ivang Posted August 28, 2007

I was infected by a "Back-door Trojan"; which one, I am not exactly sure, because my McAfee Shield deleted it immediately. I have since been getting pop-ups that have been mostly linked to the WinAntiVirus07 program. I have also done an entire scan of my system where nothing came up. I also read some of the previous posts about getting Combofix, but the website seems to be down at the moment and I cannot install the program. Here is a copy of my log from HijackThis...

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\University of Arizona Software\U of A VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nicitdl5.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\IVANGR~1\LOCALS~1\Temp\Rar$EX01.570\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.email.arizona.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {126D2E44-3B1D-46B6-BE67-D5BCF68AEEFD} - C:\WINDOWS\system32\urqnolj.dll
O2 - BHO: (no name) - {450AA662-3EEA-4E6C-B549-B13847E549CD} - C:\WINDOWS\system32\hggdb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\veavblpg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_SB4.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [systemOptimizer] rundll32.exe "C:\WINDOWS\system32\jsdbkxsl.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168086620636
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168630700910
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: hggdb - C:\WINDOWS\system32\hggdb.dll
O20 - Winlogon Notify: urqnolj - C:\WINDOWS\SYSTEM32\urqnolj.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\University of Arizona Software\U of A VPN Client\cvpnd.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Citadel (NICitadel5Service) - National Instruments, Inc. - C:\WINDOWS\system32\nicitdl5.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13341 bytes

Thanks for your help.
-Ivan
rmurphy Posted August 28, 2007

Hi, and welcome to BestTechie. I'm Ryan, and I'll be helping you with your issue.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click OK.
Please post the contents of C:\vundofix.txt, the Uninstall List, and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

To obtain the uninstall list:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)

-Ryan
ivang Posted August 28, 2007

Everything seems to be functioning okay now. Thanks. The HijackThis log file is as follows....

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\University of Arizona Software\U of A VPN Client\cvpnd.exe
C:\WINDOWS\system32\bnomnoxs.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nicitdl5.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Google Updater\2.2.940.34809\GoogleUpdaterInstallMgr.exe
C:\DOCUME~1\IVANGR~1\LOCALS~1\Temp\Rar$EX00.059\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.email.arizona.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {126D2E44-3B1D-46B6-BE67-D5BCF68AEEFD} - C:\WINDOWS\system32\urqnolj.dll
O2 - BHO: (no name) - {450AA662-3EEA-4E6C-B549-B13847E549CD} - C:\WINDOWS\system32\hggdb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {EFFCB1DD-4F7E-43B0-B4DA-7C74C1675AF8} - C:\WINDOWS\system32\ursss.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_SB4.tmp" /EF "HKLM"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168086620636
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168630700910
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: urqnolj - C:\WINDOWS\SYSTEM32\urqnolj.dll
O20 - Winlogon Notify: ursss - C:\WINDOWS\system32\ursss.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\University of Arizona Software\U of A VPN Client\cvpnd.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\bnomnoxs.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: National Instruments Citadel (NICitadel5Service) - National Instruments, Inc. - C:\WINDOWS\system32\nicitdl5.exe
O23 - Service: nidevldu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: nipxirmu - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13526 bytes

The Vundo Text file is as follows...

VundoFix V6.5.7

Checking Java version...

Scan started at 11:51:28 AM 8/28/2007

Listing files found while scanning....

C:\WINDOWS\system32\bdggh.bak1
C:\WINDOWS\system32\bdggh.bak2
C:\WINDOWS\system32\bdggh.ini
C:\windows\system32\cogeagph.ini
C:\WINDOWS\system32\hggdb.dll
C:\WINDOWS\system32\hpgaegoc.dll
C:\windows\system32\jsdbkxsl.dll
C:\windows\system32\lsxkbdsj.ini
C:\WINDOWS\system32\veavblpg.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bdggh.bak1
C:\WINDOWS\system32\bdggh.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\bdggh.bak2
C:\WINDOWS\system32\bdggh.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\bdggh.ini
C:\WINDOWS\system32\bdggh.ini Has been deleted!

Attempting to delete C:\windows\system32\cogeagph.ini
C:\windows\system32\cogeagph.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggdb.dll
C:\WINDOWS\system32\hggdb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hpgaegoc.dll
C:\WINDOWS\system32\hpgaegoc.dll Has been deleted!

Attempting to delete C:\windows\system32\jsdbkxsl.dll
C:\windows\system32\jsdbkxsl.dll Has been deleted!

Attempting to delete C:\windows\system32\lsxkbdsj.ini
C:\windows\system32\lsxkbdsj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\veavblpg.dll
C:\WINDOWS\system32\veavblpg.dll Has been deleted!

Performing Repairs to the registry.
Done!

Thanks again. If you notice that something is still not 100% correct, please let me know.
-Ivan
ivang Posted August 28, 2007

The Uninstall list is as follows...

9205 Driver Package
Adobe Acrobat 8.1.0 Professional
Adobe Flash Player Plugin
Adobe Reader 8.1.0
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 5
ATI Control Panel
ATI Display Driver
BCM V.92 56K Modem
Broadcom Gigabit Integrated Controller
burster 9205
burster interface port
Dell Media Experience
Dell ResourceCD
Dell Wireless WLAN Card
DivX Web Player
EPSON CX6000 Series User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX6000 Scanner Driver Update
Google Updater
HijackThis 2.0.0
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB916089)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
iPodRip
IsoBuster 2.0
iTunes
IVI Shared Components
Java 2 Runtime Environment, SE v1.4.2_14
Java 2 SDK, SE v1.4.2_14
Java SE Runtime Environment 6 Update 1
LaCie Backup Software v1.5.2215
Logitech Audio Echo Cancellation Component
Logitech Desktop Messenger
Logitech QuickCam
Logitech Video Enumerator
Logitech® Camera Driver
Macromedia Flash Player 8
MATLAB R2007a
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MVision
National Instruments Software
NI EULA Depot
NI MDF Support
PowerDVD
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
SigmaTel AC97 Audio Drivers
Skype™ 3.5
SopCast 1.1.2
Spelling Dictionaries Support For Adobe Reader 8
UMVPLStandalone
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VideoLAN VLC media player 0.8.6
Viewpoint Media 
PlayerVPN ClientWindows Communication FoundationWindows Imaging ComponentWindows Installer 3.1 (KB893803)Windows Internet Explorer 7Windows Media Format 11 runtimeWindows Media Format 11 runtimeWindows Media Player 11Windows Media Player 11Windows Presentation FoundationWindows Workflow FoundationWindows XP Hotfix - KB873339Windows XP Hotfix - KB885835Windows XP Hotfix - KB885836Windows XP Hotfix - KB886185Windows XP Hotfix - KB887472Windows XP Hotfix - KB888302Windows XP Hotfix - KB890859Windows XP Hotfix - KB891781Windows XP Service Pack 2WinPcap 3.0WinRAR archiver-Ivan Link to post Share on other sites
rmurphy Posted August 28, 2007

The following programs can be uninstalled:
Java 2 Runtime Environment, SE v1.4.2_14
Java 2 SDK, SE v1.4.2_14

Double-click VundoFix.exe to run it.
Right click the listbox and select Add more files?
Add the following files, one per line:
C:\WINDOWS\system32\ursss.dll
C:\WINDOWS\system32\urqnolj.dll
* Click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files; click YES.
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer; click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions when VundoFix appears at reboot.

Open HiJackThis and scan. When it finishes, put an X in the box next to the following item(s):
O2 - BHO: (no name) - {126D2E44-3B1D-46B6-BE67-D5BCF68AEEFD} - C:\WINDOWS\system32\urqnolj.dll
O2 - BHO: (no name) - {450AA662-3EEA-4E6C-B549-B13847E549CD} - C:\WINDOWS\system32\hggdb.dll (file missing)
O2 - BHO: (no name) - {EFFCB1DD-4F7E-43B0-B4DA-7C74C1675AF8} - C:\WINDOWS\system32\ursss.dll
O20 - Winlogon Notify: urqnolj - C:\WINDOWS\SYSTEM32\urqnolj.dll
O20 - Winlogon Notify: ursss - C:\WINDOWS\system32\ursss.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\bnomnoxs.exe

Close all open windows except for HiJackThis and click Fix checked.

Still in HiJackThis:
* Click on the "Config..." button on the bottom right.
* Click on the tab "Misc Tools".
* Click on "Delete an NT service".
* Copy and paste this in: DomainService
* Click "OK", then reboot.

If you would please rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.
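A read-only check that can be run after the reboot to confirm the items rmurphy lists above are actually gone. This is an added example, not part of rmurphy's instructions and not code from VundoFix or HijackThis. It assumes PowerShell is available on the machine (it is not installed by default on Windows XP) and is run from an administrator account; every file path, CLSID, Winlogon Notify name and service name in it is copied from the post above, and the script only reports, it removes nothing.

```powershell
# Post-cleanup verification (added example, not from the thread's tools).
# Re-checks the leftovers a Vundo infection typically leaves behind:
# the DLL/EXE files, their BHO and CLSID registrations, the Winlogon
# Notify entries, and the bogus service. Values are taken from the post.
# Assumption: run elevated, after VundoFix and the HijackThis fixes.

$files = @(
    'C:\WINDOWS\system32\ursss.dll',
    'C:\WINDOWS\system32\urqnolj.dll',
    'C:\WINDOWS\system32\hggdb.dll',
    'C:\WINDOWS\system32\bnomnoxs.exe'
)
$bhoClsids = @(
    '{126D2E44-3B1D-46B6-BE67-D5BCF68AEEFD}',
    '{450AA662-3EEA-4E6C-B549-B13847E549CD}',
    '{EFFCB1DD-4F7E-43B0-B4DA-7C74C1675AF8}'
)
$notifyNames = @('urqnolj', 'ursss')
$serviceName = 'DomainService'

$findings = @()

# 1. Files on disk. -LiteralPath avoids any wildcard interpretation.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "file still present: $f"
    }
}

# 2. BHO registration (what HijackThis shows as O2) and the CLSID it points to.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($c in $bhoClsids) {
    if (Test-Path -LiteralPath "$bhoRoot\$c") {
        $findings += "BHO still registered: $c"
    }
    if (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$c") {
        $findings += "CLSID still registered: $c"
    }
}

# 3. Winlogon Notify entries (HijackThis O20). These load the DLL at logon,
#    which is why the files kept coming back before VundoFix was used.
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
foreach ($n in $notifyNames) {
    if (Test-Path -LiteralPath "$notifyRoot\$n") {
        $findings += "Winlogon Notify entry still present: $n"
    }
}

# 4. The service HijackThis listed as O23.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "service still installed: $serviceName (status $($svc.Status))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No leftovers from the listed items were found.'
} else {
    Write-Output 'Leftovers found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Anything this reports should go into the next HijackThis log posted in the thread; an entry that persists across reboots usually means the Winlogon Notify DLL is still being loaded and re-creating the files, which is the case VundoFix's reboot run is meant to handle.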