Winantispyware and malware


#1 skylineg1 (Member, 25 posts)
Unfortunately I am also a victim of this malware program. I am in the dark about what to do here. This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:40:53 AM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\HARDWA~1\Keyboard\Ikeymain.exe
C:\PROGRA~1\HARDWA~1\Mouse\Amoumain.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell Support\DSAgnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CARL\My Documents\My eBooks\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R3 - URLSearchHook: HyperSearchHook - {945004E1-7210-4C32-8627-F10C75F48166} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_98.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\jkhhg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\HARDWA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\HARDWA~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?dc14c637635048ddb735d9cae40d341
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?dc14c637635048ddb735d9cae40d341
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127830829093
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
O20 - Winlogon Notify: vtuts - C:\WINDOWS\SYSTEM32\vtuts.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


Please help me. Thank you in advance.

Edited by skylineg1, 13 November 2005 - 01:42 AM.



#2 Wizard (Retired Staff, 5,661 posts)
Hi skylineg1 and Welcome to GeekstoGo!

Please go to Add/Remove Programs and remove:

NewDotNet
New.Net
Hyperbar
Startnow ToolBar


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\jkhhg.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\ghhkj.*
    This will be the Vundo filename spelled backwards. For example, if the Vundo DLL was vundo.dll, you would enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    R3 - URLSearchHook: HyperSearchHook - {945004E1-7210-4C32-8627-F10C75F48166} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll

    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtuts.dll

    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\jkhhg.dll

    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

    O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll

    O20 - Winlogon Notify: vtuts - C:\WINDOWS\SYSTEM32\vtuts.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.


Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and SpySweeper's Session Log and paste them here, along with a new HijackThis log and the vundofix.txt file from the VundoFix folder, into this topic.
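The VundoFix and HijackThis steps above come down to one correlation in the log: a DLL that shows up both as an O2 BHO (loaded into Internet Explorer) and as an O20 Winlogon Notify package (loaded into winlogon.exe at boot, which is what keeps the file locked outside Safe Mode), plus a companion file whose name is the DLL name spelled backwards. The following Python script is an added example, not part of this thread and not code from VundoFix or HijackThis. It runs that check over the relevant O2, O10 and O20 lines of the log posted above (used here as constructed sample input), prints the two paths you would type into VundoFix and the lines to tick in HijackThis. The "random-looking name in system32" rule is my own heuristic and not something the thread states.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: the O2, O10 and O20 lines from the HijackThis
# log posted in this thread (only these entry types matter for this check).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\jkhhg.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
O20 - Winlogon Notify: vtuts - C:\WINDOWS\SYSTEM32\vtuts.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
O10_RE = re.compile(r"^O10 - Hijacked Internet access by (?P<who>.+)$")

# Heuristic (my assumption, not stated in the thread): Vundo-era droppers used
# short random all-lowercase DLL names written straight into system32.
RANDOM_SYSTEM32_DLL = re.compile(r"^[a-z]{4,6}\.dll$")


def parse_entries(log_text):
    """Return (bhos, notifies, lsp_hijacks) parsed from HijackThis log text."""
    bhos, notifies, lsps = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bhos.append({"name": m["name"], "clsid": m["clsid"],
                         "path": m["path"], "line": line})
        elif m := O20_RE.match(line):
            notifies.append({"key": m["key"], "path": m["path"], "line": line})
        elif m := O10_RE.match(line):
            lsps.append(m["who"])
    return bhos, notifies, lsps


def companion_glob(dll_path):
    """VundoFix's second prompt: same folder, file name spelled backwards, any extension."""
    p = PureWindowsPath(dll_path)
    return str(p.parent / (p.stem[::-1] + ".*"))


def find_vundo_candidates(log_text):
    """Correlate O20 Winlogon Notify DLLs with O2 BHO DLLs.

    A DLL registered both as a BHO and as a Winlogon Notify package is the
    pattern the VundoFix procedure targets. For each hit we return the DLL,
    the reversed-name companion glob, why it was flagged, and the exact log
    lines to tick in HijackThis.
    """
    bhos, notifies, _ = parse_entries(log_text)
    bho_by_path = {b["path"].lower(): b for b in bhos}
    candidates = []
    for n in notifies:
        key = n["path"].lower()          # HijackThis mixes SYSTEM32/system32 case
        reasons = []
        if key in bho_by_path:
            reasons.append("same DLL registered as O2 BHO %s" % bho_by_path[key]["clsid"])
        p = PureWindowsPath(n["path"])
        if str(p.parent).lower().endswith(r"\system32") and RANDOM_SYSTEM32_DLL.match(p.name):
            reasons.append("random-looking DLL name in system32 (heuristic)")
        if reasons:
            fix_lines = [n["line"]]
            if key in bho_by_path:
                fix_lines.append(bho_by_path[key]["line"])
            candidates.append({
                "dll": n["path"],
                "companion_glob": companion_glob(n["path"]),
                "reasons": reasons,
                "hijackthis_fix": fix_lines,
            })
    return candidates


def lsp_hijack_count(log_text):
    """Count O10 (Winsock LSP) hijack lines per reported vendor."""
    _, _, lsps = parse_entries(log_text)
    counts = {}
    for who in lsps:
        counts[who] = counts.get(who, 0) + 1
    return counts


if __name__ == "__main__":
    for c in find_vundo_candidates(SAMPLE_LOG):
        print("Vundo candidate:", c["dll"])
        print("  VundoFix second path:", c["companion_glob"])
        for r in c["reasons"]:
            print("  reason:", r)
        for fix in c["hijackthis_fix"]:
            print("  fix in HijackThis:", fix)
    print("O10 LSP hijacks:", lsp_hijack_count(SAMPLE_LOG))
```

Run it against a full HijackThis log by reading the file into `find_vundo_candidates`; the O10 count is reported separately because LSP entries are removed by uninstalling New.Net, not by VundoFix.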

#3 skylineg1 (Topic Starter, Member, 25 posts)
Here are the sweep results:

********
2:34 PM: | Start of Session, Sunday, November 13, 2005 |
2:34 PM: Spy Sweeper started
2:34 PM: Sweep initiated using definitions version 572
2:34 PM: Starting Memory Sweep
2:37 PM: Memory Sweep Complete, Elapsed Time: 00:02:29
2:37 PM: Starting Registry Sweep
2:37 PM: Found Adware: startnow
2:37 PM: HKCR\appid\hyperbarss3.dll\ (1 subtraces) (ID = 142358)
2:37 PM: HKCR\appid\{c4ac1481-6c39-433e-bd39-2a05fbf45ba7}\ (1 subtraces) (ID = 142362)
2:37 PM: HKCR\clsid\{2f6f5329-6b57-4d2d-b6ab-662793aeb986}\ (12 subtraces) (ID = 142368)
2:37 PM: HKCR\clsid\{39cde95f-7466-463a-81de-ca0cdd7f6687}\ (12 subtraces) (ID = 142374)
2:37 PM: HKCR\clsid\{e895f3c1-632e-4aff-8ded-3ffcb2a3d096}\ (12 subtraces) (ID = 142393)
2:37 PM: HKCR\clsid\{fb3a747d-a8ba-45fb-8196-1d442668796c}\ (12 subtraces) (ID = 142398)
2:37 PM: HKCR\hyperbar.navhelpersearchhook.1\ (3 subtraces) (ID = 142426)
2:37 PM: HKCR\hyperbar.navhelpersearchhook\ (5 subtraces) (ID = 142427)
2:37 PM: HKCR\hyperbar.navhelperservice.1\ (3 subtraces) (ID = 142428)
2:37 PM: HKCR\hyperbar.navhelperservice\ (5 subtraces) (ID = 142429)
2:37 PM: HKCR\hyperbar.navhlpshfactory.1\ (3 subtraces) (ID = 142430)
2:37 PM: HKCR\hyperbar.navhlpshfactory\ (5 subtraces) (ID = 142431)
2:37 PM: HKCR\hyperbar.propsheethandler.1\ (3 subtraces) (ID = 142435)
2:37 PM: HKCR\hyperbar.propsheethandler\ (5 subtraces) (ID = 142436)
2:37 PM: HKCR\interface\{05c3780d-3a0c-485a-b3cf-3af35061c8c1}\ (8 subtraces) (ID = 142449)
2:37 PM: HKCR\interface\{4682934d-bfce-4647-9e61-3d95bd163b6c}\ (8 subtraces) (ID = 142461)
2:37 PM: HKCR\interface\{d639d99d-2377-46b5-81a5-bd91b61c61b0}\ (8 subtraces) (ID = 142465)
2:37 PM: HKLM\software\classes\appid\hyperbarss3.dll\ (1 subtraces) (ID = 142473)
2:37 PM: HKLM\software\classes\appid\{c4ac1481-6c39-433e-bd39-2a05fbf45ba7}\ (1 subtraces) (ID = 142477)
2:37 PM: HKLM\software\classes\clsid\{2f6f5329-6b57-4d2d-b6ab-662793aeb986}\ (12 subtraces) (ID = 142482)
2:37 PM: HKLM\software\classes\clsid\{39cde95f-7466-463a-81de-ca0cdd7f6687}\ (12 subtraces) (ID = 142488)
2:37 PM: HKLM\software\classes\clsid\{e895f3c1-632e-4aff-8ded-3ffcb2a3d096}\ (12 subtraces) (ID = 142506)
2:37 PM: HKLM\software\classes\clsid\{fb3a747d-a8ba-45fb-8196-1d442668796c}\ (12 subtraces) (ID = 142511)
2:37 PM: HKLM\software\classes\hyperbar.navhelpersearchhook.1\ (3 subtraces) (ID = 142543)
2:37 PM: HKLM\software\classes\hyperbar.navhelpersearchhook\ (5 subtraces) (ID = 142544)
2:37 PM: HKLM\software\classes\hyperbar.navhelperservice.1\ (3 subtraces) (ID = 142545)
2:37 PM: HKLM\software\classes\hyperbar.navhelperservice\ (5 subtraces) (ID = 142546)
2:37 PM: HKLM\software\classes\hyperbar.navhlpshfactory.1\ (3 subtraces) (ID = 142547)
2:37 PM: HKLM\software\classes\hyperbar.navhlpshfactory\ (5 subtraces) (ID = 142548)
2:37 PM: HKLM\software\classes\hyperbar.propsheethandler.1\ (3 subtraces) (ID = 142552)
2:37 PM: HKLM\software\classes\hyperbar.propsheethandler\ (5 subtraces) (ID = 142553)
2:37 PM: HKLM\software\classes\interface\{05c3780d-3a0c-485a-b3cf-3af35061c8c1}\ (8 subtraces) (ID = 142566)
2:37 PM: HKLM\software\classes\interface\{4682934d-bfce-4647-9e61-3d95bd163b6c}\ (8 subtraces) (ID = 142578)
2:37 PM: HKLM\software\classes\interface\{d639d99d-2377-46b5-81a5-bd91b61c61b0}\ (8 subtraces) (ID = 142582)
2:37 PM: HKLM\software\classes\typelib\{c4ac1481-6c39-433e-bd39-2a05fbf45ba7}\ (9 subtraces) (ID = 142590)
2:37 PM: HKLM\software\microsoft\windows\currentversion\installer\folders\ || c:\program files\common files\hyperbar\ (ID = 142609)
2:37 PM: HKLM\software\microsoft\windows\currentversion\installer\folders\ || c:\program files\startnow\ (ID = 142610)
2:37 PM: HKLM\software\microsoft\windows\currentversion\installer\folders\ || c:\program files\startnow\navigation helper\ (ID = 142611)
2:37 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\program files\common files\hyperbar\hyperbarss3.dll (ID = 142615)
2:37 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{ede0985b-d652-4573-a89e-803cb2597247}\ (24 subtraces) (ID = 142617)
2:37 PM: HKCR\typelib\{c4ac1481-6c39-433e-bd39-2a05fbf45ba7}\ (9 subtraces) (ID = 142621)
2:37 PM: Found Adware: aksoft
2:37 PM: HKLM\software\aksoft\ (34 subtraces) (ID = 639132)
2:37 PM: Found Adware: winantispyware 2005
2:37 PM: HKLM\system\currentcontrolset\control\class\{29ae0e04-08b8-4d2f-bfbe-83fb0ec73bb7}\ (3 subtraces) (ID = 795420)
2:37 PM: HKLM\software\winfixer2005\ (1 subtraces) (ID = 813086)
2:37 PM: HKLM\software\aksoft\x-tractor\ (33 subtraces) (ID = 982635)
2:37 PM: HKU\S-1-5-21-1728590565-1182351676-3366171415-1006\software\igor v. gunko\ (ID = 142591)
2:37 PM: HKU\S-1-5-21-1728590565-1182351676-3366171415-1006\software\microsoft\installer\features\b5890ede256d37548ae908c32b952774\ (2 subtraces) (ID = 142595)
2:37 PM: HKU\S-1-5-21-1728590565-1182351676-3366171415-1006\software\microsoft\installer\products\b5890ede256d37548ae908c32b952774\ (17 subtraces) (ID = 142596)
2:37 PM: Found Adware: startnow startnow hijack
2:37 PM: HKU\S-1-5-21-1728590565-1182351676-3366171415-1006\software\microsoft\internet explorer\search\ || local page (ID = 142622)
2:37 PM: Registry Sweep Complete, Elapsed Time:00:00:14
2:37 PM: Starting Cookie Sweep
2:37 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:37 PM: Starting File Sweep
2:37 PM: c:\documents and settings\all users\application data\hyperbar (2 subtraces) (ID = -2147480230)
2:37 PM: c:\program files\common files\hyperbar (1 subtraces) (ID = -2147480228)
2:37 PM: c:\program files\startnow (1 subtraces) (ID = -2147480227)
2:37 PM: c:\documents and settings\carl\application data\hyperbar (1 subtraces) (ID = -2147480231)
2:37 PM: c:\documents and settings\localservice\application data\hyperbar (1 subtraces) (ID = -2147480231)
2:38 PM: a0001484.dll (ID = 150591)
2:48 PM: Found Adware: icondroppers
2:48 PM: 1scenicid.exe (ID = 188075)
2:48 PM: hyperbarss3.dll (ID = 76936)
2:50 PM: scenicid.exe (ID = 188075)
2:52 PM: config.xml (ID = 76932)
2:53 PM: Warning: Invalid Stream
2:53 PM: Warning: Invalid Stream
2:54 PM: File Sweep Complete, Elapsed Time: 00:17:12
2:54 PM: Full Sweep has completed. Elapsed time 00:20:00
2:54 PM: Traces Found: 409
2:55 PM: Removal process initiated
2:55 PM: Quarantining All Traces: startnow
2:55 PM: Quarantining All Traces: aksoft
2:55 PM: Quarantining All Traces: icondroppers
2:55 PM: Quarantining All Traces: startnow startnow hijack
2:55 PM: Quarantining All Traces: winantispyware 2005
2:56 PM: Removal process completed. Elapsed time 00:00:35
********
2:32 PM: | Start of Session, Sunday, November 13, 2005 |
2:32 PM: Spy Sweeper started
2:32 PM: Your spyware definitions have been updated.
2:34 PM: | End of Session, Sunday, November 13, 2005

Here's the online virus scan:
Incident Status Location

Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\CARL\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-52feedd9-66679ee4.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\CARL\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-52feedd9-66679ee4.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\CARL\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-52feedd9-66679ee4.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\CARL\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-52feedd9-66679ee4.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\CARL\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5da14268-2912983e.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\CARL\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5da14268-2912983e.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\CARL\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5da14268-2912983e.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\CARL\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5da14268-2912983e.zip[Beyond.class]
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_98.exe
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\SYSTEM32\vtuts.dll

Edited by skylineg1, 13 November 2005 - 02:54 PM.


#4 skylineg1 (Topic Starter, Member, 25 posts)
The new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:55:07 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\HARDWA~1\Keyboard\Ikeymain.exe
C:\PROGRA~1\HARDWA~1\Mouse\Amoumain.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CARL\My Documents\My eBooks\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\HARDWA~1\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\HARDWA~1\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?dc14c637635048ddb735d9cae40d341
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?dc14c637635048ddb735d9cae40d341
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127830829093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

#5 Wizard (Retired Staff, 5,661 posts)
Let's be extra sure there's nothing left over.

Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Reboot into SAFE MODE (tap F8 when restarting).
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders. Here is a link to help with that:
http://www.bleepingc...torial=62#winxp

Locate and Delete

C:\WINDOWS\NDNuninstall6_98.exe

C:\WINDOWS\SYSTEM32\vtuts.dll


From the WinPFind folder, double-click WinPFind.exe and click "Start Scan".

It will scan the entire System, so please be patient.

Once you see "Scan Complete", a log (WinPFind.txt) will be automatically generated in the WinPFind folder.


Post back with the results of the WinPFind Scan.

#6 skylineg1 (Topic Starter, Member, 25 posts)
How do I locate those two files that you want me to delete?

#7 Wizard (Retired Staff, 5,661 posts)
Click Start-> Click My Computer-> Click Local Disk(C:)-> Double Click the Windows Folder and locate the file labeled---> NDNuninstall6_98.exe<-- Right Click the file and Select Delete.

Next-> Click Start-> Click My Computer-> Click Local Disk(C:)-> Double Click the Windows Folder-> Double Click the System32 Folder and locate the file labeled---> vtuts.dll<-- Right Click the file and Select Delete.

#8 skylineg1 (Topic Starter, Member, 25 posts)
Both those files are not there. I manually looked into all files and then I did a search for them and I couldn't find them.

#9 Wizard (Retired Staff, 5,661 posts)
Let's be extra sure.

Can you post the results of the WinPFind Scan please?