ky331 (3 Apprentice, 15.6K Posts), November 30th, 2005 17:00
First: You're running HJT from a TEMP directory:
C:\Documents and Settings\Bill\Local Settings\Temp\HijackThis.exe
When you do so, either HJT will not create its log files and backup files; or if it does, you risk losing them when the TEMP's cache is cleared. It's important that you save these backup files, in case you have to "undo" [restore] some of the things you "FIX" incorrectly.
So you need to move HJT into a separate, non-temporary, non-Desktop, directory of its own. We recommend using the directory C:\HJT , so that it will then appear in your log, under running processes, as C:\HJT\HiJackThis.exe
**************
Download [but do *NOT* yet run] FixVundo from
http://securityresponse.symantec.com/avcenter/FixVundo.exe
[we'll have you run it later]
Note: If you have previously downloaded this file on another occasion, please download it again, to be absolutely sure you have the most current version.
********************
Next, download VirtumundoBeGone from:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
* Save it to your Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated
please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.
just reboot if your system "jams"
*********************
After rebooting, it's now time to run FixVundo (which you had downloaded earlier).
Make sure all other programs, including your Internet Browser, are closed.
Double-click the FixVundo.exe file to start the removal tool.
Click Start to begin the process, and then allow this tool to run.
Important: Do not launch any new applications while the tool is running!
Reboot your computer.
Run the FixVundo removal tool again to ensure that the system is clean.
*********************
It's now time to report back to us:
VirtumundoBeGone generated a "log" file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here, along with your latest HJT log.
ky331 (3 Apprentice, 15.6K Posts), November 30th, 2005 19:00
Nice work. Looks like VirtumundoBeGone successfully deactivated two bad WinFixer files. Have you noticed any difference, in terms of WinFixer popups, and overall system speed/performance?
At this point, I'm gonna try to ask someone else to step-in, to determine additional problems (if any) that you might have. Please be advised that we're very "understaffed" at the moment, so I can't make any guarantee as to when (or even if) the next helper will arrive.
Good luck.
wdavis07 (3 Posts), November 30th, 2005 19:00
I changed to the HJT folder as you recommended. Here are the logfiles after following your instructions:
Logfile of HijackThis v1.99.1
Scan saved at 3:34:13 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HJT\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094511730207
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://syncmw.verizonwireless.com/en/SyncInstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs8b.instantservice.com/jars/customerxsigned42.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
[11/30/2005, 13:53:46] - Starting Process...
[11/30/2005, 13:53:46] - Looking for Browser Helper Object [MSEvents Object]
[11/30/2005, 13:53:46] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} -
[11/30/2005, 13:53:46] - WARNING: 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - BHO Name is blank.
[11/30/2005, 13:53:46] - Checking for WinLogon Notify reference. (File: C:\WINDOWS\system32\vtsro.dll)
[11/30/2005, 13:53:46] - Found a reference to C:\WINDOWS\system32\vtsro.dll in Winlogon Notify! This is most likely Virtumundo!
[11/30/2005, 13:53:46] - Assigning {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} MSEvents Object
[11/30/2005, 13:53:46] - BHO list has been changed! Starting over...
[11/30/2005, 13:53:46] - 1: {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - MSEvents Object
[11/30/2005, 13:53:46] - Found MSEvents Object!
[11/30/2005, 13:53:46] - File location: C:\WINDOWS\system32\vtsro.dll
[11/30/2005, 13:53:46] - Attempting to kill C:\WINDOWS\system32\vtsro.dll
[11/30/2005, 13:53:46] - Terminating Process: RUNDLL32.EXE
[11/30/2005, 13:53:47] - Terminating Process: IEXPLORE.EXE
[11/30/2005, 13:53:47] - Disabling Automatic Shell Restart
[11/30/2005, 13:53:47] - Terminating Process: EXPLORER.EXE
[11/30/2005, 13:53:47] - Suspending the NT Session Manager System Service
[11/30/2005, 13:53:47] - Terminating Windows NT Logon/Logoff Manager
[11/30/2005, 13:53:48] - Re-enabling Automatic Shell Restart
[11/30/2005, 13:53:48] - Renaming C:\WINDOWS\system32\vtsro.dll -> C:\WINDOWS\system32\vtsro.dll.vir
[11/30/2005, 13:53:48] - File successfully renamed!
[11/30/2005, 13:53:48] - Removing Registry references to {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/30/2005, 13:53:48] - Adding Internet Explorer Protection (Kill ActiveX) for {00DBDAC8-4691-4797-8E6A-7C6AB89BC441}
[11/30/2005, 13:53:48] - Removing Winlogon Notify Entry: vtsro
[11/30/2005, 13:53:48] - BHO list has been changed! Starting over...
[11/30/2005, 13:53:48] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/30/2005, 13:53:48] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/30/2005, 13:53:48] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/30/2005, 13:53:48] - Checking for WinLogon Notify reference. (File: C:\Program Files\Spybot - Search & Destroy\SDHelper.dll)
[11/30/2005, 13:53:48] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/30/2005, 13:53:48] - 3: {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - MSEvents Object
[11/30/2005, 13:53:48] - Found MSEvents Object!
[11/30/2005, 13:53:48] - File location: C:\WINDOWS\System32\rqonl.dll
[11/30/2005, 13:53:48] - Attempting to kill C:\WINDOWS\System32\rqonl.dll
[11/30/2005, 13:53:48] - Terminating Process: RUNDLL32.EXE
[11/30/2005, 13:53:48] - Terminating Process: IEXPLORE.EXE
[11/30/2005, 13:53:48] - Disabling Automatic Shell Restart
[11/30/2005, 13:53:49] - Terminating Process: EXPLORER.EXE
[11/30/2005, 13:53:49] - Suspending the NT Session Manager System Service
[11/30/2005, 13:53:49] - Terminating Windows NT Logon/Logoff Manager
[11/30/2005, 13:53:49] - Re-enabling Automatic Shell Restart
[11/30/2005, 13:53:49] - Renaming C:\WINDOWS\System32\rqonl.dll -> C:\WINDOWS\System32\rqonl.dll.vir
[11/30/2005, 13:53:49] - File successfully renamed!
[11/30/2005, 13:53:49] - Removing Registry references to {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}
[11/30/2005, 13:53:49] - Adding Internet Explorer Protection (Kill ActiveX) for {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}
[11/30/2005, 13:53:49] - Removing Winlogon Notify Entry: rqonl
[11/30/2005, 13:53:49] - BHO list has been changed! Starting over...
[11/30/2005, 13:53:49] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/30/2005, 13:53:49] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/30/2005, 13:53:49] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/30/2005, 13:53:49] - Checking for WinLogon Notify reference. (File: C:\Program Files\Spybot - Search & Destroy\SDHelper.dll)
[11/30/2005, 13:53:49] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/30/2005, 13:53:49] - Finished searching for [MSEvents Object]
[11/30/2005, 13:53:49] - Finishing up...
[11/30/2005, 13:53:49] - Enabling Automatic Reboot on STOP Error.
[11/30/2005, 13:53:49] - Attempting to Restart via STOP error (Blue Screen!)
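The VirtumundoBeGone log above walks a fixed decision path: a BHO already named "MSEvents Object" is the Virtumundo marker; a BHO with a blank name is only a warning (SDHelper has one) unless the same DLL is also registered as a Winlogon Notify package, which is what turned vtsro.dll into a hit. The following is an added example, not the tool's own code: it reproduces that logic over a constructed in-memory snapshot built from the CLSIDs and paths quoted in the log, and emits the remediation steps the log shows as a plan rather than touching anything. The registry key paths are the real Windows locations; the snapshot values and the helper names are assumptions for the example.

```python
import ntpath
from dataclasses import dataclass

# Real registry locations this check reasons about; the snapshot further down
# is constructed from the CLSIDs and DLL paths quoted in the thread's logs.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
KILLBIT_KEY = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

@dataclass
class Bho:
    clsid: str
    name: str   # default value under CLSID\{clsid}; blank on both Vundo DLLs in the log
    dll: str    # InprocServer32 path

def dll_stem(path):
    """'C:\\WINDOWS\\system32\\vtsro.dll' -> 'vtsro' (Notify subkeys use this name)."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()

def classify_bho(bho, notify):
    """Return 'suspect', 'ignore' or 'clean', mirroring the log's decisions."""
    if bho.name == "MSEvents Object":
        return "suspect"                 # the marker name the tool searches for
    if bho.name:
        return "clean"                   # a named BHO is not examined further
    stem = dll_stem(bho.dll)
    for subkey, dllname in notify.items():
        # Winlogon\Notify subkey named after the DLL, or its DLLName value, matches
        if subkey.lower() == stem or dll_stem(dllname) == stem:
            return "suspect"             # blank name + logon hook: Virtumundo pattern
    return "ignore"                      # blank name, no Notify hook: SDHelper's case

def remediation_plan(bho):
    """The four actions the log performs for a hit, as reviewable strings only."""
    return [
        f"rename {bho.dll} -> {bho.dll}.vir",
        f"delete {BHO_KEY}\\{bho.clsid}",
        f"set {KILLBIT_KEY}\\{bho.clsid} Compatibility Flags=0x400",  # IE kill bit
        f"delete {NOTIFY_KEY}\\{dll_stem(bho.dll)}",
    ]

def scan(bhos, notify):
    return {b.clsid: classify_bho(b, notify) for b in bhos}

# Constructed snapshot: the four BHOs and two Notify hooks seen in the log, plus one benign Notify entry.
SNAPSHOT_BHOS = [
    Bho("{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}", "AcroIEHlprObj Class", r"C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll"),
    Bho("{53707962-6F74-2D53-2644-206D7942484F}", "", r"C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"),
    Bho("{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}", "", r"C:\WINDOWS\system32\vtsro.dll"),
    Bho("{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}", "MSEvents Object", r"C:\WINDOWS\System32\rqonl.dll"),
]
SNAPSHOT_NOTIFY = {"vtsro": "vtsro.dll", "rqonl": "rqonl.dll", "crypt32chain": "crypt32.dll"}

if __name__ == "__main__":
    for b in SNAPSHOT_BHOS:
        verdict = classify_bho(b, SNAPSHOT_NOTIFY)
        print(verdict, b.clsid, b.dll)
        if verdict == "suspect":
            for step in remediation_plan(b):
                print("    ", step)
```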
RKinner (2 Intern, 5.9K Posts), November 30th, 2005 22:00
Log looks OK.
Ron
Make sure you have System Restore running (toggle it off and On today to get rid of any bad stuff it may have retained) and then you can just go back to an earlier time if you hit a bad site.
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
One way to make this more obvious is to check everything in your current HijackThis and Add to Ignore List then set up Hijackthis to run at boot and to show you if it finds anything new.
To avoid going to a bad site you might want to install IE-SpyAd and SpywareBlaster and make the other changes recommended at:
http://www.mvps.org/winhelp2002/restricted.htm
I used to recommend Spybot's Immunize system but have recently learned it is not as good as the one at:
http://www.mvps.org/winhelp2002/hosts.htm
Never hurts to do one of the free on line scans from Panda or Trend. They take a while but are pretty good.
www.pandasoftware.com/activescan/activescan.asp?
http://housecall.trendmicro.com/
In addition to Microsoft AntiSpy
http://www.microsoft.com/athome/security/downloads/default.mspx
I like to run Spybot S&D.
http://www.safer-networking.org/en/download/index.html
Also like to run AdAware once in a while.
http://www.lavasoftusa.com/software/adaware/
Get the latest version of JRE 5.0 Update 5 at http://java.sun.com/j2se/1.5.0/download.jsp (You probably want the online install for Windows: jre-1_5_0_05-windows-i586-p-iftw.exe)
Make sure you have removed any older versions of Java or JRE with Control Panel, Add/Remove Programs. Updates do not remove the older versions which have exploitable flaws.