TechSpot

Spyware problem.

By ballistica
Jul 2, 2006
  1. Hi, my com's been recently infected by a trojan virus and I used SmitFraudFix to destroy the virus. However, there still seem to be some spyware and adware on my com. Oh, and I can't delete winmbj32.dll. I've attached my HJT log here.
     

    Attached: log.txt (10.8 KB)
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Download the Pocket Killbox programme from HERE. Extract it, but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open (except notepad). Have HJT fix the following, by placing a tick in the little box next to each one (if there).

    Fix all O16 - DPF entries.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{F69DE34D-44DA-4CC4-A126-8003B1A3F594}: NameServer = 203.120.90.40,192.169.33.3 < Only fix this if it doesn't belong to your ISP.

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: winmbj32 - C:\WINDOWS\SYSTEM32\winmbj32.dll < This is the nasty entry.

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

    This is the filepath you need to input into the killbox programme.

    C:\WINDOWS\SYSTEM32\winmbj32.dll

    Once your computer has rebooted, turn system restore back on and post a fresh HJT log.

    Regards, Howard
     
  3. ballistica


    Thanks. I have successfully deleted that file, but I have another prob. I can't use IE at all. The connection is on, but I just can't connect IE to the internet. Any idea what has happened?
     
  4. Peddant

    Peddant TS Rookie Posts: 1,446

    If you don't have any web access at all on that PC, there could be one of three possibilities:

    1. You deleted your ISP's name server by mistake, in which case go to config\backup in HJT and restore it (O17).

    2. Removing the spyware has damaged the Winsock layers, for which the fix is HERE.

    3. Something else.
     
  5. howard_hopkinso


    I agree with Peddant.

    Did you fix the O17 entry? If so, restore it.

    Please post a fresh HJT log.

    Regards, Howard
     
  6. ballistica


    Haha, silly me! I've just restored O17 and my IE's working again. Here's my new HJT log.
     
  7. howard_hopkinso


    Have HJT fix this entry.

    O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)

    Other than that, your HJT log is clean.

    You are running a completely unpatched version of Windows, which is a huge security risk.

    You should download and install at least service pack 1 and preferably service pack 2.

    Regards, Howard
     
  8. ballistica


    Thank you so much! I'm so grateful that my com's now clean. However, I have one last problem. I can't seem to change my homepage to something other than MSN.com. Is that caused by spyware or a virus?
     
  9. howard_hopkinso


    OK. Have HJT fix this entry and see if you can set your home page.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    Regards, Howard
     
  10. ballistica


    Hmm. Doesn't seem to work.
     
  11. Peddant


    Try disabling MS AntiSpyware. It has a reputation for "preferring" MSN.com.
    Can't imagine why :)
     
  12. ballistica


    Hmm. How do you disable it? How weird. MS AntiSpyware has been running for months and no such thing has happened.
     
  13. Peddant


    I haven't used MS AntiSpyware for a while, but you should be able to right-click on an icon in the system tray and choose Exit or some such.

    When I used it, it would revert the homepage to MSN.com when there was a suspicion of spyware around. I was thinking that the removal of that spyware may have kicked it into action.

    It was just an idea, based on some, but not much, evidence.
     
  14. ballistica


    Thanks!

    I see. Hmm. Haha. Still doesn't work, but that's okay. At least all nasties are cleared from my com thanks to you guys. Well, once again, a big thank you!
     
  15. ballistica


    Trojan infection.

    I'm infected with a trojan. Help!! Here's the log. Again. Urgh!!
     
  16. howard_hopkinso


    I have merged your new thread into this one.

    Your system is riddled with nasties yet again.

    I did advise you to install Windows SP1 or SP2. You haven't done this. Running an unpatched version of Windows is probably part of the reason for your reinfection.

    Run Windows updates and install one of the service packs I advised.

    Go HERE and follow the instructions exactly.

    Post a fresh HJT log into this thread, only after doing the above.

    Regards, Howard

    This thread is for the use of ballistica only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  17. ballistica


    Sorry about this. I'm currently scanning my com. Will post a log soon.

    I forgot to add: I know how I caught the virus. I accidentally downloaded int codec ver. 6 of some sort.
     
  18. ballistica


    New log.

    I finished scanning with the online scans as well as Ewido.
    Here's my new log. I'm sorry for not merging.

    P.S. I even have problems logging in. Sigh.
     
  19. howard_hopkinso


    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programmes in your control panel and uninstall anything to do with the following (if there):

    IntCodec

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end process for the following (if there):

    pmsngr.exe
    pmmon.exe
    isamini.exe
    isamonitor.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each one (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

    O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll

    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://npsdmail4.np.edu.sg/iNotes6W.cab

    O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,37

    O17 - HKLM\System\CCS\Services\Tcpip\..\{F69DE34D-44DA-4CC4-A126-8003B1A3F594}: NameServer = 203.120.90.40,192.169.33.3 < Only fix this if it doesn't belong to your ISP.

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\Program Files\IntCodec

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.

    Regards, Howard

    This thread is for the use of ballistica only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
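As an added example that is not part of this thread and not the poster's attached log, the script below triages HijackThis-style log lines of the kinds Howard lists in his two sets of fix instructions above: it flags O17 NameServer addresses that are not in an allowlist of the ISP's resolvers, O20 Winlogon Notify entries whose DLL is not a known Windows notification package, unnamed O2 BHOs, and any entry marked "(no file)" or "(file missing)" as an orphan that is safe to remove. The sample log is constructed from the entries quoted in the thread; the ISP DNS allowlist and the Winlogon Notify DLL set are assumptions that a reader must replace with their own ISP's published servers and a reference list for their Windows build, and the verdict names ("unexpected-dns", "unknown-notify-dll", "unnamed-bho", "orphan") are invented for this example.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the HijackThis lines quoted in this thread.
# It is NOT the poster's attached log.txt.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F69DE34D-44DA-4CC4-A126-8003B1A3F594}: NameServer = 203.120.90.40,192.169.33.3
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmbj32 - C:\WINDOWS\SYSTEM32\winmbj32.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)
"""

# ASSUMPTION: replace with the resolvers your ISP actually publishes.
ASSUMED_ISP_DNS = {"203.120.90.40"}

# ASSUMPTION: partial list of Winlogon Notify DLLs shipped with Windows XP;
# extend it from a clean reference machine of the same build.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
    "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll",
}

LINE_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
NS_RE = re.compile(r"NameServer = ([\d.,]+)\s*$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+)$")


def parse(log_text):
    """Yield (section, body) for each 'Rn - ...' / 'Onn - ...' line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def check_nameserver(body, isp_dns):
    """Flag every O17 NameServer address that is not one of the ISP's resolvers."""
    m = NS_RE.search(body)
    if not m:
        return []
    findings = []
    for raw in m.group(1).split(","):
        ip = raw.strip()
        try:
            ip_address(ip)
        except ValueError:
            findings.append(("O17", "malformed-ip", ip))
            continue
        if ip not in isp_dns:
            findings.append(("O17", "unexpected-dns", ip))
    return findings


def check_winlogon_notify(body, known_dlls):
    """Flag an O20 entry whose DLL basename is not a known Windows notify package."""
    m = NOTIFY_RE.match(body)
    if not m:
        return []
    path = m.group(2).strip()
    dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return [] if dll in known_dlls else [("O20", "unknown-notify-dll", dll)]


def triage(log_text, isp_dns=ASSUMED_ISP_DNS, known_dlls=KNOWN_NOTIFY_DLLS):
    """Return a list of (section, verdict, detail) findings for the log text."""
    findings = []
    for section, body in parse(log_text):
        if "(no file)" in body or "(file missing)" in body:
            # Registry points at a file that no longer exists: safe to fix in HJT.
            findings.append((section, "orphan", body))
        elif section == "O17":
            findings.extend(check_nameserver(body, isp_dns))
        elif section == "O20":
            findings.extend(check_winlogon_notify(body, known_dlls))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            # An unnamed BHO is not automatically bad, but it needs a look.
            findings.append(("O2", "unnamed-bho", body.rsplit(" - ", 1)[-1]))
    return findings


if __name__ == "__main__":
    for section, verdict, detail in triage(SAMPLE_LOG):
        print(f"{section:<4} {verdict:<20} {detail}")
```

On the constructed sample this reports the second NameServer (192.169.33.3), the winmbj32.dll Winlogon Notify entry, the unnamed IntCodec BHO, and the two orphaned O18/O21 entries, while leaving the allowlisted resolver and crypt32.dll alone. Note that 192.169.0.0/16 is a public range (192.168.0.0/16 is the private one), so a resolver address that merely looks familiar still has to be checked against what the ISP publishes rather than assumed to be local.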
     
  20. Spike

    Spike TS Evangelist Posts: 2,168

    I can see Howard replying as I speak, and so I shan't tread on his toes here, but I would like to advise you to do yourself a favour by installing and using the latest version of Firefox.
     
  21. howard_hopkinso


    That's a good suggestion, Spike.

    Installing SP1 or SP2 is equally if not more important. Alas, this still hasn't been done, despite it being pointed out twice (three times now).

    Once this system is clean, if any further virus/spyware problems arise and no service pack has been installed, I won't be helping to clean it again.

    Regards, Howard
     
  22. ballistica


    Thanks once again.

    First off, sorry to trouble you guys and thanks Howard for helping me clear my com system yet again and thanks Spike for your suggestion!
     
  23. howard_hopkinso


    I'd still like you to post a fresh HJT log, then I can make sure your system is clean.

    Regards, Howard

    This thread is for the use of ballistica only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  24. ballistica


    Thanks once again.
     
  25. howard_hopkinso


    Your HJT log is now clean.

    It's very important that you run Windows updates and install at least SP1. This will help to protect your computer. Also, as Spike said, installing and using Firefox is a lot more secure than IE. Only use IE for Windows updates and the odd site that doesn't support Firefox. http://www.mozilla.com/firefox/

    Take a look at this thread HERE for info on how to keep your computer more secure.

    Regards, Howard
     
Topic Status:
Not open for further replies.
