bad infection


7 replies to this topic

#1 shipwreck

shipwreck

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 23 June 2004 - 10:10 AM

OK, I got infected this morning. What do I remove from here? Thanks for your help.


Logfile of HijackThis v1.97.
Scan saved at 11:08:34 AM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\nted32.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\sdkgm32.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Digital Image\Monitor.exe
C:\Program Files\Sony\USBSircs\usbsircs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Hector Lopez\Desktop\SIERRA\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jgkof.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jgkof.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jgkof.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jgkof.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jgkof.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jgkof.dll/sp.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B5661F6-E169-C5E2-B4B1-47BCE745AF26} - C:\WINDOWS\system32\atllg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sdkgm32.exe] C:\WINDOWS\sdkgm32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Digital Image Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Remocon Driver.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe

#2 shipwreck


Posted 23 June 2004 - 10:29 AM

Anybody?

#3 shipwreck


Posted 23 June 2004 - 10:32 AM

It takes me to res://jgkof.dll/index.html#96676 or http://69.31.87.248:...n/index.cgi?c=0

Edited by shipwreck, 23 June 2004 - 11:00 AM.


#4 shipwreck


Posted 23 June 2004 - 10:48 AM

I'm running a Sony VAIO with Windows XP, if that helps... Please, someone help me and tell me what to remove, please.

#5 Guest_splintercell990_*

Guest_splintercell990_*
  • Guests

Posted 23 June 2004 - 01:24 PM

Just so that you know you are not being ignored - I will handle this case for you but I need to ask for your patience while I review the log. Please keep an eye on this message for a resolution shortly :)

#6 Guest_splintercell990_*


Posted 23 June 2004 - 01:47 PM

***Please do not reboot until it is requested. Rebooting during this process will cause reinfection!***

Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.

O2 - BHO: (no name) - {0B5661F6-E169-C5E2-B4B1-47BCE745AF26} - C:\WINDOWS\system32\atllg.dll
O4 - HKLM\..\Run: [sdkgm32.exe] C:\WINDOWS\sdkgm32.exe


Next, hold down the Ctrl+Shift keys on your keyboard and tap the Esc key. This will open task manager. End each of the following processes by selecting it and pressing the End Process button and clicking Yes to the confirmation message:

sdkgm32.exe

Download About:Buster from either of the following locations.

http://www.atribune....AboutBuster.zip
or
http://tools.zerosre...AboutBuster.zip

Run AboutBuster.exe and click ok and then start. Paste this exact line into the text box in About:Buster:

res://jgkof.dll/index.html#96676

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

Next click Ok and allow the program to run. After it runs copy its report and paste it back into this thread.

Next, go to c:\documents and Settings\{username}\local settings\Temp and delete all files in that temp folder.

Then delete the following files (if About:Buster could not delete them):

C:\WINDOWS\sdkgm32.exe<---file
C:\WINDOWS\system32\atllg.dll<---file

Reboot and post a new HijackThis log along with the report from About:Buster if there were any errors in it.

Edited by splintercell990, 23 June 2004 - 02:19 PM.
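The log in post #1 and the fix list in post #6 illustrate how a helper reads a HijackThis log: the R0/R1 entries show Internet Explorer's start and search pages being served out of a DLL through res://, the O2 entry is an unnamed BHO loaded from system32, and the O4 entry launches a file dropped straight into C:\WINDOWS. The following script is an added example for this thread, not code from HijackThis, About:Buster or the forum; it parses the R0/R1, O2 and O4 line formats and flags those three patterns so a reviewer can cross-check a log against a proposed fix list. The sample lines are copied from the log above (plus the benign AcroIEHelper and IgfxTray entries for contrast); the three heuristics are my own assumptions about what is worth a second look, not rules HijackThis applies.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, with two benign entries (AcroIEHelper, IgfxTray) kept for contrast.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jgkof.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jgkof.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B5661F6-E169-C5E2-B4B1-47BCE745AF26} - C:\WINDOWS\system32\atllg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [sdkgm32.exe] C:\WINDOWS\sdkgm32.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "R0", "O2", "O4"
    reason: str    # why the line was flagged
    artifact: str  # file implicated by the line
    line: str      # the original log line


# "<section> - <body>"; lines without that shape (header, process list) are skipped.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# res:// URL whose host part is a DLL, as in the hijacked start page above.
RES_DLL_RE = re.compile(r"res://(?P<path>[^/]*?\.dll)", re.IGNORECASE)
# O2 body: "BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
# O4 body: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def _first_path(cmd):
    """Return the executable path from a Run command (handles a quoted first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _parts(path):
    return path.lower().split("\\")


def _under_windows(path):
    # Heuristic assumption: the path lies anywhere beneath <drive>:\WINDOWS.
    p = _parts(path)
    return len(p) >= 3 and p[1] == "windows"


def _in_windows_root(path):
    # Heuristic assumption: the file sits directly in <drive>:\WINDOWS rather
    # than in a subfolder such as System32, which legitimate installers rarely do.
    p = _parts(path)
    return len(p) == 3 and p[1] == "windows"


def scan(log_text):
    """Parse HijackThis lines and return the entries matching the thread's three patterns."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank line, or a "Running processes" path
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            r = RES_DLL_RE.search(body)
            if r:
                findings.append(Finding(section, "IE start/search page served from a DLL via res://", r.group("path"), raw))
        elif section == "O2":
            b = BHO_RE.match(body)
            if b and b.group("name") == "(no name)" and _under_windows(b.group("path")):
                findings.append(Finding(section, "unnamed BHO loaded from the Windows directory", b.group("path"), raw))
        elif section == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = _first_path(r.group("cmd"))
                if _in_windows_root(exe):
                    findings.append(Finding(section, "Run entry launching a file placed directly in the Windows root", exe, raw))
    return findings


def artifacts(findings):
    """Unique file names implicated, for cross-checking against a fix list."""
    return sorted({f.artifact.rsplit("\\", 1)[-1].lower() for f in findings})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.artifact}")
    print("files implicated:", ", ".join(artifacts(scan(SAMPLE_LOG))))
```

Run on the sample, the script flags both res:// entries (jgkof.dll), the system32 BHO (atllg.dll) and the Run entry (sdkgm32.exe), which is exactly the set post #6 tells the user to fix and delete, while the Adobe BHO and the Intel tray entry pass. The output only narrows the review: an unnamed BHO or a file in the Windows root is a reason to check the publisher and file details, and the final call still belongs to the person reading the log.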


#7 shipwreck


Posted 23 June 2004 - 02:49 PM

Thank you...

#8 Guest_splintercell990_*


Posted 23 June 2004 - 03:39 PM

Does this mean everything is OK? ;)



