookies\eigenaar@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Schoongemaakt met een backup
C:\Documents and Settings\Eigenaar\Cookies\eigenaar@revenue[1].txt -> Spyware.Cookie.Revenue : Schoongemaakt met een backup
C:\Documents and Settings\Eigenaar\Cookies\eigenaar@stat.onestat[2].txt -> Spyware.Cookie.Onestat : Schoongemaakt met een backup
C:\Documents and Settings\Eigenaar\Cookies\eigenaar@targetnet[2].txt -> Spyware.Cookie.Targetnet : Schoongemaakt met een backup
C:\Documents and Settings\Eigenaar\Local Settings\Temp\2.qtdfmp -> Spyware.Hijacker.Generic : Schoongemaakt met een backup
C:\Documents and Settings\Eigenaar\Local Settings\Temp\vx2.game -> TrojanProxy.Lager.x : Schoongemaakt met een backup
C:\Program Files\SpySheriff -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\Program Files\SpySheriff\base.avd -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\Program Files\SpySheriff\base001.avd -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\Program Files\SpySheriff\found.wav -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\Program Files\SpySheriff\heur000.dll -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\Program Files\SpySheriff\heur001.dll -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\Program Files\SpySheriff\heur002.dll -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\Program Files\SpySheriff\IESecurity.dll -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\Program Files\SpySheriff\notfound.wav -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\Program Files\SpySheriff\ProcMon.dll -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\Program Files\SpySheriff\removed.wav -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\Program Files\SpySheriff\SpySheriff.dvm -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\Program Files\SpySheriff\SpySheriff.exe -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\Program Files\SpySheriff\Uninstall.exe -> Spyware.SpySheriff : Schoongemaakt met een backup
C:\WINDOWS\sys3641.exe -> TrojanProxy.Lager.x : Schoongemaakt met een backup
C:\WINDOWS\sys3648.exe -> TrojanProxy.Lager.x : Schoongemaakt met een backup
C:\WINDOWS\sys3822.exe -> TrojanProxy.Lager.x : Schoongemaakt met een backup
C:\WINDOWS\sys3834.exe -> TrojanProxy.Lager.x : Schoongemaakt met een backup
C:\WINDOWS\system32\acipclhc.exe -> TrojanDropper.Small.acz : Schoongemaakt met een backup
C:\WINDOWS\system32\cfdlljbc.exe -> TrojanDropper.Small.acz : Schoongemaakt met een backup
C:\WINDOWS\system32\cqefncfn.exe -> TrojanDropper.Small.acz : Schoongemaakt met een backup
C:\WINDOWS\system32\doser.exe -> Trojan.Small.fh : Schoongemaakt met een backup
C:\WINDOWS\system32\eqbnmfll.exe -> TrojanDropper.Small.acz : Schoongemaakt met een backup
C:\WINDOWS\system32\fcjmopce.exe -> TrojanDropper.Small.acz : Schoongemaakt met een backup
C:\WINDOWS\system32\fddehjil.exe -> TrojanDropper.Small.acz : Schoongemaakt met een backup
C:\WINDOWS\system32\fqnnhdao.exe -> TrojanDropper.Small.acz : Schoongemaakt met een backup
C:\WINDOWS\system32\hacpjaof.exe -> TrojanDropper.Small.acz : Schoongemaakt met een backup
C:\WINDOWS\system32\hnifpmjl.exe -> TrojanDropper.Small.acz : Schoongemaakt met een backup
C:\WINDOWS\system32\latest.exe -> Trojan.Crypt.l : Schoongemaakt met een backup
C:\WINDOWS\system32\pcaidegi.exe -> TrojanDropper.Small.acz : Schoongemaakt met een backup
C:\WINDOWS\system32\poemcfop.exe -> TrojanDropper.Small.acz : Schoongemaakt met een backup
C:\WINDOWS\system32\polo.exe -> Trojan.Small.fh : Schoongemaakt met een backup
C:\WINDOWS\system32\sysvcs.exe -> Trojan.Crypt.l : Schoongemaakt met een backup
C:\WINDOWS\system32\tcpG4T.dll -> TrojanSpy.Goldun.bp : Schoongemaakt met een backup
C:\WINDOWS\system32\vxgame2.exe -> TrojanProxy.Lager.x : Schoongemaakt met een backup
C:\WINDOWS\system32\vxh8jkdq2.exe -> Spyware.Hijacker.Generic : Schoongemaakt met een backup
C:\WINDOWS\system32\zolker010.dll -> Spyware.Zbar : Schoongemaakt met een backup
C:\WINDOWS\system32\ztoolb010.dll -> Spyware.Zbar : Schoongemaakt met een backup
C:\WINDOWS\system32\~update.exe -> Trojan.Crypt.l : Schoongemaakt met een backup


::Einde rapport






Logfile of HijackThis v1.99.1
Scan saved at 23:17:47, on 6/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\Rar$EX00.282\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\System32\msconfig.exe /auto
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#4
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Please download cureit;
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run drweb - cureit
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it finds, and when it says "done" in the lower left corner click on all your drive's.
A red dot will mark the selected drive(s) . Then hit the pedestrian who now has turned green.
Click on the green man in the right corner, it will scan ALL your drive's, hit yes to all.

Reboot.

Post a fresh HiJackThis log once finished. :tazz:
  • 0

#5
zottekoe

zottekoe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Logfile of HijackThis v1.99.1
Scan saved at 16:48:44, on 7/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Eigenaar\LOCALS~1\Temp\Rar$EX00.313\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#6
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Run a scan with HiJackThis and check the following objects for removal:

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)


Close ALL open windows except for HiJackThis and hit FIX CHECKED.

Reboot. Now:
  • Clean out temporary files:
  • Click Start -> Run and type in: cleanmgr
  • Click "Ok".
  • Let it scan your system.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only ones checked.
  • Click "OK" to remove them.
  • Click "Yes" to confirm the deletion.
Post back and let me know how's the system running. :tazz:
  • 0

#7
zottekoe

zottekoe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Logfile of HijackThis v1.99.1
Scan saved at 17:06:15, on 7/09/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\Eigenaar\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.be/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#8
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Any problems at the moment? :tazz:
  • 0

#9
zottekoe

zottekoe

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
not that i know of.. thanx :tazz:
  • 0

#10
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Good job.. Seems clean to me. :)

Let's clear out your restore points now.

Disable System Restore;

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. An message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".


Reboot.

Enable System Restore;

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".


Be sure to set a new restore point. :)

Here's some tips for future to prevent spyware;

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)

Visit;
http://www.windowsupdate.com and install Service Pack 2 along with ALL critical updates available!!

If you want to learn how to help people with malware problems like I helped you, feel free to take a look at this thread; http://www.geekstogo...here-t4817.html :tazz:
  • 0

#11
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP