
Virtumode and Vondo Keep Coming back after cleaning


#1 somdcelt


  • Members
  • 3 posts

Posted 07 October 2008 - 09:00 AM

Ran McAfee
Ran Spybot
Ran Spy Sweeper
Ran Stinger
Ran HijackThis

Saturday/Sunday it found Virtumonde. Cleaned with VirtumundoBeGone; the machine seemed to be running OK. The machine restarted early Sunday AM to install Windows Update.

Monday, the machine booted up and went into Spybot boot check mode, could not open 58 files, and stayed on a blue screen that never went away; after a couple of hours I was forced to hard boot.

After the reboot I stopped scan disk and started Windows.

After a couple of times with Firefox, I got pages opening in IE over and over.

A few minutes later McAfee alerted: Vundo.gen.k Trojan found and blocked.

This happened several times over the night, same message.

So I started all over again.

Then I ran Spy Sweeper again; it found that Virtumonde again and quarantined the file.

Ran VirtumundoBeGone.exe from McAfee; nothing found, see trace below.

The machine is infected again over and over; I can't get rid of this stuff. I thought it was gone after yesterday but it's back again, and now I get the Vundo problem.

Currently I have the firewall locked down because it has automatic IE openings hijacking to sites while I am using Firefox.

I left the machine on all night with the firewall locked and Virus Scan running. It found 2 files: Vundo.gen and one C:\Windows\system32\xxxxxx something .dll that it was not able to delete; it requested me to restart and re-run Virus Scan. I noticed this file name in processes before. I am at work now and forgot to write the file name down, but I am sure it's one of the ones in the HijackThis trace (could be kpnkqi.dll or klgrbd.dll, not sure).

One other thing: I tried to run the machine in Safe Mode and it doesn't work, no keyboard functions, it just locks up, so trying anything in Safe Mode is useless.

Here are two traces, the VirtumundoBeGone trace and the HijackThis file.

VirtumundoBeGone Trace

[10/05/2008, 13:46:46] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Bill\Desktop\VirtumundoBeGone.exe" )
[10/05/2008, 13:46:54] - Detected System Information:
[10/05/2008, 13:46:54] - Windows Version: 5.1.2600, Service Pack 3
[10/05/2008, 13:46:54] - Current Username: Bill (Admin)
[10/05/2008, 13:46:54] - Windows is in NORMAL mode.
[10/05/2008, 13:46:54] - Searching for Browser Helper Objects:
[10/05/2008, 13:46:54] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[10/05/2008, 13:46:54] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[10/05/2008, 13:46:54] - BHO 3: {6a53d6e9-3b45-4900-85f1-bb64a4adfbb9} ()
[10/05/2008, 13:46:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/05/2008, 13:46:54] - Checking for HKLM\...\Winlogon\Notify\klgrbd
[10/05/2008, 13:46:54] - Key not found: HKLM\...\Winlogon\Notify\klgrbd, continuing.
[10/05/2008, 13:46:54] - BHO 4: {74210255-D309-4BE1-84AA-887CD651A16A} ()
[10/05/2008, 13:46:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/05/2008, 13:46:54] - Checking for HKLM\...\Winlogon\Notify\khfFxWPg
[10/05/2008, 13:46:54] - Key not found: HKLM\...\Winlogon\Notify\khfFxWPg, continuing.
[10/05/2008, 13:46:54] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/05/2008, 13:46:54] - BHO 6: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[10/05/2008, 13:46:54] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[10/05/2008, 13:46:54] - BHO 8: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
[10/05/2008, 13:46:55] - Finished Searching Browser Helper Objects
[10/05/2008, 13:46:55] - Finishing up...
[10/05/2008, 13:46:55] - Nothing found! Exiting...

[10/06/2008, 22:09:51] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Bill\Desktop\VirtumundoBeGone.exe" )
[10/06/2008, 22:10:13] - User choose NOT to continue. Exiting...

[10/07/2008, 0:12:08] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Bill\Desktop\VirtumundoBeGone.exe" )
[10/07/2008, 0:12:11] - Detected System Information:
[10/07/2008, 0:12:11] - Windows Version: 5.1.2600, Service Pack 3
[10/07/2008, 0:12:11] - Current Username: Bill (Admin)
[10/07/2008, 0:12:12] - Windows is in NORMAL mode.
[10/07/2008, 0:12:12] - Searching for Browser Helper Objects:
[10/07/2008, 0:12:12] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[10/07/2008, 0:12:12] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[10/07/2008, 0:12:12] - BHO 3: {74210255-D309-4BE1-84AA-887CD651A16A} ()
[10/07/2008, 0:12:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/07/2008, 0:12:13] - Checking for HKLM\...\Winlogon\Notify\khfFxWPg
[10/07/2008, 0:12:13] - Key not found: HKLM\...\Winlogon\Notify\khfFxWPg, continuing.
[10/07/2008, 0:12:13] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/07/2008, 0:12:13] - BHO 5: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[10/07/2008, 0:12:13] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[10/07/2008, 0:12:13] - BHO 7: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
[10/07/2008, 0:12:13] - Finished Searching Browser Helper Objects
[10/07/2008, 0:12:13] - Finishing up...
[10/07/2008, 0:12:13] - Nothing found! Exiting...

[10/07/2008, 0:22:39] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Bill\Desktop\VirtumundoBeGone.exe" )
[10/07/2008, 0:22:41] - Detected System Information:
[10/07/2008, 0:22:41] - Windows Version: 5.1.2600, Service Pack 3
[10/07/2008, 0:22:41] - Current Username: Bill (Admin)
[10/07/2008, 0:22:42] - Windows is in NORMAL mode.
[10/07/2008, 0:22:42] - Searching for Browser Helper Objects:
[10/07/2008, 0:22:42] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[10/07/2008, 0:22:42] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[10/07/2008, 0:22:42] - BHO 3: {74210255-D309-4BE1-84AA-887CD651A16A} ()
[10/07/2008, 0:22:42] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/07/2008, 0:22:42] - Checking for HKLM\...\Winlogon\Notify\khfFxWPg
[10/07/2008, 0:22:42] - Key not found: HKLM\...\Winlogon\Notify\khfFxWPg, continuing.
[10/07/2008, 0:22:42] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/07/2008, 0:22:42] - BHO 5: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[10/07/2008, 0:22:42] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[10/07/2008, 0:22:42] - BHO 7: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
[10/07/2008, 0:22:42] - Finished Searching Browser Helper Objects
[10/07/2008, 0:22:42] - Finishing up...
[10/07/2008, 0:22:42] - Nothing found! Exiting...

Here is the HijackThis file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:59 AM, on 10/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Documents and Settings\Bill\Desktop\stinger.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Bill\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.somd.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74210255-D309-4BE1-84AA-887CD651A16A} - C:\WINDOWS\system32\khfFxWPg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [UMonit] "C:\WINDOWS\system32\umonit.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [UpdReg] "C:\WINDOWS\UpdReg.EXE"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Tiqyno] "C:\WINDOWS\??mantec\csrss.exe"
O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: kpnkqi.dll podvzn.dll klgrbd.dll
O20 - Winlogon Notify: xxyaayWP - xxyaayWP.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0182921223344681) (0182921223344681mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\018292~1.EXE (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

End of file - 12251 bytes

Any suggestions to stop the mess before I have to wipe the disk and start over? It's crazy.

Thanks, Bill
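As an added example (not part of this thread or of HijackThis), here is a small triage pass over the kinds of entries in the HijackThis log above: it flags the unnamed BHO whose DLL is missing, the AppInit_DLLs injections, the orphaned Winlogon Notify package, and the Run key launching a csrss.exe from outside system32. The heuristics and the SYSTEM_PROCESS_NAMES list are my own; the sample lines are copied from the posted log.

```python
import ntpath
import re
from collections import namedtuple

# Sample input: HijackThis lines copied from the log posted above, one entry
# per autostart/hook type so every heuristic below has something to act on.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74210255-D309-4BE1-84AA-887CD651A16A} - C:\WINDOWS\system32\khfFxWPg.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKCU\..\Run: [Tiqyno] "C:\WINDOWS\??mantec\csrss.exe"
O20 - AppInit_DLLs: kpnkqi.dll podvzn.dll klgrbd.dll
O20 - Winlogon Notify: xxyaayWP - xxyaayWP.dll (file missing)
"""

# Core Windows process names (my own list, not HijackThis output). The real
# ones are started from %SystemRoot%\system32 by the boot chain, never by a Run key.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "winlogon.exe", "lsass.exe", "smss.exe",
                        "services.exe", "svchost.exe"}
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")

# section = HijackThis code such as "O20"; reason = why flagged; line = raw entry
Finding = namedtuple("Finding", "section reason line")


def _o4_target(body: str) -> str:
    """Extract the launched path from an O4 Run/Startup body."""
    quoted = re.search(r'"([^"]+)"', body)
    if quoted:
        return quoted.group(1)
    # Global Startup entries look like 'Name.lnk = C:\path\prog.exe'
    return body.split("= ", 1)[-1].strip()


def triage_hijackthis(log_text: str) -> list:
    """Return the entries a Vundo-style infection tends to leave behind."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue
        section, body = match.groups()
        if section == "O2" and ("(no name)" in body or "(file missing)" in body):
            # An anonymous or orphaned BHO is still loaded into every IE process.
            findings.append(Finding(section, "unnamed or orphaned BHO", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # Normally empty on XP; every DLL listed is injected into each
            # process that loads user32.dll.
            for dll in body.split(":", 1)[1].split():
                findings.append(Finding(section, f"AppInit_DLLs injects {dll}", line))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            if "(file missing)" in body:
                findings.append(Finding(section, "orphaned Winlogon Notify package", line))
        elif section == "O4":
            path = _o4_target(body)
            reasons = []
            if (ntpath.basename(path).lower() in SYSTEM_PROCESS_NAMES
                    and not path.lower().startswith(r"c:\windows\system32")):
                reasons.append("system process name outside system32")
            if "?" in path:  # unprintable characters HijackThis rendered as '?'
                reasons.append("unprintable characters in path")
            if reasons:
                findings.append(Finding(section, "; ".join(reasons), line))
    return findings
```

Run against the full posted log it produces the same six hits and nothing for the legitimate Spybot, Yahoo, Google and McAfee entries, which is the point: the Vundo leftovers are the orphaned hooks and the injected DLLs, not the named vendor components.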


#2 OldTimer


    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 08 October 2008 - 12:00 PM

Hello somdcelt and welcome to BC. Let's see what we can find.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Do not change any settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
Use the Add Reply button and Attach the scan back here (it will be too big to copy/paste). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

I will review it when it comes in.


I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.


#3 somdcelt

  • Topic Starter

  • Members
  • 3 posts

Posted 13 October 2008 - 09:26 AM

Hey there OldTimer, sorry for getting back to you so late; I had to go out of town at the last minute for work. I will be back home on Friday this week if everything works here as planned. Once I am home and can get time to download and run all the things you wanted, I will get back to you as soon as I can.

Before I left the other day I ran CCleaner to clean all the temp files and clean reg settings. The machine was running pretty good; Spy Sweeper and Spybot didn't find anything. I haven't run the machine too much after that. I powered it off before I left, so unless my wife decided to use my computer it should be sitting there off till I get back.

Thanks again for all your help.
