
WINANTIVIRUS AGAIN ONE YEAR LATER - Duplicate Deleted...


  • This topic is locked
4 replies to this topic

#1 tannersmommy77

    Member

  • Full Member
  • 4 posts

Posted 21 April 2007 - 02:50 AM

Edit: Duplicate Topic deleted... Please stick to 1 Topic per computer... Please read the FAQ... Can you think of any reason we wouldn't need your HJT log?? A post from a year ago is not going to make much difference for the current problem...

I had the same problem last year; here is the link to my last post:
http://forums.spywar...mp;#entry376674
Can you please help me fix it again? Let me know if you want my HijackThis log, thanks!

Edited by Budfred, 21 April 2007 - 06:56 AM.


#2 tannersmommy77

    Member

  • Full Member
  • 4 posts

Posted 22 April 2007 - 11:17 PM

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:08:12 PM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\KRISTINA\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
O4 - HKLM\..\Run: [KPDrv4XP] C:\PROGRA~1\MICROI~1\INTERN~1\KPDrv4XP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com...ageUploader.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_3.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...eInstallSBC.exe
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

AND HERE IS MY VUNDO FIX LOG FILE:


VundoFix V4.2.29
Scan started at 4:59:08 PM 3/5/2006

Listing files found while scanning....

C:\WINDOWS\System32\ljjhi.dll
C:\WINDOWS\System32\ihjjl.ini
C:\WINDOWS\System32\ihjjl.bak1
C:\WINDOWS\System32\ihjjl.bak2

C:\WINDOWS\SYSTEM32\ihjjl.bak1
C:\WINDOWS\SYSTEM32\ihjjl.bak2
C:\WINDOWS\SYSTEM32\ihjjl.ini
C:\WINDOWS\SYSTEM32\ljjhi.dll
Attempting to delete C:\WINDOWS\System32\ljjhi.dll
C:\WINDOWS\System32\ljjhi.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ihjjl.ini
C:\WINDOWS\System32\ihjjl.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ihjjl.bak1
C:\WINDOWS\System32\ihjjl.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ihjjl.bak2
C:\WINDOWS\System32\ihjjl.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Scan started at 3:19:33 AM 4/21/2007

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\fweqbexo.dll
C:\WINDOWS\system32\svwxx.bak1
C:\WINDOWS\system32\svwxx.ini
C:\WINDOWS\system32\xxwvs.dll
C:\WINDOWS\SYSTEM32\yemocoke.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\fweqbexo.dll
C:\WINDOWS\SYSTEM32\fweqbexo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\svwxx.bak1
C:\WINDOWS\system32\svwxx.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\svwxx.ini
C:\WINDOWS\system32\svwxx.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxwvs.dll
C:\WINDOWS\system32\xxwvs.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\yemocoke.dll
C:\WINDOWS\SYSTEM32\yemocoke.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Scan started at 10:34:53 AM 4/21/2007

Listing files found while scanning....

C:\WINDOWS\system32\aadgh.bak1
C:\WINDOWS\system32\aadgh.ini
C:\WINDOWS\system32\hgdaa.dll
C:\WINDOWS\SYSTEM32\hxsjkywd.dll
C:\WINDOWS\SYSTEM32\weruryko.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\aadgh.bak1
C:\WINDOWS\system32\aadgh.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\aadgh.ini
C:\WINDOWS\system32\aadgh.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgdaa.dll
C:\WINDOWS\system32\hgdaa.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\hxsjkywd.dll
C:\WINDOWS\SYSTEM32\hxsjkywd.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\weruryko.dll
C:\WINDOWS\SYSTEM32\weruryko.dll Has been deleted!

Performing Repairs to the registry.
Done!

IF YOU NEED ANYTHING PLEASE LET ME KNOW, thanks

#3 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,520 posts

Posted 23 April 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#4 TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,325 posts

Posted 25 April 2007 - 05:00 AM

Hi, and Welcome Back

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.

It's no wonder you are back to remove an infection, you appear to not be running either an antivirus program, or a software firewall, and you abandoned your topic last year before it was completed, and as a result, never received those recommendations. In today's world, it's suicidal to connect a system to the Internet without running an antivirus program and a software firewall (the XP SP2 firewall isn't sufficient protection, it only checks incoming data). That is an open invitation to infection these days. All you need to do to become infected is connect to the Internet. You don't even need to open a browser or actively access the Internet to become infected.

The first thing you should do is install an antivirus program, update it, and do a complete system scan. If cost is an issue, try Avira AntiVir PersonalEdition Classic available at http://www.free-av.com, AVG Anti-Virus Free at http://free.grisoft....2/lng/us/tpl/v5, or Free avast! 4 Home Edition at http://www.avast.com...ast_4_home.html.

Another good choice for a free antivirus is Active Virus Shield.
It's based on Kaspersky AntiVirus (which is what I use myself), and it's distributed by AOL. You must however provide an email address to which AOL can send the activation code. Unfortunately, providing the address also authorises AOL and its partner companies to send you advertisements. To avoid this, have the code sent to a disposable e-mail address. It also comes bundled with an additional toolbar for Internet Explorer that shows the PC's security status and contains a password manager, but it can cause problems and should be deselected when installing the scanner.
Active Virus Shield FAQs

You should also install a software firewall. Three free firewalls are Sunbelt Kerio Personal Firewall available from http://www.sunbelt-s...e.com/Kerio.cfm, Zone Alarm from zonelabs.com http://www.zonelabs....reeDownload.jsp, or Agnitum Outpost Free at http://www.agnitum.c...tfree/index.php. There is a tutorial on understanding firewalls at http://www.bleepingc...tutorial60.html.

What did you previously run first, VundoFix, or the HijackThis log?
Please follow the instructions below in the order listed.

Open the HijackThis Folder.
Find the file HijackThis.exe, right-click on the file and select Rename.
Rename Hijackthis.exe to HJT.exe.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.lln...0_15_Silent.cab
O16 - DPF: {DE0FB644-C59B-46D1-B650-88BA945BC98F} - http://entriq.vo.lln...sal_1_0_0_3.cab


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Download ComboFix© by sUBs from one of these links:
http://download.blee...Bs/ComboFix.exe
http://www.techsuppo...Bs/ComboFix.exe
Save the file to your Desktop.
Double click combofix.exe & follow the prompts.
Don't click on the ComboFix window while it's running; that could cause it to stall.
When finished, and after reboot, it should open a log, combofix.txt.
Post that log in your next reply.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe that you downloaded to install the newest version.
Please post a new HijackThis log, the log from ComboFix (combofix.txt), and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-2010 and ASAP Member since 2005
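Two things in this thread can be checked mechanically: the VundoFix listings in post #2 (a random-named .dll sitting next to a .ini and .bak files whose basename is the same name reversed: ljjhi.dll with ihjjl.ini, xxwvs.dll with svwxx.ini, hgdaa.dll with aadgh.ini), and the HijackThis entries TheJoker asks to have fixed, which are the O16 downloaded controls that registered without a friendly name. The Python below is an added example written for this page; it is not VundoFix, HijackThis, or anything a participant posted. It assumes that the reversed-basename pairing is the marker worth flagging (not the DLL name itself), and that "(no file)" / "(file missing)" entries and unnamed O16 DPF entries are the ones a helper reviews first; a hit is a prompt for review, not a verdict. The sample log lines embedded in it are constructed from entries in this thread, plus one benign line (kernel32.dll) so the pair check has a non-match to ignore.

```python
import re

# Constructed sample in the format of the VundoFix listings posted in this thread,
# plus one benign system DLL so the pair check has a non-match to ignore.
VUNDOFIX_SAMPLE = r"""
Listing files found while scanning....

C:\WINDOWS\System32\ljjhi.dll
C:\WINDOWS\System32\ihjjl.ini
C:\WINDOWS\System32\ihjjl.bak1
C:\WINDOWS\SYSTEM32\yemocoke.dll
C:\WINDOWS\system32\kernel32.dll

Beginning removal...
"""

# Constructed sample of HijackThis lines, copied from the log in this thread (URLs as truncated there).
HJT_SAMPLE = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://entriq.vo.lln...0_15_Silent.cab
"""

# A bare Windows path line: drive letter, directories, basename and extension.
PATH_LINE = re.compile(r'^[A-Za-z]:\\.*\\([^\\]+)\.([A-Za-z0-9]+)$')
# A HijackThis entry: section code (R1, O4, O16, ...) followed by " - " and the body.
HJT_LINE = re.compile(r'^(?P<kind>[A-Z]\d+) - (?P<body>.*)$')
# A CLSID in braces followed by " (" means the control registered a friendly name.
NAMED_CLSID = re.compile(r'\{[0-9A-Fa-f-]{36}\} \(')


def vundo_pairs(listing):
    """Return [(dll, [companions])] for every .dll whose reversed basename also
    appears as a .ini or .bak* file in the listing, the layout the VundoFix logs
    in this thread show (assumption: the reversal is the marker, not the name)."""
    exts_by_stem = {}
    for line in listing.splitlines():
        m = PATH_LINE.match(line.strip())
        if m:
            stem, ext = m.group(1).lower(), m.group(2).lower()
            exts_by_stem.setdefault(stem, set()).add(ext)
    hits = []
    for stem, exts in exts_by_stem.items():
        if 'dll' not in exts:
            continue
        mirror = stem[::-1]
        companions = sorted(e for e in exts_by_stem.get(mirror, ())
                            if e == 'ini' or e.startswith('bak'))
        if companions:
            hits.append((stem + '.dll', [mirror + '.' + e for e in companions]))
    return sorted(hits)


def hjt_review_candidates(log):
    """Return (kind, reason, line) for HijackThis entries worth a second look:
    orphaned entries whose target is gone, and O16 downloaded controls (DPF)
    that registered without a friendly name. A hit is a review prompt, not a verdict."""
    flagged = []
    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m.group('kind'), m.group('body')
        reason = None
        if '(no file)' in body or '(file missing)' in body:
            reason = 'orphaned entry, target file is gone'
        elif kind == 'O16' and not NAMED_CLSID.search(body):
            reason = 'downloaded control (DPF) registered without a name'
        if reason:
            flagged.append((kind, reason, line))
    return flagged


if __name__ == '__main__':
    for dll, companions in vundo_pairs(VUNDOFIX_SAMPLE):
        print('Vundo-style pair:', dll, '<->', ', '.join(companions))
    for kind, reason, line in hjt_review_candidates(HJT_SAMPLE):
        print('[%s] %s: %s' % (kind, reason, line))
```

Run against the samples it reports ljjhi.dll paired with ihjjl.bak1 and ihjjl.ini, and flags the R3 and O9 orphans and the unnamed entriq O16 control while leaving the named WGA control and the QuickTime O4 entry alone. Feeding it a saved HijackThis or VundoFix log instead of the samples is a matter of reading the file into the same functions.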


#5 TheJoker

    Forum Deity

  • Boot Camp Mod
  • 14,325 posts

Posted 14 May 2007 - 08:47 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

