0

Does anyone see a problem with my system? IE keeps opening on its own.

Logfile of HijackThis v1.99.1
Scan saved at 2:37:30 PM, on 10/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2004\EDICT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mlb.com/"); (C:\Documents and Settings\John Zechiel\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\John Zechiel\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Net DDE.lnk = C:\WINDOWS\system32\netdde.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191450472234
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O18 - Protocol: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\MSELL2.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: tbaspi - Voyetra Turtle Beach, Inc. - C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\TURTLE~1\AUDIOS~1\x10nets.exe

3
Contributors
17
Replies
18
Views
9 Years
Discussion Span
Last Post by crunchie
0

As far as I can tell, your log is clean, but you are running an outdated version.

Can you please do the following.


===============

Download the newest version of HiJackThis; version 2.0.2. Place it in a permanent folder before scanning.

===============

Run hijackthis and hit the Open the Misc Tools Section and then the Open Uninstall Manager.

Then hit the Save List button. Save to the desktop for easy access. Open the log file and copy the entire list and paste it here please.

===========

Copy the bold text below and paste it into notepad. Save it to your desktop as find.bat and make sure type is set to All Files.


cd\
cd Program Files
DIR /AD /B /P > ProgramFiles.txt
start ProgramFiles.txt
cls
exit


Double click find.bat and let it run for a minute. It will open up a report in notepad. Please copy that text and post it here in your next reply.

0

Crunchie -

Here are the files you requested. I should point out that HijackThis.exe would only run once we renamed it to BiJackThis.exe, as if something was watching for it.

uninstall list.txt

Adobe Acrobat 4.0, 5.0
Adobe Flash Player ActiveX
Adobe Reader 6.0
Advanced Networking Pack for Windows XP
Animal
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Audacity 1.2.3
Blender (remove only)
BlitzIn 2
Caesar 3
Capitalism II
Chessmaster 9000
CodeWright 6.6
Command & Conquer Red Alert 2
Command & Conquer Tiberian Sun
Czech
Desktop Toys Window
DILBERT's Desktop Games
Dolet Light for Finale 2005
DriveCopy 2.02
Easy CD Creator 5 Platinum
Easy Screen Saver WorkShop
Easy Screen Saver WorkShop (C:\Program Files\ezscreen\)
eMusic - 50 Free MP3 offer
Encarta Language Learning French
Finale 2005b
Finale NotePad 2005a
Finale Performance Assessment
Finale Performance Assessment Sample Files
FrenchNow!
Google Earth
Google Talk (remove only)
Half-Life: Counter-Strike
Harry Potter
Heretic II
HijackThis 2.0.2
Hoyle Casino '99
Hoyle Solitaire and Mahjong
IBM ViaVoice Personal - US English
Informatik PDF Append
Intel A/V Codecs V2.0
Intel(R) Active Monitor
Intel(R) PRO Network Adapters and Drivers
InterActual Player
iPod Agent 1.1.2.0
iPod for Windows 2005-03-23
iTunes
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
KRISTAL Audio Engine
L&H PC/MM ASR1600 for Windows V3 French
L&H PCMM ASR1600 for Windows V3 Basic
L&H PCMM ASR1600 for Windows V3 Engine
Macromedia Flash 5
Macromedia Generator 2
Magic Set Editor 2 - 0.2.7 beta
Matrix Screen Saver
McAfee SecurityCenter
Micrografx Instant 3D 1.2
Micrografx PhotoMagic 6
Micrografx Windows Draw 6
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Encarta Reference Library 2004
Microsoft Flight Simulator 2000
Microsoft Image Composer 1.5
Microsoft Midtown Madness
Microsoft Office 97, Professional Edition
Microsoft Streets and Trips 2005
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Windows Script Host
Morpher
Mozilla Firefox (2.0.0.7)
MP3 Workshop 1.2
MUSICMATCH Jukebox
MusicTime Deluxe 3.5.5
Netscape (7.1)
Netscape (7.2)
Netscape Browser (remove only)
Network Play System (Patching)
NoLimits Coasters 1.3 (remove only)
NoLimits Coasters Demo 1.31 (remove only)
NTI Backup NOW! 4
NTI DriveBackup! 3 Trial
NTI DVD-Maker
Paint Shop Pro 7 Anniversary Edition
Pegasus Mail
QuickTime
Radio@Netscape Plus
RealOne Player
Renoise V1.5
Roger Wilco
Roll
RollerCoaster Tycoon 2
RollerCoaster Tycoon® 3
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Shockwave
Sierra Utilities
SimCity 2000® Special Edition
Sony USB Driver
Starcraft
Starship Titanic
SureThing CD Labeler - Stomper Edition 32 bit
The Sims
Turtle Beach AudioStation
Turtle Beach Santa Cruz Driver
U.S. Robotics ControlCenter
Ultimate Ride
Unreal Tournament
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Utopia Sound Scheme
Ventrilo Client
VideoFramer
VideoLAN VLC media player 0.6.2
Warhammer 40,000: Dawn Of War - Gold Edition
Westwood Shared Internet Components
Who Wants To Be A Millionaire
WinAce Archiver
Winamp (remove only)
Window Active
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB820291
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB897715
Windows XP Hotfix - KB905915
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
Windows XP Hotfix (SP2) Q322011
Windows XP Hotfix (SP2) q812415
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q819696

programfiles.txt

Activision
Adaptec
Adobe
AOD
Apple Software Update
Atari
ATI Technologies
Audacity
Blender Foundation
Common Files
ComPlus Applications
Creative
Disney Imagineering
Disney Interactive
Dreamworks
Dreamworks Interactive
DZWare
EA Games
Electronic Arts
EncoreDxr3
Enigma Software Group
Epic Games
ezscreen
Finale
Finale 2005b
Google
Hasbro Interactive
Hijackthis
IBM
Infogrames Interactive
InstallShield Installation Information
Intel
InterActual
Internet Chess Club
Internet Explorer
InterVideo
iPod
iPodSoft
iTunes
Jasc Software Inc
Java
Java Web Start
Kap.ACT
Kap.SAT
Kodak
Kreatives
Macromedia
Magic Set Editor 2
MatrixScreens
Maxis
McAfee
McAfee.com
Messenger
Micrografx
Microsoft Encarta
microsoft frontpage
Microsoft Games
Microsoft Image Composer
Microsoft Office
Microsoft Streets and Trips
Microsoft Windows Script
Misc Games
Morpher
Movie Maker
Mozilla Firefox
MP3 Workshop
MSN
MSN Gaming Zone
Multimedia Files
MUSICMATCH
MVAPPS
NetMeeting
Netscape
New Folder
NewTech Infosystems
NoLimits Coasters Demo v1.31
NoLimits Coasters v1.1
Online Services
Outlook Express
Passport
Personal
QuickTime
Radio@Netscape Plus
Real
Renoise V1.5
Roger Wilco
Sierra
Sierra On-Line
Starbase
Starcraft
The Digital Village
THQ
TLI
Turtle Beach
U.S. Robotics
Ubi Soft
Uninstall Information
Ventrilo
VideoFramer
VideoLAN
Westwood
WinAce
Winamp
Windows Media Player
Windows Messaging
Windows NT
WindowsUpdate
WinPMail
WON
wsftp
xerox
XoftSpySE
Zechiel

Thanks for all your help.

Dave Zechiel

0

Good news is I cannot see anything bad there. Bad news is the same as the good news :(.
Can you post an hijackthis log from the updated version please.

Is there a reason for having a shortcut to C:\WINDOWS\system32\netdde.exe in the startup folder?

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

C:\WINDOWS\system32\netdde.exe

0

Hi, Crunchie,

As I recall, I put netdde.exe in the start up folders of all our computers years ago so that we could use network chat. In any case, I'll run the tests you suggest.

I suppose I should have mentioned this earlier, but I think this critter got onto my son's machine via a malformed .MP3 file (he was using an old version of WinAmp (which he has since upgraded), and one of his customers sent him an mp3 file to listen to. This is when his problems started. I found several new DLL's in system32, and that were being started from the Run folder in the registry. I removed those startups, but did not delete the dlls. There also seemed to be problems for a while when he would visit certain folders. Another thing I removed along the way was something the kept trying to install an "anti-adware" program of some sort. McAfee noticed this and stopped this program from being installed, but we had to hunt down the installation program and get rid of it.

My son is ready to institute the death penalty for people who write viruses, and I'm beginning to agree with him.

Thanks for all your help,

Dave Zechiel

0

In the meantime, Go here and download then run Silent Runners.vbs. Right click on the download link and select Save Target As. Save it to the desktop or to a folder in a permanent directory. It generates a log which will be created in the same folder you are running it from. Please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.

0

Hi, Crunchie,

I have four reports for you to look at. One of them definitely shows problems:

First, the HiJackThis log using their latest software:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:07 PM, on 10/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD
2004\EDICT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\Documents and Settings\John Zechiel\Desktop\BiJaciThis.exe


N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mlb.com/");
(C:\Documents and Settings\JOHN ZECHIEL\Application
Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_0
2.src"); (C:\Documents and Settings\JOHN ZECHIEL\Application
Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {535FED16-8B15-407F-B56C-1F516F2F3591} -
C:\WINDOWS\System32\mlljk.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program
Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} -
C:\WINDOWS\System32\xnqdhfii.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices
\Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active
Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator
5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe
/runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe"
-atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe
"C:\WINDOWS\System32\qnplnhys.dll",sitypnow
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne
Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google
Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat
5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft
Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program
Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Net DDE.lnk = C:\WINDOWS\system32\netdde.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft
Office\Office\OSA.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} -
C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape
Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System
Class) -http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_
site.cab?1191450472234
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -
file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O18 - Protocol: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} - C:\Program
Files\Common Files\Microsoft Shared\Reference Titles\MSELL2.dll
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation
- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program
Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. -
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program
files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. -
C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. -
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. -
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. -
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: tbaspi - Voyetra Turtle Beach, Inc. - C:\Program Files\Turtle
Beach\AudioStation\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 -
C:\PROGRA~1\TURTLE~1\AUDIOS~1\x10nets.exe


--
End of file - 7370 bytes


=======================================


Next the scan on netdde.exe


File to upload & scan: Virus


Service
Service load:
0%          100%
File:   netdde.exe
Status:
OK
MD5:    f2231f717daca380856ec3256a4da8b7
Packers detected:
-
Bit9 reports:   No threat detected, but known vulnerabilities exist (more info)
Scanner results
Scan taken on 10 Oct 2007 04:03:54 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


=========================


I had my son do a scan of a very suspicious DLL that appears in this system32 directory, that was created yesterday!  Here's that report:


Service load:
0%          100%
File:   qnplnhys.dll
Status:
INFECTED/MALWARE
MD5:    da539b0ddec6204137717cca9e34533c
Packers detected:
-
Bit9 reports:   File not found
Scanner results
Scan taken on 10 Oct 2007 04:07:01 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dldr.ConHook.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Lop
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found Win32/Adware.Virtumonde application
Norman Virus Control
Found Vundo.gen41
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


===================================


Finally, here's the silent running report:


"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:
---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"RealPlayer" = ""C:\Program Files\Real\RealOne Player\realplay.exe"
/RunUPGToolCommandReBoot" ["RealNetworks, Inc."]
"googletalk" = ""C:\Program Files\Google\Google Talk\googletalk.exe" /autostart"
["Google"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"USRpdA" = "C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA"
["U.S. Robotics Corporation"]
"IMONTRAY" = "C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe"
[empty string]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
-osboot" ["RealNetworks, Inc."]
"AdaptecDirectCD" = ""C:\Program Files\Adaptec\Easy CD Creator
5\DirectCD\DirectCD.exe"" ["Roxio"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
["ATI Technologies, Inc."]
"mcagent_exe" = "C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey"
["McAfee, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple
Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"SearchIndexer" = "rundll32.exe "C:\WINDOWS\System32\qnplnhys.dll",sitypnow"
[MS]
"TraySantaCruz" = "C:\WINDOWS\system32\tbctray.exe" ["Voyetra Turtle Beach,
Inc."]


HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath   =
"C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat
6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{535FED16-8B15-407F-B56C-1F516F2F3591}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\mlljk.dll"
[null data]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\(Default) = "scriptproxy"
-> {HKLM...CLSID} = "scriptproxy"
\InProcServer32\(Default) = "C:\Program
Files\McAfee\VirusScan\scriptsn.dll" ["McAfee, Inc."]
{89AD4D75-2429-462e-BD4E-443F233F6033}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) =
"C:\WINDOWS\System32\xnqdhfii.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll"
["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne
Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealOne
Player\rpshellext.dll" ["RealNetworks"]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon
Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft
Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {HKLM...CLSID} = "Microsoft Office Binder Explode"
\InProcServer32\(Default) = "C:\Program Files\Microsoft
Office\Office\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon
Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\Program Files\Microsoft
Office\Office\olkfstub.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension"
\InProcServer32\(Default) =
"C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{B988C8B2-373B-11CF-B6E0-00AA00BBBA9E}" = "ICCompPropPage"
-> {HKLM...CLSID} = "ImageComposer.CompositionPropertyPage"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Image
Composer\SERVER.DLL" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program
Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "C:\Program
Files\McAfee\VirusScan\mcctxmnu.dll" ["McAfee, Inc."]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "C:\Program
Files\McAfee\VirusScan\mcctxmnu.dll" ["McAfee, Inc."]



Group Policies {policy setting}:
--------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:
-----------------------------


Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\John Zechiel\Local Settings\Application
Data\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\John Zechiel\Local Settings\Application
Data\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:
---------------------


HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sspipes.scr" [MS]



Startup items in "John Zechiel" & "All Users" startup folders:
--------------------------------------------------------------


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat
5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."]
"Microsoft Find Fast" -> shortcut to: "C:\Program Files\Microsoft
Office\Office\FINDFAST.EXE" [MS]
"Microsoft Office Shortcut Bar" -> shortcut to: "C:\Program Files\Microsoft
Office\Office\MSOFFICE.EXE" [MS]
"Net DDE" -> shortcut to: "C:\WINDOWS\system32\netdde.exe" [MS]
"Office Startup" -> shortcut to: "C:\Program Files\Microsoft
Office\Office\OSA.EXE -b" [MS]



Winsock2 Service Provider DLLs:
-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Ca
talog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Cat
alog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:
------------------------------------


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{9455301C-CF6B-11D3-A266-00C04F689C50}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Encarta &Researcher"
\InProcServer32\(Default) = "C:\Program Files\Common
Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\
{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Researcher"


{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI
Technologies Inc."]
Intel(R) Active Monitor, imonNT, "C:\Program Files\Intel\Intel(R) Active
Monitor\imonnt.exe" ["Intel Corp."]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe""
["Apple Inc."]
McAfee Network Agent, McNASvc, ""c:\program files\common
files\mcafee\mna\mcnasvc.exe"" ["McAfee, Inc."]
McAfee Proxy Service, McProxy, "c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe"
["McAfee, Inc."]
McAfee Real-time Scanner, McShield, "C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe"
["McAfee, Inc."]
McAfee Services, mcmscsvc, "C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe" ["McAfee,
Inc."]
McAfee SystemGuards, McSysmon, "C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe"
["McAfee, Inc."]
tbaspi, tbaspi, "C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe"
["Voyetra Turtle Beach, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe"
[MS]



Print Monitors:
---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP LaserJet 5 Language Monitor\Driver = "HPDCMON.DLL" ["Hewlett-Packard"]
HPZLNT09\Driver = "hpzlnt09.dll" ["HP"]
LPR Port\Driver = "lprmon.dll" [MS]
PDF Port\Driver = "C:\WINDOWS\System32\pdfports.dll" ["Adobe Systems
Incorporated."]



---------- (launch time: 2007-10-09 21:13:35)
<<!>>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 308 seconds, including 15 seconds for message
boxes)


==============

Many thanks for all your help.

Sincerely,

David Zechiel

Edited by happygeek: fixed formatting

0

Please download VundoFix.exe
to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

0

Hi, Crunchie,

Here is the information you requested:

====

VundoFix V6.5.9

Checking Java version...

Scan started at 6:43:50 PM 10/10/2007

Listing files found while scanning....

C:\WINDOWS\System32\gcywdgaq.ini
C:\WINDOWS\System32\qagdwycg.dll
C:\WINDOWS\System32\xnqdhfii.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\gcywdgaq.ini
C:\WINDOWS\System32\gcywdgaq.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\qagdwycg.dll
C:\WINDOWS\System32\qagdwycg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\xnqdhfii.dll
C:\WINDOWS\System32\xnqdhfii.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\qagdwycg.dll
C:\WINDOWS\System32\qagdwycg.dll Has been deleted!

Performing Repairs to the registry.
Done!

====

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:51 PM, on 10/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinPMail\winpm-32.exe
C:\Documents and Settings\John Zechiel\Desktop\BiJaciThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://www.mlb.com/"); (C:\Documents and Settings\JOHN
ZECHIEL\Application
Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins
%5CSBWeb_02.src"); (C:\Documents and Settings\JOHN
ZECHIEL\Application
Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-
784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31629C70-3168-439F-B810-0E597C3F43B5} -
C:\WINDOWS\System32\mlljk.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -
C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} -
(no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe
RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active
Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program
Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program
Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne
Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google
Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program
Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program
Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program
Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Net DDE.lnk = C:\WINDOWS\system32\netdde.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft
Office\Office\OSA.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-
00C04F689C50} - C:\Program Files\Common Files\Microsoft
Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-
BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape
Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com
Operating System Class) -
http://download.mcafee.com/molbin/shared/mcinsctl/en-
us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl
Class) -
http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cli
ent/wuweb_site.cab?1191450472234
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document
4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr
Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-
us/1,0,0,23/mcgdmgr.cab
O18 - Protocol: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} -
C:\Program Files\Common Files\Microsoft Shared\Reference
Titles\MSELL2.dll
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -
C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common
Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. -
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. -
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. -
c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. -
C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. -
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. -
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. -
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: tbaspi - Voyetra Turtle Beach, Inc. - C:\Program
Files\Turtle Beach\AudioStation\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 -
C:\PROGRA~1\TURTLE~1\AUDIOS~1\x10nets.exe

--
End of file - 7132 bytes

====

We can't tell if this was ultimately successful yet. I did just have my son install the latest version of sun Java on his machine, somehow or another he had v1.4 on it. He's now at v6.3.

If this has done the trick, then you say the word and I will make a donation to whoever you want (daniweb.com, CVF [crunchie vacation fund], whatever).

Thanks for all your help so far,

David Zechiel

0

Crunchie -

Bad news. After the previous actions my son reported that the computer was performing better and we held our breath. Unfortunately after a couple of hours, he said that an IE window popped up and it's still not completely gone. I had him run the log file from HijackThis after the report so that you might compare before/after. I also had him run the VundoFix program again, but this time it reported finding nothing. Do you have any more ideas?

Thanks,

Dave Zechiel

=====

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:38 PM, on 10/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD
2004\EDICT.EXE
C:\Documents and Settings\John Zechiel\Desktop\BiJaciThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mlb.com/");
(C:\Documents and Settings\JOHN ZECHIEL\Application
Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_0
2.src"); (C:\Documents and Settings\JOHN ZECHIEL\Application
Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {432014D6-525A-4126-BACE-A9CB993C9F81} -
C:\WINDOWS\System32\mlljk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program
Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices
\Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active
Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator
5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe
/runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe"
-atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne
Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google
Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat
5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft
Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program
Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Net DDE.lnk = C:\WINDOWS\system32\netdde.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft
Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} -
C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape
Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System
Class) -
http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_
site.cab?1191450472234
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -
file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O18 - Protocol: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} - C:\Program
Files\Common Files\Microsoft Shared\Reference Titles\MSELL2.dll
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation
- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program
Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. -
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program
files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. -
C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. -
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. -
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. -
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: tbaspi - Voyetra Turtle Beach, Inc. - C:\Program Files\Turtle
Beach\AudioStation\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 -
C:\PROGRA~1\TURTLE~1\AUDIOS~1\x10nets.exe

--
End of file - 7691 bytes

0

Hi, crunchie,

My son ran VundoFix again, and it reported as below. However, even as he was sending me this log, the problem returned. Obviously there is something else well hidden that is building these new instances of Vundo.

Thanks again for your help in solving this problem.

Dave Zechiel

===

VundoFix V6.5.9

Checking Java version...

Scan started at 9:46:01 PM 10/10/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.9

Checking Java version...

Scan started at 10:17:39 PM 10/10/2007

Listing files found while scanning....

C:\WINDOWS\System32\aygumxdm.ini
C:\WINDOWS\System32\mdxmugya.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\aygumxdm.ini
C:\WINDOWS\System32\aygumxdm.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\mdxmugya.dll
C:\WINDOWS\System32\mdxmugya.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\mdxmugya.dll
C:\WINDOWS\System32\mdxmugya.dll Has been deleted!

Performing Repairs to the registry.
Done!

0

First up, when you save the hijackthis log, can you go to the format Tab and check the wordwrap as you log is not working correctly in the tool I use to analyse it.

==

1. Download this file from one of the following links :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply, along with a new hijackthis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

0

IMO the main problem is that he s using Firefox but IE is still his default browser. He needs to make FF as his default browser.
In your FF browser Go to tools >> options >>main >> check the last option which says Always check if Firefox is the default browser on startup.
This should solve your issue.

0

Certain malware can actually start IE by themselves. Setting FF as the default browser will not remove the trojans that are on the pc now :D

0

Hi, crunchie,

Here's the log from ComboFix.exe:

ComboFix 07-10-12.4 - John Zechiel 2007-10-11 20:17:08.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.1.1252.1.1033.18.648 [GMT -7:00]
Running from: C:\Documents and Settings\John Zechiel\Desktop\ComboFix.exe
* Created a new restore point
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\#SharedObjects\ERDWR56N\www.broadcaster.com
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\#SharedObjects\ERDWR56N\www.broadcaster.com\played_list.sol
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\#SharedObjects\ERDWR56N\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\John Zechiel\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bwgoubdl.dll
C:\WINDOWS\system32\dlrhfxjh.dll
C:\WINDOWS\system32\efqexyij.ini
C:\WINDOWS\system32\jiyxeqfe.dll
C:\WINDOWS\system32\kdrytfkg.dll
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\smsxjxsf.dll
C:\WINDOWS\system32\telbxbjv.dll


.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


.
-------\nm



(((((((((((((((((((((((((   Files Created from 2007-09-12 to 2007-10-12  )))))))))))))))))))))))))))))))
.


2007-10-11 20:16    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-10-10 22:24    24,576  --a------   C:\WINDOWS\system32\VundoFixSVC.exe
2007-10-10 19:05    <DIR>    d--------   C:\Program Files\Common Files\Java
2007-10-10 18:43    <DIR>    d--------   C:\VundoFix Backups
2007-10-06 10:26    12,160  --a------   C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-06 10:26    12,160  --a--c---   C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-06 10:26    9,600   --a------   C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-06 10:26    9,600   --a--c---   C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-03 13:48    6,221,304   --a------   C:\TEMP\winamp535_full_emusic-7plus.exe
2007-10-03 00:36    <DIR>    d--------   C:\Program Files\XoftSpySE
2007-10-03 00:29    <DIR>    d--------   C:\Program Files\Enigma Software Group
2007-10-02 23:52    <DIR>    d--------   C:\WINDOWS\system32\vMW02a
2007-10-02 23:52    <DIR>    d--------   C:\TEMP\xOe
2007-09-24 22:58    3,269,420   --a------   C:\TEMP\The Terminator Theme (From T3)- Brad Fiedel.zip


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-11 02:06    ---------   d-----w C:\Program Files\Java
2007-10-09 04:49    1,550   ----a-w C:\Program Files\ProgramFiles.txt
2007-10-07 07:38    ---------   d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-05 21:06    ---------   d-----w C:\Program Files\McAfee
2007-10-03 20:52    ---------   d-----w C:\Program Files\Winamp
2007-08-27 05:44    ---------   d-----w C:\Program Files\iTunes
2007-08-27 05:44    ---------   d-----w C:\Program Files\iPod
2007-08-27 05:42    ---------   d-----w C:\Program Files\QuickTime
2007-08-27 05:42    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-27 05:40    ---------   d-----w C:\Program Files\Apple Software Update
2007-08-27 05:40    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Apple
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"USRpdA"="C:\WINDOWS\SYSTEM32\USRmlnkA.exe" [2003-03-31 05:00]
"IMONTRAY"="C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe" [2003-01-10 13:08]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-12-15 20:26]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-01-23 11:20]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 22:10]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 15:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TraySantaCruz"="C:\WINDOWS\system32\tbctray.exe" [2002-04-17 12:51]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="C:\Program Files\Real\RealOne Player\realplay.exe" [2006-05-28 20:35]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 14:22]


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"<NO NAME>"=


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2003-12-20 15:43:59]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11 01:00:00]
Microsoft Office Shortcut Bar.lnk - C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE [1997-07-11 01:00:00]
Net DDE.lnk - C:\WINDOWS\system32\netdde.exe [2004-06-16 11:32:52]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-11 01:00:00]


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\mlljk.dll


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


R0 mpegport;mpegport;C:\WINDOWS\System32\DRIVERS\mpegport.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\System32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\System32\drivers\pwd_2k.sys
R1 UBHelper;UBHelper;C:\WINDOWS\System32\drivers\UBHelper.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\System32\drivers\UdfReadr_xp.sys
R2 iSMBIOS;iSMBIOS;\??\C:\WINDOWS\System32\drivers\iSMBIOS.SYS
R2 rmdvd;RM DVD helper;C:\WINDOWS\System32\DRIVERS\rmdvd.sys
R2 SIODRV;SIODRV;\??\C:\WINDOWS\System32\drivers\SIODRV.SYS
R3 ICAM3NT5;Intel(r) PC Camera CS331;C:\WINDOWS\System32\Drivers\ICAM3D2.SYS
R3 mmc_2K;mmc_2K;C:\WINDOWS\System32\drivers\mmc_2K.sys
R3 smbusp;Intel(R) SMBus 2.0 Driver;C:\WINDOWS\System32\DRIVERS\smb.sys
R3 tbcspud;Santa Cruz Driver;C:\WINDOWS\System32\drivers\tbcspud.sys
R3 tbcwdm;Santa Cruz WDM Driver;C:\WINDOWS\System32\drivers\tbcwdm.sys
R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\System32\DRIVERS\USRpdA.sys
S3 cel90xbe;cel90xbe;\??\C:\DOCUME~1\JOHNZE~1\LOCALS~1\Temp\cel90xbe.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\System32\drivers\dvd_2K.sys
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 rmquasar;Hollywood Plus MiniDriver;C:\WINDOWS\System32\DRIVERS\rmquasar.sys


.
**************************************************************************


catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 20:22:29
Windows 5.1.2600 Service Pack 1 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 2007-10-11 20:24:15 - machine was rebooted
.
--- E O F ---


=====


Here's the log from HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:47 PM, on 10/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\Program Files\WinPMail\winpm-32.exe
C:\Documents and Settings\John Zechiel\Desktop\BiJaciThis.exe


N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mlb.com/"); (C:\Documents and Settings\JOHN ZECHIEL\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\JOHN ZECHIEL\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Net DDE.lnk = C:\WINDOWS\system32\netdde.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191450472234
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O18 - Protocol: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\MSELL2.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: tbaspi - Voyetra Turtle Beach, Inc. - C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\TURTLE~1\AUDIOS~1\x10nets.exe


--
End of file - 7561 bytes


====

We don't know if this was successful or not. If my son tells me the problem still exists, I'll post here. If this is my last message, then it's because the problem has not reemerged.

Thanks again for all your help.

Dave Zechiel

Edited by happygeek: fixed formatting

0

Can you please do the following.


===============

Scan with HijackThis and then place a check next to all the following, if present:


O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============


When your done, rescan your system and make sure the following isn't present:

N3 - Netscape ... 5CSBWeb_01.src (or) 5CSBWeb_02.src

If it is, then fix that entry again; sometimes it'll take more than one pass. The actual entry is ok, and won't be deleted, it's the java wrapper marked in red that needs to be removed.

===============

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\system32\drivers\mouhid.sys
C:\WINDOWS\system32\dllcache\mouhid.sys
C:\WINDOWS\system32\drivers\hidusb.sys
C:\WINDOWS\system32\dllcache\hidusb.sys

0

Hi, crunchie,

Here are the logs from the scan of the four drivers you asked for, along with a HijackThis log report. My son says his computer didn't display any symptoms since we ran combofix.exe.

File to upload & scan: Virus

Service
Service load:
0% 100%
File: mouhid.sys
Status:
OK
MD5: b1c303e17fb9d46e87a98e4ba6769685
Packers detected:
Analyzing...
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 12 Oct 2007 17:38:09 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Service load:
0% 100%
File: mouhid.sys
Status:
OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: b1c303e17fb9d46e87a98e4ba6769685
Packers detected:
-
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 12 Oct 2007 17:42:09 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Service load:
0% 100%
File: hidusb.sys
Status:
OK
MD5: 1de6783b918f540149aa69943bdfeba8
Packers detected:
-
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 12 Oct 2007 17:43:48 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Service load:
0% 100%
File: hidusb.sys
Status:
OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 1de6783b918f540149aa69943bdfeba8
Packers detected:
-
Bit9 reports: No threat detected (more info)
Scanner results
Scan taken on 12 Oct 2007 17:47:08 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

===

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:08 AM, on 10/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Encarta\Encarta Reference Library DVD 2004\EDICT.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
C:\PROGRA~1\McAfee\VIRUSS~2\mcvsshld.exe
C:\Program Files\WinPMail\winpm-32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\John Zechiel\Desktop\BiJaciThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.mlb.com/"); (C:\Documents and Settings\JOHN ZECHIEL\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\JOHN ZECHIEL\Application Data\Mozilla\Profiles\default\o8dohl6q.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Net DDE.lnk = C:\WINDOWS\system32\netdde.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .html: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191450472234
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O18 - Protocol: msell2 - {9367D24B-8506-471A-915A-CFBB4BCEB631} - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\MSELL2.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~2\mcsysmon.exe
O23 - Service: tbaspi - Voyetra Turtle Beach, Inc. - C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\TURTLE~1\AUDIOS~1\x10nets.exe

--
End of file - 7956 bytes

Thanks again for all your help.

David Zechiel

0

You are welcome.


Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Download CCleaner and install, then run it. It will clear out your temp folders.

  1. Uncheck "Cookies" under "Internet Explorer".
  2. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
  3. Close when finished.

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, AVG anti-spyware, Ad-Aware SE and Spybot S&D.
Run them all on a regular basis, following the maker's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.