Combo Scan Log And Hjack This Log I Have A Vundo And Can't Get Rid Of It! Help!


This topic is locked
15 replies to this topic

#1 bdwaygalinda


Posted 21 March 2007 - 01:27 PM

I have popups and such, and I have run VundoFix and deleted the three files, but every time I restart my computer I still get the popups. Here are my ComboScan and HijackThis logs:
Thanks in advance!!!!
ComboScan v20070306.20 run by Compaq_Owner on 2007-03-21 at 14:16:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-03-21 19:16:48 UTC - RP1 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as Compaq_Owner.exe) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:17:30 PM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\Desktop\VundoFix.exe
C:\Documents and Settings\Compaq_Owner\Desktop\comboscan.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\DOCUME~1\COMPAQ~1\Desktop\Compaq_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D7C8A39-430F-4091-B9BF-3173DFA06DA0} - C:\WINDOWS\system32\pmnkjgf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {C5E1D2B3-2645-4BAB-874C-2C1EFE947603} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: (no name) - {C657835B-65E8-4FB6-9D17-CE020703C9E5} - C:\WINDOWS\system32\ssqpq.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: pmnkjgf - C:\WINDOWS\SYSTEM32\pmnkjgf.dll
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll
O23 - Service: McAfee Application Installer Cleanup (0106821173280925) (0106821173280925mcinstcleanup) - - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe


-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3R AgereSoftModem (Agere Systems Soft Modem) - C:\WINDOWS\system32\drivers\AGRSM.sys
3R ALCXSENS (Service for WDM 3D Audio Driver) - C:\WINDOWS\system32\drivers\ALCXSENS.SYS
3R ALCXWDM (Service for Realtek AC97 Audio (WDM)) - C:\WINDOWS\system32\drivers\ALCXWDM.SYS
1R AmdK7 (AMD K7 Processor Driver) - C:\WINDOWS\system32\drivers\amdk7.sys
3R Arp1394 (1394 ARP Client Protocol) - C:\WINDOWS\system32\drivers\arp1394.sys
1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\system32\drivers\AvgAsCln.sys
0R fasttx2k - C:\WINDOWS\system32\drivers\Fasttx2k.sys
3R FETNDISB (VIA Rhine Family Fast Ethernet Adapter Driver Service) - C:\WINDOWS\system32\drivers\fetnd5b.sys
3R GEARAspiWDM (GEAR CDRom Filter) - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
3S HDAudBus (Microsoft UAA Bus Driver for High Definition Audio) - C:\WINDOWS\system32\drivers\Hdaudbus.sys
3S ialm - C:\WINDOWS\system32\drivers\ialmnt5.sys
3S IntcAzAudAddService (Service for Realtek HD Audio (WDM)) - C:\WINDOWS\system32\drivers\RtkHDAud.sys
3S intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
2R LMIInfo (LogMeIn Kernel Information Provider) - C:\Program Files\LogMeIn\rainfo.sys
3R LMImirr - C:\WINDOWS\system32\drivers\LMImirr.sys
3R mfeavfk (McAfee Inc.) - C:\WINDOWS\system32\drivers\mfeavfk.sys
3R mfebopk (McAfee Inc.) - C:\WINDOWS\system32\drivers\mfebopk.sys
3R mfehidk (McAfee Inc.) - C:\WINDOWS\system32\drivers\mfehidk.sys
3S mferkdk (McAfee Inc.) - C:\WINDOWS\system32\drivers\mferkdk.sys
3R mfesmfk (McAfee Inc.) - C:\WINDOWS\system32\drivers\mfesmfk.sys
1R MPFP - C:\WINDOWS\system32\drivers\Mpfp.sys
3R NIC1394 (1394 Net Driver) - C:\WINDOWS\system32\drivers\nic1394.sys
0R ohci1394 (VIA OHCI Compliant IEEE 1394 Host Controller) - C:\WINDOWS\system32\drivers\ohci1394.sys
3R Ps2 - C:\WINDOWS\system32\drivers\PS2.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\pxhelp20.sys
3S rtl8139 (Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver) - C:\WINDOWS\system32\drivers\R8139n51.sys
3S SiS315 - C:\WINDOWS\system32\drivers\sisgrp.sys
0R SISAGP (SiS AGP Filter) - C:\WINDOWS\system32\drivers\SISAGPX.SYS
1R SiSkp - C:\WINDOWS\system32\drivers\srvkp.sys
1S sonypvd2 - C:\WINDOWS\system32\drivers\sonypvd2.sys
1R sonypvf2 - C:\WINDOWS\system32\drivers\sonypvf2.sys
0R sonypvl2 - C:\WINDOWS\system32\drivers\sonypvl2.sys
1R sonypvt2 - C:\WINDOWS\system32\drivers\sonypvt2.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S usbohci (Microsoft USB Open Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbohci.sys
3R usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
3S usbscan - C:\WINDOWS\system32\drivers\usbscan.sys
3R USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
0R viaagp1 (VIA AGP Filter) - C:\WINDOWS\system32\drivers\VIAAGP1.SYS
3R viagfx - C:\WINDOWS\system32\drivers\vtmini.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2S 0106821173280925mcinstcleanup (McAfee Application Installer Cleanup (0106821173280925)) -
3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
3S Emproxy (McAfee E-mail Proxy) - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
2R EPSONStatusAgent2 (EPSON Printer Status Agent2) - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
3R iPodService (iPod Service) - "C:\Program Files\iPod\bin\iPodService.exe"
2R LMIMaint (LogMeIn Maintenance Service) - "C:\Program Files\LogMeIn\RaMaint.exe"
2R LogMeIn - "C:\Program Files\LogMeIn\LogMeIn.exe"
2R McAfee HackerWatch Service - "C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe"
3S mcmispupdmgr (McAfee Update Manager) - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
2R mcmscsvc (McAfee Services) - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
2R McNASvc (McAfee Network Agent) - "c:\program files\common files\mcafee\mna\mcnasvc.exe"
2R McODS (McAfee Scanner) - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
2R mcpromgr (McAfee Protection Manager) - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
2R McRedirector (McAfee Redirector Service) - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
2R McShield (McAfee Real-time Scanner) - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
2R McSysmon (McAfee SystemGuards) - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
2R MpfService (McAfee Personal Firewall Service) - "C:\Program Files\McAfee\MPF\MPFSrv.exe"


-- Scheduled Tasks -------------------------------------------------------------

2007-03-21 14:13:01 414 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job<SYMANT~1.JOB>
2007-03-16 20:34:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>
2007-03-15 01:48:05 364 --a------ C:\WINDOWS\Tasks\McDefragTask.job<MCDEFR~1.JOB>
2007-03-07 10:21:56 366 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2007-02-21 and 2007-03-21 -----------------------------

2007-03-21 13:59:05 1225969 ---hs---- C:\WINDOWS\system32\qpqss.bak1<QPQSS~1.BAK>
2007-03-21 13:58:57 280676 ---hs---- C:\WINDOWS\system32\ssqpq.dll
2007-03-21 13:48:56 280676 ---hs---- C:\WINDOWS\system32\ssttr.dll
2007-03-21 11:45:00 0 d-------- C:\WINDOWS\BDOSCAN8
2007-03-21 11:44:14 0 d---s---- C:\Documents and Settings\Compaq_Owner\UserData
2007-03-21 11:32:41 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-03-21 11:21:52 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-21 11:21:06 0 d-------- C:\Program Files\Grisoft
2007-03-21 11:20:23 0 d--h---c- C:\WINDOWS\ie7
2007-03-21 10:32:11 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-03-21 10:03:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion<YAHOO!~1>
2007-03-21 10:01:15 280676 ---hs---- C:\WINDOWS\system32\jkhfc.dll
2007-03-21 09:53:16 26697 --a------ C:\WINDOWS\system32\pmnkjgf.dll
2007-03-18 16:56:52 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP<AOLOCP~1>
2007-03-18 16:56:44 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2007-03-18 16:47:56 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads<AOLDOW~1>
2007-03-14 11:15:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Homestead<HOMEST~1>
2007-03-11 10:54:50 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-03-11 10:54:46 0 d-------- C:\Program Files\ffdshow
2007-03-07 10:37:52 0 d-------- C:\WINDOWS\system32\en-US
2007-03-07 10:26:54 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-03-07 10:25:15 121856 -----n--- C:\WINDOWS\system32\xmllite.dll
2007-03-07 10:22:42 32008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-03-07 10:22:40 37480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-03-07 10:22:38 34184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-03-07 10:22:25 170408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-03-07 10:22:24 71496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-03-07 10:22:12 107608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-03-07 10:21:44 0 d-------- C:\Program Files\McAfee.com
2007-03-07 10:21:33 0 d-------- C:\Program Files\Common Files\McAfee
2007-03-07 10:21:25 0 d-------- C:\Program Files\McAfee
2007-03-07 10:17:34 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-03-07 09:25:49 143360 --a------ C:\WINDOWS\system32\dunzip32.dll


-- Find3M Report ---------------------------------------------------------------

2007-03-21 10:48:29 0 d-------- C:\Program Files\Java
2007-03-21 10:43:57 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-03-21 08:30:37 0 d-------- C:\Program Files\LogMeIn
2007-03-18 16:49:52 0 d-------- C:\Program Files\Viewpoint<VIEWPO~1>
2007-03-18 16:48:36 335 --a----c- C:\WINDOWS\nsreg.dat
2007-03-18 16:48:36 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla
2007-03-17 17:07:18 0 d-------- C:\Program Files\dvdSanta
2007-03-14 12:47:55 0 d-------- C:\Program Files\Kodak
2007-03-07 10:39:33 0 d-------- C:\Program Files\Yahoo!
2007-03-07 10:19:34 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-03-07 09:39:39 0 d---s---- C:\Documents and Settings\Compaq_Owner\Application Data\Microsoft<MICROS~1>
2007-03-07 09:17:55 0 d-------- C:\Program Files\Symantec
2007-03-07 09:11:03 0 d-------- C:\Program Files\Norton AntiVirus<NORTON~1>
2007-02-08 01:58:31 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Apple Computer<APPLEC~1>
2007-02-06 20:10:59 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\MySpace
2007-02-02 19:10:58 0 d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2007-01-29 14:04:23 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-01-26 14:16:23 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-01-26 14:08:44 0 d-------- C:\Program Files\GIMP-2.0
2007-01-23 20:29:01 0 d--h----- C:\Documents and Settings\Compaq_Owner\Application Data\Move Networks<MOVENE~1>
2007-01-20 17:51:26 5574 --a------ C:\WINDOWS\mozver.dat
2007-01-05 08:31:02 184320 --a------ C:\WINDOWS\system32\OESICore.dll
2007-01-05 08:31:02 45056 --a------ C:\WINDOWS\system32\HSSICore.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"AlcWzrd"="ALCWZRD.EXE"
"Alcmtr"="ALCMTR.EXE"
"AGRSMMSG"="AGRSMMSG.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"Ink Monitor"="C:\\PROGRA~1\\EPSON\\INKMON~1\\InkMonitor.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LogMeIn GUI"="\"C:\\Program Files\\LogMeIn\\LogMeInSystray.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4D7C8A39-430F-4091-B9BF-3173DFA06DA0}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkjgf
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpq

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of ComboScan: finished at 2007-03-21 at 14:19:04 ------------------------


Logfile of HijackThis v1.99.1
Scan saved at 12:09:42 PM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\mcafee\msc\mcshell.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\Compaq_Owner\Desktop\VundoFix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
O23 - Service: McAfee Application Installer Cleanup (0106821173280925) (0106821173280925mcinstcleanup) - - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe


#2 kairis
  • Members
  • 327 posts
  • Location:Finland

Posted 21 March 2007 - 01:58 PM

Hi and welcome. My name is Kairis and I will be helping you.
You have some crap there! But don't worry; we'll get you cleaned up!
Please follow my steps in the right order...
We'll start with this:
You should be able to disable AVG Anti-Spyware guard like this:
  • Open AVG Anti-Spyware by double-clicking its icon in the system tray.
  • In the 'Your security status' section, toggle the AVG Anti-Spyware Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'.
  • When you reboot, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the guard?".
  • Reply 'No' and set it to 'inactive'
Vundo is there. It's just being difficult.
Open Combofix:
Click Start -> Run
Copy the command below and paste it into the Run box and click Ok.

"%userprofile%\desktop\combofix.exe" /v pmnkjgf ssqpq pmnkjgf


When it's done running it will produce a log for you. Please post that log in your next reply.

Edited by kairis, 21 March 2007 - 02:03 PM.


#3 bdwaygalinda
  • Topic Starter
  • Members
  • 14 posts

Posted 21 March 2007 - 02:28 PM

"Compaq_Owner" - 07-03-21 15:12:15 Service Pack 2
ComboFix 07-03-22 - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\jkkjh.dll"


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\jkhfc.dll
C:\WINDOWS\system32\pmkjg.dll


((((((((((((((((((((((((((((((( Files Created from 2007-02-21 to 2007-03-21 ))))))))))))))))))))))))))))))))))


2007-03-21 14:42 1,226,009 ---hs---- C:\WINDOWS\system32\dcbeg.bak1
2007-03-21 14:41 280,676 ---hs---- C:\WINDOWS\system32\gebcd.dll
2007-03-21 13:48 280,676 ---hs---- C:\WINDOWS\system32\ssttr.dll
2007-03-21 11:45 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-03-21 11:44 <DIR> d--hs---- C:\DOCUME~1\COMPAQ~1\UserData
2007-03-21 11:32 <DIR> d-------- C:\VundoFix Backups
2007-03-21 11:21 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-21 10:32 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-21 10:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-03-21 09:53 26,697 --a------ C:\WINDOWS\system32\pmnkjgf.dll
2007-03-18 16:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-03-18 16:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-03-18 16:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-03-14 11:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Homestead
2007-03-11 10:54 10,752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-03-11 10:54 <DIR> d-------- C:\Program Files\ffdshow
2007-03-07 10:26 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-03-07 10:22 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-03-07 10:22 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-03-07 10:22 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-03-07 10:22 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-03-07 10:22 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-03-07 10:22 107,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-03-07 10:21 <DIR> d-------- C:\Program Files\McAfee.com
2007-03-07 10:21 <DIR> d-------- C:\Program Files\McAfee
2007-03-07 10:21 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-03-07 10:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-03-07 09:25 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-21 10:48 -------- d-------- C:\Program Files\java
2007-03-21 08:30 -------- d-------- C:\Program Files\logmein
2007-03-18 16:49 -------- d-------- C:\Program Files\viewpoint
2007-03-18 16:48 335 --a--c--- C:\WINDOWS\nsreg.dat
2007-03-14 12:47 -------- d-------- C:\Program Files\kodak
2007-03-07 10:39 -------- d-------- C:\Program Files\yahoo!
2007-03-07 10:19 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-07 09:17 -------- d-------- C:\Program Files\symantec
2007-03-07 09:11 -------- d-------- C:\Program Files\norton antivirus
2007-02-06 20:10 -------- d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\myspace
2007-01-29 14:04 -------- d-------- C:\Program Files\quicktime
2007-01-26 14:16 -------- d--h----- C:\Program Files\installshield installation information
2007-01-26 14:08 -------- d-------- C:\Program Files\gimp-2.0
2007-01-23 20:29 -------- d--h----- C:\DOCUME~1\COMPAQ~1\APPLIC~1\move networks
2007-01-20 17:51 5574 --a------ C:\WINDOWS\mozver.dat
2007-01-05 08:31 45056 --a------ C:\WINDOWS\system32\hssicore.dll
2007-01-05 08:31 184320 --a------ C:\WINDOWS\system32\oesicore.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"VTTimer"="VTTimer.exe"
"AlcWzrd"="ALCWZRD.EXE"
"Alcmtr"="ALCMTR.EXE"
"AGRSMMSG"="AGRSMMSG.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"Ink Monitor"="C:\\PROGRA~1\\EPSON\\INKMON~1\\InkMonitor.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LogMeIn GUI"="\"C:\\Program Files\\LogMeIn\\LogMeInSystray.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4D7C8A39-430F-4091-B9BF-3173DFA06DA0}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkjgf

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-21 15:22:29
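The file list above shows the pattern a helper reads off by hand: two freshly created hidden+system DLLs in system32 (gebcd.dll, ssttr.dll) and a backup whose base name is gebcd spelled backwards (dcbeg.bak1). As an added example that is not part of this thread or of ComboFix, the following Python script parses the "Files Created" section of a ComboFix log and applies those two checks. The sample lines are constructed from the log above; the heuristics (hidden+system attributes under system32, mirrored base names) are the example's own assumptions, not ComboFix logic.

```python
"""Triage the 'Files Created' section of a ComboFix log for Vundo-style droppers.

Added example; not part of the thread or of ComboFix. The sample lines are
constructed from the "Files Created" block of the log above. Two heuristics,
both the reviewer's own assumptions rather than ComboFix logic:
  * a file under system32 whose attribute column carries both 'h' (hidden)
    and 's' (system) is suspect; nothing a user installs on purpose in
    system32 needs to hide from Explorer;
  * two files whose base names are mirror images of each other (gebcd.dll
    and dcbeg.bak1 in the log) are reported as a dropper/backup pair.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
2007-03-21 14:42 1,226,009 ---hs---- C:\\WINDOWS\\system32\\dcbeg.bak1
2007-03-21 14:41 280,676 ---hs---- C:\\WINDOWS\\system32\\gebcd.dll
2007-03-21 13:48 280,676 ---hs---- C:\\WINDOWS\\system32\\ssttr.dll
2007-03-21 11:45 <DIR> d-------- C:\\WINDOWS\\BDOSCAN8
2007-03-21 11:21 3,968 --a------ C:\\WINDOWS\\system32\\drivers\\AvgAsCln.sys
2007-03-21 09:53 26,697 --a------ C:\\WINDOWS\\system32\\pmnkjgf.dll
2007-03-07 10:26 22,752 --a------ C:\\WINDOWS\\system32\\spupdsvc.exe
"""

# date time size attrs path; <DIR> entries do not match the size group and
# are skipped, which is what we want here.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)


def parse_files_created(text: str) -> List[Dict[str, str]]:
    """One dict (date, time, size, attrs, path) per file line in the section."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def stem(path: str) -> str:
    """Case-folded file name without extension: '...\\gebcd.dll' -> 'gebcd'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.partition(".")[0]


def hidden_system_in_system32(entries: List[Dict[str, str]]) -> List[str]:
    """Paths under system32 whose attribute flags include both 'h' and 's'."""
    return [
        e["path"] for e in entries
        if "\\system32\\" in e["path"].lower()
        and "h" in e["attrs"] and "s" in e["attrs"]
    ]


def reversed_name_pairs(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(path_a, path_b) where stem(path_b) == stem(path_a)[::-1]."""
    by_stem: Dict[str, List[str]] = {}
    for e in entries:
        by_stem.setdefault(stem(e["path"]), []).append(e["path"])
    pairs = []
    for s, paths in by_stem.items():
        rev = s[::-1]
        if rev != s and rev in by_stem and s < rev:   # report each pair once
            pairs.extend((p, q) for p in paths for q in by_stem[rev])
    return pairs


def vundo_candidates(text: str) -> List[str]:
    """Sorted base names, in the form the '/v name name ...' command above takes."""
    entries = parse_files_created(text)
    names = {stem(p) for p in hidden_system_in_system32(entries)}
    for p, q in reversed_name_pairs(entries):
        names.update((stem(p), stem(q)))
    return sorted(names)
```

Note what this misses: pmnkjgf.dll carries ordinary attributes (--a------) in the same list and is not flagged, which is why the registry side of the log (the BHO and Winlogon Notify entries) has to be read alongside the file list before building the fix list.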

#4 kairis
  • Members
  • 327 posts
  • Location:Finland

Posted 22 March 2007 - 01:36 AM

MOVE HJT:
You currently are running HijackThis from here:
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

Please make a folder here:
c:\HJT
and place HijackThis in that folder.
DO NOT follow the steps below until you have moved HijackThis.

Renaming HijackThis.exe

1. Right click on the HijackThis icon.

2. Select Rename.

3. Now type the following: scanner.exe (note: make sure to put the period before exe when typing), then hit the Enter key on the keyboard.

Please send a fresh HJT log.

#5 bdwaygalinda
  • Topic Starter
  • Members
  • 14 posts

Posted 22 March 2007 - 05:21 AM

My computer's becoming slower and slower... PLEASE HELP! Here is the new HJT (renamed scanner) log. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 6:14:51 AM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23AF2F54-21F3-49C0-8A4A-83998B30D727} - C:\WINDOWS\system32\gebcd.dll
O2 - BHO: MSEvents Object - {4D7C8A39-430F-4091-B9BF-3173DFA06DA0} - C:\WINDOWS\system32\pmnkjgf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {C5E1D2B3-2645-4BAB-874C-2C1EFE947603} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: (no name) - {C657835B-65E8-4FB6-9D17-CE020703C9E5} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: pmnkjgf - C:\WINDOWS\SYSTEM32\pmnkjgf.dll
O23 - Service: McAfee Application Installer Cleanup (0106821173280925) (0106821173280925mcinstcleanup) - - (no file)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
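The log above shows the two entries that matter for Vundo: gebcd.dll and pmnkjgf.dll are each registered both as a BHO (O2) and as a Winlogon Notify handler (O20), and the MSEvents CLSID {4D7C8A39-430F-4091-B9BF-3173DFA06DA0} also appears under ShellExecuteHooks in the ComboFix log earlier in the thread. As an added example that is not part of the thread or of HijackThis, this Python script parses those O2/O20 lines and cross-references them. The sample lines are constructed from the HJT log above and the ComboFix registry section; the flagging rules are the example's own assumptions, not HijackThis rules.

```python
"""Cross-reference HijackThis O2 (BHO) and O20 (Winlogon Notify) entries.

Added example, not part of the thread or of HijackThis. SAMPLE_HJT is
constructed from the HJT log above; SAMPLE_HOOKS is copied from the
ComboFix "Reg Loading Points" section earlier in the thread. The flags are
the reviewer's own assumptions, not HijackThis rules:
  * a DLL that is both a BHO and a Winlogon Notify handler (gebcd.dll,
    pmnkjgf.dll) is flagged: a browser add-on has no business in winlogon;
  * a BHO whose CLSID is also a ShellExecuteHook is flagged;
  * an unnamed BHO under system32, or one whose file is missing, is flagged.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

SAMPLE_HJT = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {23AF2F54-21F3-49C0-8A4A-83998B30D727} - C:\\WINDOWS\\system32\\gebcd.dll
O2 - BHO: MSEvents Object - {4D7C8A39-430F-4091-B9BF-3173DFA06DA0} - C:\\WINDOWS\\system32\\pmnkjgf.dll
O2 - BHO: (no name) - {C5E1D2B3-2645-4BAB-874C-2C1EFE947603} - C:\\WINDOWS\\system32\\pmkji.dll (file missing)
O2 - BHO: (no name) - {C657835B-65E8-4FB6-9D17-CE020703C9E5} - C:\\WINDOWS\\system32\\ssqpq.dll (file missing)
O20 - Winlogon Notify: gebcd - C:\\WINDOWS\\system32\\gebcd.dll
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\\WINDOWS\\SYSTEM32\\LMIinit.dll
O20 - Winlogon Notify: pmnkjgf - C:\\WINDOWS\\SYSTEM32\\pmnkjgf.dll
"""
SAMPLE_HOOKS = '''\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\explorer\\shellexecutehooks]
"{4D7C8A39-430F-4091-B9BF-3173DFA06DA0}"=""
'''

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    line: str
    kind: str          # "O2" or "O20"
    path: str
    clsid: str = ""
    name: str = ""
    missing: bool = False


def dll_key(path: str) -> str:
    """Case-folded file name, so system32\\x.dll and SYSTEM32\\X.dll compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the O2 and O20 lines; every other HJT section is ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Entry(line, "O2", m["path"], m["clsid"].upper(),
                                 m["name"], m["missing"] is not None))
            continue
        m = O20_RE.match(line)
        if m:
            entries.append(Entry(line, "O20", m["path"]))
    return entries


def hook_clsids(reg_text: str) -> FrozenSet[str]:
    """Upper-cased CLSIDs found in a ShellExecuteHooks registry export."""
    return frozenset(m.group(0).upper() for m in GUID_RE.finditer(reg_text))


def triage(hjt_text: str, reg_text: str = "") -> Dict[str, List[str]]:
    """Map each suspect DLL file name to the reasons it was flagged."""
    entries = parse_hjt(hjt_text)
    hooks = hook_clsids(reg_text)
    notify_dlls = {dll_key(e.path) for e in entries if e.kind == "O20"}
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if e.kind != "O2":
            continue
        reasons = []
        if dll_key(e.path) in notify_dlls:
            reasons.append("also a Winlogon Notify handler")
        if e.clsid in hooks:
            reasons.append("CLSID also registered as a ShellExecuteHook")
        if e.name == "(no name)" and "\\system32\\" in e.path.lower():
            reasons.append("unnamed BHO loaded from system32")
        if e.missing:
            reasons.append("file missing (stale registration)")
        if reasons:
            findings[dll_key(e.path)] = reasons
    return findings


def fix_lines(hjt_text: str, reg_text: str = "") -> List[str]:
    """The O2 lines flagged above plus the O20 lines loading the same DLLs."""
    suspects = triage(hjt_text, reg_text)
    return [e.line for e in parse_hjt(hjt_text) if dll_key(e.path) in suspects]
```

fix_lines() returns the six lines a helper would tick in HijackThis: four O2 entries and the two O20 entries for gebcd and pmnkjgf. igfxsrvc.dll and LMIinit.dll are Winlogon Notify handlers too, but they are not BHOs and stay unflagged. Ticking the lines is not the repair: the same entries reappeared after VundoFix earlier in the thread, because the DLL is loaded by winlogon.exe and cannot be removed while in use, which is why the helper drives the removal through the ComboFix /v name list rather than through HijackThis.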

#6 kairis
  • Members
  • 327 posts
  • Location:Finland

Posted 22 March 2007 - 07:23 AM

Rerun VundoFix and send its log and a fresh HJT log, thanks.

#7 bdwaygalinda
  • Topic Starter
  • Members
  • 14 posts

Posted 22 March 2007 - 08:58 AM

Other computers are trying to hack into my computer. Will my things be safe? I have McAfee Anti-virus and firewall... I looked this morning and there were 349 computers trying to get in just from last night to this morning. Here is my new HijackThis log. I ran VundoFix again like you said and it couldn't delete one file. Thanks so much. Hopefully I can get this fixed today or tomorrow. It's freaking me out!

Logfile of HijackThis v1.99.1
Scan saved at 9:51:21 AM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\scanner.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23AF2F54-21F3-49C0-8A4A-83998B30D727} - C:\WINDOWS\system32\gebcd.dll
O2 - BHO: MSEvents Object - {4D7C8A39-430F-4091-B9BF-3173DFA06DA0} - C:\WINDOWS\system32\pmnkjgf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {C5E1D2B3-2645-4BAB-874C-2C1EFE947603} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: (no name) - {C657835B-65E8-4FB6-9D17-CE020703C9E5} - C:\WINDOWS\system32\ssqpq.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: pmnkjgf - C:\WINDOWS\SYSTEM32\pmnkjgf.dll
O23 - Service: McAfee Application Installer Cleanup (0106821173280925) (0106821173280925mcinstcleanup) - - (no file)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

#8 bdwaygalinda
  • Topic Starter
  • Members
  • 14 posts

Posted 22 March 2007 - 02:40 PM

I did a Safe Mode with Networking DOS scan and here's the log... I thought this might help you...
McAfee VirusScan for Win32 v5.10.0
Copyright © 1992-2006 McAfee, Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - May 26 2006

Scan engine v5.1.00 for Win32.
Virus data file v4989 created Mar 21 2007
Scanning for 236982 viruses, trojans and variants.



03/22/2007 13:56:24


Options:
/ADL/CLEAN/ALL/REPORT REPORT.TXT

Scanning C: [PRESARIO]
Scanning C:\*.*

Summary report on C:\*.*
File(s)
Total files: ........... 48414
Clean: ................. 48367
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 1
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
Scanning D: [PRESARIO_RP]
Scanning D:\*.*

Summary report on D:\*.*
File(s)
Total files: ........... 8407
Clean: ................. 8407
Possibly Infected: ..... 0
Cleaned: ............... 0
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:16.03

#9 kairis
  • Members
  • 327 posts
  • Location:Finland

Posted 23 March 2007 - 01:06 AM

Hi. Vundo is still here...
Let's try this:
Download VirtumundoBeGone :
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Save the file to your desktop
Close all running programs (including your Internet Browser)
Double-click VirtumundoBeGone.exe on the desktop
Read the introductory information, and then click Continue
Click Start
When asked if you want to continue, click Yes to run the fix
Click "Save Log"


Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH, so don't be concerned when this happens.
It requires you to manually reboot to restore your normal Windows desktop.

The log created by VirtumundoBeGone, called VBG.TXT, will be located on your desktop. Please retain VBG.TXT.

Empty Recycle Bin.

Reboot and "copy/paste" a new HijackThis log file along with the VBG.TXT into this thread.
Also please describe how your computer behaves at the moment.

Edited by kairis, 23 March 2007 - 01:09 AM.


#10 bdwaygalinda
  • Topic Starter
  • Members
  • 14 posts

Posted 23 March 2007 - 07:25 AM

VirtumundoBeGone did nothing... at all. Blah. My computer is running fine but I still have pop-ups every now and then... the Vundo is still there (and you can see it!) so let's get rid of it ASAP! Here is the VirtumundoBeGone log as well as the HijackThis log! Do Vundos take a long time to get rid of?

[03/23/2007, 8:19:27] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Compaq_Owner\Desktop\VirtumundoBeGone.exe" )
[03/23/2007, 8:19:31] - Detected System Information:
[03/23/2007, 8:19:31] - Windows Version: 5.1.2600, Service Pack 2
[03/23/2007, 8:19:31] - Current Username: Compaq_Owner (Admin)
[03/23/2007, 8:19:31] - Windows is in NORMAL mode.
[03/23/2007, 8:19:31] - Searching for Browser Helper Objects:
[03/23/2007, 8:19:31] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[03/23/2007, 8:19:31] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/23/2007, 8:19:31] - BHO 3: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[03/23/2007, 8:19:31] - BHO 4: {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} (CPub Object)
[03/23/2007, 8:19:31] - Finished Searching Browser Helper Objects
[03/23/2007, 8:19:31] - Finishing up...
[03/23/2007, 8:19:31] - Nothing found! Exiting...


Logfile of HijackThis v1.99.1
Scan saved at 8:22:34 AM, on 3/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ps2.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: McAfee Application Installer Cleanup (0106821173280925) (0106821173280925mcinstcleanup) - - (no file)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe

Edited by bdwaygalinda, 23 March 2007 - 07:32 AM.
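An added example (not part of the thread and not HijackThis code) showing how a helper can read the HijackThis entries posted above. Analysts triage a log like this by pulling out the components that load into the browser or at logon (O2, O20), the autostart commands (O4), and every entry HijackThis flags as "(file missing)" or "(no file)". The sample lines are copied from the log above; the classification heuristics (missing-file markers, bare file names in O4 entries that are resolved through the search path at logon, and DLL paths for O2/O20) are assumptions of this example, not something HijackThis itself reports.

```python
"""Added example: triage of HijackThis v1.99 log entries (O2, O4, O9, O20, O23).

Not code from the thread or from HijackThis; it parses the log text and
extracts what a reviewer checks first: every DLL loaded into Internet
Explorer or winlogon with its path, every autostart command, and every
entry whose file HijackThis reports as missing.
"""
import re

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: McAfee Application Installer Cleanup (0106821173280925) (0106821173280925mcinstcleanup) - - (no file)
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

LINE_RE = re.compile(r"^(?P<code>O\d+) - (?P<rest>.*)$")
# One sub-parser per entry type we care about (assumed from the log format on the page).
PARSERS = {
    "O2": re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O9": re.compile(r"^Extra (?:button|'Tools' menuitem): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O20": re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
    "O23": re.compile(r"^Service: (?P<name>.*?) \((?P<svc>[^()]+)\) - (?P<vendor>[^-]*?)\s*- (?P<path>.*)$"),
}
MISSING_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$")
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|cpl|scr|com|bat))(?:\s|$)", re.I)


def _command_path(cmd):
    """Executable part of an O4 command line: quoted path, else path up to the extension."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def parse_hjt(text):
    """One record per O-line; entries we have no sub-parser for keep the raw text as name."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, rest = m.group("code"), m.group("rest")
        parser = PARSERS.get(code)
        pm = parser.match(rest) if parser else None
        if not pm:
            records.append({"code": code, "name": rest, "path": "", "missing": False})
            continue
        rec = {"code": code, "missing": False, **pm.groupdict()}
        raw = rec.pop("path")
        if MISSING_RE.search(raw):          # HijackThis could not find the file on disk
            rec["missing"] = True
            raw = MISSING_RE.sub("", raw)
        rec["path"] = _command_path(raw) if code == "O4" else raw.strip()
        records.append(rec)
    return records


def missing_files(records):
    """Entries that still point at a file HijackThis reports as absent."""
    return [(r["code"], r["name"]) for r in records if r["missing"]]


def unqualified_autostarts(records):
    """O4 entries whose executable is a bare file name (resolved through the search path at logon)."""
    return [(r["name"], r["path"]) for r in records
            if r["code"] == "O4" and r["path"] and "\\" not in r["path"]]


def loaded_components(records):
    """DLLs loaded into Internet Explorer (O2) or by winlogon (O20): name -> on-disk path."""
    return {r["name"]: r["path"] for r in records if r["code"] in ("O2", "O20")}


if __name__ == "__main__":
    recs = parse_hjt(SAMPLE_HJT)
    print("missing files:", missing_files(recs))
    print("bare-name autostarts:", unqualified_autostarts(recs))
    for name, path in loaded_components(recs).items():
        print(f"loaded DLL: {name} -> {path}")
```

A "(file missing)" service or button is usually leftover registration from an uninstalled product rather than an infection, but each such entry is worth one look because it is also where a removed component would leave a trace. An O4 entry with a bare file name is resolved at logon through the search path, so the file actually run depends on where Windows finds it first.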


#11 kairis


Posted 24 March 2007 - 01:29 AM

Hi.
There is no Vundo anymore...
The logs are clean, but you still get popups, strange.

Please run the
F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.

Edited by kairis, 24 March 2007 - 01:30 AM.


#12 bdwaygalinda


Posted 24 March 2007 - 09:03 AM

Scanning Report
Saturday, March 24, 2007 09:25:37 - 09:59:20

Computer name: THESMITHS
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\
Result: 0 malware found
Statistics
Scanned:

* Files: 29656
* System: 4465
* Not scanned: 8

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 0
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\TEMP\MCAFEE_37CEXWSGKWBD8HG
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{2D577BC6-F4DE-4DFD-84D4-7797731B5232}.BIN
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{63F9D88D-2D3A-4F58-AF29-80201C3C5731}.BIN
* C:\F99EA04F49F0DD6ADF3E\MRT.EXE
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\B2919ED34CDE629D779C70777313BDAE_BBF6C754-B3FD-4146-A2A6-BE5412B4985C

Options
Scanning engines:

* F-Secure AVP: 7.0.171, 2007-03-24
* F-Secure Blacklight: 1.0.53, 0000-00-00
* F-Secure Draco: 1.0.35, 0260-02-44
* F-Secure Libra: 2.4.2, 2007-03-22
* F-Secure Orion: 1.2.37, 2007-03-23
* F-Secure Pegasus: 1.19.0, 2007-02-14

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

#13 kairis


Posted 25 March 2007 - 10:57 AM

Hi bdwaygalinda.
F-Secure found nothing, that's good.
Still pop-ups?

Download : GMER
  • Unzip it and double-click GMER.exe
  • Click the rootkit-tab and click scan.
  • Do NOT check the "Show All" box during the scan!!
  • Once done, click Copy.
  • This will copy the results to clipboard.
  • Paste the results in your next reply

Edited by kairis, 25 March 2007 - 11:05 AM.
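An added example (not part of the thread and not GMER code) of how to read the "code sections" output the GMER scan described above produces. GMER prints one line per patched function: the hooked export, its address, how many bytes were overwritten, and either the decoded JMP target with the module that owns it or, when it could not decode a single jump, the raw bytes. The helper below groups those lines per process and splits them into three classes: hooks that land in a named driver or DLL on disk (attributable, and that file can be checked), hooks that jump to an anonymous address with no module name, and partial patches. The sample lines are copied from the GMER log the user posts later in this thread; the class names and the 64 KiB "trampoline region" grouping are assumptions of this example. That mfehidk.sys is a McAfee kernel driver is a known fact, not something GMER states.

```python
"""Added example: a triage parser for GMER "Kernel code sections" / "User code sections" lines.

Not code from the thread or from GMER. It reads the hook lines GMER prints,
groups them per process (or the kernel), and separates hooks that resolve to
a named module from hooks into anonymous memory and partial patches GMER
could not decode as a JMP. Lines from the "System" section (no address) are skipped.
"""
import re
from collections import defaultdict

# Sample input: lines copied from the GMER log posted in this thread.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!ZwYieldExecution 804FC679 7 Bytes JMP EFD6E5BD \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwOpenKey 805684D5 5 Bytes JMP EFD6E4EB \SystemRoot\system32\drivers\mfehidk.sys

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\services.exe[756] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 7C801A5D 1 Byte [ E9 ]
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx + 2 7C801A5F 3 Bytes [ F4, F4, 83 ]
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00750FB9
"""

HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+"          # image section the patch lives in (.text / PAGE)
    r"(?P<owner>.+?)\s+"             # kernel: image!Export   user: process[pid] dll!Export( + N)?
    r"(?P<addr>[0-9A-F]{8})\s+"      # patched address
    r"(?P<size>\d+) Bytes?\s+"       # patch length
    r"(?P<patch>.+)$"                # "JMP <target> [<module>]" or "[ b1, b2, ... ]"
)
USER_OWNER_RE = re.compile(r"^(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<func>.+)$")
JMP_RE = re.compile(r"^JMP (?P<target>[0-9A-F]{8})(?:\s+(?P<module>\S+))?$")
BYTES_RE = re.compile(r"^\[\s*(?P<bytes>[0-9A-F, ]+?)\s*\]$")


def parse_gmer(text):
    """One record per hook line; headers, blank lines and "System" lines are skipped."""
    records = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        owner = m.group("owner")
        user = USER_OWNER_RE.match(owner)
        rec = {
            "scope": "user" if user else "kernel",
            "process": user.group("proc").rsplit("\\", 1)[-1] if user else None,
            "pid": int(user.group("pid")) if user else None,
            "func": user.group("func") if user else owner,
            "addr": int(m.group("addr"), 16),
            "size": int(m.group("size")),
            "kind": "partial", "target": None, "module": None, "bytes": [],
        }
        jmp, raw = JMP_RE.match(m.group("patch")), BYTES_RE.match(m.group("patch"))
        if jmp:
            rec["target"] = int(jmp.group("target"), 16)
            mod = jmp.group("module")
            rec["module"] = mod.rsplit("\\", 1)[-1].lower() if mod else None
            # GMER names the module only when the target lies inside a loaded image.
            rec["kind"] = "named-module" if mod else "anonymous"
        elif raw:
            rec["bytes"] = [b.strip() for b in raw.group("bytes").split(",")]
        records.append(rec)
    return records


def _owner_key(r):
    return f'{r["process"]}[{r["pid"]}]' if r["scope"] == "user" else "kernel"


def triage(records):
    """Per process (or kernel): counts per class, named modules hit, and anonymous target regions."""
    by_owner = defaultdict(lambda: {"named-module": 0, "anonymous": 0, "partial": 0,
                                    "modules": set(), "trampoline_regions": set()})
    for r in records:
        entry = by_owner[_owner_key(r)]
        entry[r["kind"]] += 1
        if r["module"]:
            entry["modules"].add(r["module"])
        if r["kind"] == "anonymous":
            # Assumed 64 KiB granularity: one trampoline block per hooked DLL per process.
            entry["trampoline_regions"].add(f'{r["target"] & 0xFFFF0000:08X}')
    return dict(by_owner)


def partial_jmp_hooks(records):
    """Partial patches whose first byte is E9 (x86 JMP rel32) but for which GMER printed no target."""
    return [(_owner_key(r), r["func"]) for r in records
            if r["kind"] == "partial" and r["bytes"][:1] == ["E9"] and " + " not in r["func"]]


if __name__ == "__main__":
    recs = parse_gmer(SAMPLE_LOG)
    for owner, info in triage(recs).items():
        print(owner, {k: (sorted(v) if isinstance(v, set) else v) for k, v in info.items()})
    print("partial JMP patches, target unknown:", partial_jmp_hooks(recs))
```

Hooks into a named driver can be attributed by inspecting that file (in the log posted in this thread, mfehidk.sys is a McAfee kernel driver). Anonymous targets are where attention goes, but security products that inject their own code into every process produce exactly this pattern too, so the next step is to identify what is mapped at the target address in that process, not to assume a rootkit. A "partial" line starting with E9 means a relative jump was written but GMER did not decode its destination; the destination has to be read from the live process.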


#14 bdwaygalinda


Posted 25 March 2007 - 01:11 PM

It said WARNING GMER has found files relating to rootkit activity...yikes...uh oh! :thumbsup:

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-25 14:08:13
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!ZwYieldExecution 804FC679 7 Bytes JMP EFD6E5BD \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwOpenKey 805684D5 5 Bytes JMP EFD6E4EB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateKey 8056F063 5 Bytes JMP EFD6E4FF \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtCreateFile 8057164C 5 Bytes JMP EFD6E57F \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80573789 5 Bytes JMP EFD6E5E9 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtMapViewOfSection 80573C04 7 Bytes JMP EFD6E5D3 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057494D 7 Bytes JMP EFD6E593 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwSetValueKey 80575527 7 Bytes JMP EFD6E555 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwTerminateProcess 8058AE1E 5 Bytes JMP EFD6E56B \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteValueKey 80597430 7 Bytes JMP EFD6E53F \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteKey 8059D6BD 7 Bytes JMP EFD6E513 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateProcess 805B3543 5 Bytes JMP EFD6E5A9 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwRenameKey 8064D39F 7 Bytes JMP EFD6E529 \SystemRoot\system32\drivers\mfehidk.sys

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FE0F7A
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FE0F8B
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FE0F9C
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FE005B
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FE00B1
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FE0F69
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FE0F33
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FE00CC
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00FE00F1
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00FE0094
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00FE0040
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\services.exe[756] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00FE0F4E
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A10FBC
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A10F9A
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A10FCD
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A10FDE
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A10057
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A1003C
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\services.exe[756] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A10FAB
.text C:\WINDOWS\system32\services.exe[756] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00800FB3
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008000A8
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00800081
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00800070
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0080004E
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00800F7D
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00800F98
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00800F62
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008000FB
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 0080010C
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 0080005F
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 0080001B
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 008000C3
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 0080003D
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 0080002C
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 008000E0
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 007F0FD1
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 007F0062
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 007F002C
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 007F001B
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 007F0FA5
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 007F003D
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 007F000A
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 007F0FB6
.text C:\WINDOWS\system32\svchost.exe[920] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007D0FE5
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A500C9
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A500B8
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A5009D
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A50080
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A50FDE
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A50F81
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A50F9E
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A50110
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A500FF
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00A5012B
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00A50065
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00A50025
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00A50FB9
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00A50040
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[996] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00A500E4
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A40FD4
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A4006C
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A40025
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A4005B
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A40FAF
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A4000A
.text C:\WINDOWS\system32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A40040
.text C:\WINDOWS\system32\svchost.exe[996] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01820000
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01820F3E
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01820F63
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01820F74
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0182003D
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01820F9B
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0182007A
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01820069
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 018200CB
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 018200B0
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 01820F17
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 0182002C
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 01820011
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 01820058
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 01820FC0
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 01820FD1
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 0182009F
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01810FC3
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01810F61
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01810FD4
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0181000A
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01810F7C
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01810F97
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01810FEF
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01810FA8
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00FE0011
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 00FE0036
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00750000
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 7C801A5D 1 Byte [ E9 ]
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx + 2 7C801A5F 3 Bytes [ F4, F4, 83 ]
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00750F72
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00750F83
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00750036
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00750FB9
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00750084
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00750F3C
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007500B0
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00750095
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00750EFC
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00750F9E
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 0075001B
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00750067
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00750FD4
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00750FE5
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00750F17
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00740FD1
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0074008E
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0074002C
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0074001B
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00740073
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00740062
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00740000
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00740047
.text C:\WINDOWS\system32\svchost.exe[1144] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00720FE5
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00950000
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A5D 1 Byte [ E9 ]
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtectEx + 2 7C801A5F 3 Bytes [ F4, 14, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00950F7C
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00950056
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00950F97
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00950FC3
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00950F3F
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00950F50
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009500D8
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009500BD
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 009500E9
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00950FA8
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 0095001B
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00950071
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00950FD4
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00950FE5
.text C:\WINDOWS\system32\svchost.exe[1188] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 009500A2
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006D001B
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 006D0F9E
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 006D0FCA
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 006D005B
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 006D0FAF
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 006D000A
.text C:\WINDOWS\system32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 006D0036
.text C:\WINDOWS\system32\svchost.exe[1188] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 006B0FDE
.text C:\WINDOWS\system32\svchost.exe[1188] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 006B0025
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02040000
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02040082
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02040067
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0204004A
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02040F8D
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02040FC3
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 020400C1
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 020400B0
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02040F28
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02040F43
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 02040F17
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 02040FA8
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 02040FE5
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 02040093
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 0204002F
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 02040FD4
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 02040F68
.text C:\WINDOWS\explorer.exe[1552] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02030025
.text C:\WINDOWS\explorer.exe[1552] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0203004A
.text C:\WINDOWS\explorer.exe[1552] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02030FD4
.text C:\WINDOWS\explorer.exe[1552] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02030014
.text C:\WINDOWS\explorer.exe[1552] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02030F97
.text C:\WINDOWS\explorer.exe[1552] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02030FB2
.text C:\WINDOWS\explorer.exe[1552] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02030FEF
.text C:\WINDOWS\explorer.exe[1552] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02030FC3
.text C:\WINDOWS\explorer.exe[1552] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 016D0000
.text C:\WINDOWS\explorer.exe[1552] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 016D0FE5
.text C:\WINDOWS\explorer.exe[1552] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 016D0FD4
.text C:\WINDOWS\explorer.exe[1552] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 016D0FB9
.text C:\WINDOWS\explorer.exe[1552] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01420FEF
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00380FE5
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00380F35
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00380F46
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00380F61
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00380F72
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00380014
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00380056
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00380F1A
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00380EDF
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00380078
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00380ECE
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00380F8D
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00380FD4
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 0038003B
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00380FB2
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00380FC3
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00380067
.text C:\WINDOWS\system32\svchost.exe[2348] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00370040
.text C:\WINDOWS\system32\svchost.exe[2348] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00370087
.text C:\WINDOWS\system32\svchost.exe[2348] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00370FEF
.text C:\WINDOWS\system32\svchost.exe[2348] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0037001B
.text C:\WINDOWS\system32\svchost.exe[2348] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00370076
.text C:\WINDOWS\system32\svchost.exe[2348] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00370FD4
.text C:\WINDOWS\system32\svchost.exe[2348] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0037000A
.text C:\WINDOWS\system32\svchost.exe[2348] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0037005B

---- Modules - GMER 1.0.12 ----

Module (noname) (*** hidden *** ) F59CE000
Module (noname) (*** hidden *** ) EF818000

---- Files - GMER 1.0.12 ----

ADS C:\USERDATA\Favorites\Coco Headbands.url:favicon
ADS C:\USERDATA\Favorites\TMZ.com.url:favicon

---- EOF - GMER 1.0.12 ----

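An added example (the editor's, not code from the post or from GMER) for reading the `.text ... 5 Bytes JMP ...` lines above: each one is a user-mode inline hook, where the first five bytes of an exported function inside explorer.exe or svchost.exe have been overwritten with a JMP into another memory region. The script parses those lines, groups them by process and hooked DLL, shows which target region each DLL's hooks land in, and computes the exact `E9 rel32` bytes that must be present at the hooked address, which is how you would confirm the hook by reading the process's memory. Security products install hooks of this kind too, so the listing alone does not identify the code that did it; targets that fall outside every loaded module's image range are the ones to dump and inspect. The 64 KiB "cluster" rule is the editor's heuristic, not a GMER feature, and the sample lines are copied from the log above.

```python
"""Triage helper for the user-mode hook lines in a GMER log.

Added example, not part of GMER or of the forum post. Each hook line has the shape

    .text <process path>[<pid>] <module>!<export> <address> 5 Bytes JMP <target>

The 'cluster' rule (every hooked export of one DLL jumping into the same 64 KiB
region) is the editor's heuristic for a single injected trampoline table.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]{8})\s*$"
)

# Sample input: hook lines copied from the GMER output above, plus one
# non-hook line to show that the parser ignores it.
SAMPLE_LOG = r"""
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0204004A
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02040F28
.text C:\WINDOWS\explorer.exe[1552] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 02040F17
.text C:\WINDOWS\explorer.exe[1552] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02030025
.text C:\WINDOWS\explorer.exe[1552] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 016D0000
.text C:\WINDOWS\explorer.exe[1552] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01420FEF
.text C:\WINDOWS\system32\svchost.exe[2348] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00380FE5
.text C:\WINDOWS\system32\svchost.exe[2348] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00370040
Module (noname) (*** hidden *** ) F59CE000
"""


@dataclass(frozen=True)
class Hook:
    process: str   # image name only, e.g. explorer.exe
    pid: int
    module: str    # hooked DLL, lower-cased
    export: str
    address: int   # hooked entry point
    size: int      # patched byte count as reported by GMER
    target: int    # where the JMP lands


def parse_hook_line(line):
    """Return a Hook for a GMER '.text ... JMP ...' line, or None for anything else."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    return Hook(
        process=m["proc"].rsplit("\\", 1)[-1],
        pid=int(m["pid"]),
        module=m["module"].lower(),
        export=m["export"],
        address=int(m["addr"], 16),
        size=int(m["size"]),
        target=int(m["target"], 16),
    )


def parse_hooks(text):
    return [h for h in map(parse_hook_line, text.splitlines()) if h]


def expected_jmp_bytes(address, target):
    """Bytes a 5-byte E9 rel32 JMP placed at `address` must hold to reach `target`.

    rel32 is measured from the end of the instruction (address + 5), modulo 2**32.
    Reading the 5 bytes at `address` in the live process and comparing them with
    this value confirms (or refutes) the hook GMER reported.
    """
    rel32 = (target - (address + 5)) & 0xFFFFFFFF
    return b"\xE9" + rel32.to_bytes(4, "little")


def trampoline_clusters(hooks, region_bits=16):
    """Map (process, pid, module) -> {region base: [exports]}, region = 2**region_bits bytes.

    A whole DLL's exports landing in one region is the footprint of a single
    injected stub table; check those regions against the process's module list.
    """
    mask = 0xFFFFFFFF ^ ((1 << region_bits) - 1)
    clusters = defaultdict(lambda: defaultdict(list))
    for h in hooks:
        clusters[(h.process, h.pid, h.module)][h.target & mask].append(h.export)
    return {key: dict(regions) for key, regions in clusters.items()}


def main():
    hooks = parse_hooks(SAMPLE_LOG)
    print(f"{len(hooks)} user-mode inline hooks")
    for (proc, pid, module), regions in trampoline_clusters(hooks).items():
        for base, exports in regions.items():
            print(f"{proc}[{pid}] {module}: {len(exports)} hook(s) -> region 0x{base:08X}: {', '.join(exports)}")
    h = hooks[0]
    print(f"expected patch at 0x{h.address:08X}: {expected_jmp_bytes(h.address, h.target).hex(' ')}")


if __name__ == "__main__":
    main()
```

To run it against a full log, replace `SAMPLE_LOG` with the file's contents; only the hook lines are parsed, so the Modules and Files sections can stay in.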
#15 kairis

kairis

  • Members
  • 327 posts
  • Location:Finland

Posted 26 March 2007 - 02:43 AM

Hi bdwaygalinda.

Okay, let's scan with this:

Download AVG Anti-Rootkit

Install and reboot your computer.

Open it and click Search for rootkits.

If something is found, please let me know.
