
Please Help I have something my virus protection is not picking up


4 replies to this topic

#1 Jazz5557

Jazz5557

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 27 March 2006 - 10:51 PM

Hi, since my last post I ran HijackThis again and now I have 2 new BHOs that are DLLs and corresponding WINLOGON files, and my computer would lose a race with a snail when booting up. At startup my McAfee virus scan gives me a warning box that will not go away that states it is detecting a suspicious file, yet when I run a complete scan it does not pick the file(s) up. Would you please look at my log file and advise. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 10:49:18 PM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\1142383665\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1142383665\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1142383665\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\Common Files\AOL\1142383665\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jane Sohn\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://theledger.com...s.dll/frontpage
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\ssttt.dll
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\system32\jkhhe.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Promosoft LiveUpdate: Recovery Startup] "C:\Program Files\Free Registry Fix\liveupd.exe" /check:[FreeRegistryFix][2.3.0.10][26052005.1625] /xml:http://www.pcreply.com/LiveUpdate/FreeRegistryFix/update.xml
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142383665\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1142383665\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1142383665\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol....oach_core_1.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.m...ted/mvt/mvt.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\ssttt.dll
O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1142383665\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



#2 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 30 March 2006 - 05:19 PM

Hello Jane and welcome to TomCoyote forum. Looks like you have not one, but two Vundo trojans. Let's hope our fix will remove them both at once. If you follow the directions, you can remove them. The Vundo lines may be gone when you run HJT; do not be concerned, just do not miss any.

1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas....tehjtfolder.htm

Thanks to Atribune and any others who helped with this fix

2) Please download VundoFix v4.2.35 to the Desktop:
http://www.atribune....tent/view/24/2/
* Double-click VundoFix.exe to run it
* Put a check next to Run VundoFix as a task
* You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click: Scan for Vundo
* Once it's done scanning, click: Remove Vundo
* A prompt asking if you want to remove the files appears, click: Yes
* Once you click yes, the Desktop goes blank as it starts removing Vundo.
* When completed, a prompt to shutdown the computer appears, click OK
* Turn the computer back on.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\ssttt.dll
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\system32\jkhhe.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\ssttt.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Restart the computer and post the contents of C:\vundofix.txt and a new HJT log along with your comments. How is the computer running now?

Thanks...pskelley
TomCoyote forum
Expert Member

Your Java program is outdated and a security risk, hackers can use bad script to infect you and that may be why you are infected. See this information: http://forums.spybot...read.php?t=2559
C:\Program Files\Java\j2re1.4.2_05\ <<< outdated.

I use no aol but I do use McAfee and I am a little confused by your AV and firewall protection. Looks like aol may be supplying you with the product. What you want to do is make sure if you are using a third party firewall, that the SP2 firewall is turned off. Make sure you are running no more than one antivirus program and no more than one firewall. Keep them updated and run them often for the best protection.

I notice you are linked to the Ledger, I lived in Lakeland for about five years quite a while ago, in Clearwater now :rofl:
MS-MVP Windows Security 2007-8-9 Proud Member ASAP UNITE Member 2006
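As an added example (not code from this thread or from HijackThis), a small Python checker that applies the pattern pskelley is reading in the log above: a BHO DLL in an O2 line that also appears as a Winlogon Notify hook in an O20 line, plus the unnamed BHO and the toolbar entry with no file behind it. The sample lines are constructed from the O2/O3/O20 entries of the posted log; the function names parse_hjt and flag_entries are this example's own.

```python
import re

# Constructed sample: the O2/O3/O20 lines from the HJT log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\ssttt.dll
O2 - BHO: (no name) - {ADCD30FF-0119-4906-8A8B-D52D1EED044B} - C:\WINDOWS\system32\jkhhe.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\SYSTEM32\jkhhe.dll
O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\ssttt.dll
"""

# HJT line shape: "O2 - BHO: <description> - {CLSID} - <path>"; only O-sections are parsed.
LINE_RE = re.compile(r"^(?P<sec>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")

def parse_hjt(text):
    """Return (section, description, path, raw line) per O-line; the last
    ' - ' separated field is the file path, or the literal '(no file)'."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        fields = m["rest"].rsplit(" - ", 1)
        path = fields[1] if len(fields) == 2 else ""
        entries.append((m["sec"], fields[0], path, raw.strip()))
    return entries

def flag_entries(text):
    """Map each suspicious log line to the reason it was flagged."""
    entries = parse_hjt(text)
    # XP paths differ in case between sections (SYSTEM32 vs system32),
    # so DLL paths are compared case-insensitively.
    bho_dlls = {p.lower() for s, _, p, _ in entries if s == "O2"}
    notify_dlls = {p.lower() for s, _, p, _ in entries if s == "O20"}
    flagged = {}
    for sec, desc, path, raw in entries:
        if sec == "O2" and path.lower() in notify_dlls:
            flagged[raw] = "BHO DLL is also a Winlogon Notify hook (Vundo-style pairing)"
        elif sec == "O2" and desc.startswith("(no name)"):
            flagged[raw] = "BHO registered without a name"
        elif sec == "O3" and path == "(no file)":
            flagged[raw] = "toolbar entry whose file is missing"
        elif sec == "O20" and path.lower() in bho_dlls:
            flagged[raw] = "Winlogon Notify hook that is also a BHO (Vundo-style pairing)"
    return flagged
```

Calling flag_entries(SAMPLE_LOG) flags the two paired DLLs from both sides, the unnamed BHO and the orphaned toolbar, and leaves the legitimately named StyleXP BHO alone.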

#3 Jazz5557

Jazz5557

    New Member

  • Authentic Member
  • Pip
  • 7 posts

Posted 02 April 2006 - 01:23 AM

Hi PSKelley, thank you for your response. I don't live in Lakeland but very close. We have a ranch south of Winter Haven. I have resolved this issue since posting and did exactly what you suggested here. I was using AOL's virus protection and firewall (which allowed the trojans, I might add), but have gotten rid of it and I am using a stand-alone anti-virus program, Windows firewall, Ad-Aware SE, and Ewido. I updated my Java and if I can ever get off this darned dial-up connection will be getting rid of AOL as well lol. Just wanted to let you all know so you could close this out. Thanks again! Jane

#4 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 02 April 2006 - 03:45 AM

Hi Jane, well that still makes us neighbors :) Let me take a look at the log and see if I can offer any suggestions. I am assuming because of what you said that you are running aol dialup and that you purchased ewido. These were my instructions:

Restart the computer and post the contents of C:\vundofix.txt and a new HJT log along with your comments. How is the computer running now?

Without looking at those logs I can't say that you are clean. If you wish to post those so I can have a last look, I will be glad to do that for you. Since you own ewido, post a copy of the scan results and I will evaluate that report also. Now if you wish to do none of that, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.o...topic.php?t=957
http://russelltexas....re/allclear.htm
http://forum.malware...wtopic.php?t=14
http://www.bleepingc...topict2520.html
http://cybercoyote.o...not-admin.shtml

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.syma...src=sec_doc_nam

Your topic will be open for a couple of days in case you need it.

Safe surfing...Phil :wavey:


#5 pskelley

pskelley

    R.I.P Always in our hearts

  • Authentic Member
  • PipPipPipPipPip
  • 3,879 posts
  • Interests:Computers, fishing, biking, basketball, travel

Posted 04 April 2006 - 08:44 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php