my personal preference is to download the MANUAL (OFFline) installation version (16 MB). but if you prefer the online installation, that choice is yours.
AFTER you successfully install the new java, go to your control panel, ADD/REMOVE programs, and UNinstall all older versions of Sun Java (if any) that still show up there.... especially the 1.4.2_03.
Additionally, please verify that the Sun version has been activated (and the microsoft version DE-activated....) I believe you can do so in internet explorer by clicking on TOOLS, Internet Options, Advanced; make sure that Java (Sun) Use JRE 1.5.0_06 for (applet) is checked, and that any reference to Microsoft's Java Virtual Machine is[/are] UNchecked.
when you're done, REPLY here, and post an updated/revised HJT log.
ky331 (3 Apprentice, 15.6K Posts), January 3rd, 2006 11:00
for MorWilSearch:
close your internet browser
Run HJT. click on DO A SYSTEM SCAN ONLY
Place a check-mark in the box in front of the line:
O2 - BHO: (no name) - {b8e59336-6da3-4084-b4a0-fbc4bfdf1f36} - C:\WINDOWS\system32\litwfmeh.dll
Click on FIX CHECKED. Close HJT. Reboot.
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
* Save it to your Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated
please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.
just reboot if your system "jams"
*********************
It's now time to report back to us: VirtumundoBeGone generated a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here, along with your latest HJT log.
please be sure to let me know what changes (if any) you've noticed, and what problems (if any) you still have.
mkksteele (2 Posts), January 3rd, 2006 18:00
[01/03/2006, 14:14:10] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\KURT STEELE\Desktop\VirtumundoBeGone.exe" )
[01/03/2006, 14:14:19] - Detected System Information:
[01/03/2006, 14:14:19] - Windows Version: 5.1.2600, Service Pack 2
[01/03/2006, 14:14:19] - Current Username: KURT STEELE (Admin)
[01/03/2006, 14:14:19] - Windows is in NORMAL mode.
[01/03/2006, 14:14:19] - Searching for Browser Helper Objects:
[01/03/2006, 14:14:19] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/03/2006, 14:14:19] - BHO 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[01/03/2006, 14:14:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/03/2006, 14:14:19] - Checking for HKLM\...\Winlogon\Notify\deSrcAs
[01/03/2006, 14:14:19] - Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[01/03/2006, 14:14:19] - BHO 3: {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} (Big Fish Games Toolbar)
[01/03/2006, 14:14:19] - BHO 4: {52706EF7-D7A2-49AD-A615-E903858CF284} (X1IEHook Class)
[01/03/2006, 14:14:19] - BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[01/03/2006, 14:14:19] - BHO 6: {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} (MSEvents Object)
[01/03/2006, 14:14:19] - ALERT: Found MSEvents Object!
[01/03/2006, 14:14:19] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/03/2006, 14:14:19] - Finished Searching Browser Helper Objects
[01/03/2006, 14:14:19] - *** Detected MSEvents Object
[01/03/2006, 14:14:19] - Trying to remove MSEvents Object...
[01/03/2006, 14:14:20] - Terminating Process: IEXPLORE.EXE
[01/03/2006, 14:14:20] - Terminating Process: RUNDLL32.EXE
[01/03/2006, 14:14:20] - Disabling Automatic Shell Restart
[01/03/2006, 14:14:20] - Terminating Process: EXPLORER.EXE
[01/03/2006, 14:14:20] - Suspending the NT Session Manager System Service
[01/03/2006, 14:14:20] - Terminating Windows NT Logon/Logoff Manager
[01/03/2006, 14:14:21] - Re-enabling Automatic Shell Restart
[01/03/2006, 14:14:21] - File to disable: C:\WINDOWS\system32\jkhhf.dll
[01/03/2006, 14:14:21] - Renaming C:\WINDOWS\system32\jkhhf.dll -> C:\WINDOWS\system32\jkhhf.dll.vir
[01/03/2006, 14:14:21] - File successfully renamed!
[01/03/2006, 14:14:21] - Removing HKLM\...\Browser Helper Objects\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}
[01/03/2006, 14:14:21] - Removing HKCR\CLSID\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}
[01/03/2006, 14:14:21] - Adding Kill Bit for ActiveX for GUID: {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}
[01/03/2006, 14:14:21] - Deleting ATLEvents/MSEvents Registry entries
[01/03/2006, 14:14:21] - Removing HKLM\...\Winlogon\Notify\jkhhf
[01/03/2006, 14:14:21] - Searching for Browser Helper Objects:
[01/03/2006, 14:14:21] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/03/2006, 14:14:21] - BHO 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} ()
[01/03/2006, 14:14:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/03/2006, 14:14:21] - Checking for HKLM\...\Winlogon\Notify\deSrcAs
[01/03/2006, 14:14:21] - Key not found: HKLM\...\Winlogon\Notify\deSrcAs, continuing.
[01/03/2006, 14:14:21] - BHO 3: {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} (Big Fish Games Toolbar)
[01/03/2006, 14:14:21] - BHO 4: {52706EF7-D7A2-49AD-A615-E903858CF284} (X1IEHook Class)
[01/03/2006, 14:14:21] - BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[01/03/2006, 14:14:21] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/03/2006, 14:14:21] - Finished Searching Browser Helper Objects
[01/03/2006, 14:14:21] - Finishing up...
[01/03/2006, 14:14:21] - A restart is needed.
[01/03/2006, 14:14:21] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[01/03/2006, 14:14:31] - Attempting to Restart via STOP error (Blue Screen!)
Logfile of HijackThis v1.99.1
Scan saved at 2:20:09 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://onlinedesigner.hgtv.com/images/app/view22rte.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4661/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
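The VirtumundoBeGone log above shows the checks it applies to each Browser Helper Object: a known Vundo name such as "MSEvents Object" is an alert, and an unnamed BHO is cross-checked against HKLM\...\Winlogon\Notify for a subkey matching its DLL name. As an added example (not a tool from this thread, and not the same code VirtumundoBeGone runs), the script below applies those checks to the O2/O20 lines of a HijackThis log; the sample lines are constructed from the posted logs, the pre-removal jkhhf.dll entries are reconstructed from the VirtumundoBeGone output, and the "REVIEW" tier for unnamed BHOs under system32 (the MorWilSearch line fixed by hand earlier in the thread) is this example's own assumption.

```python
import re
from collections import namedtuple
# Constructed sample: O2/O20 lines as HijackThis v1.99.1 could have shown them
# BEFORE VirtumundoBeGone ran. The jkhhf.dll lines are reconstructed from the
# VirtumundoBeGone log in the thread; the others are copied from the posted logs.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\jkhhf.dll
O2 - BHO: (no name) - {b8e59336-6da3-4084-b4a0-fbc4bfdf1f36} - C:\WINDOWS\system32\litwfmeh.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\system32\jkhhf.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
KNOWN_VUNDO_NAMES = {"msevents object", "atlevents object"}  # names VirtumundoBeGone alerts on
Finding = namedtuple("Finding", "severity clsid path reason")

def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]   # e.g. 'jkhhf.dll'

def triage(hjt_log):
    """Apply the BHO checks seen in the VirtumundoBeGone log to an HJT log's O2/O20 lines."""
    notify, bhos = {}, []   # Winlogon Notify subkey (lowercased) -> DLL; parsed BHOs
    for line in hjt_log.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            notify[m.group("key").lower()] = m.group("path")
            continue
        m = O2_RE.match(line.strip())
        if m:
            bhos.append((m.group("name"), m.group("clsid"), m.group("path")))
    findings = []
    for name, clsid, path in bhos:
        stem = basename(path).rsplit(".", 1)[0].lower()   # 'jkhhf' for jkhhf.dll
        if name.lower() in KNOWN_VUNDO_NAMES:
            findings.append(Finding("ALERT", clsid, path, "known Vundo BHO name"))
        elif name == "(no name)":
            # VirtumundoBeGone's rule: an unnamed BHO whose DLL stem also appears under
            # HKLM\...\Winlogon\Notify is the Vundo loader; otherwise it only warns.
            if stem in notify:
                findings.append(Finding("ALERT", clsid, path, "unnamed BHO with matching Winlogon Notify key"))
            elif "\\system32\\" in path.lower():   # this tier is the example's own addition
                findings.append(Finding("REVIEW", clsid, path, "unnamed BHO loaded from system32"))
            else:
                findings.append(Finding("WARNING", clsid, path, "unnamed BHO, no Winlogon reference"))
    return findings
```

Running `triage(SAMPLE_HJT)` flags jkhhf.dll as ALERT, litwfmeh.dll as REVIEW and the unnamed MyWay deSrcAs.dll only as WARNING, mirroring the three outcomes visible in the thread.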
ky331 (3 Apprentice, 15.6K Posts), January 3rd, 2006 18:00
Looks like VirtumundoBeGone successfully deactivated the bad WinFixer/Vundo file -- and it also appears that HJT has successfully deactivated MorWilSearch as well... have you noticed any difference, in terms of WinFixer popups, warnings about trojan vundo/virtumundo, MorWilSearch, and/or overall system speed/performance?
*******************************
it appears you're running some "mixture" of Sun Java j2re1.4.2_03 and MS-Java virtual machine. there is much speculation that a "hole" in this particular SUN version is being exploited by WinFixer; and moreover, Microsoft's java VM is being phased out. so we should upgrade to the latest SUN version, 1.5.0_06 from http://www.java.com/en/download/manual.jsp