WinFixer ! Pls help


  • This topic is locked

#1
jimbono


    New Member

  • Member
  • Pip
  • 5 posts
Hi Guys!!!

First off, let me thank you all guys for doing a great job... Keep up the spirit...
:tazz: :)

This is my first post in this forum. Lately, I am having the Winfixer problem on my laptop. I have all the tools: Spybot S&D, Spyware Blaster, SpywareGuard, etc. I have checked thoroughly with these tools. But still the Winfixer window opens up sometimes. Don't know what to do from here.

Any help will be greatly appreciated and thanks in advance for all your help. I have dumped my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:47:42 AM, on 9/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Winamp\winampa.exe
C:\Utils\ZoneAlarm\zlclient.exe
C:\Utils\Eraser\historyeraser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\explorer.exe
C:\Utils\Anti-Spyware\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Utils\LeechGet 2004\LeechGet.exe
C:\Utils\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Utils\Anti-Spyware\SpywareGuard\dlprotect.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\pmnll.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {98FCA3EA-933D-18B4-03AD-5F6D4271CA3D} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Download - {777D0B4C-75C9-4874-ABFF-80B4BE8DC532} - C:\Program Files\Download Toolbar\IEBand2.dll
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Utils\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [HD] C:\Utils\Jvw History Eraser and IE Panic 1.0 Trial\Hd.cmd
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Utils\Eraser\historyeraser.exe" /stealt
O8 - Extra context menu item: Download using LeechGet - file://C:\Utils\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Utils\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Utils\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Save To Gallery - res://C:\Program Files\Download Toolbar\IEBand2.dll/DownloadToGallery.htm
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.vikatan.com/tdserver.cab
O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll
O20 - Winlogon Notify: WB - C:\MACOSG~1\WINDOW~1\WINDOW~1\fastload.dll
O23 - Service: Ensemble [ENSEMBLE] (Cache_c-_ensemblesys) - Unknown owner - c:\ensemblesys\bin\cservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Please help me out guys!!

Thanks,
jimbono
  • 0



#2
g2i2r4


    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome to Geeks to Go!

I am currently reviewing your log, and will post back with instructions shortly.
  • 0

#3
g2i2r4


    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome jimbono to Geeks to Go!

Please print these instructions out for use in Safe Mode.

Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box and/or Uncheck Resident.
Close Spybot.

***

Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on SpyKiller
  • Click on Delete this entry
  • Click "Yes"
Close HijackThis.

***

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    It should look like this:

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\pmnll.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\llnmp.*
    This will be the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll, you would have the user enter odnuv.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\pmnll.dll

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {98FCA3EA-933D-18B4-03AD-5F6D4271CA3D} - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

    O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll
  • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death". This is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install Cleanup from here (Alternate site if the above is not working, go Here)

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0
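Added example, not part of g2i2r4's post or of VundoFix: a short Python parser for the HijackThis entries quoted in this thread. It picks out a DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20), derives the reversed-name pattern asked for at the second VundoFix prompt, and checks a follow-up log for leftovers. The function names are hypothetical, and the two samples are excerpts of the logs posted in this topic.

```python
import ntpath
import re

# Excerpts of the first and second HijackThis logs posted in this topic.
BEFORE = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\pmnll.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll
O20 - Winlogon Notify: WB - C:\MACOSG~1\WINDOW~1\WINDOW~1\fastload.dll
"""

AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [HD] C:\Utils\Jvw History Eraser and IE Panic 1.0 Trial\Hd.cmd
O20 - Winlogon Notify: WB - C:\MACOSG~1\WINDOW~1\WINDOW~1\fastload.dll
"""

# A HijackThis entry starts with a section code such as R1, O2 or O20.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.+)$")


def parse_log(text):
    """Return (section_code, body) pairs for every R*/O* line in a log."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def target(body):
    """Last ' - ' separated field of an entry: a file path or '(no file)'."""
    return body.rsplit(" - ", 1)[-1].strip()


def bho_notify_overlap(entries):
    """Files loaded both as a BHO (O2) and as a Winlogon Notify package (O20).

    This is a triage heuristic, not a verdict: it only says the same file
    has two independent load points, as pmnll.dll does in the first log.
    """
    bho = {target(b).lower(): target(b) for c, b in entries if c == "O2"}
    notify = {target(b).lower() for c, b in entries if c == "O20"}
    return sorted(p for key, p in bho.items()
                  if key in notify and key != "(no file)")


def reversed_companion(path):
    """Wildcard for the companion file: same folder, file stem reversed."""
    folder, name = ntpath.split(path)
    stem, _ext = ntpath.splitext(name)
    return ntpath.join(folder, stem[::-1] + ".*")


def orphans(entries):
    """Entries whose registered file no longer exists on disk."""
    return [f"{c} - {b}" for c, b in entries if b.endswith("(no file)")]


def remaining(entries, needle):
    """Entries that still mention `needle` (case-insensitive)."""
    return [f"{c} - {b}" for c, b in entries if needle.lower() in b.lower()]


if __name__ == "__main__":
    before, after = parse_log(BEFORE), parse_log(AFTER)
    for dll in bho_notify_overlap(before):
        print("BHO + Winlogon Notify:", dll)
        print("  companion pattern:  ", reversed_companion(dll))
        print("  still in second log:", remaining(after, ntpath.basename(dll)))
    print("orphaned entries:", *orphans(before), sep="\n  ")
```
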

#4
jimbono


    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi g2i2r4,

Thanks for your immediate reply. I am in the process of doing all that you have asked me to do.

It might take a while since I don't have a printer in my home and I have to write them down and then do all of them.

Will respond to you as soon as I am done with that.

Again, thanks for coming to my rescue...

Will reply soon

Thanks,
jimbono
  • 0

#5
g2i2r4


    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
You may want to copy it to a notepad file then.

In safe mode you can open the notepad file and follow the instructions.
  • 0

#6
jimbono


    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi g2i2r4,

Here are the results

ACTIVESCAN LOG:

Incident Status Location

Spyware:spyware/bridge No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\bridge.inf
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\biini.inf
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32a.sys
Spyware:spyware/altnet No disinfected C:\PROGRAM FILES\Altnet
Adware:adware/topmoxie No disinfected C:\PROGRAM FILES\couponsandoffers
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/myway No disinfected C:\PROGRAM FILES\MyWay
Adware:adware/quicksearch No disinfected C:\PROGRAM FILES\QuickSearch
Adware:adware/blazefind No disinfected Windows Registry
Virus:W32/Lentin.R Disinfected Hotmail\Inbox\The world of Friendship\world_of_friendship.scr
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Vidhya\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-7271642a-5145c6af.zip[Beyond.class]
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\a.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\b.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\ba.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bb.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bd.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\be.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\bf.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bg.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\bh.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bi.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bj.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\bk.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bl.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bm.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bn.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\bo.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\bp.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bq.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\br.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bs.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bt.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bu.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bv.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bw.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bx.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\by.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\bz.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\c.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\ca.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cb.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cd.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\ce.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cf.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cg.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\ch.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\ci.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cj.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\ck.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cl.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cm.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cn.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\co.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cp.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\cq.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\cr.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cs.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\ct.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cu.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cv.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\cx.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\cz.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\d.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\da.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\db.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\dc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\dd.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\de.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\df.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\di.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\dl.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\dn.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\dp.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\dr.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\ds.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\dt.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\du.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\dv.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\dw.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\dy.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\dz.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\ed.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\f.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\h.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\i.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\j.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\l.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\m.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\n.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\p.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\q.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\r.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\s.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\t.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\u.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\w.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\couponsandoffers\System\Code\x.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\couponsandoffers\System\Code\y.class
Spyware:Spyware/New.net No disinfected C:\Program Files\FileSubmit\My Light In Darkness\NNEZTA388.exe
Adware:Adware/QuickSearch No disinfected C:\Program Files\FileSubmit\My Light In Darkness\TBEZA127Q.exe
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\LimeShop.exe
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\a.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\bf.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bq.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\bs.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dm.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\du.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dx.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\i.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\j.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\p.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\q.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\s.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\t.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\u.class
Adware:Adware/QuickSearch No disinfected C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
Adware:Adware/WUpd No disinfected C:\Program Files\support.com\backup\CD\CD2B013Bd01\24712_56bd76541_[CD2B013Bd01]
Adware:Adware/NetPals No disinfected C:\WINDOWS\iNetPal\m3tsp8.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\biini.inf
Adware:Adware/Startpage.FG No disinfected C:\WINDOWS\system32\mtwirl.dll

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:37:06 PM, on 9/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Winamp\winampa.exe
C:\Utils\ZoneAlarm\zlclient.exe
C:\Utils\Eraser\historyeraser.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Logitech\Video\AlbumDB2.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\Utils\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Utils\Anti-Spyware\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Download - {777D0B4C-75C9-4874-ABFF-80B4BE8DC532} - C:\Program Files\Download Toolbar\IEBand2.dll
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Utils\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [HD] C:\Utils\Jvw History Eraser and IE Panic 1.0 Trial\Hd.cmd
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [SPSTEALT] "C:\Utils\Eraser\historyeraser.exe" /stealt
O8 - Extra context menu item: Download using LeechGet - file://C:\Utils\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Utils\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Utils\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Save To Gallery - res://C:\Program Files\Download Toolbar\IEBand2.dll/DownloadToGallery.htm
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.vikatan.com/tdserver.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WB - C:\MACOSG~1\WINDOW~1\WINDOW~1\fastload.dll
O23 - Service: Ensemble [ENSEMBLE] (Cache_c-_ensemblesys) - Unknown owner - c:\ensemblesys\bin\cservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


VundoFix Log:


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP

V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 264 'smss.exe'
Threads [268][272][276]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP

V2.03
Copyright© 2002-2003 [email protected]
Killing PID 900 'explorer.exe'
Killing PID 900 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP

V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP

V2.03
Copyright© 2002-2003 [email protected]
Killing PID 340 'winlogon.exe'
Killing PID 340 'winlogon.exe'
Error 0x5 : Access is denied.File Deleted sucessfully.
Files Deleted sucessfully.

I wanted to tell you about a few things I encountered.

I didn't have the Resident Uncheck Teatimer box and/or Uncheck Resident since when I went to the 'Tools' dialog I saw only an 'Install' link to install the Resident tools.

Also in HijackThis V1.99.1, I couldn't find the Box that says "Uninstall Manager"- "SpyKiller". So I just closed both the programs. Would that be a problem since I didn't have these?

I appreciate your help a lot. :tazz:

Thanks,
jimbono
  • 0

#7
g2i2r4


    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Panda found a lot, let's see what you have there that may belong to the findings.
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from Notepad into your post

  • 0

#8
jimbono


    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I couldn't find SpyKiller in this list, g2i2r4.


3ivx D4 4.5.1 (remove only)
Active Ports
Ad-aware 6 Personal
Adobe Reader 6.0
Adobe SVG Viewer 3.0
All Sound Recorder 1.78
All Sound Recorder XP 2.10
AVI/MPEG/RM/WMV Joiner 4.81
BitTorrent 3.4.2
BitTorrent S-5.8.7 (SHAD0W's Experimental)
CC_ccStart
ccCommon
CleanCache 2.19
CleanUp!
CodeStuff Starter
ComcastSUPPORT
Conexant 56K ACLink Modem
Conexant AC-Link Audio
Cooxie Toolbar
DivX Player
DivX Pro
DivX User Guide
DivXG400
Download Toolbar
Dr. DivX Trial
DVD Decrypter (Remove Only)
DVD Shrink 3.2
dvd43 1.4
Ease MP3 Recorder 1.22
Easy CD & DVD Creator 6
EasyRecorder version 4.42
EclipseStyle
Encarta Online
Ensemble in C:\EnsembleSys
Express WebPictures 1.8.7.0
File Properties Changer
Free History Eraser
Free Internet TV v3.7
Google Earth Plus
Google Gmail Notifier
Google Video Viewer 1.0 (based on VLC 0.8.2 Player)
HijackThis 1.99.1
HP Deskjet Preloaded Printer Drivers
HP Photo & Imaging 3.1
HP Photo and Imaging 2.0 - Photosmart Cameras
HP PSC & OfficeJet 3.0
HP Software Update
HPIZ311
iISystem Wiper 2.3
Image Transfer
ImageMixer for Sony
ImageMixer for Sony DVD Handycam
InterVideo DVDCopy 2
InterVideo WinDVD
InterVideo WinDVD Creator 2
iQue - Detail Map Install
iQue - MapInstall and ContactLocation
iQue - Voice Prompts
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.2
LeechGet 2004 Version 1.1
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Logitech Desktop Messenger
Logitech iTouch Software
Logitech MouseWare 9.79
Logitech Print Service
Logitech QuickCam
Logitech Resource Center
MapSource - City Select North America v6
Media Library Management Wizard
Microsoft .NET Framework 1.1
Microsoft Baseline Security Analyzer 1.2.1
Microsoft Learning and Research Plus Support Files
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office Standard Edition 2003
Microsoft Picture It! Express 7.0
MicroStaff WINASPI
mIRC
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (1.0PR)
MSN Internet Software
MSN Messenger 7.0
MSN Music Assistant
MSRedist
MUSICMATCH® Jukebox
muvee autoProducer DVD Edition - HPH
Napster
Napster Burn Engine
Nero Suite
Nikon Message Center
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
NVDVD
NVIDIA Windows 2000/XP Display Drivers
OpenMG Limited Patch 3.4-04-16-16-01
OpenMG Secure Module 3.4.01
Palm Desktop for Garmin iQue 3600
Panda ActiveScan
Patin-Couffin 19
Personal License Update Wizard for Windows Media Player
Photosmart 140,240,7200,7600,7700,7900 Series
Picasa
PictureProject
Plus! MP3 Audio Converter LE
Quicken 2004
QuickSearch Toolbar
QuickTime
Real Alternative 1.22
RealPlayer Basic
RecordNow!
Roxio DVDMax Player
Roxio Easy Media Creator 7 Basic DVD Edition
SDP Downloader
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Shockwave
Skype 1.1
SnagIt 7
Sonic Foundry ACID 4.0
Sonic Update Manager
SonicStage 2.0.06
Sony DVD Architect 2.0
Sony DVD Handycam USB Driver
Sony Sound Forge 7.0
Sony USB Driver
Sony Vegas 5.0a
Spybot - Search & Destroy 1.2
SpywareBlaster v3.4
SpywareGuard v2.2
SwordSearcher Complete Bible Suite 1.43
Symantec Script Blocking Installer
SymNet
Tamil Bible 2.0
TreeSize 1.7
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Virtual Desktop Manager Powertoy for Windows XP
Visualizer Photo Resize
WebCam for MSN Messenger
Winamp (remove only)
WindowBlinds
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Bonus Pack for Windows XP
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows SR 2.0
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
WMV to AVI MPEG DVD WMV Converter 1.0.2
Yahoo! Customizations
Yahoo! Messenger
ZoneAlarm
  • 0

#9
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Ok, here comes:

Update these programs:
Firefox (now 1.06)
Spybot - Search & Destroy 1.2 (now 1.4)
Limewire (versions 4.8 and up are no longer bundled with spyware or other unwanted parasites)

***


Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on Windows SR 2.0
  • Click on Delete this entry
  • Click "Yes"
Close HijackThis.

***

Update the new Spybot to the latest definitions. Don't scan yet.

***

Update AdAware SE 1.06 to the latest definitions. Don't scan yet.

***

Please disable SpybotSD’s protection, as it may hinder the removal of the infection. You can enable it after you're clean.

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box and/or Uncheck Resident.
Close Spybot.

***

Please disable SpywareGuard, as it will stand in the way of us cleaning up:

Right-click the running icon of SpywareGuard; it will open the program.
Then go to Menu, File, Exit.
Then confirm the program is closed.
Reverse the process when you’ve carried out the advice.

***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each.

C:\Program Files\support.com\backup\CD\CD2B013Bd01\24712_56bd76541_[CD2B013Bd01]
C:\WINDOWS\inf\biini.inf
C:\WINDOWS\system32\mtwirl.dll
C:\WINDOWS\DOWNLOADED PROGRAM FILES\bridge.inf
C:\WINDOWS\smdat32a.sys

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Use Windows Explorer to remove these folders:
C:\PROGRAM FILES\Altnet
C:\PROGRAM FILES\couponsandoffers
C:\PROGRAM FILES\Lycos
C:\PROGRAM FILES\MyWay
C:\PROGRAM FILES\QuickSearch
C:\Program Files\LimeShop
C:\Program Files\QuickSearch
C:\WINDOWS\iNetPal
C:\Program Files\SpyKiller\

***

Run a scan with Spybot, remove all items found.

***

Run a scan with AdAware, remove all items found.

***

Reboot back to normal mode.
How are things now?
  • 0
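The "Delete on Reboot" step in the post above can be checked before restarting. The following is an added example, not part of the thread: it assumes Killbox queues deletions through the standard Windows `PendingFileRenameOperations` value (string pairs of source and destination, where an empty destination means delete). The function names and the sample queue contents are constructed for illustration.

```python
# Added example: audit the delete-on-reboot queue against the five paths from
# the post. Input is assumed to be the strings, in order, of the REG_MULTI_SZ
# value PendingFileRenameOperations under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager.
NT_PREFIX = "\\??\\"

TARGETS = [  # paths exactly as listed in the post
    r"C:\Program Files\support.com\backup\CD\CD2B013Bd01\24712_56bd76541_[CD2B013Bd01]",
    r"C:\WINDOWS\inf\biini.inf",
    r"C:\WINDOWS\system32\mtwirl.dll",
    r"C:\WINDOWS\DOWNLOADED PROGRAM FILES\bridge.inf",
    r"C:\WINDOWS\smdat32a.sys",
]

SAMPLE = [  # constructed queue contents, not taken from the user's machine
    "\\??\\C:\\WINDOWS\\inf\\biini.inf", "",
    "\\??\\c:\\windows\\system32\\mtwirl.dll", "",
    "\\??\\C:\\WINDOWS\\Temp\\setup.tmp", "!\\??\\C:\\WINDOWS\\system32\\example.dll",
    "\\??\\C:\\WINDOWS\\smdat32a.sys", "",
]

def _norm(path):
    """Drop the '!' replace flag and NT prefix, then case-fold for comparison."""
    path = path.lstrip("!")
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.rstrip("\\").casefold()

def parse_pending(strings):
    """Pair the strings as (source, destination); '' destination means delete."""
    strings = list(strings)
    if len(strings) % 2:          # some tools drop the final empty string
        strings.append("")
    return [(strings[i], strings[i + 1]) for i in range(0, len(strings), 2)]

def check_queue(strings, targets=TARGETS):
    """Return (queued, missing, renames) for the target paths."""
    pairs = parse_pending(strings)
    deletes = {_norm(src) for src, dst in pairs if dst == ""}
    renames = [(src, dst) for src, dst in pairs if dst != ""]
    queued = [t for t in targets if _norm(t) in deletes]
    missing = [t for t in targets if _norm(t) not in deletes]
    return queued, missing, renames

if __name__ == "__main__":
    queued, missing, renames = check_queue(SAMPLE)
    print("queued for deletion:", queued)
    print("not queued:", missing)
    print("pending renames to review:", renames)
```

Entries in the "not queued" list need to be re-queued or removed another way, and any pending rename that nobody scheduled deserves a look before the reboot.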

#10
jimbono

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi g2i2r4,

Sorry, I saw your post only today. I am at the office right now.

I will do as per your advice and reply back with the results as soon as I can.
:tazz:

Thanks a lot,
jimbono
  • 0

#11
g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Take your time, I'll be around somewhere. :tazz:


EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 30 September 2005 - 01:08 PM.

  • 0





