TechSpot

!update-4395[1].0000

By mmejido
Aug 13, 2007
  1. Hi everyone. I've been pulling my hair out over this, with no solution.

    This afternoon I downloaded a program and got hit with a virus. I've literally been on the 'net for the past 8 hours searching the name of it, and following other people's instructions on how to deal with it. It's still there :(

    OK. Forgive me if I am not giving the proper log files - I believe anyone that helps me is going to need at least the HijackThis log? That's what I'll be posting. If you need more, please let me know!

    As we speak, AVG just found I have:

    1) !update.exe c:\Documents and Settings\Michael\Local Settings\Temp\!update.exe

    2) !update-4395[1].0000 c:\Documents and Settings\Michael\Local Settings\Temporary Internet Files\Content.IE5\4JWFKTYL\!update-4395[1].0000


    I've been running AVG, Ad-Aware, VundoFix, HijackThis, everything I can possibly think of, and it's all still there. Sigh :(


    Sorry. The txt file is so big I put it on my website:
    http://www.michaelmejido.com/hjt.txt


    Can anyone help? Thanks for your time.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Your system is infected with a variety of malware.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of mmejido only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. mmejido

    mmejido TS Rookie Topic Starter

    Thank you Howard. I will be doing all this right away, but it might take me a day or so because I work full time. I will be getting on all this right now though.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Since you're short of time, take a look at this similar thread:
    http://www.techspot.com/vb/topic48164.html

    If this is being shown as a virus, it's this:
    Note: update.exe is registered as the W97M.Exedrop downloader. This process usually comes bundled with a virus or spyware and its main role is to do nothing other than download other viruses/spyware to your computer.

    But it can also be a process belonging to an advertising program, as well as a legitimate process for the Spyware Doctor Internet Security product.

    And both of the files you referenced can be deleted as they are temporary internet files and .tmp files.
     
  5. mmejido

    mmejido TS Rookie Topic Starter

    OK. My apologies for this taking so long.

    Here are the three logs you wanted:
    http://www.michaelmejido.com/htj.txt
    http://www.michaelmejido.com/avgantispy.txt
    http://www.michaelmejido.com/combo.txt


    The only thing I couldn't get working was Ad-Aware. It would always crash no matter how many times I tried installing it.

    The AVG Antirootkit scan showed nothing.

    Even though the antispy log shows that no action was taken on anything, I did quarantine the 12 things that were 'high' risk.

    I actually had thought I wiped my computer clear of everything halfway through the 15 steps... but I'm noticing that XP is hanging mightily while it loads up (it'll play the XP intro sound, and then hang for like 20 seconds while something loads up... God only knows what. I'd like to think it's all the antivirus software that I now have on the computer, but it might not be).

    During the actual operation of the computer, everything seems OK. Again, the only symptom is the computer taking a lot longer to load up XP and stalling during the 'welcome' screen.

    Also, HijackThis is really showing a lot of stuff that probably shouldn't be there.


    OK Howard, anything you can suggest I do, I will do :)

    - Michael
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    These are the filepaths you need to enter into Vundofix.

    C:\WINDOWS\system32\qhcbbi.dll
    C:\WINDOWS\SYSTEM32\winjyp32.dll

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Viewpoint Manager Service
    SymWMI Service (SymWSC)

    Close the services window.

    Go to add remove programmes in your control panel and uninstall anything to do with the following (if there).

    Viewpoint
    Viewpoint Manager

    Close control panel.

    Open your task manager by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    w?auboot.exe
    ViewpointService.exe
    ViewMgr.exe
    mgrs.exe
    PowerReg Scheduler V3.exe
    SymWSC.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    O2 - BHO: (no name) - {4BF1A7C2-440D-3C8D-2174-3EB67E49A2C8} - C:\WINDOWS\system32\qhcbbi.dll

    O2 - BHO: (no name) - {E5C75780-B092-420E-9928-19D3F0EFF604} - C:\WINDOWS\system32\pmnno.dll (file missing)

    O4 - HKLM\..\Run: [smgr] mgrs.exe

    O4 - HKCU\..\Run: [Ggcy] C:\WINDOWS\system32\??pPatch\w?auboot.exe

    O4 - Startup: PowerReg Scheduler V3.exe

    Fix all O18 - Protocol: entries.

    O20 - Winlogon Notify: nnnomml - nnnomml.dll (file missing)

    O20 - Winlogon Notify: winjyp32 - C:\WINDOWS\SYSTEM32\winjyp32.dll

    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Program Files\Viewpoint < Delete the entire folder.
    C:\Program Files\Common Files\Symantec Shared < Delete the entire folder.
    C:\WINDOWS\system32\??pPatch < Delete the entire folder.

    PowerReg Scheduler V3.exe < Search your system for this file and delete all instances found.
    mgrs.exe < Search your system for this file and delete all instances found.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as an Attachment.

    Regards Howard :)

    This thread is for the use of mmejido only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
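    Added here as an illustration, not part of the thread and not HijackThis's own code: a small Python parser for the four HJT line shapes Howard lists above (O2 BHO, O4 Run/Startup, O20 Winlogon Notify, O23 Service), run over sample lines copied from his post. The three triage flags are my heuristics, not HJT's: an entry whose target file is gone, a path containing characters HJT could not render (printed as '?'), and a Run value that names a bare executable with no directory.

```python
import re
from dataclasses import dataclass, field
@dataclass
class Entry:
    section: str   # HJT section: O2, O4, O20 or O23
    name: str      # BHO CLSID, Run value name, Winlogon Notify subkey or service name
    path: str      # file path / command line exactly as HJT printed it
    flags: list = field(default_factory=list)
# One regex per line shape that appears in the thread's log excerpts.
PATTERNS = [
    ("O2", re.compile(r"^O2 - BHO: .*? - (?P<name>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")),
    ("O4", re.compile(r"^O4 - [^:]+: \[(?P<name>[^\]]+)\] (?P<path>.*)$")),
    ("O4", re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.*?)(?: = (?P<path>.*))?$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")),
    ("O23", re.compile(r"^O23 - Service: (?P<name>.*?) - .*? - (?P<path>.*)$")),
]
def triage(e: Entry) -> Entry:  # heuristics are mine, not HijackThis's
    p = e.path
    if p == "(no file)" or p.endswith("(file missing)"):
        e.flags.append("orphaned: points at a file that no longer exists")
    if "?" in p:
        e.flags.append("path has characters HJT could not render (shown as '?')")
    if e.section == "O4" and p and "\\" not in p and "%" not in p:
        e.flags.append("bare file name: resolved via PATH search at logon")
    return e

def parse_log(text: str) -> list:
    """Parse the O2/O4/O20/O23 lines of an HJT log; other line shapes are skipped."""
    entries = []
    for line in text.splitlines():
        for section, rx in PATTERNS:
            m = rx.match(line.strip())
            if m:
                entries.append(triage(Entry(section, m.group("name"), m.group("path") or "")))
                break
    return entries

def suspicious(text: str) -> list:
    return [e for e in parse_log(text) if e.flags]

# Sample lines copied from Howard's removal list above; a real HJT log is much longer.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {4BF1A7C2-440D-3C8D-2174-3EB67E49A2C8} - C:\WINDOWS\system32\qhcbbi.dll
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Ggcy] C:\WINDOWS\system32\??pPatch\w?auboot.exe
O4 - Startup: PowerReg Scheduler V3.exe
O20 - Winlogon Notify: nnnomml - nnnomml.dll (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""
```

A flagless entry is not thereby clean: qhcbbi.dll passes every check here and is still on Howard's removal list.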
     
  7. mmejido

    mmejido TS Rookie Topic Starter

    OK. Just did all that.

    1) deleted qhcbbi.dll & winjyp32.dll

    2) viewpoint manager service & symWMI were not in services.msc

    3) viewpoint & viewpoint manager were not there to be removed as programs

    4) all the programs you asked me to delete in the taskbar were not there

    5) none of the hjt entries were there.

    6) deleted the entire viewpoint & Symantec Shared folders. ??pPatch folder was not there.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Unfortunately, you have posted a HJT log from safe mode. Please post a HJT log from normal mode.

    Regards Howard :)

    This thread is for the use of mmejido only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. mmejido

    mmejido TS Rookie Topic Starter

    OK, here you go.

    I'd still tell you that the load-up is funky. And I see it loading up a window in the beginning, and it immediately disappears. I know it's still doing *something* screwy.

    Here's the HJT log in normal mode.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is clean.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    The items below are optional and can safely be fixed with HJT. This should help to speed up your system. The more items you have running on startup, the slower your system will boot.

    Feel free to fix any or all the items below.

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

    O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe

    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r

    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

    O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden

    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - Startup: Gmail Notifier.lnk = C:\Program Files\Google\Gmail Notifier\gnotify.exe

    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    Click on the fix checked button.

    Close HJT.

    The Services listed below are also optional. Feel free to disable any or all.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Adobe LM Service
    AVG Anti-Spyware Guard
    Creative Service for CDROM Access
    GEARSecurity
    Intel(R) Active Monitor (imonNT)
    Windows Media Player Network Sharing Service

    Close the services window and reboot your system.

    Go and read this thread HERE for info on how to speed up your system.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of mmejido only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. mmejido

    mmejido TS Rookie Topic Starter

    Howard, I will do all of that as soon as possible.

    However, I'm noticing yet another problem. XP's time is now military for some reason. Right now it's saying that my time is 16:01. Oy. Would you know how to fix that too?

    Thanks :(
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Passing by, saw this and thought I'd let you know:
    To change the clock back to the 12-hour setting:

    In Windows XP:
    Control Panel> Regional Options> Customize> Time tab>
    Change Time format to hh:mm:ss tt for a 12-hour clock.

    (Use the lower-case hh for the 12-hour clock. HH is for the 24-hour military time, which is what you will see.)
     
  13. mmejido

    mmejido TS Rookie Topic Starter

    Bobbye, that worked perfectly. Thanks. I almost worry about why it got changed in the first place?

    Howard, I will get working on your instructions ASAP!
     
  14. mmejido

    mmejido TS Rookie Topic Starter

    Well, things seem to be OK now Howard :) I will wait a few days before making a final conclusion, but you have definitely helped me greatly. Thank you SO much.

    You do get paid for this, right? ;)
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Nope, I do it because I enjoy it and nothing more, as do the rest of our Techspot regulars.

    Regards Howard :)
     
Topic Status:
Not open for further replies.