  1. #1 Member (joined Mar 2006, 9 posts, 0 points)

    j.m3gak00rt.info trying to connect

    I am new to this forum. Please help me. I have recently upgraded from Windows 98SE to Windows XP Professional. Since I upgraded, my PC has been infested by several spyware programs, etc. I got rid of most of them by downloading the latest editions of XoftSpy and Ad-Aware, but the problem still continues. Most annoying is that a window pops up saying either I or some program is trying to connect to "j.m3gak00rt.info". Plus there are many other problems: pressing Alt+Ctrl+Del doesn't bring up the Task Manager, and clicking taskmgr.exe from the system32 folder says that it is being used by some other program. The same is the case with the Registry Editor (regedit.exe). I recently downloaded LimeWire. LimeWire keeps starting up. I had uninstalled it, but now also the LimeWire logo pops up, followed by a Java error window saying that LimeWire did not get the files necessary for starting it.
    There is also a problem with dial-up. The dial-up connection (modem) connects and the icon in the system tray appears, then suddenly disappears, and with it the internet connection. I try to redial but it says that the port is already engaged. When I look in Network Connections, another connection appears with the same name, but the number changes to something starting with 004.

    The PC has an Intel Pentium 3 processor, 930 MHz, with 128 MB RAM. The internet browser is Internet Explorer 6.00.


    Please look into this problem. Any help would be welcomed.
    nilay

  2. #2 Member (joined Jan 2003, 12,000 posts, 1191 points)

    Please read and follow everything here

    Browser hijacks, spyware problems: read this BEFORE posting


    http://www.help2go.com/component/opt...wtopic/t,9709/

    BG

  3. #3 steamwiz, Member (joined Sep 2003, Yorkshire U.K., 14,022 posts, 2335 points)

    Hi

    We have a good idea what is causing your problems. I believe the program trying to connect is not related to the Task Manager & regedit problem. Please follow Basementgeek's instructions first, and then we can help you finish the cleanup...

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -

  4. #4 Member (joined Mar 2006, 9 posts, 0 points)

    Thanks for the response. I am reading the articles prescribed by Basementgeek. I will let you know if it works.
    Thanks

  5. #5 Member (joined Mar 2006, 9 posts, 0 points)

    I fixed most of the problems with the steps given in the articles prescribed. I got the HijackThis log checked by Help2Go Detective. The problems with regedit and Task Manager are fixed. I again got the log file checked, but it says there are some suspicious entries. I am posting the HijackThis log now. It is as follows:

    Logfile of HijackThis v1.99.1
    Scan saved at 18:53:38, on 13/03/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\shost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\efeca.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
    O4 - HKLM\..\RunServices: [csr] csrrs.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O16 - DPF: Win32 Classes -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt2.com/files/777.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt2.com/files/_ipsec_.cab
    O16 - DPF: {33331111-1111-1111-1111-615111193427} -
    O16 - DPF: {33331111-1131-1111-1111-611111193428} -
    O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl7bd.cab
    O16 - DPF: {43331111-1111-1111-1111-611111195622} - http://www.www2.p0rt2.com/files/MirarSetup-875498.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1141974840174
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141974780077
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
    O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A5E766F5-7281-434D-9AEE-B55D1A952659}: NameServer = 61.0.160.33 61.0.0.5
    O20 - Winlogon Notify: efeca - C:\WINDOWS\SYSTEM32\efeca.dll
    O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\n64slgh7164.dll (file missing)
    O20 - Winlogon Notify: winkfq32 - C:\WINDOWS\SYSTEM32\winkfq32.dll
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
    O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe


    Will someone please help me?
    Thank you

  6. #6 steamwiz, Member (joined Sep 2003, Yorkshire U.K., 14,022 posts, 2335 points)

    Hi

    You still have a very infected computer...

    I can see at least 2 worms, vundo trojan, vx2 infection ... and more...

    You didn't run the on-line scans, did you?

    Please run the on-line scans now, followed by ccleaner & ewido...

    Please download and run these :-

    Download CCleaner from :-

    http://www.filehippo.com/download_ccleaner/ (click the download tab)

    During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

    Double-click the ccsetup.exe file and install the program...

    After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

    Make sure the "windows" tab is selected

    Under "internet explorer" tick...

    Temporary internet files
    Cookies* > see Note below
    History
    Recently typed URL's
    (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
    Delete index.dat files
    Last download location
    Autocomplete form history


    Under "Windows explorer" these are optional, but you can safely tick them all if you wish; they are only "most recently used" lists.

    Other explorer MRU's
    (leave this unticked if you DON'T want to clear lists such as the start\run list)

    under "System"

    Tick ALL these ...


    under "Advanced"

    no need to tick any of these (but you can if you want, and realise what they do)


    Applications tab...

    These will mostly clean out old log files for these applications...

    Clean:- (if you use them)

    Firefox/Mozilla (optional - leave the cookies - see note)
    Opera
    Sun Java
    ZoneAlarm

    ...
    Personally I clean everything in the applications tab... but you tick what you want...

    Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

    click "analyse" if you want to see a list of what is going to be removed, before it is removed.

    Or

    click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

    "This process will permanently delete files from your system. Are you sure you wish to proceed?"

    click OK.

    THEN........

    Download ewido security suite install, update and run it.

    Please set up as :-

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on update in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display "Update successful")

    5. You may need to manually update the definitions which you can get HERE

    6. Exit Ewido. DO NOT scan yet.

    Boot into safemode...and scan with Ewido

    7. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

    8. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

    9. Once the ewido scan has completed, there will be a button located on the bottom of the screen called Save report.

    Important - You need to click "Save report" and save it to your desktop, or you won't have a log

    reboot

    post a new hijackthis log + the ewido log

    cheers

    steam

  7. #7 Member (joined Jan 2003, 12,000 posts, 1191 points)

    Just butting in here, but I am not seeing a running anti-virus program, nor has it ever been updated to at least SP1a for both XP/IE.

    Also, you really don't have enough RAM to run XP very well.

    BG

  8. #8 Member (joined Mar 2006, 9 posts, 0 points)

    I did nearly everything that was prescribed except the online scans, which take a long time to load and run on a modem connection. I downloaded CCleaner and ewido. I post my ewido log here:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 16:01:13, 14/03/2006
    + Report-Checksum: D1273B1B

    + Scan result:

    C:\Program Files\outlook\outlook.exe -> Worm.VB.dw : Ignored
    C:\Program Files\outlook\v.tmp -> Worm.VB.dw : Ignored
    C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : Ignored
    HKU\S-1-5-21-515967899-1563985344-1343024091-1007\Software\Coulomb -> Dialer.Generic : Cleaned with backup
    HKU\S-1-5-21-515967899-1563985344-1343024091-1007\Software\Coulomb\Hardcore -> Dialer.Generic : Cleaned with backup
    HKU\S-1-5-21-515967899-1563985344-1343024091-1007\Software\IST -> Adware.ISTBar : Cleaned with backup
    HKU\S-1-5-21-515967899-1563985344-1343024091-1007\Software\PowerScan -> Adware.PowerScan : Cleaned with backup
    [216] C:\WINDOWS\system32\winqig32.dll -> Downloader.Small.cml : Cleaned with backup
    C:\RECYCLED\Q237649.exe -> Downloader.Murlo.de : Cleaned with backup
    C:\WINDOWS\winres.dll -> Downloader.IstBar.eq : Cleaned with backup
    C:\WINDOWS\shost.exe -> Backdoor.SdBot.aig : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\UERSI_0001_LPNetInstaller.exe -> Not-A-Virus.Downloader.Win32.Agent.d : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\Q237649.exe -> Downloader.Murlo.de : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\ieloader.exe -> Downloader.Murlo.de : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mbslgn32.exe -> Downloader.Agent.am : Cleaned with backup
    C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8PWBOXUT\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup
    C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8PWBOXUT\AppWrap[2].exe -> Adware.AdURL : Cleaned with backup
    C:\WINDOWS\SYSTEM32\qpqnpun.dll -> Downloader.Qoologic.az : Cleaned with backup
    C:\WINDOWS\SYSTEM32\vbsys.dll_old -> Hijacker.Agent.ac : Cleaned with backup
    C:\WINDOWS\SYSTEM32\winqig32.dll -> Downloader.Small.cml : Cleaned with backup
    C:\WINDOWS\SYSTEM32\winlog.exe -> Backdoor.Rbot : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mshlpa.exe -> Downloader.Mediket.br : Cleaned with backup
    C:\WINDOWS\SYSTEM32\eraseme_86101.exe -> Backdoor.SdBot.aig : Cleaned with backup
    C:\WINDOWS\SYSTEM32\eraseme_65687.exe -> Backdoor.SdBot.aig : Cleaned with backup
    C:\Program Files\HijackThis\backups\backup-20060313-141955-886-svchost.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Program Files\winupdates\winupdates.exe -> Worm.VB.an : Cleaned with backup
    C:\s.tmp -> Worm.VB.an : Cleaned with backup
    C:\Documents and Settings\Computer\Cookies\computer@com[1].txt -> TrackingCookie.Com : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0004197.EXE -> Dropper.VB.lu : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005202.exe -> Dropper.Agent.aix : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005218.exe -> Backdoor.Rbot : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005220.exe -> Backdoor.Rbot : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005365.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005366.exe -> Dropper.VB.lu : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005367.exe -> Downloader.VB.yj : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005386.exe -> Worm.VB.an : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005390.dll -> Adware.Softomate : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005438.dll -> Downloader.Small.cml : Cleaned with backup


    ::Report End



    The other HijackThis log is as follows:

    Logfile of HijackThis v1.99.1
    Scan saved at 16:15:39, on 14/03/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\efeca.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: SafeIE Utility - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\WINDOWS\System32\safeie.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
    O4 - HKLM\..\RunServices: [csr] csrrs.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O8 - Extra context menu item: &Download all by WellGet - C:\Program Files\WellGet\nxall.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
    O8 - Extra context menu item: Download by &WellGet - C:\Program Files\WellGet\nxcatch.htm
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: WellGet - {35980F6E-A258-4E50-953D-813BB8556899} - C:\Program Files\WellGet\WellGet.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O16 - DPF: Win32 Classes -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt2.com/files/777.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt2.com/files/_ipsec_.cab
    O16 - DPF: {33331111-1111-1111-1111-615111193427} -
    O16 - DPF: {33331111-1131-1111-1111-611111193428} -
    O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl7bd.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webma...rtload618a.exe
    O16 - DPF: {43331111-1111-1111-1111-611111195622} - http://www.www2.p0rt2.com/files/MirarSetup-875498.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1141974840174
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141974780077
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
    O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A5E766F5-7281-434D-9AEE-B55D1A952659}: NameServer = 61.0.160.33 61.0.0.5
    O20 - Winlogon Notify: efeca - C:\WINDOWS\SYSTEM32\efeca.dll
    O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\n64slgh7164.dll (file missing)
    O20 - Winlogon Notify: winqig32 - winqig32.dll (file missing)
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)



    I hope it is all right now, since that j.m3gak00rt.info dialogue box stopped coming. Tell me if there is anything left.

  9. #9 steamwiz, Member (joined Sep 2003, Yorkshire U.K., 14,022 posts, 2335 points)

    Hi

    There's a lot left... you still have worms and Trojans, even though you have got rid of a lot...

    First we'll clean hijackthis ...

    Disconnect from the internet, close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the list below... when all are ticked (checked), click the Fix Checked button at the bottom :-

    O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\efeca.dll

    O4 - HKLM\..\RunServices: [csr] csrrs.exe

    O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt2.com/files/777.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt2.com/files/_ipsec_.cab
    O16 - DPF: {33331111-1111-1111-1111-615111193427} -
    O16 - DPF: {33331111-1131-1111-1111-611111193428} -
    O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl7bd.cab
    O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarrevenue.com/webma...rtload618a.exe
    O16 - DPF: {43331111-1111-1111-1111-611111195622} - http://www.www2.p0rt2.com/files/MirarSetup-875498.cab

    O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab

    O20 - Winlogon Notify: efeca - C:\WINDOWS\SYSTEM32\efeca.dll
    O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\n64slgh7164.dll (file missing)
    O20 - Winlogon Notify: winqig32 - winqig32.dll (file missing)

    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)

    O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)


    THEN.....

    Please download VundoFix.exe to your desktop.
    1. Double-click VundoFix.exe to run it.
    2. Put a check next to Run VundoFix as a task.
    3. You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    4. When VundoFix re-opens - Click the "Scan for Vundo" button.
    5. Once it's done scanning, click the "Remove Vundo" button.
    6. You will receive a prompt asking if you want to remove the files, click "YES".
    7. Once you click yes, your desktop will go blank as it starts removing Vundo.
    8. When completed, VundoFix will prompt that it will shutdown your computer; click "OK".
    9. Turn your computer back on.
    10. Please post the contents of C:\vundofix.txt in your next post ...

    THEN.....

    EWIDO got rid of a lot of rubbish, but why didn't you let it fix these :-

    C:\Program Files\outlook\outlook.exe -> Worm.VB.dw : Ignored
    C:\Program Files\outlook\v.tmp -> Worm.VB.dw : Ignored
    C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : Ignored

    This is a worm, a virus.... it has nothing to do with the Microsoft Outlook e-mail program; that Outlook.exe runs from the Microsoft Office folder ... This one is a virus ... so run ewido again and this time let it delete all it finds.

    Then.....

    You really should do the on-line scans ... but I can't make you... so once we have everything else cleared up, I want you to download and install AVG, a good free anti-virus program ... someone will instruct you on that later...

    So follow the above instructions and post me a new hijackthis log + a new ewido log + the C:\vundofix.txt

    steam
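    The entries steamwiz picks out above follow a few recognisable patterns: a BHO with no name, a RunServices value that is a bare filename rather than a full path, O16 ActiveX downloads from hosts nobody trusts, Winlogon Notify DLLs, and O21/O23 entries whose file is already missing. The script below is an added example (not from this thread, not part of HijackThis or ewido) that parses lines in both log formats and applies those patterns as review heuristics; it also counts the ewido report by action so that "Ignored" detections, like the three outlook.exe lines steamwiz asks about, stand out. The trusted-host list, the empty Winlogon Notify allowlist and the rule names are assumptions made for the example. The sample input is a constructed subset of the entries posted in this thread.

```python
"""Triage helpers for the two log formats posted in this thread: HijackThis
entries and ewido scan reports.  Added example, not part of the thread or of
either tool.  The rules mirror the entries steamwiz picked out and are stated
here as assumptions, not as HijackThis's own logic."""
import re
from collections import Counter

# One HijackThis entry: "<section> - <body>", e.g. "O16 - DPF: {CLSID} - http://..."
HJT_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
# One ewido result line: "<path> -> <detection> : <action>"
EWIDO_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")

# Assumption: hosts from which ActiveX (O16) downloads are expected on this PC.
TRUSTED_DPF_HOSTS = ("update.microsoft.com", "us.dl1.yimg.com",
                     "acs.pandasoftware.com", "cdn.digitalcity.com")
# Assumption: Winlogon Notify names verified on a clean install.  Left empty, so
# every O20 entry is sent for review (these DLLs load into winlogon.exe as SYSTEM).
KNOWN_WINLOGON_NOTIFY = frozenset()


def _trusted_host(host):
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS)


def hjt_reasons(line):
    """Reasons one HijackThis entry deserves a look; an empty list means no flag."""
    m = HJT_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if "(file missing)" in body:
        reasons.append("references a file that no longer exists")
    if sec == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no name")
    if sec == "O4" and ": " in body and "\\" not in body.split(": ", 1)[1]:
        reasons.append("startup entry with a bare filename instead of a full path")
    if sec == "O16" and CLSID_RE.search(body):       # skip the "Win32 Classes" stub
        url = URL_HOST_RE.search(body)
        if url is None:
            reasons.append("ActiveX entry with no download URL")
        elif not _trusted_host(url.group(1)):
            reasons.append("ActiveX download from host not on the trusted list: " + url.group(1))
    if sec == "O20" and body.startswith("Winlogon Notify: "):
        name = body.split(": ", 1)[1].split(" - ", 1)[0]
        if name not in KNOWN_WINLOGON_NOTIFY:
            reasons.append("Winlogon Notify DLL not on the verified allowlist")
    if sec == "O23" and "Unknown owner" in body:
        reasons.append("service with unknown owner")
    return reasons


def triage_hjt(lines):
    """Map each flagged HijackThis entry to its reasons, preserving log order."""
    flagged = {}
    for line in lines:
        reasons = hjt_reasons(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


def ewido_summary(report_text):
    """Count ewido results per action and list what the user chose to ignore."""
    by_action = Counter()
    ignored = []
    for line in report_text.splitlines():
        m = EWIDO_RE.match(line.strip())
        if not m:            # headers, blank lines and "::Report End" don't match
            continue
        by_action[m.group("action")] += 1
        if m.group("action") == "Ignored":
            ignored.append((m.group("path"), m.group("detection")))
    return by_action, ignored


# Constructed sample: a subset of the entries posted in this thread.
SAMPLE_HJT = [
    r"O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\System32\efeca.dll",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime',
    r"O4 - HKLM\..\RunServices: [csr] csrrs.exe",
    r"O16 - DPF: Win32 Classes -",
    r"O16 - DPF: {33331111-1111-1111-1111-611111193423} - http://www.www2.p0rt2.com/files/777.cab",
    r"O16 - DPF: {33331111-1111-1111-1111-615111193427} -",
    r"O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1141974840174",
    r"O20 - Winlogon Notify: winqig32 - winqig32.dll (file missing)",
    r"O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)",
    r"O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe",
]
SAMPLE_EWIDO = r"""+ Scan result:

C:\Program Files\outlook\outlook.exe -> Worm.VB.dw : Ignored
C:\Program Files\outlook\v.tmp -> Worm.VB.dw : Ignored
HKU\S-1-5-21-515967899-1563985344-1343024091-1007\Software\IST -> Adware.ISTBar : Cleaned with backup
C:\WINDOWS\shost.exe -> Backdoor.SdBot.aig : Cleaned with backup

::Report End"""

if __name__ == "__main__":
    for entry, why in triage_hjt(SAMPLE_HJT).items():
        print(entry, "\n   ->", "; ".join(why))
    counts, skipped = ewido_summary(SAMPLE_EWIDO)
    print(dict(counts))
    for path, detection in skipped:
        print("still on disk:", path, detection)
```

    The heuristics are deliberately loose (the bare-filename rule is applied to every O4 entry, not only RunServices) and produce a review list, not a verdict; a human still decides what to tick in HijackThis, exactly as steamwiz does above.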

  10. #10 Member (joined Mar 2006, 9 posts, 0 points)

    I have deleted the remaining viruses and downloaded and run VundoFix. I also fixed the HijackThis problems. The logs are as follows:

    VUNDO FIX-

    VundoFix V4.2.33

    Checking Java version...

    Java version is 1.5.0.6

    Scan started at 12:45:05 15/03/2006

    Listing files found while scanning....


    C:\WINDOWS\SYSTEM32\wacfe.bak1
    C:\WINDOWS\SYSTEM32\wacfe.ini
    C:\WINDOWS\SYSTEM32\efcaw.dll
    Attempting to delete C:\WINDOWS\SYSTEM32\wacfe.bak1
    C:\WINDOWS\SYSTEM32\wacfe.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\wacfe.ini
    C:\WINDOWS\SYSTEM32\wacfe.ini Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\efcaw.dll
    C:\WINDOWS\SYSTEM32\efcaw.dll Has been deleted!

    Performing Repairs to the registry.
    Done!



    EWIDO-

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 13:22:53, 15/03/2006
    + Report-Checksum: CFAB302E

    + Scan result:

    C:\Program Files\outlook\outlook.exe -> Worm.VB.dw : Cleaned with backup
    C:\Program Files\outlook\v.tmp -> Worm.VB.dw : Cleaned with backup
    C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup
    C:\Documents and Settings\Computer\Cookies\computer@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005441.exe -> Downloader.Murlo.de : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005442.dll -> Downloader.IstBar.eq : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005443.exe -> Backdoor.SdBot.aig : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005444.exe -> Downloader.Agent.am : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005445.dll -> Downloader.Qoologic.az : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005446.exe -> Backdoor.Rbot : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005447.exe -> Downloader.Mediket.br : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005448.exe -> Backdoor.SdBot.aig : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005449.exe -> Backdoor.SdBot.aig : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005450.exe -> Dropper.VB.lu : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005451.exe -> Worm.VB.an : Cleaned with backup
    C:\System Volume Information\_restore{AB9B3F47-7050-48AD-AA53-11B3AB455F5B}\RP3\A0005453.dll -> Downloader.Small.cml : Cleaned with backup


    ::Report End


    HIJACKTHIS-
    Logfile of HijackThis v1.99.1
    Scan saved at 15:58:10, on 15/03/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\CTFMON.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Windows Media Components\Encoder\Wmencagt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\System32\efcaw.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: SafeIE Utility - {B5D4581D-ED6A-4905-A267-25BAF7BE79C1} - C:\WINDOWS\System32\safeie.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O8 - Extra context menu item: &Download all by WellGet - C:\PROGRAM FILES\WELLGET\nxall.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZHxdm057YYIN
    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
    O8 - Extra context menu item: Download by &WellGet - C:\PROGRAM FILES\WELLGET\nxcatch.htm
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: WellGet - {35980F6E-A258-4E50-953D-813BB8556899} - C:\Program Files\WellGet\WellGet.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O16 - DPF: Win32 Classes -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1141974840174
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1141974780077
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe (file missing)

    I will download AVG, but it is going to take time. I'll tell you about it tomorrow. There is another problem: HijackThis stops responding when it reaches "enumerating trusted sites". I got this log from the other user account.
