Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Lexmark_X79-55 in autostar winantivirus 2006 malware pop ups

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby sgpatel » March 29th, 2007, 2:13 pm

John,
i followed your steps. Haxfix reported that it did not find any infections. I went through the step to fix the O16 Drive cleaner entry and am posting the new hijack this log. as you will notice the modk32.dll is still present. another bad news is that last nite while doing some work internet explorer got invoked while i wanted to view a pdf file and the pops ups started again. I killed all the iexplore.exe processes as fast as i could but i think i got infected again with a downloader.conhook and Trojan.Agen.av. I havent taken any action as yet in Ewido and am posting a AVG Report also for you to take a look. Additionally i got a symantec anti virus realtime protection warning at the same time for a Downloader(lientnstaller15_02[1]) in the Temporary files which it said it deleted. I am assuming it is the same downloader Please advise and apologize for the trouble. I have also highlighted the new suspicious entries in the hijack this log:
AVG Ewido report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:07:42 AM 3/29/2007

+ Scan result:

C:\WINDOWS\system32\jkkljjj.dll -> Downloader.ConHook : No action taken.
C:\WINDOWS\system32\rqrrono.dll -> Downloader.ConHook.ah : No action taken.
C:\WINDOWS\jkjjjh.dll -> Trojan.Agent.agv : No action taken.
::Report end

Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 9:54:17 AM, on 3/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\orclobi\ebi\CheckDefrag.exe
C:\WINDOWS\orclobi\ebi\cischd.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Oracle\Messenger\OracleMessenger.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\sgpatel\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *oracle.com;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ebizsrv.us.oracle.com"); (C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\default\dn7w2w2z.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {782b81d5-cacb-4630-9ae6-ce6349bca6b9} - C:\WINDOWS\system32\modk32.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [Cischd] C:\WINDOWS\orclobi\ebi\cischd.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\jkjjjh.dll",setvm
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Secure Global Desktop Client, 4.2 - http://ebiztta.oraclecorp.com/tarantell ... taF-du.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/re ... nsload.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30355844-0000-0010-8000-00AA00389B71} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {32248CB1-0D1E-4889-AEA3-1A2DA540A380} (Siebel CSSAxCatalogNavigator Class) - http://sdchs20n518.corp.siebel.com/CALL ... igator.cab
O16 - DPF: {3D5E05C4-41B2-4EB5-A5EB-970EBD646B98} (ASEActiveXCtrl Class) - http://le2041.oracleads.com/OA_HTML/dow ... dddase.exe
O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://sdchs22n110.corp.siebel.com/call ... Client.cab
O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sdchs20n518.corp.siebel.com/CALL ... Client.cab
O16 - DPF: {AD8A3C8A-ABC8-4BAA-B176-0473BF553930} (Siebel Product Selection) - http://sdchs20n518.corp.siebel.com/CALL ... ection.cab
O16 - DPF: {BFE65CD6-B930-4BD0-BEC1-00E947B2A373} (CSSAxConfigurator Class) - http://sdchs22n110.corp.siebel.com/call ... urator.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://adsweb.oracleads.com/download/jinit13121.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A1A481-0DC3-4299-BED3-4ABD619A6BEC}: Domain = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0489001-EB94-433F-AE81-B92A337E243E}: Domain = oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = oracle.com
O20 - Winlogon Notify: modk32 - C:\WINDOWS\SYSTEM32\modk32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)


Thanks,
Sachin
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm
Advertisement
Register to Remove

Unread postby John B. » March 30th, 2007, 12:36 pm

Hi,

Lets add the bad file manually... We will take care of the other malware next time.

Run HaxFix in manufix
  • Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
  • Close all other open windows since this step requires a reboot
  • Select option 3. Run manu fix by typing 3 and then pressing Enter
This message will appear:
echo Insert the haxdoorkey,
and then press Enter:

  • Type the following: modk
    When this is a valid choice, the key will be added to delete.
  • There is the possibility to add a new key: Yes (type Y) or No (type N).
    Followed by this message:
    Haxdoorkey xxxx added to delete.

    Do you want to add a new haxdoorkey?

    Press Y for YES or N for NO and then press Enter:

  • Type N for No and press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the log together with a fresh HJT log

Greets, John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby sgpatel » March 30th, 2007, 1:21 pm

John,
i went throught the steps for haxfix. However when i enter modk32 it came back saying Haxdoor key not added. Do you want to add haxdoor key y or n?. at this point do i say yes. Your instructions for saying No to this question assumes that haxdoor key is automatically added. Please advise. For now i replied No and it returned back to the main menu saying no infection found.

Thanks,
Sachin
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Unread postby sgpatel » March 30th, 2007, 1:22 pm

i did type in modk and not modk32. Aplogize for mistyping it.
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Unread postby John B. » March 30th, 2007, 2:55 pm

Hi,

I told you to typ it in without the numbers (modk). So it says it's not added and if you want to add another one?

If so please cancel the fix and I'm going to ask this in our community...

Greets, John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby sgpatel » March 30th, 2007, 3:33 pm

Yes you mentioned that and i typed in just modk but mistyped it in my post that i had entered modk32. And it said the following
No matching services found
Haxdoorkey has not been added
Do you want to add a new Haxdoorkey
Press Y for Yes or N for NO then press enter

i had cancelled the fix and will wait for your reponse. Apologize for the confusion.
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Unread postby John B. » March 31st, 2007, 3:26 am

Hi,

Some other people, the real experts ;) , told me it's another infection so lets try to use that infections' tool...

If VundoFix doesn't find anything in Step 1 please close the program and go on with Step 2 and 3!

If VundoFix does find something in Step 1 please don't do Step 2 and 3!


Step 1: Download and Run: VundoFix
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Step 2: Upload malware to uploadmalware.com
Please go to http://www.uploadmalware.com/

Put your username in the correct box and give a link to this topic.
In the File(s) To Submit: copy and past the following (one line per box):
C:\WINDOWS\SYSTEM32\modk32.dll
<any files with the name 23kdom in C:\WINDOWS\SYSTEM32 (can be multiple file, upload as many as possible)>

Now click Send File and close the window.

Step 3: Run VundoFix
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the entry below into the top box:
    • C:\WINDOWS\SYSTEM32\modk32.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Greets, John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby sgpatel » March 31st, 2007, 12:22 pm

John,
Vundo did find the modk32.dll and i followed the instructrions. Here are the vundo log and fresh hijack this log. One thing in noticed in the vundo log is it is saying that my java version is older however i have already installed runtime version 6 and removed any previous versions.

Vundo log:

VundoFix V6.3.18

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 8:52:06 AM 3/31/2007

Listing files found while scanning....


VundoFix V6.3.18

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 8:58:06 AM 3/31/2007

Listing files found while scanning....

C:\WINDOWS\system32\modk32.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\modk32.dll
C:\WINDOWS\system32\modk32.dll Has been deleted!

Performing Repairs to the registry.
Done!

Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 9:18:05 AM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\orclobi\ebi\CheckDefrag.exe
C:\WINDOWS\orclobi\ebi\cischd.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\sgpatel\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *oracle.com;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ebizsrv.us.oracle.com"); (C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\default\dn7w2w2z.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {782b81d5-cacb-4630-9ae6-ce6349bca6b9} - C:\WINDOWS\system32\modk32.dll (file missing)
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [Cischd] C:\WINDOWS\orclobi\ebi\cischd.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\jkjjjh.dll",setvm
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Secure Global Desktop Client, 4.2 - http://ebiztta.oraclecorp.com/tarantell ... taF-du.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/re ... nsload.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30355844-0000-0010-8000-00AA00389B71} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {32248CB1-0D1E-4889-AEA3-1A2DA540A380} (Siebel CSSAxCatalogNavigator Class) - http://sdchs20n518.corp.siebel.com/CALL ... igator.cab
O16 - DPF: {3D5E05C4-41B2-4EB5-A5EB-970EBD646B98} (ASEActiveXCtrl Class) - http://le2041.oracleads.com/OA_HTML/dow ... dddase.exe
O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://sdchs22n110.corp.siebel.com/call ... Client.cab
O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sdchs20n518.corp.siebel.com/CALL ... Client.cab
O16 - DPF: {AD8A3C8A-ABC8-4BAA-B176-0473BF553930} (Siebel Product Selection) - http://sdchs20n518.corp.siebel.com/CALL ... ection.cab
O16 - DPF: {BFE65CD6-B930-4BD0-BEC1-00E947B2A373} (CSSAxConfigurator Class) - http://sdchs22n110.corp.siebel.com/call ... urator.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://adsweb.oracleads.com/download/jinit13121.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A1A481-0DC3-4299-BED3-4ABD619A6BEC}: Domain = oracle
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0489001-EB94-433F-AE81-B92A337E243E}: Domain = oracle
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = oracle.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

Sachin
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Unread postby John B. » March 31st, 2007, 1:31 pm

Hi,

There's a new Java update since two days ;) I would've told you to update today anyway but good of you that you recognized it yourself too! You seem to be talentated (or just reading very good, something a lot of people don't do) in reading logs!

Please copy the fix to Notepad/Word, or print it, because you won't always have internet access!

Step 1: Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: (no name) - {782b81d5-cacb-4630-9ae6-ce6349bca6b9} - C:\WINDOWS\system32\modk32.dll (file missing)

    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\jkjjjh.dll",setvm

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
Step 2: Boot into Safe Mode
Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Step 3: Delete bad file
Use Explorer to navigate to and delete the following file (if present):

C:\WINDOWS\jkjjjh.dll

Now just exit Explorer.

Step 4: Run ATF Cleaner
Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step 5: Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Step 6: Reboot
Your comptuer will automatically switch to normal mode.

Step 7: Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java(TM) SE Runtime Environment 6u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
Step 8: Post logs
  • AVG AS log
  • Fresh HJT log
  • Tell me about any problems/questions you've still got!

Greets, John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby sgpatel » April 2nd, 2007, 1:25 pm

John,
have followed the steps. AVG reported some more infections. I deleted the file jkjjjh.dll from c:\windows. AVG reported an addional copy in the C:\windows\system32 location as you will see in the report. Additionally i noticed hjjjkj.ini file in the c:\windows location. Should i delete this as it has jjj i thought it might be a left over ini file from a previous infection. In any case am posting the logs.
AVG:Scan 1
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:24:18 AM 4/1/2007

+ Scan result:



C:\WINDOWS\system32\jkkljjj.dll -> Downloader.ConHook : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rqrrono.dll -> Downloader.ConHook.ah : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.16:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.30:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.138:C:\Mozilla Files\Mozilla\Profiles\sachin.patel\713vnyft.slt\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.139:C:\Mozilla Files\Mozilla\Profiles\sachin.patel\713vnyft.slt\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.31:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.32:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.33:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.34:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.35:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.36:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.37:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.44:C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\sachin.patel\927v9aan.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\RECYCLER\S-1-5-21-2107854571-459673500-1737835142-3153\Dc25.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).


::Report end

AVG: Scan 2
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:17:13 AM 4/2/2007

+ Scan result:



C:\Documents and Settings\sgpatel\Local Settings\Temp\tmp8AB.tmp.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end



Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 9:32:32 AM, on 4/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\orclobi\ebi\CheckDefrag.exe
C:\WINDOWS\orclobi\ebi\cischd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Documents and Settings\sgpatel\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.oracle.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *oracle.com;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://ebizsrv.us.oracle.com"); (C:\Documents and Settings\sgpatel\Application Data\Mozilla\Profiles\default\dn7w2w2z.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - D:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [CheckDefrag] c:\windows\orclobi\ebi\CheckDefrag.exe
O4 - HKLM\..\Run: [Cischd] C:\WINDOWS\orclobi\ebi\cischd.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Secure Global Desktop Client, 4.2 - http://ebiztta.oraclecorp.com/tarantell ... taF-du.cab
O16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/re ... nsload.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30355844-0000-0010-8000-00AA00389B71} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {32248CB1-0D1E-4889-AEA3-1A2DA540A380} (Siebel CSSAxCatalogNavigator Class) - http://sdchs20n518.corp.siebel.com/CALL ... igator.cab
O16 - DPF: {3D5E05C4-41B2-4EB5-A5EB-970EBD646B98} (ASEActiveXCtrl Class) - http://le2041.oracleads.com/OA_HTML/dow ... dddase.exe
O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://sdchs22n110.corp.siebel.com/call ... Client.cab
O16 - DPF: {A07F0AC9-D8AD-449A-BE90-668F5263B261} (Siebel High Interactivity Framework) - http://sdchs20n518.corp.siebel.com/CALL ... Client.cab
O16 - DPF: {AD8A3C8A-ABC8-4BAA-B176-0473BF553930} (Siebel Product Selection) - http://sdchs20n518.corp.siebel.com/CALL ... ection.cab
O16 - DPF: {BFE65CD6-B930-4BD0-BEC1-00E947B2A373} (CSSAxConfigurator Class) - http://sdchs22n110.corp.siebel.com/call ... urator.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) - http://adsweb.oracleads.com/download/jinit13121.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A1A481-0DC3-4299-BED3-4ABD619A6BEC}: Domain = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0489001-EB94-433F-AE81-B92A337E243E}: Domain = oracle.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = oracle.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = oracle.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\system32\MsPMSPSv.exe (file missing)

Thanks
sachin
sgpatel
Regular Member
 
Posts: 19
Joined: March 16th, 2007, 2:55 pm

Unread postby John B. » April 3rd, 2007, 10:16 am

Hi,

This is my normal post for when you are clear - which you now are - or seem to be.
Please advise of any problems you still have. If you think you're clean please give one more reply so that I can archive this topic.

Please delete any copies of jkjjjh or hjjjkj you can find and then also empty your Recycle Bin :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
    Turn off System Restore.
    On the Desktop, right-click My Computer
    Click Properties
    Click the System Restore tab
    Check Turn off System Restore
    Click Apply, and then click OK

    Reboot.

    Turn on System Restore.
    On the Desktop, right-click My Computer
    Click Properties
    Click the System Restore tab
    Uncheck Turn off System Restore
    Click Apply, and then click OK
    NOTE: only do this ONCE, NOT on a regular basis!
  • Re hide your system files. To do so, please follow the steps below:
    • Double-click My Computer.
    • Click the Tools menu, and then click Folder Options.
    • Click the View tab.
    • Put a check by "Hide file extensions for known file types."
    • Under the "Hidden files" folder, select "Do not show hidden files and folders."
    • Check "Hide protected operating system files."
    • Click Apply, and then click OK.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted!
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints, you have to be registered to post after registering just find your country room and register your complaint.
The infections you had were AWF (can go to 'General/Unlisted Infections' or 'Is your infection not listed here?') and Vundo.

>> Here << you can see how you can help us.

May your God go with you..

John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby NonSuch » April 13th, 2007, 11:28 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27229
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 16 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware