Erratic IE Behavior - Did Perform Steps in Removal Guide

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MPoised, Jun 11, 2005.

  1. MPoised

    MPoised Private E-2

    Greetings,

I need to control the MHz! My ISP shut down our modem because someone was broadcasting "insecure" things...spamming and the like. I really want someone to check my HijackThis log to make sure my computer is now clean.


After following all the instructions in the SpyWare/Malware Guide and the HijackThis Guide, my computer is still held prisoner.

    Here's what I noticed:

1) Could not run http://housecall.trendmicro.com/housecall/start_corp.asp
because it repeatedly caused an error in IE 6, which caused the program to terminate (and request sending a report to Microsoft). In Firefox, I was requested to download the Java plugin. Trying to run the setupex.exe file, a message said, "C:\Program Files\HTJ\setupex.exe Attempt to access invalid address."

2) Could not run http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym in IE 6 because a page would display saying "Done" in the Status Bar. This also occurs at other sites, most notably www.wikipidia.org/wiki/Any_Article. In Firefox, I received the message "Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked."

3) Stinger found one virus: Qhosts.apd (I had previously run Avast!, which added four viruses to its "Chest".)

    4) Adaware found about 80 entries to fix. Then Spy Bot found about four, one of which (BackWeb), it could not fix.

5) Running the HijackThis analyser tool told me to correct a ffis entry. After doing so, it remains.

Could someone take a look at my HijackThis log, and tell me how to proceed?

    Thanks a bunch,

    Remember, I'm MPoised.
     
  2. BackStaber

    BackStaber Private E-2

You should try running Microsoft AntiSpyWare; you can download it from www.microsoft.com
     
  3. MPoised

    MPoised Private E-2

I ran Microsoft AntiSpyWare. It found svchost.exe and NetBIOS infiltrations and removed them. After running the scan, it found and blocked 7 threats. I then ran a thorough scan with AdAware, which caused my Windows 2000 to Stop with an Unhandled Kmode Exception. Upon restart, the computer found and attempted to install a USB adapter (?), then promptly Stopped again. Upon restart, the system didn't try to install the USB adapter, but Stopped again. So, I booted into Safe Mode, ran AdAware, then ran Avast!, which terminated before finishing its scan.

I figured I would start in Safe Mode Command Prompt only to delete two .exe files (mszx23.exe and tmpf00.exe) I didn't recognize that appeared as recently modified when running a file search. However, the system didn't boot into Safe Mode Command Prompt or MS-DOS; it only displays the cursor in the top-left.

    I went ahead with a Normal Boot, and here I am. I don't know what to do next. Wikipedia still displays blank, and Spybot keeps blocking Avenue A, Inc. and Double Click from hotmail.com.

    Please enlighten me.

    P.S. A thought on scans: if a scanner scans files and doesn't know how to deal with a threat, couldn't the access to the file trigger the otherwise dormant virus code into action? Meaning scanners are probably fueling the spread of malicious code.
     
  4. AbbySue

    AbbySue MajorGeeks Administrator

    Please go ahead and attach a current HJT log making sure you have followed the steps outlined below.

    Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  5. MPoised

    MPoised Private E-2

    Thank you so much for looking into this.
     

    Attached Files:

  6. MPoised

    MPoised Private E-2

    AbbySue - Where are you? Log attached.

    Thanks for looking at my log.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download DelDomains and unzip it to your desktop. Do not run it yet.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.


    Next,
    Please download: http://www.atribune.org/downloads/HSFix.zip

    Extract the tool from the ZIP File to a folder you can easily find (preferably in its own folder - like c:\HSFix). Then follow the procedure below:

    Boot to Safe Mode open the HSFix Tool folder and DoubleClick hsfix.bat and let it run. It will produce a log here - C:\hslog.txt

    Boot back to normal mode and post the hslog.txt file as an attachment.
     
  8. MPoised

    MPoised Private E-2

    Noticed: Booting into Safe Mode seemed too slow.

    Thanks for looking.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reboot into Safe Mode and run the HSFix one more time. Afterwards reboot back into normal mode and attach the log from the tool and a fresh HJT log.
     
  10. MPoised

    MPoised Private E-2

Wow, Wikipedia.org is working again. I guess one of those three files that HSFix deleted had something to do with blocking it?

    I still notice S&D blocking a lot of Avenue A, Inc and Double Click downloads when I visit hotmail.com.

    Thanks again.
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your Operating System and Internet Explorer versions are WAY out of date and represent a major security risk. After we fix your current problems, you must get updated. You need to install Service Pack 4 for security purposes.

    Download Pocket KillBox
    (Don't run it yet)

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe

    O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Don't forget to update Spybot S&D by selecting "Search For Updates"


    Locate PocketKillbox
(Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\svchost.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow Killbox to reboot your system. After you have rebooted and windows has loaded attach a fresh HJT log.
     
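An added example, not from this thread or from HijackThis itself: a small Python parser for the O4 and O23 log line formats quoted above, which flags the two patterns bjgarrick told the poster to fix (a system-named binary such as svchost.exe launched from somewhere other than system32, and a service whose binary is reported missing). The sample log lines and the list of system binary names are constructed for the example.

```python
import re

# Constructed sample HijackThis log lines, modelled on the O4/O23 entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)
"""

# O4: registry Run entries; O23: NT services. Both follow the HJT 1.99 layout seen in the thread.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')

# Names of genuine Windows binaries that live in system32; a same-named copy elsewhere is an impostor.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

def parse_hjt(text):
    """Return a list of dicts for every O4 and O23 line; other HJT sections are ignored."""
    entries = []
    for line in text.splitlines():
        for kind, rx in (("O4", O4_RE), ("O23", O23_RE)):
            m = rx.match(line)
            if m:
                entries.append({"type": kind, **m.groupdict()})
                break
    return entries

def split_exe(cmd):
    """Return (lower-cased directory with trailing backslash, lower-cased exe name) of the first .exe in cmd."""
    m = re.search(r'([A-Za-z]:\\[^"]*?\\)?([^\\"\s]+\.exe)', cmd, re.IGNORECASE)
    if not m:
        return "", ""
    return (m.group(1) or "").lower(), m.group(2).lower()

def flag_suspicious(entries):
    """Return (type, name, reason) tuples for the two patterns fixed in this thread."""
    findings = []
    for e in entries:
        if e["type"] == "O4":
            d, exe = split_exe(e["cmd"])
            if exe in SYSTEM_NAMES and not d.endswith("\\system32\\"):
                findings.append((e["type"], e["name"], f"{exe} started from '{d or '?'}' instead of system32"))
        elif e["type"] == "O23" and "(file missing)" in e["path"]:
            findings.append((e["type"], e["name"], "service still registered but its binary is gone"))
    return findings

if __name__ == "__main__":
    for kind, name, reason in flag_suspicious(parse_hjt(SAMPLE_LOG)):
        print(f"{kind} [{name}]: {reason}")
```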
  12. MPoised

    MPoised Private E-2

    Spy Bot found one thing: Back Web Lite but couldn't fix it.
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type services.msc and Click OK

    Locate Security Agent (scagent) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

After you complete the above you must get updated! Proceed with the below:

    Download Windows 2000 Service Pack 4

    After you install SP4 reboot and attach a fresh HJT log.
     
  14. MPoised

    MPoised Private E-2

I had disabled the virus scanners while I installed the Service Pack, of course, but it seems to have installed all right.

    Thanks for your help again. I guess next is the Service Pack for IE?
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Your HJT log is clean; if you're not having any further problems I would recommend surfing in to Windows Update and getting all critical updates.

    Also, you should see this article on How to Protect yourself from malware!
     
  16. MPoised

    MPoised Private E-2

    Thanks so much. I have just a couple of concerns.

I used Windows Update to install all critical updates, and I followed the advice in the article you mentioned. I installed the Sygate Firewall, and it's constantly displaying messages about Avast!, Microsoft AntiSpyware, and MSBNTray trying to access the network during startup. Is it safe to always allow these programs access?

Also, when using merriamwebster.com, Spybot S&D blocks the download of Avenue A, Inc and FastClick. However, I did see a window flash on the screen. I think it said adserver....should I be concerned?

    Thanks again.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Personally, I don't use Spybot's features because they get annoying; I would stick with Spyware Guard & Spyware Blaster.

    As far as the firewall, if you know the program its safe to allow.
     