3 Apprentice


15.6K Posts

November 17th, 2005 12:00

First, your version of HJT v1.98.0 is VERY OLD; please be sure to update to the latest version 1.99.1 from a site such as http://majorgeeks.com/download3155.html
(I'm taking for granted you know how to unzip and run it)
 
****************

Download [but do *NOT* yet run] FixVundo from

http://securityresponse.symantec.com/avcenter/FixVundo.exe

[we'll have you run it later]

Note: If you have previously downloaded this file on another occasion, please download it again, to be absolutely sure you have the most current version.

********************

Next, download VirtumundoBeGone from:

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

* Save it to your Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated

please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.

just reboot if your system "jams"

*********************

After rebooting, it's now time to run FixVundo (which you had downloaded earlier).

Make sure all other programs, including your Internet Browser, are closed.

Double-click the FixVundo.exe file to start the removal tool.

Click Start to begin the process, and then allow this tool to run.

Important: Do not launch any new applications while the tool is running!

Reboot your computer.

Run the FixVundo removal tool again to ensure that the system is clean.

*********************

It's now time to report back to us:

VirtumundoBeGone generated a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here, along with your latest HJT log (version 1.99.1, please!).

 

2 Posts

November 23rd, 2005 16:00

Hi,

I tried to download HijackThis 1.99.1 but no matter where I download it from McAfee deletes it saying it is infected with w32/generic.worm!p2p. Let me know if there is a way around this. In the meantime here are my VirtumundoBeGone log and my HijackThis 1.98 log. Thanks for your help!

[11/23/2005, 13:01:04] - Starting Process...
[11/23/2005, 13:01:04] - Looking for Browser Helper Object [MSEvents Object]
[11/23/2005, 13:01:04] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/23/2005, 13:01:04] - 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - PCTools Site Guard
[11/23/2005, 13:01:04] - 3: {5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess
[11/23/2005, 13:01:04] - 4: {B313D637-F405-4052-AC37-E2119AB3C8F8} - MSEvents Object
[11/23/2005, 13:01:04] - Found MSEvents Object!
[11/23/2005, 13:01:04] - File location: C:\WINDOWS\system32\ssttu.dll
[11/23/2005, 13:01:04] - Attempting to kill C:\WINDOWS\system32\ssttu.dll
[11/23/2005, 13:01:04] - Terminating Process: RUNDLL32.EXE
[11/23/2005, 13:01:05] - Terminating Process: IEXPLORE.EXE
[11/23/2005, 13:01:05] - Disabling Automatic Shell Restart
[11/23/2005, 13:01:05] - Terminating Process: EXPLORER.EXE
[11/23/2005, 13:01:06] - Suspending the NT Session Manager System Service
[11/23/2005, 13:01:06] - Terminating Windows NT Logon/Logoff Manager
[11/23/2005, 13:01:07] - Re-enabling Automatic Shell Restart
[11/23/2005, 13:01:07] - Renaming C:\WINDOWS\system32\ssttu.dll -> C:\WINDOWS\system32\ssttu.dll.vir
[11/23/2005, 13:01:07] - File successfully renamed!
[11/23/2005, 13:01:07] - Removing Registry references to {B313D637-F405-4052-AC37-E2119AB3C8F8}
[11/23/2005, 13:01:07] - Adding Internet Explorer Protection (Kill ActiveX) for {B313D637-F405-4052-AC37-E2119AB3C8F8}
[11/23/2005, 13:01:07] - Removing Winlogon Notify Entry: ssttu
[11/23/2005, 13:01:07] - BHO list has been changed! Starting over...
[11/23/2005, 13:01:07] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/23/2005, 13:01:07] - 2: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - PCTools Site Guard
[11/23/2005, 13:01:07] - 3: {5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess
[11/23/2005, 13:01:07] - 4: {B56A7D7D-6927-48C8-A975-17DF180C71AC} - PCTools Browser Monitor
[11/23/2005, 13:01:07] - Finished searching for [MSEvents Object]
[11/23/2005, 13:01:07] - Finishing up...
[11/23/2005, 13:01:07] - Enabling Automatic Reboot on STOP Error.
[11/23/2005, 13:01:07] - Attempting to Restart via STOP error (Blue Screen!)

 

Logfile of HijackThis v1.98.0
Scan saved at 1:48:29 PM, on 11/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
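An added check, not part of this thread, that cross-reads the two logs just posted: it pulls the CLSID that VirtumundoBeGone unregistered and the DLL it renamed, then confirms that the HijackThis log taken afterwards no longer lists that CLSID as an O2 BHO or references the file. The sample lines are copied from the logs above; the function names are my own.

```python
import re

# Constructed sample: lines copied from the VirtumundoBeGone log posted above.
VBG_LOG = r"""
[11/23/2005, 13:01:07] - Renaming C:\WINDOWS\system32\ssttu.dll -> C:\WINDOWS\system32\ssttu.dll.vir
[11/23/2005, 13:01:07] - Removing Registry references to {B313D637-F405-4052-AC37-E2119AB3C8F8}
"""
# Constructed sample: the O2 (BHO) lines from the follow-up HijackThis 1.98.0 log above.
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>%s) - (?P<path>.*)$" % CLSID)
REMOVED_RE = re.compile(r"Removing Registry references to (?P<clsid>%s)" % CLSID)
RENAMED_RE = re.compile(r"Renaming (?P<old>.+?) -> (?P<new>.+)$")

def parse_bhos(hjt_text):
    """Map CLSID -> (name, dll path) for every O2 line of a HijackThis log."""
    bhos = {}
    for line in hjt_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            bhos[m["clsid"].upper()] = (m["name"], m["path"])
    return bhos

def parse_vbg_actions(vbg_text):
    """Collect the CLSIDs VirtumundoBeGone unregistered and the files it renamed."""
    removed, renamed = set(), set()
    for line in vbg_text.splitlines():
        if m := REMOVED_RE.search(line):
            removed.add(m["clsid"].upper())
        if m := RENAMED_RE.search(line):
            renamed.add(m["old"].lower())
    return removed, renamed

def verify_cleanup(vbg_text, hjt_text):
    """Cross-check the logs: nothing VirtumundoBeGone neutralised may reappear in the later HJT log."""
    removed, renamed = parse_vbg_actions(vbg_text)
    bhos, findings = parse_bhos(hjt_text), []
    for clsid in sorted(removed):
        if clsid in bhos:  # the BHO was re-registered (or never removed)
            findings.append("BHO %s (%s) still loads from %s" % (clsid, *bhos[clsid]))
    for path in sorted(renamed):
        if path in hjt_text.lower():  # the .dll is still referenced somewhere
            findings.append("renamed file %s is still referenced" % path)
    return findings
```

For these two logs verify_cleanup returns an empty list; a non-empty list would mean the neutralised BHO or its DLL is back and the machine is not clean.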


 

 

3 Apprentice


15.6K Posts

November 23rd, 2005 17:00

I know there have been SEVERAL occasions in the past when McAfee (or some other anti-virus program) picked up on HijackThis as containing a virus. In all such cases, it was a "false positive".

Have you tried updating your McAfee definition/signature [or whatever else they call it] files? 

By the way, there's no point to downloading HJT from several different sites... if McAfee generates a false positive at one site, it will do so at all sites.

I'm gonna be calling in someone else, to see if they can offer an alternative suggestion.

*******************

Nice work. Looks like VirtumundoBeGone successfully deactivated the bad WinFixer file. Have you noticed any difference, in terms of WinFixer popups, and overall system speed/performance?

At this point, I'm gonna try to ask someone else to step-in, to determine additional problems (if any) that you might have. Please be advised that we're very "understaffed" at the moment, so I can't make any guarantee as to when (or even if) the next helper will arrive.

Good luck.

2 Intern


5.9K Posts

November 24th, 2005 00:00

The log looks OK and I don't see any processes running so I guess it is clean.

Obviously a false positive from McAfee.

Ron

Make sure you have System Restore running (toggle it off and on today to get rid of any bad stuff it may have retained) and then you can just go back to an earlier time if you hit a bad site.
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx

One way to make this more obvious is to check everything in your current HijackThis and Add to Ignore List, then set up HijackThis to run at boot and to show you if it finds anything new. Then you can google on the .dll or .exe file in the entry and decide if you want to keep it.
To avoid going to a bad site you might want to install IE-SpyAd and SpywareBlaster and make the other changes recommended at:
http://www.mvps.org/winhelp2002/restricted.htm
I used to recommend Spybot's Immunize system but have recently learned it is not as good as the one at:
http://www.mvps.org/winhelp2002/hosts.htm
Never hurts to do one of the free online scans from Panda or Trend. They take a while but are pretty good.
www.pandasoftware.com/activescan/activescan.asp?
http://housecall.trendmicro.com/
In addition to Microsoft AntiSpy
http://www.microsoft.com/athome/security/downloads/default.mspx I like to run Spybot S&D.
http://www.safer-networking.org/en/download/index.html
Also like to run the free version of AdAware once in a while.
http://www.lavasoftusa.com/software/adaware/