1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Trojan that keeps coming back..msgked.exe

Discussion in 'Virus & Other Malware Removal' started by Jon166, Jun 14, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. Jon166

    Jon166 Thread Starter

    Joined:
    Jun 5, 2004
    Messages:
    4
    I keep deleting it, but it comes back. I think it's been unloading a lot of spy ware because when I use ad-aware, hijackthis, spybot, cwshredder, and a ton of other programs, they keep coming back. This is so frustrating, why doesn't it delete.
     
  2. FZWG

    FZWG

    Joined:
    Dec 17, 2000
    Messages:
    974
    Jon166,

    Download HijackThis! from: http://mjc1.com/mirror/hjt/

    Create a folder for this program. Do not download to the Desktop or to removable media.

    Double click on the HijackThis.exe file for the program to launch.

    Click on the Scan button. When the scan is done, a listing of all items found by HijackThis is presented.

    Click on the Save Log button to keep a record of the items listed saved in NotePad.

    Copy and post the results, but do not use the 'Fix' option of this program without the advice of experts!! There are items on the log that are required for the computer to operate effectively.
     
  3. Jon166

    Jon166 Thread Starter

    Joined:
    Jun 5, 2004
    Messages:
    4
    Here it is..

    Logfile of HijackThis v1.97.7
    Scan saved at 8:01:07 PM, on 6/14/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\program files\steam\steam.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trojan Guarder\Trojan Guarder.exe
    C:\Program Files\Ventrilo\Ventrilo.exe

    C:\Documents and Settings\Nguyen Tran\Desktop\Desktop\HIJACKTHIS\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.126.43.30:8080
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [APMLIVE] C:\Documents and Settings\Nguyen Tran\Desktop\apm\apmlive.exe -auto
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
    O4 - Global Startup: Trojan Guarder.lnk = C:\Program Files\Trojan Guarder\Trojan Guarder.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O16 - DPF: {00001015-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter15 Class) - http://www.netmarble.net/game/NMStarter15.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {5F0B03D4-23D2-403A-B0A4-36B930D9694A} (Launcher Class) - http://mate.joyon.com/ActiveX/Mate.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {7AF8D249-B79B-4624-A01E-66D6C48E4B80} (CDNDown Class) - http://wmpdownload.nefficient.co.kr/wmpdownload/CDNDownx.cab
    O16 - DPF: {A87AC5C4-E4A8-421E-84C8-12A5564EAF2B} (NAudioX Control) - http://download.netmarble.com/NAudioX/NAudioX.cab
    O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.peter-griffin.com/nsvplayx_vp3_mp3.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D7F0CC2E-FB09-4B38-B9A7-6807CBCD4859} (NMChatX Control) - http://download.netmarble.com/NMChatX/NMChatX.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
     
  4. Jon166

    Jon166 Thread Starter

    Joined:
    Jun 5, 2004
    Messages:
    4
    can someone please help me
     
  5. FZWG

    FZWG

    Joined:
    Dec 17, 2000
    Messages:
    974
    Believe this is the file to target:
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe

    When you ran AdAware, was it the latest version, and was it configured with the following settings?:

    To scan, select: Activate in-depth scan

    Select Scan mode by clicking on: Use custom scanning options
    Select: Customize and make sure the following options are turned on:
    In Drives and Folders:
    Scan within archives
    In Memory and Registry:
    Scan active processes
    Scan registry
    Deep scan Registry
    Scan my IE Favorites for banned URL
    Scan my host-files
    Click on: Proceed to save settings

    Click on the gear on top of Ad Aware (Settings), and select the Tweak button
    Under Expert Settings:
    Select: Scanning engine and check: Unload recognized processes during scanning
    Select: Cleaning Engine and check: Let Windows remove files in use after


    Another issue:
    Make sure all hidden files are shown in Windows XP:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Now, reboot into Safe Mode (Tap F8 repeatedly as the computer boots, and choose Safe Mode from the menu provided.)

    Run Hijack this again while in Safe Mode, and with all windows closed, fix the following:

    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msgked.exe

    Then, without rebooting, delete the files: C:\WINDOWS\SYSTEM\msgked.exe
    C:\WINDOWS\SYSTEM\msmc.exe

    If a file does not delete, and a message indicating the file may be in use appears, open Task Manager (by right clicking TaskBar), Processes tab, double click Image Name, and End Task on the process. Then, delete the file.

    Run an online antivirus check from at least one of the following programs:

    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/


    When done with the above, post another HJT log.
     
  6. FZWG

    FZWG

    Joined:
    Dec 17, 2000
    Messages:
    974
    BTW, turn off System Restore.
    In My Computer, go to the System Restore tab and check "Turn off system restore".

    Then restart in Safe Mode and run AdAware. You can also run Spybot Search and restart again in Safe Mode to do the rest.
     
  7. FZWG

    FZWG

    Joined:
    Dec 17, 2000
    Messages:
    974
    BTW Jon166, you have the Clientman's parasite.

    AdAware, configured properly, and updated, should be able to remove this. Would use AdAware a couple of times (after rebooting), for safe measure.

    If it does not go away, then, making sure that only HijackThis is open and everything else is closed, Scan and Fix the following:

    O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mseggo.gif

    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll

    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe

    also:
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)

    Reboot and delete the following:

    C:\WINDOWS\System32\msgked.exe (file)

    C:\Program Files\TV Media (folder)

    If these are not found, that is fine.

    If you wish, post a new HijackThis log to make sure everything is gone.
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/238993

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice