Virus alert?

and here is the second part of it

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135526062\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [isDeleteMe] "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\CHARLI~1\LOCALS~1\Temp\isDel.bat"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIP] C:\WINDOWS\aip.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)
 
THANK YOU!!!! Problem fixed! I analyzed my hijackthis log on hijackthis.de. thanks for all of the help people! you got me out of a dire situation!
 
First things first, you need to uninstall one of your anti-virus programs. Running both McAfee and AVG at the same time is doing your machine's performance no favours at all. Both programs will be detecting each other's virus signatures in memory. As a result, you are actually lowering your security by having both.

You may wish to save these instructions to notepad or print them out for use while in Safe Mode.


Step 1

Re-configure Windows Explorer to show hidden files & folders:
How to Show Hidden Files & Folders

Ensure you're familiar with rebooting into Safe Mode:
How to Boot into Safe mode


Download the trial version of Ewido Anti-Malware

When installing Ewido, under "Additonal Options" uncheck "Install Background Guard" and "Install Scan Via Context Menu".

Launch Ewido and click "Update" on the left side of the main screen to update the definitions file.

Then click "Start Update".

When you receive the "Update successful" prompt, close Ewido.

Note: If you have any problems with the updater, you can Update Ewido Manually.



Step 2

Next, please reboot your computer in Safe Mode - Very Important !!

Scan with HijackThis again and checkmark the boxes before the following entries:-

R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)
O2 - BHO: Great Offers Displayer - {CE05B815-6F98-4ADD-AEB7-60BB2D4264F1} - c:\WINDOWS\bh.dll (file missing)
O4 - HKLM\..\RunOnce: [isDeleteMe] "C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\CHARLI~1\LOCALS~1\Temp\isDel.bat"
O4 - HKCU\..\Run: [AIP] C:\WINDOWS\aip.exe

Close ALL OTHER WINDOWS and click "Fix Checked"


Step 3

Use Windows Explorer to locate & delete the following file in bold:

C:\WINDOWS\aip.exe

*Right click the file and select delete.


Step 4

Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content", click OK.

Clean your Cache and Cookies in Firefox (if you also have Firefox installed):
Go to Tools > Options. Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window.
Alternatively, you can clear all information stored while browsing by clicking "Clear All".
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.


Step 5

Now open the SmitfraudFix folder on your desktop and double-click smitfraudfix.cmd

Select option #2 - "Clean" by typing 2 and pressing "Enter" to delete the infected files.

You will then receive the following prompt:

"Registry cleaning - Do you want to clean the registry ? (y/n)"

Type Y for yes and press "Enter" to remove the Desktop background and clean the associated registry keys for this infection.

The tool will then check if the file wininet.dll is infected.

You may be prompted to replace the infected file with another copy from your machine (if found):

"Replace infected file ? (y/n)"

Type Y for yes and press "Enter" to restore a clean copy of the file on your machine.

Restart your computer to complete the removal process.

(A log file of the fix can be found at the root of your system drive, usually at C:\rapport.txt)


Step 6

Reboot back into Safe Mode again and open Ewido Anti-Malware.

Click on Scanner and then Complete System Scan to begin scanning.

Warning: Do NOT open any other windows or your Control Panel while scanning as it may prevent scan completion!!

At the first infection, select "Remove" and checkmark the boxes beside "Perform action on all infections" and "Create encrypted backup" in the left corner.

Upon scan completion, click the Save report button and save the report.txt to your desktop.

Then close Ewido.


Step 7

Next go to Start > Control Panel and click Display | Desktop | Customise Desktop | Web | Webpages and uncheck any pages listed.

Reboot back to normal Windows mode and run an online scan at Panda ActiveScan

Once on the Panda site click the Scan your PC button and then the Check Now button on the nex screen.

Enter your details in the required fields.

Then click the big Scan Now button.

Allow the Active X component to install and download the necessary files.

When the download is complete, click on Local Disks to start the scan.

Upon scan completion, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Step 8

Post the the following in your next reply please:
  • Fresh HijackThis log (generated after the Panda scan)
  • C:\rapport.txt
  • Ewido Log.
  • Panda scan results.


Note: Your current Sun Java installation is very vulnerable to infection and needs updating. Click here for details.
 
Just seen your last post while I was preparing some instructions.

HijackThis.de is an utter joke. You're best leaving that site well alone in the future. ;)
 
alright i'll be sure to follow your steps just to be safe and your way seems more thorough.
 
It's not a question of thorough Gnarly. HijackThis.de is a tool with a pre-defined database of entries. It can't tell you how to fix your computer, it often fails to flag malicious entries and like all HijackThis logs, only comments on certain areas of your registry. You only have to look at the SmitfraudFix Option 1 log to see what malicious files were detected. How many of those are in your HJT log? Not many!!

Ewido will probably find quite a bit as well which you'd never have known about if relying on HijackThis.de ;)

HijackThis logs only give us an ruff idea of whats going on in your computer and should never be relied upon as absolute proof of a clean machine. Only by running numerous anti-malware tools can we give you a clean bill of health.
 
alright i'll be sure to follow your steps just to be safe and your way seems more thorough.
 
John McKenna said:
Just seen your last post while I was preparing some instructions.

HijackThis.de is an utter joke. You're best leaving that site well alone in the future. ;)
Click to expand...

no ones saying its perfect, but its not that bad at pinpointing stuff.
 
You must log in or register to reply here.

Similar threads

B
i keep getting an alert from AVG every minute or so. super annoying!
2
Replies
18
Views
2K
alyssa.robert235
A
P
ComboFix Replacement
Replies
5
Views
513
PC_Cone
P
Captain Xarzu
How do I ensure I properly get text alerts on my Android phone?
Replies
2
Views
862
Joe C
Joe C
D
JavaScript: console.log vs alert()
Replies
7
Views
1K
Software Dev Expert
S
O
hello & mostly clueless & would appreciate mac security help after trojan attack!
Replies
0
Views
926
once2023
O
Back
Top Bottom