WinFixer problem

Started by wahneta, November 13, 2005, 06:42:20 PM


wahneta

Greetings.  Just registered at the suggestion of another member, ripley.  I am using XP w/ Service Pack 2 and having problems with getting rid of WinFixer.
Recently uninstalled Norton Internet Security and Firewall and installed Avast, and am using the XP firewall currently.  A thorough Avast scan found and removed 2 trojans...one was Win32:ConHook.
Have scanned with updated AdAware and updated CounterSpy.  CounterSpy located WinFixer and it was removed, but it is still popping up.  Was unable to scan with Spybot...had problems with the install.  Have HJT and posted a log.  I read in your posting instructions that you want a scan with Spybot before posting, and can attempt another install if you would prefer.  But for now, can any suggestions be made from my HJT log?

Logfile of HijackThis v1.99.1
Scan saved at 10:40:14 AM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creata Mail\JMSrvr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\mllji.dll
O2 - BHO: Creata Mail - {9FEA5BDA-695A-417B-AA31-B54A06570053} - C:\Program Files\Creata Mail\AgOutlookAddIn.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creata Mail] C:\Program Files\Creata Mail\JMSrvr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Creata Mail - {855159E3-55D5-4a9b-BFC3-0813D7C8E141} - C:\Program Files\Creata Mail\AgOutlookAddIn.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O20 - Winlogon Notify: mllji - C:\WINDOWS\system32\mllji.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Syman

Die Hard

wahneta, hello and welcome :)

Let's do this:

Please go here and download Ewido Security Suite:
http://www.ewido.net/en/download/

A quick guide is found here:
http://www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf

  • Install ewido security suite
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.

  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed close the program for now.

Then.......

Please print these instructions out for use in Safe Mode or copy them to a notepad sheet and place it on your desktop

Please download VundoFix.exe to your desktop.


  • Double-click VundoFix.exe to extract the files

  • This will create a VundoFix folder on your desktop.

  • After the files are extracted, please reboot your computer into Safe Mode.  You can do this by restarting your computer and continually tapping the F8 key until a menu appears.  Use your up arrow key to highlight Safe Mode then hit enter.

  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat

  • You will first be presented with a warning.
    It should look like this:
    Quote: VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk

  • At this point press enter one time.

  • Next you will see:
    Quote: Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\system32\mllji.dll

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

  • Next you will see:
    Quote: Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\system\ijllm.*

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:


    O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\mllji.dll
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
    O20 - Winlogon Notify: mllji - C:\WINDOWS\system32\mllji.dll


  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Now run the Ewido program:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
On the first alert, a window will open prompting you to take action. Checkmark "Remove" and "Perform action on all detections".
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Navigate to your "Program Files" folder and remove "MyWay"

Then, please run this online virus scan:  TrendMicro

Copy the results of the TrendMicro scan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder and the Ewido report into this topic.

Regards

Die Hard :)

I create and edit my posts in GS-NOTES

wahneta

Die Hard,
Thank you for your quick response...but WOW...there's a lot here that looks complicated.
I will follow your instructions to the letter and get back to you.  I'm new to Windows XP, just switching from having a Mac for many years.
Just wanted to let you know this will take some time, but I'm on it!

Die Hard

wahneta :)

I can well comprehend your confusion :)
I just imagine myself at a Mac  :tease:

Just go through the steps carefully, one at a time, and I think you'll be fine.
If you're stuck somewhere, please post back and I'll try to guide you.

regards

Die Hard :)

Ripley

Hey Die Hard!
Ripley here.   :)  I'll be on the phone with Wahneta when he follows your instructions.
A few logistics questions.  When using the VundoFix we'll be in safe mode...then it automatically triggers HJT to open?  Also in safe mode?    :uhm:
I read somewhere that it is not recommended to run/fix with HJT in safe mode...but if that is the case...then we force the re-boot after the HJT fixes...we will still be in safe mode, right?
So, do we run the Ewido scan in safe mode too, or should we switch back to normal mode?
This VundoFix gig is new to me...what is it?

Corrine

Hi, Ripley.  I believe Die Hard is off for the night.  He is located "across the pond".

The VundoFix© was developed by Atribune specifically for this type of infection.  He has devoted an incredible amount of time to developing and testing it.  As to HJT in safe mode, there are times when that is done.  In safe mode, the process(es) that need to be removed is/are not running.  When the PC restarts, it will restart in normal mode for running Ewido, followed by Trend Micro.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Ripley

Hi Corrine.  Thanks for jumping in.  Boy, "across the pond" sounds like a place I'd like to be.
What type of infection would this be?

Ripley

HELP Die Hard!
Ripley here.  Was on the phone w/ Wahneta when attempting your instructions.  Ewido SS was purchased, downloaded, updated and closed.
Used the System Configuration Utility, checked Safe Boot and chose restart.  After re-booting, was asked to choose Administrator or the profile name (there is only one profile name).  Chose Administrator and a window loads which is black w/ "safe mode" listed in all 4 corners of the screen and the Windows XP Service Pack 2 version numbers...and that's it!   :x
No desktop, no start button...no options!   :gah:
Powered down and went thru the process w/ the other profile name, and got the same response.
So what did we do wrong???  And how do I get a desktop w/ safe mode?  Or even back to normal mode?  HELP!!!   :sos:

Die Hard

ripley :)

The reason for this is that it (Virtumundo) adds buggy code into Explorer, which keeps it busy trying to execute it, and CPU usage is at 100%.
Whether this is done deliberately, or is a bug in the file, is still to be determined.

Try this procedure:

When you come to the point where the black screen appears and the text "safe mode" is displayed in the corners, open the Task Manager (Ctrl+Alt+Del) and find "explorer.exe". Click on it in the list and click "Terminate". This will probably take several minutes.
Once Explorer is terminated, navigating with the mouse will be easy; however, you will have a desktop without icons.

Now, remember where you installed the "VundoFix". Open the Task Manager again, and click "File>Run" in the toolbar. Type in the file path to the VundoFix in the box and hit enter.
The default location of the VundoFix is here:
C:\Documents and Settings\YOUR USERNAME\Desktop\VundoFix\KillVundo.bat . Replace "YOUR USERNAME" with your actual one.
Then click "ok" and, if everything works as planned, you will now be able to run the VundoFix and go on with the procedure I already posted.

Since you can't navigate via Explorer during this operation, it's important that you print those instructions. Both this post and the previous one.

Regards

Die Hard :)

Ripley

Die Hard,
Ripley here.  Was on the phone w/ Wahneta, trying your last suggestion.  Before attempting, he closed his browser and all programs, and manually disconnected from his cable connection to the internet.  Then re-booted, and while tapping the F8 key, chose "safe mode" in the menu w/ the arrows.  At the black screen w/ safe mode in the corners, opened Task Manager and under Processes, there is no explorer.exe listed to choose Terminate.  There are only 11 processes listed.
Could only get back into normal mode doing a System Restore.
Once back to normal mode, open Task Manager...Processes...and he says explorer.exe was there for about a minute.  Then w/o selecting anything...he says it went away and explorer.exe was no longer in the list?????
Would love to run that VundoFix...but still unable to get a functional safe mode to do it.  Any suggestions?

Ripley

Ripley again.
One other piece of info.  After tapping the F8 key, the menu choices are 3 Safe Mode options:
Safe Mode
Safe Mode w/ command prompt
and Safe Mode w/ something else I can't remember.
We are choosing:
Safe Mode, that right?

Die Hard

Quote from: ripley on November 17, 2005, 05:16:42 PM
Ripley again.
We are choosing:
Safe Mode, that right?

Yes, that is the correct one  :thumbsup:

Quote: Once back to normal mode, open Task Manager...Processes...and he says explorer.exe was there for about a minute.  Then w/o selecting anything...he says it went away and explorer.exe was no longer in the list?????

That is strange. Explorer.exe is the Windows program that administers the desktop, among a lot of other things. It has to be running, but there might be something restraining it from being displayed  :(

Let's try this tool, created by secured2K:
VirtumondoBeGone:  http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
It will end its process with a blue screen and reboot; this is expected and normal.
It will also create a logfile on the desktop called VBG.TXT; please post it in the next reply.

Immediately after running this tool, make an online scan at TrendMicro and/or Panda Software:

Panda ActiveScan: http://www.pandasoftware.com/activescan/

Trend Micro HouseCall: http://housecall.trendmicro.com/

Regards

Die Hard :)


wahneta

Here is the VBG log file and result of Panda scan.
Also completed a Trend Micro scan and no detections were found.
What next?


[11/17/2005, 12:43:09] - Starting Process...
[11/17/2005, 12:43:09] - Looking for Browser Helper Object [MSEvents Object]
[11/17/2005, 12:43:09] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/17/2005, 12:43:09] - 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} -
[11/17/2005, 12:43:09] - WARNING: 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - BHO Name is blank.
[11/17/2005, 12:43:09] - Checking for WinLogon Notify reference. (File: C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll)
[11/17/2005, 12:43:09] - Couldn't find deSrcAs in Winlogon Notify. Ignoring {4D25F921-B9FE-4682-BF72-8AB8210D6D75}.
[11/17/2005, 12:43:09] - 3: {5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess
[11/17/2005, 12:43:09] - 4: {8DBF02DA-4360-4A7E-BEA1-347B87816327} - MSEvents Object
[11/17/2005, 12:43:09] - Found MSEvents Object!
[11/17/2005, 12:43:09] - File location: C:\WINDOWS\system32\mllji.dll
[11/17/2005, 12:43:09] - Attempting to kill C:\WINDOWS\system32\mllji.dll
[11/17/2005, 12:43:09] - Terminating Process: RUNDLL32.EXE
[11/17/2005, 12:43:09] - Terminating Process: IEXPLORE.EXE
[11/17/2005, 12:43:09] - Disabling Automatic Shell Restart
[11/17/2005, 12:43:09] - Terminating Process: EXPLORER.EXE
[11/17/2005, 12:43:10] - Suspending the NT Session Manager System Service
[11/17/2005, 12:43:10] - Terminating Windows NT Logon/Logoff Manager
[11/17/2005, 12:43:10] - Re-enabling Automatic Shell Restart
[11/17/2005, 12:43:10] - Renaming C:\WINDOWS\system32\mllji.dll -> C:\WINDOWS\system32\mllji.dll.vir
[11/17/2005, 12:43:10] - File successfully renamed!
[11/17/2005, 12:43:10] - Removing Registry references to {8DBF02DA-4360-4A7E-BEA1-347B87816327}
[11/17/2005, 12:43:10] - Adding Internet Explorer Protection (Kill ActiveX) for {8DBF02DA-4360-4A7E-BEA1-347B87816327}
[11/17/2005, 12:43:10] - Removing Winlogon Notify Entry: mllji
[11/17/2005, 12:43:10] - BHO list has been changed! Starting over...
[11/17/2005, 12:43:10] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/17/2005, 12:43:10] - 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} -
[11/17/2005, 12:43:10] - WARNING: 2: {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - BHO Name is blank.
[11/17/2005, 12:43:10] - Checking for WinLogon Notify reference. (File: C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll)
[11/17/2005, 12:43:10] - Couldn't find deSrcAs in Winlogon Notify. Ignoring {4D25F921-B9FE-4682-BF72-8AB8210D6D75}.
[11/17/2005, 12:43:10] - 3: {5CA3D70E-1895-11CF-8E15-001234567890} - DriveLetterAccess
[11/17/2005, 12:43:10] - 4: {9FEA5BDA-695A-417B-AA31-B54A06570053} - Creata Mail Helper
[11/17/2005, 12:43:10] - Finished searching for [MSEvents Object]
[11/17/2005, 12:43:10] - Finishing up...
[11/17/2005, 12:43:10] - Enabling Automatic Reboot on STOP Error.
[11/17/2005, 12:43:10] - Attempting to Restart via STOP error (Blue Screen!)


Incident                      Status            Location
Spyware:Spyware/Virtumonde    No disinfected    C:\WINDOWS\SYSTEM32\mllji.dll.vir
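The VBG log above shows the check the tool performs: enumerate the BHO (O2) entries, then look for the same DLL under Winlogon Notify (O20), and warn when a BHO has a blank name. The script below is an added example (not code from the thread, VundoFix or VirtumundoBeGone) that re-implements that correlation over HijackThis log lines and lists the entries Die Hard's fix list pointed at; the sample log lines are constructed from the log posted earlier in this thread, and the function and class names are my own.

```python
"""Correlate HijackThis O2 (BHO) and O20 (Winlogon Notify) entries.

Added example; not part of the forum thread or any tool named in it.
Heuristic, as visible in the VBG.TXT log: a BHO whose DLL is also
registered as a Winlogon Notify handler, or whose name is blank, is
flagged. Any line in the log that points at a flagged DLL is a
candidate for "Fix checked" in HijackThis.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HJT log lines from the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\mllji.dll
O20 - Winlogon Notify: mllji - C:\WINDOWS\system32\mllji.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

# HJT line formats for the two entry types we correlate.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    reasons: list = field(default_factory=list)  # why it was flagged


def parse(log_text):
    """Return (list of Bho, {lowercased dll path: winlogon notify key})."""
    bhos, notify_paths = [], {}
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            bhos.append(Bho(m["name"], m["clsid"], m["path"]))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notify_paths[m["path"].lower()] = m["key"]
    return bhos, notify_paths


def flag_suspicious(log_text):
    """Apply the VBG-style checks and return the BHOs that trip them."""
    bhos, notify_paths = parse(log_text)
    flagged = []
    for b in bhos:
        key = notify_paths.get(b.path.lower())
        if key is not None:
            # Same DLL loaded by winlogon.exe: survives killing Explorer/IE,
            # which is why the cleanup had to run from safe mode.
            b.reasons.append(f"DLL also registered as Winlogon Notify '{key}'")
        if b.name.strip().lower() in ("", "(no name)"):
            b.reasons.append("BHO name is blank")
        if b.reasons:
            flagged.append(b)
    return flagged


def fix_list(log_text):
    """Every log line referencing a flagged DLL path (case-insensitive):
    the entries one would tick in HijackThis before 'Fix checked'."""
    paths = {b.path.lower() for b in flag_suspicious(log_text)}
    return [line for line in log_text.splitlines()
            if any(p in line.lower() for p in paths)]


if __name__ == "__main__":
    for b in flag_suspicious(SAMPLE_LOG):
        print(f"{b.clsid} {b.path}: {'; '.join(b.reasons)}")
    print("Entries to fix:")
    for line in fix_list(SAMPLE_LOG):
        print("  " + line)
```

Entries such as the R1 Search Bar and ProxyServer lines in Die Hard's list are settings, not DLL references, so this path-based correlation does not catch them.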

Die Hard

wahneta, :)

I think we finally have got it.
Please post a new HijackThis log and let's see how it looks.   :thumbsup:

Die Hard :)

wahneta

Die Hard,
Here is my HJT Log.

Logfile of HijackThis v1.99.1
Scan saved at 7:41:44 AM, on 11/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creata Mail\JMSrvr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Creata Mail - {9FEA5BDA-695A-417B-AA31-B54A06570053} - C:\Program Files\Creata Mail\AgOutlookAddIn.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creata Mail] C:\Program Files\Creata Mail\JMSrvr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Creata Mail - {855159E3-55D5-4a9b-BFC3-0813D7C8E141} - C:\Program Files\Creata Mail\AgOutlookAddIn.dll (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe