
January 11th, 2006 12:00

you have THREE (3) vundo trojans
 
download VirtumundoBeGone from:

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

* Save it to your Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated

please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.

just reboot if your system "jams"

*********************

make sure your system has rebooted!! this is a critical step in order to continue.

based on your particular configuration, this should have removed (only) TWO of the THREE vundo trojans. So you'll need to run VirtumundoBeGone a second time!!! this should remove the third trojan.

********************

It's now time to report back to us:

VirtumundoBeGone generated a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here, along with your latest HJT log.

January 11th, 2006 17:00

Logfile of HijackThis v1.99.1
Scan saved at 2:12:26 PM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\travis\Desktop\LimeWire\LimeWire.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkkji - C:\WINDOWS\system32\jkkji.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


January 11th, 2006 17:00

looks like you had some system changes between the time you generated your HJT log, and the time you ran VBG... 

VBG successfully removed TWO bad WinFixer/Vundo files... one of which was in your original HJT log, but the other one wasn't.

have you noticed any difference, in terms of WinFixer popups, warnings about trojan vundo/virtumundo, and/or overall system speed/performance?

Next, I'll help you with a non-critical "remnant" of vundo:

Run HiJackThis. click on DO A SYSTEM SCAN ONLY

Place a check-mark in the box in front of the line:

O20 - Winlogon Notify: jkkji - C:\WINDOWS\system32\jkkji.dll (file missing)

Note: If you have knowingly/intentionally removed WebRoot's SpySweeper, then you can also check the line O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Click on FIX CHECKED. Close HiJackThis. Reboot.

******************

it appears you're running Sun Java j2re1.4.2_03. there is much speculation that a "hole" in this particular version is being exploited by WinFixer. so we should upgrade to the latest version, 1.5.0_06 from http://www.java.com/en/download/manual.jsp
my personal preference is to download the MANUAL (OFFline) installation version (16 MB).  but if you prefer the online installation, that choice is yours.
 
AFTER you successfully install the new java, go to your control panel, ADD/REMOVE programs, and UNinstall all older versions of Java (if any) that still show up there.... especially the 1.4.2_03.
 
when you're done, REPLY here, and post an updated/revised HJT log.
 

At that point, I'm gonna try to ask someone else to step-in, to determine additional problems (if any) that you might have. Please be advised that we're very "understaffed" at the moment, so I can't make any guarantee as to when the next helper will arrive.

Good luck.

Message Edited by ky331 on 01-11-2006 03:00 PM
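The checks ky331 walks through above (orphaned O20 Winlogon Notify entries marked "(file missing)", unnamed BHOs, and the outdated j2re1.4.2_03 install) can be automated over an HJT log. The script below is an added example, not code from the thread or from HijackThis; the sample log is constructed from lines quoted in this thread, and the 1.5.0_06 threshold is the version the helper named.

```python
"""Triage a HijackThis v1.99 log for the remnants discussed in this thread.

Added example, not part of the original thread or of HijackThis itself.
It flags O20 Winlogon Notify entries whose DLL is reported missing, BHOs
that register with no name, and Java Runtime paths older than 1.5.0_06.
"""
import re

# Constructed sample: a handful of lines copied from the HJT logs in the thread.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkkji - C:\WINDOWS\system32\jkkji.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

RECOMMENDED_JAVA = (1, 5, 0, 6)  # 1.5.0_06, the version recommended in the thread

# Version token in Java install paths such as \Java\j2re1.4.2_03\ or \Java\jre1.5.0_06\
JAVA_PATH_RE = re.compile(r"\\Java\\(?:j2re|jre)(\d+)\.(\d+)\.(\d+)_(\d+)\\", re.IGNORECASE)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)( \(file missing\))?$")
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-F-]+\}) - (.+)$", re.IGNORECASE)


def java_version(line):
    """Return (major, minor, patch, update) for a Java install path in the line, or None."""
    m = JAVA_PATH_RE.search(line)
    return tuple(int(x) for x in m.groups()) if m else None


def triage(log_text):
    """Return a list of (section, finding, raw_line) tuples worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O20_RE.match(line)
        if m:
            name, dll, missing = m.groups()
            if missing:
                # A Winlogon Notify registration whose DLL no longer exists is a dead
                # entry (the Vundo leftover in the thread); HJT's "Fix checked" removes it.
                findings.append(("O20", f"orphaned Winlogon Notify '{name}' -> {dll}", line))
            continue
        m = O2_RE.match(line)
        if m and m.group(1) == "(no name)":
            # A BHO that hides its name deserves a look at the DLL it loads.
            findings.append(("O2", f"unnamed BHO {m.group(2)} loading {m.group(3)}", line))
            continue
        ver = java_version(line)
        if ver and ver < RECOMMENDED_JAVA:
            findings.append(("Java", "outdated JRE %d.%d.%d_%02d" % ver, line))
    return findings


if __name__ == "__main__":
    for section, what, raw in triage(SAMPLE_HJT_LOG):
        print(f"[{section}] {what}\n    {raw}")
```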

January 11th, 2006 17:00

[01/11/2006, 11:04:55] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\josh\Desktop\VirtumundoBeGone.exe" )
[01/11/2006, 11:05:02] - Detected System Information:
[01/11/2006, 11:05:02] -  Windows Version: 5.1.2600, Service Pack 2
[01/11/2006, 11:05:02] -  Current Username: josh (Admin)
[01/11/2006, 11:05:02] -  Windows is in NORMAL mode.
[01/11/2006, 11:05:02] - Searching for Browser Helper Objects:
[01/11/2006, 11:05:02] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[01/11/2006, 11:05:02] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/11/2006, 11:05:02] -  BHO 3: {2353FCBC-012D-487B-8BF3-865C0929FBEB} (ATLDistrib Object)
[01/11/2006, 11:05:02] - ALERT: Found ATLDistrib Object!
[01/11/2006, 11:05:02] -  BHO 4: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[01/11/2006, 11:05:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/11/2006, 11:05:02] -  Checking for HKLM\...\Winlogon\Notify\deSrcAs
[01/11/2006, 11:05:02] -  Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[01/11/2006, 11:05:02] -  BHO 5: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[01/11/2006, 11:05:02] -  BHO 6: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[01/11/2006, 11:05:02] - Finished Searching Browser Helper Objects
[01/11/2006, 11:05:02] - *** Detected ATLDistrib Object
[01/11/2006, 11:05:02] - Trying to remove ATLDistrib Object...
[01/11/2006, 11:05:03] -    Terminating Process: IEXPLORE.EXE
[01/11/2006, 11:05:03] -    Terminating Process: RUNDLL32.EXE
[01/11/2006, 11:05:03] -    Disabling Automatic Shell Restart
[01/11/2006, 11:05:03] -    Terminating Process: EXPLORER.EXE
[01/11/2006, 11:05:04] -    Suspending the NT Session Manager System Service
[01/11/2006, 11:05:04] -    Terminating Windows NT Logon/Logoff Manager
[01/11/2006, 11:05:04] -    Re-enabling Automatic Shell Restart
[01/11/2006, 11:05:04] -   File to disable: C:\WINDOWS\system32\ssttt.dll
[01/11/2006, 11:05:04] -  Renaming C:\WINDOWS\system32\ssttt.dll -> C:\WINDOWS\system32\ssttt.dll.vir
[01/11/2006, 11:05:04] -  File successfully renamed!
[01/11/2006, 11:05:04] -   Removing HKLM\...\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
[01/11/2006, 11:05:04] -   Removing HKCR\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
[01/11/2006, 11:05:04] -   Adding Kill Bit for ActiveX for GUID: {2353FCBC-012D-487B-8BF3-865C0929FBEB}
[01/11/2006, 11:05:04] -   Deleting ATLEvents/MSEvents Registry entries
[01/11/2006, 11:05:04] -   Removing HKLM\...\Winlogon\Notify\ssttt
[01/11/2006, 11:05:04] - Searching for Browser Helper Objects:
[01/11/2006, 11:05:04] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[01/11/2006, 11:05:04] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/11/2006, 11:05:04] -  BHO 3: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[01/11/2006, 11:05:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/11/2006, 11:05:04] -  Checking for HKLM\...\Winlogon\Notify\deSrcAs
[01/11/2006, 11:05:04] -  Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[01/11/2006, 11:05:04] -  BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[01/11/2006, 11:05:04] -  BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[01/11/2006, 11:05:04] - Finished Searching Browser Helper Objects
[01/11/2006, 11:05:04] - Finishing up...
[01/11/2006, 11:05:04] - A restart is needed.
[01/11/2006, 11:05:04] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[01/11/2006, 11:05:15] - Attempting to Restart via STOP error (Blue Screen!)
[01/11/2006, 11:21:44] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\josh\Desktop\VirtumundoBeGone.exe" )
[01/11/2006, 11:21:47] - Detected System Information:
[01/11/2006, 11:21:47] -  Windows Version: 5.1.2600, Service Pack 2
[01/11/2006, 11:21:47] -  Current Username: josh (Admin)
[01/11/2006, 11:21:47] -  Windows is in NORMAL mode.
[01/11/2006, 11:21:47] - Searching for Browser Helper Objects:
[01/11/2006, 11:21:47] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[01/11/2006, 11:21:47] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/11/2006, 11:21:47] -  BHO 3: {2353FCBC-012D-487B-8BF3-865C0929FBEB} (ATLDistrib Object)
[01/11/2006, 11:21:47] - ALERT: Found ATLDistrib Object!
[01/11/2006, 11:21:47] -  BHO 4: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[01/11/2006, 11:21:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/11/2006, 11:21:47] -  Checking for HKLM\...\Winlogon\Notify\deSrcAs
[01/11/2006, 11:21:47] -  Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[01/11/2006, 11:21:47] -  BHO 5: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[01/11/2006, 11:21:47] -  BHO 6: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[01/11/2006, 11:21:47] - Finished Searching Browser Helper Objects
[01/11/2006, 11:21:47] - *** Detected ATLDistrib Object
[01/11/2006, 11:21:47] - Trying to remove ATLDistrib Object...
[01/11/2006, 11:21:48] -    Terminating Process: IEXPLORE.EXE
[01/11/2006, 11:21:48] -    Terminating Process: RUNDLL32.EXE
[01/11/2006, 11:21:48] -    Disabling Automatic Shell Restart
[01/11/2006, 11:21:48] -    Terminating Process: EXPLORER.EXE
[01/11/2006, 11:21:48] -    Suspending the NT Session Manager System Service
[01/11/2006, 11:21:48] -    Terminating Windows NT Logon/Logoff Manager
[01/11/2006, 11:21:49] -    Re-enabling Automatic Shell Restart
[01/11/2006, 11:21:49] -   File to disable: C:\WINDOWS\system32\awtqo.dll
[01/11/2006, 11:21:49] -  Renaming C:\WINDOWS\system32\awtqo.dll -> C:\WINDOWS\system32\awtqo.dll.vir
[01/11/2006, 11:21:49] -  File successfully renamed!
[01/11/2006, 11:21:49] -   Removing HKLM\...\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
[01/11/2006, 11:21:49] -   Removing HKCR\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
[01/11/2006, 11:21:49] -   Adding Kill Bit for ActiveX for GUID: {2353FCBC-012D-487B-8BF3-865C0929FBEB}
[01/11/2006, 11:21:49] -   Deleting ATLEvents/MSEvents Registry entries
[01/11/2006, 11:21:49] -   Removing HKLM\...\Winlogon\Notify\awtqo
[01/11/2006, 11:21:49] - Searching for Browser Helper Objects:
[01/11/2006, 11:21:49] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[01/11/2006, 11:21:49] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/11/2006, 11:21:49] -  BHO 3: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[01/11/2006, 11:21:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/11/2006, 11:21:49] -  Checking for HKLM\...\Winlogon\Notify\deSrcAs
[01/11/2006, 11:21:49] -  Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[01/11/2006, 11:21:49] -  BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[01/11/2006, 11:21:49] -  BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[01/11/2006, 11:21:49] - Finished Searching Browser Helper Objects
[01/11/2006, 11:21:49] - Finishing up...
[01/11/2006, 11:21:49] - A restart is needed.
[01/11/2006, 11:21:49] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[01/11/2006, 11:21:50] - Attempting to Restart via STOP error (Blue Screen!)
[01/11/2006, 11:24:35] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\josh\Desktop\VirtumundoBeGone.exe" )
[01/11/2006, 11:24:37] - Detected System Information:
[01/11/2006, 11:24:37] -  Windows Version: 5.1.2600, Service Pack 2
[01/11/2006, 11:24:37] -  Current Username: josh (Admin)
[01/11/2006, 11:24:37] -  Windows is in NORMAL mode.
[01/11/2006, 11:24:37] - Searching for Browser Helper Objects:
[01/11/2006, 11:24:37] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[01/11/2006, 11:24:37] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/11/2006, 11:24:37] -  BHO 3: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[01/11/2006, 11:24:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/11/2006, 11:24:37] -  Checking for HKLM\...\Winlogon\Notify\deSrcAs
[01/11/2006, 11:24:37] -  Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[01/11/2006, 11:24:37] -  BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[01/11/2006, 11:24:37] -  BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[01/11/2006, 11:24:37] - Finished Searching Browser Helper Objects
[01/11/2006, 11:24:37] - Finishing up...
[01/11/2006, 11:24:37] - Nothing found! Exiting...


January 11th, 2006 18:00

After you remove the file missing entries the log will be clean. Unless you have other issues I think we are done.

Ron

A Few Recommendations:


Make sure you have System Restore running (toggle it off and On today to get rid of any bad stuff it may have retained)
and then you can just go back to an earlier time if you hit a bad site.

http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx

One way to make an infection more obvious is to check everything in your current HijackThis and Add to Ignore List then set up Hijackthis to run at boot and to show you if it finds anything new.

 
To avoid going to a bad site you might want to install IE-SpyAd and SpywareBlaster and make the other changes recommended at:
http://www.mvps.org/winhelp2002/restricted.htm
I used to recommend Spybot's Immunize system but have recently learned it is not as good as the one at:
http://www.mvps.org/winhelp2002/hosts.htm

Always run a firewall.  The one in XP SP2 is pretty good tho I think the free one from Zone Alarm is better.

http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads

Turn on Autoupdates so you always get the latest patches from Windows.

Never hurts to do one of the free on line scans from Panda or Trend.  They take a while but are pretty good.
www.pandasoftware.com/activescan/activescan.asp?
http://housecall.trendmicro.com/
In addition to Microsoft AntiSpy
http://www.microsoft.com/athome/security/downloads/default.mspx
I like to run Spybot S&D. 
http://www.safer-networking.org/en/download/index.html
Also like to run AdAware once in a while. 
http://www.lavasoftusa.com/software/adaware/

Get the latest version of
Java:
http://www.java.com/en/download/windows_automatic.jsp

Make sure you have removed any older versions of Java or JRE with Control Panel, Add/Remove Programs. Updates do not remove the older versions which have exploitable flaws.

If you are not running the latest version of Adobe you should consider updating.  There are reports of a loophole for hackers in pre 7.03 versions.
As an alternative you can dump adobe completely and use fox-it instead:
http://www.foxitsoftware.com/pdf/rd_intro.php

January 11th, 2006 19:00

Logfile of HijackThis v1.99.1
Scan saved at 4:04:32 PM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\travis\Desktop\LimeWire\LimeWire.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


January 11th, 2006 22:00

Looks good.
Ron

January 11th, 2006 23:00

I'd like to thank everyone who helped me, I really appreciate it. Thanks again.