Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Search42


  • Please log in to reply
6 replies to this topic

#1 Davepoth

Davepoth

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 11 May 2005 - 03:13 PM

I can't seem to get it to stop. I've tried adaware, spybot, MS antispyware, and AVG antivrus, and none of them seem to help. Here's my hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 21:12:03, on 11/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\explorer.exe
D:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F821C3C-9FD8-C32D-62E2-E1758E7E3136} - (no file)
O2 - BHO: (no name) - {27D3B6E3-E657-0CBB-ECD4-39D0B459CE01} - (no file)
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - D:\WINDOWS\mstask.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D752C663-F1D2-97A1-111F-2373744DDD8C} - (no file)
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105146571581
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O20 - Winlogon Notify: mstask - D:\WINDOWS\mstask.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe

Thanks for your help.

BC AdBot (Login to Remove)

 


m

#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:49 PM

Posted 12 May 2005 - 10:38 AM

Hi Davepoth,

I'll be helping you with your log to help you get cleaned up. Please give me a few minutes and I'll be right with you.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#3 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:49 PM

Posted 12 May 2005 - 12:18 PM

Please download Killbox from here:
http://www.bleepingcomputer.com/files/killbox.php

Now print out these instructions or save them to a text editor like Notepad since you won't have access to this webpage during parts of the removal process.

Reboot your computer into Safe Mode <--click here for instructions if you are not sure how.

Unzip Killbox and open the program.
  • Select the Delete on Reboot option
  • In the Full Path of File to Delete field, use copy and paste to enter the following text in bold:
D:\WINDOWS\mstask.dll
  • Click the button that looks like a red circle with a white X in it.
  • When asked if you want to delete this file, say yes.
  • When asked if you want to reboot now, say no.
  • Exit Killbox
Scan again with HijackThis and put a checkmark next to the following entries only:

O2 - BHO: (no name) - {1F821C3C-9FD8-C32D-62E2-E1758E7E3136} - (no file)
O2 - BHO: (no name) - {27D3B6E3-E657-0CBB-ECD4-39D0B459CE01} - (no file)
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - D:\WINDOWS\mstask.dll
O20 - Winlogon Notify: mstask - D:\WINDOWS\mstask.dll


Close any other open windows and click the Fix Checked button.

Reboot back into normal mode. Scan again with HijackThis and post another log as a reply to this post and let me know if there is any improvement.

Also do this:
Download Registry Search.

- Create a new folder on your desktop named Regsearch
- Extract regsearch.zip file to the newly created folder.
- Open the Regsearch folder and double click regsearch.exe to start the program.
- Use copy and paste to enter the following bold text to search for and click OK.

{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}

- Notepad will be opened with text in it (the file will also be saved in the Regsearch folder as well).

Post this text in your next reply along with the new HijackThis log.

Edited by Papakid, 12 May 2005 - 12:26 PM.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#4 Davepoth

Davepoth
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 12 May 2005 - 01:02 PM

Logfile of HijackThis v1.99.1
Scan saved at 19:01:09, on 12/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Dave\Desktop\regsearch\RegSearch.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: .whenu.com
O1 - Hosts: .whenu.com
O1 - Hosts: c.whenu.com
O1 - Hosts: c.whenu.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F821C3C-9FD8-C32D-62E2-E1758E7E3136} - (no file)
O2 - BHO: (no name) - {27D3B6E3-E657-0CBB-ECD4-39D0B459CE01} - (no file)
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - D:\WINDOWS\mstask.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D752C663-F1D2-97A1-111F-2373744DDD8C} - (no file)
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105146571581
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DAAD490-93A1-42D2-9940-B7A48A47E848}: NameServer = 80.225.248.178 80.225.248.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{2DAAD490-93A1-42D2-9940-B7A48A47E848}: NameServer = 80.225.248.178 80.225.248.186
O20 - Winlogon Notify: mstask - D:\WINDOWS\mstask.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe


REGEDIT4

; Registry Search by Bobbi Flekman
; Version: 1.0.1.4

; Results at 12/05/2005 18:59:45 for strings:
; '{44240bb5-bd7d-4d49-a1aa-8ab0f3d3cb44}'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CLSID]
@="{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1\CLSID]
@="{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[HKEY_USERS\S-1-5-21-1844237615-1957994488-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[HKEY_USERS\S-1-5-21-1844237615-1957994488-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}\iexplore]

; End Of The Log...

Thanks.

#5 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:49 PM

Posted 12 May 2005 - 07:00 PM

OK, let's get serious with this bad boy. :thumbsup:

One preliminary note--when you have HijackThis on your Desktop a backups folder will appear when you fix items with the program. Don't delete that folder until after you get the all clear.

Step 1:

Please download Process Explorer by Systernals from HERE


Step 2:

Download the reg file RemoveEvil.reg attached below and save it to your desktop:

Step 3:

Print out the following instructions as you will not have Internet Access for the rest of this fix.

Then boot up in SAFE MODE

The rest of this fix must be done in safe mode.


Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Exlporer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of mstask.dll once and then click the kill button.

After you have killed all of the mstask.dll's under winlogon click OK.

If you see any .ini or ,bak files with either the same name or the file name in reverse, kill them as well

Next double-click on explorer.exe, select the Threads tab, and again click once on each instance of mstask.dll then click the kill button.

If you see any .ini or ,bak files with either the same name or the file name in reverse, kill them as well

Once you have done that click OK again.

Next run HijackThis and place a check beside each of the following.

O1 - Hosts: .whenu.com
O1 - Hosts: .whenu.com
O1 - Hosts: c.whenu.com
O1 - Hosts: c.whenu.com
O2 - BHO: (no name) - {1F821C3C-9FD8-C32D-62E2-E1758E7E3136} - (no file)
O2 - BHO: (no name) - {27D3B6E3-E657-0CBB-ECD4-39D0B459CE01} - (no file)
O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - D:\WINDOWS\mstask.dll
O20 - Winlogon Notify: mstask - D:\WINDOWS\mstask.dll


Now click fix checked and close HijackThis.


Now double-click on the RemoveEvil.reg file that you saved on your desktop earlier and allow it to merge with the registry.

Step 4:

Double click on Killbox.exe and then check the delete on reboot button.

Enter the following bold text into the Full Path of File to Delete box:

D:\WINDOWS\mstask.dll

Click the red circle with the white X and say yes to the delete prompt but no to reboot now then repeat with any of the reverse named .bak or .ini files.

After you have input the last file name exit Killbox then reboot.

After your computer has rebooted please run Hijackthis again and post a new HijackThis log..

Attached Files


Edited by Papakid, 12 May 2005 - 07:01 PM.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#6 Davepoth

Davepoth
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:49 PM

Posted 13 May 2005 - 04:31 PM

Logfile of HijackThis v1.99.1
Scan saved at 22:28:42, on 13/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F821C3C-9FD8-C32D-62E2-E1758E7E3136} - (no file)
O2 - BHO: (no name) - {27D3B6E3-E657-0CBB-ECD4-39D0B459CE01} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D752C663-F1D2-97A1-111F-2373744DDD8C} - (no file)
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1105146571581
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe


Seems to be working much better now. Thanks!

#7 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:49 PM

Posted 14 May 2005 - 10:55 AM

You're welcome. Vundo is gone and your log is clean except for some 02 remnants that keep coming back. I believe these are just leftovers, but if you are having any other problems let me know.

Let's try one more time to clean them up.

It would be a good idea to run Disk Cleanup. Type cleanmgr in the run box by going to Start>Run. Have it clean out the following three:

Temporary Files
Temporary Internet Files
Recycle Bin

Then boot into safe mode and use this method to double-check:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button.

Scan again with HijackThis and check the following:

O2 - BHO: (no name) - {1F821C3C-9FD8-C32D-62E2-E1758E7E3136} - (no file)
O2 - BHO: (no name) - {27D3B6E3-E657-0CBB-ECD4-39D0B459CE01} - (no file)
O2 - BHO: (no name) - {D752C663-F1D2-97A1-111F-2373744DDD8C} - (no file)


Click Fixed Checked and reboot.

Scan again with HijackThis. If the 02's come back try fixing them again in normal mode.

Then rescan and post another log, please.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users