Could someone review my HJT log?

Status
Not open for further replies.
Hi, I am looking for some help with a nasty virus/malware thing I managed to get on my computer. I have read and followed the very useful 15-step instructions that Julio gives in a 12/1/07 post.

I skipped step 12, however, the step that tells you to run Combofix, because when I began to run the program I got a warning that said 1/100 computers are reformatted when they run Combofix. I didn't like the odds and was scared to run the program.

I have gone ahead and changed all the banking and password information I've accessed from this computer in the past, as per other instructions from Julio. Thank you for this reminder! I'm hoping I'm in the clear with this...

I have attached my HJT log. This was run after the cleansing process. I would be very grateful if someone in this community would have a look.

Damon
 

Attachments

  • hijackthis.log (8.6 KB)
Thanks. That's a relief. This piece of malware took over my desktop image and was causing all sorts of disturbing issues. I'm glad to have it off. ...seems too easy, though.

Besides regularly running the malware/spybot/etc scanning programs I've downloaded. Is there anything else I should be doing to be sure there is no lingering infection hidden somewhere?
 
Use common sense. :)
Try to avoid "bad" websites, P2P Programs, and make sure you don't have any Open Ports.
START > Accessories > System Tools > Security
Or in Windows Vista, access it via the command prompt.

Here's a small piece of advice. Before you run anything you download from the internet, try scanning it on www.virustotal.com

That's what I do, and have never been infected.
 
Please note: your system is infected with malware. Before reviewing HijackThis, run Malwarebytes:
Step 4 Malwarebytes' Anti-Malware
* Please download Malwarebytes' Anti-Malware from here:
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to
  o Update Malwarebytes' Anti-Malware
  o and Launch Malwarebytes' Anti-Malware
* then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please attach this log with your reply.
  o If you accidentally close it, the log file is saved here and will be named like this:
  o C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

When through, run HijackThis again and attach both logs.

FYI:
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
Command: wrapper.exe
Description: Added by the W32/Vanebot-D worm and IRC backdoor.
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
 
Thanks Bobeye.
I use a program called Maya 7 for rendering...
And I must've seen it and skipped right over it.

I mean, I posted this pretty late...
 
But this user went away thinking the system was clean - not good. It is entirely possible that the user will not be back yet.
 
Thanks for catching this! The computer is working very well, and so I had assumed I had scrubbed out any malware. Disturbing to hear I hadn't.

Okay, I ran mbam again, and the log is attached. It didn't catch anything. I have also attached a new hjt log.

Let me know my next steps. I'm very grateful for your help -- thanks.
 
Some issues:
You need to temporarily disable any Real Time programs when running malware scans. This is one of them:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Here are instructions:

You are way behind in Windows Updates
Windows XP SP1

You have an old version of Adobe:
Adobe\Acrobat 7.0\
You need to update to Adobe Reader v9, but it requires you to have SP2:
Adobe Reader 9 (includes Acrobat.com on Adobe AIR) - Adobe Reader, Windows XP SP2 - SP3, English
https://www.techspot.com/downloads/2083-adobe-reader-dc.html

Your Java is not current:
Java\jre1.6.0_05
You need to update to Version 6 Update 7. Download from here:
https://www.techspot.com/downloads/6463-java-se.html

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into Safe Mode.
(Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.)

Please go to Start > Control Panel > Add/Remove Programs and remove the following :
C:\Program Files\Adobe\Acrobat 7.0
C:\Program Files\Java\jre1.6.0_05
C:\Program Files\Alias\Maya7.0

Reboot into Normal Mode and rescan with HijackThis, without Tea Timer running. Post the log.
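The O2/O4/O8/O9 lines quoted in the post above, and the two Maya-directory files flagged as W32/Vanebot-D earlier in the thread, all follow the same HijackThis entry format: a section code, a dash, and a body that names a registry location or menu item, an optional CLSID, and a file path. The following is an added example, not code from the thread or from HijackThis itself: a small Python parser for that format that extracts section, kind, CLSID and path, then flags any entry whose path matches the two Vanebot-D files named in the thread and any O4 autostart whose target HijackThis could not resolve (`= ?`). It handles any section code, not only the four quoted. The sample log is constructed from entries quoted in the thread; the two `[wrapper]` and `[java]` Run entries and their value names are assumptions, since the thread gives only the file paths.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One HijackThis entry: "<section> - <body>", e.g. "O4 - HKCU\..\Run: [Name] C:\path\file.exe".
_ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2})\s+-\s+(?P<body>.+)$")

# First Windows file path in the body. Non-greedy up to a known binary extension, so
# paths with spaces ("C:\Program Files\...") and dotted directories (jre1.6.0_05) stay whole.
_PATH_RE = re.compile(
    r'(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|cpl|ocx|bat|cmd|vbs))',
    re.IGNORECASE,
)
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Indicators quoted in the thread: the two files the helper attributed to the
# W32/Vanebot-D worm / IRC backdoor. Compared case-insensitively.
WATCHLIST = {
    r"c:\program files\alias\maya7.0\docs\wrapper.exe",
    r"c:\program files\alias\maya7.0\docs\jre\bin\java.exe",
}

# Constructed sample built from entries quoted in the thread. The two Run entries
# for wrapper.exe and java.exe (and their value names) are assumptions: the thread
# gives only the file paths, not the log lines.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Run: [wrapper] C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O4 - HKLM\..\Run: [java] C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
"""


@dataclass
class HjtEntry:
    section: str           # "O2", "O4", ...
    kind: str              # text before the first ": " in the body, e.g. "HKCU\..\Run" or "BHO"
    body: str
    path: Optional[str]    # first file path in the entry, None if absent (e.g. "= ?")
    clsid: Optional[str]   # {GUID} for BHO / menu-item entries, else None


def parse_entry(line: str) -> Optional[HjtEntry]:
    """Parse one log line; return None for lines that are not HijackThis entries."""
    m = _ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    kind = body.split(": ", 1)[0]
    pm = _PATH_RE.search(body)
    cm = _CLSID_RE.search(body)
    return HjtEntry(
        section=m.group("section"),
        kind=kind,
        body=body,
        path=pm.group("path") if pm else None,
        clsid=cm.group(0) if cm else None,
    )


def parse_log(text: str) -> List[HjtEntry]:
    """Parse a whole log, silently skipping headers, blank lines and other non-entries."""
    entries = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is not None:
            entries.append(e)
    return entries


def review(entries: List[HjtEntry], watchlist=WATCHLIST) -> List[Tuple[HjtEntry, str]]:
    """Return (entry, reason) pairs a log reviewer would want to look at first."""
    findings = []
    for e in entries:
        if e.path is not None and e.path.lower() in watchlist:
            findings.append((e, "path on watchlist"))
        elif e.section == "O4" and e.path is None:
            # Autostart whose target HijackThis could not resolve: check the .lnk by hand.
            findings.append((e, "autostart with unresolved target"))
    return findings


if __name__ == "__main__":
    for entry, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{entry.section} {reason}: {entry.body}")
```

Run as-is it reports the two constructed Maya entries and the unresolved Speed Launcher shortcut; everything else (TeaTimer, the Java updater, the Acrobat context-menu items) parses cleanly but is left for the reviewer, which matches how the thread treated them: old software to update or remove, not indicators on their own.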
 
Acrobat 7.0

I am unable to remove the program Acrobat 7.0! This must be the source of the problem. When I try to remove it, a window opens with installation instructions. What to do?

I've followed the instructions above as best I could. (I'm embarrassed to say, I'm having trouble updating Windows -- the updates I receive automatically don't take me past SP1). This Acrobat thing is definitely the issue. How to kill it?
 
Removing Adobe

Hi:

IF having problems removing Adobe, I found the following on the Adobe Support Forums:
"First you need to go to Microsoft Support and download the Windows Installer Cleanup Utility AKA MSIcuu2.exe. Here is the link: http://support.microsoft.com/default.aspx?scid=kb;en-us;290301. Save it to your desktop and get out of the program.

I have XP, so I went to Start, then Search and looked for MSICuu2.exe. When the icon shows up, run the program. After it's done its thing, you will get a list of files. Click on Adobe and it will remove it." IF this does not work, you should consider using the FREE "Revo Uninstaller" from www.revouninstaller.com.

When you have Win XP SP1 as I do, the appropriate Java from Sun is their 5.0 ("1.5") Series, NOT their 6.0 ("1.6") Series, so you should uninstall your current Java AND ALL other versions of "it" you have, then go to http://java.sun.com/javase/downloads/index_jdk5.jsp and click the "Java Runtime Environment (JRE) 5.0 Update 16" Download button. There is a possibility IF you uninstall the current Java that you MAY be able to more easily uninstall the Adobe!? I have never heard of anybody having problems uninstalling Adobe prior to your Post.
 
When you have Win XP SP1> SpiritWind
You are also way behind in the Windows Updates. I suggest you install SP3 as soon as possible.

I'm having trouble updating Windows -- the updates I receive automatically don't take me past SP1> alphabetic
Then there is a problem - either something is blocking the update site or it's not set up correctly. You should have gotten SP2 some years ago and numerous regular updates since. You also need to get SP3 on the system as soon as possible. Once done, you should update all programs accordingly, including Adobe.
Please check this Windows Update site: http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us

Please download the Java v6u7 as previously referred to. The 'only' system requirement for you is Windows XP Home - no Service Pack is specified: https://www.techspot.com/downloads/6463-java-se.html

I'm still not seeing any IE Start and Search pages (R0, R1, R2, R3). Your log starts with BHO = browser helper objects.

Since you'll need a PDF Reader and cannot update Adobe until you have at least SP2, you can get the free Foxit Reader. This does the same thing as Adobe, with less bloat: https://www.techspot.com/downloads/2713-foxit-reader.html

For the files or programs you cannot uninstall, use the Windows Installer Cleanup Utility. It is a small download, save to your desktop, run from there. Once installed, open the program and remove those files:
http://support.microsoft.com/default.aspx?scid=kb;en-us;290301

When all this is done, we'll run one more HijackThis log and remove any remaining entries.
 