Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

DNS redirects: jjh.exe suspected

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: DNS redirects: jjh.exe suspected

Unread postby melboy » June 12th, 2010, 7:31 am

Ok - Progress at least. Lets try this.


Start Services

  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

    Code: Select all
    @echo off
    sc Start srservice
    sc config srservice start= Automatic
    sc query srservice >"%userprofile%\desktop\svc_look_2.txt" 2>&1
    Notepad.exe "%userprofile%\desktop\svc_look_2.txt"
    Del %0
    

  • Make sure there are NO blank lines before @echo off
  • Make sure there IS one blank line at the end of the file.
  • Go to File > Save As
  • Save File name as look.bat
  • Change Save as Type to All Files and save the file to your desktop.
  • Close Notepad
  • Double-click look.bat on your Desktop
  • Notepad will open. Post the contents in your next reply. It can also be found on your desktop, named svc_look_2.txt


Also, let's check the image path for SR.sys, As you're using a non default/standard installation (Windows.1)

Go to Start > Run and copy/paste the following command into the Run box and click OK:

cmd /c regedit.exe /e "%userprofile%\Desktop\SR_look_3.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr"

A black command prompt windows will open and close. It will create a file called SR_look_3.txt on your desktop - post the contents of that file.



Also go to Start>Run and copy/paste sysdm.cpl into the run box and click OK. Then click the System Restore tab and tell me if Drive C: has the Status Monitoring.
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
Advertisement
Register to Remove

Re: DNS redirects: jjh.exe suspected

Unread postby phbrown » June 12th, 2010, 9:22 am

contents of svc_look_2.txt:


[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.


look 3:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
"FirstRun"=dword:00000001
"DontBackup"=dword:00000000

no SR tab under system properties
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Unread postby melboy » June 12th, 2010, 10:05 am

Hi

Well that's an improvement on what you originally had!



Backup the Registry:

Modifying the Registry can create unforseen problems, so it always wise to create a backup before doing so.

  • Start ERUNT by double clicking on the desktop icon >> Click OK at the Welcome prompt.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable. (or windows.1 in your case)
  • Make sure that at least the first two check boxes are selected.(System registry & Current user registry)
  • Click on OK
  • When the Question pop-up appears click on Yes to create the folder.
  • After a short duration the Registry backup is complete! popup will appear
  • Now click on OK. A backup has been created.



Fix.reg

  • Open Notepad by clicking Start>Run then type Notepad
  • Copy & paste the contents of the Code Box below to Notepad (DO NOT include Code:)
  • Make sure there is NO blank line before Windows Registry Editor Version 5.00
  • Make sure there IS one blank line at the end of the file.

    Code: Select all
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
    "Type"=dword:00000002
    "Start"=dword:00000000
    "ErrorControl"=dword:00000001
    "Tag"=dword:00000004
    "ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
      52,00,49,00,56,00,45,00,52,00,53,00,5c,00,73,00,72,00,2e,00,73,00,79,00,73,\
      00,00,00
    "DisplayName"="System Restore Filter Driver"
    "Group"="FSFilter System Recovery"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
    "FirstRun"=dword:00000000
    "DontBackup"=dword:00000000
    "MachineGuid"="{EAAFAEEC-4AFE-42BE-83D9-C12FDD4942A6}"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Enum]
    "0"="Root\\LEGACY_SR\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001
    
    

  • Go to File>Save as
  • Name the file as fix_SR.reg
  • Change the Save as Type to All Files
  • Save the file to your Desktop. It will look like this Image


Double click on the fix_SR.reg file & when it prompts to Merge click Yes.


Reboot


Go to Start>Run and copy/paste sysdm.cpl into the run box and click OK. Then click the System Restore tab and see if Drive C: has the Status Monitoring.

IF not:

Start Services

  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

    Code: Select all
    @echo off
    sc Start srservice
    sc config srservice start= Automatic
    sc query srservice >"%userprofile%\desktop\svc_look_2.txt" 2>&1
    Notepad.exe "%userprofile%\desktop\svc_look_3.txt"
    Del %0
    

  • Make sure there are NO blank lines before @echo off
  • Make sure there IS one blank line at the end of the file.
  • Go to File > Save As
  • Save File name as look.bat
  • Change Save as Type to All Files and save the file to your desktop.
  • Close Notepad
  • Double-click look.bat on your Desktop
  • Notepad will open. Post the contents in your next reply. It can also be found on your desktop, named svc_look_3.txt
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Unread postby phbrown » June 12th, 2010, 10:51 am

no text in svc_look_3.txt file
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Unread postby phbrown » June 12th, 2010, 10:55 am

and look.bat has disappeared from the desktop
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Unread postby melboy » June 12th, 2010, 11:03 am

Gah! Typo!

Try it again.

Start Services

  • Open Notepad by click start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

    Code: Select all
    @echo off
    sc Start srservice
    sc config srservice start= Automatic
    sc query srservice >"%userprofile%\desktop\svc_look_3.txt" 2>&1
    Notepad.exe "%userprofile%\desktop\svc_look_3.txt"
    Del %0
    

  • Make sure there are NO blank lines before @echo off
  • Make sure there IS one blank line at the end of the file.
  • Go to File > Save As
  • Save File name as look.bat
  • Change Save as Type to All Files and save the file to your desktop.
  • Close Notepad
  • Double-click look.bat on your Desktop
  • Notepad will open. Post the contents in your next reply. It can also be found on your desktop, named svc_look_3.txt
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Unread postby phbrown » June 12th, 2010, 11:21 am

[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Unread postby melboy » June 12th, 2010, 11:41 am

Hi

Well, sorry, but unfortunately that's me fresh out of ideas. :(
I feel sure this will be down to one of the previously mentioned "tweak" tools.

As this forum specializes in malware removal I think the best and fastest solution for you now is to post on a general PC troubleshooting forum.

These sites have a variety of experts, that are better equipped to investigate and resolve these kinds of issues.

The Elder Geek on Windows
BleepingComputer.com
WhattheTech

Should you start a topic on this, it may be helpful to link to this thread so anybody helping you can see the steps we have taken already.


In the meantime you can use erunt to back up the registry but SR does more so i would recommend you try to solve the problem.

===================


OTM by OldTimer

You should still have this on your Desktop.

  • Double-click OTM.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself


You can delete all the .txt files I had you create on your desktop.


Re-enable WinPatrol
  • Go to Start > All Programs > WinPatrol > WinPatrol
  • Locate the WinPatrol Image icon in the system tray and right-click it and select Options...
  • In the list near the bottom of the window, check Automatically run WinPatrol when computer starts.


Your logs appear to be clean. Congratulations!
This is my general post for when your logs show no more signs of malware.


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.


    Recommended Programs

    I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

    • Malwarebytes' Anti-Malware
      As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. (TIP: Cleaning out temp files can reduce scanning times.)
      Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
    • Hosts File
      For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Unread postby phbrown » June 12th, 2010, 12:40 pm

Many thanks. You've gone well beyond what I expected. I'll check elsewhere for more SR help.
phbrown
Regular Member
 
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Unread postby melboy » June 12th, 2010, 1:00 pm

You're welcome :)
User avatar
melboy
MRU Expert
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Unread postby Dakeyras » June 12th, 2010, 4:03 pm

Since we have done all we can, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 64 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware