Your Java application is out of date.
Please follow these steps to remove older version Java components
1. Close any open programs you may have running, especially your web
browser.
2. Click Start-->Control Panel-->Add or Remove Programs.
For those just reading this thread: Depending on your OS, you may have to click Start-->Settings-->Control Panel-->Add or Remove Programs.
3. Click once on any item listing Java Runtime Environment in the name (to highlight it) then click the "Remove" or "Change/Remove" button.
Not every version of Java will begin with "Java" so be sure to read each entry in the list. Repeat step 3 as many times as necessary to remove all versions of Java.
**If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals...when finished uninstalling all of them, reboot the computer.
4. Navigate to and delete:
C:\Program Files\ Java =this folderif found
5. Then go to
this page.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications"and click the "Download" button to the right.
6. Check the box that says: "Accept License Agreement"
the page will refresh and click on the link to download Windows Offline Installation with or without Multi-language. Save it to your desktop.
Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.
Open killbox.exe.
First click on Tools>Delete Temp Files.
A box will open with a list of all user profiles.
Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.
Temporary Internet Files
Temp Files
XP Prefetch
If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.
Then, click on the Button titled "Delete Selected Temp Files".
Exit by clicking the Button titled "Exit(Save Settings)".
Once back into the main killbox program, check the box:
Delete on Reboot
Highlight the entries below in
Bold text and then copy them.
C:\PROGRA~1\TEXAST~1\texas.dll C:\WINDOWS\system32\nvsvcd.exe
Then in killbox click File>>Paste from Clipboard
At this point the "All Files" button should be enabled so you can click it.
Click the "All Files" button.
Then click the
Red X ...and for the confirmation message that will appear, you will need to click
Yes.
A second message will ask to Reboot now? you will need to click
No for now.
Note: Killbox will let you know if a file does not exist.
If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the
Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until you've completed the instructions below.
Please run HijackThis again and check the following:
O2 - BHO: XBTP00129 Class - {0EDB9047-FEF0-4598-A380-BA61F41E242A} - C:\PROGRA~1\TEXAST~1\texas.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: Texas Toolbar - {AA2C2B4F-9C61-4DFF-BE0D-2CCC21E823C0} - C:\Program Files\Texas Toolbar\texas.dll O15 - Trusted Zone: *.musicmatch.com (HKLM) O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)
Close all windows except for HijackThis then click
Fix Checked.
Reboot the computer and post a new HijackThis log. How is the computer running now?
I can't say the computer is running poorly now or even that it was running poorly before. I became aware of a problem when I could not launch MSConfig or Regedit. I knew then that something had to be wrong and it had to be fixed before things got worse. I am hoping the parasites have finally been removed. I must say I thought I took adequate care of my pc by constantly keeping an updated anti-virus program running and using Ad-Aware SE and SpyBot Search and Destroy. I had no idea a parasite could slip past my anti-virus protection and still do this much damage. I certainly have learned a lesson and will be more careful going forward. :-)
My goal now is to repair the damaged files left behind, hopefully without having to re-install Windows XP. Please provide assistance if at all possible. I want to thank you very much for the advice you have provided so far. Now any assistance I can receive with repairing the damaged files will be greatly appreciated.
I completed all of the steps exactly as you instructed and then ran a new HJT scan. Here is the log.
Cheers, =KYLE=
Logfile of HijackThis v1.99.1
Scan saved at 6:39:06 PM, on 9/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
The entry below is new and needs to go:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
...and as well, when I first glanced over your log, I missed a couple entries that are spurious and also need to go. I looked past them as they appear legit at first glance:
O4 - HKLM\..\Run: MSNMSGR.EXE
O4 - HKCU\..\RunOnce: MSNMSGR.EXE
...however, msn messenger does not run from the run key and should not invoke the runonce key.
Best yet, it has no business in the System32 folder referenced here:
C:\WINDOWS\system32\MSNMSGR.EXE
So...let's do this:
Download
Ewido anti-spyware to your desktop.
This is a 30 day free trial. At the end of the 30-day trial period the full version features (active guard, automatic updates...) will be deactivated and the program will become a feature-limited freeware version...You can still keep it and use it for "On Demand" scanning.
Double click the icon on the desktop to launch the set up program.
Select Change state to inactivate "Resident Shield" and "Automatic Updates". Right click on ewido in the system tray and uncheck "Start with Windows".
Once the setup is complete you will need to update the definition files.
On the main screen select the icon Update then click the Start Update button.
The update will start and a progress bar will show the updates being installed.
Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
Once in the Settings screen click on Recommended actions and then select Quarantine.
Under Reports
Select Automatically generate report after every scan
Un-Select Only if threats were found
Close ewido anti-spyware.
Please boot into Safe mode:
Restart the computer and immediately begin tapping the F8 key (or F5 on some Dell machines).
Use the arrow keys to highlight Safe Mode and press the Enter key. Once in safe mode, continue with the instructions below:
Launch ewido anti-spyware by double-clicking the icon on your desktop.
Select the Scanner icon at the top, then the Scan tab then click on Complete System Scan.
ewido will now begin the scanning process, be patient this may take some time.
When prompted of an infection, please select Apply all actions
Once the scan is complete do the following:
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to your Desktop.
Now close ewido anti-spyware.
Please run HijackThis again and check the following that may still exist:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = O4 - HKLM\..\Run: MSNMSGR.EXE O4 - HKCU\..\RunOnce: MSNMSGR.EXE
Close all windows now except for HijackThis then click
Fix Checked.
Locate and delete the following file indicated in
Bold text:
C:\WINDOWS\system32\
MSNMSGR.EXE
Reboot the computer to properly record the changes made to the disk.
Please download:
Dr.Web Cure it. Double click on the
cureit.exe then click "Start".
During the scan infected files are cured, incurable files are moved to the quarantine directory. When the scanning is finished, the log file and the quarantined item/s will not be deleted. Once you determine that the quarantined file is indeed bad, you must manually delete it/them.
To scan your computer with the most up-to-date Dr.Web virus bases next time you scan, you should download a new Dr.Web CureIt! package. To do this, press the "Update" link on the first utility screen, which leads to the ftp-server where the latest version of CureIt! is located. Download the utility anew and run it again. Be sure to delete the out dated version each time.
Please post back the contents of the log generated during the scan along with a fresh HijackThis log. Thanks!
Hopefully, your Regedit and Msconfig along with Task Manager (You didn't mention that but you might want to check that too) will work after the malware scans. If not, there is a
VB 6 script utility written by Mr. Doug Knox MSMVP that you could use. It creates useable copies of those utilities in an effort to assist you in removing the virus that more than likely caused the problem.
Once again I followed your instructions as written and was utterly amazed by the results of the Ewido scan. Even after all of the scans I have run Ewido still found almost 300 parasites and two of them were critical! The CureIt scan came back without finding any threats. Also, it looks like Ewido corrected some of the problems you asked me to fix with HJT and delete with KillBox. The two logs you asked for are below and I have highlighted (by an extra line break) the problems Ewido identified as critical. Again, thanks for the outstanding service you are providing. I look forward to receiving further instructions from you.
Also, I had to delete most of the lines in the Ewido log because my reply was too long to post here. I only deleted tracking cookies and according to Ewido they are not much of a threat. If you need to see the complete list of tracking cookies I can email the log to you upon request.
C:\WINDOWS\system32\SI_APP.dll -> Adware.FCAdvice : Cleaned with backup (quarantined).
C:\WINDOWS\system32\SiPlugins.dll -> Adware.FCAdvice : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msnmsgr.exe -> Backdoor.Bifrose.xx : Cleaned with backup (quarantined).
HKU\S-1-5-21-436374069-287218729-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DC9377A2-2E8D-44A1-99DB-F8A821DF254D} -> Hijacker.Generic : Cleaned with backup (quarantined).
:mozilla.371:C:\Documents and Settings\KYLE FRASIER\Application Data\Mozilla\Firefox\Profiles\ni8lb9q0.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.536:C:\Documents and Settings\KYLE FRASIER\Application Data\Mozilla\Firefox\Profiles\ni8lb9q0.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.544:C:\Documents and Settings\KYLE FRASIER\Application Data\Mozilla\Firefox\Profiles\ni8lb9q0.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.364:C:\Documents and Settings\KYLE FRASIER\Application Data\Mozilla\Firefox\Profiles\ni8lb9q0.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.365:C:\Documents and Settings\KYLE FRASIER\Application Data\Mozilla\Firefox\Profiles\ni8lb9q0.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
::Report end
************************************
Logfile of HijackThis v1.99.1
Scan saved at 2:10:32 AM, on 9/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Now that your system is clean, let's create a new restore point.
Please click "Start > Programs > Accessories > System Tools > System Restore"
In the new window, check the 'Create a restore point' in the right pane and click "Next".
In the "Restore point description" textbox, name your restore point to something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean)
Click "Create" and reboot your computer.
In the future, there are some things you can do to prevent spyware infections:
Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox from
http://www.mozilla.org
If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.
Run
CCleaner often
or Disk Cleanup ("Start > Programs > Accessories > System Tools > Disk Cleanup" ) and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files
1972vet
3.3K Posts
0
September 13th, 2006 18:00
Please follow these steps to remove older version Java components
1. Close any open programs you may have running, especially your web
browser.
2. Click Start-->Control Panel-->Add or Remove Programs.
For those just reading this thread:
Depending on your OS, you may have to click Start-->Settings-->Control Panel-->Add or Remove Programs.
3. Click once on any item listing Java Runtime Environment in the name (to highlight it) then click the "Remove" or "Change/Remove" button.
Not every version of Java will begin with "Java" so be sure to read each entry in the list.
Repeat step 3 as many times as necessary to remove all versions of Java.
**If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals...when finished uninstalling all of them, reboot the computer.
4. Navigate to and delete:
- C:\Program Files\ Java =this folder if found
5. Then go to this page.Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications"and click the "Download" button to the right.
6. Check the box that says: "Accept License Agreement" the page will refresh and click on the link to download Windows Offline Installation with or without Multi-language. Save it to your desktop.
Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.
Open killbox.exe.
First click on Tools>Delete Temp Files.
A box will open with a list of all user profiles.
Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.
Temporary Internet Files
Temp Files
XP Prefetch
If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.
Then, click on the Button titled "Delete Selected Temp Files".
Exit by clicking the Button titled "Exit(Save Settings)".
Once back into the main killbox program, check the box:
Delete on Reboot
Highlight the entries below in Bold text and then copy them.
C:\PROGRA~1\TEXAST~1\texas.dll
C:\WINDOWS\system32\nvsvcd.exe
Then in killbox click File>>Paste from Clipboard
At this point the "All Files" button should be enabled so you can click it.
Click the "All Files" button.
Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes.
A second message will ask to Reboot now? you will need to click No for now.
Note: Killbox will let you know if a file does not exist.
If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until you've completed the instructions below.
Please run HijackThis again and check the following:
O2 - BHO: XBTP00129 Class - {0EDB9047-FEF0-4598-A380-BA61F41E242A} - C:\PROGRA~1\TEXAST~1\texas.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Texas Toolbar - {AA2C2B4F-9C61-4DFF-BE0D-2CCC21E823C0} - C:\Program Files\Texas Toolbar\texas.dll
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)
Close all windows except for HijackThis then click Fix Checked.
Reboot the computer and post a new HijackThis log. How is the computer running now?
CenTex
5 Posts
0
September 13th, 2006 23:00
My goal now is to repair the damaged files left behind, hopefully without having to re-install Windows XP. Please provide assistance if at all possible. I want to thank you very much for the advice you have provided so far. Now any assistance I can receive with repairing the damaged files will be greatly appreciated.
I completed all of the steps exactly as you instructed and then ran a new HJT scan. Here is the log.
Cheers, =KYLE=
Logfile of HijackThis v1.99.1
Scan saved at 6:39:06 PM, on 9/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\runservice.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\MSNMSGR.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
D:\Application Installers\Misc. Software & Utilities\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.statesman.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Distributed Transaction Coordinator Class - {E9DC6D60-BBD5-4FEE-88CF-82B5E267ED27} - C:\WINDOWS\System32\msdtc32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSN Messenger Service A] MSNMSGR.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [Star Downloader Free] C:\Program Files\Star Downloader\stardown.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\RunOnce: [MSN Messenger Service A] MSNMSGR.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24d922659635a8da7020/netzip/RdxIE601.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O20 - Winlogon Notify: SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
1972vet
3.3K Posts
0
September 14th, 2006 00:00
The entry below is new and needs to go:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
...and as well, when I first glanced over your log, I missed a couple entries that are spurious and also need to go. I looked past them as they appear legit at first glance:
O4 - HKLM\..\Run: MSNMSGR.EXE
O4 - HKCU\..\RunOnce: MSNMSGR.EXE
...however, msn messenger does not run from the run key and should not invoke the runonce key.
Best yet, it has no business in the System32 folder referenced here:
C:\WINDOWS\system32\MSNMSGR.EXE
So...let's do this:
Download Ewido anti-spyware to your desktop.
This is a 30 day free trial. At the end of the 30-day trial period the full version features (active guard, automatic updates...) will be deactivated and the program will become a feature-limited freeware version...You can still keep it and use it for "On Demand" scanning.
Close ewido anti-spyware.
Please boot into Safe mode:
Restart the computer and immediately begin tapping the F8 key (or F5 on some Dell machines).
Use the arrow keys to highlight Safe Mode and press the Enter key. Once in safe mode, continue with the instructions below:
Once the scan is complete do the following:
- Next select the Reports icon at the top.
- Select the Save report as button in the lower left hand of the screen and save it to your Desktop.
Now close ewido anti-spyware.Please run HijackThis again and check the following that may still exist:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: MSNMSGR.EXE
O4 - HKCU\..\RunOnce: MSNMSGR.EXE
Close all windows now except for HijackThis then click Fix Checked.
Locate and delete the following file indicated in Bold text:
C:\WINDOWS\system32\ MSNMSGR.EXE
Reboot the computer to properly record the changes made to the disk.
Please download:
Dr.Web Cure it.
Double click on the cureit.exe then click "Start".
During the scan infected files are cured, incurable files are moved to the quarantine directory. When the scanning is finished, the log file and the quarantined item/s will not be deleted. Once you determine that the quarantined file is indeed bad, you must manually delete it/them.
To scan your computer with the most up-to-date Dr.Web virus bases next time you scan, you should download a new Dr.Web CureIt! package. To do this, press the "Update" link on the first utility screen, which leads to the ftp-server where the latest version of CureIt! is located. Download the utility anew and run it again. Be sure to delete the out dated version each time.
Please post back the contents of the log generated during the scan along with a fresh HijackThis log. Thanks!
Hopefully, your Regedit and Msconfig along with Task Manager (You didn't mention that but you might want to check that too) will work after the malware scans. If not, there is a VB 6 script utility written by Mr. Doug Knox MSMVP that you could use. It creates useable copies of those utilities in an effort to assist you in removing the virus that more than likely caused the problem.
CenTex
5 Posts
0
September 14th, 2006 07:00
Also, I had to delete most of the lines in the Ewido log because my reply was too long to post here. I only deleted tracking cookies and according to Ewido they are not much of a threat. If you need to see the complete list of tracking cookies I can email the log to you upon request.
Cheers, =KYLE=
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:15:03 PM 9/13/2006
+ Scan result:
C:\WINDOWS\system32\SI_APP.dll -> Adware.FCAdvice : Cleaned with backup (quarantined).
C:\WINDOWS\system32\SiPlugins.dll -> Adware.FCAdvice : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msnmsgr.exe -> Backdoor.Bifrose.xx : Cleaned with backup (quarantined).
HKU\S-1-5-21-436374069-287218729-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DC9377A2-2E8D-44A1-99DB-F8A821DF254D} -> Hijacker.Generic : Cleaned with backup (quarantined).
:mozilla.371:C:\Documents and Settings\KYLE FRASIER\Application Data\Mozilla\Firefox\Profiles\ni8lb9q0.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.536:C:\Documents and Settings\KYLE FRASIER\Application Data\Mozilla\Firefox\Profiles\ni8lb9q0.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.544:C:\Documents and Settings\KYLE FRASIER\Application Data\Mozilla\Firefox\Profiles\ni8lb9q0.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.364:C:\Documents and Settings\KYLE FRASIER\Application Data\Mozilla\Firefox\Profiles\ni8lb9q0.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
:mozilla.365:C:\Documents and Settings\KYLE FRASIER\Application Data\Mozilla\Firefox\Profiles\ni8lb9q0.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
::Report end
************************************
Logfile of HijackThis v1.99.1
Scan saved at 2:10:32 AM, on 9/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\runservice.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
D:\Application Installers\Misc. Software & Utilities\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.statesman.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Distributed Transaction Coordinator Class - {E9DC6D60-BBD5-4FEE-88CF-82B5E267ED27} - C:\WINDOWS\System32\msdtc32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [Star Downloader Free] C:\Program Files\Star Downloader\stardown.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - Startup: PowerReg SchedulerV2.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/24d922659635a8da7020/netzip/RdxIE601.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O20 - Winlogon Notify: SABWinLogon - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - SuperAdBlocker.com - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
Message Edited by CenTex on 09-14-200603:16 AM
CenTex
5 Posts
0
September 14th, 2006 07:00
Cheers, =KYLE=
Message Edited by CenTex on 09-14-200603:18 AM
1972vet
3.3K Posts
0
September 14th, 2006 17:00
Now that your system is clean, let's create a new restore point.
Please click "Start > Programs > Accessories > System Tools > System Restore"
In the new window, check the 'Create a restore point' in the right pane and click "Next".
In the "Restore point description" textbox, name your restore point to something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean)
Click "Create" and reboot your computer.
In the future, there are some things you can do to prevent spyware infections:
Install the following freeware programs:
SpywareGuard
Spywareblaster
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.
If you do not have a firewall, here are a couple freeware firewalls you can install:
Kerio Personal Firewall
Zone Alarm
Stay updated with the most recent Windows patches using
Microsoft's Windows Update.
Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox from http://www.mozilla.org
If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.
Run CCleaner often
or Disk Cleanup ("Start > Programs > Accessories > System Tools > Disk Cleanup" ) and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files
So how did I get infected in the first place?
Regards, and Happy Surfing!