Jump to content


Photo

vundo.dll


  • This topic is locked This topic is locked
7 replies to this topic

#1 laurafe

laurafe

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 29 May 2007 - 05:48 AM

i have run spybot s&d and mcafee. mcafee keeps catching pups and trojans trying to conect to the internet, including Generic AdClicker.d; FakeAlert-I.dr; Generic Spy.b; Downloader-BCF; Downlaoder-EV. spybot s&d has deleted Avenue A, Inc.; FastClick; Win32.Agent.At; and Smithfraud-C Toolbar868 several times. following is my hijackthis file:


Logfile of HijackThis v1.99.1
Scan saved at 6:14:33 AM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142469970140
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...713/mcfscan.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,523 posts

Posted 31 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,091 posts

Posted 05 June 2007 - 09:56 AM

Hello,

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Please download Atribune's VundoFix.exe from this site:
http://www.atribune.org/ccount/click.php?id=4 and place it on your desktop.

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click YES


Once you click yes, your desktop will go blank as it starts removing
Vundo.


When completed, it will prompt that it will reboot your computer,
click OK.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.cvs report.


=*=

Your version of Java is vulnerable to these types of infections, please update.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions. <- important
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.



Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Include also the report form Dr.Web.

nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 laurafe

laurafe

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 05 June 2007 - 07:08 PM

Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Include also the report form Dr.Web.


Dr. Web Report:

mps.exe;c:\program files\mcafee\mps;Probably BACKDOOR.Trojan;Incurable.Will be moved after reboot.;
j5231539.dll;c:\windows\system32;Trojan.Click.2485;Will be cured after reboot.;
lsdysjqk.dll;c:\windows\system32;Adware.Crew;Incurable.Moved.;
winrnt32.dll;c:\windows\system32;Trojan.DownLoader.22758;Will be cured after reboot.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\AIMSUD338;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.6.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Moved.;
win1EC.tmp.exe;C:\Documents and Settings\Laura Fe Echavarria\Local Settings\Temp;Trojan.DownLoader.22225;Deleted.;
aolsetup.exe;C:\Program Files\AIM6\services\softwareUpdate\ver2_13_13_7;Probably BACKDOOR.Trojan;Incurable.Moved.;
mcinst.exe;C:\Program Files\Common Files\McAfee\Installer;Probably BACKDOOR.Trojan;Incurable.Moved.;
mps.exe;C:\Program Files\McAfee\MPS;Probably BACKDOOR.Trojan;Incurable.Will be moved after reboot.;
edfdxfub.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
libiis.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
llvhpnqx.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
mchixssj.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
pmnnm.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
tpwdiuxx.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
j5231539.dll;C:\WINDOWS\system32;Trojan.Click.2485;Will be cured after reboot.;
lsdysjqk.dll;C:\WINDOWS\system32;Adware.Crew;;
lsfnceqk.exe;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
qnxdlfgs.exe;C:\WINDOWS\system32;Trojan.Click.2485;Deleted.;
winrnt32.dll;C:\WINDOWS\system32;Trojan.DownLoader.22758;Will be cured after reboot.;
win15D6.tmp.exe;C:\WINDOWS\Temp;Trojan.Mezzia;Deleted.;
win15DE.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22225;Deleted.;
win16B3.tmp.exe;C:\WINDOWS\Temp;Trojan.Mezzia;Deleted.;
win16BC.tmp.exe;C:\WINDOWS\Temp;Trojan.DownLoader.22225;Deleted.;

------------------------------------------------------------------

VundoFix V4.2.33

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.6

Scan started at 9:56:12 AM 3/15/2006

Listing files found while scanning....


C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.bak2
C:\WINDOWS\system32\hjllm.tmp
Attempting to delete C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.bak2
C:\WINDOWS\system32\hjllm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.tmp
C:\WINDOWS\system32\hjllm.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.2

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 5:39:47 PM 6/5/2007

Listing files found while scanning....

c:\windows\system\libiis.dll
C:\WINDOWS\system32\bufxdfde.ini
C:\WINDOWS\system32\edfdxfub.dll
C:\WINDOWS\system32\llvhpnqx.dll
C:\WINDOWS\system32\mchixssj.dll
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.bak2
C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\tpwdiuxx.dll
C:\WINDOWS\system32\xxuidwpt.ini

Beginning removal...

Attempting to delete c:\windows\system\libiis.dll
c:\windows\system\libiis.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bufxdfde.ini
C:\WINDOWS\system32\bufxdfde.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\edfdxfub.dll
C:\WINDOWS\system32\edfdxfub.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\llvhpnqx.dll
C:\WINDOWS\system32\llvhpnqx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mchixssj.dll
C:\WINDOWS\system32\mchixssj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mnnmp.bak2
C:\WINDOWS\system32\mnnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\pmnnm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tpwdiuxx.dll
C:\WINDOWS\system32\tpwdiuxx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxuidwpt.ini
C:\WINDOWS\system32\xxuidwpt.ini Has been deleted!

Performing Repairs to the registry.
Done!

------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:02:52 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Documents and Settings\All Users\Application Data\mlqdmbkf.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {360A2B83-EEA8-4CB4-8C02-EF726F76D5DE} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [mlqdmbkf.exe] C:\Documents and Settings\All Users\Application Data\mlqdmbkf.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\edfdxfub.dll",realset
O4 - HKLM\..\Run: [j5231539] rundll32 C:\WINDOWS\system32\j5231539.dll sook
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142469970140
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.game...aploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...713/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: vturrqn - vturrqn.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

------------------------------------------------------------------

now there are popups for Ultamate Defender 2007 when i open the web...

thank you !

Edited by laurafe, 05 June 2007 - 07:09 PM.


#5 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,091 posts

Posted 06 June 2007 - 07:34 AM

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Please remember to uninstall all old versions of Sun Java with the Add/Remove Programs applet.
If these versions are present delete.
J2SE Runtime Environment 4.x.x
J2SE Runtime Environment 5.x.x


The lates is 1.6.x

=*=

Do you have Netpumper or Bitgrabber or BitRoll installed? If so, uninstall them via start > Settings> Control Panel > add/remove programs. This because they are bundled with the malware you are dealing with (swizzor aka lop).
Also look if next are present in software > add/remove programs and uninstall them:


CiD Help / CiD Manager
Download Plugin for Internet Explorer
Zone Media


In case, during uninstall, when asked for the uninstall Verification, please enter the numbers that will appear in the window

Then reboot. Important!

After reboot,

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {360A2B83-EEA8-4CB4-8C02-EF726F76D5DE} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O4 - HKLM\..\Run: [mlqdmbkf.exe] C:\Documents and Settings\All Users\Application Data\mlqdmbkf.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\edfdxfub.dll",realset
O4 - HKLM\..\Run: [j5231539] rundll32 C:\WINDOWS\system32\j5231539.dll sook
O20 - Winlogon Notify: vturrqn - vturrqn.dll (file missing)
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.

Delete these files in bold if found.

C:\Documents and Settings\All Users\Application Data\mlqdmbkf.exe
C:\WINDOWS\system32\edfdxfub.dll
C:\WINDOWS\system32\j5231539.dll


Restart the computer again.

* Download Deljob.exe and save it on your desktop.
Doubleclick Deljob.exe.


A log, (logit.txt) should open afterwards. This log will be present on your desktop
Post the contents of the logfile in your next reply together with a new Hijackthis log.


Let me know what problem remains.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#6 laurafe

laurafe

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 09 June 2007 - 05:25 PM

all previous java versions were deleted and only Java™ SE Runtime Environment 6 Update 1 is listed in the add/remove programs applet.

Netpumper, Bitgrabber, nor BitRoll were found to be installed. Also, CiD Help / CiD Manager, Download Plugin for Internet Explorer, nor Zone Media were present.

Once rebooted, I ran HijackThis and found, checked, and fixed all files listed above.

I deleted mlqdmbkf.exe, however, edfdxfub.dll and j5231539.dll were not found.

I rebooted again and ran Deljob.exe.

The only problem I seem to be having now is that when I reboot a RUNDLL error message pops up at startup that states "error loading CTMBHA.DLL; Invalid Access to memory location".

Following are my log files:

--------------------------------------------------------
No LOP jobs found
--------------------------------------------------------
Files remaining after cleaning

McAfee.com Scan for Viruses - My Computer (LAURAFE-Laura Fe Echavarria).job
McDefragTask.job
McQcTask.job
--------------------------------------------------------
App data folders

Volume in drive C has no label.
Volume Serial Number is 9C0E-69B8

Directory of C:\Documents and Settings\Laura Fe Echavarria\Application Data

05/25/2007 08:39 AM <DIR> .
05/25/2007 08:39 AM <DIR> ..
02/09/2006 03:03 PM <DIR> acccore
04/12/2006 03:33 PM <DIR> Adobe
02/02/2007 03:39 PM <DIR> AdobeUM
04/19/2007 11:14 AM <DIR> Ahead
10/08/2006 07:03 PM <DIR> Corel
02/14/2006 09:10 PM <DIR> CORELP~1 Corel Photo Album
06/30/2006 05:16 PM <DIR> CYBERL~1 CyberLink
05/25/2007 08:39 AM <DIR> GLOBAL~1 GlobalSCAPE
02/06/2006 08:48 PM <DIR> Google
02/06/2006 08:43 PM <DIR> Gtek
08/16/2005 06:50 AM <DIR> IDENTI~1 Identities
03/11/2007 09:25 AM <DIR> Lavasoft
02/22/2006 11:01 PM <DIR> LEADER~1 Leadertech
02/08/2006 09:16 PM <DIR> MACROM~1 Macromedia
03/15/2007 03:48 PM <DIR> MICROS~1 Microsoft
10/04/2006 02:19 AM <DIR> Real
02/22/2006 11:03 PM <DIR> Sonic
02/06/2006 08:26 PM <DIR> Sun
0 File(s) 0 bytes
20 Dir(s) 53,516,845,056 bytes free
Volume in drive C has no label.
Volume Serial Number is 9C0E-69B8

Directory of C:\Documents and Settings\All Users\Application Data

06/09/2007 05:56 PM <DIR> .
06/09/2007 05:56 PM <DIR> ..
02/02/2007 06:02 PM <DIR> Adobe
03/04/2007 06:23 PM <DIR> AOL
03/04/2007 06:22 PM <DIR> AOLDOW~1 AOL Downloads
03/04/2007 06:25 PM <DIR> AOLOCP~1 AOL OCP
02/06/2006 08:33 PM <DIR> CREATI~1 Creative Labs
05/28/2007 01:23 PM <DIR> Google
05/28/2007 04:44 PM <DIR> GTek
02/06/2006 08:41 PM <DIR> INSTAL~1 InstallShield
06/05/2007 12:02 PM <DIR> McAfee
06/05/2007 09:30 AM <DIR> McAfee.com
03/11/2007 09:25 AM <DIR> MICROS~1 Microsoft
06/13/2006 08:50 PM <DIR> PopCap
02/06/2006 08:40 PM <DIR> QUICKT~1 QuickTime
06/09/2007 05:34 PM <DIR> Ringo
03/09/2006 08:33 PM <DIR> SPYBOT~1 Spybot - Search & Destroy
05/11/2007 02:40 AM <DIR> Support.com
02/25/2006 03:38 AM <DIR> WINDOW~1 Windows Genuine Advantage
06/04/2007 09:46 PM <DIR> WinZip
0 File(s) 0 bytes
20 Dir(s) 53,516,845,056 bytes free
--------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 6:08:19 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -

C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program

files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"

-start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe"

-startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common

Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_01\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -

http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.micros...b?1142469970140
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -

http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -

http://download.game...aploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -

http://download.mcaf...713/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative

Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. -

C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common

Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common

files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. -

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. -

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. -

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program

Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program

Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


Thank you, once again, for all your help. :thumbsup:

#7 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,091 posts

Posted 10 June 2007 - 07:32 AM

Nice Work your log is clean.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
http://users.telenet...prevention.html

The error message with CTMBHA.DLL is probably due to a corrupt file or you need the newer version. It's Related to Creative_Audigy line of sound cards from Creative Technology Ltd. If you have the installation disk for your Sound card see you can replace the file on your computer. If the problem remains then you would need a new version.


You can fix this item with HijackThis and then restart the computer.
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon

The error will stop but you may loose some functionnality with the Sound Card. In any event it's not presently loading.
Do you have any current problems with your sound card? If not then fix it. Some people thing that it's not required.


You can always restore the item if fixing it give you some problem with the sound.
Open HijackThis. In the bottom right click on Config | Backups then highlight the entry and click on restore
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#8 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,091 posts

Posted 21 June 2007 - 09:06 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button