It appears that you have multiple versions of Sun Java on your system... it looks like you're running jre1.5.0_03, but still have "remnants" of j2re1.4.2_03. There is much speculation that a "hole" in j2re1.4.2_03 is being exploited by WinFixer, so we should upgrade to the latest version, 1.5.0_06, from
http://www.java.com/en/download/manual.jsp
My personal preference is to download the MANUAL (OFFline) installation version (16 MB), but if you prefer the online installation, that choice is yours.
AFTER you successfully install the new Java, go to your Control Panel, ADD/REMOVE Programs, and UNinstall all older versions of Java (if any) that still show up there.... especially the 1.4.2_03.
When you're done, REPLY here, and post an updated/revised HJT log.
Looks like I still have the WinFixer virus... opened up IE and there it was.
Be advised that your HJT log does not show any of the "standard" signs of WinFixer --- no active vundo/virtumundo trojan, no SurfAccuracy, nor installers.
There's one "stealth" (hidden) version that we can test for: follow the directions in the following link to download, set up, and run rootkitrevealer from:
Please generate a new/revised HJT log, REPLY to this thread, paste it here, and let us know what's happening.
Okay. Please REPLY and post an updated/revised HJT log... we need to verify that the O2-ATLDistrib and O4-winupdates lines I mentioned above were successfully removed.
I assume you're still getting [specifically] WinFixer popups [as opposed to any other type of popup] -- the word WinFixer, or WinAntiVirus, or WinAntiSpyware shows up?? If not, what names or identifying keywords do you see there, that make you believe it's WinFixer?
As mentioned previously --- and since I don't see any signs of WinFixer anymore --- I'm trying to get someone else to continue analysis of your log....
The first two are from the latest version of Java but normally there is only one running. Java never used these before but they have been found to slow down Internet Explorer and removing them doesn't hurt.
Yeah, I'm actually noticing that it happens when I open My Documents. It's pretty random though. WinFixer 2006 pops up and then opens a new tab in Firefox.
If you have Microsoft Word and this happens when you open a document, then: Close Word. Start, Search, For Files or Folders, All Files and Folders, More Advanced Options. Check Search System Folders, Search Hidden Files and Folders, Search Subfolders. Then where it says "All or part of the file name:" put in: normal.dot, then Search. When it finishes, right-click on each normal.dot and rename it to anormal.dot. Open Word (Start, All Programs, (Microsoft Office), Microsoft Word). Do not open an existing document yet!
In Word: Tools, Options, Save, and check Prompt to Save Normal template. OK.
Also Tools, Macros, Security, and set it to Highest. OK.
Now close Word and allow it to save the Normal.dot template this time, but after this tell it no.
Now open a document and see if you get any notices about WinFixer.
If you do not have Word and this happens when you enter the folder My Documents, then:
First, open Windows Explorer (right-click on Windows and select Explore).
Second, make sure Windows will let you see the system and hidden files and extensions:
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known file types.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK
Third, locate the My Documents folder and look for any files named desktop.ini. Delete them. Do you see any other .ini files?
ky331 (3 Apprentice, 15.6K Posts) - March 2nd, 2006 11:00
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
* Save it to your Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated
Please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens. Just reboot if your system "jams".
*********************
It's now time to report back to us:
VirtumundoBeGone generated a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here, along with your latest HJT log.
P.S. Be sure to post your ENTIRE HJT log this time... rather than stopping after an O16 section, it should go all the way through O23.
noisemeup (6 Posts) - March 2nd, 2006 14:00
[03/02/2006, 8:43:13] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Philip\Desktop\VirtumundoBeGone.exe" )
[03/02/2006, 8:43:18] - Detected System Information:
[03/02/2006, 8:43:18] - Windows Version: 5.1.2600, Service Pack 2
[03/02/2006, 8:43:18] - Current Username: Philip (Admin)
[03/02/2006, 8:43:18] - Windows is in NORMAL mode.
[03/02/2006, 8:43:18] - Searching for Browser Helper Objects:
[03/02/2006, 8:43:18] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/02/2006, 8:43:18] - BHO 2: {86059629-45EE-4AA6-A994-672B68AC8B44} (ATLDistrib Object)
[03/02/2006, 8:43:18] - ALERT: Found ATLDistrib Object!
[03/02/2006, 8:43:18] - BHO 3: {86059629-45EE-4AA6-A994-672B68AC8B44} (ATLDistrib Object)
[03/02/2006, 8:43:18] - ALERT: Found ATLDistrib Object!
[03/02/2006, 8:43:18] - BHO 4: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} ()
[03/02/2006, 8:43:18] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/02/2006, 8:43:18] - Checking for HKLM\...\Winlogon\Notify\ssqrq
[03/02/2006, 8:43:18] - Found: HKLM\...\Winlogon\Notify\ssqrq - This is probably Virtumundo.
[03/02/2006, 8:43:18] - Assigning {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} MSEvents Object
[03/02/2006, 8:43:18] - BHO list has been changed! Starting over...
[03/02/2006, 8:43:18] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/02/2006, 8:43:18] - BHO 2: {86059629-45EE-4AA6-A994-672B68AC8B44} (ATLDistrib Object)
[03/02/2006, 8:43:18] - ALERT: Found ATLDistrib Object!
[03/02/2006, 8:43:18] - BHO 3: {86059629-45EE-4AA6-A994-672B68AC8B44} (ATLDistrib Object)
[03/02/2006, 8:43:18] - ALERT: Found ATLDistrib Object!
[03/02/2006, 8:43:18] - BHO 4: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} (MSEvents Object)
[03/02/2006, 8:43:18] - ALERT: Found MSEvents Object!
[03/02/2006, 8:43:18] - Finished Searching Browser Helper Objects
[03/02/2006, 8:43:18] - *** Detected ATLDistrib Object
[03/02/2006, 8:43:18] - *** Detected MSEvents Object
[03/02/2006, 8:43:18] - Trying to remove ATLDistrib Object...
[03/02/2006, 8:43:19] - Terminating Process: IEXPLORE.EXE
[03/02/2006, 8:43:19] - Terminating Process: RUNDLL32.EXE
[03/02/2006, 8:43:20] - Disabling Automatic Shell Restart
[03/02/2006, 8:43:20] - Terminating Process: EXPLORER.EXE
[03/02/2006, 8:43:20] - Suspending the NT Session Manager System Service
[03/02/2006, 8:43:20] - Terminating Windows NT Logon/Logoff Manager
[03/02/2006, 8:43:20] - Re-enabling Automatic Shell Restart
[03/02/2006, 8:43:20] - File to disable: C:\WINDOWS\AppPatch\pstcp.dll
[03/02/2006, 8:43:20] - Removing HKLM\...\Browser Helper Objects\{86059629-45EE-4AA6-A994-672B68AC8B44}
[03/02/2006, 8:43:20] - Removing HKCR\CLSID\{86059629-45EE-4AA6-A994-672B68AC8B44}
[03/02/2006, 8:43:20] - Adding Kill Bit for ActiveX for GUID: {86059629-45EE-4AA6-A994-672B68AC8B44}
[03/02/2006, 8:43:20] - Deleting ATLEvents/MSEvents Registry entries
[03/02/2006, 8:43:20] - Removing HKLM\...\Winlogon\Notify\pstcp
[03/02/2006, 8:43:20] - Trying to remove MSEvents Object...
[03/02/2006, 8:43:21] - Terminating Process: IEXPLORE.EXE
[03/02/2006, 8:43:21] - Terminating Process: RUNDLL32.EXE
[03/02/2006, 8:43:21] - Disabling Automatic Shell Restart
[03/02/2006, 8:43:21] - Terminating Process: EXPLORER.EXE
[03/02/2006, 8:43:21] - Suspending the NT Session Manager System Service
[03/02/2006, 8:43:21] - Terminating Windows NT Logon/Logoff Manager
[03/02/2006, 8:43:21] - Re-enabling Automatic Shell Restart
[03/02/2006, 8:43:21] - File to disable: C:\WINDOWS\system32\ssqrq.dll
[03/02/2006, 8:43:21] - Renaming C:\WINDOWS\system32\ssqrq.dll -> C:\WINDOWS\system32\ssqrq.dll.vir
[03/02/2006, 8:43:21] - File successfully renamed!
[03/02/2006, 8:43:21] - Removing HKLM\...\Browser Helper Objects\{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[03/02/2006, 8:43:21] - Removing HKCR\CLSID\{EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[03/02/2006, 8:43:21] - Adding Kill Bit for ActiveX for GUID: {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D}
[03/02/2006, 8:43:21] - Deleting ATLEvents/MSEvents Registry entries
[03/02/2006, 8:43:21] - Removing HKLM\...\Winlogon\Notify\ssqrq
[03/02/2006, 8:43:21] - Searching for Browser Helper Objects:
[03/02/2006, 8:43:22] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/02/2006, 8:43:22] - Finished Searching Browser Helper Objects
[03/02/2006, 8:43:22] - Finishing up...
[03/02/2006, 8:43:22] - A restart is needed.
[03/02/2006, 8:43:22] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[03/02/2006, 8:43:30] - Attempting to Restart via STOP error (Blue Screen!)
HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 8:49:06 AM, on 3/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Philip\My Documents\hihihi\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {86059629-45EE-4AA6-A994-672B68AC8B44} - C:\WINDOWS\AppPatch\pstcp.dll (file missing)
O2 - BHO: ATLDistrib Object - {86059629-45EE-4AA6-A994-672B68AC8B44} - C:\WINDOWS\AppPatch\pstcp.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C60450-B999-4FAB-8FE6-58AB39F8F6ED}: NameServer = 68.94.156.1 68.94.157.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
ky331 (3 Apprentice, 15.6K Posts) - March 2nd, 2006 15:00
Looks like VirtumundoBeGone successfully deactivated the bad WinFixer/Vundo file... have you noticed any difference, in terms of WinFixer popups, warnings about trojan vundo/virtumundo, and/or overall system speed/performance?
However, your log still shows a (non-critical) "remnant" of some infections, which we can easily remove now:
Close your internet browser.
Run HijackThis and click on DO A SYSTEM SCAN ONLY.
Place a check-mark in the box in front of each of these lines:
O2 - BHO: ATLDistrib Object - {86059629-45EE-4AA6-A994-672B68AC8B44} - C:\WINDOWS\AppPatch\pstcp.dll (file missing)
O2 - BHO: ATLDistrib Object - {86059629-45EE-4AA6-A994-672B68AC8B44} - C:\WINDOWS\AppPatch\pstcp.dll (file missing)
Click on FIX CHECKED. Close HiJackThis. Reboot.
*******************
At that point, I'm gonna try to ask someone else to step-in, to determine additional problems (if any) that you might have. Please be advised that we're very "understaffed" at the moment, so I can't make any guarantee as to when the next helper will arrive.
Good luck.
Message Edited by ky331 on 03-02-2006 12:34 PM
noisemeup (6 Posts) - March 3rd, 2006 04:00
Logfile of HijackThis v1.99.1
Scan saved at 10:27:11 PM, on 3/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\AOL\1135930313\ee\aolsoftware.exe
c:\program files\common files\aol\1135930313\ee\aim6.exe
C:\Documents and Settings\Philip\My Documents\hihihi\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ATLDistrib Object - {86059629-45EE-4AA6-A994-672B68AC8B44} - C:\WINDOWS\AppPatch\pstcp.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C60450-B999-4FAB-8FE6-58AB39F8F6ED}: NameServer = 68.94.156.1 68.94.157.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
ky331 (3 Apprentice, 15.6K Posts) - March 3rd, 2006 12:00
there was a Winfixer "remnant", which was appearing twice in your original log, that now still appears once. I don't believe that's the real problem, but let's try to take care of this first.
Close your internet browser.
Run HijackThis and click on DO A SYSTEM SCAN ONLY.
Place a check-mark in the box in front of each of these lines:
O2 - BHO: ATLDistrib Object - {86059629-45EE-4AA6-A994-672B68AC8B44} - C:\WINDOWS\AppPatch\pstcp.dll (file missing)
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
Click on FIX CHECKED. Close HijackThis. Reboot.
**********************
If WinFixer still appears after this reboot:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode, run rootkitrevealer again and see if things look any better now.
noisemeup (6 Posts) - March 3rd, 2006 15:00
RKinner (2 Intern, 5.9K Posts) - March 3rd, 2006 16:00
This is Ron. KY331 asked me to take over. Your last log still shows a particularly nasty bug. Don't know if he is giving you the WinFixer ads or not, but he needs to go. You can read one writeup on him here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.bc.html
Download the killbox:
http://www.bleepingcomputer.com/files/killbox.php
Unzip it to your desktop but don't run it.
Shutdown and Restart and boot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option. Log in as your usual login or you won't find the programs you put on the desktop, and some of the entries we want to remove will not appear in HijackThis.
Run HijackThis and just do a Scan only. Check then Fix Checked the following:
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
Where it says Full Path of File to Delete you need to type:
It will say: File Will Be Removed On Reboot, Do you want to reboot Now.
Tell it YES.
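As an added example (not a tool from this thread, and not VirtumundoBeGone's or HijackThis's own code), the script below applies to HijackThis lines the same checks ky331 and Ron apply by eye above: an O2 BHO named ATLDistrib/MSEvents or left with "(file missing)", the winupdates O4 Run entry tied to the Gaobot write-up, and VirtumundoBeGone's own test of an unnamed BHO whose DLL also appears under Winlogon\Notify. The sample log is constructed from entries posted above plus two hypothetical lines (an unnamed O2 BHO and an O20 entry for ssqrq) standing in for a scan taken before ssqrq.dll was renamed.

```python
"""Flag the HijackThis entries a helper would single out in this thread.

Added illustration, not a tool from the thread.  SAMPLE_LOG is constructed:
it copies a few entries from the logs posted above and adds two hypothetical
lines (an unnamed O2 BHO and an O20 Winlogon Notify entry for ssqrq) showing
how the Vundo objects in the VirtumundoBeGone log would have appeared in a
HijackThis scan taken before that tool renamed ssqrq.dll.
"""
import re
from dataclasses import dataclass

# BHO names the VirtumundoBeGone log above reports as Vundo/Virtumundo.
VUNDO_BHO_NAMES = {"ATLDistrib Object", "MSEvents Object"}
# Run-key name Ron ties to the Symantec Gaobot write-up above.
KNOWN_BAD_RUN_NAMES = {"winupdates"}
# Winlogon Notify handlers that belong to legitimate software in these logs
# (Intel graphics driver).  Anything else is worth a second look, because
# Vundo registers its DLL both as a BHO and as a Winlogon Notify handler.
KNOWN_GOOD_NOTIFY = {"igfxcui"}

# Constructed sample: real entries from the thread plus two hypothetical lines
# (the "(no name)" O2 line and the "ssqrq" O20 line).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {86059629-45EE-4AA6-A994-672B68AC8B44} - C:\WINDOWS\AppPatch\pstcp.dll (file missing)
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\ssqrq.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    name: str      # BHO name or CLSID, Run entry name, or Notify handler name
    reason: str


def dll_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\ssqrq.dll (file missing)' -> 'ssqrq'."""
    leaf = path.replace(" (file missing)", "").rsplit("\\", 1)[-1]
    return leaf.rsplit(".", 1)[0].lower()


def analyze(log_text: str) -> list[Finding]:
    """Parse O2/O4/O20 lines and return the entries worth fixing or verifying."""
    bhos, runs, notifies = [], [], {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bhos.append(m.groupdict())
        elif m := O4_RE.match(line):
            runs.append(m.groupdict())
        elif m := O20_RE.match(line):
            notifies[m["name"].lower()] = m["path"]

    findings = []
    for b in bhos:
        if b["name"] in VUNDO_BHO_NAMES:
            findings.append(Finding("O2", b["name"], "known Vundo/Virtumundo BHO name"))
        elif b["name"] == "(no name)":
            stem = dll_stem(b["path"])
            if stem in notifies:
                # The heuristic VirtumundoBeGone logs above: an unnamed BHO whose DLL
                # is also a Winlogon Notify handler is "probably Virtumundo".
                findings.append(Finding("O2", b["clsid"],
                                        f"unnamed BHO; '{stem}' is also a Winlogon Notify handler"))
            else:
                findings.append(Finding("O2", b["clsid"], "unnamed BHO; verify the DLL's publisher"))
        elif b["path"].endswith("(file missing)"):
            # Harmless on its own, but it is the "remnant" ky331 has the user fix.
            findings.append(Finding("O2", b["name"], "BHO registration whose DLL is gone"))

    for r in runs:
        if r["name"].lower() in KNOWN_BAD_RUN_NAMES:
            findings.append(Finding("O4", r["name"], "Run entry name from the Gaobot write-up"))

    for name in notifies:
        if name not in KNOWN_GOOD_NOTIFY:
            findings.append(Finding("O20", name, "Winlogon Notify handler not on the known-good list"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<40}{f.reason}")
```

Run against a real HJT log the known-good sets will need extending per machine; the point is that the same three checks the helpers apply by hand can be written down and repeated.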
ky331 (3 Apprentice, 15.6K Posts) - March 3rd, 2006 16:00
noisemeup (6 Posts) - March 3rd, 2006 20:00
Scan saved at 2:02:51 PM, on 3/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Philip\My Documents\hihihi\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ATLDistrib Object - {86059629-45EE-4AA6-A994-672B68AC8B44} - C:\WINDOWS\AppPatch\pstcp.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures06.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
RKinner
March 4th, 2006 11:00
Close Internet Explorer and run Hijackthis (scan only) and check these then Fix Checked:
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ATLDistrib Object - {86059629-45EE-4AA6-A994-672B68AC8B44} - C:\WINDOWS\AppPatch\pstcp.dll (file missing)
The first two are from the latest version of Java but normally there is only one running. Java never used these before but they have been found to slow down Internet Explorer and removing them doesn't hurt.
Are you still getting the WinFixer popups?
Ron
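As an added example (not code from the thread, from HijackThis or from VirtumundoBeGone), here is a small triage script for the O2/O20/O23 sections of a HijackThis-style log like the one posted above. It flags exactly the things Ron picked out: a BHO whose DLL is gone ("(file missing)" means the registry still holds the BHO registration but the file at that path no longer exists, so the entry does nothing but should still be removed) and a BHO CLSID that is listed twice. It also lists the O20 persistence points (Winlogon Notify and AppInit_DLLs, both loaded into system processes at logon) and O23 services with no recognisable owner for review. The sample lines are copied from the log in this thread; the severity labels and the regexes are this example's own assumptions about the HJT line format, not anything HijackThis documents.

```python
"""Triage of a HijackThis-style log (added example, not from the thread)."""
import re
from collections import Counter

# Line formats as they appear in the posted log (assumed, not an official spec).
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Sample input: lines copied verbatim from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ATLDistrib Object - {86059629-45EE-4AA6-A994-672B68AC8B44} - C:\WINDOWS\AppPatch\pstcp.dll (file missing)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


def _lines(log_text):
    return [ln.strip() for ln in log_text.splitlines() if ln.strip()]


def parse_bhos(log_text):
    """Return one dict (name, clsid, path, missing) per O2 line, in log order."""
    return [m.groupdict() for m in map(BHO_RE.match, _lines(log_text)) if m]


def triage(log_text):
    """Return (severity, kind, subject, detail) tuples.

    severity "fix": safe to tick in HijackThis and Fix Checked.
    severity "review": a persistence point or unowned service worth a second look.
    """
    findings = []
    bhos = parse_bhos(log_text)

    # A BHO registration whose DLL is gone: the key outlived the file.
    for b in bhos:
        if b["missing"]:
            findings.append(("fix", "orphaned-bho", b["clsid"], b["path"]))

    # The same CLSID registered twice (the Java SSVHelper case in this log).
    for clsid, n in Counter(b["clsid"] for b in bhos).items():
        if n > 1:
            name = next(b["name"] for b in bhos if b["clsid"] == clsid)
            findings.append(("fix", "duplicate-bho", clsid, f"{name} listed {n} times"))

    for ln in _lines(log_text):
        m = NOTIFY_RE.match(ln)
        if m:  # Winlogon Notify DLLs run inside winlogon.exe at logon
            findings.append(("review", "winlogon-notify", m["name"], m["path"]))
            continue
        m = APPINIT_RE.match(ln)
        if m:  # AppInit_DLLs are loaded into every process that loads user32.dll
            findings.append(("review", "appinit-dll", m["path"], "loaded into every user32 process"))
            continue
        m = SERVICE_RE.match(ln)
        if m and m["owner"].lower() == "unknown owner":
            findings.append(("review", "unowned-service", m["name"], m["path"]))
    return findings


if __name__ == "__main__":
    for sev, kind, subject, detail in triage(SAMPLE_LOG):
        print(f"[{sev}] {kind}: {subject} -> {detail}")
```

Run on the sample, the two "fix" findings are the same three lines Ron asked to be checked (the duplicate SSVHelper pair counts once, by CLSID); the "review" findings are only pointers, not verdicts, and the Intel igfxcui Winlogon entry in this log is a normal graphics-driver component.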
noisemeup
March 4th, 2006 16:00
RKinner
March 5th, 2006 12:00
If you have Microsoft Word and this happens when you open a document then: Close Word.
Start, Search, For Files or Folders, All Files and Folders, More Advanced Options.
Check Search System Folders, Search Hidden Files and Folders, Search Subfolders.
Then where it says "All or part of the file name:" put in: normal.dot then Search.
When it finishes, right click on each normal.dot and rename to anormal.dot.
Open Word (by using Start, All Programs, (Microsoft Office), Microsoft Word). Do not open an existing document yet!
In Word, Tools, Options, Save, and check Prompt to Save Normal template, OK.
Also Tools, Macros, Security, and set it to highest. OK.
Now close Word and allow it to save the Normal.dot template this time but after this tell it no.
Now open a document and see if you get any notices about winfixer.
If you do not have word and this happens when you enter the folder My Documents then:
First, open Windows Explorer (right click on Windows and select Explore.)
Second, make sure Windows will let you see the system and hidden files and extensions:
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known file types.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK
Third, locate the My Documents folder and look for any files named desktop.ini. Delete them. Do you see any other .ini files?
Any better?
Ron
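The file-system half of Ron's two procedures above, scripted as an added example (this is not code from the thread; the tree it builds under build_demo_tree() is constructed here for illustration and is not the poster's machine). It locates every Normal.dot under a root whether or not Explorer is set to show hidden files, renames each to aNormal.dot without ever overwriting an earlier backup, and lists the .ini files under My Documents with desktop.ini first so the ones Ron asks about can be reviewed before anything is deleted. The dry-run default, the aNormal.dot collision rule and the hidden/system attribute check are this example's own choices.

```python
"""Scripted Normal.dot rename and My Documents .ini listing (added example)."""
import os
import stat
import tempfile


def find_files_named(root, name):
    """Every file under root whose name equals `name`, case-insensitively.
    os.walk returns hidden and system files regardless of Explorer's Folder Options."""
    wanted = name.lower()
    return [os.path.join(d, f)
            for d, _sub, files in os.walk(root)
            for f in files if f.lower() == wanted]


def rename_normal_templates(root, dry_run=True):
    """Plan (and with dry_run=False, perform) the Normal.dot -> aNormal.dot rename.

    Returns (old_path, new_path) pairs. new_path is None when a backup already
    exists at the target, in which case the original is left untouched rather
    than clobbering the earlier copy.
    """
    plan = []
    for old in find_files_named(root, "normal.dot"):
        d, f = os.path.split(old)
        new = os.path.join(d, "a" + f)
        if os.path.exists(new):
            plan.append((old, None))
            continue
        plan.append((old, new))
        if not dry_run:
            os.rename(old, new)
    return plan


def is_hidden_or_system(path):
    """True when the file carries the Windows HIDDEN or SYSTEM attribute.
    st_file_attributes only exists on Windows; elsewhere this is always False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))


def list_ini_files(my_documents):
    """All *.ini files below My Documents, desktop.ini entries first, then by path."""
    inis = [os.path.join(d, f)
            for d, _sub, files in os.walk(my_documents)
            for f in files if f.lower().endswith(".ini")]
    inis.sort(key=lambda p: (os.path.basename(p).lower() != "desktop.ini", p.lower()))
    return inis


def build_demo_tree():
    """Constructed sample tree for the demo and tests (not from the thread)."""
    root = tempfile.mkdtemp(prefix="hjt-demo-")
    layout = {
        "Templates/Normal.dot": "",
        "My Documents/normal.dot": "",
        "My Documents/anormal.dot": "",  # an earlier backup; must not be clobbered
        "My Documents/desktop.ini": "[.ShellClassInfo]\n",
        "My Documents/hihihi/settings.ini": "",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for old, new in rename_normal_templates(root, dry_run=True):
        print("would rename" if new else "skip (backup exists):", old)
    for ini in list_ini_files(os.path.join(root, "My Documents")):
        flag = " (hidden/system)" if is_hidden_or_system(ini) else ""
        print("ini:", ini + flag)
```

On a real machine you would pass the profile root (for example C:\Documents and Settings\<user>) and look at the dry-run plan before calling it again with dry_run=False; the listing step deliberately only reports, leaving the decision to delete desktop.ini to the person reading the output.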