Hijack Logs To Tom Coyote

Discussion in 'Computer Security' started by John Gregory, Jun 13, 2006.

  1. John Gregory

    John Gregory Guest

    My McAfee version 9+ took a hit from a surprise flash from WinAntiVirus PRO
    2006 this weekend. I've been frantically trying to resolve it. I ran
    Ad-Aware and Spybot, found the ... thing... and Spybot (I think) cleaned it.
    I got advice on an MS forum from an MVP to run VundoFix from
    http://www.atribe.org. I did and found nothing.

    The problem I'm having is that the Security Center and VirusScan screens of
    McAfee are blank. It appears the virus software is running but the controls
    are hidden.

    The lead guy on the McAfee forum suggested all the things I did but when I
    reported I was still left with blank screens, he suggested I run Tom
    Coyote's HiJackThis program and post the log on one of 4 forums. I guess I
    will... if I have to; I must get this fixed quickly.

    My question here, aside from learning if anyone here has some sage advice
    that will help (we'll call that "Q1"), is this:

    (Q2) Will that log carry my private keys to numerous websites and software;
    passwords and account numbers?

    (Q3) If they are at risk, aside from not posting the log, how can I protect
    the private info?
     
    John Gregory, Jun 13, 2006
    #1

  2. John Gregory wrote:

    > I ran Ad-Aware and Spybot, found the ... thing...


    What "thing"?

    > and Spybot (I think) cleaned it.


    Relying on malware removal is stupid. If it was a real, verifiable
    threat, then you should flatten and rebuild ASAP.

    > The problem I'm having is that the Security Center and VirusScan screens of
    > McAfee are blank. It appears the virus software is running but the controls
    > are hidden.


    Most likely it is because McAfee stuff is totally fucked up with ActiveX
    and MSHTML nonsense, so even disabling ActiveX in IE's security zone
    "Internet" breaks it totally.

    > The lead guy on the McAfee forum suggested all the things I did but when I
    > reported I was still left with blank screens, he suggested I run Tom
    > Coyote's HiJackThis program and post the log on one of 4 forums. I guess I
    > will... if I have to; I must get this fixed quickly.


    Geez, you could have already reinstalled your system. For sure if it is
    for real, you won't fix it.

    Anyway, why don't you give a try to automated evaluation at
    http://www.hijackthis.de?

    > (Q2) Will that log carry my private keys to numerous websites and software;
    > passwords and account numbers?


    Very unlikely.

    > (Q3) If they are at risk, aside from not posting the log, how can I protect
    > the private info?


    Reading the log yourself?
     
    Sebastian Gottschalk, Jun 13, 2006
    #2

  3. John Gregory

    John Gregory Guest

    Thanks for the reply, Sebastian. The "thing" is whatever "WinAntiVirus PRO
    2006" is. The guy at McAfee said: "I looked it up and it is regarded as spyware
    in most circles."

    >>Relying on malware removal is stupid. If it was a real, verifiable threat,
    >>then you should flatten and rebuild ASAP.<<

    What do you recommend? I've obviously got to make some changes here so now's
    the time to do it right. I'm hoping I may not have to flatten and rebuild
    because that's going to be a bit of a job for me. Years ago, I began putting
    all my user files and critical program files that setup the various programs
    I use into one folder set separate from "My Documents". The plan was to
    automate backup of that entire file set. I bought a new machine two years
    ago but never got educated on using the R/W drive. My data is all set to
    go... but I haven't gone anywhere. So if I've got to reformat, I've got to
    copy that critical folder set first. I know... don't even say it. What an
    idiot I've been.

    As for reading those logs... I don't have that level of knowledge. It has to
    be done by those people on the forums.

    Any suggestions you can give (and I'll take the chiding. I deserve it.)
    would be appreciated.


     
    John Gregory, Jun 13, 2006
    #3
  4. John Gregory wrote:

    > I'm hoping I may not have to flatten and rebuild because that's going
    > to be a bit of a job for me.


    If your system was compromised, then flattening and rebuilding is the
    only reasonable way to regain a trusted and reliable system. And exactly
    because it's so time-consuming, you should consider some things:

    - When utilizing the Least Privilege principle correctly, you only need to
    flatten the user's account.
    - Avoiding the malware in the first place saves you from such circumstances.
    - Backups are great!

    > Years ago, I began putting all my user files and critical program
    > files that setup the various programs I use into one folder set
    > separate from "My Documents".


    "My Documents" is a confusing and useless redirect within the file system.

    > The plan was to automate backup of that entire file set.


    Hm... xcopy $src $dst /m /d /e /c /i /f /h /z ? What a hard plan. :)

    > I know... don't even say it. What an idiot I've been.


    Point is that you cannot trust compromised data. So the programs need to
    be downloaded or copied again, whereas the non-executable user data
    should be carefully analyzed for sanity. For your favorite pr0n JPEG
    collection or your savegames this might not make any difference, but it is
    relevant for e.g. a spreadsheet with money accounting data - one
    additional '0' in your tax declaration could become a serious problem.

    > As for reading those logs... I don't have that level of knowledge. It
    > has to be done by those people on the forums.


    HijackThis gives a pretty clear description of what these log entries are
    telling you. Usually the rest is actually an interpretation based on what
    you know about your system (software installation base, configuration).
    E.g. I'm fully aware that my HOSTS file has been relocated and is not
    writable as a restricted user :)

    > Any suggestions you can give (and I'll take the chiding. I deserve
    > it.) would be appreciated.


    Fix your quoting. :)
     
    Sebastian Gottschalk, Jun 13, 2006
    #4
  5. From: "John Gregory" <>

    | My McAfee version 9+ took a hit from a surprise flash from WinAntiVirus PRO
    | 2006 this weekend. I've been frantically trying to resolve it. I ran
    | Ad-Aware and Spybot, found the ... thing... and Spybot (I think) cleaned it.
    | I got advise on a MS forum from a MVP to run VundoFix from
    | http://www.atribe.org. I did and found nothing.
    |

    < snip >

    Pop-Ups for WinAntiVirus PRO, WinAntiSpyware PRO, and the AMAENA.COM web site are sure signs
    of the Vundo Trojan or Virtumonde adware. This type of malware has been found to exploit
    vulnerable versions of Sun Java.

    Realize that this is NOT the best place for discussions like this. There are
    anti-virus/anti-malware newsgroups specifically for this type of discussion.

    microsoft.public.security.virus
    alt.comp.virus
    alt.comp.anti-virus
    alt.privacy.spyware



    Two phase answer...

    Perform Part 1 then perform Part 2

    If the first two parts don't work, perform the alternate utility.

    It is suggested that you execute each tool in Normal Mode then in Safe Mode.

    If you are using any version of Sun Java that is prior to JRE Version 5.0,
    then you are strongly urged to remove any/all versions that are prior to JRE/JSE
    Version 5.0. There are vulnerabilities in them and they are actively being exploited.
    This is most likely why you got infected with malware.

    Therefore, it is highly suggested that if there are any versions of Sun Java
    prior to Version 5 on the PC, they be removed and Sun Java JRE/JSE Version 5.0 Update 7
    be installed ASAP.

    Simple check, look under...
    C:\Program Files\Java

    The only folder under that folder should be the latest version...

    C:\Program Files\Java\jre1.5.0_07


    http://www.java.com/en/download/manual.jsp



    Part 1
    ------------
    Download Adware-Virtumundo Removal Tool --
    http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

    Information on the Adware-Virtumundo Removal Tool:
    http://forums.mcafeehelp.com/viewtopic.php?t=57049

    Part 2
    ------------
    Download WinFixerFix.exe from the URL --
    http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

    Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
    Choose; Unzip
    Choose; Close

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to enable WGET.EXE to download the needed McAfee related files.

    Execute; c:\mcafee\clean.bat
    { or Double-click on 'Clean Link' in c:\mcafee }

    A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
    C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
    displayed in your browser (Opera, Firefox or Internet Explorer). However, if you are using
    WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
    shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
    but your PC will automatically be shut down. It is suggested that you move the report out of
    c:\mcafee before performing another scan.

    It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
    report for each session.


    ALTERNATE:
    --------------

    Download Atribune's VUNDOFIX.EXE
    http://www.atribune.org/ccount/click.php?id=4

    Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.


    Please Copy and Paste the contents of the HTML Log files;
    C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

    * * * Please report back your results * * *



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Jun 13, 2006
    #5
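Dave's "simple check" above (look under C:\Program Files\Java and make sure the only folder left is the current jre1.5.0_07) can be automated so it is not done by eye. The script below is an added example written for this page, not code from Dave, McAfee or Sun. It assumes only the folder-naming convention Sun's Windows installers used at the time: "j2re1.4.2_NN" for the 1.4 line and "jre1.5.0_NN" for the 5.0 line (marketed as "Java 5", versioned 1.5.0 internally). Anything that does not match that pattern, such as a stray "Java Web Start" folder, is reported for manual review rather than guessed at. The folder listing in the `__main__` block is constructed sample input.

```python
import os
import re

# Folder names Sun's Windows installers create under C:\Program Files\Java.
# "j2re1.4.2_08" is the 1.4 line, "jre1.5.0_07" the 5.0 line. The update
# suffix is optional because some early builds installed without one.
JRE_DIR_RE = re.compile(r"^(?:j2re|jre)(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")

# Minimum acceptable runtime: 5.0 Update 7, the version recommended in the thread.
REQUIRED = (1, 5, 0, 7)


def parse_jre_dir(name):
    """Turn 'jre1.5.0_07' into (1, 5, 0, 7); None for non-runtime folders."""
    m = JRE_DIR_RE.match(name)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def audit_java_dirs(names):
    """Split folder names into stale runtimes, acceptable ones and unknowns.

    Tuple comparison does the version ordering: (1, 4, 2, 8) and (1, 5, 0, 6)
    both sort below REQUIRED, (1, 5, 0, 7) does not.
    """
    stale, current, other = [], [], []
    for name in names:
        version = parse_jre_dir(name)
        if version is None:
            other.append(name)
        elif version < REQUIRED:
            stale.append((name, version))
        else:
            current.append((name, version))
    return stale, current, other


def audit_installed(base=None):
    """Run the audit against the real Java folder; empty buckets if it is absent."""
    if base is None:
        base = os.path.join(os.environ.get("ProgramFiles", r"C:\Program Files"), "Java")
    if not os.path.isdir(base):
        return [], [], []
    return audit_java_dirs(os.listdir(base))


if __name__ == "__main__":
    # Constructed listing standing in for a real C:\Program Files\Java.
    sample = ["j2re1.4.2_08", "jre1.5.0_06", "jre1.5.0_07", "Java Web Start"]
    stale, current, other = audit_java_dirs(sample)
    for name, _ in stale:
        print("REMOVE :", name)
    for name, _ in current:
        print("KEEP   :", name)
    for name in other:
        print("REVIEW :", name)
```

The folder scan only sees what Sun's installer put under that path; as Dave says in his next reply, Add/Remove Programs is the authoritative list of installed versions, so treat a clean folder listing as confirmation of the uninstall, not a substitute for it.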
  6. John Gregory

    John Gregory Guest

    David, that's the most detailed, thorough report I've gotten in all the
    forums. I appreciate this. I was just getting set to run that HijackThis log
    and post it in one of those guru forums like TomCoyote. Would that be
    preferable to doing all this here? Your information certainly won't go to
    waste. I now have an idea of what to expect. And I learned earlier today
    from someone else that Java was a possible open door through which I was
    hit. My version is 2re1.4.2. Should I remove all Java files through Control
    Panel/Add or Remove first then download and install? Or go to the Java site
    and let the automatic download occur then remove the old?

     
    John Gregory, Jun 14, 2006
    #6
  7. From: "John Gregory" <>

    | David, that's the most detailed,thorough report I've gotten in all the
    | forums. I appreciate this. I was just getting set to run that HijackThis log
    | and post it in one of those guru forums like TomCoyote. Would that be
    | preferred than doing all this here? Your information certainly won't go to
    | waste. I now have an idea of what to expect. And I learned earlier today
    | from someone else that Java was a possible open door through which I was
    | hit. My version is 2re1.4.2. Should I remove all Java files through Control
    | Panel/Add or Remove first then download and install? Or go to the Java site
    | and let the automatic download occur then remove the old?
    |


    Your version of Sun Java is certainly a vulnerable version. No doubt about that. There is
    a very good chance that is how you got infected.

    Go to the control panel applet "Add/Remove Programs" and remove any/all Sun Java versions
    then download and install version 5 update 7 which is the latest version.

    As for HJT. It details Browser Helper Objects (BHOs) and it makes identifying them easy
    and the Vundo Trojan/Virtumonde Adware use BHOs.

    Now there is always the chance you have a new version that the utilities I posted are not
    aware of. This family of malware morphs regularly.

    Go through the steps I provided, if they don't work then we'll go from there :)

    After you run VirtumundoBeGone.exe you could post the VBG LOG file

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Jun 14, 2006
    #7
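The HijackThis log the thread keeps returning to can be read mechanically: Sebastian's point in #4 that the entries are understandable once you know what each section is, John's Q2/Q3 about what private data the log carries, and Dave's note just above that HJT lists the Browser Helper Objects this malware family uses. The script below is an added example written for this page, not code from HijackThis, Tom Coyote's site or any poster. It classifies log lines by their section prefix, pulls the name, CLSID and DLL path out of O2 (BHO) entries, flags the two things a reader would look up first, and strips the Windows account name out of profile paths before the log is posted. The section descriptions follow HijackThis 1.99's numbering; the flagging heuristics are my own, not HJT's or Vundo indicators; and the sample log, CLSIDs, DLL names and account name are constructed placeholders.

```python
import re

# Descriptions for the HijackThis section prefixes used in the sample below.
# Anything not listed is reported as an unknown section rather than guessed at.
SECTION_DESCRIPTIONS = {
    "R0": "Internet Explorer start/search page registry value",
    "R1": "Internet Explorer default page registry value",
    "O1": "HOSTS file entry (name-to-address override)",
    "O2": "Browser Helper Object (BHO) loaded into Internet Explorer",
    "O4": "Program launched from a Run key or the Startup folder",
    "O23": "Windows service",
}

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
# Windows XP profile path: the directory after "Documents and Settings" is the
# account name, the one piece of personal data an HJT log routinely carries.
PROFILE_RE = re.compile(r"(C:\\Documents and Settings\\)([^\\]+)", re.IGNORECASE)


def parse_line(line):
    """Classify one HijackThis log line; None for header/non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {
        "section": section,
        "description": SECTION_DESCRIPTIONS.get(section, "unknown section"),
        "flags": [],
    }
    if section == "O2":
        b = BHO_RE.match(body)
        if b:
            entry.update(name=b.group("name"), clsid=b.group("clsid"), path=b.group("path"))
            # HJT prints "(no name)" when the BHO registered no display name.
            # Not proof of anything, but it is the entry to look up first by
            # CLSID and DLL path, since legitimate BHOs almost always carry a name.
            if entry["name"] == "(no name)":
                entry["flags"].append("unnamed BHO; look up CLSID and DLL path")
    elif section == "O1":
        h = HOSTS_RE.match(body)
        if h:
            entry.update(ip=h.group("ip"), host=h.group("host"))
            # Mapping a name to loopback blocks it; mapping it anywhere else
            # silently redirects it, which is what a hijacker wants.
            if h.group("ip") != "127.0.0.1":
                entry["flags"].append("HOSTS redirect to non-loopback address")
    return entry


def redact(text):
    """Replace the Windows account name in profile paths with <user>."""
    return PROFILE_RE.sub(r"\1<user>", text)


def analyse(text):
    """Return (parsed entries, redacted log text) for a whole HJT log."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return entries, redact(text)


# Constructed sample log, not a real capture. CLSIDs, DLL names and the
# account name are placeholders.
SAMPLE = r"""Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O1 - Hosts: 192.0.2.10 www.example.net
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\abcde.dll
O4 - HKCU\..\Run: [ExampleUpdater] C:\Documents and Settings\alice\Application Data\Example\update.exe
"""

if __name__ == "__main__":
    entries, clean = analyse(SAMPLE)
    for e in entries:
        print(e["section"], "-", e["description"], "|", "; ".join(e["flags"]) or "ok")
    print(clean)
```

On Q2, what the output shows is what the log is made of: registry values, file paths, CLSIDs and host names. The personal item that does show up is the account name inside profile paths, which `redact()` replaces; run the redacted text back through `analyse()` to confirm every entry still parses before posting it.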
  8. John Gregory

    John Gregory Guest

    There were 3 Java entries. Two were definitely Java programs for browsers
    but I'm not sure I know what the last one is; I haven't removed it. It's
    called "Java Web Start", is 2.06 MB, and was last used 4-5-04 (but I'm not
    sure how accurate that little tool is 'cause Quicken was last used 6-11-06
    but the log says 4-22-05.)

    Delete Java Web Start before I download the latest version of Java?

     
    John Gregory, Jun 14, 2006
    #8
  9. John Gregory

    John Gregory Guest

    I think I just answered my own question: "Using Java Web Start technology,
    standalone Java software applications can be deployed with a single click
    over the network. Java Web Start ensures the most current version of the
    application will be deployed, as well as the correct version of the Java
    Runtime Environment (JRE). "

    That came from the Java site. Right about now - according to that
    description - you've got to be asking yourself..."If that's supposed to
    ensure the most current version, how did this guy get zapped?" Ignorance! That's
    how! I remember seeing a notice to update and I ignored it... because I
    thought it's principally for gamers and I don't want those pop-ups while I'm
    reading all those news services. I now understand. I'll keep Java Web Start
    and install the latest version of Java now.
     
    John Gregory, Jun 14, 2006
    #9
  10. From: "John Gregory" <>

    | There were 3 Java entries. Two were definitely Java programs for browsers
    | but I'm not sure I know what the last one is; I haven't removed it. It's
    | called "Java Web Start", is 2.06 MB, and was last used 4-5-04 (but I'm not
    | sure how accurate that little tool is 'cause Quicken was last used 6-11-06
    | but the log says 4-22-05.)
    |
    | Delete Java Web Start before I download the latest version of Java?
    |

    Yes.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Jun 14, 2006
    #10
