http://lop.com/passthrough/newpass2.html

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Pattib, Jan 23, 2005.

  1. Pattib

    Pattib Private E-2

    I've run through all the steps you've indicated, and the darn thing is STILL there. I've read in to the next steps, but don't want to do something I shouldn't...can someone help? :)
     
  2. TheOldThug

    TheOldThug First Sergeant

    Try and be a little more specific. What happened after running your tests, and what is your problem now? Chaslang or PP may ask you for a HJT log but wait until they ask. In the meantime you can download it here.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    TheOldThug
     
  3. TheOldThug

    TheOldThug First Sergeant

    A little more on the HJT program.

    All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT.

    Wait to post until they ask.

    TheOldThug :)
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can post your HJT log but first do this. Go to Add/Remove programs and look for Messenger Plus 3 (or any number) and uninstall it. It is more than likely the cause of your problem. It installs lop and a bunch of other crap.
     
  5. Pattib

    Pattib Private E-2

    I went to add/remove, and didn't see anything that said MSN Messenger or anything similar. Here is my log.


    Edit by chaslang: Inline, incomplete log changed to attachment
     

    Last edited by a moderator: Jan 23, 2005
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please post complete logs without cutting anything out! And they must be posted as an attachment to your message. And no browsers should be running. Read the instructions you were given again.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {E99EFB06-B877-4509-B2CF-19F1CEDEE9D5} - C:\WINDOWS\SYSTEM\MSJETU35.DLL (file missing)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {0AD5D2D2-B270-C68B-ED6A-13EBE8D78F08} - C:\WINDOWS\PROFILES\ 000\APPLICATION DATA\WAVEMAPIBITS\FACE SEND.EXE
    O3 - Toolbar: (no name) - {757B1F58-F47A-4D31-B8DD-2E794328D3D9} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [zango] c:\program files\zango\zango.exe
    O4 - HKLM\..\Run: [kcdlfd] C:\WINDOWS\SYSTEM\AQZMGA.EXE
    O4 - HKLM\..\Run: [phone bore date frag] C:\WINDOWS\All Users\Application Data\Dog Internet Phone Bore\move cake.exe
    O4 - HKCU\..\Run: [cast 1] C:\WINDOWS\APPLIC~1\STARTB~1\Help Tool.exe
    O9 - Extra button: Downloads - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\nge-kazemule-uk\index.html
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://unkmail2.unk.edu/iNotes6.cab


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\PROFILES\ 000\APPLICATION DATA\WAVEMAPIBITS <--- remove this whole folder
    c:\program files\zango <--- remove this whole folder
    C:\WINDOWS\SYSTEM\AQZMGA.EXE
    C:\WINDOWS\All Users\Application Data\Dog Internet Phone Bore <--- remove this whole folder
    C:\WINDOWS\APPLIC~1\STARTB~1\Help Tool.exe
    c:\nge-kazemule-uk <--- remove this whole folder

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
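
An added example, not part of chaslang's post and not HijackThis code: a short Python script that parses the eleven entries listed in the post above and separates the ones that still point at a file on disk from registry leftovers marked (no file) or (file missing) and from the remote download URL. The function names and the three category labels are assumptions made for this illustration.

```python
import re

# The eleven entries listed in the post above, copied verbatim.
SELECTED = r"""
O2 - BHO: (no name) - {E99EFB06-B877-4509-B2CF-19F1CEDEE9D5} - C:\WINDOWS\SYSTEM\MSJETU35.DLL (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {0AD5D2D2-B270-C68B-ED6A-13EBE8D78F08} - C:\WINDOWS\PROFILES\ 000\APPLICATION DATA\WAVEMAPIBITS\FACE SEND.EXE
O3 - Toolbar: (no name) - {757B1F58-F47A-4D31-B8DD-2E794328D3D9} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [zango] c:\program files\zango\zango.exe
O4 - HKLM\..\Run: [kcdlfd] C:\WINDOWS\SYSTEM\AQZMGA.EXE
O4 - HKLM\..\Run: [phone bore date frag] C:\WINDOWS\All Users\Application Data\Dog Internet Phone Bore\move cake.exe
O4 - HKCU\..\Run: [cast 1] C:\WINDOWS\APPLIC~1\STARTB~1\Help Tool.exe
O9 - Extra button: Downloads - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\nge-kazemule-uk\index.html
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://unkmail2.unk.edu/iNotes6.cab
""".strip().splitlines()

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
RUN_VALUE = re.compile(r"^\[[^\]]*\] (.*)$")

def parse(line):
    """Split one HijackThis entry into (section, kind, target)."""
    m = ENTRY.match(line.strip())
    if not m:
        raise ValueError(f"not a HijackThis entry: {line!r}")
    section, kind, rest = m.groups()
    run = RUN_VALUE.match(rest)
    # O4 lines are "[value name] command"; the others end in " - target".
    target = run.group(1) if run else rest.rsplit(" - ", 1)[-1]
    return section, kind, target

def classify(target):
    if target == "(no file)" or target.endswith("(file missing)"):
        return "orphaned"   # registry entry only, nothing left on disk
    if target.lower().startswith(("http://", "https://")):
        return "remote"     # O16 download source, not a local file
    return "local"          # still references a file; check it on disk

def triage(lines):
    groups = {"orphaned": [], "remote": [], "local": []}
    for line in lines:
        section, _kind, target = parse(line)
        groups[classify(target)].append((section, target))
    return groups

if __name__ == "__main__":
    for status, items in triage(SELECTED).items():
        print(status, *[f"  {s:<4}{t}" for s, t in items], sep="\n")
```

Each of the six `local` targets is, or sits inside, one of the six files and folders in the safe-mode deletion list above.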
     
  8. Pattib

    Pattib Private E-2

    Thanks for your help. I'm sorry, but I wasn't aware of any browsers running when I did the scan. I only had the Hijack window open. I didn't look far enough down and didn't know how to post on here as an attachment. I have figured this out, and did attach my most current Hijack This! log. I have posted log in its entirety both times. Should there be more? I also had the system restore disabled, as well as viewing of hidden files enabled.

    I did go through the list you provided me and did as instructed. I, however, was not able to find the following:
    c:\program files\zango <--- remove this whole folder
    C:\WINDOWS\SYSTEM\AQZMGA.EXE
    C:\WINDOWS\APPLIC~1\STARTB~1\Help Tool.exe

    The dreaded toolbar that started this entire mess is now gone, but how do I protect myself from being targeted again? Thanks again for your help.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This time you posted the complete log! Last time you did not! What you left out the first time was the most important starting information. Which was these lines:
    Logfile of HijackThis v1.99.0
    Scan saved at 3:46:30 PM, on 1/23/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Do all the steps in the below link (some you may already have):

    How to Protect yourself from malware!
     
  11. Pattib

    Pattib Private E-2

    Ugh! It's back again!

    I hadn't had a chance yet to do what you said to protect myself, and when I logged on, it's back again. It's an annoying blue MSN looking toolbar at the bottom of my screen that will not close, even when I exit IE.

    I'm also getting annoying pop ups from the Spyware Guard and S&D every time something tries to invade. How do I stop this?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Ugh! It's back again!

    Patti,

    It would be better for you to have posted back in your previous thread since it is still from today. Otherwise you would be starting all over again from the READ ME FIRST. I'm merging you into the old thread.

    Post a new HJT log.
     
