unable to update at MSUpdate

Discussion in 'malware problems & news' started by Fraha, Nov 2, 2003.

Thread Status:
Not open for further replies.
  1. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Hello all,

    At a friends computer i keep getting errormsgs from te MS update site about activeX not being OK.
    Several problems are on this computer including a worm called STEPH

    I think the update problem has an relation with these problems.

    Here's the hijack file:

    Logfile of HijackThis v1.97.3
    Scan saved at 21:57:36, on 1-11-2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\WINDOWS\QOGJ.exe
    C:\WINDOWS\DRFIG.exe
    C:\WINDOWS\RCTKB.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Frans\Local Settings\Temp\Tijdelijke map 1 voor hijackthis[1].zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {0B906603-34C3-4E06-9AC9-12282721C8AD} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] javaw -cp "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
    O4 - HKLM\..\Run: [QOGJ] C:\WINDOWS\QOGJ.exe
    O4 - HKLM\..\Run: [DRFIG] C:\WINDOWS\DRFIG.exe
    O4 - HKLM\..\Run: [RCTKB] C:\WINDOWS\RCTKB.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{805B2433-A4C8-4874-B911-191D7D06D53E}: NameServer = 194.134.5.5 194.134.0.97

    What do I have to do to make this system save again? (AV and Firewall will ben installed soon, Norman)
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    In Hijack This, check all of the following items, then close all browser windows, and press "Fix Checked":

    O3 - Toolbar: (no name) - {0B906603-34C3-4E06-9AC9-12282721C8AD} - (no file)

    O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] javaw -cp "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
    O4 - HKLM\..\Run: [QOGJ] C:\WINDOWS\QOGJ.exe
    O4 - HKLM\..\Run: [DRFIG] C:\WINDOWS\DRFIG.exe
    O4 - HKLM\..\Run: [RCTKB] C:\WINDOWS\RCTKB.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe



    Now restart your computer, and delete:

    Thr C:\Program Files\Acceleration Software folder
    The C:\Program Files\SuperBar folder
    The C:\Program Files\EbatesMoeMoneyMaker folder
    The C:\WINDOWS\QOGJ.exe file
    The C:\WINDOWS\DRFIG.exe file
    The C:\WINDOWS\RCTKB.exe

    As some of the above may have the 'hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

    Incidentally, unless of course you installed the MyBar Search bar wittingly, go to Add/Remove Programs, and uninstall the My Way Speed Bar.

    If no joy, have Hijack This fix these as well:

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL


    Then restart your computer, and delete the C:\Program files\Myway folder.


    Finally, download Spybot - Search & Destroy

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds.
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    BTW, does this sound like your error message?

    Cheers,
     
  5. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Thanks guys,

    I will try these options asap. Problem is that the computer is 90 Km away from me, so it could take a while.

    The security option was tried before but not with all the other options.

    So the good nes is I have at least 2 problems on that machine! ;-)

    Great.

    Thanks again!

    Frans
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    No prob! :)

    Do keep us posted!
     
  7. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    But off course Sir! ;-)

    Greetings from Holland!
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    That was no long distance call. :D
     
  9. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Right! :cool:

    Nice weather, no? :oops:

    What kind of trouble does that machine has? I know about steph but the rest? Can you give me an idication?

    Frans
     
  10. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    ok Guys Thanks!

    Most problems are gone now, only the update at microsoft will not work.
    Still got the activex error and I did try all things in the file above...

    I did found out that SP! was not installed yet. Could that be the problem?

    Frans
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Fraha,

    Since it is advisable to install it anyway, and may very well help, go to this site: http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.asp
    select the correct language in the drop down box on the right and follow instructions.

    Regards,

    Pieter
     
Loading...
Thread Status:
Not open for further replies.