
Win Fixer 2005


#1 newks44 (Member)
Here is my HijackThis logfile.
Hopefully you can now tell me how to get rid of these annoying pop-up ads/download prompts.

Logfile of HijackThis v1.99.1
Scan saved at 09:57:01, on 22/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\EPSON\ESM2\STMS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\CUJMM2X2\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eclipse.net.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
O2 - BHO: Poly HTML Filter BHO - {0140DF95-9128-4053-AE72-F43F0CFCA062} - C:\WINDOWS\system32\SiKernel.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {9068A414-3AF9-4F79-AF1C-E6EA415BAF52} - C:\WINDOWS\repair\javacom.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [requester] "C:\WINDOWS\system32\requester.10.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\CONFLICT.10\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\bdnagent.exe
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup151.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btin...bcontrol023.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq...D_v4_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{17DDC148-BA6A-4201-902F-53080E4E06DE}: NameServer = 212.104.130.9 212.104.130.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{17DDC148-BA6A-4201-902F-53080E4E06DE}: NameServer = 212.104.130.9 212.104.130.65
O20 - Winlogon Notify: javacom - C:\WINDOWS\repair\javacom.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
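
As an added example (not part of newks44's post, and not HijackThis code), here is a small Python triage script run over a constructed excerpt in the same line format as the log above. It parses the Oxx entries, groups them by the binary they load, and flags two patterns a helper would notice in this log: the same DLL registered both as a BHO (O2) and as a Winlogon Notify handler (O20), and startup code loading from directories such as C:\WINDOWS\repair or Downloaded Program Files. For the paired DLL it also derives the reversed-name companion file (javacom becomes mocavaj) that the removal list in this thread targets. The suspect-directory list, the companion rule and the sample lines are the example's own assumptions, not output of HijackThis.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the HijackThis v1.99.1 line format, modelled on entries
# quoted in this thread. It is not a real capture; the header and process lines
# are included only to show that the parser skips them.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Poly HTML Filter BHO - {0140DF95-9128-4053-AE72-F43F0CFCA062} - C:\WINDOWS\system32\SiKernel.dll
O2 - BHO: MSEvents Object - {9068A414-3AF9-4F79-AF1C-E6EA415BAF52} - C:\WINDOWS\repair\javacom.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\CONFLICT.10\UWFX5LP_0001_0614NetInstaller.exe"
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O20 - Winlogon Notify: javacom - C:\WINDOWS\repair\javacom.dll
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
"""

# "O2 - ...", "R1 - ...": section code, then the entry detail.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<detail>.+)$")
# First Windows path to a loadable binary inside the detail text.
WIN_PATH = re.compile(r'[A-Za-z]:\\(?:[^\\"\n]+\\)*[^\\"\n]*?\.(?:dll|exe|ocx|sys)\b', re.IGNORECASE)
# Directories from which no legitimate startup component should load
# (the example's own assumption, chosen from the paths flagged in this thread).
SUSPECT_DIRS = ("\\windows\\repair\\", "\\downloaded program files\\", "\\local settings\\temp\\")


@dataclass
class Entry:
    section: str          # HijackThis section code, e.g. O2, O4, O20
    detail: str           # everything after "Oxx - "
    path: Optional[str]   # first binary path found in the line, if any


def parse_hjt(text: str):
    """Turn the Oxx/Rx lines of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue  # header, process list, blank lines
        detail = m.group("detail")
        p = WIN_PATH.search(detail)
        entries.append(Entry(m.group("section"), detail, p.group(0) if p else None))
    return entries


def reversed_companion(path: str) -> str:
    """Path of the file with the reversed stem in the same directory (javacom -> mocavaj)."""
    directory, _, filename = path.rpartition("\\")
    stem, _, ext = filename.rpartition(".")
    return f"{directory}\\{stem[::-1]}.{ext}"


def triage(entries):
    """Group entries by the binary they load and flag the suspicious patterns."""
    by_path = {}
    for e in entries:
        if e.path is None:
            continue
        rec = by_path.setdefault(e.path.lower(),
                                 {"path": e.path, "sections": set(), "reasons": [], "companion": None})
        rec["sections"].add(e.section)
    findings = {}
    for rec in by_path.values():
        low = rec["path"].lower()
        if {"O2", "O20"} <= rec["sections"]:
            rec["reasons"].append("same DLL is a BHO (O2) and a Winlogon Notify handler (O20)")
            rec["companion"] = reversed_companion(rec["path"])
        if any(d in low for d in SUSPECT_DIRS):
            rec["reasons"].append("startup code loads from a directory that should hold none")
        if rec["reasons"]:
            findings[rec["path"]] = rec
    return findings


if __name__ == "__main__":
    for path, rec in triage(parse_hjt(SAMPLE_LOG)).items():
        print(path, sorted(rec["sections"]))
        for reason in rec["reasons"]:
            print("   -", reason)
        if rec["companion"]:
            print("   - also check for the reversed-name companion:", rec["companion"])
```

The script does not decide what is malicious; it only surfaces entries that deserve a closer look, which is the same judgement the helper applies by hand in the replies that follow. Run against the constructed sample it reports javacom.dll (both rules, with mocavaj.dll as the companion to look for) and the NetInstaller executable under Downloaded Program Files, and stays silent on the Adobe, QuickTime and BitDefender entries.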
#2 Wizard (Retired Staff)
Hi newks44 and Welcome to GeekstoGo!

We will need a few tools to help us out!

Download this NOD32 removal tool:
http://www.nod32.it/...pl?tool=AgentCS

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a direct download and a description of what the program does inside this link.

Reboot into SAFE MODE (tap F8 when restarting).
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to show all hidden files and folders. Here is a link to help with that:
http://www.bleepingc...showtutorial=62

Open HijackThis and put a check by these, but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/

O2 - BHO: Poly HTML Filter BHO - {0140DF95-9128-4053-AE72-F43F0CFCA062} - C:\WINDOWS\system32\SiKernel.dll

O2 - BHO: MSEvents Object - {9068A414-3AF9-4F79-AF1C-E6EA415BAF52} - C:\WINDOWS\repair\javacom.dll

O4 - HKLM\..\Run: [requester] "C:\WINDOWS\system32\requester.10.exe"

O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\CONFLICT.10\UWFX5LP_0001_0614NetInstaller.exe"

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab

O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btin...bcontrol023.cab

O20 - Winlogon Notify: javacom - C:\WINDOWS\repair\javacom.dll

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button!

Open Pocket Killbox -> Copy & paste each entry below into Killbox:

C:\WINDOWS\system32\SiKernel.dll
C:\WINDOWS\system32\requester.10.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.10
C:\WINDOWS\repair\javacom.dll
C:\WINDOWS\repair\javacom.bak1
C:\WINDOWS\repair\javacom.bak2
C:\WINDOWS\repair\javacom.ini
C:\WINDOWS\repair\javacom.ini2
C:\WINDOWS\repair\javacom.tmp
C:\WINDOWS\repair\mocavaj.dll
C:\WINDOWS\repair\mocavaj.bak1
C:\WINDOWS\repair\mocavaj.bak2
C:\WINDOWS\repair\mocavaj.ini
C:\WINDOWS\repair\mocavaj.ini2
C:\WINDOWS\repair\mocavaj.tmp


As each is pasted into Killbox, place a tick by "Delete on Reboot".

Click "Yes" to Confirm.

Click "No" to Reboot.

Once at the last file, make the same selections and just leave Killbox open (DO NOT CLOSE KILLBOX).

Open the Removal Tool from NOD32.

Now double click on "AGCSCLEAN.exe" to open it -> Click on "Run System Check" and let it roll!

It should restart the system automatically!

If it doesn't, restart manually!

Post back with a fresh HijackThis log and let's have a look!

#3 newks44 (Topic Starter)
Thank you Cretemonster for the information.

Unfortunately, as I said in my original posting, I am by no means an expert on computers.

I was able to follow your instructions until I got to those relating to Killbox. I was at a loss as to where to copy the entries from and, after ticking "Delete on Reboot", where to click "Yes" to Confirm and "No" to Reboot.

Thanks for your efforts anyway.

#4 Wizard (Retired Staff)
No problems partner!

Do this: Copy & paste my previous instructions to Notepad and save them to your Desktop!

Once you are in Safe Mode and have run HijackThis as instructed,

Open Killbox and open the Notepad page you saved!

Copy & paste each entry listed into Killbox -> Put a tick by "Delete on Reboot", then click the red circle to start the delete process!

A window will pop up asking you to confirm that you want to delete this file!

Click "YES"

Another window will pop up asking if you want to reboot now!

Click "NO"

Once you are at the last file and you click "NO" to Reboot, just leave Killbox sitting there!

Now you open the NOD32 Removal Tool and run it as instructed!

It will attempt to restart the computer!

Sometimes this is not successful, so you might have to restart the PC manually!

If you have any other questions before proceeding, feel free to ask!

That's why I am here! :tazz:

#5 newks44 (Topic Starter)
Thanks for your further help Cretemonster.

Unfortunately, when I open the Removal Tool from NOD32, double click on "AGSCLEAN.exe" and click on "Run System Check", a warning comes up which reads:

"Could not find ,CS infected DLL, scanning the Registry. Please select the infected DLL manually."

I am at a loss as to what to do now. Can you advise?

#6 newks44 (Topic Starter)
Here's my latest HijackThis log, but bear in mind what I said about the System Check on AGCSCLEAN.exe (NOD32) in my previous posting.

Logfile of HijackThis v1.99.1
Scan saved at 20:55:16, on 23/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\EPSON\ESM2\STMS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Documents and Settings\John\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eclipse.net.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {9068A414-3AF9-4F79-AF1C-E6EA415BAF52} - C:\WINDOWS\repair\javacom.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\bdnagent.exe
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup151.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq...D_v4_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{17DDC148-BA6A-4201-902F-53080E4E06DE}: NameServer = 212.104.130.9 212.104.130.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{17DDC148-BA6A-4201-902F-53080E4E06DE}: NameServer = 212.104.130.9 212.104.130.65
O20 - Winlogon Notify: javacom - C:\WINDOWS\repair\javacom.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#7 newks44 (Topic Starter)
Hi Cretemonster!

The Win Fixer 2005 Pop up ads and download prompts seem to have stopped, at least for the moment.

Thanks for your help. If they have stopped permanently rest assured I will be making a donation for the fight against Malware.

Perhaps you would still have a look at my latest HijackThis logfile and comment on the warning received when I ran the System Check on AGCSclean.exe (NOD32).

#8 Wizard (Retired Staff)
Well, that can only mean that the files have been deleted!

Let's do this: open HijackThis and put a check by these:

O2 - BHO: MSEvents Object - {9068A414-3AF9-4F79-AF1C-E6EA415BAF52} - C:\WINDOWS\repair\javacom.dll

O20 - Winlogon Notify: javacom - C:\WINDOWS\repair\javacom.dll

Make sure all Windows and Browsers are closed and click "Fix Check".

Open Pocket Killbox, copy & paste each file below into it and select "Delete on Reboot":

C:\WINDOWS\repair\javacom.dll
C:\WINDOWS\repair\javacom.bak1
C:\WINDOWS\repair\javacom.bak2
C:\WINDOWS\repair\javacom.ini
C:\WINDOWS\repair\javacom.ini2
C:\WINDOWS\repair\javacom.tmp
C:\WINDOWS\repair\mocavaj.dll
C:\WINDOWS\repair\mocavaj.bak1
C:\WINDOWS\repair\mocavaj.bak2
C:\WINDOWS\repair\mocavaj.ini
C:\WINDOWS\repair\mocavaj.ini2
C:\WINDOWS\repair\mocavaj.tmp


Click the red circle to begin the delete process!

When prompted, click "Yes" to Confirm and click "No" to Reboot!

When you enter the last file, click "Yes" to Confirm and click "Yes" to Reboot!

Once Killbox restarts the computer, have the PC scanned here please:
http://www.pandasoft...n_principal.htm

Save the results of that scan and post them along with a fresh HijackThis log!

#9 newks44 (Topic Starter)
Cretemonster

Here are the results of the latest HijackThis scan and the result of the Panda Software scan. I started getting Win Fixer pop-up ads and download prompts again after rebooting following the use of Killbox.

Logfile of HijackThis v1.99.1
Scan saved at 15:39:43, on 24/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\EPSON\ESM2\STMS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\Documents and Settings\John\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eclipse.net.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {9068A414-3AF9-4F79-AF1C-E6EA415BAF52} - C:\WINDOWS\repair\javacom.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\bdnagent.exe
O4 - Startup: Launch Internet Explorer Browser.lnk = C:\Program Files\Internet Explorer\iexplore.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse....eX/FileXfer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup151.cab
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq...D_v4_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{17DDC148-BA6A-4201-902F-53080E4E06DE}: NameServer = 212.104.130.9 212.104.130.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{17DDC148-BA6A-4201-902F-53080E4E06DE}: NameServer = 212.104.130.9 212.104.130.65
O20 - Winlogon Notify: javacom - C:\WINDOWS\repair\javacom.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


Incident | Status | Location

Possible Virus. | No disinfected | C:\WINDOWS\repair\javacom.dll
Adware:adware/gator | No disinfected | C:\DOCUMENTS AND SETTINGS\JOHN\LOCAL SETTINGS\TEMP\bundle.inf
Spyware:spyware/dluca | No disinfected | C:\DOCUMENTS AND SETTINGS\JOHN\LOCAL SETTINGS\TEMP\delwbi.tmp
Spyware:spyware/bargainbuddy | No disinfected | C:\WINDOWS\msxct1.ini
Adware:adware/ncase | No disinfected | C:\PROGRAM FILES\180searchassistant
Adware:adware/cws | No disinfected | C:\DOCUMENTS AND SETTINGS\JOHN\FAVORITES\Going Places
Spyware:spyware/virtumonde | No disinfected | HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MSEVENTS.MSEVENTS
Spyware:spyware/istbar | No disinfected | HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ISTSVC
Possible Virus. | No disinfected | C:\Documents and Settings\John\Desktop\backups\backup-20050723-173800-204.dll
Possible Virus. | No disinfected | C:\Documents and Settings\John\Desktop\backups\backup-20050724-090353-830.dll
Adware:Adware/nCase | No disinfected | C:\Documents and Settings\John\Local Settings\Temp\180sainstallersilsais1.exe
Adware:Adware/nCase | No disinfected | C:\Documents and Settings\John\Local Settings\Temp\DelB.tmp
Spyware:Spyware/Virtumonde | No disinfected | C:\Documents and Settings\John\Local Settings\Temp\eryakgyq.exe
Adware:Adware/nCase | No disinfected | C:\Documents and Settings\John\Local Settings\Temp\resC.tmp
Spyware:Spyware/Virtumonde | No disinfected | C:\Documents and Settings\John\Local Settings\Temp\wjhhcqpa.exe
Adware:Adware/nCase | No disinfected | C:\Program Files\180searchassistant\sais.exe
Possible Virus. | No disinfected | C:\WINDOWS\repair\javacom.dll
Virus:Trj/Stealus.A | Disinfected | Local Folders\Sent Items\Fw: URGENT eBay Fraud Department Alert ID : 87743-65-x3 URGENT [~000002.@x@]
Virus:Trj/Stealus.A | Disinfected | Local Folders\Sent Items\Fw: eBay Safeharbour Faud Notice URGENT[~000002.@x@]

#10 Wizard (Retired Staff)
OK, so this is going to be a stubborn little bug!

Download the attached Zip file, it contains a Reg file to use in Safe Mode!

Reboot into SAFE MODE (tap F8 when restarting).

Open HijackThis and put a check by these:

O2 - BHO: MSEvents Object - {9068A414-3AF9-4F79-AF1C-E6EA415BAF52} - C:\WINDOWS\repair\javacom.dll

O20 - Winlogon Notify: javacom - C:\WINDOWS\repair\javacom.dll

Make sure all Windows and Browsers are closed and click "Fix Check".

Open Pocket Killbox and copy & paste each file below into it:

C:\WINDOWS\msxct1.ini
C:\WINDOWS\repair\javacom.dll
C:\WINDOWS\repair\javacom.bak1
C:\WINDOWS\repair\javacom.bak2
C:\WINDOWS\repair\javacom.ini
C:\WINDOWS\repair\javacom.ini2
C:\WINDOWS\repair\javacom.tmp
C:\WINDOWS\repair\mocavaj.dll
C:\WINDOWS\repair\mocavaj.bak1
C:\WINDOWS\repair\mocavaj.bak2
C:\WINDOWS\repair\mocavaj.ini
C:\WINDOWS\repair\mocavaj.ini2
C:\WINDOWS\repair\mocavaj.tmp
C:\DOCUMENTS AND SETTINGS\JOHN\LOCAL SETTINGS\TEMP\bundle.inf
C:\DOCUMENTS AND SETTINGS\JOHN\LOCAL SETTINGS\TEMP\delwbi.tmp
C:\Documents and Settings\John\Local Settings\Temp\180sainstallersilsais1.exe
C:\Documents and Settings\John\Local Settings\Temp\DelB.tmp
C:\Documents and Settings\John\Local Settings\Temp\eryakgyq.exe
C:\Documents and Settings\John\Local Settings\Temp\resC.tmp
C:\Documents and Settings\John\Local Settings\Temp\wjhhcqpa.exe
C:\PROGRAM FILES\180searchassistant


As you paste each in, place a tick by any of these selections available:

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Click the red circle with the white X in the middle to delete!

Now double click the Reg file I had you download and allow it to merge into the Registry!

Now locate the NOD32 Removal Tool and run it once more, allowing it to reboot the PC if prompted!

Once back in Normal Mode -> Do a manual temp file cleaning.

Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN temp, but not temp itself!):

C:\Windows\Temp\
C:\Windows\System32\Temp\
C:\Documents and Settings\Owner\Local Settings\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\

Empty your "Recycle Bin".

Open Internet Explorer,
Select Tools,
Select Internet Options,
Select Delete Cookies and Delete Files (check the box for Delete all offline content).

Go to Start,
Select All Programs,
Select Accessories,
Select System Tools,
Select and run Disk Cleanup (make sure that all boxes are checked for cleaning!!).

Post back with a fresh HijackThis log once completed!

Edited by Cretemonster, 24 July 2005 - 09:36 AM.
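
An added example (not part of either post, and not Panda or Killbox code) that cross-checks a scan report against a removal list, the step a helper performs by hand between the Panda results in #9 and the Killbox list in #10. It parses lines in the layout of the Panda ActiveScan results posted above, splits them into file paths, registry keys and other items, and reports which file detections the removal list covers, either directly or because a listed folder contains them, and which remain for a person to decide on. Both samples are constructed subsets of the lists in this thread; the column layout, the status wording and the folder-containment rule are the example's assumptions.

```python
import re

# Constructed sample in the layout of the Panda ActiveScan report posted above
# (a subset of its lines; the Status wording is kept as the report shows it).
SCAN_REPORT = r"""
Incident Status Location
Possible Virus. No disinfected C:\WINDOWS\repair\javacom.dll
Adware:adware/gator No disinfected C:\DOCUMENTS AND SETTINGS\JOHN\LOCAL SETTINGS\TEMP\bundle.inf
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\msxct1.ini
Adware:adware/ncase No disinfected C:\PROGRAM FILES\180searchassistant
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\JOHN\FAVORITES\Going Places
Spyware:spyware/virtumonde No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MSEVENTS.MSEVENTS
Spyware:spyware/istbar No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ISTSVC
Possible Virus. No disinfected C:\Documents and Settings\John\Desktop\backups\backup-20050723-173800-204.dll
Adware:Adware/nCase No disinfected C:\Program Files\180searchassistant\sais.exe
Possible Virus. No disinfected C:\WINDOWS\repair\javacom.dll
Virus:Trj/Stealus.A Disinfected Local Folders\Sent Items\Fw: eBay Safeharbour Faud Notice URGENT[~000002.@x@]
"""

# Constructed subset of the Killbox removal list from the post above.
REMOVAL_LIST = [
    r"C:\WINDOWS\msxct1.ini",
    r"C:\WINDOWS\repair\javacom.dll",
    r"C:\WINDOWS\repair\mocavaj.dll",
    r"C:\DOCUMENTS AND SETTINGS\JOHN\LOCAL SETTINGS\TEMP\bundle.inf",
    r"C:\PROGRAM FILES\180searchassistant",
]

# "<incident> <status> <location>" as the report flattens it. The non-greedy
# incident group stops at the first status keyword, which also handles the
# one incident name with a space in it ("Possible Virus.").
PANDA_LINE = re.compile(
    r"^(?P<incident>.+?) (?P<status>(?:No|Not) disinfected|Disinfected) (?P<location>.+)$")


def parse_report(text):
    """Return (incident, status, location) rows; accepts the flat layout or ' | ' separated cells."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if " | " in line:
            cells = [c.strip() for c in line.split(" | ", 2)]
            if len(cells) == 3 and cells[0] != "Incident":
                rows.append(tuple(cells))
            continue
        m = PANDA_LINE.match(line)
        if m:
            rows.append((m.group("incident"), m.group("status"), m.group("location")))
    return rows


def classify(location):
    """Registry key, file-system path, or something else (here: a mail-store item)."""
    if location.upper().startswith("HKEY_"):
        return "registry"
    if re.match(r"^[A-Za-z]:\\", location):
        return "file"
    return "other"


def _norm(path):
    return path.rstrip("\\").lower()


def is_covered(path, removal_list):
    """True if the removal list names the path itself or a folder that contains it."""
    p = _norm(path)
    for entry in removal_list:
        e = _norm(entry)
        if p == e or p.startswith(e + "\\"):
            return True
    return False


def reconcile(scan_text, removal_list):
    """Sort each distinct detection by what it would take to remove it."""
    report = {"covered": [], "uncovered_files": [], "registry": [], "other": []}
    seen = set()
    for _incident, status, location in parse_report(scan_text):
        key = location.lower()
        if key in seen:  # the report lists javacom.dll twice
            continue
        seen.add(key)
        kind = classify(location)
        if kind == "registry":
            report["registry"].append(location)  # a .reg merge, not a file delete
        elif kind == "other":
            report["other"].append((location, status))
        elif is_covered(location, removal_list):
            report["covered"].append(location)
        else:
            report["uncovered_files"].append(location)
    return report


if __name__ == "__main__":
    for bucket, items in reconcile(SCAN_REPORT, REMOVAL_LIST).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

On the constructed sample the two registry keys land in their own bucket (the attached Reg file is what addresses those), the Favorites folder and the DLL under Desktop\backups come out as uncovered, and sais.exe counts as covered because its parent folder is on the list. The backups folder sits next to HijackThis.exe on the Desktop and holds HijackThis's own copies of fixed items, so it is exactly the kind of hit a person should look at rather than delete blindly.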

#11 newks44 (Topic Starter)
Cretemonster. Contrary to my previous posting these Winfixer Pop up ads/download prompts do seem to have stopped. Do you still think that I should carry out the recommendations in your last posting?

#12 newks44 (Topic Starter)
Cretemonster. If you still think I should carry out your last set of recommendations there doesn't appear to be a download link for the Zip file that you referred to.

#13 Wizard (Retired Staff)
Sorry about that, but even if the popups have stopped, we still have to clean up the registry and remove the files that exist!

We sure don't want this coming back!

The Zip folder is attached below.

Attached File: vun.zip (451 bytes, 202 downloads)


#14 newks44 (Topic Starter)
Cretemonster. Thank you for your prompt reply once again. As I have explained before, my knowledge of computers is limited, so could you please explain in more detail how to carry out the manual temp file cleaning operation, i.e. deleting files/folders from the directories which you have listed but not the directories themselves.

I have had a Win Fixer pop-up again, so obviously I need to carry out these further instructions. I will do this as soon as I possibly can, only I am somewhat "under the weather" at the moment.

I really appreciate your help and as I said before I will be showing my appreciation in the form of a donation to the fight against Malware.

#15 Wizard (Retired Staff)
OK, how 'bout a do over?? :tazz:

Post a fresh HijackThis log and let's have a look!

Since you already have the tools we need and I am home all week, whatcha say we hook up via a messenger program and I walk you through a trial run before sending you to Safe Mode!