Spyware / Trojan Problem .. once again :)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by |blaze|, Mar 18, 2005.

  1. |blaze|

    |blaze| Private E-2

    Hey ,

    I have obviously been infected with spyware, and have tried several removal programs etc etc. After they kept coming back over and over I decided to cleanly reinstall Windows ... the spyware would just come back after a few reboots ... so I tried again and again .. and it's still f****** stuck on here ...
    HijackThis log will be posted as soon as there is a response ...

    Tnx .
    |blaze|
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the below procedure before posting a HijackThis log.

    To help us to best help you, please follow the steps below closely and in the order given and do not skip anything. If you have any difficulty, please post back letting us know what steps you have completed, what you found while doing the scans if anything along with details about any problems you may have encountered in completing the steps. The more details you can provide the better. Don't be afraid to ask for additional help if you don't understand something!

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. |blaze|

    |blaze| Private E-2

    tnx ...

    * do an online scan at Trend Micro's Free Online Virus Scan <- Found 12 things .. all unable to be removed ..
    * do an online scan at Symantec Security Check <- unable to get scan ..
    * run McAfee AVERT Stinger <- removed one virus/trojan

    then ran the spyware removal programs .. which said they removed things ... now I have rebooted .. seems like the spyware is just back ... so yeah ...

    attached is the hijack this log ...
    looking forward to the reply which will hopefully rid myself of this nasty bit of infection ..

    tnx ..

    ( Won't let me attach the .log .. here is the link for it .. )
    http://members.home.nl/kuiken2/hijackthis.log ;)
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi |blaze|,

    I'll get you started, since Chaslang isn't around!

    #1 - Your XP is way out of date. AFTER you get cleaned up, you MUST go to Windows Updates and get updated!


    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Media Access
    Media Pass
    Internet Optimizer


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    csdata32.exe
    win32resc.exe
    wurxct.exe
    msnsched.exe
    dfgdfgd.exe
    MediaAccK.exe
    abasa5jrp.exe
    MediaAccess.exe
    mzecmfdb.exe
    MediaPass.exe
    MediaPassK.exe
    optimize.exe
    salm.exe
    GMx.exe



    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen

    R3 - Default URLSearchHook is missing

    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll

    O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)

    O4 - HKLM\..\Run: [Microsoft Data Machine] csdata32.exe
    O4 - HKLM\..\Run: [NDIS Adapter] servenxpp.exe
    O4 - HKLM\..\Run: [msnsched] msnsched.exe
    O4 - HKLM\..\Run: [Services] C:\WINDOWS\System32\mzecmfdb.exe
    O4 - HKLM\..\Run: [*Microsoft Update] wurxct.exe
    O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINDOWS\System32\iexplore.exe
    O4 - HKLM\..\Run: [Windows 32 Rescue] win32resc.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\System32\abasa5jrp.exe
    O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [mnsrorkl] C:\WINDOWS\mnsrorkl.exe
    O4 - HKLM\..\RunServices: [Microsoft Data Machine] csdata32.exe
    O4 - HKLM\..\RunServices: [NDIS Adapter] servenxpp.exe
    O4 - HKLM\..\RunServices: [msnsched] msnsched.exe
    O4 - HKLM\..\RunServices: [*Microsoft Update] wurxct.exe
    O4 - HKLM\..\RunServices: [Windows 32 Rescue] win32resc.exe
    O4 - HKLM\..\RunOnce: [Microsoft Data Machine] csdata32.exe
    O4 - HKLM\..\RunOnce: [Windows 32 Rescue] win32resc.exe
    O4 - HKCU\..\Run: [Microsoft Data Machine] csdata32.exe
    O4 - HKCU\..\Run: [*Microsoft Update] wurxct.exe
    O4 - HKCU\..\Run: [Windows 32 Rescue] win32resc.exe
    O4 - HKCU\..\RunOnce: [Microsoft Data Machine] csdata32.exe
    O4 - HKCU\..\RunOnce: [Windows 32 Rescue] win32resc.exe

    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

    O16 - DPF: {6211AC26-A1B4-422A-AC52-1E70B7D24465} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/nl/filesharingctrl.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\csdata32.exe
    C:\WINDOWS\System32\win32resc.exe
    C:\WINDOWS\System32\wurxct.exe
    C:\WINDOWS\System32\msnsched.exe
    C:\dfgdfgd.exe
    C:\WINDOWS\System32\abasa5jrp.exe
    C:\Program Files\Media Access ---> The Folder
    C:\WINDOWS\System32\mzecmfdb.exe
    C:\Program Files\Media Pass ---> The Folder
    C:\Program Files\Internet Optimizer ---> The Folder
    c:\temp\salm.exe
    C:\GMx.exe
    C:\WINDOWS\nem220.dll
    C:\WINDOWS\mnsrorkl.exe
    servenxpp.exe ---> You'll have to run a search of the computer for this one
    C:\WINDOWS\System32\mzecmfdb.exe


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let us know of any problems you may have encountered with the above instructions and how your computer is running now.

    The above ought to give you a good start . . . Chaslang will likely check back soon.

    Best luck :)
    PP
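The instructions above fix the same binary under several Run, RunServices and RunOnce keys in both HKLM and HKCU, which is why a single fix keeps coming back. The following is an added example, not code from the thread or from HijackThis: it parses O4 lines in HijackThis's log format, groups them by the image they launch, and lists images registered by bare filename (no directory), which the log alone cannot locate on disk. The sample log lines are constructed from the entries quoted above; the function names are my own.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines quoted in the post above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Microsoft Data Machine] csdata32.exe
O4 - HKLM\\..\\Run: [salm] c:\\temp\\salm.exe
O4 - HKLM\\..\\Run: [Internet Optimizer] "C:\\Program Files\\Internet Optimizer\\optimize.exe"
O4 - HKLM\\..\\RunServices: [Microsoft Data Machine] csdata32.exe
O4 - HKLM\\..\\RunOnce: [Microsoft Data Machine] csdata32.exe
O4 - HKCU\\..\\Run: [Microsoft Data Machine] csdata32.exe
O4 - HKCU\\..\\RunOnce: [Microsoft Data Machine] csdata32.exe
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

def parse_o4(line):
    """Return (hive, key, name, command) for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    return m.groups() if m else None

def executable_of(command):
    """Lower-cased image path from a Run-key command line (quotes honoured)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)].lower()
    return command.split()[0].lower()

def autostart_by_binary(log_text):
    """Map each autostart image (basename) to the registry locations launching it."""
    where = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed:  # non-O4 lines (O2, R0, ...) are skipped
            hive, key, _name, command = parsed
            where[ntpath.basename(executable_of(command))].append(f"{hive}\\{key}")
    return dict(where)

def unqualified_images(log_text):
    """Images registered by bare filename only: Windows resolves them via its
    search path, so the log alone does not say which copy on disk runs."""
    bare = set()
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed and not ntpath.dirname(executable_of(parsed[3])):
            bare.add(ntpath.basename(executable_of(parsed[3])))
    return sorted(bare)
```

Calling autostart_by_binary(SAMPLE_LOG) shows csdata32.exe registered in five locations, so every one of them has to be removed in the same pass or the entry reappears after the next reboot.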
     
  5. |blaze|

    |blaze| Private E-2

    yay.. I thought ...

    ran through all the steps deleting any of the programs / folders that I found ...
    then ran the programs you told me to ...
    S&D couldn't repair 6 files, all of which were registry key entries ...

    then I restarted ... all looked fine ... then a tiny bit later .. they were there once again ...

    new log attached ...
     
  6. PhilliePhan

    PhilliePhan Guest

    I guess that was to be expected with an unupdated XP and no AV app!

    You should update your XP to SP1a - (But NOT to SP2 until your machine is clean!) and install a good AV such as one of the free ones listed in this link:
    How to Protect yourself from malware!

    Then, the removal instructions are pretty much the same as first time:

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Media Access
    Media Pass
    Internet Optimizer


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    wurxct.exe
    salm.exe
    optimize.exe
    dwhmv.exe
    abasa5jrp.exe
    MediaAccK.exe
    MediaAccess.exe
    MediaPass.exe
    MediaPassK.exe
    GMx.exe
    GMx.exe


    Now scan with HijackThis and Check the Boxes for the following:
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll

    O4 - HKLM\..\Run: [*Microsoft Update] wurxct.exe
    O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [dwhmv] C:\WINDOWS\dwhmv.exe
    O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\System32\abasa5jrp.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
    O4 - HKLM\..\RunServices: [*Microsoft Update] wurxct.exe
    O4 - HKLM\..\RunOnce: [KB840987] rundll32.exe apphelp.dll,ShimFlushCache
    O4 - HKCU\..\Run: [*Microsoft Update] wurxct.exe
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System32\wurxct.exe
    C:\temp\salm.exe
    C:\Program Files\Internet Optimizer ---> The Folder
    C:\WINDOWS\nem220.dll
    C:\WINDOWS\dwhmv.exe
    C:\WINDOWS\System32\abasa5jrp.exe
    C:\Program Files\Media Access ---> The Folder
    C:\Program Files\Media Pass ---> The Folder
    C:\GMx.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.

    Make sure to follow the recommendations in the link I gave you, or these will just come right back!

    PP :)
     
    Last edited by a moderator: Mar 19, 2005
