Hijack this log question...how to?

Question

I don't usually consider myself a newbie but....how do you do a Hijack this log?? Running dimension 2400 and keep getting winfixer popup  and blue screens Message Edited by gmanfan on 01-05-2006 05:26 AM

ky331 · Answer

let's 'play the odds', and assume your WinFixer problem is caused by a vundo trojan... (if not, it won't hurt anything to try this anyway):   download VirtumundoBeGone from: http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe * Save it to your Desktop* Close all running programs (including your Internet Browser)* Double-click VirtumundoBeGone.exe on the desktop* Follow the directions as indicated please be advised that this program will generate a 'BLUE SCREEN OF DEATH'... this is an expected/necessary part of the process, so don't be surprised when it happens. just reboot if your system 'jams' ********************* It's now time to report back to us: VirtumundoBeGone generated a 'log' file of its own, which it should have placed on your Desktop... please REPLY to this thread, and copy/ paste the VirtumundoBeGone log back here, along with your latest HJT log.   ***********************   Download a self-extracting copy of the latest version of HJT (HiJackThis) (version 1.99.1) from http://downloads.malwareremoval.com/hijackthis_sfx.exe     Save it to your Desktop. Double-click on the     hijackthis_sfx.exe    file, and allow it to self-extract [by clicking on UnZip] into the suggested/default folder, C:\Program Files\HijackThis   Use Windows Explorer to navigate your way into this folder, and then double click on HiJackThis. exe Click on  Do a System Scan and Save a LogFile This will automatically open NotePad Copy the entire file from NotePad:  EDIT/SelectAll, EDIT/Copy Then REPLY to this thread, and go PASTE the results here.   WARNING:  HiJack This is a VERY POWERFUL tool.  While it's  completely safe  for you to download, generate, and post your log (as described above), you should *NOT* attempt to do anything else (in particular, do NOT use it to delete/fix any entries) until you are advised to do so by a forum expert!!   Improper use of this tool can severely damage your system.   Message Edited by ky331 on 01-05-2006 09:03 AM

ky331 · Answer

your HJT log confirms the presence of a vundo trojan.

please run VirtumundoBeGone, as i suggested above.

when done, REPLY here, posting post the VBG log, as well as an updated/revised HJT log (please generate the HJT log after you run VBG).

gmanfan · Answer

Logfile of HijackThis v1.99.1
Scan saved at 6:54:27 AM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\pestpatrol\PPMCActiveDetection.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\david barden\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\system32\pmnlm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [cvrss] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.af.mil
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A587DAFF-DE03-4721-90CD-44BA8F047A03} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab
O16 - DPF: {ECB40B9A-5869-476D-9110-8E171A5929B2} (Siebel Option Pack for IE 7.5.3) - https://fsm.gd-ns.com/service_enu/16172/applets/SiebelOptionPack.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F91197B8-52DF-4C3E-9A6E-1D04D5C007CC} (Siebel Option Pack for IE 7.5.3) - https://fsm.gd-ns.com/service_enu/16172/applets/SiebelOptionPack.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\system32\pmnlm.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

gmanfan · Answer

VBG Lof

[01/05/2006, 6:46:11] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\david barden\Desktop\VirtumundoBeGone.exe" )
[01/05/2006, 6:46:19] - Detected System Information:
[01/05/2006, 6:46:19] - Windows Version: 5.1.2600, Service Pack 2
[01/05/2006, 6:46:19] - Current Username: david barden (Admin)
[01/05/2006, 6:46:19] - Windows is in NORMAL mode.
[01/05/2006, 6:46:19] - Searching for Browser Helper Objects:
[01/05/2006, 6:46:19] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[01/05/2006, 6:46:19] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/05/2006, 6:46:19] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/05/2006, 6:46:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2006, 6:46:19] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/05/2006, 6:46:19] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/05/2006, 6:46:19] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[01/05/2006, 6:46:19] - BHO 5: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} (AOL Toolbar Launcher)
[01/05/2006, 6:46:19] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/05/2006, 6:46:19] - BHO 7: {B313D637-F405-4052-AC37-E2119AB3C8F8} (MSEvents Object)
[01/05/2006, 6:46:19] - ALERT: Found MSEvents Object!
[01/05/2006, 6:46:19] - Finished Searching Browser Helper Objects
[01/05/2006, 6:46:19] - *** Detected MSEvents Object
[01/05/2006, 6:46:19] - Trying to remove MSEvents Object...
[01/05/2006, 6:46:20] -    Terminating Process: IEXPLORE.EXE
[01/05/2006, 6:46:20] -    Terminating Process: RUNDLL32.EXE
[01/05/2006, 6:46:20] -    Disabling Automatic Shell Restart
[01/05/2006, 6:46:23] -    Terminating Process: EXPLORER.EXE
[01/05/2006, 6:46:23] -    Suspending the NT Session Manager System Service
[01/05/2006, 6:46:23] -    Terminating Windows NT Logon/Logoff Manager
[01/05/2006, 6:46:23] -    Re-enabling Automatic Shell Restart
[01/05/2006, 6:46:23] -   File to disable: C:\WINDOWS\system32\pmnlm.dll
[01/05/2006, 6:46:23] - Renaming C:\WINDOWS\system32\pmnlm.dll -> C:\WINDOWS\system32\pmnlm.dll.vir
[01/05/2006, 6:46:23] - ! File rename was unsucessful.
[01/05/2006, 6:46:23] - Attempting to Deny Access to C:\WINDOWS\system32\pmnlm.dll
[01/05/2006, 6:46:25] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[01/05/2006, 6:46:25] - processed file: C:\WINDOWS\system32\pmnlm.dll

[01/05/2006, 6:46:25] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[01/05/2006, 6:46:25] -   Removing HKLM\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/05/2006, 6:46:25] -   Removing HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/05/2006, 6:46:25] -   Adding Kill Bit for ActiveX for GUID: {B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/05/2006, 6:46:25] -   Deleting ATLEvents/MSEvents Registry entries
[01/05/2006, 6:46:25] -   Removing HKLM\...\Winlogon\Notify\pmnlm
[01/05/2006, 6:46:25] - Searching for Browser Helper Objects:
[01/05/2006, 6:46:25] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[01/05/2006, 6:46:25] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/05/2006, 6:46:25] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/05/2006, 6:46:25] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/05/2006, 6:46:25] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/05/2006, 6:46:25] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/05/2006, 6:46:25] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[01/05/2006, 6:46:25] - BHO 5: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} (AOL Toolbar Launcher)
[01/05/2006, 6:46:25] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/05/2006, 6:46:25] - Finished Searching Browser Helper Objects
[01/05/2006, 6:46:25] - Finishing up...
[01/05/2006, 6:46:25] - A restart is needed.
[01/05/2006, 6:46:25] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[01/05/2006, 6:46:33] - Attempting to Restart via STOP error (Blue Screen!)

[01/06/2006, 17:01:16] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\david barden\Desktop\VirtumundoBeGone.exe" )
[01/06/2006, 17:01:20] - Detected System Information:
[01/06/2006, 17:01:20] - Windows Version: 5.1.2600, Service Pack 2
[01/06/2006, 17:01:20] - Current Username: david barden (Admin)
[01/06/2006, 17:01:20] - Windows is in NORMAL mode.
[01/06/2006, 17:01:20] - Searching for Browser Helper Objects:
[01/06/2006, 17:01:20] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[01/06/2006, 17:01:20] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/06/2006, 17:01:20] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/06/2006, 17:01:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/06/2006, 17:01:20] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/06/2006, 17:01:20] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/06/2006, 17:01:20] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[01/06/2006, 17:01:20] - BHO 5: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} (AOL Toolbar Launcher)
[01/06/2006, 17:01:20] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/06/2006, 17:01:20] - BHO 7: {B313D637-F405-4052-AC37-E2119AB3C8F8} (MSEvents Object)
[01/06/2006, 17:01:20] - ALERT: Found MSEvents Object!
[01/06/2006, 17:01:20] - Finished Searching Browser Helper Objects
[01/06/2006, 17:01:20] - *** Detected MSEvents Object
[01/06/2006, 17:01:20] - Trying to remove MSEvents Object...
[01/06/2006, 17:01:21] -    Terminating Process: IEXPLORE.EXE
[01/06/2006, 17:01:22] -    Terminating Process: RUNDLL32.EXE
[01/06/2006, 17:01:23] -    Disabling Automatic Shell Restart
[01/06/2006, 17:01:23] -    Terminating Process: EXPLORER.EXE
[01/06/2006, 17:01:23] -    Suspending the NT Session Manager System Service
[01/06/2006, 17:01:23] -    Terminating Windows NT Logon/Logoff Manager
[01/06/2006, 17:01:23] -    Re-enabling Automatic Shell Restart
[01/06/2006, 17:01:23] -   File to disable: C:\WINDOWS\system32\pmnlm.dll
[01/06/2006, 17:01:23] - Renaming C:\WINDOWS\system32\pmnlm.dll -> C:\WINDOWS\system32\pmnlm.dll.vir
[01/06/2006, 17:01:23] - ! File rename was unsucessful.
[01/06/2006, 17:01:23] - Attempting to Deny Access to C:\WINDOWS\system32\pmnlm.dll
[01/06/2006, 17:01:23] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[01/06/2006, 17:01:23] - processed file: C:\WINDOWS\system32\pmnlm.dll

[01/06/2006, 17:01:23] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[01/06/2006, 17:01:23] -   Removing HKLM\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/06/2006, 17:01:23] -   Removing HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/06/2006, 17:01:23] -   Adding Kill Bit for ActiveX for GUID: {B313D637-F405-4052-AC37-E2119AB3C8F8}
[01/06/2006, 17:01:23] -   Deleting ATLEvents/MSEvents Registry entries
[01/06/2006, 17:01:23] -   Removing HKLM\...\Winlogon\Notify\pmnlm
[01/06/2006, 17:01:23] - Searching for Browser Helper Objects:
[01/06/2006, 17:01:23] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[01/06/2006, 17:01:23] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/06/2006, 17:01:23] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/06/2006, 17:01:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/06/2006, 17:01:23] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/06/2006, 17:01:23] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/06/2006, 17:01:23] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[01/06/2006, 17:01:23] - BHO 5: {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} (AOL Toolbar Launcher)
[01/06/2006, 17:01:23] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/06/2006, 17:01:23] - Finished Searching Browser Helper Objects
[01/06/2006, 17:01:23] - Finishing up...
[01/06/2006, 17:01:23] - A restart is needed.
[01/06/2006, 17:01:23] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[01/06/2006, 17:01:34] - Attempting to Restart via STOP error (Blue Screen!)

gmanfan · Answer

HIJACK LOG

Logfile of HijackThis v1.99.1
Scan saved at 5:04:14 PM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\pestpatrol\PPMCActiveDetection.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\david barden\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [cvrss] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.af.mil
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A587DAFF-DE03-4721-90CD-44BA8F047A03} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab
O16 - DPF: {ECB40B9A-5869-476D-9110-8E171A5929B2} (Siebel Option Pack for IE 7.5.3) - https://fsm.gd-ns.com/service_enu/16172/applets/SiebelOptionPack.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F91197B8-52DF-4C3E-9A6E-1D04D5C007CC} (Siebel Option Pack for IE 7.5.3) - https://fsm.gd-ns.com/service_enu/16172/applets/SiebelOptionPack.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PestPatrol Remote - Computer Associates International, Inc. - C:\Program Files\Common Files\pestpatrol\ppRemoteService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Is this it? Did it work??? We haven't had any pop ups or anything for 2 days now! Yeah. Hopefully this worked. Thanks

ky331 · Answer

Nice work. Looks like VirtumundoBeGone successfully deactivated the bad WinFixer file. And i see you've already noticed the difference :smileyhappy:

At this point, I'm gonna try to ask someone else to step-in, to determine additional problems (if any) that you might have. Please be advised that we're very "understaffed" at the moment, so I can't make any guarantee as to when the next helper will arrive.

Good luck.

RKinner · Answer

This line looks strange:

O4 - HKCU\..\Run: [cvrss] C:\Program Files\Windows Media Player\wmplayer.exe

I don't understand why the media player should run at start - if it really is the media player.

Could I get you to submit the file for testing? Go to

http://virusscan.jotti.org/

Then press the Browse button and point it at:

C:\Program Files\Windows Media Player\wmplayer.exe

Then Submit.

I think that's all you have to dobut you should probably stop the process first. If you run HijackTHis and Open the Misc Tools Section then select Process Manager you can highlight the C:\Program Files\Windows Media Player\wmplayer.exe
and then Kill Process.

Ron

Virus & Spyware

Hijack this log question...how to?

Was this post helpful?