zonealarm 5.5.062

Franz-Josef

I installed the MS Spyware beta program. Spyware was
detected and removed. Then zonealarm with antivirus
displayed this message: process 1356/kloqyk.exe wants
access to the trusted zone. This was the first time that I
read this message and I have no idea what it means.
Sorry for my bad English.
Kind regards
FJ
 
I believe that file is associated with SpyBot, a worm. Read
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.GEN,
it should provide you with information on how to remove this worm.
 
kloqyk.exe is the W32-Spybot worm. Tell Zone Alarm NO!

Get HijackThis.exe from

http://www.tomcoyote.com/hjt/HijackThis.exe

SCAN your system, SAVE LOG and send me the log (after
running CWShredder) as an attachment or copy and paste the
text here.

I speak German if that will help.

Ron Kinner MVP Servers

rkinner AT att DOT net
 
Dear Ron
thank you so much for your assistance. I just came back
home from a journey. After having followed your advice I
send you my hijackthis.log.

Logfile of HijackThis v1.97.7
Scan saved at 21:02:16, on 18.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\kloqyk.exe
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Programme\Nikon\NkView6\NkvMon.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Dokumente und Einstellungen\Franz-Josef\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.de
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gsiafccucjvb] C:\WINDOWS\system32\kloqyk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOLMIcon] C:\Programme\Gemeinsame Dateien\AOLSHARE\AOLMIcon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Programme\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra 'Tools' menuitem: Sun Java Konsole (HKLM)
O9 - Extra button: Mobilen Favoriten erstellen (HKLM)
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: MedionShop (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.de
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103647168983
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38138.3071296296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

CWS was not found on my system. Tomorrow I go on a
journey again and won't come back before Friday (I
mention this to explain why it takes so long until I
react on your answer).
Thank you once again and kind regards
Franz-Josef Wodopia
 
Looks fairly simple.

First you need a copy of WinsockXpfix.exe

http://www.iup.edu/house/resnet/winfix.shtm

This is a safety program. You probably won't need it but
it will restore Internet connectivity if you lose it after
removing some malware.

Boot into Safe Mode (F8 without Networking) and run
HijackThis again:

Check

O4 - HKLM\..\Run: [gsiafccucjvb] C:\WINDOWS\system32\kloqyk.exe

and then hit Fix Checked. If you are not happy with
www.medion.de as a home page then also check the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.de
O9 - Extra button: MedionShop (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.de

Do not reboot.

While still in Safe Mode, right click on Start and then
select Explore. Change it so you can see system and
hidden files and extensions:

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show
hidden files and folders.

Uncheck the Hide protected operating system files
(recommended) option.

Uncheck the Hide File Extensions for Known File Types
option.

Click Yes to confirm.

Click OK.

Now navigate down to the C:\Windows\System32 folder. Tell
Windows you want to see the files when it protests.

Now up on the second row of the toolbar at the top on the
right you should see a little Icon like a window with a
down arrow. When you go over it with your mouse it will
say Views. Click the Down arrow and select DETAILS. This
should cause the folder to change to show the file name,
the extension and the Modified date.

Look for the file kloqyk.exe. Click on the word Modified
at the top of the date/time column. This will sort things
in date order. Find your kloqyk.exe and delete it and
any other files with the same date and time +/- 5
minutes. Repeat for the folder C:\Windows\System32\dllcache.
Reboot and run another SCAN and send it to me
even if everything appears to be working. If nothing else
it will tell me that my advice helped you and I'm not just
wasting my time.

Ron
 
These lines from your scan are not good:

C:\WINDOWS\system32\kloqyk.exe
O4 - HKLM\..\Run: [gsiafccucjvb] C:\WINDOWS\system32\kloqyk.exe

Looks like you have a trojan on your machine

See if you can mark those lines for deletion.

A visit to a site like http://castlecops.com/ might be in order although
your report doesn't look horrific like some you will find over there!
 
Dear Ron
Everything went well. I did not need to run WinsockXpfix.exe.
But you are the expert and therefore I send you the results
of another scan.

Logfile of HijackThis v1.97.7
Scan saved at 14:22:16, on 22.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programme\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Programme\Nikon\NkView6\NkvMon.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Antspy u.a\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOLMIcon] C:\Programme\Gemeinsame Dateien\AOLSHARE\AOLMIcon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Programme\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra 'Tools' menuitem: Sun Java Konsole (HKLM)
O9 - Extra button: Mobilen Favoriten erstellen (HKLM)
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1103647168983
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38138.3071296296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Your advice really helped me.

Thank you once again
Franz-Josef Wodopia
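Ron asked for a second scan so he could compare it with the first. With two HijackThis logs in hand, the useful question is exactly what disappeared (the cleanup) and what is new (anything the cleanup missed or introduced). The script below is an added example, not part of the thread and not a HijackThis feature: it parses the "Running processes" block and the R/F/N/O entry lines of each log into sets and reports the differences. The `BEFORE` and `AFTER` strings are constructed, shortened excerpts of the 18.01.2005 and 22.01.2005 logs posted above, with each entry on one line as HijackThis writes it (the wrapping in the posts comes from the mail client); the parser assumes unwrapped input.

```python
"""Diff two HijackThis logs: what the cleanup removed and what is new.
Added example; BEFORE/AFTER are constructed excerpts of the thread's logs."""
import re

# HijackThis entry prefixes: R1, F2, N3, O4 ... O16 and so on
ENTRY_RE = re.compile(r"^(?:R|F|N|O)\d+ - ")

def parse_hjt(text):
    """Return (processes, entries).
    processes: set of running-process paths, lower-cased because Windows
               paths are case-insensitive (the logs mix system32/System32).
    entries:   set of R/F/N/O lines with whitespace normalised."""
    processes, entries = set(), set()
    in_procs = False
    for raw in text.splitlines():
        line = " ".join(raw.split())        # collapse stray whitespace
        if not line:
            in_procs = False                # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if ENTRY_RE.match(line):
            in_procs = False
            entries.add(line)
        elif in_procs:
            processes.add(line.lower())
    return processes, entries

def diff_hjt(before, after):
    """Set differences between two logs, as sorted lists for reading."""
    pb, eb = parse_hjt(before)
    pa, ea = parse_hjt(after)
    return {
        "processes_gone": sorted(pb - pa),
        "processes_new":  sorted(pa - pb),
        "entries_gone":   sorted(eb - ea),
        "entries_new":    sorted(ea - eb),
    }

# Constructed excerpt of the 18.01.2005 log (before the fix).
BEFORE = r"""
Logfile of HijackThis v1.97.7
Scan saved at 21:02:16, on 18.01.2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\kloqyk.exe
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\Dokumente und Einstellungen\Franz-Josef\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.de
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gsiafccucjvb] C:\WINDOWS\system32\kloqyk.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: MedionShop (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.de
"""

# Constructed excerpt of the 22.01.2005 log (after the fix).
AFTER = r"""
Logfile of HijackThis v1.97.7
Scan saved at 14:22:16, on 22.01.2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Antspy u.a\HijackThis.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
"""

if __name__ == "__main__":
    for key, lines in diff_hjt(BEFORE, AFTER).items():
        print(key)
        for entry in lines:
            print("   ", entry)
```

On these excerpts the "gone" sets contain the kloqyk.exe process, its `[gsiafccucjvb]` Run entry and the three medion.de entries that were optionally fixed; the "new" sets contain wuauclt.exe (Windows Update) and HijackThis itself at a different path. A diff like this only shortens the reading; every new item still has to be judged the way Ron judged the first log.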
 
Dear John
Thank you for your assistance. The problem has been solved
in the meantime with the help of Ron Kinner.
Kind regards
Franz-Josef
 
Thank you for your assistance. The problem has been solved
in the meantime with the help of Ron Kinner.
Kind regards
Franz-Josef
 