RKinner (2 Intern, 5.9K Posts)
September 4th, 2005 02:00
Unfortunately you can't just check them and Fix Checked.
O20 - Winlogon Notify: bakras - C:\WINNT\$N26CA~1\bakras.dll
O20 - Winlogon Notify: oleinfo - C:\WINNT\AppPatch\oleinfo.dll
I have three possible fixes:
http://tinyurl.com/72khc (See Rawe's procedure in Post#2)
The first is perhaps the easiest but I'm not sure how well it works. Since I was told about it I have recommended it twice and never heard from them again. This might be a bad sign.
The second is very complex but is pretty certain to succeed and I presume it is safe. Haven't used it but usually bleepingcomputer is very good.
The third is the standard procedure I have been using. It has worked about 8 times with no problems but 1 user reported he had to reload Windows after use, another had some odd problems and one said it didn't do anything.
The text file with it says you have to have internet access when you run it. It might work better in Safe Mode with Networking.
Make sure before you do anything that your System Restore is working and that you have a recent Restore Point. That way if something goes wrong you have a chance to recover.
gigglingtravell (7 Posts)
September 4th, 2005 15:00
gigglingtravell (7 Posts)
September 5th, 2005 11:00
Never did a system restore. Don't have XP. Tried the first fix from symantec and got "Trojan.Vundo has not been found on your computer."
Will try the next fix.
Laura
RKinner (2 Intern, 5.9K Posts)
September 5th, 2005 11:00
Sorry I didn't catch the Win2K the first time. Of course you have no System Restore. The equivalent is an Emergency Recovery Disk with a full backup of the registry. If you look in the Help you will find out how to do that. Unfortunately it does require a Win2K CD to use it to recover your system.
Since I replied to your post I have had several reports that option 1 does not work (doesn't hurt anything just doesn't find the bug) so you can forget that option. Options 2 or 3 should still work OK with Win2K.
Ron
gigglingtravell (7 Posts)
September 5th, 2005 15:00
Thanks Ron,
I tried option 3 (http://tinyurl.com/72khc). Also ran "cleanup".
I still see two things that you originally pointed out in my HJT.
O20 - Winlogon Notify: bakras - C:\WINNT\$N26CA~1\bakras.dll
O20 - Winlogon Notify: oleinfo - C:\WINNT\AppPatch\oleinfo.dll
Does that mean that I still have the virus? Haven't had a pop-up in a while, but still too early to tell.
Below is the HJT. Thanks very much.
Laura
Logfile of HijackThis v1.99.1
Scan saved at 12:22:16 PM, on 9/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\Bin\iPodSrv.exe
C:\WINNT\System32\llssrv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\iPod\Bin\iPodWatcher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINNT\system32\internat.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Handspring\HotSync.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\$N26CA~1\bakras.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [iPodWatcher] C:\Program Files\iPod\Bin\iPodWatcher.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HotSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4362/mcfscan.cab
O20 - Winlogon Notify: bakras - C:\WINNT\$N26CA~1\bakras.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: oleinfo - C:\WINNT\AppPatch\oleinfo.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPodSrv - Unknown owner - C:\Program Files\iPod\Bin\iPodSrv.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
gigglingtravell (7 Posts)
September 5th, 2005 16:00
gigglingtravell (7 Posts)
September 5th, 2005 21:00
I definitely still have the winfixer trojan after trying 1 and 3. Will try your second suggestion.
Thanks.
Laura
RKinner (2 Intern, 5.9K Posts)
September 5th, 2005 21:00
Doesn't hurt to check them, just usually it doesn't do any good. When you run option 3 it should have brought up HijackThis and asked you to check the bad entries, then it should go to a blue screen. I have had reports that the button that takes you to this step hides at the bottom of the page and is easy to overlook. You may have to scroll down to see it. Sometimes it takes several tries before it really works. If you can't get it to work then try the bleepingcomputer link. I have had reports that the link sometimes doesn't work because it wraps in the post, so you can get there with:
gigglingtravell (7 Posts)
September 6th, 2005 00:00
Hi Ron,
I think I got it this time with #3. What I didn't realize until I had read the text from bleeping is that the dll filenames are all different. #3 just says to click the abr.dll, and I didn't have that. Needless to say, NOW I understand, and clicked the proper files in HijackThis while running #3, and it appears to have worked.
Thanks very much for your patience with me.
One question - how did I get the trojan in the first place?
Thanks again.
Laura
RKinner (2 Intern, 5.9K Posts)
September 6th, 2005 02:00
Visited a bad site, clicked on a popup, opened a bad email attachment, something like that.
One way to make this more obvious is to check everything in your current HijackThis and Add to Ignore List, then set up HijackThis to run at boot and to show you if it finds anything new.
To avoid going to a bad site you might want to install IE-SpyAd and SpywareBlaster and make the other changes recommended at:
http://www.mvps.org/winhelp2002/restricted.htm
I used to recommend Spybot's Immunize system but have recently learned it is not as good as the one at:
http://www.mvps.org/winhelp2002/hosts.htm
http://www.pandasoftware.com/activescan/activescan.asp?
http://housecall.trendmicro.com/
In addition to Microsoft AntiSpy
http://www.microsoft.com/athome/security/downloads/default.mspx I like to run Spybot S&D.
http://www.safer-networking.org/en/download/index.html
Also like to run AdAware once in a while.
http://www.lavasoftusa.com/software/adaware/
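The two O20 lines Ron keeps pointing at are the crux of this thread, and the thread's own advice (baseline HijackThis with the Ignore List, then look only at what is new) is worth automating. The script below is an added example, not part of the forum posts or of HijackThis itself: it parses the HijackThis v1.99 line format shown in Laura's log, diffs a scan against a saved baseline, and flags Winlogon Notify DLLs that don't look like OS components. The "current" lines are copied from the log above; the baseline is a constructed, assumed-clean earlier scan of the same machine. The heuristics encode what made bakras.dll and oleinfo.dll stand out: a Notify DLL living outside system32, a directory hidden behind an 8.3 short name such as $N26CA~1, and the same DLL also registered as an O2 BHO. An O20 DLL is loaded into winlogon.exe at every logon, which is why simply checking the entry in HijackThis and using Fix Checked does not get rid of it: the registry value goes but the loaded file stays and is put back. Python 3.9 or later is assumed.

```python
"""Triage a HijackThis (v1.99-style) log: diff it against a saved baseline and
flag O20 Winlogon Notify DLLs that do not look like OS components.

Added example for this thread; not part of HijackThis or of the forum posts.
BASELINE_LOG is constructed (assumed to be an earlier, clean scan of the same
machine); the CURRENT_LOG lines are copied from the log posted in the thread.
"""
import re
from dataclasses import dataclass

BASELINE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
"""

CURRENT_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\$N26CA~1\bakras.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O20 - Winlogon Notify: bakras - C:\WINNT\$N26CA~1\bakras.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: oleinfo - C:\WINNT\AppPatch\oleinfo.dll
"""

# "O20 - Winlogon Notify: bakras - C:\..." -> code "O20", body after the " - "
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First Windows path ending in a loadable module. Non-greedy, so trailing
# arguments ("-atboottime") or res:// suffixes are not swallowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    code: str   # HijackThis section, e.g. "O20"
    body: str   # text after "O20 - "
    path: str   # module path found in the body, or "" if none


def parse_hjt(text: str) -> list[Entry]:
    """Parse the Rn/Fn/Nn/On lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        pm = PATH_RE.search(body)
        entries.append(Entry(code, body, pm.group(0) if pm else ""))
    return entries


def new_entries(baseline: list[Entry], current: list[Entry]) -> list[Entry]:
    """Entries in the current scan that were not in the baseline: the
    'Add to Ignore List, then look only at anything new' idea from the thread."""
    seen = {(e.code, e.body.lower()) for e in baseline}
    return [e for e in current if (e.code, e.body.lower()) not in seen]


def o20_findings(entries: list[Entry]) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for Winlogon Notify DLLs that look planted.

    Legitimate Notify packages ship in the system32 directory under readable
    names; Vundo-style loaders live elsewhere (an 8.3 short-named directory,
    AppPatch) and often double as a BHO so the same DLL also runs inside IE.
    """
    bho_paths = {e.path.lower() for e in entries if e.code == "O2" and e.path}
    findings = []
    for e in entries:
        if e.code != "O20" or not e.path:
            continue
        parts = e.path.lower().split("\\")
        parent = parts[-2] if len(parts) >= 2 else ""
        reasons = []
        if parent != "system32":
            reasons.append(f"DLL loaded from {parent!r}, not system32")
        if "~" in parent:
            reasons.append("directory is an 8.3 short name (real name hidden)")
        if e.path.lower() in bho_paths:
            reasons.append("same DLL is also registered as an O2 BHO")
        if reasons:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    base, cur = parse_hjt(BASELINE_LOG), parse_hjt(CURRENT_LOG)
    print("New since baseline:")
    for e in new_entries(base, cur):
        print(f"  {e.code} - {e.body}")
    print("Suspicious Winlogon Notify DLLs:")
    for path, reasons in o20_findings(cur):
        print(f"  {path}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the log in this thread it reports three new entries (the MSEvents BHO and the two Notify DLLs) and flags bakras.dll on all three counts and oleinfo.dll on one, while leaving nwprovau.dll, the NetWare provider in system32, alone. The path heuristics are a triage aid, not a verdict: a DLL in system32 can still be malicious, and the point of keeping a baseline is that anything new gets looked at regardless of where it lives.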