Spyware removal+HijackThis log

Spyware Detected ! (Please help!)

Hi there,

I'm currently using Windows Xp Professional
And now, it seems that spyware is detected.
Initially, by using SpyBot S&D, 'Webdialer' & 'DSO Exploits' appeared.
However, I don't think they are removed from my system.
I've also tried downloading multiple scanners to remove them but it seems
useless. My Internet Explorer 6.0 has its Homepage tab corrupted, which means, i can't enter a homepage i want.
Furthermore, whenever i activate IE 6.0, it'll keep going to 'about:blank'
and suspicious pop-ups saying:"Spyware Detected, click here to remove it" and etc.
Can you suggest what I should do?

 

Re: Spyware Detected ! (Please help!)

In the world we are living in...it is better to have more then one software to help get rid of all the remnants.

In your case...it seem like CWSHREDDER could be of help...find it

HERE

Install it and run it...there are other tools I use...check my signature

Good luck and have a good day

 

Re: Spyware Detected ! (Please help!)

GREAT ! SOLVED !
Thank You Very Much !
Really, Thank YOU ! ^_^
Thanks!!!

Love u.
haha

 

Re: Spyware Detected ! (Please help!)

OH NO!
...
...
...after a while, the problem came back.
The nasty pop-ups appeared, my homepage back to about:blank...
How? -_-...

 

Re: Spyware Detected ! (Please help!)

Hey Xon,

I have moved your thread to the adware, spyware & hijack cleaning Forum. Please follow the below link and instructions within.

This link---> https://www.wilderssecurity.com/showthread.php?t=15913

then post your HijackThis log with any further description of your problem and one of the experts will give you recommendations on any Malware found.

 

Hi there,

I used the Spybot S&D.
Problems I'm experiencing:
1)IE 6.0 Homepage will not save what I include.
eg. I entered 'www.hotmail.com', it keeps returning to 'about:blank' no matter what.
2)Upon opening IE 6.0, it goes to 'about:blank' with some nasty pop-ups that keeps saying "spyware detected in your system, click to remove" and sorts.
3)Of course, slower IE 6.0 speed, like, it does not open links as fast as it should be anymore.
4)(I'm not sure if this is affected too because of this 'spyware') Whenever I play a video/clip in Windows Media Player 9, the image is corrupted.

HijackThis Log:

Logfile of HijackThis v1.97.7
Scan saved at 9:45:20 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\efbgcia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\efbgcia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.9617.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\efbgcia.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\efbgcia.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\efbgcia.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\efbgcia.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {8092803D-E1B1-4978-88BF-BF08AE4510CE} - C:\WINDOWS\System32\efbgcia.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-sg\msntb.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [imekrmig] C:\IME\IMKR\imekrmig.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E3489C0D-D07D-4281-A4A7-ADA8E9A0893F} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/cn/filesharingctrl.cab

 

Hi Xon,

Download http://tools.zerosrealm.com/dllfix.exe

Doubleclick it and install in folder of choice on the root drive, in your case C:\

Run start.bat and press option 1. 'output.txt' will be created in the folder
Post the content of that file.

Before I forget later on. For WMP https://www.wilderssecurity.com/showthread.php?t=28027
But don't start with that untill we get rid of CWS

Regards,

Pieter

 

Here's the content of the output.txt file:



--==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Sun 06/06/2004
11:57 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "STUDIO'S" (2CFB:3095) - FS:NTFS clusters:512
Total: 4 318 239 232 [4.0G] - Free: 535 982 592 [511M]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe
*Media Player version :
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;



Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\RESMIK.DLL +++ File read error
\\?\C:\WINDOWS\System32\RESMIK.DLL +++ File read error


Scanning for main Hijacker:
File found was C:\WINDOWS\System32\FKLKDDB.DLL
Md5 tested As 8077C2987B88D4D351B8E0E16D453B51



! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




 

Run start.bat again and choose option 2. Hit '1' and enter dll name manually:
C:\WINDOWS\System32\FKLKDDB.DLL

Download and run AdAware : http://www.lavasoft.de/software/adaware/ (make sure you have latest updates) and run it.

Also run CWShredder finally to clean up other entries

When you are done, run HijackThis again and post the new log, so we can see if it all worked out as planned.

Regards,

Pieter

 

Logfile of HijackThis v1.97.7
Scan saved at 1:16:30 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.9617.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\zh-sg\msntb.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [imekrmig] C:\IME\IMKR\imekrmig.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E3489C0D-D07D-4281-A4A7-ADA8E9A0893F} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/cn/filesharingctrl.cab

 

Hi Xon,

Looks good. Only one left.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Please read: Why did I get infected in the first place

Regards,

Pieter

 

Hi Pieter,

After following your instructions, my homepage still cannot be set as what I typed in, in this case, www.hotmail.com.
It keeps returning to about:blank even after I rebooted my com and after fixing the item u mentioned with HijackThis.

How?

 

Hi Xon,

Is about: blank an empty page now?
This is to verify that CWS is gone.

Regards,

Pieter

 

Hello Pieter!

Thanks a lot. The problem is solved. I can now set my homepage the way I want.
Thank U Very Muuuch!

Can you help me yet again in my remaining doubts?
1)If a webpage I visit is supposed to be in English but turned out to be in Mandarin, what's wrong and what can I do to revert it back? (eg. www.neopets.com)
2)While surfing the net, is it common to see the loading status bar at the bottom of IE6.0 occasionally put "opening page: about:blank" even though it did not go to it after opening a particular page?
3)Can you please add some direct links to help me download or tighten my IE6.0 security? (And also to prevent the implantation of such 'virus'/'spy')

Thank You. ^_^
-Xon

 

1) and 2)

Could you try using this for a while:
http://www.corestreet.com/spoofstick/
Let me know if you notice anything suspicious.

3) I actually already did that:
https://www.wilderssecurity.com/showthread.php?t=27971
or almost the same but with some screenshots:
http://home.planet.nl/~kleyn080/Spywareinfoen.html

Regards,

Pieter

 

The URL for www.neopets.com is correct as according to 'Corestreet'.
This website should be in English, however, when mine is open, it's in Mandarin.

 

In IE > Tools > Internet-options > General tab > Delete files (including offline content) and cookies.

There could be something in there that gets you identified wrong.

Regards,

Pieter

 

Yup, deleted them already.
But still the same.

Do you think it has something to do with the 'Encoding'?

 

Encoding could be worth a try.
I am not a very good webmaster so I may miss a few options, but as far as I know multilingual displays can be arranged using cookies, Referer and IP (tricky)

Regards,

Pieter

 

Alright.
One last minor question.
I've installed SpywareBlaster already.
Do get it work, do I have to activate it every time I am online to execute its function, or do I just leave it alone as it will auto detect even when I do not activate it?

 

You can start SpywareBlaster about once a week to check for updates and if all the protection is still in place. That's all it takes.

Regards,

Pieter

 

Alright.

Thanks a lot for all your time since the start!
You've been a great deal of help!
Thank You for all your efforts and advices.

Goodbye
-Xon


^^I'll Be Back!^^