winFixerproblem

Started by wahneta, November 13, 2005, 06:42:20 PM


wahneta

Die Hard,
I forgot to run the Ewido scan and just completed it.  :Win73:
Here is a copy of my Ewido log. It seems that Ewido detected Virtumundo?

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         12:50:01 PM, 11/18/2005
+ Report-Checksum:      D30CB274

+ Scan result:

   C:\Documents and Settings\D.Franklin\Cookies\d.franklin@bluemountain[2].txt -> Spyware.Cookie.Bluemountain : Cleaned with backup
   C:\Documents and Settings\D.Franklin\Cookies\d.franklin@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\D.Franklin\Cookies\d.franklin@ehg-comcast.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\D.Franklin\Cookies\d.franklin@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\WINDOWS\SYSTEM32\mllji.dll.vir -> Spyware.Virtumonde : Cleaned with backup


::Report End

Die Hard

> It seems that Ewido detected Virtumundo?

> C:\WINDOWS\SYSTEM32\mllji.dll.vir

That is the neutralized file, renamed by the Virtumundo cleaner.
You are clean now, well done  :thumbsup:

Die Hard :)
I create and edit my posts in GS-NOTES

Ripley

Die Hard,
Ripley here.
Wow...the "all clean!"  I love reading those words!  :Yahoo:
Didn't think we would get there, but thanks to you... :flame:
A few questions...in your previous post 11-14-05, w/ the VundoFix plan that we aborted cuz of the safe mode glitches, you had suggested some fixes w/ HJT.
3 fixes associated w/ MyWaySa, whatever that is, and an R1 ...Internet Settings, ProxyServer=0.
Also to navigate to Program Files and remove My Way.  We did not do those.  Should we still do those things?
Also, can you tell what CreataMail is?  It's that CreataMail\AgOutlookAddin.dll.  Is this something associated w/ Wahneta's ISP Comcast?
And the last in the list of the HJT log, an O23 entry referring to Symantec in Common Files: should we try to find this and delete it since we've uninstalled the Norton programs?
As far as staying clean, these are Wahneta's security programs:
Avast, Counterspy and Ewido Security Suite w/ paid subscriptions to both, AdAware Personal SE, and XP firewall.  I am wondering if Spybot and SpywareBlaster would be duplication or install as well?
And maybe the new firewall from AdAware?
Thanks again for your help w/ Virtumundo!   :flowers:


Corrine

I'll leave the major questions to Die Hard.  In the meantime, however, take a look at Tony Klein's "So how did I get infected in the first place?" for important tips on how to prevent future infections.  There is also a lot of helpful information in "Mitch's Good Stuff" linked from here.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Die Hard

ripley :)

It's not often a user leaves the forum with the infection intact; we won't give up until the users are all clean  :thumbsup:
It's a combination of our "business skill" and pride  :P :P

I´ll try to answer your questions to my best ability.  :exorcize:

> Also can you tell what CreataMail is?  It's that CreataMail\AgOutlookAddin.dll  Is this something associated w/ Wahneta's ISP Comcast?

I have never heard of the application before. But when browsing their homepage, I found this quote that makes me suspicious:
http://www.interactive.ag.com/ag_com.pd
> AG.com's email innovation is CreataMail, presented by BlueMountain.com — the best way to add emotion to email. CreataMail offers a host of outstanding content for expression and personalization, including eCards, stationery, animation, clip art, music, sound effects, and much more. For our partners, email opens up another level of convenience and relevance in their relationship to the customer.

It seems to be bundled with advertisements and/or adware program(s).
My suggestion is to uninstall it. If you (wahneta) still want to add smileys and emoticons to mails, I suggest you try Incredimail. It's a complete e-mail client, supplied with skins, smileys and the lot. I have used it myself for 5 years, and it's 4 years since I bought it, and it has never failed or malfunctioned. The free version displays an ad in the upper right corner of the program and adds a link to "Incredimail" in sent messages. There are no other ads nor add-ons with it.
http://www.incredimail.com/english/index.asp

> And the last in the list of HJT log, an 023 entry referring to Symantec in common files, should we try to find this and delete it since we've uninstalled the Norton programs?

Yes. Press Windows key+R, type services.msc and click OK. In the window that opens, scroll to any entry related to Symantec and double-click it; in the new window, under "Startup type", set it to "Disabled", hit the Stop button, then Apply and close. Then fix the line with HJT, navigate to the file and remove it.
Maybe this page could help you further. I'm not that familiar with Norton, except that when I lay my hands on a user's PC myself I start with uninstalling it.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606

> 3 fixes associated w/ MyWaySa, whatever that is, and an R1 ...Internet Settings, ProxyServer=0.
> Also to navigate to Program Files and remove My Way.  We did not do those.  Should we still do those things?

Yes :)
MyWay contains a toolbar displaying advertisements. Nothing wanted nor needed.
A genuine and very useful toolbar is Google's:
http://toolbar.google.com/
It also contains a popup stopper.
> Avast, Counterspy and Ewido Security Suite w/ paid subscriptions to both, AdAware Personal SE, and XP firewall.  I am wondering if Spybot and SpywareBlaster would be duplication or install as well?
> And maybe the new firewall from AdAware?

I think you have the antispyware programs you need  :thumbsup:
A firewall is almost a must. Whether it's ZoneAlarm or from any other vendor doesn't matter, I think. Though ZA is regarded to be the best.
Have you thought about a router? Considering that a software firewall only comes with a 1-2 year license, it could be both economically and effectively better to invest in one of those. The firewall built into a router is much better and the prices do not differ too much.

Regards

Die Hard :)

I create and edit my posts in GS-NOTES

wahneta

Hi Die Hard,
I uninstalled CreataMail and, with Windows+R, I disabled the Symantec service.
Ran HJT and fixed the items that you recommended.
Here is an updated log:

Logfile of HijackThis v1.99.1
Scan saved at 12:34:41 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [{D32470A1-B10C-4059-BA53-CF0486F68EBC}] RunDll32.exe C:\DOCUME~1\D0942~1.FRA\LOCALS~1\Temp\4.0.1.9-EasyShrx.Dll,_UninstallPlatform@16 C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

Die Hard

wahneta  :)

There´s nothing malicious in your log  :thumbsup:

To tidy up a little, run HiJack This and put a checkmark next to these items and have them fixed:
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\RunOnce: [{D32470A1-B10C-4059-BA53-CF0486F68EBC}] RunDll32.exe C:\DOCUME~1\D0942~1.FRA\LOCALS~1\Temp\4.0.1.9-EasyShrx.Dll,_UninstallPlatform@16 C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll


Your Java plug-in needs to be updated. Please go here and it will update automatically. When the page has loaded and the system has been scanned for your configuration, you need to click in the yellow bar beneath the IE toolbar and click Allow at the prompt to run an ActiveX object.
http://www.java.com/en/download/windows_automatic.jsp

Java is a third-party program, used by Windows to display certain content on webpages, e.g. maps with a zoom-in/zoom-out function.

There's no need for another HJT log, you're set to go  :thumbsup:

best regards

Die Hard :)
I create and edit my posts in GS-NOTES
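As an added example (not code from this thread or from HijackThis), here is a small Python parser for the O4 and O23 line formats in the log above, applying the kind of checks a helper does by eye: a service whose image is marked "(file missing)", and a Run/RunOnce command launched from a Temp directory. The sample lines are copied from the posted log and the review rules are this example's own assumptions.

```python
import re

# Entry lines copied from the HijackThis 1.99.1 log posted above, used as a constructed
# sample; the review rules below are this example's own heuristics, not HijackThis's.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\RunOnce: [{D32470A1-B10C-4059-BA53-CF0486F68EBC}] RunDll32.exe C:\\DOCUME~1\\D0942~1.FRA\\LOCALS~1\\Temp\\4.0.1.9-EasyShrx.Dll,_UninstallPlatform@16 C:\\Documents and Settings\\All Users\\Application Data\\Kodak\\EasyShareSetup
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\\Program Files\\ewido\\security suite\\ewidoguard.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_entry(line):
    """Split one HJT line into its section code (O4, O23, ...) and that section's fields."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    entry = {"kind": kind, "raw": line.strip()}
    if kind == "O4" and (m4 := O4_RE.match(body)):
        entry.update(m4.groupdict())  # hive, [name], command line
    elif kind == "O23" and body.startswith("Service: "):
        # layout is "Service: <display name> - <owner> - <image path>"
        fields = body[len("Service: "):].split(" - ", 2) + ["", ""]
        entry.update(display=fields[0], owner=fields[1], path=fields[2])
    return entry

def review(entry):
    """Reasons an entry deserves a second look; an empty list means nothing to note."""
    notes = []
    if entry["kind"] == "O23" and "(file missing)" in entry.get("path", ""):
        notes.append("service registered for a binary that no longer exists")
    if entry["kind"] == "O4" and "\\temp\\" in entry.get("cmd", "").lower():
        notes.append("autorun command points into a Temp directory")
    if entry["kind"] == "O4" and "runonce" in entry.get("hive", "").lower():
        notes.append("RunOnce entry: executes once at next logon")
    return notes

def review_log(text):
    """Map each flagged entry's raw line to its notes; unflagged entries are left out."""
    flagged = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and (notes := review(entry)):
            flagged[entry["raw"]] = notes
    return flagged
```

Running review_log(SAMPLE_LOG) flags only the stale avast! Mail Scanner service and the Kodak RunOnce line, which matches the two lines Die Hard asked to have fixed; the clean avast! and ewido entries produce no notes.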