New member

I'm new in here. I have been infected with what I believe is a trojan infection. I have tried running my PC in safe mode to fix it but it hasn't worked. I have tried following some of the threads on here, but I don't understand what some of the logs are, e.g. what is a HJT scan?

I am running Spybot and I update it regularly, I also run Kaspersky firewall and AVG anti-virus program. I am at my wits' end, can you please help me to get rid of this pesky infection? :(

Do you run Spybot Search and Destroy version 1.4 and the latest updates from the 2006/16/06?

Please *download* *HijackThis* © Merijn from: http://www.thespykiller.co.uk/files/HJTsetup.exe

*Clean* out your *Temporary Internet files*. Proceed like this:

* Quit Internet Explorer and quit any instances of Windows Explorer.
* Click *Start*, click *Control Panel*, and then double-click *Internet Options*.
* On the *General* tab, click *Delete Files* under *Temporary Internet Files*.
* In the *Delete Files* dialog box, tick the *Delete all offline content* check box, and then click *OK*.
* On the *General* tab, click *Delete Cookies* under *Temporary Internet Files*, and then click *OK*.
* Click on the *Programs* tab then click the *Reset Web Settings* button. Click *Apply* then *OK*.
* Click *OK*.

Next, click *Start*, click *Control Panel* and then double-click *Display*. Click on the *Desktop* tab, then click the *Customize Desktop* button. Click on the *Web* tab. Under *Web Pages* you should see a checked entry called *Security info* or something similar. If it is there, select that entry and click the *Delete* button. Click *Ok* then *Apply* and *Ok*.
*Empty* the Recycle Bin by right-clicking the *Recycle Bin* icon on your Desktop, and then clicking *Empty Recycle Bin*.

*Reboot* *Windows*.

* Double click *HijackThis.exe*.
* Hit None Of The Above, just start the program.
* Hit Scan.
* When the scan is finished, the "Scan" button will change into a "Save Log" button.
* Click that, save the log somewhere.

Best regards
Team Spybot
Hi Sandra

I followed your instructions, but unfortunately it hasn't worked. Although I did notice that when I came to empty the recycle bin there was nothing in it, and also the 'security info' entry was not present in 'Display', just a 'my current homepage' entry. I don't know if that means anything. After following your instructions I ran my Spybot again and the infection was either still there.

I do run Spybot search and destroy 1.4.
RE pipas-A

Hello again Sandra

I have been trying to upload a copy of the HJT log I did to you but the attachment tool keeps saying either invalid file or upload of file failed.

Hello Elizabeth,

Please send the file as .txt attachment to detections(at)spybot.info .
I will have a look at it. :-)

Best regards
Team Spybot
Hi Sandra

Here is the log that you asked me for:

Logfile of HijackThis v1.99.1
Scan saved at 16:14:58, on 22/06/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WebRebates4\webrebates.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [Microsoft sddcE Contol] teskmangr.exe
O4 - HKLM\..\Run: [Mi7sft sdce] scorti.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKLM\..\Run: [dmdfj.exe] C:\WINDOWS\System32\dmdfj.exe
O4 - HKLM\..\RunServices: [Microsoft sddcE Contol] teskmangr.exe
O4 - HKLM\..\RunServices: [Mi7sft sdce] scorti.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mahjongSetup.exe] C:\DOCUME~1\LIZZYS~1\MYDOCU~1\MAHJON~1.EXE /r
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140872680116
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37590.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B1DB5F0-AE64-4AE3-A7E6-8735F01B5D29}: NameServer =,
O17 - HKLM\System\CS2\Services\Tcpip\..\{8B1DB5F0-AE64-4AE3-A7E6-8735F01B5D29}: NameServer =,
O17 - HKLM\System\CS3\Services\Tcpip\..\{8B1DB5F0-AE64-4AE3-A7E6-8735F01B5D29}: NameServer =,
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: ICFCFFIE - {1BF76B08-1F47-0FE7-00DE-64A757B11C11} - C:\WINDOWS\System32\Jacnnf32.dll (file missing)
O21 - SSODL: mtklefa - {46696ACF-4FB5-4ED2-B29D-C8E9BF2265E6} - C:\WINDOWS\System32\fbjf32.dll (file missing)
O21 - SSODL: mtklefap - {65BD9CA7-98B0-4114-D39A-8B82EEE05398} - C:\WINDOWS\System32\blbke32.dll (file missing)
O21 - SSODL: mtklef - {B3B56C67-280F-4C88-A494-4A367CDB1289} - C:\WINDOWS\System32\vkaq32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

I had to cut and paste it, sorry.

Start Hijackthis and place a check next to these items if there.
R3 - Default URLSearchHook is missing
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [Microsoft sddcE Contol] teskmangr.exe
O4 - HKLM\..\Run: [Mi7sft sdce] scorti.exe
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKLM\..\RunServices: [Mi7sft sdce] scorti.exe
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B1DB5F0-AE64-4AE3-A7E6-8735F01B5D29}: NameServer =,
O17 - HKLM\System\CS2\Services\Tcpip\..\{8B1DB5F0-AE64-4AE3-A7E6-8735F01B5D29}: NameServer =,
O17 - HKLM\System\CS3\Services\Tcpip\..\{8B1DB5F0-AE64-4AE3-A7E6-8735F01B5D29}: NameServer =,
O21 - SSODL: ICFCFFIE - {1BF76B08-1F47-0FE7-00DE-64A757B11C11} - C:\WINDOWS\System32\Jacnnf32.dll (file missing)
O21 - SSODL: mtklefa - {46696ACF-4FB5-4ED2-B29D-C8E9BF2265E6} - C:\WINDOWS\System32\fbjf32.dll (file missing)
O21 - SSODL: mtklefap - {65BD9CA7-98B0-4114-D39A-8B82EEE05398} - C:\WINDOWS\System32\blbke32.dll (file missing)
O21 - SSODL: mtklef - {B3B56C67-280F-4C88-A494-4A367CDB1289} - C:\WINDOWS\System32\vkaq32.dll (file missing)

Fix this also unless you intentionally installed it
O4 - HKCU\..\Run: [mahjongSetup.exe] C:\DOCUME~1\LIZZYS~1\MYDOCU~1\MAHJON~1.EXE /r
Hit fix checked and close Hijackthis.

Please download FixWareout from one of these sites:
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

If you have connection problems or those O17's ~,, return >
Before doing this write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category, otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and DSL, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.

Do that for every connection listed.

Also, be sure to mention any current problems.
Hello Lonny

Thank you for the information.

I waited for the report from the Fixwareout to open but it didn't, but here is the new HJT log that you asked for:

Logfile of HijackThis v1.99.1
Scan saved at 13:19:35, on 23/06/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft sddcE Contol] teskmangr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140872680116
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37590.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

It should be here

Scan with hijackthis and fix this item
O4 - HKLM\..\RunServices: [Microsoft sddcE Contol] teskmangr.exe
Close it and restart your pc

Post back with a new log

I have just run another bot scan and all seems fine, the pest has finally gone.

Thank you for your help. Thank you.

This topic is closed.

If you need it re-opened please send me a pm and provide a link to the thread.
Applies only to the original topic starter.
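
Added example, not part of the original thread and not Spybot or HijackThis code: the first fix list above selected the `HKLM\..\Run` copy of `teskmangr.exe`, and the follow-up log still shows the same command under `HKLM\..\RunServices`. This Python sketch parses O4 lines (excerpted from the logs in this thread) and reports follow-up autostarts whose command was already on the fix list; the function names are illustrative.

```python
import re

# O4 registry autostart line: "O4 - <key>: [<value name>] <command>"
O4 = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Excerpt of the helper's first fix list (O4 lines only), copied from the thread.
FIX_LIST = r"""
O4 - HKLM\..\Run: [Microsoft sddcE Contol] teskmangr.exe
O4 - HKLM\..\Run: [Mi7sft sdce] scorti.exe
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKLM\..\RunServices: [Mi7sft sdce] scorti.exe
"""

# Excerpt of the follow-up log (O4 registry lines only), copied from the thread.
FOLLOWUP = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft sddcE Contol] teskmangr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

def autostarts(text):
    """Parse O4 registry autostart lines into (key, name, command) tuples."""
    entries = []
    for line in text.splitlines():
        m = O4.match(line.strip())
        if m:
            entries.append((m["key"], m["name"], m["cmd"].strip()))
    return entries

def leftover_copies(fix_list, followup_log):
    """Follow-up entries whose command was on the fix list under any key.

    The same command is often registered under several autostart keys
    (Run, RunServices, HKCU and HKLM), so fixing one copy is not enough.
    """
    fixed_cmds = {cmd.lower() for _, _, cmd in autostarts(fix_list)}
    return [e for e in autostarts(followup_log) if e[2].lower() in fixed_cmds]

if __name__ == "__main__":
    for key, name, cmd in leftover_copies(FIX_LIST, FOLLOWUP):
        print(f"still present: {key} [{name}] {cmd}")
```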