mslaugh + Teekis.exe XP please help me get rid of this



verachion
03-26-2004, 01:53 PM
Hi,

Can anybody possibly help me? I too have the same problem; my log is below. In order to remove mslaugh and teekids.exe, what do I have to do using HijackThis? Any help would be appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 18:47:06, on 25/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\windows\Explorer.EXE
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\windows\System32\ctfmon.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\BTopenworld\DialBTIAnytime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\System32\wuauclt.exe
C:\Documents and Settings\lisa van gils\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\windows\System32\msdxm.ocx
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: BT Yahoo! Sidebar (HKLM)
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: Win32 Classes -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\commonyinsthelper.dll
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06308362-3376-4C53-A8B6-36B73B4E498E}: NameServer = 213.1.119.97 213.1.119.98
O17 - HKLM\System\CS1\Services\Tcpip\..\{06308362-3376-4C53-A8B6-36B73B4E498E}: NameServer = 213.1.119.97 213.1.119.98
O17 - HKLM\System\CS2\Services\Tcpip\..\{06308362-3376-4C53-A8B6-36B73B4E498E}: NameServer = 213.1.119.99 213.1.119.100

I would appreciate any feedback,

Darren

mjc
03-26-2004, 02:26 PM
Please run Stinger....

http://vil.nai.com/vil/stinger/

shaffy
03-26-2004, 04:01 PM
Are you able to download and run Spybot and Ad-Aware? If you can, I would suggest you do that.

Also, as far as I know, you should use HijackThis to fix:

O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe

There might be more, but these are the only ones I know.

So if I were you, this is what I would do:
1. Fix the items above
2. Reboot
3. Install and run Spybot and Ad-Aware
4. Try installing SP1 and McAfee

Hope this will help.
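
The O4 check shaffy describes, done by script rather than by eye. This is an added example, not code from the original thread or from HijackThis: it parses the "Running processes" and O4 lines of a HijackThis v1.97 log and reports HKLM/HKCU Run values whose command is a bare filename with no directory, which is the pattern both mslaugh.exe and teekids.exe show in the log above. The embedded log excerpt is copied from the post at the top of the thread; the KNOWN_BARE allowlist and all function names are assumptions made for this example and are not part of HijackThis.

```python
import re
from collections import namedtuple

# Excerpt of the HijackThis log posted above, embedded here as the sample input.
SAMPLE_LOG = r"""
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [www.hidro.4t.com ] enbiei.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\System32\ctfmon.exe
"""

# "O4 - HKLM\..\Run: [value name] command"
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$')

RunEntry = namedtuple('RunEntry', 'raw hive key name command exe')

# Path-less Run values that are normal on Windows XP. Assumed allowlist for this
# example only; it is not an authoritative list and HijackThis has no such list.
KNOWN_BARE = {'systray.exe'}


def first_token(command):
    """Executable portion of a Run value: the quoted path, or the text before the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def parse_hjt(text):
    """Return (set of running-process basenames, list of O4 RunEntry) from a HijackThis log."""
    procs, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith('Running processes:'):
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line ends the process list
                in_procs = False
                continue
            procs.add(line.rsplit('\\', 1)[-1].lower())
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append(RunEntry(line, hive, key, name.strip(), command, first_token(command)))
    return procs, entries


def suspicious(entries, procs):
    """Run values whose command is a bare filename (no directory) and not on the allowlist.

    A bare name is resolved through the system search path at logon, so a file
    dropped into System32 can be started without its location ever being named.
    Each finding also records whether that file appeared in the process list.
    """
    findings = []
    for e in entries:
        base = e.exe.rsplit('\\', 1)[-1].lower()
        if '\\' not in e.exe and base not in KNOWN_BARE:
            seen = 'running' if base in procs else 'not in process list'
            findings.append((e.name, base, seen))
    return findings


def lines_to_fix(text):
    """The raw O4 lines to tick and 'Fix checked' in HijackThis."""
    procs, entries = parse_hjt(text)
    flagged = {name for name, _, _ in suspicious(entries, procs)}
    return [e.raw for e in entries if e.name in flagged]


if __name__ == '__main__':
    for line in lines_to_fix(SAMPLE_LOG):
        print(line)
```

Run against the excerpt it reports three entries: the two shaffy names plus the enbiei.exe value, which has the same path-less shape. The allowlist is the weak point of the heuristic, so treat the output as a list of lines to check against a known-good reference before fixing, not as a verdict.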

Budfred
03-26-2004, 08:31 PM
shaffy,

It is nice of you to try to help, but verachion has already started a new thread with the same log. If you want to respond further, you might want to do it there:

{merged, link no longer needed}

verachion
03-27-2004, 09:07 AM
Hi,

Thanks for your reply. I am really sorry if I messed up by starting a new thread (I am new to this). I am not a computer genius, so I don't really understand all the jargon. If I may, I will tell you what I have done thanks to your help.

1. Downloaded Spybot Search and Destroy
2. Installed McAfee virus cleaner
3. Downloaded Stinger
4. Downloaded AVG virus cleaner

I have run Spybot and found lots of adware and spyware, which has now been deleted. The majority of this spyware came from a programme called Gozilla, which apparently runs EZULA; anyway, that's gone (fewer pop-ups now). The system information tool in Spybot still shows mslaugh + teekids are still running behind the scenes.

I have run McAfee and it found 6x wms blasters and cleaned them; however, every time I boot the computer a few of them return as tmp.

I ran Stinger and that got rid of the nasty Blaster worm.

I have run AVG and it didn't find any other viruses.

However, when I log on to the net, McAfee picks up and shows me that I now have Nachi.B attached to a system32 driver.

How can I eradicate this completely from my computer? Your help would be very much appreciated.

Darren

PrntRhd
03-27-2004, 09:24 AM
McAfee removal instructions (http://vil.nai.com/vil/content/v_101013.htm#RemovalInstructions) for Nachi.b

You should also kill the XP System Restore points and manually create a new one after removing the worms.

Budfred
03-27-2004, 10:11 AM
verachion,

I put the link to your own thread so that you and anyone else could post replies to that thread instead of coming back here to do it, and then you did it anyway. Please stick to one thread for one problem and don't piggyback on someone else's thread. It is just too confusing when you talk about the same problem in 2 different places. Now people in the other thread will not know what you have been asked to do in this one and vice versa..... Now you actually have bits and pieces of this problem in three different threads and that is very confusing.... Please stick to one thread and make it one of your own.....

mjc
03-27-2004, 01:26 PM
Verachion, you messed up by posting into other people's threads; starting your own was the RIGHT thing to do.... Now I am having to try and make some order out of all of this.............