Spyware problem.

Status
Not open for further replies.

ballistica

Hi, my com's been recently infected by a trojan virus and I used SmitfraudFix to destroy the virus. However, there still seems to be some spyware and adware in my com. Oh, and I can't delete winmbj32.dll. I've attached my HJT log here.
 

Attachments: log.txt (10.8 KB)
Hello and welcome to Techspot.

Download the Pocket killbox programme from HERE. Extract it, but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open (except notepad). Have HJT fix the following, by placing a tick in the little box next to (if there).

Fix all O16 - DPF entries.

O17 - HKLM\System\CCS\Services\Tcpip\..\{F69DE34D-44DA-4CC4-A126-8003B1A3F594}: NameServer = 203.120.90.40,192.169.33.3 <-- Only fix this if it doesn't belong to your ISP.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: winmbj32 - C:\WINDOWS\SYSTEM32\winmbj32.dll <-- This is the nasty entry.

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete. Only then allow it to reboot, and hopefully your files will now be deleted.

This is the filepath you need to input into the killbox programme.

C:\WINDOWS\SYSTEM32\winmbj32.dll

Once your computer has rebooted, turn system restore back on and post a fresh HJT log.

Regards Howard :wave: :wave:
 
Thanks. I have successfully deleted that file but I have another prob. I can't use IE at all. The connection is on but I just can't connect IE to the internet. Any idea what has happened?
 
If you don't have any web access at all on that PC, there could be one of three possibilities -

1. You deleted your ISP's name server by mistake, in which case go to config\backup in HJT and restore it (O17).

2. Removing the spyware has damaged the Winsock layers, for which the fix is HERE.

3. Something else.
 
Have HJT fix this entry.

O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)

Other than that, your HJT log is clean.

You are running a completely unpatched version of Windows, which is a huge security risk.

You should download and install at least service pack 1 and preferably service pack 2.

Regards Howard :)
 
Thank you so much! I'm so grateful that my com's now clean. However, I have one last problem. I can't seem to change my homepage to something other than MSN.com. Is that caused by spyware or a virus?
 
Ok. Have HJT fix this entry and see if you can set your home page.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Regards Howard :)
 
Try disabling MS Antispyware. It has a reputation for "preferring" MSN.com.
Can't imagine why :)
 
Hmm. How do you disable it? How weird. MS Anti Spyware has been running for months and no such thing has happened.
 
I haven't used MS Anti for a while, but you should be able to right click on an icon in the system tray and choose exit or some such.

When I used it, it would revert the homepage to MSN.com when there was a suspicion of spyware around. I was thinking that the removal of that spyware may have kicked it into action.

It was just an idea, based on some, but not much, evidence.
 
Thanks!

I see. Hmm. Haha. Still doesn't work, but that's okay. At least all nasties are cleared from my com thanks to you guys. Well, once again, a big thank you!
 
I have merged your new thread into this one.

Your system is riddled with nasties yet again.

I did advise you to install Windows sp1 or sp2. You haven't done this. Running an unpatched version of Windows is probably part of the reason for your reinfection.

Run Windows updates and install one of the service packs I advised.

Go HERE and follow the instructions exactly.

Post a fresh HJT log into this thread, only after doing the above.

Regards Howard :)

This thread is for the use of ballistica only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Sorry about this. I'm currently scanning my com. Will post a log soon.

I forgot to add. I know how I caught the virus. I accidentally downloaded int codec ver. 6 of some sort.
 
New log.

I finished scanning with the online scans as well as ewido.
Here's my new log. I'm sorry for not merging.

P.S. I even have problems logging in. Sigh.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with (if there).

IntCodec

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

pmsngr.exe
pmmon.exe
isamini.exe
isamonitor.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://npsdmail4.np.edu.sg/iNotes6W.cab

O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,37

O17 - HKLM\System\CCS\Services\Tcpip\..\{F69DE34D-44DA-4CC4-A126-8003B1A3F594}: NameServer = 203.120.90.40,192.169.33.3 <-- Only fix this if it doesn't belong to your ISP.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\Program Files\IntCodec

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.

Regards Howard :)
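The fix lists in this thread come from reading the HJT log entry by entry, and the same triage can be scripted. The sketch below is an added example, not part of any post and not HijackThis code: it parses entry lines copied from the excerpts quoted above and flags entries whose file is gone or whose text matches a name the thread tied to the infection. `parse_log`, `triage` and `WATCHLIST` are hypothetical names chosen for the example.

```python
import re

# Constructed sample: entry lines copied from the HJT excerpts quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmbj32 - C:\WINDOWS\SYSTEM32\winmbj32.dll
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - (no file)
"""

# "<section> - <rest>", e.g. "O20 - Winlogon Notify: ..."; section is a letter plus digits.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<rest>.+)$")
# Markers HJT prints at the end of an entry that has no file behind it.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)
# Names this thread tied to the infection (hypothetical watchlist for the example).
WATCHLIST = ("winmbj32", "intcodec")


def parse_log(text):
    """Return a list of {'section', 'rest'} dicts, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries, watchlist=WATCHLIST):
    """Return (section, reasons, rest) for every entry with at least one flag."""
    findings = []
    for e in entries:
        reasons = []
        if ORPHAN_RE.search(e["rest"]):
            reasons.append("orphaned")  # registry entry outlived its file
        lowered = e["rest"].lower()
        reasons += [f"watchlist:{n}" for n in watchlist if n in lowered]
        if reasons:
            findings.append((e["section"], reasons, e["rest"]))
    return findings


if __name__ == "__main__":
    for section, reasons, rest in triage(parse_log(SAMPLE_LOG)):
        print(f"{section:4} {','.join(reasons):20} {rest}")
```

Unflagged entries such as the O16 downloads still need a human decision; the script only surfaces the lines that match the two mechanical rules.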

 
I can see Howard replying as I speak, and so I shan't tread on his toes here, but I would like to advise you to do yourself a favour by installing and using the latest version of Firefox.
 
Spike said:
I can see Howard replying as I speak, and so I shan't tread on his toes here, but I would like to advise you to do yourself a favour by installing and using the latest version of Firefox.

That's a good suggestion, Spike.

Installing sp1 or sp2 is equally if not more important. Alas, this still hasn't been done, despite it being pointed out twice (three times now).

Once this system is clean, if any further virus/spyware problems arise and no service pack has been installed, I won't be helping to clean it again.

Regards Howard :)
 
Thanks once again.

First off, sorry to trouble you guys and thanks Howard for helping me clear my com system yet again and thanks Spike for your suggestion!
 
I'd still like you to post a fresh HJT log, then I can make sure your system is clean.

Regards Howard :)

 
Your HJT log is now clean.

It's very important that you run Windows updates and install at least sp1. This will help to protect your computer. Also, as Spike said, installing and using Firefox is a lot more secure than IE. Only use IE for Windows updates and the odd site that doesn't support Firefox. http://www.mozilla.com/firefox/

Take a look at this thread HERE for info on how to keep your computer more secure.

Regards Howard :)
 