Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

HijackThis log - fig

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

HijackThis log - fig

Unread postby fig » June 9th, 2007, 12:26 pm

I've been having a lot of trouble with my pc running slowly and popups nonstop. I've run Ad-Aware, Spybot, and I run McAfee. I've been spyware free for years and all of the sudden I'm having problems

Logfile of HijackThis v1.99.1
Scan saved at 12:24:34 PM, on 6/9/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
I:\Windows\system32\Dwm.exe
I:\Windows\Explorer.EXE
I:\Windows\SOUNDMAN.EXE
I:\Windows\System32\rundll32.exe
i:\PROGRA~1\mcafee.com\agent\mcagent.exe
I:\Windows\system32\taskeng.exe
I:\Program Files\Windows Sidebar\sidebar.exe
I:\Windows\ehome\ehtray.exe
I:\Windows\System32\rundll32.exe
I:\Program Files\Windows Media Player\wmpnscfg.exe
I:\Windows\ehome\ehmsas.exe
I:\Windows\system32\rundll32.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" I:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" I:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" I:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ApachInc] "rundll32.exe" "I:\Windows\system32\qaxbuhkj.dll",realset
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] "I:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] I:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "I:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{517BC539-65CB-4E10-A936-9F28CBB5B572}
O10 - Unknown file in Winsock LSP: i:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: i:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - I:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - I:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - i:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - I:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - I:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - I:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - I:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
fig
Regular Member
 
Posts: 16
Joined: June 9th, 2007, 12:08 pm
Advertisement
Register to Remove

Unread postby random/random » June 9th, 2007, 2:59 pm

Rename HijackThis.exe to random.exe and then post a new log
User avatar
random/random
Developer
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Unread postby fig » June 9th, 2007, 3:03 pm

sorry, must have missed that part in the guide'

Logfile of HijackThis v1.99.1
Scan saved at 3:01:35 PM, on 6/9/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
I:\Windows\system32\Dwm.exe
I:\Windows\Explorer.EXE
I:\Windows\SOUNDMAN.EXE
I:\Windows\System32\rundll32.exe
i:\PROGRA~1\mcafee.com\agent\mcagent.exe
I:\Windows\system32\taskeng.exe
I:\Program Files\Windows Sidebar\sidebar.exe
I:\Windows\ehome\ehtray.exe
I:\Windows\System32\rundll32.exe
I:\Program Files\Windows Media Player\wmpnscfg.exe
I:\Windows\ehome\ehmsas.exe
I:\Windows\system32\rundll32.exe
I:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\BitTornado\btdownloadgui.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\HijackThis\random.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - i:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C1E8EDBF-47FF-4B63-BBB6-5A169258E158} - I:\Windows\system32\vtstq.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - I:\Windows\system32\cvhctdhw.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" I:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" I:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" I:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ApachInc] "rundll32.exe" "I:\Windows\system32\qaxbuhkj.dll",realset
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] "I:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] I:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "I:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{517BC539-65CB-4E10-A936-9F28CBB5B572}
O10 - Unknown file in Winsock LSP: i:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: i:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: fccabax - fccabax.dll (file missing)
O20 - Winlogon Notify: vtstq - I:\Windows\
O20 - Winlogon Notify: WRNotifier - I:\Windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - I:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - I:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - i:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - I:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - I:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - I:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - I:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
fig
Regular Member
 
Posts: 16
Joined: June 9th, 2007, 12:08 pm

Unread postby random/random » June 9th, 2007, 3:35 pm

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O2 - BHO: (no name) - {C1E8EDBF-47FF-4B63-BBB6-5A169258E158} - I:\Windows\system32\vtstq.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - I:\Windows\system32\cvhctdhw.dll
O4 - HKLM\..\Run: [ApachInc] "rundll32.exe" "I:\Windows\system32\qaxbuhkj.dll",realset
O20 - Winlogon Notify: fccabax - fccabax.dll (file missing)
O20 - Winlogon Notify: vtstq - I:\Windows\

Then close all windows except HijackThis and click Fix Checked

Restart

Use windows explorer to find and delete these files:

I:\Windows\system32\vtstq.dll
I:\Windows\system32\cvhctdhw.dll
I:\Windows\system32\qaxbuhkj.dll
I:\Windows\system32\fccabax.dl

Post a new HijackThis log and let me know how its running now
User avatar
random/random
Developer
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Unread postby fig » June 9th, 2007, 5:37 pm

Seems to be running better now (knock on wood). How does my HJT log look?

Logfile of HijackThis v1.99.1
Scan saved at 5:35:53 PM, on 6/9/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
I:\Windows\system32\Dwm.exe
I:\Windows\Explorer.EXE
I:\Windows\SOUNDMAN.EXE
I:\Windows\System32\rundll32.exe
I:\Program Files\Windows Sidebar\sidebar.exe
I:\Windows\ehome\ehtray.exe
I:\Windows\System32\rundll32.exe
i:\PROGRA~1\mcafee.com\agent\mcagent.exe
I:\Windows\system32\taskeng.exe
I:\Windows\ehome\ehmsas.exe
I:\Program Files\Windows Media Player\wmpnscfg.exe
I:\Program Files\Windows Sidebar\sidebar.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Windows\system32\rundll32.exe
I:\Windows\system32\rundll32.exe
I:\Windows\system32\rundll32.exe
I:\Program Files\HijackThis\random.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - i:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {DC092C19-BCD6-4285-946A-3D0AD5010F01} - I:\Windows\system32\vtstq.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - I:\Windows\system32\ghnqnsrt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" I:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" I:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" I:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "I:\Windows\system32\hcgkwljs.dll",realset
O4 - HKCU\..\Run: [Sidebar] I:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] I:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "I:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{517BC539-65CB-4E10-A936-9F28CBB5B572}
O10 - Unknown file in Winsock LSP: i:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: i:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: vtstq - I:\Windows\system32\vtstq.dll
O20 - Winlogon Notify: WRNotifier - I:\Windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - I:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - I:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - i:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - I:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - I:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - I:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - I:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
fig
Regular Member
 
Posts: 16
Joined: June 9th, 2007, 12:08 pm

Unread postby random/random » June 9th, 2007, 5:39 pm

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
User avatar
random/random
Developer
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Unread postby fig » June 10th, 2007, 5:42 pm

Okay here is my new HJT log..I'm still getting some problems with popups...

Logfile of HijackThis v1.99.1
Scan saved at 5:41:51 PM, on 6/10/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
I:\Windows\system32\Dwm.exe
I:\Windows\SOUNDMAN.EXE
I:\Windows\System32\rundll32.exe
I:\Program Files\Windows Sidebar\sidebar.exe
I:\Windows\ehome\ehtray.exe
i:\PROGRA~1\mcafee.com\agent\mcagent.exe
I:\Windows\system32\taskeng.exe
I:\Program Files\Windows Media Player\wmpnscfg.exe
I:\Windows\System32\rundll32.exe
I:\Windows\ehome\ehmsas.exe
I:\Program Files\Windows Sidebar\sidebar.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Windows\system32\SearchFilterHost.exe
I:\Windows\system32\rundll32.exe
i:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
I:\Program Files\HijackThis\random.exe
I:\Windows\Explorer.EXE
I:\Windows\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - i:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {A015A0D0-4526-4E21-BF3C-668F87FE80D9} - I:\Windows\system32\vtstq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - I:\Windows\system32\ghnqnsrt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" I:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" I:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" I:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "I:\Windows\system32\hcgkwljs.dll",realset
O4 - HKCU\..\Run: [Sidebar] I:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] I:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "I:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{517BC539-65CB-4E10-A936-9F28CBB5B572}
O10 - Unknown file in Winsock LSP: i:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: i:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: vtstq - I:\Windows\system32\vtstq.dll
O20 - Winlogon Notify: WRNotifier - I:\Windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - I:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - I:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - i:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - I:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - I:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - I:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - I:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - I:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
fig
Regular Member
 
Posts: 16
Joined: June 9th, 2007, 12:08 pm

Unread postby random/random » June 10th, 2007, 5:49 pm

You need to post the contents of C:\vundofix.txt
User avatar
random/random
Developer
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Unread postby fig » June 11th, 2007, 11:54 am

vundofix didn't work for me. It scanned fine, but when I tried to fix the Vundo my screen went blank and never came back. I had to reset my machine. So I used a symantec tool to remove Vundo, but it said it wasn't on my pc. I'll post a new HJT log shortly.
fig
Regular Member
 
Posts: 16
Joined: June 9th, 2007, 12:08 pm

Unread postby fig » June 11th, 2007, 1:35 pm

here's my new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 1:34:38 PM, on 6/11/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
I:\Windows\system32\Dwm.exe
I:\Windows\Explorer.EXE
I:\Windows\SOUNDMAN.EXE
I:\Windows\System32\rundll32.exe
I:\Program Files\Windows Sidebar\sidebar.exe
I:\Windows\ehome\ehtray.exe
i:\PROGRA~1\mcafee.com\agent\mcagent.exe
I:\Windows\ehome\ehmsas.exe
I:\Windows\System32\rundll32.exe
I:\Windows\system32\taskeng.exe
I:\Program Files\Windows Media Player\wmpnscfg.exe
I:\Program Files\Windows Sidebar\sidebar.exe
I:\Windows\system32\rundll32.exe
I:\Windows\system32\SearchFilterHost.exe
I:\Windows\System32\mobsync.exe
I:\Program Files\Windows Media Player\wmplayer.exe
I:\Program Files\HijackThis\random.exe
I:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {43ECE479-3B72-499E-AC79-C640A020E77E} - I:\Windows\system32\vtstq.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - i:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - I:\Windows\system32\qopmjgd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - I:\Windows\system32\ghnqnsrt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" I:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" I:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" I:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "I:\Windows\system32\hcgkwljs.dll",realset
O4 - HKCU\..\Run: [Sidebar] I:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] I:\Windows\ehome\ehTray.exe
O10 - Unknown file in Winsock LSP: i:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: i:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: qopmjgd - I:\Windows\SYSTEM32\qopmjgd.dll
O20 - Winlogon Notify: vtstq - I:\Windows\system32\vtstq.dll
O20 - Winlogon Notify: winezn32 - I:\Windows\SYSTEM32\winezn32.dll
O20 - Winlogon Notify: WRNotifier - I:\Windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - I:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - I:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - i:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - I:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - I:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - I:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - I:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - I:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
fig
Regular Member
 
Posts: 16
Joined: June 9th, 2007, 12:08 pm

Unread postby random/random » June 11th, 2007, 2:12 pm

To run HijackThis please right click on random.exe and click run as administrator

Also while performing the fixes you need to accept any changes that UAC might prompt you about

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O2 - BHO: (no name) - {43ECE479-3B72-499E-AC79-C640A020E77E} - I:\Windows\system32\vtstq.dll
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - I:\Windows\system32\qopmjgd.dll
O20 - Winlogon Notify: qopmjgd - I:\Windows\SYSTEM32\qopmjgd.dll
O20 - Winlogon Notify: vtstq - I:\Windows\system32\vtstq.dll
O20 - Winlogon Notify: winezn32 - I:\Windows\SYSTEM32\winezn32.dll

Then close all windows except HijackThis and click Fix Checked

Restart

Use windows explorer to find and delete these files:

I:\Windows\system32\vtstq.dll
I:\Windows\system32\qopmjgd.dll
I:\Windows\SYSTEM32\winezn32.dll

Now post a new HijackThis log
User avatar
random/random
Developer
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Unread postby fig » June 13th, 2007, 9:08 pm

I'm still getting a bunch of random popups...I don't understand

Logfile of HijackThis v1.99.1
Scan saved at 9:06:36 PM, on 6/13/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
I:\Windows\system32\Dwm.exe
I:\Windows\SOUNDMAN.EXE
I:\Windows\System32\rundll32.exe
I:\Program Files\Windows Sidebar\sidebar.exe
I:\Windows\ehome\ehtray.exe
i:\PROGRA~1\mcafee.com\agent\mcagent.exe
I:\Windows\System32\rundll32.exe
i:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
I:\Program Files\Windows Media Player\wmpnscfg.exe
I:\Windows\ehome\ehmsas.exe
I:\Windows\system32\taskeng.exe
I:\Program Files\Windows Sidebar\sidebar.exe
I:\Windows\system32\rundll32.exe
I:\Windows\system32\SearchFilterHost.exe
I:\Windows\system32\SearchProtocolHost.exe
I:\Windows\explorer.exe
I:\Windows\system32\rundll32.exe
I:\Program Files\HijackThis\random.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {22EE158B-1E54-4A96-86AD-C69484A9F26B} - I:\Windows\system32\vtstq.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - I:\Windows\system32\qvyjgeml.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - i:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - i:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - i:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" I:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" I:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" I:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "I:\Windows\system32\raexviri.dll",realset
O4 - HKCU\..\Run: [Sidebar] I:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] I:\Windows\ehome\ehTray.exe
O10 - Unknown file in Winsock LSP: i:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: i:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: vtstq - I:\Windows\system32\vtstq.dll
O20 - Winlogon Notify: WRNotifier - I:\Windows\SYSTEM32\WRLogonNTF.dll
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - I:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - I:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - i:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - I:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - i:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - I:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - I:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - I:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - I:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - I:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - I:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
fig
Regular Member
 
Posts: 16
Joined: June 9th, 2007, 12:08 pm

Unread postby random/random » June 14th, 2007, 12:31 pm

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 3 entries below into the top 3 boxes (one line per box):

      I:\Windows\system32\vtstq.dll
      I:\Windows\system32\qvyjgeml.dll
      I:\Windows\system32\raexviri.dll

  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
User avatar
random/random
Developer
Developer
 
Posts: 7731
Joined: December 18th, 2005, 3:30 pm

Unread postby NonSuch » June 26th, 2007, 12:03 am

Due to inactivity, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 33 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware