Malware Removal Instructions

DNS redirects: jjh.exe suspected

Re: DNS redirects: jjh.exe suspected

Post by melboy » June 8th, 2010, 8:19 am

Hi

Fix.reg

  • Open Notepad by clicking Start>Run then type Notepad
  • Copy & paste the contents of the Code Box below to Notepad (DO NOT include Code:)
  • Make sure there is NO blank line before Windows Registry Editor Version 5.00

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
      00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
      ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
      00,00,01,00,00,00

  • Go to File>Save as
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • Save the file to your Desktop. It will look like this: [image]


Double click on the fix.reg file & when it prompts to Merge click Yes.

Please post back with a fresh HijackThis log (Do a system scan and save a log file) and a description of how the computer is running now.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Post by phbrown » June 8th, 2010, 8:49 am

I'm not noticing any problems with the computer. Probably my imagination (or wishful thinking!), but it seems to be doing things faster, too.

Does this mean we've achieved success? Do I need to get rid of my Norman anti-malware program and replace it with AVG to prevent this from happening again? Is Zonealarm sufficient as a firewall? (It alerted me to jjh.exe's desire to "phone home.")


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:45:41 AM, on 6/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\system32\ZoneLabs\vsmon.exe
C:\WINDOWS.1\Explorer.EXE
C:\WINDOWS.1\system32\spoolsv.exe
C:\Norman\Bin\ZLH.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS.1\system32\RUNDLL32.EXE
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS.1\system32\E_S00RP2.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Norman\Bin\Zanda.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS.1\system32\nvsvc32.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\SearchIndexer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS.1\system32\taskmgr.exe
C:\WINDOWS.1\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.1\system32\notepad.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS.1\msagent\AgentSvr.exe
C:\WINDOWS.1\system32\NOTEPAD.EXE
C:\WINDOWS.1\system32\notepad.exe
C:\WINDOWS.1\system32\SearchProtocolHost.exe
C:\Documents and Settings\Paul.FAMILYROOM\Desktop\Computer Management\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ldsblogs.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.1\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.1\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS.1\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS.1\system32\GPhotos.scr/200
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 3216818375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2590144765
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS.1\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS.1\System32\browseui.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS.1\system32\E_S00RP2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Bin\Zanda.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.1\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS.1\system32\ZoneLabs\vsmon.exe

--
End of file - 6786 bytes
phbrown
Regular Member
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Post by melboy » June 8th, 2010, 1:16 pm

Hi

Ok, that looks good!

Checking back over your topic, you mentioned in an earlier post a problem with System Restore.
On a related note, my operating system doesn't have System Restore. I think it is supposed to. Is there a way to fix this lack?

Can you explain more? Go to Start>Run and copy/paste sysdm.cpl into the run box and click OK. Then click the System Restore tab and tell me if Drive C: has the Status Monitoring.


ZoneAlarm Spy Blocker

You may have noted here that ESET detected the ZoneAlarm SpyBlocker toolbar as "Win32/Toolbar.MyWebSearch application" as it is essentially an IAC/ASK toolbar, a toolbar that has had a prior unfavorable view within the security community.

Read what noted researcher Ben Edelman had to say in his analysis of Ask Toolbars in "Current Practices of IAC/Ask Toolbars" (October 21, 2006).

My recommendation would be to uninstall it.



Registry Cleaners + "Tweak" Tools

Re. Advanced SystemCare 3
Glary Registry Repair
Glary Utilities


I don't personally recommend the use of ANY Registry Cleaners or "Tweak" Tools. They are marketed as ways to make your machine run faster and more efficiently ...... Some will actually achieve this .... IF you know how to use them correctly.
Removing "Orphaned/Old/Obsolete" registry entries is fine ..... as long as they actually are "Orphaned/Old/Obsolete", it won't speed up your machine though.
Stopping services & setting policies can speed up your machine ..... as long as you stop & set the right ones, & even then it's debatable if you will notice the improvement.

Remove the wrong registry entry, or stop the wrong service, & not only can you slow your machine .... you could kill it !

To use a Registry Cleaner or "Tweak" tool to its full advantage, you really need to know what it is they are doing & what else the changes may affect.
In short, if you know how to use them safely ----- you don't actually need them.

Discussion on Registry cleaners >> http://forums.whatthetech.com/Regcleaner_t42862.html
And for more good information see what Miekiemoes has to say >> http://miekiemoes.blogspot.com/2008/02/ ... ng_13.html

I particularly wouldn't recommend any IOBit products (Advanced SystemCare 3) for the reasons given here


Do I need to get rid of my Norman anti-malware program and replace it with AVG to prevent this from happening again? Is Zonealarm sufficient as a firewall?

I don't recommend AVG, but I can give you alternate recommendations for anti-virus software if you wish....but all AV's will miss things that others catch and vice versa. One thing you must do is keep it updated!

Despite its inclusion of the aforementioned toolbar, Zonealarm is sufficient as a firewall.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Post by phbrown » June 8th, 2010, 1:39 pm

My system properties box has no System Restore tab. It has only 6 tabs: General, Computer Name, Hardware, Advanced, Automatic Updates & Remote. Some of the reading I've done since you introduced yourself implies that ERUNT is better than SR, in that it isn't as bloated. So, maybe I don't need SR, but just need to remind myself to backup my registry and my data on a regular basis? Wish there was some way to automate both!

I'll remove the programs you suggested above. I don't use the ZA toolbar, so I don't know why that is present.

Thanks.
phbrown
Regular Member
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Post by phbrown » June 8th, 2010, 1:46 pm

Oh, and please do recommend an AV. I realize that they all have failings, but I should probably use one anyway.
phbrown
Regular Member
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Post by melboy » June 8th, 2010, 2:52 pm

Let's see if we can get System Restore working for you. It may be down to the infection you had or even one of the previously mentioned tweak tools that has disabled it.

Go to Start > Run and copy/paste the following command into the Run box and click OK:

cmd /c regedit.exe /e "%userprofile%\Desktop\SR_look.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT"

A black command prompt window will open and close. It will create a file called SR_look.txt on your desktop - post the contents of that file.

please do recommend an AV. I realize that they all have failings, but I should probably use one anyway
Just to clarify - to prevent any misunderstandings - your Norman protection is an anti-virus. You should only use one. I'll include some recommendations if need be in my final "all clean" post to you.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Post by phbrown » June 9th, 2010, 7:38 pm

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
phbrown
Regular Member
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Post by melboy » June 10th, 2010, 1:59 pm

Hi

Ok let's see if the service is running.


Go to Start > Run and copy/paste the following command into the Run box and click OK:

cmd /c sc query srservice >"%userprofile%\desktop\svc_look.txt" 2>&1

A black command prompt window will open and close. It will create a file called svc_look.txt on your desktop - post the contents of that file.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Post by phbrown » June 10th, 2010, 2:21 pm

Alas, failure:

[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.
phbrown
Regular Member
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Post by melboy » June 10th, 2010, 4:11 pm

Hi

As you have XP Pro, try this:

Go Start > Run and copy/paste gpedit.msc into the Run box & click OK

  • In the Group Policy editor, by clicking the + (plus sign), navigate to Computer Configuration > Administrative Templates > System > System Restore
  • Set Turn off System Restore and Turn off Configuration to Disable
  • Leave the Group Policy window open.

    • Then go to the start menu, right click on My Computer and Select Manage
    • In Computer management, navigate to Services and Applications > Services
    • Scroll down to System Restore Service and double click.
    • On the General tab set Startup Type to Automatic using the drop down list.
    • Click the Start button to start the service
    • Close the Computer Management console

  • Return to System Restore in Group Policy Editor and configure both to Not Configured
  • Close Group Policy Editor and reboot the system


After the reboot is complete, right click My Computer, select Properties and see if the tab for System Restore has been restored.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Post by phbrown » June 10th, 2010, 4:50 pm

I was fine until I got to this step:

  • Scroll down to System Restore Service and double click.

No System Restore Service there. The only thing that starts with "System" is "System Event Notification".
phbrown
Regular Member
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Post by melboy » June 10th, 2010, 5:35 pm

After this step:

  • Set Turn off System Restore and Turn off Configuration to Disable

Is there a button: Apply

If so, click Apply before proceeding with the next step:

  • Then go to the start menu, right click on My Computer and Select Manage
....etc
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Post by phbrown » June 10th, 2010, 7:18 pm

No "apply" button, but the "help" text says that these settings only apply at reboot. Should I reboot and then right click on My Computer?
phbrown
Regular Member
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia

Re: DNS redirects: jjh.exe suspected

Post by melboy » June 10th, 2010, 7:57 pm

Hi

No, Do this:


Go to Start > Run and copy/paste the following command into the Run box and click OK:

cmd /c regedit.exe /e "%userprofile%\Desktop\SR_look_2.txt" "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr"

A black command prompt window will open and close. It will create a file called SR_look_2.txt on your desktop - post the contents of that file.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: DNS redirects: jjh.exe suspected

Post by phbrown » June 10th, 2010, 8:43 pm

Tried this twice. Black box opens & closes, but no such file appears on the desktop.

Then I did regedit all by itself, then looked in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\, but didn't find anything labeled "sr." Found srescan & srv, both with + signs next to them & folders underneath.
phbrown
Regular Member
Posts: 30
Joined: June 2nd, 2010, 9:31 pm
Location: Virginia
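The fix.reg in melboy's first post and the System Restore captures later in the thread (the regedit /e export of the policy tree, the sc query srservice output, and the export of Services\sr that never appeared) are all plain text, so they can be checked offline before anything is merged or concluded. The script below is an added example, not code from the forum, from HijackThis or from Windows: it parses "Windows Registry Editor Version 5.00" exports (joining the backslash-continued hex lines and rejecting a blank line before the header, the mistake the fix.reg post warns about), verifies that the Active Desktop component the fix rewrites points at About:Home, and turns the three System Restore captures into one verdict. The policy value SystemRestore\DisableSR under HKLM\SOFTWARE\Policies\Microsoft\Windows NT and the Services\sr key are the standard XP locations; the sample inputs are reconstructed from the posted text, and the "hijacked" and "running" variants used for checking are constructed for illustration.

```python
"""Offline checks over the artefacts exchanged in this thread: the fix.reg to
merge, and the regedit exports plus 'sc query' output used to diagnose System
Restore. Added example; sample inputs are reconstructed from the posted text."""
import re

DESKTOP_COMPONENT = (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"
                     r"\Desktop\Components\0")
SR_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
SR_SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr"

# fix.reg from melboy's post (abridged to the values that matter here).
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
'''
# SR_look.txt and svc_look.txt as phbrown posted them.
SR_LOOK = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
'''
SC_OUTPUT = ("[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
             "The specified service does not exist as an installed service.")


def _decode_value(data):
    """Decode the data part of a name=data line into (type, value)."""
    if data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1]))  # unescape \" and \\
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", data)
    if m:
        kind = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}.get(
            m.group(1), "hex(%s)" % m.group(1))
        return (kind, bytes(int(b, 16) for b in m.group(2).split(",") if b))
    raise ValueError("unsupported value syntax: " + data)


def parse_reg(text):
    """Parse a REG5 export into {key: {value_name: (type, value)}}. Joins the
    backslash-continued hex lines and rejects text whose first line is not the
    header, which is the 'no blank line before it' mistake the fix.reg post warns about."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        raise ValueError("first line must be the REG5 header (no blank line before it)")
    logical, pending = [], ""
    for raw in lines[1:]:
        line = raw.strip()
        if line.endswith("\\"):            # value continues on the next line
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    keys, current = {}, None
    for line in logical:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            raise ValueError("malformed line: " + line)
        name = "@" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
        keys[current][name] = _decode_value(m.group(2))
    return keys


def check_desktop_component(reg_text):
    """Findings for the Active Desktop component that fix.reg rewrites. A clean
    component points Source and SubscribedURL at About:Home; anything else
    (a local .htm, a web URL) deserves a look before the file is merged."""
    comp = parse_reg(reg_text).get(DESKTOP_COMPONENT)
    if comp is None:
        return ["component key absent"]
    findings = []
    for name in ("Source", "SubscribedURL"):
        kind, val = comp.get(name, ("MISSING", None))
        if kind != "REG_SZ" or val.lower() != "about:home":
            findings.append("%s=%r, expected About:Home" % (name, val))
    return findings


def diagnose_system_restore(policy_reg, service_reg, sc_output):
    r"""One verdict from the three captures melboy asked for:
    policy_reg  - export of HKLM\SOFTWARE\Policies\Microsoft\Windows NT
    service_reg - export of HKLM\SYSTEM\CurrentControlSet\Services\sr, or None
                  when regedit wrote no file (as in the thread, the key being absent)
    sc_output   - text from 'sc query srservice'"""
    policy = parse_reg(policy_reg).get(SR_POLICY_KEY, {})
    if policy.get("DisableSR", (None, 0))[1] == 1:
        return "disabled by policy: DisableSR=1 under the SystemRestore policy key"
    if (service_reg is None or SR_SERVICE_KEY not in parse_reg(service_reg)
            or "FAILED 1060" in sc_output):
        return "not installed: Services\\sr key and/or srservice missing"
    m = re.search(r"STATE\s*:\s*\d+\s+(\w+)", sc_output)
    return "installed, service %s" % (m.group(1).lower() if m else "state unknown")
```

regedit /e writes its export as UTF-16LE with a byte-order mark, so read SR_look.txt with a UTF-16 decoder before passing it to parse_reg. For phbrown's captures (no SystemRestore subkey under the policy tree, error 1060 from sc, and no file produced for Services\sr) the verdict is "not installed", which tells you the component is missing rather than merely switched off by policy, and explains why the gpedit and Services steps found nothing to act on.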