[Tiberius624]

WinFixer!!! AHH!!! Thanks in advance.


Logfile of HijackThis v1.99.1
Scan saved at 5:36:15 PM, on 9/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\XoftSpy\XoftSpy.exe
C:\Program Files\LeechGet 2004\LeechGet.exe
C:\Documents and Settings\Andrew\Desktop\killer\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\windows\system32\msiexec16.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\pmnli.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Stay Logged In - {B680F620-A770-468C-AE8F-918531F1B143} - C:\Program Files\Stay Logged In\Stay Logged In.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Updates] c:\windows\Updates.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [Windows Updates] c:\windows\Updates.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ANONYMIZER_SPYWAREKILLER] C:\Program Files\Anonymizer\sk\spywarekiller.exe /BOOT
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Stay Logged In - {0D9A7163-E30A-4ace-9ECB-C467E36B9DE4} - C:\Program Files\Stay Logged In\Stay Logged In.dll (file missing)
O9 - Extra 'Tools' menuitem: Show/Hide Stay Logged In - {0D9A7163-E30A-4ace-9ECB-C467E36B9DE4} - C:\Program Files\Stay Logged In\Stay Logged In.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.sigoftheweek.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmnli - C:\WINDOWS\system32\pmnli.dll

[Advertisements]

I know you guys say not to double post to bump your topic...but geeze its been almost a month, not trying to be rude, but this winfixer is very annoying and I have read all these topics about it in this forum, notthing seems to work for me, PLEASE HELP ME!!!

[Tiberius624]

I know you guys say not to double post to bump your topic...but geeze its been almost a month, not trying to be rude, but this winfixer is very annoying and I have read all these topics about it in this forum, notthing seems to work for me, PLEASE HELP ME!!!

[Tiberius624]

Nov. 24-
Went threw all the topics again, still cant seem to fix my problem. Help would be appreciated.

[skate_punk_21]

Sorry for the wait if you still need help these instructions should get ya started

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to extract the files
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning.
  It should look like this
  

  VundoFix V2.15 by Atri
  By using VundoFix you agree that you are doing so at your own risk
  Press enter to continue....
  
  

• At this point press enter one time.
  
• Next you will see:
  

  Please Type in the filepath as instructed by the forum staff
  and then press enter:

• At this point please type the following file path (make sure to enter it exactly as below!):
  • C:\WINDOWS\system32\pmnli.dll
• Press Enter to continue with the fix.
  
• Next you will see:
  

  Please type in the second filepath as instructed by the forum
  staff then press enter:

• At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\ilnmp.*
• Press Enter to continue with the fix.
• The fix will run then HijackThis will open, if it does not open automatically please open it manually.
• In HiJackThis, please place a check next to the following items and click FIX CHECKED:R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
  R3 - Default URLSearchHook is missing
  O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\pmnli.dll
  O20 - Winlogon Notify: pmnli - C:\WINDOWS\system32\pmnli.dll
• After you have fixed these items, close Hijackthis.
• Press enter to exit the program then manually reboot your computer.
• Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

[Tiberius624]

Incident Status Location

Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Andrew\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-6bb79f6a-7a6f8505.class
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Andrew\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-1b49a55a-33d0ee98.class
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Andrew\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-13580070-76b9f811.class
Possible Virus. Not disinfected C:\Documents and Settings\Andrew\Desktop\d2mod\l2uthless Ops v2.00i\Copy of l2uthless Ops v2.03\l2uthless Ops v2.03\l2uthlessUpdater.exe
Possible Virus. Not disinfected C:\Documents and Settings\Andrew\Desktop\d2mod\l2uthless Ops v2.00i\l2uthless Ops v2.02.zip[l2uthlessUpdater.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Andrew\Desktop\d2mod\l2uthless Ops v2.00i\l2uthless Ops v2.03\l2uthless Ops v2.03\l2uthlessUpdater.exe
Possible Virus. Not disinfected C:\Documents and Settings\Andrew\Desktop\d2mod\l2uthless Ops v2.00i\l2uthless Ops v2.03.zip[l2uthlessUpdater.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Andrew\Desktop\d2mod\l2uthless Ops v2.00i\l2uthlessUpdater.exe
Possible Virus. Not disinfected C:\Documents and Settings\Andrew\Desktop\d2mod\l2uthless Ops v2.00i.zip[l2uthlessUpdater.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Andrew\Desktop\junk\GUNZ Folder for GZP\Folder for GZP\antarctica.rar[antarctica.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Andrew\Desktop\junk\GUNZ Folder for GZP.zip[antarctica.exe]
Virus:Trojan Horse Not disinfected C:\Documents and Settings\Andrew\Desktop\maple\vb\EyeSpy\Client.exe
Virus:Bck/Yepesy.A Not disinfected C:\Documents and Settings\Andrew\Desktop\maple\vb\EyeSpy\Server.exe
Virus:Trojan Horse Not disinfected C:\Documents and Settings\Andrew\Desktop\maple\vb\EyeSpy.zip[Client.exe]
Virus:Bck/Yepesy.A Not disinfected C:\Documents and Settings\Andrew\Desktop\maple\vb\EyeSpy.zip[Server.exe]
Adware:Adware/SaveNow Not disinfected C:\Program Files\BearShare\Installer\saveinstwm.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3D.tmp
Adware:Adware/WUpd Not disinfected C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-500\Dc1.exe
Adware:Adware/WUpd Not disinfected C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-500\Dc2.dll
Adware:Adware/WUpd Not disinfected C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-500\Dc3.exe
Virus:Trojan Horse Not disinfected C:\removekl.exe
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\jdijhwheyx.exe
Adware:Adware/Aurora Not disinfected C:\WINDOWS\jrvspaw.exe
Virus:Bck/Yepesy.A Not disinfected C:\WINDOWS\SYSTEM\Updates.exe
Adware:Adware/StartPage.AIW Not disinfected C:\WINDOWS\SYSTEM32\mlljg.dll




Logfile of HijackThis v1.99.1
Scan saved at 5:36:38 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andrew\Desktop\killer\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\windows\system32\msiexec16.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Stay Logged In - {B680F620-A770-468C-AE8F-918531F1B143} - C:\Program Files\Stay Logged In\Stay Logged In.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Updates] c:\windows\Updates.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Windows Updates] c:\windows\Updates.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Stay Logged In - {0D9A7163-E30A-4ace-9ECB-C467E36B9DE4} - C:\Program Files\Stay Logged In\Stay Logged In.dll (file missing)
O9 - Extra 'Tools' menuitem: Show/Hide Stay Logged In - {0D9A7163-E30A-4ace-9ECB-C467E36B9DE4} - C:\Program Files\Stay Logged In\Stay Logged In.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.sigoftheweek.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmnli - C:\WINDOWS\system32\pmnli.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe







VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\pmnli.dll

The second filepath entered was C:\WINDOWS\system32\ilnmp.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 132 'smss.exe'

Error, Cannot find a process with an image name of explorer.exe


Killing PID 208 'winlogon.exe'
Killing PID 208 'winlogon.exe'
Killing PID 208 'winlogon.exe'
Killing PID 208 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\pmnli.dll Deleted sucessfully.
C:\WINDOWS\system32\ilnmp.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

[skate_punk_21]

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.


Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Stop Potentially Runnning Processes
Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):
C:\windows\system32\msiexec16.exe
c:\windows\Updates.exe


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\windows\system32\msiexec16.exe
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Windows Updates] c:\windows\Updates.exe
O4 - HKCU\..\Run: [Windows Updates] c:\windows\Updates.exe
O20 - Winlogon Notify: pmnli - C:\WINDOWS\system32\pmnli.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\windows\system32\msiexec16.exe
c:\windows\Updates.exe
C:\Documents and Settings\Andrew\Desktop\maple\vb\EyeSpy\
C:\Program Files\BearShare\Installer\saveinstwm.exe
C:\removekl.exe
C:\WINDOWS\jdijhwheyx.exe
C:\WINDOWS\jrvspaw.exe
C:\WINDOWS\SYSTEM32\mlljg.dll

Reboot your system in Normal Mode.


Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Standard
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Edited by skate_punk_21, 30 November 2005 - 08:50 PM.

[Tiberius624]

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, December 02, 2005 14:29:28
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/12/2005
Kaspersky Anti-Virus database records: 153058
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 150712
Number of viruses found: 6
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 5546 sec

Infected Object Name - Virus Name
C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-1007\Dc162.exe Infected: Backdoor.Win32.Hupigon.hk
C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-1007\Dc163.exe Infected: Backdoor.Win32.Hupigon.hk
C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-1007\Dc170.exe Infected: Trojan-Spy.Win32.VB.dd
C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-1007\Dc178.exe Infected: Trojan-Spy.Win32.VB.dd
C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-1007\Dc179.dll Infected: Trojan.Win32.Crypt.o
C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-1007\Dc180.exe Infected: Trojan-Spy.Win32.SCKeyLog.l
C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-1007\Dc181.exe/data0008 Infected: Trojan-Spy.Win32.SCKeyLog.v
C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-1007\Dc181.exe/data0009 Infected: Trojan-Spy.Win32.SCKeyLog.ac
C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-1007\Dc181.exe/data0011 Infected: Trojan-Spy.Win32.SCKeyLog.ac
C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-1007\Dc181.exe/data0012 Infected: Trojan-Spy.Win32.SCKeyLog.v
C:\RECYCLER\S-1-5-21-3183478175-1000163655-3214066754-1007\Dc181.exe Infected: Trojan-Spy.Win32.SCKeyLog.v
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP401\A0218257.exe Infected: Trojan-Spy.Win32.VB.dd

Scan process completed.

[skate_punk_21]

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! and install it.
Run CleanUp! Set the program up as follows:

• Click "Options..."
• Move the arrow down to "Custom CleanUp!"
• Put a check next to the following:
  
  
• Empty Recycle Bins
  
• Delete Cookies
  
• Delete Prefetch files
  
• Scan local drives for temporary files (Please uncheck this option)
  
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Congratulations Your Log is Clean!!

Now we have a few cleanup items...


Hidden Files/Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is DISABLED. Also make sure that the System Files and Folders are NOT showing / visible. Lastly, CHECK the Hide protected operating system files option.


System Restore
Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

-->To Turn system restore back on: Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.


Preventative Measures
This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?.

Also Consider...

• SpywareBlaster to help prevent spyware from installing in the first place.
  
• SpywareGuard to catch and block spyware before it can execute.
  
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 4 free ones available for personal use:

• ZoneAlarm
  
• Avast Antivirus/Firewall
  
• Tiny Personal Firewall
  
• OutPost Firewall

How is she running now? Any further problems? If not, Good work, and Happy Computing!