Author Topic: Can anyone help ?  (Read 13464 times)


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Can anyone help ?
« Reply #15 on: January 31, 2008, 10:04:08 PM »
Sheessh, fellas, embarrass the poor kid, why don't you?  :-[
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline TFL

  • Newbie
  • *
  • Posts: 14
Re: Can anyone help ?
« Reply #16 on: February 01, 2008, 10:59:23 AM »
 :o

The one who goes to porn site is another user who shares the account with me.....I think.
Don't misapprehend it guys.  8)

I have removed the cookies and ran the Norton removal already; it seems that the computer runs a little bit faster.

The HijackThis report is attached.

What is vundo?
(I am really a poor guy in computer.......)

Offline philly12

  • Full Member
  • ***
  • Posts: 156
  • Boring federal gov worker (slave)
Re: Can anyone help ?
« Reply #17 on: February 01, 2008, 02:28:05 PM »
The last HJT report was AFTER the scans and Norton removal, correct?  The reason I ask is because you still have all the adware running in the report and the leftovers of Norton Antivirus.  I would have expected SUPERAntiSpyware to do better than that.  If it is not a new HJT report, please post a new one (make sure to overwrite the old report when saving the report, or name it something different and upload it).

Vundo is an especially nasty type of adware that is very common.  The good news: it's very common, so many programs can remove it.  The bad news: it's famous for a reason, because it's constantly evolving and infecting many computers.

Offline TFL

  • Newbie
  • *
  • Posts: 14
Re: Can anyone help ?
« Reply #18 on: February 01, 2008, 02:33:57 PM »
This is the newest one, but I have only deleted the cookies found; the Vundo variant and MyWebSearch are not yet deleted.....

Or I have just scanned a new one; let's see if it is different. Maybe I have uploaded a wrong one.
« Last Edit: February 01, 2008, 02:44:29 PM by TFL »

Offline philly12

  • Full Member
  • ***
  • Posts: 156
  • Boring federal gov worker (slave)
Re: Can anyone help ?
« Reply #19 on: February 01, 2008, 04:06:56 PM »
Well that is the updated log.  The good news, Norton is gone.  The bad news, all the adware is still there (although it may not be activated if Superantispyware has them quarantined).  You still have the mywebsearch and vundo IN the quarantine correct?

I wish an avast admin would help...wonder what is keeping them.  You will probably need to fix the following in HJT, but wait until an Alwil admin confirms it:
Please, no one click on the following links; you may get adware, you have been warned.  TFL, I have added a space between the http:// and the URL to make the links unclickable.  The actual file has them connected, but this creates a clickable link.

O8 - Extra context menu item: &Search - http:// edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm409EAHK

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager控制元件) - http:// dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab

O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)

The next couple are possible nasties, but some (or maybe all) are probably not.  Please wait for an Alwil admin to verify whether they are safe or not:

O16 - DPF: HKJC Applet - https:// bet.hongkongjockeyclub.com/ib/ch/HKJC.cab

O16 - DPF: {1FFE232A-BBBF-4234-A040-10C0DBEF1EF4} (ClientX Control) - http:// cop.dusee.cn/p2ptest/clientx12500.cab

O16 - DPF: {2C45DF72-E2DF-41E4-B244-A98694F8FE94} (Project1.CopyMemory) - http:// secchist.moderneducation.com.hk/edu_platform/cab/CopyMem.CAB

O16 - DPF: {8A4943CC-1950-44F9-9045-D3D428FD3948} (SecureX Class) - http:// txn02.hkjc.com/BetSlip/object/eWinCtl.cab

O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http:// w ww.gogobox.com.tw/neo.fld/GNowStarter.cab


I'm just curious, did you run a-squared (the normal program or the anti-dialer) at all?  If you didn't, that is fine, but if you did I am wondering if it found anything.  And just because the HJT entries of websearch and vundo are still there, they are probably not active if SUPERAntiSpyware has them in quarantine.  Keep them in quarantine for now.  I will private message an avast admin that has helped me remove my vundo infection in the past.  Please wait for confirmation (and remember I'm doing this in my free time and I am no expert, but I'm still trying to help).

BTW, I noticed that you're Chinese (from the speech-to-text software).  I know it's early, but happy new year (my gf is Chinese).  You may also want to watch what you download from BitComet.  That might have also caused this in the first place, in addition to porn sites.  I'm not trying to embarrass you.  I'm just trying to prevent future infections.

« Last Edit: February 01, 2008, 04:44:55 PM by philly12 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: Can anyone help ?
« Reply #20 on: February 01, 2008, 05:30:08 PM »
Hi there, let's see what I can do. From the log I will need to use this programme:

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Offline TFL

  • Newbie
  • *
  • Posts: 14
Re: Can anyone help ?
« Reply #21 on: February 02, 2008, 11:34:41 AM »
Seems that it is useless to explain......forget about it then. I have heard before that there are some programs which can ban the porn sites.....can anyone suggest some (no matter whether it is free or not)? Just for prevention.

For a-squared, I have run it after your suggestion. And there is a long list in quarantine, including some values, keys and also files. But it seems that I can't make a log for it......and the list is so long that I can't use screen capture.....

I have already run ComboFix and HJT. The two logs are attached.

Thanks to everyone......I feel immense gratitude to everyone, especially to philly, who paid the most attention to this and gave a lot of opinions.....

Actually I am from HK.....I wonder how you found my nationality from my words.......Is it really a big difference, or just because my English is very weak?
« Last Edit: February 02, 2008, 11:57:57 AM by TFL »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Can anyone help ?
« Reply #22 on: February 02, 2008, 11:56:38 AM »
You still need to kill the Vundo entry.

You can do so by following the instructions beginning:

Quote
Please print these instructions out for use in Safe Mode.

and ending:

Quote
Press enter to exit the program then manually reboot your computer.

Here:

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t35849.html

The HijackThis! entry you will need to fix is this one:

O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: Can anyone help ?
« Reply #23 on: February 02, 2008, 12:59:52 PM »
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\Documents and Settings\Boy\com_securenetasia_p11wrapper2.dll
C:\WINDOWS\system32\jkhfg.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhfg]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
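As an added example (not code from this thread, from HijackThis or from ComboFix), the following Python script parses O16/O20 lines of the kind philly12 listed above, defangs the URLs the way he did, flags Winlogon Notify entries that are not stock Windows XP entries or whose file is missing, and drafts the File::/Registry:: sections of a CFScript in the shape essexboy posted. The sample log lines, the baseline set of XP Notify names and all function names are assumptions made here; as in the thread, a draft like this is reviewed by a person before anything is run.

```python
import re

# Constructed sample, modelled on the HijackThis lines quoted in this thread.
# The O20 crypt32chain line is a stock Windows XP entry, added here as a benign baseline.
SAMPLE_LOG = r"""
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
O20 - Winlogon Notify: jkhfg - C:\WINDOWS\system32\jkhfg.dll (file missing)
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
"""

# Winlogon Notify subkeys present on a default Windows XP install (assumed baseline).
BENIGN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                 "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

O16_RE = re.compile(r"^O16 - DPF: (?P<id>\{[0-9A-Fa-f-]+\}|[^-]+?)\s*(?:\((?P<name>[^)]*)\))?\s*-\s*(?P<url>\S+)")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

def defang(url):
    """Break the link the way the thread does: a space after the scheme."""
    return re.sub(r"^(https?://)", r"\1 ", url, flags=re.IGNORECASE)

def triage(log_text):
    """Return one dict per O16/O20 entry with the facts a reviewer wants to see."""
    findings = []
    for line in log_text.splitlines():
        m = O16_RE.match(line)
        if m:  # ActiveX download (DPF): who serves it, and over what scheme
            findings.append({"kind": "O16", "id": m["id"].strip(), "name": m["name"],
                             "url": defang(m["url"]),
                             "https": m["url"].lower().startswith("https://")})
            continue
        m = O20_RE.match(line)
        if m:  # Winlogon Notify DLL: loaded at logon, so a classic Vundo foothold
            findings.append({"kind": "O20", "name": m["name"], "path": m["path"],
                             "file_missing": m["missing"] is not None,
                             "baseline": m["name"] in BENIGN_NOTIFY,
                             "registry_key": NOTIFY_KEY + "\\" + m["name"]})
    return findings

def cfscript_draft(findings):
    """Draft CFScript File::/Registry:: sections for non-baseline O20 entries only."""
    suspects = [f for f in findings if f["kind"] == "O20" and not f["baseline"]]
    if not suspects:
        return ""
    files = "\n".join(f["path"] for f in suspects)
    keys = "\n".join("[-%s]" % f["registry_key"] for f in suspects)
    return "File::\n%s\n\nRegistry::\n%s\n" % (files, keys)
```

Calling `cfscript_draft(triage(SAMPLE_LOG))` on the sample yields the jkhfg file and `[-...\notify\jkhfg]` key lines, matching the shape of the script above; the stock crypt32chain entry is left alone.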

Offline TFL

  • Newbie
  • *
  • Posts: 14
Re: Can anyone help ?
« Reply #24 on: February 02, 2008, 04:11:23 PM »
I have run ComboFix, and the log is attached.

But I don't know how to use VundoFix. When I open the program, it doesn't show the message that the instructions show, but only two buttons: "Scan Vundo" and "Remove Vundo". It seems that the version doesn't match; the one I downloaded is v6.7.7, but in the instructions it is v2.15.
« Last Edit: February 02, 2008, 04:13:52 PM by TFL »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Can anyone help ?
« Reply #25 on: February 02, 2008, 04:49:06 PM »
The jkhfg.dll entry has gone from your log now, so you don't need those instructions.

jkhfg.dll was a Vundo infection, so you can hit the "scan Vundo" button just to check that Vundo has gone.

If VundoFix finds any traces, run again and hit the "Remove Vundo" button.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: Can anyone help ?
« Reply #26 on: February 02, 2008, 05:58:47 PM »
Logs look clean to me

Now, to get you off to a good start, we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point, but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done


Offline philly12

  • Full Member
  • ***
  • Posts: 156
  • Boring federal gov worker (slave)
Re: Can anyone help ?
« Reply #27 on: February 02, 2008, 10:46:58 PM »
I figured you were Chinese because you had a Chinese speech to text software program installed on your computer.  I hope your infection is clear and everything runs okay :D

Offline TFL

  • Newbie
  • *
  • Posts: 14
Re: Can anyone help ?
« Reply #28 on: February 03, 2008, 12:30:34 PM »
Is that already clean.....? Seems not as fast as before.....
I have run VundoFix and it found this:

C:\WINDOW\system32\RGSS100J.dll

And also there are something left in the quarantine of a-squared and SUPERAntiSpyware, do I need to clear them all?
« Last Edit: February 03, 2008, 12:33:05 PM by TFL »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: Can anyone help ?
« Reply #29 on: February 03, 2008, 01:43:59 PM »
Yes, you can empty the quarantine.  I will search for stray files if you wish.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and attach the log. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.