Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Spyware/Malware Infection - Extremely Annoying [CLOSED]


  • This topic is locked This topic is locked

#1
j-alexander

j-alexander

    Member

  • Member
  • PipPip
  • 42 posts
Did have a problem with smitfraud.c perviously but I believe this virus is different. It's a miracle I am even able to give you a log on here as I couldnt get passed an error message however it seems to come and go - tempermental. The main differences between this infection and smitfraud is no change in the desktop wallpaper, a hijack attempt on the home page and some form of other internet hijack (a popup of some sort) trying to appear.

The PC which is infected runs on windows 98 and I am currently using a clean xp system.
Here's the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:30:44, on 21/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\SYSVCS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {21E1CE21-55E1-11DA-A16B-0002A5F504A4} - C:\WINDOWS\SYSTEM\NEDD.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: StartMulti - {D741A309-75B3-929C-5D25-C7A1BCA0C982} - C:\PROGRAM FILES\ACID BLUE ERROR\INSIDE MATH.DLL (file missing)
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MOSearch] c:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\SYSTEM\sysvcs.exe
O4 - HKCU\..\RunServices: [aupd] C:\WINDOWS\SYSTEM\sysvcs.exe
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...ireShowdown.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = home.co.uk
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 194.168.4.100,194.168.8.100
O18 - Filter: text/html - {21E1CE20-55E1-11DA-A16B-0002CAB9A13F} - C:\WINDOWS\SYSTEM\NEDD.DLL
O18 - Filter: text/plain - {21E1CE20-55E1-11DA-A16B-0002CAB9A13F} - C:\WINDOWS\SYSTEM\NEDD.DLL
O21 - SSODL: hbeUYKE - {07D00B15-AD7A-A1BF-840D-413A4D7E085C} - C:\WINDOWS\SYSTEM\PZRKD.DLL


I have been helped fantastically by people on these boards before, and I'm sure you will be able to do something to help.

Thanks in advance,

j-alexander
  • 0

Advertisements


#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi j-alexander and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.



Your system has an About:Blank infection as well as other less serious infections.

1. Download the stand alone version of CWShredder
  • Save the program to your Desktop
  • Click on the CWShredder icon, then on the RUN button
  • Click on "Check for Updates"
  • Once the program is updated, close it until needed. DO NOT USE IT NOW
2. If you do not have a zip program please download and install the evaluation version of Winzip.

3. Download SpSeHjfix.zip to the desktop.
  • Then right click on the desktop and select new >folder, name it spfix.
  • Unzip SpSeHjfix.zip into the new folder.
4. Disconnect from the net and Close ALL OPEN PROGRAMS.

5. Run 'SpSeHjfix'. and click on "Start Disinfection".

When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage

6. Once it is finished run CWShredder - Hit The FIX button!

7. Reboot and post a new HJT log and the log that was created by 'SpSeHjfix'.

Warning Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. To fix this, go into Control Panel >Internet Options >Programs & press reset web settings, then you can set your home page to what you want on the general tab.

Regards,

Trevuren

  • 0

#3
j-alexander

j-alexander

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
Thank you very much for the speedy response and I will perform what you have stated (or will finish it) once I can properly start up my pc....after the spfix was run and a restart done the error message came up again about a failure in explorer (caused by the virus) so will only be able to run cwshredder in a few days (or however long it takes for the system to boot again.


Thanks very much - much appreciated!

j-alexander
  • 0

#4
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
When the error message decides to appear again, please jot down, as closely as possible, the full message and post it into this thread.

Regards,

Trevuren

  • 0

#5
j-alexander

j-alexander

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
No problem - I already posted it to another forum, but I knew if I could solve the other problems (spyware) it would go away...or thats what I hoped at least.

Here's the link:
http://www.geekstogo...=0

I did have a look at the help suggested - but PC has only just decided to give way and actually boot up (or...it did before to allow for a hijack this log).

Hope that error isn't too bad.


Thanks again,

j-alexander
  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Receiving asisstance from 2 different sources is strongly discouraged. I therefore will close your thread in malware and let the "tech" guys finish their work. If they deem it necessary, they will transfer you back to "Malware"

Regards,

Trevuren

  • 0

#7
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP