Avast WEBforum

Other => Viruses and worms => Topic started by: tryan21 on July 08, 2007, 06:01:54 PM

Title: Help... multiple viruses found!
Post by: tryan21 on July 08, 2007, 06:01:54 PM
I've got the below viruses on my computer. They're in the chest, but something is still weird with my computer. It's running really really slow and it keeps trying to sign online by itself ALL the time.
Anyhow, what do I do now? ???

Virus has been detected!
File Name: awttq.dll
FileID: 7
Virus Description: Win32:Virtumonde-BD [Adw]
C:\WINDOWS\system32

Virus has been detected!
File Name: k11u72.exe
FileID: 6
Virus Description: Win32:VB-TGS [Trj]
C:\Program Files\poolsv

Virus has been detected!
File Name: k11u72[1].exe
FileID: 5
Virus Description: Win32:VB-TGS [Trj]
C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IES\CD2JS…


Virus has been detected!
File Name: retadpu77.exe
FileID: 4
Virus Description: Win32:Agent-HKJ [Trj]
C:\WINDOWS



Title: Re: Help... multiple viruses found!
Post by: DavidR on July 08, 2007, 06:35:08 PM
Leave them in the chest; there is a special tool to deal with the Virtumonde malware.

VIRTUMONDE - Vundo Fix - Aliases - WinFixer / Virtumonde / Msevents / Trojan.vundo.
Here are the cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html (http://www.bleepingcomputer.com/forums/topic18610.html)
Download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
 
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.
 
A log will be produced which you can post in your next response.

Below is an example of a Vundo infection, though there are many different filenames.

O2 - BHO: (no name) - {EFCB1D95-FFF6-47BB-B6C9-61A523F04322} - C:\WINDOWS\system32\vturr.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll

Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 11, 2007, 04:45:55 AM
I ran the VundoFix, it found something but it couldn't be deleted so it had to do it on reboot. Although it never produced a log, I'm not sure why. I then rebooted my computer again and I started getting virus warnings like crazy, I just couldn't keep up with it! Then I tried signing online (I have dial-up) and it won't let me. I just keep getting various error messages. I'm pretty sure that has something to do with this virus. Not sure what to do considering I can't get online with that computer.
Title: Re: Help... multiple viruses found!
Post by: mauserme on July 11, 2007, 07:20:18 AM
The log will be C:\Vundofix.txt
Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 11, 2007, 07:11:05 PM
Here's the log:

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 8:50:05 AM 7/10/2007

Listing files found while scanning....

C:\windows\system32\jkkllkj.dll

Beginning removal...

 Attempting to delete C:\windows\system32\jkkllkj.dll
C:\windows\system32\jkkllkj.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

 Attempting to delete C:\windows\system32\jkkllkj.dll
C:\windows\system32\jkkllkj.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 9:17:21 AM 7/10/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 10:41:10 AM 7/10/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...
Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 13, 2007, 01:05:13 AM
 :(
Title: Re: Help... multiple viruses found!
Post by: mauserme on July 13, 2007, 05:44:15 AM
Hi tryan21,

Please download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


After posting the ComboFix log Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe

EDIT:
  Forgot to ask you to download/install the latest version of Java, which you can get here

http://filehippo.com/download_java_runtime/

When installation is complete, open Add/Remove Programs in the Control Panel and uninstall any versions of Java older than the one you just downloaded. You have an exploitable version and the update process will not remove it automatically.
Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 14, 2007, 01:47:31 AM
here's the combofix log:
"Tara & Paul" - 2007-07-13 16:19:52 - ComboFix 07-07-13.8 - Service Pack 2, v.2096  NTFS 


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\poolsv
C:\Program Files\poolsv\is67389.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe
C:\Program Files\svhost
C:\WINDOWS\poolsv.exe
C:\WINDOWS\svhost.exe


(((((((((((((((((((((((((   Files Created from 2007-06-13 to 2007-07-13  )))))))))))))))))))))))))))))))


2007-07-13 15:53   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-07-13 10:56   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\NetZero
2007-07-12 12:18   <DIR>   d--------   C:\Program Files\NetZero
2007-07-10 08:50   <DIR>   d--------   C:\VundoFix Backups
2007-07-04 09:24   126,976   --a------   C:\WINDOWS\xhelper.dll
2007-06-30 19:26   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-13 17:56:18   --------   d-----w   C:\Program Files\Connection Wizard
2007-07-04 16:13:17   --------   d-----w   C:\Program Files\mobile PhoneTools
2007-04-30 15:46:10   745,600   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28   95,872   ----a-w   C:\WINDOWS\system32\AVASTSS.scr


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08   62080   --a------   C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52706EF7-D7A2-49AD-A615-E903858CF284}]
2005-06-27 17:06   175560   --a------   C:\Program Files\NetZero\qsacc\X1IEBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2006-11-09 15:21   440056   --a------   C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-07-04 09:24   126976   --a------   C:\WINDOWS\xhelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55   2403392   -ra------   c:\program files\google\googletoolbar3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2004-08-14 04:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetZero_uoltray"="C:\Program Files\NetZero\exec.exe" [2005-06-28 12:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"untd_recovery"="C:\Program Files\NetZero\qsacc\x1exec.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-13 16:23:10
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-13 16:24:50
C:\ComboFix-quarantined-files.txt ... 2007-07-13 16:24

   --- E O F ---
Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 14, 2007, 02:08:58 AM
hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:11 PM, on 7/13/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: http://www.java.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 4832 bytes
Title: Re: Help... multiple viruses found!
Post by: Lisandro on July 14, 2007, 02:50:44 AM
I'm not an expert on HijackThis... But you can check the automatic analysis of your HijackThis log here (http://www.wikifortio.com/981336/tryan21.html).

You can find more info in the links of the last column of this table.
That info could guide you on the cleaning process.
Anyway, if you have doubts, just post here.
Also, take a careful look at the first column of the table:

1. If you don't recognize a legit program in one of the items marked as FIX IF UNKNOWN, please post it back here and maybe we can help you. Or, if you're sure it's a malware item, you can remove it as posted below.

2. If you agree with the automatic classification of the infected items marked as FIX (CHECK NOTES!), you can turn back to HijackThis program, check the box of this item and then remove it using the button 'Fix checked'.

Hope it helps.
Title: Re: Help... multiple viruses found!
Post by: DavidR on July 14, 2007, 03:07:01 AM
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

You need to update Sun Java, as the version you are running is out of date. Get the latest version; once you have done this, uninstall all older versions from Control Panel > Add/Remove Programs.
http://www.java.com/en/download/index.jsp (http://www.java.com/en/download/index.jsp)

You don't appear to have an active firewall, or it is disabled, or you are using XP's firewall; this is essential for your security. What is your firewall?

Redundant BHO entry
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)

Adware - Must be fixed! xmlhelper.dll - Parasite detected by Kaspersky, http://www.kaspersky.com/ antivirus as not-a-virus:AdWare.Win32.Agent.db
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
Title: Re: Help... multiple viruses found!
Post by: mauserme on July 14, 2007, 07:07:49 AM
There were a couple backdoor trojans there and I'll want to check a little further to make sure everything is gone.

First, open HJT again and click to Do a System Scan Only.  When the scan is finished place a check mark next to these lines

O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll

O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab


Make sure all other windows are closed, including your browser, and click Fix Checked.



Now download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\xhelper.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Next, download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install.  The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically 'C:\SDFix') Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool.  Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.  Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back on


Also, make sure to get those old versions of Java uninstalled.
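A defender-side triage of the HijackThis lines DavidR and mauserme single out in the two posts above, as an added example that is not part of the thread or of HijackThis itself: it parses O2, O4 and O16 entries into records and flags the orphaned "(no file)" BHO, a BHO loading from the Windows root rather than Program Files or system32, and an ActiveX (DPF) download from a host outside an allowlist. The sample lines are copied from the HJT log posted earlier; SYSTEM_ROOT and PROGRAM_FILES are taken from the WinPFind3u log, and TRUSTED_DPF_HOSTS and the 8.3 short-name handling are assumptions made for this example.

```python
"""Triage a HijackThis (HJT) log with simple defender-side rules.
Added example for this thread, not code from HijackThis or the forum."""
import ntpath
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

SYSTEM_ROOT = r"C:\WINDOWS"          # %SystemRoot% as reported in the WinPFind3u log
PROGRAM_FILES = r"C:\Program Files"  # %ProgramFiles% as reported in the WinPFind3u log
# Hosts from which O16 ActiveX downloads are accepted (assumption for this example).
TRUSTED_DPF_HOSTS = {"www.java.com", "www.adobe.com", "update.microsoft.com"}

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
"""


@dataclass
class Entry:
    kind: str   # "O2", "O4" or "O16"
    name: str   # BHO/control name or the [Run] value name
    key: str    # CLSID for O2/O16, registry hive path for O4
    path: str   # DLL/EXE path, "(no file)", or the download URL for O16


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?): \[(?P<name>[^\]]+)\] (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
USER_SUFFIX_RE = re.compile(r"\s+\(User '.*'\)$")  # HJT appends (User 'X') to HKUS entries


def parse_hjt(text: str) -> List[Entry]:
    """Turn O2/O4/O16 lines into Entry records; other line types are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["clsid"], m["path"]))
        elif m := O4_RE.match(line):
            path = USER_SUFFIX_RE.sub("", m["path"]).strip('"')
            entries.append(Entry("O4", m["name"], m["hive"], path))
        elif m := O16_RE.match(line):
            entries.append(Entry("O16", m["name"], m["clsid"], m["url"]))
    return entries


def _expand_short_names(path: str) -> str:
    # Simplification (assumption): only the 8.3 short name of Program Files is expanded,
    # so an entry such as C:\PROGRA~1\... is recognised as living under Program Files.
    return re.sub(r"(?i)^C:\\PROGRA~1", PROGRAM_FILES.replace("\\", r"\\"), path)


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path is inside root' test using Windows path semantics."""
    p = ntpath.normcase(_expand_short_names(path))
    return p.startswith(ntpath.normcase(root) + "\\")


def triage(entries: List[Entry]) -> List[str]:
    """Apply the rules and return one human-readable finding per suspicious entry."""
    findings: List[str] = []
    for e in entries:
        if e.kind == "O2":
            if e.path == "(no file)":
                findings.append(f"{e.key}: orphaned BHO registry entry, no DLL on disk (fix in HJT)")
            elif ntpath.normcase(ntpath.dirname(e.path)) == ntpath.normcase(SYSTEM_ROOT):
                findings.append(f"{e.key}: BHO {ntpath.basename(e.path)} loads from the Windows "
                                "root, not Program Files or system32 (review)")
        elif e.kind == "O4":
            if not (_under(e.path, PROGRAM_FILES) or _under(e.path, SYSTEM_ROOT)):
                findings.append(f"O4 [{e.name}]: autorun from unexpected location {e.path} (review)")
        elif e.kind == "O16":
            host = urlparse(e.path).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(f"{e.key}: ActiveX control '{e.name}' downloaded from "
                                f"untrusted host {host} (fix in HJT)")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

Running it on the sample prints three findings, matching the three lines mauserme asked to have fixed, while the avast! and MySpaceIM autoruns pass the location check.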
Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 15, 2007, 11:07:44 PM
Quote
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.

File/Folder C:\WINDOWS\xhelper.dll not found.
 
Created on 07/15/2007 13:14:33
Title: Re: Help... multiple viruses found!
Post by: mauserme on July 16, 2007, 12:19:21 AM
It's OK that the file was not found. When we fix an O2 line in HJT it will attempt to delete the file as well as the registry entry. The file deletion isn't always successful, so I wanted to double check that it was truly gone.

Don't forget to run SDFix when you have a chance.
Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 16, 2007, 03:20:33 AM
Quote
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

You need to update Sun Java, as the version you are running is out of date. Get the latest version; once you have done this, uninstall all older versions from Control Panel > Add/Remove Programs.
http://www.java.com/en/download/index.jsp (http://www.java.com/en/download/index.jsp)

You don't appear to have an active firewall, or it is disabled, or you are using XP's firewall; this is essential for your security. What is your firewall?

Redundant BHO entry
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)

Adware - Must be fixed! xmlhelper.dll - Parasite detected by Kaspersky, http://www.kaspersky.com/ antivirus as not-a-virus:AdWare.Win32.Agent.db
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll

I have uninstalled all old versions of java. I cannot update though because I can't get online with that computer. And the only computer that I can get online with doesn't have a CD burner, so all I'm working with is floppy. Also, about the firewall, I'm using XP's firewall and it says it's enabled.

Quote
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install.  The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically 'C:\SDFix') Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool.  Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.  Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back on

This will not work. It gets to the screen that says starting repairs then the screen goes black. I then have to restart my computer because it won't do anything. What am I doing wrong? ???
Title: Re: Help... multiple viruses found!
Post by: mauserme on July 16, 2007, 04:52:43 AM
Download LSPFix and bring it to the computer we're working on

http://cexx.org/lspfix.htm

If you can fit the uncompressed (exe) version, use that as it will run from the floppy. Otherwise use the zip file and uncompress it on the C: drive. The program is pretty straightforward - it will either tell you there were no problems found or list fixes in the Remove pane. If it does find problems, clicking the Finish button runs the fix and might restore your internet connection. Let me know if this helps.

I'm not sure why SDFix is not functioning, but boot into normal mode and see if any log was produced (c:\rapport.txt). Even if repairs were not made, there may be helpful information in the log if one was created.
Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 17, 2007, 01:02:34 AM
There is no log under c:\rapport.txt
When I ran LSPFix it said “no problems found”.
I can now get online so something I did along the way must have helped.
Now, the problem I have is that I can’t update Java. I keep getting the following error messages:

Windows Installer 
This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.

Error – Java™ Update
Unable to launch the Java™ Update installer: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.

Title: Re: Help... multiple viruses found!
Post by: mauserme on July 17, 2007, 05:48:51 AM
We'll take care of installing the new Java a little later - it probably just needs to be downloaded again.  The important thing is the exploitable version is gone now.

How is the computer acting now that it's back on the internet?

Instead of SDFix, let's take a close look at what's going on.

Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe)  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
Copy/Paste the information in your next response and I will review it. This log will be quite long and will require several posts to fit everything.
Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 17, 2007, 09:45:35 PM
WinPFind3 logfile created on: 7/17/2007 11:17:50 AM
WinPFind3U by OldTimer - Version 1.0.39   Folder = C:\Documents and Settings\Tara & Paul\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2, v.2096 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2096)
 
127.53 Mb Total Physical Memory | 56.52 Mb Available Physical Memory | 44.32% Memory free
307.45 Mb Paging File | 161.02 Mb Available in Paging File | 52.37% Paging File free
Paging file location(s): C:\pagefile.sys 192 384;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 6.00 Gb Total Space | 2.82 Gb Free Space | 47.06% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: TARA_PAUL
Current User Name: Tara & Paul
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 8:42:48 AM | Attr =    ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 9:04:38 AM | Attr =    ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 8:42:40 AM | Attr =    ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 8:41:28 AM | Attr =    ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 8:29:56 AM | Attr =    ]
exec.exe -> %ProgramFiles%\NetZero\exec.exe -> NetZero [Ver = 4, 3, 0, 0 | Size = 768000 bytes | Modified Date = 6/28/2005 12:11:48 PM | Attr =    ]
exec.exe -> %ProgramFiles%\NetZero\exec.exe -> NetZero [Ver = 4, 3, 0, 0 | Size = 768000 bytes | Modified Date = 6/28/2005 12:11:48 PM | Attr =    ]
jusched.exe -> %ProgramFiles%\Java\jre1.5.0_10\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 49263 bytes | Modified Date = 11/9/2006 3:07:30 PM | Attr =    ]
lexbces.exe -> %System32%\LEXBCES.EXE -> Lexmark International, Inc. [Ver = 8.16 | Size = 303104 bytes | Modified Date = 2/24/2003 10:52:00 PM | Attr =    ]
lexpps.exe -> %System32%\LEXPPS.EXE -> Lexmark International, Inc. [Ver = 8.16 | Size = 174592 bytes | Modified Date = 2/24/2003 10:50:00 PM | Attr =    ]
nzspc.exe -> %ProgramFiles%\NZSearch\nzspc.exe -> United Online, Inc. [Ver = 2.2.05 | Size = 311362 bytes | Modified Date = 7/10/2006 11:00:52 PM | Attr =    ]
watchdog.exe -> %ProgramFiles%\mobile PhoneTools\WatchDog.exe ->  [Ver =  | Size = 45056 bytes | Modified Date = 8/14/2004 4:42:20 AM | Attr =    ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 322048 bytes | Modified Date = 6/23/2007 3:15:54 PM | Attr =    ]
x1exec.exe -> %ProgramFiles%\NetZero\qsacc\X1Exec.exe -> NetZero, Inc. [Ver = 3.6.00 | Size = 241664 bytes | Modified Date = 6/27/2005 5:06:14 PM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 16512 bytes | Modified Date = 4/30/2007 8:29:56 AM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 132736 bytes | Modified Date = 4/30/2007 8:42:40 AM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 243328 bytes | Modified Date = 4/30/2007 9:04:38 AM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 345728 bytes | Modified Date = 4/30/2007 8:41:28 AM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2096.503.0 | Size = 224768 bytes | Modified Date = 3/11/2004 6:18:58 PM | Attr =    ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2/3/2007 8:03:56 PM | Attr =    ]
(LexBceS) LexBce Server [Win32_Own | Auto | Running] -> %System32%\LEXBCES.EXE -> Lexmark International, Inc. [Ver = 8.16 | Size = 303104 bytes | Modified Date = 2/24/2003 10:52:00 PM | Attr =    ]
Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 17, 2007, 09:46:42 PM
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 40048 bytes | Modified Date = 5/11/2007 3:06:32 AM | Attr =    ]
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 8:42:48 AM | Attr =    ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.5.0_10\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 49263 bytes | Modified Date = 11/9/2006 3:07:30 PM | Attr =    ]
WatchDog -> %ProgramFiles%\mobile PhoneTools\WatchDog.exe ->  [Ver =  | Size = 45056 bytes | Modified Date = 8/14/2004 4:42:20 AM | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
NetZero_uoltray -> %ProgramFiles%\NetZero\exec.exe -> NetZero [Ver = 4, 3, 0, 0 | Size = 768000 bytes | Modified Date = 6/28/2005 12:11:48 PM | Attr =    ]
spc_w -> %ProgramFiles%\NZSearch\nzspc.exe -> United Online, Inc. [Ver = 2.2.05 | Size = 311362 bytes | Modified Date = 7/10/2006 11:00:52 PM | Attr =    ]
< RunOnce [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ->
untd_recovery -> %ProgramFiles%\NetZero\qsacc\X1Exec.exe -> NetZero, Inc. [Ver = 3.6.00 | Size = 241664 bytes | Modified Date = 6/27/2005 5:06:14 PM | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 36 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> ÿÿÿÿ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 17, 2007, 09:48:54 PM
HKLM: Main\\Default_Search_URL -> http://my.netzero.net/s/search?r=minisearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://my.netzero.net/s/search?r=minisearch ->
HKLM: Start Page -> about:blank ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://my.netzero.net/s/search?r=minisearch ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://my.netzero.net/s/search?r=minisearch ->
HKCU: Search Page -> http://my.netzero.net/s/search?r=minisearch ->
HKCU: Start Page -> about:blank ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: URLSearchHooks\\{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} [HKLM] -> %ProgramFiles%\NZSearch\SearchEnh1.dll [URLSearchHook Class] -> United Online, Inc. [Ver = 2.2.05 | Size = 102472 bytes | Modified Date = 7/10/2006 10:59:54 PM | Attr =    ]
HKCU: ProxyEnable -> 0 ->
HKCU: ProxyOverride -> <local> ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] ->  ->
< Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
www_adobe.com [http] ->  ->
www_java.com [http] ->  ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr =    ]
{52706EF7-D7A2-49AD-A615-E903858CF284} [HKLM] -> %ProgramFiles%\NetZero\qsacc\X1IEBHO.dll [Popup-Blocker Class] -> NetZero, Inc. [Ver = 3.6.00 | Size = 175560 bytes | Modified Date = 6/27/2005 5:06:14 PM | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_10\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 440056 bytes | Modified Date = 11/9/2006 3:21:52 PM | Attr =    ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R  ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R  ]
{8E718888-423F-11D2-876E-00A0C9082467} [HKLM] -> %System32%\msdxm.ocx [&Radio] ->  [Ver =  | Size = 843802 bytes | Modified Date = 3/11/2004 4:08:16 PM | Attr =    ]
{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} [HKLM] -> %ProgramFiles%\NetZero\Toolbar.dll [ZeroBar] ->  [Ver = 2, 0, 0, 1 | Size = 292304 bytes | Modified Date = 6/27/2005 6:04:26 PM | Attr =    ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R  ]
WebBrowser\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} [HKLM] -> %ProgramFiles%\NetZero\Toolbar.dll [ZeroBar] ->  [Ver = 2, 0, 0, 1 | Size = 292304 bytes | Modified Date = 6/27/2005 6:04:26 PM | Attr =    ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.5.0_10\bin\npjpi150_10.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 75528 bytes | Modified Date = 11/9/2006 3:21:54 PM | Attr =    ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.5.0_10\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 5.0.100.3 | Size = 440056 bytes | Modified Date = 11/9/2006 3:21:52 PM | Attr =    ]
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -> %ProgramFiles%\AIM\aim.exe [ButtonText: AIM] -> America Online, Inc. [Ver = 5.9.6089 | Size = 67112 bytes | Modified Date = 8/1/2006 3:35:36 PM | Attr =    ]
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
Display All Images with Full Quality ->  -> File not found
Display Image with Full Quality ->  -> File not found
E&xport to Microsoft Excel ->  -> File not found
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 17, 2007, 09:49:47 PM
< Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
msdaipp -> Reg Data - Key not found -> File not found
vnd.ms.radio -> %System32%\msdxm.ocx ->  [Ver =  | Size = 843802 bytes | Modified Date = 3/11/2004 4:08:16 PM | Attr =    ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{406B5949-7190-4245-91A9-30A17DE16AD0} -> Snapfish Activia - CodeBase = http://photos.walmart.com/WalmartActivia.cab ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab ->
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.5.0_10 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab ->


[Files/Folders - Created Within 30 days]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Created Date = 7/13/2007 3:52:32 PM | Attr =    ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 133787648 bytes | Created Date = 1/1/1601 7:00:00 AM | Attr =  HS]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Created Date = 7/13/2007 4:22:20 PM | Attr =    ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups ->  [Folder | Created Date = 7/10/2007 8:50:04 AM | Attr =    ]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 104960 bytes | Created Date = 7/13/2007 3:53:02 PM | Attr =    ]
ERUNT -> %SystemRoot%\ERUNT ->  [Folder | Created Date = 7/15/2007 1:58:32 PM | Attr =    ]
nircmd.exe -> %SystemRoot%\nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 7/13/2007 3:53:02 PM | Attr =    ]
SxsCaPendDel -> %SystemRoot%\SxsCaPendDel ->  [Folder | Created Date = 6/30/2007 7:26:59 PM | Attr =    ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.7 | Size = 139776 bytes | Created Date = 7/13/2007 3:53:01 PM | Attr =    ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 7/13/2007 3:53:00 PM | Attr =    ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 7/13/2007 3:53:00 PM | Attr =    ]
vfind.exe -> %System32%\vfind.exe ->  [Ver =  | Size = 49152 bytes | Created Date = 7/13/2007 3:53:01 PM | Attr =    ]

[Files/Folders - Modified Within 30 days]
ComboFix -> %SystemDrive%\ComboFix ->  [Folder | Modified Date = 7/16/2007 1:54:30 PM | Attr =    ]
Documents and Settings -> %SystemDrive%\Documents and Settings ->  [Folder | Modified Date = 7/15/2007 2:16:48 PM | Attr =    ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 133787648 bytes | Modified Date = 7/17/2007 11:01:18 AM | Attr =  HS]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 7/17/2007 11:08:58 AM | Attr = R  ]
QooBox -> %SystemDrive%\QooBox ->  [Folder | Modified Date = 7/13/2007 4:22:22 PM | Attr =    ]
TEMP -> %SystemDrive%\TEMP ->  [Folder | Modified Date = 7/4/2007 9:13:18 AM | Attr =  H ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups ->  [Folder | Modified Date = 7/16/2007 1:54:14 PM | Attr =    ]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 7/15/2007 1:58:34 PM | Attr =    ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 7/17/2007 11:01:20 AM | Attr =   S]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 104960 bytes | Modified Date = 7/4/2007 7:21:06 PM | Attr =    ]
ERUNT -> %SystemRoot%\ERUNT ->  [Folder | Modified Date = 7/15/2007 1:58:34 PM | Attr =    ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 7/11/2007 10:38:40 AM | Attr =  HS]
LEXSTAT.INI -> %SystemRoot%\LEXSTAT.INI ->  [Ver =  | Size = 814 bytes | Modified Date = 7/17/2007 11:14:16 AM | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 7/17/2007 11:15:00 AM | Attr =    ]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 7/6/2007 4:02:26 PM | Attr =    ]
SHELLNEW -> %SystemRoot%\SHELLNEW ->  [Folder | Modified Date = 6/21/2007 12:46:54 PM | Attr =    ]
SxsCaPendDel -> %SystemRoot%\SxsCaPendDel ->  [Folder | Modified Date = 7/1/2007 8:30:44 AM | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 7/15/2007 1:10:20 PM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 7/10/2007 9:28:22 AM | Attr =   S]
Temp -> %SystemRoot%\Temp ->  [Folder | Modified Date = 7/17/2007 11:14:02 AM | Attr =    ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 7/17/2007 11:01:56 AM | Attr =  H ]
appmgmt -> %System32%\appmgmt ->  [Folder | Modified Date = 7/11/2007 10:38:42 AM | Attr =    ]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 7/13/2007 11:15:18 AM | Attr =    ]
CONFIG.NT -> %System32%\CONFIG.NT ->  [Ver =  | Size = 2626 bytes | Modified Date = 7/6/2007 10:25:40 AM | Attr =    ]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 7/13/2007 4:22:04 PM | Attr =    ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.7 | Size = 139776 bytes | Modified Date = 7/11/2007 4:59:06 PM | Attr =    ]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 7/17/2007 11:01:24 AM | Attr =    ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 ,  -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 745600 bytes | Modified Date = 4/30/2007 8:46:10 AM | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.7 | Size = 139776 bytes | Modified Date = 7/11/2007 4:59:06 PM | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr =    ]
WSUD , UPX0 ,  -> %System32%\dllcache\hwxjpn.dll ->  [Ver =  | Size = 13463552 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr =    ]

< End of report >
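As an added example (not part of the thread, and not the scanner's own code), the Python helper below parses rows in the format of the report above and lists the ones a forum helper would ask about: entries whose target was reported as "not found", and autostart or browser-extension rows with no publisher string. The sample rows are copied from the report; the two triage rules are the editor's heuristics, not the tool's, and a hit is a question to follow up, not a verdict.

```python
import re
# Row layout in the report above: name -> target -> company [Ver = .. | Size = .. | Attr = ..]
META_RE = re.compile(r"^(?P<company>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$")
# Sections whose rows run at logon or inside the browser; flagged rows are questions, not verdicts.
AUTOSTART = ("run", "bho", "toolbar", "extensions")

def parse_meta(text):
    """'Ver = 2.2.05 | Size = 311362 bytes' -> {'Ver': '2.2.05', 'Size': '311362 bytes'}."""
    out = {}
    for part in text.split("|"):
        key, _, value = part.partition("=")
        if key.strip():
            out[key.strip()] = value.strip()
    return out

def parse_report(text):
    """Turn report rows into dicts, remembering the '< section >' header each row sits under."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        while line.endswith("->"):  # rows and section headers carry a trailing ' ->'
            line = line[:-2].rstrip()
        if line.startswith("<") and ">" in line:
            section = line[1:line.index(">")].strip()
            continue
        if line.startswith("[") or " -> " not in line:
            continue  # '[Registry ...]' banners, forum text, blank lines
        parts = line.split(" -> ")
        tail = parts[2] if len(parts) > 2 else ""
        m = META_RE.match(tail)
        entries.append({
            "section": section, "name": parts[0].strip(), "target": parts[1].strip(),
            "company": m.group("company").strip() if m else tail.strip(),
            "meta": parse_meta(m.group("meta")) if m else {},
            "missing": "not found" in line.lower(),
        })
    return entries

def triage(entries):
    findings = []  # (rule, section, name) for rows a forum helper would ask about
    for e in entries:
        if e["missing"]:
            findings.append(("orphaned entry", e["section"], e["name"]))
        elif e["target"] and not e["company"] and any(k in e["section"].lower() for k in AUTOSTART):
            findings.append(("no publisher", e["section"], e["name"]))
    return findings

# Constructed sample: rows copied from the report above, including the dangling toolbar entry.
SAMPLE = r"""[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 997, 0 | Size = 75392 bytes | Modified Date = 4/30/2007 8:42:48 AM | Attr =    ]
WatchDog -> %ProgramFiles%\mobile PhoneTools\WatchDog.exe ->  [Ver =  | Size = 45056 bytes | Modified Date = 8/14/2004 4:42:20 AM | Attr =    ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{A8FB8EB3-183B-4598-924D-86F0E5E37085} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
"""
```

Running `triage(parse_report(SAMPLE))` flags the WatchDog row (no publisher string, though it is a legitimate mobile PhoneTools component) and the toolbar entry whose key and file are gone.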
Title: Re: Help... multiple viruses found!
Post by: mauserme on July 18, 2007, 04:52:25 AM
I don't see any other problems.  If the computer is running OK now we'll see if we can get that new Java installed.
Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 18, 2007, 06:42:07 PM
yeah, everything seems to be working fine now.  ;)
By the way, thanks for all your help!
Title: Re: Help... multiple viruses found!
Post by: mauserme on July 18, 2007, 08:00:37 PM
Quote
yeah, everything seems to be working fine now.  ;)
8)

Let's do some house cleaning now.  Double click OTMoveIt once again and click the CleanUp! button.  If your firewall prompts you that OTMoveIt wants to contact the internet, allow this.  A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process.  Click Yes. This will delete the tools we've downloaded plus itself.

Now download the current version of Java from here

http://filehippo.com/download_java_runtime/

When you get the download dialog click Run.  When the download finishes confirm that you want to run the program, if asked.  Then, when the License Agreement appears, close your browser first before finishing the installation.

How did this work?
Title: Re: Help... multiple viruses found!
Post by: tryan21 on July 19, 2007, 06:47:00 PM
Quote
Now download the current version of Java from here

http://filehippo.com/download_java_runtime/

Someone told me to download a standalone installer of Java Runtime Environment (JRE) 6u2. I did it and it seemed to have worked.
Title: Re: Help... multiple viruses found!
Post by: mauserme on July 19, 2007, 07:24:42 PM
That's fine - whichever method works is the one to use.

Now there is a little clean up we should do to finish things up.

First, double click OTMoveIt once again and click the CleanUp! button. You may get prompted by your firewall that OTMoveIt wants to contact the internet; allow this. A cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded plus itself.


I would also like to remove your old, possibly infected System Restore points and create a new, clean point.

Click Start > All Programs > Accessories > System Tools > System Restore.  Fill the radio button to Create a Restore Point and click Next.  Give the new restore point a name you will recognize if you need to find it (like Clean Point) and click Create.

Next, click Start > All Programs > Accessories > System Tools > Disk Cleanup.  Now click the More Options tab, then click Clean Up in the System Restore section and OK.


Finally, as DavidR mentioned, you should consider installing a third party firewall.  I like Comodo, but Zone Alarm, PCTools Firewall, and others are also worth a look.  Here's a link to Comodo:

http://filehippo.com/download_comodo/