narrow88

help win.tmp.exe


I've been getting popups for WinAntivirus. Symantec detected and 'removed' Trojan.Startpage, Adware.PurityScan, Adware.MainSearch, Trojan.Zlob, and Trojan.Adclicker. I think one source was cowabanga.exe.

 

Logfile of HijackThis v1.99.1

Scan saved at 12:03:58 AM, on 02/07/2006

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Windows\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Windows\System32\ctfmon.exe

C:\Windows\System32\devldr32.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\PROGRA~1\YAHOO!\YOP\yop.exe

C:\PROGRA~1\YAHOO!\browser\ycommon.exe

C:\help\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\J Choe\Application Data\Mozilla\Profiles\default\6jf9nk35.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\J Choe\Application Data\Mozilla\Profiles\default\6jf9nk35.slt\prefs.js)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_2_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {411F0C6B-D7BF-485D-B21B-28D6DD9230F9} - C:\Windows\System32\ursqq.dll (file missing)

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_2_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKCU\..\Run: [update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL (file missing)

O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: Win32 Classes -

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab

O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab?

O20 - Winlogon Notify: NavLogon - C:\Windows\

O20 - Winlogon Notify: pmnommj - C:\Windows\

O20 - Winlogon Notify: winonn32 - C:\Windows\SYSTEM32\winonn32.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE


Hi narrow88, Welcome

 

You have traces of the Vundo infection and Trojan Agent, so this will take a couple of posts to help you get the PC clean again. Spybot's TeaTimer appears to be making a bit of a mess in the registry, so I think you should leave that feature off; we need to disable it anyway before we start, as it will interfere with the Trojan removal and the HijackThis fixes. Norton is also missing its Winlogon file, so that may need to be re-installed once we get the system clean.

 

The obvious problem is that you have no Service Packs installed, so the system is wide open to infection: there are too many security holes that can be exploited on a PC with no Service Packs or Security Updates.

 

Disable Spybot's TeaTimer Protection

  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts

You may want to copy and paste this reply to notepad and then save it to your desktop as some of the steps will require reboots.

 

Open HijackThis and click Open the Misc Tools section

 

Then click Delete a file on reboot

 

In the File Name field, copy and paste this:

 

C:\Windows\SYSTEM32\winonn32.dll

 

Then click Open

 

HijackThis will tell you that this file will be deleted when the system reboots and ask you if you want to reboot now. Click Yes.

 

Your system should then reboot.

 

After Reboot Please download VundoFix.exe to your desktop.

 

http://www.atribune.org/ccount/click.php?id=4

  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt into your next reply.

Next run HijackThis and choose Do A System Scan, then place a check next to these entries:

O2 - BHO: (no name) - {411F0C6B-D7BF-485D-B21B-28D6DD9230F9} - C:\Windows\System32\ursqq.dll (file missing)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

O16 - DPF: Win32 Classes -

O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -

O20 - Winlogon Notify: pmnommj - C:\Windows\

O20 - Winlogon Notify: winonn32 - C:\Windows\SYSTEM32\winonn32.dll

Close all open browser and other windows except for HijackThis and press the Fix Checked button.

 

Finally, can you generate a list of your Add/Remove screen to make sure there are no problems showing.

 

Open HijackThis, click Open the Misc Tools section, then click the Open Uninstall Manager... button.

The Add/Remove Programs Manager panel should appear.

In this panel click the Save list button.

Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

 

 

Please then post back the C:\vundofix.txt file, the uninstall list and a new HijackThis log, and let us know if you have any problems or questions.

 

Thanks

 

Andy

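The entries Andy picks out above follow a few patterns that can be checked mechanically: BHOs whose DLL is gone, Winlogon Notify packages that are not known components, and autoruns given without a full path. As an added illustration (not part of this thread and not a HijackThis feature), the Python below parses the O2, O4 and O20 sections of a HijackThis v1.99.1 log and flags those patterns. The sample lines are constructed from the log posted above; the allowlist of expected Winlogon Notify packages (just NavLogon, Symantec's) and the vowel-ratio heuristic for random DLL names are assumptions for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2", "O20"
    severity: str  # "info", "review" or "high"
    reason: str
    line: str


# Assumption for this example: Winlogon Notify packages expected on this machine.
# NavLogon is Symantec's; the random-named ones in the thread were Vundo.
KNOWN_NOTIFY = {"navlogon"}

# Constructed sample lines in HijackThis v1.99.1 format, modelled on the log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {411F0C6B-D7BF-485D-B21B-28D6DD9230F9} - C:\Windows\System32\ursqq.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O20 - Winlogon Notify: NavLogon - C:\Windows\
O20 - Winlogon Notify: pmnommj - C:\Windows\
O20 - Winlogon Notify: winonn32 - C:\Windows\SYSTEM32\winonn32.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

LINE_RE = re.compile(r"^(O\d+|R\d|N\d)\s+-\s+(.*)$")
O2_RE = re.compile(r"^BHO:\s+(?P<name>.+?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<path>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*):\s+\[(?P<value>[^\]]*)\]\s+(?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify:\s+(?P<name>\S+)\s+-\s+(?P<path>.*)$")


def looks_random(name: str) -> bool:
    """Crude heuristic (assumption): vowel-poor names such as 'pmnommj' resemble the
    per-victim random DLL names Vundo used. A trailing digit run is ignored."""
    stem = re.sub(r"\d+$", "", name.lower())
    if len(stem) < 6:
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.2


def triage(log_text: str) -> list:
    """Return a Finding for each O2/O4/O20 line that matches one of the patterns."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        tag, body = m.groups()
        if tag == "O2":
            b = O2_RE.match(body)
            if not b:
                continue
            path = b["path"]
            if path == "(no file)" or path.endswith("(file missing)"):
                # Registration survives but the DLL is gone: the CLSID can be removed.
                findings.append(Finding(tag, "review", "orphaned BHO registration (DLL absent)", raw))
            elif b["name"] == "(no name)":
                findings.append(Finding(tag, "review", "unnamed BHO with a DLL present; verify publisher", raw))
        elif tag == "O4":
            b = O4_RE.match(body)
            if not b:
                continue
            cmd = b["cmd"].strip().strip('"')
            if not re.match(r"^[A-Za-z]:\\", cmd):
                # Bare file name: resolved through the search path, so worth a look.
                findings.append(Finding(tag, "info", "autorun without a full path", raw))
        elif tag == "O20":
            b = O20_RE.match(body)
            if not b:
                continue
            name = b["name"]
            if name.lower() in KNOWN_NOTIFY:
                continue
            sev = "high" if looks_random(name) else "review"
            findings.append(Finding(tag, sev, "Winlogon Notify package not on the known list (loads into winlogon.exe)", raw))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity so a log can be compared before and after a fix."""
    counts = {"high": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Running the script against the two logs in this thread would show the O2 and O20 findings disappearing after the VundoFix and Fix Checked steps, which is the comparison the helper makes by eye.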

Thank you Andy for the quick reply. I want to confess that I previously ran VundoFix and it gave me a log. VundoFix does not re-open after I check Run VundoFix as a task.

 

Here is the previous VundoFix file:

VundoFix V4.2.84

 

Checking Java version...

 

Java version is 1.5.0.2

 

Java version is 1.5.0.4

 

Java version is 1.5.0.6

 

Scan started at 12:43:20 AM 01/07/2006

 

Listing files found while scanning....

 

 

C:\Windows\SYSTEM32\qqsru.bak1

C:\Windows\SYSTEM32\qqsru.ini

C:\Windows\SYSTEM32\ursqq.dll

Attempting to delete C:\Windows\SYSTEM32\qqsru.bak1

C:\Windows\SYSTEM32\qqsru.bak1 Has been deleted!

 

Attempting to delete C:\Windows\SYSTEM32\qqsru.ini

C:\Windows\SYSTEM32\qqsru.ini Has been deleted!

 

Attempting to delete C:\Windows\SYSTEM32\ursqq.dll

C:\Windows\SYSTEM32\ursqq.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

VundoFix V4.2.84

 

Checking Java version...

 

Java version is 1.5.0.2

 

Java version is 1.5.0.4

 

Java version is 1.5.0.6

 

Scan started at 12:49:33 AM 01/07/2006

 

Listing files found while scanning....

 

 

No infected files were found.

 

 

VundoFix V4.2.84

 

Checking Java version...

 

Java version is 1.5.0.2

 

Java version is 1.5.0.4

 

Java version is 1.5.0.6

 

Scan started at 12:51:03 AM 01/07/2006

 

Listing files found while scanning....

 

 

No infected files were found.

 

 

VundoFix V4.2.84

 

Checking Java version...

 

Scan started at 1:06:49 AM 01/07/2006

 

Listing files found while scanning....

 

 

No infected files were found.

 

 

VundoFix V4.2.84

 

Checking Java version...

 

Scan started at 7:54:22 AM 02/07/2006

 

Listing files found while scanning....

 

 

No infected files were found.

 

Uninstall list:

Ad-Aware SE Personal

Adobe Acrobat 7.0.1 and Reader 7.0.1 Update

Adobe Acrobat 7.0.2 and Reader 7.0.2 Update

Adobe Acrobat 7.0.3 and Reader 7.0.3 Update

Adobe Atmosphere Player for Acrobat and Adobe Reader

Adobe Reader 7.0

Ahead Nero - Burning Rom

AsusUpdate V3.26

ATI Multimedia Center

DirectX 9 Hotfix - KB839643

DivX

Dora Backpack

Easy CD Creator 5 Platinum

HijackThis 1.99.1

Java 2 Runtime Environment, SE v1.4.0_03

Java 2 Runtime Environment, SE v1.4.1_02

LiveReg (Symantec Corporation)

LiveUpdate 2.6 (Symantec Corporation)

Macromedia Shockwave Player

Microsoft Data Access Components KB870669

Microsoft IntelliPoint 4.0

Microsoft Office PowerPoint Viewer 2003

Microsoft Office Professional Edition 2003

Mozilla Firefox (1.5)

Netscape (7.1)

Nick Aracde Toolbar

OLYMPUS CAMEDIA Master 4.2

Outlook Express Q823353

QuickTime

RealPlayer

Rogers Self Healing (remove only)

Rogers Update Manager (remove only)

Rogers Yahoo! Applications

Shockwave

Sony Digital Voice Editor 2

Sound Blaster Live! Value

Spybot - Search & Destroy 1.4

Symantec AntiVirus

Windows XP Application Compatibility Update[Q319580]

Windows XP Hotfix - KB810217

Windows XP Hotfix - KB821253

Windows XP Hotfix - KB821557

Windows XP Hotfix - KB823182

Windows XP Hotfix - KB823559

Windows XP Hotfix - KB824105

Windows XP Hotfix - KB824141

Windows XP Hotfix - KB824146

Windows XP Hotfix - KB825119

Windows XP Hotfix - KB828028

Windows XP Hotfix - KB828035

Windows XP Hotfix - KB828741

Windows XP Hotfix - KB833407

Windows XP Hotfix - KB833987

Windows XP Hotfix - KB834707

Windows XP Hotfix - KB835732

Windows XP Hotfix - KB837001

Windows XP Hotfix - KB839645

Windows XP Hotfix - KB840315

Windows XP Hotfix - KB840374

Windows XP Hotfix - KB840987

Windows XP Hotfix - KB841356

Windows XP Hotfix - KB841533

Windows XP Hotfix - KB841873

Windows XP Hotfix - KB842773

Windows XP Hotfix - KB873376

Windows XP Hotfix - KB883357

Windows XP Hotfix - KB887811

Windows XP Hotfix - KB887822

Windows XP Hotfix (SP1) [see Q307869 for more information]

Windows XP Hotfix (SP1) [see Q309521 for more information]

Windows XP Hotfix (SP1) [see Q310510 for more information]

Windows XP Hotfix (SP1) [see Q311542 for more information]

Windows XP Hotfix (SP1) [see Q311889 for more information]

Windows XP Hotfix (SP1) [see Q311967 for more information]

Windows XP Hotfix (SP1) [see Q313450 for more information]

Windows XP Hotfix (SP1) [see Q314862 for more information]

Windows XP Hotfix (SP1) [see Q315000 for more information]

Windows XP Hotfix (SP1) [see Q315403 for more information]

Windows XP Hotfix (SP1) [see Q316397 for more information]

Windows XP Hotfix (SP1) [see Q317277 for more information]

Windows XP Hotfix (SP1) [see Q318138 for more information]

Windows XP Hotfix (SP1) [see Q318966 for more information]

Windows XP Hotfix (SP1) [see Q319322 for more information]

Windows XP Hotfix (SP1) [see Q319949 for more information]

Windows XP Hotfix (SP1) [see Q320174 for more information]

Windows XP Hotfix (SP1) [see Q320552 for more information]

Windows XP Hotfix (SP1) [see Q320678 for more information]

Windows XP Hotfix (SP1) [see Q323172 for more information]

Windows XP Hotfix (SP1) [see Q324096 for more information]

Windows XP Hotfix (SP1) [see Q324380 for more information]

Windows XP Hotfix (SP1) [see Q326830 for more information]

Windows XP Hotfix (SP1) [see Q328940 for more information]

Windows XP Hotfix (SP1) [see Q329048 for more information]

Windows XP Hotfix (SP1) [see Q329390 for more information]

Windows XP Hotfix (SP1) [see Q329441 for more information]

Windows XP Hotfix (SP1) [see Q329834 for more information]

Windows XP Hotfix (SP1) Q329170

Windows XP Hotfix (SP1) Q810577

Windows XP Hotfix (SP1) Q810833

Windows XP Hotfix (SP1) Q811493

Windows XP Hotfix (SP1) Q815021

Windows XP Hotfix (SP1) Q817606

Windows XP Hotfix (SP1) Q819696

Windows XP Hotfix (SP2) [see Q329115 for more information]

WinRAR archiver

WinZip

XviD MPEG-4 Video Codec

Yahoo! Photos Easy Upload Tool 1v3

 

HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 8:07:05 AM, on 02/07/2006

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\Windows\System32\smss.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\System32\svchost.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Windows\System32\ctfmon.exe

C:\Windows\System32\devldr32.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Windows\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Windows\system32\fxssvc.exe

C:\Windows\System32\wuauclt.exe

C:\help\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.ca/0SEENCA/SAOS01

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\J Choe\Application Data\Mozilla\Profiles\default\6jf9nk35.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\J Choe\Application Data\Mozilla\Profiles\default\6jf9nk35.slt\prefs.js)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_2_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_2_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Windows\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKCU\..\Run: [update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL (file missing)

O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab

O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab?

O20 - Winlogon Notify: NavLogon - C:\Windows\

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

 

Thank you again.


Hi narrow88

 

Thanks for the logs. I've had a similar problem with the Run as a task option in the past when I've used Atribune's Look2me Destroyer; sometimes it takes more than a few minutes to re-open, and it also sometimes helps to choose Run as a task again, as it then tends to open fine on the second attempt. This isn't needed here, as you have been able to run it at some stage and it has removed the Vundo files that were present, which is nice to see :)

 

Is there any reason why you cannot update the system to Service Pack 2? It's a much needed upgrade and is essential these days to help prevent infections and make the system more secure.

 

Can you go to Start Menu > Control Panel > Add or Remove Programs and remove these:

Java 2 Runtime Environment, SE v1.4.0_03

Java 2 Runtime Environment, SE v1.4.1_02

Once they are removed, please install the latest version of Java (5.0 Update 7) from Sun's website Here

 

Your current HJT log looks fine, but can you run a couple of malware scans to make sure there are no remaining problems.

 

Download Ewido Anti-Spyware

  1. Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  2. After the update finishes (the status bar at the bottom will display "Update successful")
  3. Click on the Scanner tab at the top and then click on Complete System Scan
  4. Ewido will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will then display "All actions have been applied" on the right.
  5. Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back

Finally, run Panda ActiveScan from Here.

 

Once you are on the Panda site click the Scan your PC button

- A new window will open...click the Check Now button

- Enter your Country

- Enter your State/Province

- Enter your e-mail address and click send

- Select either Home User or Company

- Click the big Scan Now button

- If it wants to install an ActiveX component allow it

- It will start downloading the files it requires for the scan

(Note: It may take a couple of minutes)

- When the download is complete, click on Local Disks to start the scan

- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

 

Please then post back the Ewido scan report and the Panda ActiveScan log.

 

Cheers

 

Andy


I'm so grateful for your help. Either you don't require sleep or are in a different time zone from me.

 

My computer will not uninstall:

Java 2 Runtime Environment, SE v1.4.0_03

Java 2 Runtime Environment, SE v1.4.1_02.

I get a message stating "An installation support file could not be installed. The system cannot find the specified file".

 

As for the updates for SP2, I'm working on that. I believe that I purchased pirated software. Sometime this week I'll be buying Win XP Pro from my university.

 

For the Ewido scan and Panda scan, I'll post those reports shortly.

 

Thank you


I must be in a different time zone; I can assure you I do sleep :)

 

Regarding the errors when you try to uninstall Java, there are some indications that it's connected to a corrupt registry value:

 

http://support.installshield.com/kb/view.a...ticleid=Q107969

 

But I'd rather not remove anything from the registry, as the same values exist on two of my machines and I'm still able to install and uninstall Java.

 

 

Can you re-install both versions one at a time and then reboot and remove them :) We could just remove their entries from the Add/Remove screen, but as old versions of Java are vulnerable to infections I'd rather re-install, then reboot and uninstall, so we can be sure they have been fully removed from the system.

 

You can get version SE v1.4.0_03 from here:

 

https://sdlc4d.sun.com/ECom/EComActionServl...E1702A808D033C0

 

 

Then version SE v1.4.1_02 from here:

 

https://sdlc5e.sun.com/ECom/EComActionServl...094E50B926F679B

 

 

Let us know how it goes

 

Cheers

 

Andy


I can't seem to find the Java versions that I need. I'm going to purchase Win XP Pro this week. If you can help me, then I would greatly appreciate it.

 

But here are the Ewido and Panda logs:

 

For Ewido, I deleted the infections.

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 4:50:36 PM 02/07/2006

 

+ Scan result:

 

 

 

C:\WINDOWS\SYSTEM32\pmnommj.dll -> Adware.Virtumonde : No action taken.

:mozilla.316:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.

:mozilla.317:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.

:mozilla.318:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.

:mozilla.89:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Com : No action taken.

:mozilla.65:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.

:mozilla.71:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.

:mozilla.72:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.

:mozilla.73:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.

:mozilla.74:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.

:mozilla.23:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.

:mozilla.24:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.

:mozilla.38:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

:mozilla.39:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

:mozilla.40:C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.

 

 

::Report end

 

 

 

Incident Status Location

 

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\pmnommj.dll

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0000041.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0000112.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0000364.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0000653.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0000662.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0000702.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0000762.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0000873.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0000902.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0001127.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0001131.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0001172.~]

Virus:W32/Netsky.AE.worm Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[message.scr]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0001273.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0001464.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0001664.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0001791.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0001875.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0001969.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0001981.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0002037.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0002084.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0002094.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0002098.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0002165.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0002229.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0002252.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0002303.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0003822.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0003863.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0003874.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0003878.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0003896.~]

Virus:Exploit/iFrame Disinfected C:\WINDOWS\APPLICATION DATA\Mozilla\Profiles\S C\c53b35em.slt\Mail\pop\Inbox[~0003912.~]

Spyware:Cookie/Versiontracker Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13F.tmp

Spyware:Cookie/Atwola Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14B.tmp

Spyware:Cookie/Atwola Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14C.tmp

Spyware:Cookie/Atwola Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14D.tmp

Spyware:Cookie/Atwola Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14E.tmp

Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq153.tmp

Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq163.tmp

Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq164.tmp

Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq165.tmp

Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq166.tmp

Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq167.tmp

Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq168.tmp

Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq169.tmp

Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16A.tmp

Spyware:Cookie/DomainSponsor Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16B.tmp

Spyware:Cookie/Gorillanation Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq174.tmp

Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17A.tmp

Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17B.tmp

Spyware:Cookie/Maxserving Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17C.tmp

Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq188.tmp

Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq189.tmp

Spyware:Cookie/RealMedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq389.tmp

Spyware:Cookie/Clicktracks Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqCE.tmp

Spyware:Cookie/Humanclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp

Spyware:Cookie/Humanclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\J Choe\Desktop\SmitfraudFix\Process.exe

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][2].txt

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J Choe\Cookies\[email protected][2].txt

Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\J Choe\Cookies\[email protected][2].txt

Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][2].txt

Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][1].txt

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][1].txt

Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][1].txt

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][1].txt

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J Choe\Cookies\[email protected][3].txt

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][3].txt

Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][3].txt

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][5].txt

Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][2].txt

Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][1].txt

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][1].txt

Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][1].txt

Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][2].txt

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][6].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][2].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][1].txt

Spyware:Cookie/360i Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][1].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][2].txt

Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][1].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][4].txt

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][3].txt

Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][2].txt

Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][1].txt

Spyware:Cookie/360i Not disinfected C:\Documents and Settings\J Choe\Cookies\j [email protected][2].txt

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Profiles\default\6jf9nk35.slt\cookies.txt[.go.com/]

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Profiles\S C\c53b35em.slt\cookies.txt[.ath.belnk.com/]

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Profiles\S C\c53b35em.slt\cookies.txt[.atwola.com/]

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Profiles\S C\c53b35em.slt\cookies.txt[.belnk.com/]

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Profiles\S C\c53b35em.slt\cookies.txt[.dist.belnk.com/]

Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Profiles\S C\c53b35em.slt\cookies.txt[.maxserving.com/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Profiles\S C\c53b35em.slt\cookies.txt[.realmedia.com/]

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Profiles\Default User\bb9talky.slt\cookies.txt[.atwola.com/]

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt[.statcounter.com/]

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt[ad.yieldmanager.com/]

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt[.ads.pointroll.com/]

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt[.atwola.com/]

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt[.com.com/]

Spyware:Cookie/360i Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt[.ct.360i.com/]

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt[.go.com/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt[.realmedia.com/]

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cookies.txt[searchportal.information.com/]


Sorry about that, the link must only stay valid for a short amount of time, as it's now redirecting me to a login page.

 

Try these links and click Download in the JRE area:

 

1.4.0_03

 

http://java.sun.com/products/archive/j2se/...0_03/index.html

 

 

1.4.1_02

 

http://java.sun.com/products/archive/j2se/...1_02/index.html

 

You need to run VundoFix again, as there is still an infection present. Give it some time to open after choosing Run as a task; if it doesn't open after a few minutes, repeat the steps and see if it opens then.

 

Let us know if you have problems

 

Andy


Glad we got half of it done :D

 

Regarding Vundo, it's not currently hooked to Winlogon, so it shouldn't be that difficult to remove.

 

Open hijackthis and click Open the Misc Tools section

 

Then click Delete a file on reboot

 

In the File Name field, copy and paste this:

 

C:\WINDOWS\SYSTEM32\pmnommj.dll

 

Then click Open

 

Hijackthis will tell you that this file will be deleted when the system reboots and ask you if you want to reboot now. Click Yes

 

Your system should then reboot

 

Then give VirtumundoBeGone a try to make sure it shows clear:

 

Download VirtumundoBegone and save it to your desktop.

 

Double click VirtumundoBeGone.exe and follow the instructions.

 

 

Run a final malware scan to make sure there's nothing left that needs attention.

 

Run Kaspersky WebScanner

  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.

Post the scan log back if it detects any problems. It may also be a good idea to reinstall or try to repair Symantec, with it missing its Winlogon file; see if you get the option when you run the installation disk.

 

Andy

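As an added illustration of what the "Delete a file on reboot" step in the reply above actually does (example code written for this page, not HijackThis's own code): a DLL that is loaded into a running process cannot be deleted directly, and the standard Win32 workaround is to call MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT and no destination. That call appends the path to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager as a (source, destination) pair, an empty destination meaning delete, and the session manager works through that list early in the next boot, before winlogon and Explorer can load the file again. The pure-Python functions below model and check that queue so the request can be confirmed before rebooting, and one helper inspects the Winlogon\Notify key, where a DLL registered as a notification package is loaded by winlogon.exe at every logon, so the "not hooked to Winlogon" observation can be rechecked. The target path is the one from the post; the queue contents and Notify entries used offline are constructed, and that HijackThis uses this exact API is an assumption.

```python
r"""Added example (not HijackThis code): queue a locked DLL for deletion at boot.

MoveFileExW(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) stores src in the value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
as a (source, destination) pair with an empty destination; a destination
prefixed with "!" is a replace-existing rename.  The session manager applies
the list at the next boot.  Pure functions model the queue; the Windows-only
helpers call the real APIs and need administrator rights.
"""
import sys
from typing import Dict, List, Tuple

MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004
SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
WINLOGON_NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

TARGET_DLL = r"C:\WINDOWS\SYSTEM32\pmnommj.dll"   # the file named in the thread

# Constructed queue contents (not read from a real machine): one pending
# delete and one pending replace-rename.
SAMPLE_QUEUE = [
    r"\??\C:\WINDOWS\SYSTEM32\pmnommj.dll", "",
    r"\??\C:\WINDOWS\Temp\new.dll", r"!\??\C:\WINDOWS\SYSTEM32\old.dll",
]


def to_nt_path(path: str) -> str:
    r"""Win32 path -> the \??\-prefixed form stored in the pending list."""
    return path if path.startswith("\\??\\") else "\\??\\" + path


def parse_pending_operations(entries: List[str]) -> List[Tuple[str, str]]:
    """Split the flat REG_MULTI_SZ list into (source, destination) pairs."""
    if len(entries) % 2:
        raise ValueError("pending-rename list must hold an even number of strings")
    return list(zip(entries[0::2], entries[1::2]))


def is_delete_pending(entries: List[str], path: str) -> bool:
    """True if `path` is queued for deletion (empty destination), case-insensitively."""
    target = to_nt_path(path).lower()
    return any(src.lower() == target and dst == ""
               for src, dst in parse_pending_operations(entries))


def winlogon_notify_hooks(packages: Dict[str, str], dll_path: str) -> List[str]:
    r"""Names of Winlogon\Notify subkeys whose DLLName is this DLL (by file name)."""
    wanted = dll_path.rsplit("\\", 1)[-1].lower()
    return [name for name, dll in packages.items()
            if dll.rsplit("\\", 1)[-1].lower() == wanted]


def schedule_delete_on_reboot(path: str) -> None:
    """Windows only: ask the session manager to delete `path` at next boot."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is a Windows API; run on the affected machine")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = (wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD)
    k32.MoveFileExW.restype = wintypes.BOOL
    if not k32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


def read_pending_operations() -> List[str]:
    """Windows only: read the queue so the request can be confirmed before rebooting."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY) as key:
        try:
            value, _ = winreg.QueryValueEx(key, PENDING_VALUE)
        except OSError:          # value absent: nothing is queued
            return []
    return list(value)


def read_winlogon_notify() -> Dict[str, str]:
    r"""Windows only: map each Winlogon\Notify subkey to its DLLName value."""
    import winreg
    hooks: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_NOTIFY_KEY) as key:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(key, index)
            except OSError:      # no more subkeys
                break
            index += 1
            with winreg.OpenKey(key, name) as sub:
                try:
                    hooks[name] = winreg.QueryValueEx(sub, "DLLName")[0]
                except OSError:  # subkey without a DLLName value
                    pass
    return hooks


if __name__ == "__main__":
    if sys.platform == "win32":
        hooked = winlogon_notify_hooks(read_winlogon_notify(), TARGET_DLL)
        if hooked:
            print("still registered under Winlogon\\Notify:", hooked)
        schedule_delete_on_reboot(TARGET_DLL)
        print("queued for deletion:", is_delete_pending(read_pending_operations(), TARGET_DLL))
    else:
        print("queued in sample:", is_delete_pending(SAMPLE_QUEUE, TARGET_DLL))
```

Run it from an administrator prompt on the affected machine; if winlogon_notify_hooks reports the DLL, that Notify subkey also has to go, because winlogon.exe would otherwise try to load the file again at the next logon even though the delete has been queued. On any other OS the script only exercises the offline model.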

I don't think that anything is working.

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Sunday, July 02, 2006 11:23:07 PM

Operating System: Microsoft Windows XP Professional, (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 3/07/2006

Kaspersky Anti-Virus database records: 204272

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

 

Scan Statistics:

Total number of scanned objects: 42669

Number of viruses found: 4

Number of infected objects: 11 / 0

Number of suspicious objects: 0

Duration of the scan process: 00:59:03

 

Infected Object Name / Virus Name / Last Action

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat Object is locked skipped

C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\CSC\00000001 Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\ModemLog_Generic 56K HCF Data Fax Modem.txt Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07CC0000.VBN Infected: Trojan-PSW.Win32.Lineage.gk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07CC0002.VBN Infected: Trojan-PSW.Win32.Lineage.gk skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0000.VBN Infected: not-a-virus:AdWare.Win32.BHO.w skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0001.VBN Infected: not-a-virus:AdWare.Win32.BHO.w skipped

C:\Documents and Settings\J Choe\ntuser.dat Object is locked skipped

C:\Documents and Settings\J Choe\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\J Choe\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\J Choe\Desktop\SmitfraudFix\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\J Choe\Desktop\SmitfraudFix\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\J Choe\Desktop\SmitfraudFix\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\J Choe\Desktop\SmitfraudFix\keyfinder.exe RarSFX: infected - 3 skipped

C:\Documents and Settings\J Choe\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\J Choe\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\J Choe\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\J Choe\Application Data\Identities\{8E7C0479-EE95-4396-8671-95115447AF18}\Microsoft\Outlook Express\Hotmail - Inbox.dbx/[From [email protected]][Date Sat, 24 Jul 2004 17:33:29 -1000]/UNNAMED/document.pif Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\J Choe\Application Data\Identities\{8E7C0479-EE95-4396-8671-95115447AF18}\Microsoft\Outlook Express\Hotmail - Inbox.dbx/[From [email protected]][Date Sat, 24 Jul 2004 17:33:29 -1000]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped

C:\Documents and Settings\J Choe\Application Data\Identities\{8E7C0479-EE95-4396-8671-95115447AF18}\Microsoft\Outlook Express\Hotmail - Inbox.dbx Mail MS Outlook 5: infected - 2 skipped

C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\history.dat Object is locked skipped

C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\parent.lock Object is locked skipped

C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\cert8.db Object is locked skipped

C:\Documents and Settings\J Choe\Application Data\Mozilla\Firefox\Profiles\gxk9ksm3.default\key3.db Object is locked skipped

C:\Documents and Settings\J Choe\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

 

Scan process completed.

 

I repaired Symantec AntiVirus.

 

Thank you for your patience.


Sorry for the delay, I'm having a few issues with my broadband connection at the moment :D

 

That's not as bad as it looks; the locked items are fine. There is a key-finding tool inside SmitfraudFix's folder, so did you download that yourself and put it into the SmitfraudFix folder?

 

It's not a component of SmitfraudFix, so if you didn't download it yourself, then the folder should be removed by deleting the SmitfraudFix folder on your desktop.

 

Norton has also removed a password stealer (PSW.Win32.Lineage.gk) from your system at some stage. You should clear Symantec's Quarantine area, which you will find information on Here.

 

Then clear your Outlook Express\Hotmail - Inbox of any emails whose source you do not know, especially any with attachments, as there is a worm attached to the email from flood.

 

Apart from that it looks OK. You need to change passwords for any sites you use, especially confidential sites such as eBay, PayPal, banking, email etc., as there is no way of knowing what information may have been stolen by the password stealer Symantec found or how long it was active on your system.

 

Let us know how things are running now and if you're having any problems.

 

Thanks

 

Andy

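To make the triage in the reply above reproducible, here is an added example (not part of the thread, and not Kaspersky's or the forum's code) that parses the report format posted earlier and applies the same reasoning: entries ending in "Object is locked skipped" are files the scanner could not open, not detections; infected objects under an antivirus Quarantine folder were already caught and only need the quarantine purged; detections inside a mail store (an Outlook Express .dbx or a Mail folder) are attachments to delete from the mailbox; anything else is live on disk and needs attention. It also flags names with Kaspersky's Trojan-PSW prefix, which is the signal behind the advice to change passwords. The sample lines are excerpted from the Kaspersky report above; the classification rules and every function name are mine, and the container-line regex relies on the scanned file name containing a dot, which holds for the report format shown.

```python
"""Added example: triage a Kaspersky Online Scanner report (not Kaspersky code)."""
import re
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    path: str
    kind: str                  # "locked", "infected", "container" or "unparsed"
    detection: Optional[str]   # malware name, or container summary


# Excerpted verbatim from the Kaspersky report posted earlier in this thread.
SAMPLE_REPORT = r"""
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\Documents and Settings\J Choe\ntuser.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07CC0000.VBN Infected: Trojan-PSW.Win32.Lineage.gk skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0000.VBN Infected: not-a-virus:AdWare.Win32.BHO.w skipped
C:\Documents and Settings\J Choe\Desktop\SmitfraudFix\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\J Choe\Desktop\SmitfraudFix\keyfinder.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\J Choe\Application Data\Identities\{8E7C0479-EE95-4396-8671-95115447AF18}\Microsoft\Outlook Express\Hotmail - Inbox.dbx Mail MS Outlook 5: infected - 2 skipped
"""

LOCKED_SUFFIX = " Object is locked skipped"
INFECTED_SEP = " Infected: "
# Container summaries read "<path> RarSFX: infected - 3 skipped".  The label is
# letters, digits and spaces only, so the non-greedy path group stops at the
# right place as long as the file name itself contains a dot.
CONTAINER_RE = re.compile(
    r"^(?P<path>.*?) (?P<label>[A-Za-z][A-Za-z0-9 ]*): infected - (?P<count>\d+) skipped$"
)


def parse_report(text: str) -> List[Finding]:
    """One Finding per non-empty report line; unknown shapes are kept as 'unparsed'."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(LOCKED_SUFFIX):
            findings.append(Finding(line[:-len(LOCKED_SUFFIX)], "locked", None))
            continue
        path, sep, rest = line.rpartition(INFECTED_SEP)
        if sep:
            name = rest[:-len(" skipped")] if rest.endswith(" skipped") else rest
            findings.append(Finding(path, "infected", name))
            continue
        m = CONTAINER_RE.match(line)
        if m:
            summary = f"{m['label']}: {m['count']} infected member(s)"
            findings.append(Finding(m["path"], "container", summary))
            continue
        findings.append(Finding(line, "unparsed", None))
    return findings


def locate(path: str) -> str:
    """Where the object lives decides what the user has to do about it."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "av_quarantine"     # already neutralised; purge the quarantine
    if ".dbx" in p or "\\mail\\" in p:
        return "mail_store"        # attachment inside a mailbox; delete the message
    return "live"                  # still on disk and reachable


def triage(findings: List[Finding]) -> Dict[str, object]:
    summary: Dict[str, object] = {
        "locked": 0, "av_quarantine": [], "mail_store": [], "live": [], "pua": []}
    for f in findings:
        if f.kind == "locked":
            summary["locked"] += 1          # in use, not a detection
        elif f.kind in ("infected", "container"):
            summary[locate(f.path)].append(f.path)
            if f.detection and f.detection.startswith("not-a-virus:"):
                summary["pua"].append(f.path)   # potentially unwanted, not malware
    return summary


def credential_theft_indicated(findings: List[Finding]) -> bool:
    """True when any detection is a password stealer (Trojan-PSW prefix)."""
    return any(f.detection is not None and f.detection.startswith("Trojan-PSW")
               for f in findings)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for key, value in triage(found).items():
        print(f"{key}: {value}")
    print("change passwords:", credential_theft_indicated(found))
```

Feed it the full saved kavscan.txt instead of SAMPLE_REPORT and the "live" list is the set of paths that still need removal; everything else reduces to the three actions in the reply above (purge the quarantine, delete the mail, rotate passwords).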

You're welcome :D

 

I have included a few recommended steps below to help protect your computer from future malware infections.

 

You should get a genuine version of Windows as soon as possible to prevent infections and keep the system secure. Please see Here and Here for information on how to tell if a version of Windows is genuine and general advice on avoiding piracy.

 

Keep Ewido on the system, as it works fine after the trial has expired as an "On-Demand" scanner and remover which you can manually update and use anytime.

 

Consider installing SpywareBlaster

A tutorial on using SpywareBlaster to prevent spyware may be found Here

 

Please make sure to run your Antivirus software regularly, and to keep it up-to-date.

 

More information on how to prevent malware and to explain how you got infected can be found Here (By Tony Klein) and Here

 

Following these steps will lower the chances of getting any more malware issues, but let us know if you have questions or problems anytime.

 

Happy Surfing :)

 

Andy
