Spyware problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by Zyre, May 31, 2005.

  1. Zyre

    Zyre Private E-2

    I got infected with lots of spyware today. Followed the guide I found here (http://forums.majorgeeks.com/showthread.php?t=35407) and I think I got rid of it all. Only thing that didn't work was the Symantec online virus search, page wouldn't load.
    It seems everything is gone, and I updated Windows and all. But there's this one process, called msxct.exe, that I don't recall seeing before and I can't find out what it is. It's located in c:/windows/system32. And it's on autostarts. Anyone know what it is?

    Also, how do I remove files from the autostart thing?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would recommend the following (assuming you are running Win XP or 2000):

    Download and install Microsoft® Windows AntiSpyware and make sure you get the updates but do not run a scan yet.

    Now reboot into safe mode with no network support, make sure you have no browsers opened and then run a full scan with MS Antispyware and let it fix what it finds.

    Now reboot into normal mode and let me know if it found anything and if you are still having problems.
     
  3. Zyre

    Zyre Private E-2

    I downloaded that program, updated it and ran a scan in safe mode as you suggested. It found some Kazaa spyware, but not the file msxct.exe. I checked, and it's still there in c:/windows/system32. I also removed it, and another program called qojrfsf.exe that was removed during other scans, although it was still marked to run at startup, although the file doesn't exist on my computer.

    I'm going to try and run a few of those alternative scans from the guide.

    EDIT: I just thought of something. When I followed the guide that's in this forum, I never bothered to do step 2 in the preparations because I didn't think it was a Hijack or about:blank since I could access the Internet. But later, when I ran one of the programs that was supposed to remove stuff that causes that, it found a few files that it deleted. Do you think that disabling Network Security, Workstation Netlogon Services & Remote Procedure Call (RPC) Helper would help, and then do more scans?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure if you have a hijacker problem from what you have stated. Please follow the steps below and maybe we can figure out what is going on:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  5. Zyre

    Zyre Private E-2

    This is the log I got when running HiJack This. Although I did remove the msxct.exe file from autostart. It's still on my computer, but I might try to just delete it.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is this next R0 line something you added? If not, fix it.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/

    You can also fix the below two lines.
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab

    Other than those, you are clean. You should try booting into safe mode and then delete: c:\windows\system32\msxct.exe
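
The three log lines quoted in the post above can be split into their fields and sorted for review with a short script. This is an added example, not part of the thread and not HijackThis code; the regular expressions, the function names and the wording of the review notes are assumptions made for illustration, and the sample input is only the lines quoted on this page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: only the lines quoted in the post above
# (the full log was an attachment and is not on the page).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.0.0.6/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
"""

# R0-R3: Internet Explorer start/search page values stored in the registry.
R_LINE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
# O16: ActiveX objects (Downloaded Program Files) with CLSID, label and codebase.
O16_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")

def host_is_private(url):
    """True when the URL host is a literal IP address in a private range."""
    host = urlparse(url).hostname or ""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a DNS name, not an IP literal

def triage(log_text):
    """Return (section, value, note) for each R* and O16 line in the log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            section, hive, _key, name, url = m.groups()
            note = ("private address: ask whether the user set it"
                    if host_is_private(url) else "external host: confirm or fix")
            findings.append((section, f"{hive} {name} -> {url}", note))
            continue
        m = O16_LINE.match(line)
        if m:
            clsid, label, codebase = m.groups()
            note = ("installed from a local file path: review"
                    if codebase.lower().startswith("file://")
                    else "downloaded codebase: check the host")
            findings.append(("O16", f"{clsid} {label}", note))
    return findings

if __name__ == "__main__":
    for section, value, note in triage(SAMPLE_LOG):
        print(f"{section:4} {value}\n     {note}")
```

The notes only group entries for a human to judge, as the question about the first R0 line does; they do not decide whether an entry is malicious.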
     
  7. Zyre

    Zyre Private E-2

    Thanks a lot. I fixed the last two lines you mentioned; the first line is for my ISP login. I removed the file msxct.exe, didn't do it in safe mode though. But it seems I'm alright now. Again, much thanks to you chaslang and to www.majorgeeks.com. Awesome site! :D
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     
