Hi,
Bumping your thread multiple times makes your thread get overlooked. As can be seen in Step 5 of our
important-read-before-posting-malware-removal-help sticky, we require that no one bump a thread before 72 hrs have passed, and then, only once. Otherwise, it makes it seem as though it's being handled.
We look for 0 or 1 reply threads, working from the back to the front, chronologically. This forum is very busy, and helpers are all volunteers with real life issues and would appreciate patience and following of the rules.
Yes, we also have to perform a triage... if a set of logs does not appear to be infected, unfortunately, that one will get passed over in favor of those with a more immediate need.
Quote:
In looking at the registry items listed in Autoruns, I found at least two items that are tagged by http://www.bleepingcomputer.com/startups/ as potential virus or trojan files. The two files I first noticed are userinit.exe and Explorer.exe.
They are legitimate Windows files, although they could be used by malware, which doesn’t seem to be the case here.
===============================
Total Physical Memory: 254 MiB (512 MiB recommended).
This is a major cause for sluggishness. You need to increase the memory.
===============================
Scan with HijackThis and put a checkmark against the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: Internet.lnk = ?
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
Are you using this proxy? If not, you can include the following in the fix too:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pc-180-16-215-201.cm.vtr.net:8080
It may be helpful to know that when you put an item in your Trusted Zone, it has pretty much full access to your computer... Are you sure you trust these sites to that degree?? If you're not sure, and/or you do not need these in your trusted zone to facilitate access, or you did not knowingly permit this access yourself, then please check them to be removed:
O15 - Trusted Zone: *.aaa.com (HKCU)
O15 - Trusted Zone: *.buy.com (HKCU)
O15 - Trusted Zone: *.godaddy.com (HKCU)
O15 - Trusted Zone: *.jabberwock.net (HKCU)
O15 - Trusted Zone: http://jhfunds.com (HKCU)
O15 - Trusted Zone: http://jhnetwork.com (HKCU)
O15 - Trusted Zone: http://jhsalesnet.com (HKCU)
O15 - Trusted Zone: *.nickandelsa.com (HKCU)
O15 - Trusted Zone: https://www.sfnclientfacts.com [This is a link to a secure site (https://www.sfnclientfacts.com). The current site is not secure.] (HKCU)
The following ActiveX controls (Downloaded Program Files) will reinstall when (and if) you revisit that website;
UNLESS you know they are from a safe source, check to remove.
O16 - DPF: {9800DFDB-CC8D-48A3-AC45-2C313C5683CE} () - https://www.sfnclientfacts.com/ba32/...oadPicture.CAB
O16 - DPF: {984425BF-82C1-11D6-8152-00B0D026F003} () - http://hub.jhancock.com/mfcentral/co...nchNotesDB.CAB
O16 - DPF: {B5665C6C-2E8C-4b23-A5B7-B137CF1064EF} () - http://kdx.omn.org/securedelivery/omn/omn.cab
O16 - DPF: {CAA057EE-809B-48E4-BE9C-367C32486C0D} () - https://secure-extranet-integ.jhnetw...intControl.cab
O16 - DPF: {DEF7CADC-83C0-11D0-A0F1-00A024703500} (True OLE DBGrid 7 Control) - https://www.sfnclientfacts.com/ba32/Include/todg7.CAB
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - (no file)
Close all browsers and windows other than HijackThis and click on "fix checked".
==================================
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older-version Java components and update.
- Download the latest version of Java Runtime Environment (JRE) 6 Update 6 and save it to your desktop.
- Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
- Click the "Download" button to the right.
- Select the Windows platform from the dropdown menu.
- Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
- Click on the link to download Windows Offline Installation and save the file to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
- Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
- After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button.
- There are two options in the window to clear the cache - leave BOTH checked:
- Applications and Applets
- Trace and Log Files
- Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.
==================================
Restart your computer for the changes to take effect.
==================================
There is some infected mail in your Thunderbird email client on the D drive. Go ahead and delete it. It could be in backups or in the junk/spam mail folder. I am not familiar with Thunderbird, so you'll have to figure them out yourself.
D:\data\_thunderbird_email\Mail\Local Folders\Inbox[readme.zip][readme.scr]
D:\data\_thunderbird_email\Mail\mail.??????????.com\Inbox.sbd\spam.sbd\spoofed spam
These appear to be in the Trash folder. Just delete the contents of the folder.
D:\data\_thunderbird_email\Mail\mail.??????????.com\Trash[postcard.exe]
D:\data\_thunderbird_email\Mail\mail.??????????.com\Trash[~0001016.~][Greeting Card.exe]
======================================
Also delete these files:
D:\Download\bmark.exe
C:\Program Files\Dacris Benchmarks 5.0\DLL\3dtest.dll
Delete this link from your favorites:
c:\documents and settings\usera276\favorites\sidestep.url
======================================
Open notepad. It must be notepad, not wordpad.
Copy and paste the text inside the code box below into notepad, including the blank line at the end. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap.
Choose file save as and set file type to all files.
Type fixreg.reg in the file name and save it to your desktop. It should look like this:
Quote:
REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Close notepad.
Make sure that all windows are closed.
Find the fixreg.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer yes.
Reboot your computer.
========================================
Please post a fresh HijackThis log.
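As an added example (not part of this reply, and not HijackThis code), here is a small Python triage script that applies the same review rules used above to HijackThis-style log lines: Trusted Zone additions (O15), a configured proxy (R1 ProxyServer), entries whose target file is gone, and downloaded ActiveX controls (O16) with no name. The sample lines, GUIDs and domains in it are constructed.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis itself)."""
import re

# Constructed sample log lines in HijackThis format (not a real scan result).
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = proxy.example.invalid:8080
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O9 - Extra button: Example - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\ex.exe (file missing)
O15 - Trusted Zone: *.example.invalid (HKCU)
O16 - DPF: {11111111-1111-1111-1111-111111111111} () - https://example.invalid/control.cab
O16 - DPF: {22222222-2222-2222-2222-222222222222} (Named Control) - https://example.invalid/named.cab
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - (no file)
"""

# Every HijackThis entry starts with its type code (R0, R1, O4, O15, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")


def classify(line):
    """Return a review reason for one log line, or None if the rules do not flag it."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    etype, body = m.group("type"), m.group("body")
    if etype == "O15":
        # Sites in the Trusted Zone get near-full access; each one needs a conscious decision.
        return "trusted zone entry: confirm the site really deserves trusted access"
    if etype == "R1" and "ProxyServer" in body:
        # An unexpected proxy can redirect all browser traffic through a third party.
        return "proxy server configured: confirm it is intentional"
    if "(file missing)" in body or "(no file)" in body:
        # Leftover references to deleted files are safe to fix and tidy the startup set.
        return "references a file that no longer exists"
    if etype == "O16" and " () - " in body:
        # A downloaded ActiveX control without a name will reinstall on the next visit.
        return "downloaded ActiveX control with no name"
    return None


def triage(log_text):
    """Return (entry type, reason) pairs for flagged lines, preserving log order."""
    findings = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason))
    return findings
```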