Greetings. Just registered as a suggestion of another member ripley. I am using XP w/ Service Pack2 and having problems with getting rid of Winfixer.
Recently uninstalled Norton Internet Security and Firewall and installed Avast and am using XP firewall currently. Thorough Avast scan found and removed 2 trojans...one was Win32:ConHook.
Have scanned with updated AdAware and updated Counterspy. Counterspy located Winfixer and was removed, but it is still popping up. Was unable to scan with Spybot...had problems with the install. Have HJT and posted a log. I read in your posting instructions you are wanting a scan with Spybot before posting, and can attempt another install if you would prefer. But for now, can any suggestions be made from my HJT log?
Logfile of HijackThis v1.99.1
Scan saved at 10:40:14 AM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creata Mail\JMSrvr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\mllji.dll
O2 - BHO: Creata Mail - {9FEA5BDA-695A-417B-AA31-B54A06570053} - C:\Program Files\Creata Mail\AgOutlookAddIn.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creata Mail] C:\Program Files\Creata Mail\JMSrvr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Creata Mail - {855159E3-55D5-4a9b-BFC3-0813D7C8E141} - C:\Program Files\Creata Mail\AgOutlookAddIn.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O20 - Winlogon Notify: mllji - C:\WINDOWS\system32\mllji.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Syman
wahneta , hello and welcome :)
Let´s do this:
Please go here and download Ewido Security Suit:
http://www.ewido.net/en/download/
A quick guide is found here:
http://www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf- Install ewido security suite
- Launch ewido, there should be an icon on your desktop double-click it.
- The program will now go to the main screen
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update
- Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)
Once the updates are installed close the program for now.Then.......
Please print these instructions out for use in Safe Mode or copy them to a notepad sheet and place it on your desktop
Please download
VundoFix.exe (http://www.atribune.org/downloads/VundoFix.exe) to your desktop.
- Double-click VundoFix.exe to extract the files
- This will create a VundoFix folder on your desktop.
- After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
- Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
- You will first be presented with a warning .
it should look like this
QuoteVundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
- At this point press enter one time.
- Next you will see:
QuoteType in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
- At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\mllji.dll
- Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
- Next you will see:
QuotePlease type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
- At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\system\ijllm.*
- Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
- The fix will run then HijackThis will open.
- In HijackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\mllji.dll
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O20 - Winlogon Notify: mllji - C:\WINDOWS\system32\mllji.dll
- After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
- Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
- Once your machine reboots please continue with the instructions below.
Now run the Ewido program:
- Click on scanner
- Click on Complete System Scan and the scan will begin.
On the first alert, a window will open prompting you to take action. Checkmark "Remove" and "Perform action on all detections".
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop.
Now close ewido security suite.
Navigate to your "Program Files" folder and remove "MyWay"
Then, please run this online virus scan:
TrendMicro (http://housecall.trendmicro.com/)
Copy the results of the
TrendMicro scan and paste them here along with a new
HijackThis log and the
vundofix.txt file from the vundofix folder and the Ewido report into this topic.
Regards
Die Hard :)
Die Hard,
Thank you for your quick response...but WOW...there's alot here that looks complicated.
I will follow your instructions to the letter and get back to you. I'm new to Windows XP, just switching from having a Mac for many years.
Just wanted to let you know this will take some time, but I'm on it!
wahneta :)
I can well comprehend your confusion :)
I just imagine myself at a Mac :tease:
Just go through the steps carefully, one at a time and I think you´ll be fine.
I you´re stuck somewhere, please post back and I´ll try to guide you.
regards
Die Hard :)
Hey Die Hard!
Ripley here. :) I'll be on the phone with Wahneta when he follows your instructions.
Few logistics questions. When using the VundoFix we'll be in safe mode...then it automatically triggers HTJ to open? Also in safe mode? :uhm:
I read somewhere that it is not recommended to run/fix with HJT in safe mode...but if that is the case...then we force the re-boot after the HJT fixes...we will still be in safe mode, right?
So, do we run the Ewido scan in safe mode too or should we switch back in normal mode?
This VundoFix gig is new to me...what is it?
Hi, Ripley. I believe Die Hard is off for the night. He is located "across the pond".
The VundoFix© was developed by Atribune specifically for this type of infection. He has devoted an incredible amount of time developing and testing it. As to HJT in safe mode, there are times when that is done. In safe mode, the process(es) that need to be removed is/are not running. When you the PC restarts, it will restart in normal mode for running Ewido, followed by Trend Micro.
Hi Corrine. Thanks for jumping in. Boy, "across the pond" sounds like a place I'd like to be.
What type of injection would this be?
HELP Die Hard!
Ripley here. Was on the phone w/ Wahneta when attempting your instructions. Ewido SS was purchased, dowloaded, updated and closed.
Used the System Configuration Utility and checked Safe Boot and choose re-start. After re-booting, was asked to choose Administrator or Profile name (there is only one profile name). Choose Administrator and a window loads which is black w/ "safe mode" listed in all 4 corners of screen and Windows XP Service Pack 2 version numbers...and that's it! :x
No desktop, no start button...no options! :gah:
Powered down and went thru the process w/ the other profile name and same response.
So what did we do wrong??? And how do I get a desktop w/ safe mode? Or even back to normal mode? HELP!!! :sos:
ripley :)
The reason for this is , it (Virtumundo) adds buggy codes into Explorer that occupies it trying to execute them and the CPU usage is at 100%.
Wether this is deliberately done, or a bug in the file,is still to be determined.
Try this procedure:
When you come to the point where the black screen appears and the text "safe mode" is displayed in the corners,open the taskmanager (Ctrl+Alt+Del) and find "explorer.exe" . Click on it in the list and click "Terminate". This will probably take several minutes.
Once Explorer is terminated, navigating with the mouse will be easy, however you will have a desktop without icons.
Now, remember where you installed the "VundoFix" . Open the taskmanager again, and click "File>Run" in the toolbar. Type in the filepath to the VundoFix in the scrollbar and hit enter.
The default location of the VundoFix is here :
C:\Documents and Settings\YOUR USERNAME\Desktop\VundoFix\KillVundo.bat . Replace "your username" with your actual one.
Then click "ok" and if everything work as planned, you will now be able to run the VundoFix and go on with the procedure I already posted.
Since you during this operation cant navigate via Explorer, its important that you print those instructions. Both this post and the prevoius.
Regards
Die Hard :)
Die Hard,
Ripley here. Was on the phone w/ Wahneta, trying your last suggestion. Before attempting, he closed his browser, all programs, and manually disconnected from his cable connection to the internet. Then re-booted, and while tapping the F8 key, choose "safe mode" in the menu w/ the arrows. At the black screen w/ safe mode in the corners, opened Task Manager and under Processes, there is no explorer.exe listed to choose Terminate. There are only 11 proceeses listed.
Could only get back into normal mode doing a System Restore.
Once back to normal mode, open Task Manager...Processes...and he says explorer.exe was there for about a minute. Then w/o selecting anything...he says it went away and explorer.exe was no longer in the list?????
Would love to run that VundoFix...but still unable to get a functional safe mode to do it. Any suggestions?
Ripley again.
One other piece of info. After tapping f8 key in the menu choices are 3 Safe mode options.
Safe Mode
Safe Mode w/ command prompt
and Safe Mode w/ something else I can't remember.
We are choosing:
Safe Mode, that right?
Quote from: ripley on November 17, 2005, 05:16:42 PM
Ripley again.
We are choosing:
Safe Mode, that right?
Yes, that is the correct one :thumbsup:
QuoteOnce back to normal mode, open Task Manager...Processes...and he says explorer.exe was there for about a minute. Then w/o selecting anything...he says it went away and explorer.exe was no longer in the list?????
That is strange, Explorer.exe is the Windows program that administrate the desktop, among a lot of other things.It has to be running, but it might be something restraining it from being displayed :(
Let´s try this tool, created by
secured2K:
VirtumondoBeGone: http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
It will end it´s process with a blue screen and reboot, this is expected and normal.
It will also create a logfile on the desktop called
VBG.TXT , please post it in the next reply.
Immediately after running this tool, make an online scan at TrendMicro and/or Panda Software:
Panda ActiveScan http://www.pandasoftware.com/activescan/[/color]
Trend Micro HouseCall [/color] http://housecall.trendmicro.com/
Regards
Die Hard :)
Here is the VBG log file and result of Panda scan.
Also completed a Trend Micro scan and no detections were found.
What next?
[11/17/2005, 12:43:09] - Starting Process...
[11/17/2005, 12:43:09] - Looking for Browser Helper Object [MSEvents Object]
[11/17/2005, 12:43:09] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/17/2005, 12:43:09] - 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} -
[11/17/2005, 12:43:09] - WARNING: 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - BHO Name is blank.
[11/17/2005, 12:43:09] - Checking for WinLogon Notify reference. (File: C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll)
[11/17/2005, 12:43:09] - Couldn't find deSrcAs in Winlogon Notify. Ignoring {4D25F921-B9FE-4682-BF72-8AB8210D6D75}.
[11/17/2005, 12:43:09] - 3: {5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess
[11/17/2005, 12:43:09] - 4: {8DBF02DA-4360-4A7E-BEA1-347B87816327} - MSEvents Object
[11/17/2005, 12:43:09] - Found MSEvents Object!
[11/17/2005, 12:43:09] - File location: C:\WINDOWS\system32\mllji.dll
[11/17/2005, 12:43:09] - Attempting to kill C:\WINDOWS\system32\mllji.dll
[11/17/2005, 12:43:09] - Terminating Process: RUNDLL32.EXE
[11/17/2005, 12:43:09] - Terminating Process: IEXPLORE.EXE
[11/17/2005, 12:43:09] - Disabling Automatic Shell Restart
[11/17/2005, 12:43:09] - Terminating Process: EXPLORER.EXE
[11/17/2005, 12:43:10] - Suspending the NT Session Manager System Service
[11/17/2005, 12:43:10] - Terminating Windows NT Logon/Logoff Manager
[11/17/2005, 12:43:10] - Re-enabling Automatic Shell Restart
[11/17/2005, 12:43:10] - Renaming C:\WINDOWS\system32\mllji.dll -> C:\WINDOWS\system32\mllji.dll.vir
[11/17/2005, 12:43:10] - File successfully renamed!
[11/17/2005, 12:43:10] - Removing Registry references to {8DBF02DA-4360-4A7E-BEA1-347B87816327}
[11/17/2005, 12:43:10] - Adding Internet Explorer Protection (Kill ActiveX) for {8DBF02DA-4360-4A7E-BEA1-347B87816327}
[11/17/2005, 12:43:10] - Removing Winlogon Notify Entry: mllji
[11/17/2005, 12:43:10] - BHO list has been changed! Starting over...
[11/17/2005, 12:43:10] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/17/2005, 12:43:10] - 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} -
[11/17/2005, 12:43:10] - WARNING: 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - BHO Name is blank.
[11/17/2005, 12:43:10] - Checking for WinLogon Notify reference. (File: C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll)
[11/17/2005, 12:43:10] - Couldn't find deSrcAs in Winlogon Notify. Ignoring {4D25F921-B9FE-4682-BF72-8AB8210D6D75}.
[11/17/2005, 12:43:10] - 3: {5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess
[11/17/2005, 12:43:10] - 4: {9FEA5BDA-695A-417B-AA31-B54A06570053} - Creata Mail Helper
[11/17/2005, 12:43:10] - Finished searching for [MSEvents Object]
[11/17/2005, 12:43:10] - Finishing up...
[11/17/2005, 12:43:10] - Enabling Automatic Reboot on STOP Error.
[11/17/2005, 12:43:10] - Attempting to Restart via STOP error (Blue Screen!)
Incident Status Location
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\mllji.dll.vir
wahneta, :)
I think we finally have got it.
Please post a new HiJack This log and lets see how it looks. :thumbsup:
Die Hard :)
Die Hard,
Here is my HJT Log.
Logfile of HijackThis v1.99.1
Scan saved at 7:41:44 AM, on 11/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creata Mail\JMSrvr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Creata Mail - {9FEA5BDA-695A-417B-AA31-B54A06570053} - C:\Program Files\Creata Mail\AgOutlookAddIn.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creata Mail] C:\Program Files\Creata Mail\JMSrvr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Creata Mail - {855159E3-55D5-4a9b-BFC3-0813D7C8E141} - C:\Program Files\Creata Mail\AgOutlookAddIn.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Die Hard,
I forgot to run the Ewido scan and just completed it. :Win73:
Here is a copy of my Ewido log. It seems that Ewido detected Virtumundo?
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 12:50:01 PM, 11/18/2005
+ Report-Checksum: D30CB274
+ Scan result:
C:\Documents and Settings\D.Franklin\Cookies\d.franklin@bluemountain[2].txt -> Spyware.Cookie.Bluemountain : Cleaned with backup
C:\Documents and Settings\D.Franklin\Cookies\d.franklin@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\D.Franklin\Cookies\d.franklin@ehg-comcast.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\D.Franklin\Cookies\d.franklin@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\WINDOWS\SYSTEM32\mllji.dll.vir -> Spyware.Virtumonde : Cleaned with backup
::Report End
QuoteIt seems that Ewido detected Virtumundo?
QuoteC:\WINDOWS\SYSTEM32\mllji.dll.vir
That is the neutralized file, renamed by the Vitrumundo cleaner.
You are clean now , well done :thumbsup:
Die Hard :)
Die Hard,
Ripley here.
Wow...the "all clean!" I love reading those words! :Yahoo:
Didn't think we would get there, but thanks to you... :flame:
A few questions...in your previous post 11-14-05, w/ the VundoFix plan that we aborted cuz of the safe mode clitches, you had suggested some fixes w/ HJT.
3 fixes associated w/ MyWaySa, whatever that is, and an R1 ...Internet Settings, ProxyServer=0.
Also to navigate to Program Files and remove My Way. We did not do those. Should we still do those things?
Also can you tell what CreataMail is? It's that CreataMail\AgOutlookAddin.dll Is this something associated w/ Wahneta's ISP Comcast?
And the last in the list of HJT log, an 023 entry referring to Symantec in common files, should we try to find this and delete it since we've uninstalled the Norton programs?
As far as staying clean, these are Wahneta's security programs:
Avast, Counterspy and Ewido Security Suite w/ paid subscriptions to both, AdAware Personal SE, and XP firewall. I am wondering if Spybot and SpywareBlaster would be duplication or install as well?
And maybe the new firewall from AdAware?
Thanks again for your help w/ Virtumundo! :flowers:
I'll leave the major questions to Die Hard. In the meantime, however, take a look at Tony Klein's "So how did I get infected in the first place?" (http://www.landzdown.com/index.php/topic,2783.0.html) for important tips on how to prevent future infections. There is also a lot of helpful information in "Mitch's Good Stuff" linked from here (http://www.landzdown.com/index.php/topic,192.0.html).
ripley :)
It´s not often a user leave the forum with the infection intact, we wont give up until the users are all clean :thumbsup:
It´s a combination of our "buissiness skill " and pride :P :P
I´ll try to answer your questions to my best ability. :exorcize:
QuoteAlso can you tell what CreataMail is? It's that CreataMail\AgOutlookAddin.dll Is this something associated w/ Wahneta's ISP Comcast?
I have never heard of the application before. But when browsing their homepage, I found this quote that makes me suspicious:
http://www.interactive.ag.com/ag_com.pd
QuoteAG.com's email innovation is CreataMail, presented by BlueMountain.com — the best way to add emotion to email. CreataMail offers a host of outstanding content for expression and personalization, including eCards, stationery, animation, clip art, music, sound effects, and much more. For our partners, email opens up another level of convenience and relevance in their relationship to the customer.
It seems to be bundled with advertisments and/or adware program(s)
My suggestion is to uninstall it. If you (wahneta) still wants to add smileys and emoticons to mails, I suggest you try [/b]Incredimail[/b]. It´s a complete e-mail client, supplied with skins, smileys and the lot.I have used it myself for 5 years,and it´s 4 years since I bought it, and it has never failed or malfunctioned. The free version displays an add in the upper right corner of the program and adds a link to "Incredimail" in sent messages. There are no other ads nor add-ons with it.
http://www.incredimail.com/english/index.asp
QuoteAnd the last in the list of HJT log, an 023 entry referring to Symantec in common files, should we try to find this and delete it since we've uninstalled the Norton programs?
Yes, click (Windowskey+R) and type
services.msc>ok and in the window that opens scroll to any entry related to Symantec and doubleclick and in the new window under "Startup type" set it to "Disabled" and hit toe "stop-button, Apply and close. Then fix the line with HJT and navigate to the file and remove it.
Maybe this page could help you further, I´m not that familliar with Norton, exept when I lay my hands on one user PC myself I start with uninstalling it.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606
Quote3 fixes associated w/ MyWaySa, whatever that is, and an R1 ...Internet Settings, ProxyServer=0.
Also to navigate to Program Files and remove My Way. We did not do those. Should we still do those things?
Yes :)
MyWay contains a toolbar, displaying advertisments.Nothing wanted nor needed.
A genuine toolbar,very useful is Google:
http://toolbar.google.com/
It also contains a popup stopper.
QuoteAvast, Counterspy and Ewido Security Suite w/ paid subscriptions to both, AdAware Personal SE, and XP firewall. I am wondering if Spybot and SpywareBlaster would be duplication or install as well?
And maybe the new firewall from AdAware?
I think you have the Antispyware programs you need :thumbsup:
A firewall is almost a must. Wether it´s ZoneAlarm or from any other vendor I think is egal. Though ZA is regarded to be the best.
Have you thought about a router? Concidering that a software firewall only comes with a 1-2 year license it could be both economicly and effectively better to invest in one of those. The firewall built-in in a ruoter is much better and the price do not differ too much.
Regards
Die Hard :)
Hi Die Hard,
I uninstalled Creata Mail and with the windows + R, I disabled the symantic file.
Ran HJT and fixed the items that you recommended.
Here is an updated log:
Logfile of HijackThis v1.99.1
Scan saved at 12:34:41 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [{D32470A1-B10C-4059-BA53-CF0486F68EBC}] RunDll32.exe C:\DOCUME~1\D0942~1.FRA\LOCALS~1\Temp\4.0.1.9-EasyShrx.Dll,_UninstallPlatform@16 C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
wahneta :)
There´s nothing malicious in your log :thumbsup:
To tidy up a little, run HiJack This and put a checkmark next to these items and have them fixed:
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\RunOnce: [{D32470A1-B10C-4059-BA53-CF0486F68EBC}] RunDll32.exe C:\DOCUME~1\D0942~1.FRA\LOCALS~1\Temp\4.0.1.9-EasyShrx.Dll,_UninstallPlatform@16 C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
Your Java plug-in needs to be updated. Please go here and it will update automaticly. When the page has loaded and the system has been scanned for your configurations, you need to click in the yellow bar beneath the IE toolbar and click allow at the prompt to run an ActiveX object.
http://www.java.com/en/download/windows_automatic.jsp
Java is a third party program, used by Windows to display certain contents on webpages, i.e maps with zoom-in/zoom-out function.
There´s no need for another HJT log, your set to go :thumbsup:
best regards
Die Hard :)