
Correct URL address but goes to same site.

Discussion in 'Malware and Virus Removal Archive' started by Sus, 2004/10/19.

Thread Status:
Not open for further replies.
  1. 2004/10/22
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe

    Put on your PC by Trojan.Win32.Krepper and evidently none of the AV programs you tried have removed it.

    Here and use the manual removal instructions. They are fairly long but if you follow the steps, it isn't that hard unless you are really gunshy about registry edits. Not really much choice at this point.

    The only piece they don't explain completely is how to use Regsvr32 to unregister the .dll files they list and hey, they want to sell you a program so they made a couple things a little tricky to follow.

    Just click on start, on run, key in CMD and OK to get a command window (DOS window) and then to remove the first one they list, trojan.win32.krepper.o.dll

    Regsvr32 /u trojan.win32.krepper.o.dll and press ENTER. It may give an error and in that case you need to locate the .dll file and change your path to the exact location.

    For instance, if the above gave an error, you would use Windows Explorer to locate the .dll file and then change directory to its location. If the full location were
    c:\somefolder\badplace\trojan.win32.krepper.o.dll
    you would key in
    Code:
    cd c:\somefolder\badplace
    and press ENTER to change to that location and then do the Regsvr32 /u command again.
     
  2. 2004/10/23
    Sus

    Sus Inactive Thread Starter

    Joined:
    2004/03/12
    Messages:
    45
    Likes Received:
    0
    Hi Newt,

    I have been trying to manually remove kepper - but cannot really understand what I am doing.
    Cannot find list of things to remove on Task Manager - they don't appear there. And where do I go to find Hkey etc.
    Sorry to be so thick - it's real foreign country to me.
    I am so grateful to you and the other guys for your help and endless patience!!
    Please bear with me

    :eek:
     
    Sus,
    #22


  4. 2004/10/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Sus - don't feel bad. This is getting pretty techie at this point and I'd guess that over 95% of PC users would have been lost long ago.

    HKEY is a part of the name of your registry hives (hives - don't ask). If you do start => run => regedit and OK you should see a box much like the thumbnail picture. Click on a plus sign to expand and keep on doing that as you locate pieces until you get to the target one. So, for instance, when they say

    Go to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
    If you find the value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\jopa, delete it and reboot the machine immediately.


    you would start with a click on HKEY_LOCAL_MACHINE then on Software then on Microsoft, and so on. When you finally open the Run section, look for an entry that matches
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\jopa
    and if you find one, delete it.

    As for the taskmanager part, I'm surprised you don't see any of the listed items on your Processes tab.
    O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    should certainly have Matrixhere.exe running there somewhere.
     
  5. 2004/10/26
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi Sus

    Post a new log and mention any problems for the others to look at please.
    That nasty sometimes takes a few tries to completely cure.

    Are you comfortable working in the registry ?
     
  6. 2004/10/26
    Sus

    Sus Inactive Thread Starter

    Joined:
    2004/03/12
    Messages:
    45
    Likes Received:
    0
    Hi guys,

    I couldn't find any of the lines to delete in Task Manager or the registry - I did delete from the HijackThis log - did this get rid of it or am I being naive??!!
    New hijack this log.
    HOW CAN I GET E.MAIL TO WORK AGAIN??!! Still cannot get loads of sites - eg google, windows bbs etc !!!

    Newt - I have ordered SP2 !

    Logfile of HijackThis v1.98.2
    Scan saved at 12:28:00, on 26/10/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\hijackthis.log.michael\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.freeserve.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


    Hi Lonni - thanks for info. Not at all happy but going very slowly!!!
     
    Last edited: 2004/10/26
    Sus,
    #25
  7. 2004/10/26
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Well, from here things are looking better. Not seeing the nasties you started with.

    Re: the problem getting to some sites - locate c:\windows\system32\drivers\etc\hosts (a file with no file extension) and rename it to hosts.old and see if that cures your problem. If not, try a couple of the sites using their IP address rather than the site name. For this forum it would be
    http://67.15.19.177

    Re: email - I may have missed it but what is wrong with your email and what mail client (outlook express, microsoft outlook, etc.) do you use? Also are you using something like hotmail or one of those?
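    Newt's hosts-file suggestion above can be checked rather than guessed at. This is an added Python example, not from the thread: it parses a constructed sample hosts file (on XP the live one is c:\windows\system32\drivers\etc\hosts, the path Newt gives) and reports every name pinned to an address other than loopback or 0.0.0.0, grouped by address so that many unrelated sites funnelled to one host stands out. The 203.0.113.5 address in the sample is a documentation placeholder, not a real indicator.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file, not the poster's real one; the hijacking
# entries point at a documentation address (203.0.113.5) as a stand-in.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net          # blocking entry: harmless
203.0.113.5     www.google.com google.com
203.0.113.5     www.windowsbbs.com       # forum unreachable by name
203.0.113.5     windowsupdate.microsoft.com
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, [hostnames]) for each usable line.
    Text after '#' is a comment; malformed lines are skipped, not fatal."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield lineno, ip, [h.lower() for h in fields[1:]]


def find_redirects(text):
    """Return (redirects, by_ip): redirects maps each hostname pinned to an
    address other than loopback or 0.0.0.0 (all a normal entry ever needs) to
    that address; by_ip groups those names per address, since a hijacked file
    usually funnels many unrelated sites to one host."""
    redirects, by_ip = {}, defaultdict(set)
    for _, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            redirects[name] = str(ip)
            by_ip[str(ip)].add(name)
    return redirects, dict(by_ip)


def report(text):
    """One summary line per redirect target, returned so it can be checked."""
    _, by_ip = find_redirects(text)
    return [f"{ip}: {len(names)} name(s) -> {', '.join(sorted(names))}"
            for ip, names in sorted(by_ip.items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HOSTS)) or "no redirects found")
```

    To check a live machine, read the real hosts file into `report()` instead of `SAMPLE_HOSTS`; an empty result means the hosts file is not what is blocking the sites.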
     
  8. 2004/10/27
    Sus

    Sus Inactive Thread Starter

    Joined:
    2004/03/12
    Messages:
    45
    Likes Received:
    0
    I have located the host file in filelocator - but how do I change it?????

    As for e.mail I think I have sorted that one myself thanks.
     
    Sus,
    #27
  9. 2004/10/27
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    File locator ?

    You can manually rename or delete the hosts file or use a tool such as the Hoster.
    Download and unzip the Hoster from here: http://members.aol.com/toadbee/hoster.zip
    Run the Program Press 'Restore Original Hosts' and press 'OK'
    Exit Program.
     
  10. 2004/10/27
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Post a log from this tool please

    Make a new Folder for example C:\Dllconpare
    http://download.broadbandmedic.com/DllCompare.exe
    Download DllCompare.exe to that folder


    Start Program and Click the Run Locate.com and wait a few seconds til the scan says complete.
    (default settings usually are sufficient)

    Click the Compare button to start the sorting process.

    Files in the upper portion have been verified to "exist", whereas files in the bottom section have some form of problem being accessed.
    There will be only minimal, if any files listed there... once that Compare scan is complete, and you find you have a few files listed in the lower box.

    Click on any of the listed entries to select it.. Right click the mouse and use the Option Rescan Like This

    This will run the file through the standard Windows Find and if it does exist, will be removed from the list (to further filter the found objects) Like This

    After that if you are left with files that are still not found, click the Make a Log of what was found button, and post that log.
     
  11. 2004/10/27
    Sus

    Sus Inactive Thread Starter

    Joined:
    2004/03/12
    Messages:
    45
    Likes Received:
    0
    Log as requested.


    * DLLCompare Log version(1.0.0.125)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINDOWS\SYSTEM32\bridge.dll Tue 19 Oct 2004 8:43:14 ..SHR 0 0.00 K
    C:\WINDOWS\SYSTEM32\d2kpax.dll Tue 19 Oct 2004 8:43:14 ..SHR 0 0.00 K
    C:\WINDOWS\SYSTEM32\msxslab.dll Tue 19 Oct 2004 8:43:14 ..SHR 0 0.00 K
    ________________________________________________

    1,148 items found: 1,148 files (4 H/S), 0 directories.
    Total of file sizes: 201,574,578 bytes 192.23 M

    Administrator Account = True
     
    Sus,
    #30
  12. 2004/10/27
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello

    Answer Newt's question, we are all wondering what email program you use.
    Describe all the problems once more for us please.

    We can delete those files, though it's just a cleanup routine. I don't think they are the cause of any problems; here's how.
    Download this Tool called Killbox (By Option^Explicit)
    http://download.broadbandmedic.com/Killbox.exe

    Close all browsers and programs that show in the taskbar

    Start Killbox and Copy these paths one at a time into the program..
    [X]Place a check next to kill on reboot
    then click the Red [X] button to delete it.
    (don't worry about any messages of files it can't delete)
    It will ask if you want to reboot choose no
    C:\WINDOWS\SYSTEM32\bridge.dll
    Hit the red X to mark it for deletion when windows restarts.
    and one to the next file
    C:\WINDOWS\SYSTEM32\d2kpax.dll
    C:\WINDOWS\SYSTEM32\msxslab.dll
    Exit Killbox Then restart the PC

    Run dll compare again and post a log. we might have to go about deleting them another way.

    Also (another cleanup procedure) download the attachment I have made to your desktop.
    Right click on it and rename from fixme.txt to fixme.reg, then run that reg file. Answer yes to the prompt. You should get a succeed message, did you? If so, delete that file; it's not needed any longer.
     
  13. 2004/10/27
    Sus

    Sus Inactive Thread Starter

    Joined:
    2004/03/12
    Messages:
    45
    Likes Received:
    0
    Hi there,

    It is Outlook Express and netemedia. A box keeps popping up asking for the username and password, won't let me go any further.

    Meanwhile I will do the other things.


    PS. I can now go to netemedia homepage but still cannot get google - windows bbs - and other sites. while I have been doing all this work, I have to download to my computer and save to disk and put onto the problem computer.

    When I run hostfilereader I have been reseting default - maybe I should be doing one of the other options - please advise!
     
    Last edited: 2004/10/28
    Sus,
    #32
  14. 2004/10/28
    Sus

    Sus Inactive Thread Starter

    Joined:
    2004/03/12
    Messages:
    45
    Likes Received:
    0
    I have run killbox and it is now clear.

    No log to post.

    Do I need to run fixme. If so please give full instructions - I have changed the name as requested.

    Still cannot get any of the sites I require.
     
    Last edited: 2004/10/28
    Sus,
    #33
  15. 2004/10/28
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    yes run the reg file and tell us if you get a succeed message ?

    Run dllcompare again and post a new log from it.

    Also run this tool please
    Download System Security Suite.
    http://www.igorshpak.net/
    Extract it from the zip file and run setup.exe
    after the install you can delete setup.exe and the downloaded zip file
    Start the program Check all the boxes under the 'Items to Clear' tab and click
    'Clear Selected Items'. You will be prompted to reboot, do so.


    netemedia. what com net ? i get a "netemedia.com is for sale! "
    then some darn toolbar tries to install.
     
  16. 2004/10/28
    Sus

    Sus Inactive Thread Starter

    Joined:
    2004/03/12
    Messages:
    45
    Likes Received:
    0
    Hi - Sorry to be dumb - how do I run the reg file ?????
     
    Sus,
    #35
  17. 2004/10/28
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    No problem :)

    provided you downloaded it then changed the name to fixme.reg
    just double left click on it. We need to know if there was a succeed message?
     
  18. 2004/10/28
    Sus

    Sus Inactive Thread Starter

    Joined:
    2004/03/12
    Messages:
    45
    Likes Received:
    0
    Thanks

    No succeed message.


    Netemedia.it
     
    Sus,
    #37
  19. 2004/10/28
    Sus

    Sus Inactive Thread Starter

    Joined:
    2004/03/12
    Messages:
    45
    Likes Received:
    0
    * DLLCompare Log version(1.0.0.125)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    C:\WINDOWS\SYSTEM32\bridge.dll Tue 19 Oct 2004 8:43:14 ..SHR 0 0.00 K
    C:\WINDOWS\SYSTEM32\d2kpax.dll Tue 19 Oct 2004 8:43:14 ..SHR 0 0.00 K
    C:\WINDOWS\SYSTEM32\jac.dll Tue 19 Oct 2004 8:43:14 ..SHR 0 0.00 K
    C:\WINDOWS\SYSTEM32\msxslab.dll Tue 19 Oct 2004 8:43:14 ..SHR 0 0.00 K
    ________________________________________________

    1,148 items found: 1,148 files (4 H/S), 0 directories.
    Total of file sizes: 201,574,578 bytes 192.23 M

    Administrator Account = True

    --------------------End log---------------------
    Have downloaded System Security Suite and run it - still no joy -tried to get google and couple of other sites -
     
    Sus,
    #38
  20. 2004/10/28
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Ok do this
    Set Windows to show Hidden Files:and extensions etc>
    Open any folder > Tools > Folder Options - View [tab]:
    Scroll down to the "Files and Folders" section.
    Select: "Display the contents of system folders ".
    Select: "Show hidden files and folders ", Ok the prompt
    Uncheck: "Hide file extensions for known file types"
    Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply
    Click the "Apply to all Folders" button. Close Windows Explorer.
    Re-download that attachment, rename as before, then double left click on it.
    any luck ?
    It's best to then restart the PC.

    I'll get back to you on those other files.
     
  21. 2004/10/28
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Next open this folder C:\WINDOWS\SYSTEM32\
    An easy way is to go Start > Run and paste in
    C:\WINDOWS\SYSTEM32\
    click OK.
    Make a new text document in that folder,
    copy the bolded below into that new document

    attrib -h -r -s D2KPAX.DLL
    ren D2KPAX.DLL D2KPAX.bad
    del D2KPAX.bad
    attrib -h -r -s BRIDGE.DLL
    ren BRIDGE.DLL BRIDGE.bad
    del BRIDGE.bad
    attrib -h -r -s JAC.DLL
    ren JAC.DLL JAC.bad
    del JAC.bad
    attrib -h -r -s MSXSLAB.DLL
    ren MSXSLAB.DLL MSXSLAB.bad
    del MSXSLAB.bad


    name it removebadfile.txt and exit notepad
    right-click on that txt file rename to removebadfile.BAT
    Now run the bat file by left double clicking it.

    Run dllcompare and post one more log, I'd like to see if that did the trick, thanks.
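    Tying together the DllCompare log Sus posted earlier (#30 and #38) and Lonny's removal batch just above, here is an added Python example, not from the thread or from either tool: it parses the lower-box lines of that log format, groups hidden+system files by identical timestamp so a dropped-together set is visible at a glance, and renders Lonny's attrib/ren/del lines for that set. The sample input is the three file lines from Sus's first log plus one summary line; jac.dll from the later log would cluster with them the same way.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three flagged lines from the DllCompare log above (raw string, so the
# backslashes in the paths are literal), plus a summary line that must not match.
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM32\bridge.dll Tue 19 Oct 2004 8:43:14 ..SHR 0 0.00 K
C:\WINDOWS\SYSTEM32\d2kpax.dll Tue 19 Oct 2004 8:43:14 ..SHR 0 0.00 K
C:\WINDOWS\SYSTEM32\msxslab.dll Tue 19 Oct 2004 8:43:14 ..SHR 0 0.00 K
1,148 items found: 1,148 files (4 H/S), 0 directories.
"""

# One file line: drive path, "Tue 19 Oct 2004 8:43:14", attribute flags
# (dots are unset bits; S/H/R = system/hidden/read-only), size in bytes.
ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+"
    r"(?P<stamp>\w{3} \d{1,2} \w{3} \d{4} \d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<attrs>\S+)\s+(?P<bytes>\d+)\s"
)

def parse_entries(text):
    """Return one dict per file line; header and summary lines do not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append({
                "path": m["path"],
                "stamp": datetime.strptime(m["stamp"], "%a %d %b %Y %H:%M:%S"),
                "attrs": set(m["attrs"].replace(".", "").upper()),
                "bytes": int(m["bytes"]),
            })
    return entries

def suspicious_clusters(entries):
    """Keep files flagged hidden+system (invisible in a default Explorer view)
    and group them by timestamp: files written in the same second were almost
    certainly dropped together, so they are worth treating as one set."""
    groups = defaultdict(list)
    for e in entries:
        if {"H", "S"} <= e["attrs"]:
            groups[e["stamp"]].append(e["path"])
    return {stamp: paths for stamp, paths in groups.items() if len(paths) > 1}

def cleanup_batch(paths):
    """Render Lonny's attrib/ren/del sequence for these files as .bat lines;
    the batch is meant to run from inside the folder that holds them."""
    lines = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        lines += [f"attrib -h -r -s {name}", f"ren {name} {stem}.bad", f"del {stem}.bad"]
    return lines
```

    Paste a whole DllCompare log into `parse_entries()`; anything that is hidden+system but stands alone in time is left out of the clusters and deserves a look on its own before it goes into a batch.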
     