need pop-up help!!!


2strokebloke
09-15-2005, 06:21 PM
Okay. Not so long ago, I reformatted our computer's hard drive. Everything was fine, until my brother, who moved out of the house, started coming home every night to use our computer. I told him, "don't use IE, use Firefox," so what does the retard do? Uses IE, and downloads a shitload of viruses to the computer.
Now I've got popups coming out the wazoo. I'm not even using IE, and they're popping up in IE windows when I'm using Firefox. What can I do, short of beating the hell out of my brother, to relieve this problem?

blazee
09-15-2005, 07:00 PM
I'll take a look at it for you.

Download HijackThis: http://www.merijn.org/files/hijackthis.zip
Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, and do not run it directly from the ZIP file, as your backups will not be safely stored.
Before running HijackThis you must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.
Run HijackThis and save your log file.
Click Save, then copy and paste the results in your next post. Do not reboot until told to do so, because some infections change names when the system reboots.

Neutrino
09-15-2005, 10:12 PM
On top of that, get Microsoft's free antispyware program right now; it's probably the best of the bunch. Also get and run Ad-Aware and Spybot after you update their definition files.


And of course make sure you have a solid antivirus program. McAfee is my personal preference, but AVG is also supposed to be good and it's free.


Also, McAfee has a good free antivirus tool you might want to run called Stinger.

Oz
09-15-2005, 11:24 PM
Run as many of those tools as possible in safe mode AFTER UPDATING THE DEFINITIONS TO CURRENT IN NORMAL MODE. This prevents whatever components are causing the problem from loading.

Neutrino
09-16-2005, 01:55 AM
Oh, and I forgot: along with all that security software I highly recommend this hardware-based security module to keep other users from fu***ing up your PC:


http://www.aluminumbats.com/ProductImages/bats/youth/dxlf206.jpg

-Davo
09-16-2005, 07:53 AM
Beat up your brother.

blazee
09-16-2005, 12:27 PM
... if you would rather just run a bunch of cleaners......

Print these instructions or save them to a notepad so that you will have them while off line:

Download, Install and Run:
CleanUp! (this will clear all of your temp files and make the scans faster) - http://www.stevengould.org/downloads/cleanup/CleanUp40.exe


Download, Install and Update: (but don't scan yet)

AdAware SE - http://downloads.pcworld.com/pub/new/privacy___security/anti_spyware_tools/aawsepersonal.exe

SpyBot S&D - http://files1.majorgeeks.com/files/e18455e21cdc9ba50c301e0bc99b56e7/spyware/spybotsd14.exe

Microsoft AntiSpyware Beta - http://majorgeeks.com/downloadget4466-1-0c0a5af0501093b60aba328855a1511e.html

CWShredder - http://www.bleepingcomputer.com/files/Merijn/cwshredder.zip

X-Cleaner (you don't have to install or update this one, it comes ready to run; just make sure you remember where you downloaded it to) - http://www.xblock.com/download/xcleaner_free.exe


If you don't have a firewall or an antivirus program you need to get one of each. Download, install, and update:
I recommend the free version of ZoneAlarm over all other firewalls (free or paid, except ZoneAlarm Pro). You can get it here - http://download.zonelabs.com/bin/free/1003_zl/zlsSetup_60_667_000.exe

As for antivirus, AVG has a great one that is free - http://free.grisoft.com/softw/70free/setup/avg70free_344a618.exe



NOW that you have all the programs, you can start cleaning:

Physically disconnect from the internet.

Restart your computer in Safe Mode. When the system is booting up, tap F8 a few times after the BIOS loads but before you see the Windows splash screen. A menu will appear; choose to boot in Safe Mode.

Now you can run your scans:

AdAware SE:
Open AdAware, before scanning you will need to configure it properly for it to be most effective. First click on the Configuration button at the top of the window, it looks like a gear. You will now be presented with a new screen with various options to set.

Click on the General button on the left hand side.

Make sure the following items under the Safety category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

Automatically save logfile
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)

Next click on the Advanced button on the left hand side.

Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

Include additional object information
Include negligible objects information
Include environment information
Include Alternate data stream details in log file

Next click on the Tweak button on the left hand side.

Then click on the + (plus) sign next to the Log Files section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

Include basic Ad-Aware settings in logfile
Include additional Ad-Aware settings in logfile

Then click on the + (plus) sign next to the Scanning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

Unload recognized processes & modules during scan
Scan registry for all users instead of current user only

Then click on the + (plus) sign next to the Cleaning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

Always try to unload modules before deletion
During removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot
Delete quarantined objects after restoring

Once these settings have been completed, you should click on the Proceed button. This will bring you to the preparation screen. Make sure you change the scan mode to Perform full system scan. Next scan your computer and fix anything it finds.


AdAware is the only one that really needs special configuration. The rest are pretty straightforward. Just make sure that you always choose the complete scan options and don't forget to use the Immunize feature of SpyBot S&D.



Reboot and see how your computer is running. If the problems persist post a HiJackThis log and I will examine it. If the problems are gone, you need to minimize your risk of reinfection.

1 Kick your brother’s ass
2 Get all the updates from http://www.windowsupdate.com/
3 Use SpywareBlaster - http://www.javacoolsoftware.com/spywareblaster.html
4 Use SpywareGuard - http://www.javacoolsoftware.com/spywareguard.html
5 Secure IE with IE-SPYAD – https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
6 Kick your brother’s ass regularly
7 Keep all your definitions up to date
8 Scan regularly
9 Use online virus scanners occasionally:
http://housecall.antivirus.com/
http://www.pandasoftware.com/activescan/

xokayxo
09-16-2005, 04:53 PM
I have WinFixer crapping all over my computer here at work, so I downloaded HijackThis and here is my log file. Teach me your ways, blazee, jedi master of computer virus ass kicking!!!
Please and thank you :biggrin:


Logfile of HijackThis v1.99.1
Scan saved at 12:49:08 PM, on 9/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anchoragepress.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\Tours\logmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O20 - Winlogon Notify: GoToMyPC - C:\WINDOWS\SYSTEM32\G2WinLogon.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: logmain - C:\WINDOWS\Help\Tours\logmain.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Netnumberlpd - Unknown owner - C:\WINDOWS\system32\EXE2BIN.EXE

blazee
09-16-2005, 09:26 PM
I have WinFixer crapping all over my computer here at work, so I downloaded HijackThis and here is my log file. Teach me your ways, blazee, jedi master of computer virus ass kicking!!!
Please and thank you :biggrin:

You are infected with the Vundo trojan. This looks like a lot, but it really isn’t that bad. The AdAware and Ewido scans will kill a lot of time, though, but they are necessary because this infection is often installed by other malicious programs. You need to print the following instructions, so that you can refer to them later, read over it and if you have any questions ask them now so that you don’t have to repeat the procedure:

STEP 1
- Download Process Explorer (http://www.sysinternals.com/files/procexpnt.zip) by Sysinternals and extract it to your desktop. Do not run this now as we will use it later.

- Download KillBox (http://www.bleepingcomputer.com/files/killbox.php) and extract it to your desktop. Do not run this now as we will use it later.

STEP 2
- Open Notepad. (Start > All Programs > Accessories > Notepad)
- Copy and paste the following, listed in bold, into Notepad exactly as it is shown:

REGEDIT4

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39D2FC9B-041C-470E-AE72-F8C001247626}]

[-HKEY_CLASSES_ROOT\CLSID\{39D2FC9B-041C-470E-AE72-F8C001247626}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}]

[-HKEY_CLASSES_ROOT\CLSID\{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBE0D59D-F985-4AC6-8826-FEE957065D42}]

[-HKEY_CLASSES_ROOT\CLSID\{CBE0D59D-F985-4AC6-8826-FEE957065D42}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}]

[-HKEY_CLASSES_ROOT\CLSID\{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{827DC836-DD9F-4A68-A602-5812EB50A834}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}]

[-HKEY_CLASSES_ROOT\CLSID\{827DC836-DD9F-4A68-A602-5812EB50A834}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{39D2FC9B-041C-470E-AE72-F8C001247626}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AF7FCAFB-9FDB-4F5E-BAC6-68BDEE61D6C6}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CBE0D59D-F985-4AC6-8826-FEE957065D42}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7BF451AC-2010-4804-B256-DB2F0A8D9EB6}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{827DC836-DD9F-4A68-A602-5812EB50A834}]
"Compatibility Flags"=dword:00000400

- Save it to the desktop as vundofix.reg and in the save as type box choose all files.
- Close NotePad


STEP 3
Reboot your computer into Safe Mode

STEP 4
- Double-click on “procexp.exe” which is the Process Explorer that we downloaded earlier.

- In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen.
- Click on the Threads tab at the top.
- Once you see this screen click on the file listed in bold below and click on the kill button. If you see any files listed that are the same name but end with .bak or .ini or are the name in reverse, you can kill those as well. Write down any variants that you discover exactly as they appear for later.

logmain.dll

- After you have killed all of the instances of the DLL under winlogon click on the OK button.

- Now in the top section of the Process Explorer screen double-click on explorer.exe, select the Threads tab, and again click once on each instance of the file above. Once they are highlighted click on the Kill button like you did before. If you have disabled the BHO (O2) in some manner, you will not find this dll listed in this step and can move on.
- When this is done, click on the OK button again.

STEP 5
- Now run HijackThis again, close all windows, and press the Scan button.
- Place a check next to each of the following entries:

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\Tours\logmain.dll

O20 - Winlogon Notify: logmain - C:\WINDOWS\Help\Tours\logmain.dll

If you don’t recognize this entry, it should be checked as well:

O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlega...pGameLoader.dll

- Once all the entries are checked, press the Fix button and then exit HijackThis.

STEP 6
- Now double-click on the vundofix.reg file that you created earlier and allow it to merge the information.

STEP 7
- Now run KillBox and enter the following bold text into the box, select Delete on reboot, then press the red X button; say yes to the prompt but no to "reboot now".

C:\WINDOWS\Help\Tours\logmain.dll

- Then repeat by typing in the full name of any of the reverse named .bak or .ini or other files that you discovered in step 4.

- After you have input the last file name then reboot.

STEP 8
- Download Lavasoft's Ad-Aware (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html) and the VX2 Cleaner Plug-in (http://www.lavasoft.de/software/addons/vx2cleaner.shtml). Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

- Run Ad-Aware, update to the latest definitions, then click on Add-ons in the left-hand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

- Reboot your PC
- Open AdAware
- First click on the Configuration button at the top of the window, it looks like a gear. You will now be presented with a new screen with various options to set.

- Click on the General button on the left hand side.

- Make sure the following items under the Safety category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

Automatically save logfile
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)

- Next click on the Advanced button on the left hand side.

- Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

Include additional object information
Include negligible objects information
Include environment information
Include Alternate data stream details in log file

- Next click on the Tweak button on the left hand side.

- Then click on the + (plus) sign next to the Log Files section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

Include basic Ad-Aware settings in logfile
Include additional Ad-Aware settings in logfile

- Then click on the + (plus) sign next to the Scanning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

Unload recognized processes & modules during scan
Scan registry for all users instead of current user only

- Then click on the + (plus) sign next to the Cleaning Engine section. This will expand the section. Make sure the following items under the Logfile Detail Level category have a green check in them. If they do not, click once on the circle next to them to put a checkmark in it.

Always try to unload modules before deletion
During removal, unload Explorer and IE if necessary
Let Windows remove files in use at next reboot
Delete quarantined objects after restoring

- Once these settings have been completed, you should click on the Proceed button. This will bring you to the preparation screen. Make sure you change the scan mode to Perform full system scan. Next scan your computer and fix anything it finds.

- You may be prompted to set Ad-Aware to run on reboot. If so, click "OK". Exit Ad-Aware and restart your PC once again.

STEP 9
- Download ewido security suite: http://www.ewido.net/en/download/
- Install ewido security suite
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- Launch ewido, there should be an icon on your desktop double-click it.
- The program will now go to the main screen

You will need to update ewido to the latest definition files.

- On the left hand side of the main screen click Update
- Then click on Start Update

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido: http://www.ewido.net/en/download/updates/

Once the updates are installed do the following:
- Boot to safe mode and open Ewido.
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- While the scan is in progress you will be prompted to clean files, click OK
- When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop.

Now close ewido security suite.

STEP 10
- Reboot, Scan with HiJackThis and post a new log. Tell me how your computer is running.
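As an added example (not code from the thread, from HijackThis or from Lavasoft), here is a small Python triage script that parses the O2 and O20 lines of a log like the one posted above, flags the pairing blazee picked out (logmain.dll registered as both a BHO and a Winlogon Notify package, and living under \Help\Tours rather than system32), and writes out a REGEDIT4 script in the same shape as vundofix.reg. The sample log lines are constructed from entries quoted in the thread; the rule that a legitimate Winlogon Notify DLL lives under system32 is an assumption of this example.

```python
"""Triage a HijackThis 1.99 log for the BHO/Winlogon Notify pairing seen in this
thread and emit a REGEDIT4 clean-up script shaped like vundofix.reg.
Added example for this page; not code from the thread, HijackThis or Lavasoft."""
import re

# Constructed sample: a handful of O2/O20 lines in HijackThis 1.99.1 format (with
# the forum's line wrapping undone). Paths and CLSIDs are the ones quoted above.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Help\Tours\logmain.dll",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll",
    r"O20 - Winlogon Notify: GoToMyPC - C:\WINDOWS\SYSTEM32\G2WinLogon.dll",
    r"O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll",
    r"O20 - Winlogon Notify: logmain - C:\WINDOWS\Help\Tours\logmain.dll",
])

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Assumption for this example: a legitimate Winlogon notification package lives
# under system32. A DLL under \Help\Tours, as in the thread, does not belong there.
EXPECTED_NOTIFY_DIR = "c:\\windows\\system32\\"


def parse_log(text):
    """Return (bho_entries, notify_entries) parsed from the O2 and O20 lines."""
    bhos, notifies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append(m.groupdict())
    return bhos, notifies


def find_suspects(text):
    """Flag a BHO whose DLL is also loaded by Winlogon (that pairing is what kept
    logmain.dll alive and forced the Process Explorer thread-killing in step 4),
    and any Winlogon Notify DLL outside the expected directory."""
    bhos, notifies = parse_log(text)
    notify_paths = {n["path"].lower() for n in notifies}
    suspects = []
    for b in bhos:
        if b["path"].lower() in notify_paths:
            suspects.append({"clsid": b["clsid"], "path": b["path"],
                             "reason": "BHO DLL is also a Winlogon Notify package"})
    for n in notifies:
        if not n["path"].lower().startswith(EXPECTED_NOTIFY_DIR):
            suspects.append({"clsid": None, "path": n["path"],
                             "reason": "Winlogon Notify DLL outside system32"})
    return suspects


def reg_script(clsids):
    """Build REGEDIT4 text in the shape of the thread's vundofix.reg: delete the
    BHO registration and the CLSID, then set the ActiveX kill bit (Compatibility
    Flags 0x400) so Internet Explorer refuses to load that CLSID again."""
    out = ["REGEDIT4", ""]
    for c in clsids:
        out += [
            r"[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s]" % c,
            "",
            r"[-HKEY_CLASSES_ROOT\CLSID\%s]" % c,
            "",
            r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\%s]" % c,
            '"Compatibility Flags"=dword:00000400',
            "",
        ]
    # A .reg file for regedit should be saved with CRLF line endings, e.g.
    # open("vundofix.reg", "w", newline="\r\n").write(reg_script(...)).
    return "\n".join(out)


if __name__ == "__main__":
    found = find_suspects(SAMPLE_LOG)
    for s in found:
        print("%s: %s" % (s["reason"], s["path"]))
    print(reg_script(sorted({s["clsid"] for s in found if s["clsid"]})))
```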

xokayxo
09-17-2005, 12:14 AM
I am currently running ewido on my computer (right now I'm using the other computer in the back office) and it's taken 22 minutes so far and it's only about 77% done!!!! ahhhhhh.... I've already collected 1 hr and 15 mins of overtime trying to cure this thing and at this rate I'll be here for another 30 mins. I can't say I wasn't forewarned, though. I guess I'm at least towards the end of the procedure you posted. Will update with a HijackThis log whenever it decides to come back to life and finish scanning!

xokayxo
09-17-2005, 12:24 AM
Brilliant. It's done. Check this out, blazee, and thank you sooooo much for your help! As of right now my computer is in fine condition. When I'm back here at work tomorrow I will make sure its status remains as such.


Logfile of HijackThis v1.99.1
Scan saved at 8:23:06 PM, on 9/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anchoragepress.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe /disabled
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O20 - Winlogon Notify: GoToMyPC - C:\WINDOWS\SYSTEM32\G2WinLogon.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Netnumberlpd - Unknown owner - C:\WINDOWS\system32\EXE2BIN.EXE

xokayxo
09-17-2005, 05:38 AM
im sorry, i just realized i totally jacked this thread!!!

blazee
09-17-2005, 09:16 AM
Your log looks clean. :thumbsup:

Did AdAware and Ewido find anything?


WinFixer is included in many 'free programs' or modified versions of free programs downloaded from untrusted sites or file sharing networks. There have been reports that some installations of Limewire and a modified but unauthorised release of Internet Explorer 7 Beta have had WinFixer inserted. As a general rule, during the installation of free software, take a moment or two to see if they mention other bundled programs.
Most quality free programs do not have a budget to advertise, so beware of ads that offer something for free. Normally they include some kind of adware/spyware.

Because it is often installed with other programs (some of which may appear to be legit, making it hard to identify the culprit) there is a chance that you may become infected again. If you have any more problems, let me know.

To lower your risk for new infections, please refer to my other post about which cleaners to use and what prevention steps to take.

After a day or two, if your system is good you will need to clear all the old "System Restore" points, because using one of the old restore points will also restore the infection. To clear your restore points:

- Right click "My Computer"
- Select "Properties"
- Click the "System Restore" tab
- Check the "Turn off System Restore on all drives" box
- Click apply
- Uncheck the "Turn off System Restore on all drives" box
- Click apply
- Click OK

xokayxo
09-17-2005, 05:48 PM
ewido found about 200 bad files.
ad-aware found 866 but only removed about 493.
i decided to stop using IE and start using firefox because ive heard so many good things about it and also because every time i tried to send an email with Hotmail i would get a message in the status bar saying "Error on page."
im not the kind of person to download random programs, especially at work, so i dont think that whatever is/was wrong was part of a bundle. anyway, if i do download a program from the internet that is questionable in any way i make sure (to the best of my ability) that it does not come with any bundled adware or other stuff.
firefox seems to be working just fine though. no popups, no winfixer!! if anything changes i will keep ya posted. thanks again :)

blazee
09-17-2005, 08:06 PM
You're welcome. You did a great job. You must be pretty knowledgeable with computers, it isn't very common for someone to get it right the first time.

With AdAware and Ewido finding that many things, it shows that you definitely need to step up your security a little.

Firefox is a good choice. I use it myself. Make sure that you check out the available extensions for firefox. They've got some awesome ones. AdBlock is great, I surf AF with no ads, plus it's faster because you don't have to wait for the ads to load. I've also heard good things about Opera, but I haven't tried it yet.

If you need anymore help, just let me know. And don't forget to clear your restore points.

xokayxo
09-17-2005, 09:44 PM
just scanned again with ewido and adaware and both found ZERO infections. yay!! i should do this on my computer at home. oh, and another question: if i have three separate password protected user profiles on my computer at home (running winXP) and i run these antivirus programs, will it scan EVERY file on EVERY profile? OR do i have to run them separately on each profile? i guess i could disable the passwords on each profile and that would scan every file on each profile, right?

and i guess i have two more questions.....
1) how did you know which files were the "bad" ones? i am so amazed by that!!
2) is there a way in firefox to make links that i click on open in a new TAB and not a new WINDOW? i cant seem to find it.

Rally Sport
09-17-2005, 10:32 PM
Beat up your brother.

I think this is easier and a more satisfying thing to do. :lol2:

blazee
09-18-2005, 04:14 PM
Just make sure that you run your scans from an Administrator account. The instructions that I gave you were for a specific infection, if you want to do your home computer, you will need to follow the instructions I gave in post 7 (I think). You can add the Ewido scan to the instructions if you'd like. The scans will be more effective if you show all hidden files and folders. From any XP window click tools > folder options...... > "view" tab > select "show hidden files and folders" > click "apply" > click "OK"


It takes a little experience to find the bad files. After doing it a while, you kinda learn what to look for. Vundo (it causes adware popups, including WinFixer) will always show up in O2 (BHO - Browser Helper Objects) and O20 entries (AppInit_DLLs). BHOs are plugins that are added to your browser, some are good, some are bad. The AppInit_DLLs registry value is a list of DLL files that are loaded when the system file user32.dll is loaded. Virtumundo creates a random file name, which most of the time appears to be legit, so it can't be identified by the file name, luckily the CLSID gives it away because it stays the same. Different variations of virtumundo have different CLSIDs and also require different methods of removal. Because of the O20 entry they can be a real pain in the ass to get rid of if not done correctly. Your version of vundo had the {827DC836-DD9F-4A68-A602-5812EB50A834} CLSID, and was removed by shutting it down, deleting the entries, changing the registry so that it wouldn't restart it, and then deleting the file itself.

For your firefox question..... Go to the firefox website and get the tabbed browsing extension and install it.
To change the way that links are opened:
Click "Tools" > Options... > Tabbed Browsing > Then choose your settings from the pull down menus, in this case choose to load links in "new tabs" and load external links in "new tabs" > click OK
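The point blazee makes above (a random file name tells you nothing, the CLSID and the O2/O20 section do) can be turned into a small triage script. This is an added example, not code from the thread or from HijackThis: it parses HijackThis-style "Onn - ..." lines, pulls out the CLSID and file path, and flags entries that carry the Vundo CLSID quoted in the post or that live in the O2/O20 sections. The sample log lines and the BHO file name are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CLSID blazee identifies as this Vundo/Virtumundo variant (quoted in the thread).
# Any further value added here would be an assumption; HijackThis logs may print
# CLSIDs in lower case, so everything is compared upper-cased.
KNOWN_BAD_CLSIDS = {"{827DC836-DD9F-4A68-A602-5812EB50A834}"}

# Sections the post says Vundo always appears in: BHOs (O2) and O20.
# In HijackThis, O20 covers both AppInit_DLLs and Winlogon Notify entries.
WATCH_REASON = {
    "O2": "BHO loaded by the browser; verify the DLL",
    "O20": "O20 entry (AppInit_DLLs or Winlogon Notify); verify the DLL",
}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:dll|exe)', re.IGNORECASE)

@dataclass
class Entry:
    section: str           # e.g. "O2", "O4", "O20"
    detail: str            # text after "Onn - "
    clsid: Optional[str]   # upper-cased CLSID if the line carries one
    path: Optional[str]    # first .dll/.exe path on the line, if any

def parse_log(text: str) -> List[Entry]:
    """Parse HijackThis-style lines; anything that is not an 'Onn - ' entry is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, detail = m.groups()
        c, p = CLSID_RE.search(detail), PATH_RE.search(detail)
        entries.append(Entry(section, detail,
                             c.group(0).upper() if c else None,
                             p.group(0) if p else None))
    return entries

def suspicious(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs: known-bad CLSID first, then watched sections."""
    hits = []
    for e in entries:
        if e.clsid in KNOWN_BAD_CLSIDS:
            hits.append((e, "known Vundo CLSID"))
        elif e.section in WATCH_REASON:
            hits.append((e, WATCH_REASON[e.section]))
    return hits

# Constructed sample: one fake BHO line using the thread's CLSID (file name made up),
# plus two lines taken from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {827dc836-dd9f-4a68-a602-5812eb50a834} - C:\WINDOWS\system32\example_bho.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

def scan(text: str) -> List[Tuple[Entry, str]]:
    return suspicious(parse_log(text))

if __name__ == "__main__":
    for entry, reason in scan(SAMPLE_LOG):
        print(f"{entry.section:4} {entry.path}  <- {reason}")
```

The O4 line is parsed but not flagged: the script only points at entries the post says deserve a closer look, it does not decide by itself that a file is malicious.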
