Pop-ups and new tabs opening, cpu spiking at random



Armiris
2009-09-25, 02:12
My CPU has been running around 90-100% all the time, IE keeps popping up, new tabs are being opened on Netscape, and an MSI installer dialog keeps popping up randomly. I'm also automatically reconnecting to the Internet whenever I disconnect from it. I can't run McAfee to scan for viruses, and after I updated Spybot, it won't run. Here is my HijackThis log (HijackThis isn't running anymore, so this is the most recent log I can get). I tried to install ERUNT, but it's not working. I also have several dozen strange connections running when I use netstat on Command Prompt. I'll post a log of that in my next post. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 10:07:21 AM, on 9/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Me\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Cricket\Cricket Broadband\Cricket Broadband.exe

O4 - HKLM\..\Run: [pokevisan] Rundll32.exe "c:\windows\system32\fijirafo.dll",a
O17 - HKLM\System\CCS\Services\Tcpip\..\{807FCA28-6148-488D-B5C2-C3E597295EE5}: NameServer = 172.28.221.53 172.28.221.54
O20 - AppInit_DLLs: c:\windows\system32\fijirafo.dll,fewuvavu.dll
O21 - SSODL: sowiramur - {a9789da6-a3b7-4b8c-9938-c4347a29d9fa} - c:\windows\system32\fijirafo.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SMS_v3_2_0 - Unknown owner - C:\Program Files\Rosetta Stone\SMS v3.2.0hs\wrapper.exe" -s "C:\Program Files\Rosetta Stone\SMS v3.2.0hs\service\wrapper.conf (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

It went past the top of the screen, so I can't get all the connections. Here's what I could copy:


I was able to install Malwarebytes, seems that ending all McAfee processes got it to run a lot smoother. I now know I have the Vundo trojan, and Malwarebytes helped, but I still have some bits of it left. How do I remove it completely? Here is my Malwarebytes scan log, and a new HijackThis log.

Malwarebytes' Anti-Malware 1.41
Database version: 2861
Windows 5.1.2600 Service Pack 2

9/25/2009 5:55:55 PM
mbam-log-2009-09-25 (17-55-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 168898
Time elapsed: 38 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\koyitawe.dll (Trojan.Vundo) -> Delete on reboot.
c:\WINDOWS\system32\fijirafo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vebikosi.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{677cf6b1-b8da-42e0-8d2e-7d746dc7e6df} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pokevisan (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{677cf6b1-b8da-42e0-8d2e-7d746dc7e6df} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\nazavefim (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\koyitawe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\koyitawe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fijirafo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fijirafo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\fijirafo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\koyitawe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yutobayu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fewuvavu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sivakubo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vebikosi.dll (Trojan.Vundo) -> Delete on reboot.

Logfile of HijackThis v1.99.1
Scan saved at 6:00:46 PM, on 9/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Me\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O20 - AppInit_DLLs: vebikosi.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SMS_v3_2_0 - Unknown owner - C:\Program Files\Rosetta Stone\SMS v3.2.0hs\wrapper.exe" -s "C:\Program Files\Rosetta Stone\SMS v3.2.0hs\service\wrapper.conf (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
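One way a helper could triage the persistence entries in the two HijackThis logs above, as an added example that is not part of this thread or of HijackThis/Malwarebytes: it parses the O4/O20/O21 lines, ties each DLL to every persistence point it uses, and ranks them. The consonant/vowel name test is an assumption fitted to the generated names in this thread (fijirafo, koyitawe, vebikosi, pokevisan), not a general detection rule.

```python
"""Triage a HijackThis 1.99 log for the Vundo persistence points seen in this thread.

Added example (not from the thread, HijackThis or Malwarebytes); the sample lines
are copied from the logs above. Assumption: the consonant/vowel name test below
only approximates the generated names seen in this thread, not malware in general.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: O-lines copied from the two HijackThis logs in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [pokevisan] Rundll32.exe "c:\windows\system32\fijirafo.dll",a
O20 - AppInit_DLLs: c:\windows\system32\fijirafo.dll,fewuvavu.dll
O21 - SSODL: sowiramur - {a9789da6-a3b7-4b8c-9938-c4347a29d9fa} - c:\windows\system32\fijirafo.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O20 - AppInit_DLLs: vebikosi.dll
"""

# Generated names here (fijirafo, koyitawe, vebikosi, pokevisan, sowiramur, ...)
# are 8 or 9 lowercase letters strictly alternating consonant/vowel.
_GENERATED = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}[b-df-hj-np-tv-z]?$")
# A .dll/.exe reference, with or without a (space-free) drive path in front of it.
_MODULE = re.compile(r'(?i)(?:[a-z]:\\[^",\s]*\\)?([a-z0-9_~\-]+\.(?:dll|exe))')
_RUN = re.compile(r"Run:\s*\[(.*?)\]\s*(.*)")
_SSODL = re.compile(r"SSODL:\s*(.+?)\s+-\s+\{[^}]*\}\s+-\s+(.*)")


def looks_generated(name: str) -> bool:
    """True if a registry value name or file stem matches the generated pattern."""
    return bool(_GENERATED.match(name.lower()))


def _mods(text: str) -> list:
    """Lower-cased .dll/.exe names referenced in a log fragment."""
    return [x.lower() for x in _MODULE.findall(text)]


@dataclass
class Finding:
    module: str
    locations: list = field(default_factory=list)  # persistence points it uses
    reasons: list = field(default_factory=list)    # why it was flagged

    @property
    def score(self) -> int:
        """More persistence points and more reasons -> clean this one first."""
        return len(self.locations) + len(self.reasons)


def triage(log_text: str) -> dict:
    """Return {module name: Finding} built from the O4 / O20 / O21 lines of a log."""
    findings = {}

    def note(module, location, *reasons):
        f = findings.setdefault(module, Finding(module))
        if location not in f.locations:
            f.locations.append(location)
        if looks_generated(module.rsplit(".", 1)[0]):
            reasons += ("generated-looking file name",)
        for r in reasons:
            if r not in f.reasons:
                f.reasons.append(r)

    for line in log_text.splitlines():
        head, _, body = line.partition(" - ")
        if head == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into each process that links user32.dll.
            for mod in _mods(body):
                note(mod, "O20 AppInit_DLLs", "injected via AppInit_DLLs")
        elif head == "O21" and (m := _SSODL.search(body)):
            why = ["loaded by Explorer at logon"]
            if looks_generated(m[1]):
                why.append("generated-looking value name")
            for mod in _mods(m[2]):
                note(mod, "O21 SSODL", *why)
        elif head == "O4" and (m := _RUN.search(body)) and "rundll32" in m[2].lower():
            # rundll32 itself is legitimate; the DLL it is told to load is the payload.
            why = ["rundll32 used to load a DLL"]
            if looks_generated(m[1]):
                why.append("generated-looking value name")
            for mod in (x for x in _mods(m[2]) if x.endswith(".dll")):
                note(mod, "O4 Run", *why)
    return findings
```

Run on SAMPLE_LOG it ranks fijirafo.dll first because it sits in the Run key, AppInit_DLLs and SSODL at once, while mbam.exe and the McAfee service are not flagged.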

Dakeyras
2009-09-29, 14:47
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hi Armiris and welcome to Safer Networking. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Scan with GMER:

Please download GMER Rootkit Scanner from here (http://www.gmer.net/download.php).

Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.


In the right panel, you will see several boxes that have been checked. Uncheck the following ...

Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Note: Do not run any programs while Gmer is running.

Scan with RSIT:

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Make sure that RSIT.exe is on your Desktop before running the application!

Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.

Please post the contents of both log.txt and info.txt.
Note: Both logs can also be found in the folder rsit at the root of your installed hard drive, e.g. C:\rsit

When completed the above, please post back the following in the order asked for:

How is your computer performing now? Any further symptoms or problems encountered?
Gmer Log.
Both RSIT logs. <-- Post them individually please, i.e. one log per post/reply.

Dakeyras
2009-10-04, 17:25
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.