
Hjt Log: Almost Clean


This topic is locked. 10 replies to this topic.

#1 jjy (New Member, 5 posts)

Posted 07 April 2007 - 09:40 AM

Hello,

I have a computer that seems to be infected with a number of different things. I know it has or had Vundo and the PE386 Rootkit. I think it's almost clean, but I keep getting popups from amaena.com. Here is my HJT log. Thanks in advance and happy Easter.

--------------

Logfile of HijackThis v1.99.1
Scan saved at 11:30:06 AM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Velocity.Net Accelerator\vnaccelcore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Velocity.Net Accelerator\vnaccelgui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Jen\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Velocity.Net Accelerator\PBHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: (no name) - {ee8b8f6b-bc59-49ce-bcc4-711951dccdd9} - C:\WINDOWS\system32\comote.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Velocity.Net Accelerator\vnaccelcore.exe"
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\pmlklk.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Velocity.Net Web Accelerator.lnk = C:\Program Files\Velocity.Net Accelerator\vnaccelgui.exe
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Velocity.Net Accelerator\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Velocity.Net Accelerator\gui_resource.dll/328
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175888875312
O17 - HKLM\System\CCS\Services\Tcpip\..\{05125D82-C8D3-43BD-9A5D-F993D6622C6D}: NameServer = 66.211.211.22 66.211.211.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{05125D82-C8D3-43BD-9A5D-F993D6622C6D}: NameServer = 66.211.211.22 66.211.211.21
O20 - AppInit_DLLs:
O20 - Winlogon Notify: comote - C:\WINDOWS\SYSTEM32\comote.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: E - Unknown owner - C:\DOCUME~1\Jen\LOCALS~1\Temp\E.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe



#2 LDTate (Root Admin, Grand Poobah, 57,211 posts)

Posted 07 April 2007 - 10:44 AM

Hello and welcome to the forum.

Important: Do this before any fix.

Please put your HijackThis in its own folder (I create a new folder in C:\ named HJT).
You can do a Right Click on any open area on the desktop, New > Folder, then rename the folder HJT.

Go to where your HijackThis is and Right Click on HijackThis.exe, select Cut, then open the new folder you just created (HJT), Right Click in the folder and select Paste.

The reason we do this is that HijackThis creates backup files in case you need to restore one, and we'll be cleaning out the temp files.



After the above:


* Download VirtumundoBegone, place it on your desktop.
http://secured2k.hom...mundoBeGone.exe

Doubleclick VirtumundoBeGone.exe to start the tool.
Follow the instructions on the screen.
Don't worry if you get a blue screen with an error on it - this is normal.
After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {ee8b8f6b-bc59-49ce-bcc4-711951dccdd9} - C:\WINDOWS\system32\comote.dll
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\pmlklk.dll",realset
O20 - AppInit_DLLs:
O20 - Winlogon Notify: comote - C:\WINDOWS\SYSTEM32\comote.dll
O23 - Service: E - Unknown owner - C:\DOCUME~1\Jen\LOCALS~1\Temp\E.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Post the contents of the log VBG.TXT which will be present on your desktop together with a new HijackThis log in your next reply.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 jjy (New Member, 5 posts)

Posted 07 April 2007 - 11:23 AM

LDTate,

Thanks for the fast reply. I did as requested. Here are the logs.


[04/07/2007, 13:09:28] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Jen\Desktop\VirtumundoBeGone.exe" )
[04/07/2007, 13:09:36] - Detected System Information:
[04/07/2007, 13:09:36] - Windows Version: 5.1.2600, Service Pack 2
[04/07/2007, 13:09:36] - Current Username: Jen (Admin)
[04/07/2007, 13:09:36] - Windows is in NORMAL mode.
[04/07/2007, 13:09:36] - Searching for Browser Helper Objects:
[04/07/2007, 13:09:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/07/2007, 13:09:36] - BHO 2: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} (PBlockHelper Class)
[04/07/2007, 13:09:36] - BHO 3: {57E218E6-5A80-4f0c-AB25-83598F25D7E9} ()
[04/07/2007, 13:09:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/07/2007, 13:09:36] - Checking for HKLM\...\Winlogon\Notify\tmp18.tmp
[04/07/2007, 13:09:36] - Key not found: HKLM\...\Winlogon\Notify\tmp18.tmp, continuing.
[04/07/2007, 13:09:36] - BHO 4: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[04/07/2007, 13:09:36] - BHO 5: {ee8b8f6b-bc59-49ce-bcc4-711951dccdd9} ()
[04/07/2007, 13:09:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/07/2007, 13:09:36] - Checking for HKLM\...\Winlogon\Notify\comote
[04/07/2007, 13:09:36] - Found: HKLM\...\Winlogon\Notify\comote - This is probably Virtumundo.
[04/07/2007, 13:09:36] - Assigning {ee8b8f6b-bc59-49ce-bcc4-711951dccdd9} MSEvents Object
[04/07/2007, 13:09:36] - BHO list has been changed! Starting over...
[04/07/2007, 13:09:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/07/2007, 13:09:36] - BHO 2: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} (PBlockHelper Class)
[04/07/2007, 13:09:37] - BHO 3: {57E218E6-5A80-4f0c-AB25-83598F25D7E9} ()
[04/07/2007, 13:09:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/07/2007, 13:09:37] - Checking for HKLM\...\Winlogon\Notify\tmp18.tmp
[04/07/2007, 13:09:37] - Key not found: HKLM\...\Winlogon\Notify\tmp18.tmp, continuing.
[04/07/2007, 13:09:37] - BHO 4: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[04/07/2007, 13:09:37] - BHO 5: {ee8b8f6b-bc59-49ce-bcc4-711951dccdd9} (MSEvents Object)
[04/07/2007, 13:09:37] - ALERT: Found MSEvents Object!
[04/07/2007, 13:09:37] - Finished Searching Browser Helper Objects
[04/07/2007, 13:09:37] - *** Detected MSEvents Object
[04/07/2007, 13:09:37] - Trying to remove MSEvents Object...
[04/07/2007, 13:09:38] - Terminating Process: IEXPLORE.EXE
[04/07/2007, 13:09:38] - Terminating Process: RUNDLL32.EXE
[04/07/2007, 13:09:38] - Disabling Automatic Shell Restart
[04/07/2007, 13:09:38] - Terminating Process: EXPLORER.EXE
[04/07/2007, 13:09:38] - Suspending the NT Session Manager System Service
[04/07/2007, 13:09:38] - Terminating Windows NT Logon/Logoff Manager
[04/07/2007, 13:09:39] - Re-enabling Automatic Shell Restart
[04/07/2007, 13:09:39] - File to disable: C:\WINDOWS\system32\comote.dll
[04/07/2007, 13:09:39] - Renaming C:\WINDOWS\system32\comote.dll -> C:\WINDOWS\system32\comote.dll.vir
[04/07/2007, 13:09:39] - File successfully renamed!
[04/07/2007, 13:09:39] - Removing HKLM\...\Browser Helper Objects\{ee8b8f6b-bc59-49ce-bcc4-711951dccdd9}
[04/07/2007, 13:09:39] - Removing HKCR\CLSID\{ee8b8f6b-bc59-49ce-bcc4-711951dccdd9}
[04/07/2007, 13:09:39] - Adding Kill Bit for ActiveX for GUID: {ee8b8f6b-bc59-49ce-bcc4-711951dccdd9}
[04/07/2007, 13:09:39] - Deleting ATLEvents/MSEvents Registry entries
[04/07/2007, 13:09:39] - Removing HKLM\...\Winlogon\Notify\comote
[04/07/2007, 13:09:39] - Searching for Browser Helper Objects:
[04/07/2007, 13:09:39] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/07/2007, 13:09:39] - BHO 2: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} (PBlockHelper Class)
[04/07/2007, 13:09:39] - BHO 3: {57E218E6-5A80-4f0c-AB25-83598F25D7E9} ()
[04/07/2007, 13:09:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/07/2007, 13:09:39] - Checking for HKLM\...\Winlogon\Notify\tmp18.tmp
[04/07/2007, 13:09:39] - Key not found: HKLM\...\Winlogon\Notify\tmp18.tmp, continuing.
[04/07/2007, 13:09:39] - BHO 4: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[04/07/2007, 13:09:39] - Finished Searching Browser Helper Objects
[04/07/2007, 13:09:39] - Finishing up...
[04/07/2007, 13:09:39] - A restart is needed.
[04/07/2007, 13:09:39] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[04/07/2007, 13:09:53] - Attempting to Restart via STOP error (Blue Screen!)

-------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 1:19:04 PM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Velocity.Net Accelerator\vnaccelcore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Velocity.Net Accelerator\vnaccelgui.exe
C:\WINDOWS\System32\svchost.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Velocity.Net Accelerator\PBHelper.dll
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp18.tmp.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Velocity.Net Accelerator\vnaccelcore.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Velocity.Net Web Accelerator.lnk = C:\Program Files\Velocity.Net Accelerator\vnaccelgui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175888875312
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
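The VirtumundoBeGone log above shows the four registry actions that actually break the persistence: removing the Browser Helper Objects entry, deleting the CLSID, adding an ActiveX kill bit for that CLSID, and removing the Winlogon Notify package (the DLL itself had to be renamed with winlogon suspended, because winlogon is the process that loads Notify packages). The Python below is an added example, not the tool's code; it writes those four actions out as a .reg file for any CLSID and Notify name. The key paths are the standard Internet Explorer and Winlogon locations and 0x400 is the documented kill-bit value for "Compatibility Flags"; the input validation is my own.

```python
"""Build a .reg file that performs the registry half of what VirtumundoBeGone
logged: unregister the BHO, delete its CLSID, set the Internet Explorer kill
bit for that CLSID, and drop the Winlogon Notify package.

Added example, not the tool's code. The key paths are the standard IE and
Winlogon locations; 0x400 is the documented kill-bit flag. The DLL on disk
still has to be renamed from a context where winlogon is not holding it
open, which is why the tool suspended winlogon and then rebooted.
"""
import re

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
KILL_BIT = 0x00000400  # "Compatibility Flags" value that stops IE instantiating the control

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def is_clsid(value: str) -> bool:
    """True for a braced GUID such as {ee8b8f6b-bc59-49ce-bcc4-711951dccdd9}."""
    return bool(CLSID_RE.match(value))


def removal_reg(clsid: str, notify_name: str) -> str:
    """Return the text of a .reg file; a leading '-' on a key header deletes that key."""
    if not is_clsid(clsid):
        raise ValueError(f"not a CLSID: {clsid!r}")
    # Notify package names are plain subkey names; refuse anything that could
    # escape the key path (assumed restriction, stricter than the registry itself).
    if not re.fullmatch(r"[A-Za-z0-9_.]+", notify_name):
        raise ValueError(f"unexpected Notify package name: {notify_name!r}")
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[-{BHO_KEY}\\{clsid}]",               # stop IE loading it as a BHO
        "",
        f"[-HKEY_CLASSES_ROOT\\CLSID\\{clsid}]",  # remove the COM registration
        "",
        f"[{COMPAT_KEY}\\{clsid}]",              # kill bit: IE refuses the CLSID even if re-registered
        f'"Compatibility Flags"=dword:{KILL_BIT:08x}',
        "",
        f"[-{NOTIFY_KEY}\\{notify_name}]",       # stop winlogon loading the DLL at logon
        "",
    ]
    return "\r\n".join(lines)  # regedit expects CRLF line endings


if __name__ == "__main__":
    # The CLSID and Notify name VirtumundoBeGone reported in the log above.
    print(removal_reg("{ee8b8f6b-bc59-49ce-bcc4-711951dccdd9}", "comote"))
```

Importing the generated file with regedit handles the registry side only; it does nothing about the DLL on disk, so the rename (or deletion after a reboot) still has to be done separately, as the tool did. The kill bit is the part worth keeping even after the file is gone: with it set, a re-dropped copy of the same CLSID will not be instantiated by Internet Explorer.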

#4 LDTate (Root Admin, Grand Poobah, 57,211 posts)

Posted 07 April 2007 - 11:26 AM

Run HijackThis. Hit None of the above, click Do a System Scan Only. Put a check in the box on the left side of these:

O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\system32\tmp18.tmp.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Close ALL windows and browsers except HijackThis and click "Fix checked"


Delete this File if listed:
C:\WINDOWS\system32\tmp18.tmp.dll



You need to update SunJava.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on 6-windowsi586-p.exe to install the newest version.
Once installed you can test to see that it is in fact installed
Sun Java Test
http://www.java.com/...d/installed.jsp


Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.



#5 jjy (New Member, 5 posts)

Posted 07 April 2007 - 12:31 PM

I'm downloading version 5 update 11 of java. I'm not running IE 7. Is JRE v.6 only for IE 7?

I haven't gotten any popups or virus alerts since doing the steps you requested.

-----------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:29:09 PM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Velocity.Net Accelerator\vnaccelcore.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Velocity.Net Accelerator\vnaccelgui.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Velocity.Net Accelerator\PBHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Velocity.Net Accelerator\vnaccelcore.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Velocity.Net Web Accelerator.lnk = C:\Program Files\Velocity.Net Accelerator\vnaccelgui.exe
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\Velocity.Net Accelerator\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\Velocity.Net Accelerator\gui_resource.dll/328
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175888875312
O17 - HKLM\System\CCS\Services\Tcpip\..\{05125D82-C8D3-43BD-9A5D-F993D6622C6D}: NameServer = 66.211.211.22 66.211.211.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{05125D82-C8D3-43BD-9A5D-F993D6622C6D}: NameServer = 66.211.211.22 66.211.211.21
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

#6 LDTate (Root Admin, Grand Poobah, 57,211 posts)

Posted 07 April 2007 - 12:37 PM

Is JRE v.6 only for IE 7?

I don't think so, but check that web site.
Also be sure to use add/remove programs and uninstall all the older versions.

Run HijackThis. Hit None of the above, click Do a System Scan Only. Put a check in the box on the left side of these:

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.co...ne_Inst_Win.cab

Close ALL windows and browsers except HijackThis and click "Fix checked"

Reboot and describe how your computer behaves at the moment.



#7 jjy (New Member, 5 posts)

Posted 07 April 2007 - 01:15 PM

Computer seems to be running fine still. No popups and no virus scan alerts.

------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:12:08 PM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Velocity.Net Accelerator\vnaccelcore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Velocity.Net Accelerator\vnaccelgui.exe
C:\WINDOWS\System32\svchost.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Velocity.Net Accelerator\PBHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\Velocity.Net Accelerator\vnaccelcore.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Velocity.Net Web Accelerator.lnk = C:\Program Files\Velocity.Net Accelerator\vnaccelgui.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1175888875312
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

#8 LDTate (Root Admin, Grand Poobah, 57,211 posts)

Posted 07 April 2007 - 01:17 PM

You can remove any programs I had you install. Use Add/Remove Programs to remove them if listed there.

Log looks good :D


You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.



If you don't have any programs like these, I would recommend that you get them.
Spywareblaster,
Spywareguard.


Also get a FREE FIREWALL and FREE ANTI VIRUS if you need one.

Only run one Anti-Virus and Firewall program.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Do not use Ad-aware if you have McAfee's VirusScan and AntiSpyware


Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein



#9 jjy (New Member, 5 posts)

Posted 07 April 2007 - 02:49 PM

Thanks for all the help. I guess all those years of not running any kind of virus protection finally caught up with me, or more so my wife. I believe she got infected through myspace.com. She says all she did was visit someone's profile and all kinds of things started popping up. Again, thanks for the help.

#10 LDTate (Root Admin, Grand Poobah, 57,211 posts)

Posted 07 April 2007 - 02:51 PM

Quoting jjy:

Thanks for all the help. I guess all those years of not running any kind of virus protection finally caught up with me, or more so my wife.

I believe she got infected through myspace.com. She says all she did was visit someone's profile and all kinds of things started popping up.

Again, thanks for the help.

That would do it.


You're more than welcome.
Glad we were able to help.

Peace be with you :wavey:



#11 LDTate (Root Admin, Grand Poobah, 57,211 posts)

Posted 07 April 2007 - 02:51 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

