Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Yet another Trojan.Vundo victim [RESOLVED]


  • This topic is locked This topic is locked

#1
paula13

paula13

    Member

  • Member
  • PipPip
  • 11 posts
I am yet another victim of this Trojan and would greatly appreciate some help. Norton AV says the file lives at C:\WINDOWS\System32\pmnnn.dll. I have run VundoFix.exe as directed on this site, but to no avail. I have also run CCleaner, AdAware SE, Spybot S&D and have Spyware Blaster.

When I ran VundoFix, everything appeared to go as described in the directions, however my system did not automatically reboot when pressing any key after closing down HJT. I manually rebooted the system. Also, after reboot, I reran HJT and noticed that the 02 and 020 lines that I had checked to be fixed had not been removed.

Following is my HJT log and the log from VundoFix:

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 9:51:46 PM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\cmd.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092954264703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Vundofix.txt:

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 176 'smss.exe'
Threads [180]Error 0x6 : The handle is invalid. [184]Error 0x6 : The handle is invalid. [188]Error 0x6 : The handle is invalid.

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 252 'winlogon.exe'
Error 0x6 : The handle is invalid. Could not delete file.
Files Deleted sucessfully.


Thank you in advance for your help! :tazz:

Edited by paula13, 15 October 2005 - 09:01 PM.

  • 0

Advertisements


#2
Linkmaster

Linkmaster

    Visiting Staff

  • Member
  • PipPipPip
  • 940 posts
Hi paula13, Welcome to GTG !! :tazz:

Sorry for the delay in responding to your post !!

I am working on your log. As soon as a GTG Staff Member reviews my fix, I will post it for you.
Thank you for being patient.

Edited by Linkmaster, 18 October 2005 - 07:57 AM.

  • 0

#3
paula13

paula13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Linkmaster and thank you for your reply! :tazz:

I am still having trojan.vundo problems and have tried more attempts at fixing the problem, including Symantec's latest FixVundo offering from yesterday to no avail. Unfortunately, C:\WINDOWS\system32\pmnnn.dll is still hanging around.

Since somethings may have changes, I am including updated HJT and VundoFix logs:

Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 7:02:12 AM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program
Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec
Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec
Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec
Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec
Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec
Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Bar =
http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page =
http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL =
http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Bar =
http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Search Page =
http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet
Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet
Explorer\SearchURL,(Default) =
http://red.clientapp...//www.yahoo.com
R1 -
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO -
{02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program
Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object -
{827DC836-DD9F-4A68-A602-5812EB50A834} -
C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: Google Toolbar Helper -
{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class -
{BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program
Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O3 - Toolbar: Norton AntiVirus -
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program
Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google -
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AHQInit] C:\Program
Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
/P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus
C42"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [YBrowser] C:\Program
Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge]
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common
Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe
/autostart
O4 - HKLM\..\Run: [UserFaultCheck]
%systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program
Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk =
C:\Program Files\Adobe\Acrobat
7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk =
C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search -
res://c:\program
files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word
- res://c:\program
files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links -
res://c:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page
- res://c:\program
files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft
Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages -
res://c:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into
English - res://c:\program
files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login -
{2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program
Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login -
{2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program
Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger -
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program
Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program
Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com -
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! MahJong Solitaire -
http://download.game...s/y/mjst4_x.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} -
http://download.ebay.../US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
(YInstStarter Class) -
http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
(WUWebControl Class) -
http://v5.windowsupd...b?1092954264703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
(ActiveScan Installer Class) -
http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E}
(PhotosCtrl Class) -
http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479}
(EPSImageControl Class) -
http://tools.ebayimg...ol_v1-0-3-0.cab
O20 - Winlogon Notify: pmnnn -
C:\WINDOWS\system32\pmnnn.dll
O23 - Service: AOL Connectivity Service (AOL ACS) -
America Online, Inc. -
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler -
Symantec Corporation - C:\Program
Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) -
Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc)
- Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) -
Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access -
Creative Technology Ltd -
C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Gear Security Service (GEARSecurity) -
GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple
Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation -
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service
(navapsvc) - Symantec Corporation - C:\Program
Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor
Service (NPFMntor) - Symantec Corporation - C:\Program
Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) -
NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation -
C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) -
Symantec Corporation -
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service
(SNDSrvc) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation
- C:\Program Files\Common Files\Symantec
Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec
Corporation - C:\Program Files\Common Files\Symantec
Shared\Security Center\SymWSC.exe

Vundo Fix:


Command Line Process Viewer/Killer/Suspender for
Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 176 'smss.exe'
Threads [180]Error 0x6 : The handle is invalid.
[184]Error 0x6 : The handle is invalid. [188]Error 0x6
: The handle is invalid.

Command Line Process Viewer/Killer/Suspender for
Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 856 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for
Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of
rundll32.exe

Command Line Process Viewer/Killer/Suspender for
Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 256 'winlogon.exe'
Error 0x6 : The handle is invalid. Could not delete
file.
Files Deleted sucessfully.

Thanks so much for your help! - Paula
  • 0

#4
Linkmaster

Linkmaster

    Visiting Staff

  • Member
  • PipPipPip
  • 940 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Download and install CCleaner Do Not Run Yet

Download VundoFix.exe to your desktop.
Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....


At this point press enter one time.
Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.


At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\pmnnn.dll
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.


At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\nnnmp.*
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

The fix will run then HijackThis will open, if it does not open automatically please open it manually.
In HiJackThis, please place a check next to the following items : (if present)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmnnn.dll

O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll


Click on Fix Checked
Press enter to exit the program then manually reboot your computer
Once your machine reboots please continue with the instructions below.

Run CCleaner
Open CCleaner
NOTE:DO NOT USE THE ISSUES TAB!!!!

Options, Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours" (for cleaning malware files!)

Options, Settings: Check "Run CCleaner when system starts" (optional)
Options, Settings: Check "Add 'Run Cleaner' option to Recycle Bin context menu" (optional)

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Options>CustomFolders>Add Folder>Navigate to these folders (click on bold file once and hit OK) :
* C:\Windows\Temp\
* C:\Windows\Prefetch
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet\Files\ (This will delete all your cached internet content including cookies.)
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
Hit OK
In left pane, scroll down to "Advanced, Custom Folders", put a check in Custom Folders
Then click on Run Cleaner.
Put check in box to not show message again.
It will automatically clean.
Close out CCleaner.

Run Panda's ActiveScan and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder here!!
  • 0

#5
paula13

paula13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello Linkmaster and thank you so much for your help with my Trojan.Vundo problem! I have completed the steps you gave me to follow. Unfortunately, I see from my HijackThis log that I have not sucessfully removed Vundo.

When I ran through the steps for VundoFix (after entering c:\WINDOWS\system32\nnnmp.* in the second step), I got the following message "The process cannot access the file because it is being used by another process."

Following is the result of my HijackThis scan:

Logfile of HijackThis v1.99.1
Scan saved at 6:45:10 PM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\cmd.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092954264703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Following is the contents of the Vundofix.txt file:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was c:\WINDOWS\system32\pmnnn.dll

The second filepath entered was c:\WINDOWS\system32\nnnmp.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 176 'smss.exe'
Error 0x6 : The handle is invalid.
Killing PID 856 'explorer.exe'


Killing PID 256 'winlogon.exe'
Error 0x6 : The handle is invalid. --------------------------------------------------------------------------------------

Could not delete c:\WINDOWS\system32\pmnnn.dll.
c:\WINDOWS\system32\nnnmp.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

And lastly, the result of the ActiveScan:


Incident Status Location

Adware:adware/virtualbouncer No disinfected C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
Adware:adware/tvmedia No disinfected C:\Documents and Settings\Paula\Application Data\tvmcwrd.dll
Adware:adware/blazefind No disinfected Windows Registry
Spyware:Spyware/CouponAge No disinfected C:\WINDOWS\SYSTEM32\cdlsp.dll


It seems to be stubborn. Thanks again for your help. :tazz:
Paula
  • 0

#6
Linkmaster

Linkmaster

    Visiting Staff

  • Member
  • PipPipPip
  • 940 posts
Download Ewido Security Suite
Install ewido security suite
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE:During some scans with ewido it is finding cases of false positives.**See Below**[list]

**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close Ewido Security Suite.

Post the report.txt file and a new HijackThis log
  • 0

#7
paula13

paula13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello Linkmaster,

Here are the logs from Ewidow and Hijack This. Ewido found & removed 46 nasties, so that's a step in the right direction!

Ewidow Log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:09:59 PM, 10/19/2005
+ Report-Checksum: BB9A8C1C

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{49DB48FF-02B5-4645-B676-94A4DF1AA026} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{49DB48FF-02B5-4645-B676-94A4DF1AA026}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} -> Spyware.TotalVelocity : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/ObjSafe.tlb\\.Owner -> Spyware.Roimoi : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/ObjSafe.tlb\\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qudpxt9y.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qudpxt9y.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qudpxt9y.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qudpxt9y.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qudpxt9y.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qudpxt9y.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qudpxt9y.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\qudpxt9y.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp -> Spyware.Cookie.Valuead : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6E.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq70.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq73.tmp -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq74.tmp -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq75.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq77.tmp -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq78.tmp -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7A.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7B.tmp -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7D.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7E.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq81.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq82.tmp -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq83.tmp -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq84.tmp -> Spyware.Cookie.Gator : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq85.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq86.tmp -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8A.tmp -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8B.tmp -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8D.tmp -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA.tmp -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAE.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqAF.tmp -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB.tmp -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqD.tmp -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\WINDOWS\SYSTEM32\cdlsp.dll -> TrojanDownloader.Agent.br : Cleaned with backup


::Report End


Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:10:57 PM, on 10/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092954264703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thank you again for your help!

Paula
  • 0

#8
Linkmaster

Linkmaster

    Visiting Staff

  • Member
  • PipPipPip
  • 940 posts
Since we got rid a few more nasties, lets try the Vundo Fix again
(Some of these instructions you may already have but I am going to repeat then in case you deleted yours.

Download VundoFix.exe to your desktop.
Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....


At this point press enter one time.
Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.


At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\pmnnn.dll
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.


At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\nnnmp.*
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

The fix will run then HijackThis will open, if it does not open automatically please open it manually.
In HiJackThis, please place a check next to the following items : (if present)

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmnnn.dll
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll


Click on Fix Checked and reboot and post another fresh HijackThis log & the vundo.txt

Edited by Linkmaster, 20 October 2005 - 05:30 AM.

  • 0

#9
paula13

paula13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello Linkmaster,

I too thought to try VundoFix.exe again after running Ewido. Unfortunately, I had gotten the same result as previously posted here (error message after entering c:\WINDOWS\system32\nnnmp.* stating "The process cannot access the file because it is being used by another process.").

Unfortunately, I am away from that computer right now. When I return home tonight, I will run VundoFix.exe again and create a fresh Hijack This log to post.

Thank you so much for your help with this stubborn little trojan!

Paula
  • 0

#10
Linkmaster

Linkmaster

    Visiting Staff

  • Member
  • PipPipPip
  • 940 posts
(Some of these instructions you may already have but I am going to repeat then incase you deleted yours)

Download VundoFix.exe to your desktop.
Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.

Download and Install Ad-aware SE
Close ALL windows except Ad-Aware SE.
Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
Close Adaware SE

Please reboot your computer into Safe Mode.
You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode then hit enter.

Setup & Run AdAwareSE
Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:

In the General window make sure the following are selected in green:

Under Safety:
Automatically save log-file
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)

Under Definitions:
Prompt to update outdated definitions - set the number of days
Click on the ‘Scanning’ button on the left and select in green:

Under Driver, Folders & Files:
Scan Within Archives

Under Select drives & folders to scan:
Choose all hard drives

Under Memory & Registry:all green
Scan Active Processes
Scan Registry
Deep Scan Registry
Scan my IE favorites for banned URL’s
Scan my Hosts file

Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
Move deleted files to recycle bin

Under Logfile Detail Level:all green
include addtional object information
DESELECT - include negligible objects information
include environment information

Under Alternate Data Streams:
Don't log streams smaller than 0 bytes
Don't log ADS with the following names: CA_INOCULATEIT

Click the ‘Tweak’ button and select in green:

Under Scanning Engine:
Unload recognized processes during scanning
Scan registry for all users instead of current user only

Under Cleaning Engine:
Let Windows remove files in use at next reboot

Under Log Files:
Include basic Ad-aware SE settings in logfile
Include additional Ad-aware SE settings in logfile
Please do not check: Include Module list in logfile

Click on Proceed to save the settings.

Click Start

Choose Perform Full System Scan

DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

Click on Next and check all the boxes in the window

Click next and OK to remove

Close AdawareSE

Open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....


At this point press enter one time.
Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.


At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\pmnnn.dll
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.


At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\nnnmp.*
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

The fix will run then HijackThis will open, if it does not open automatically please open it manually.
In HiJackThis, please place a check next to the following items : (if present)

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmnnn.dll
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll


Click on Fix Checked and reboot and post another fresh HijackThis log & the vundo.txt
  • 0

Advertisements


#11
paula13

paula13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello Linkmaster,

I updated, configured & ran Ad-aware SE as instructed but did not come up with any bad entries. I then ran VundoFix.exe, which continues to give me the error "The process cannot access the file because it is being used by another process."

This thing just doesn't want to leave! :tazz: In any event, my Hijack This and VundoFix logs are included as requested:

Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:02:14 PM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\cmd.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmnnn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ati2dvag] C:\WINDOWS\system32\ati2dvag.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092954264703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

VundoFix.txt file:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was c:\WINDOWS\system32\pmnnn.dll

The second filepath entered was c:\WINDOWS\system32\nnnmp.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 176 'smss.exe'
Error 0x6 : The handle is invalid.
Killing PID 968 'explorer.exe'
Killing PID 968 'explorer.exe'


Killing PID 256 'winlogon.exe'
Error 0x6 : The handle is invalid. --------------------------------------------------------------------------------------

Could not delete c:\WINDOWS\system32\pmnnn.dll.
c:\WINDOWS\system32\nnnmp.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Thank you again for your help!

Paula

Edited by paula13, 20 October 2005 - 07:22 PM.

  • 0

#12
Linkmaster

Linkmaster

    Visiting Staff

  • Member
  • PipPipPip
  • 940 posts
The fix wont disable smss and winlogon, that is the reason for the error you are getting !!

Are you logged in with an Administrator account ??

If not log in as an Administrator and try the Vundofix, and HijackThis again !!
  • 0

#13
paula13

paula13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello Linkmaster,

I decided to delete the version of vundofix I had on my desktop and start with a fresh download from your post. I then booted the computer in safe mode, logged in as Administrator (I thought I had been doing this, but was absolutely sure this time). I ran Ad-aware as you had instructed in post #9 which found no bad entries. I then ran vundofix from the new file I had just downloaded, entered c:\WINDOWS\system32\pmnnn.dll at the first promp and c:\WINDOWS\system32.nnnmp.* at the second prompt. I still got the error message which states: "The process cannot access the file because it is being used by another process." I then ran Hijack This (via Vundofix) and checked the boxes beside the following lines:

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmnnn.dll

and

O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll

and clicked "Fix." Once again the lines were not deleted.

I believe I am following your directions correctly, but I am not a computer expert by any means and I greatly appreciate your help with this.

Following is the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 7:24:14 PM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\cmd.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\pmnnn.dll


O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ati2dvag] C:\WINDOWS\system32\ati2dvag.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092954264703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



VundoFix.txt file:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was c:\WINDOWS\system32\pmnnn.dll

The second filepath entered was c:\WINDOWS\system32\nnnmp.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 176 'smss.exe'
Error 0x6 : The handle is invalid.
Killing PID 852 'explorer.exe'
Killing PID 852 'explorer.exe'


Killing PID 256 'winlogon.exe'
Error 0x6 : The handle is invalid. --------------------------------------------------------------------------------------

Could not delete c:\WINDOWS\system32\pmnnn.dll.
c:\WINDOWS\system32\nnnmp.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------
  • 0

#14
Linkmaster

Linkmaster

    Visiting Staff

  • Member
  • PipPipPip
  • 940 posts

I believe I am following your directions correctly, but I am not a computer expert by any means and I greatly appreciate your help with this


This is just being stubborn :tazz: This stuff sometimes doesnt want to leave. But we will keep trying !!

Lets try this :

Download SpySweeper

Click the Download Spy Sweeper Trial link on the right under Spy Sweeper Resources to download the program.
Install it.
Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes
Once the definitions are installed, click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.

Reboot and post a new HijackThis log and the Session Log here
  • 0

#15
paula13

paula13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Linkmaster,

Good news, I think we licked this stubborn little bugger! :) I have not gotten the Norton AV popup stating I have Trojan.Vundo!!

Here is my Spy Sweeper Session Log:

********
8:53 AM: | Start of Session, Sunday, October 23, 2005 |
8:53 AM: Spy Sweeper started
8:53 AM: Sweep initiated using definitions version 560
8:53 AM: Starting Memory Sweep
8:53 AM: Warning: Failed to load image: C:\WINDOWS\system32\pmnnn.dll
8:55 AM: Found Adware: virtumonde
8:55 AM: Detected running threat: C:\WINDOWS\SYSTEM32\pmnnn.dll (ID = 77)
9:00 AM: Memory Sweep Complete, Elapsed Time: 00:07:12
9:00 AM: Starting Registry Sweep
9:01 AM: Found Adware: blazefind
9:01 AM: HKLM\software\microsoft\windows\currentversion\uninstall\windows sr 2.0\ (4 subtraces) (ID = 104552)
9:01 AM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
9:01 AM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
9:01 AM: HKCR\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (12 subtraces) (ID = 749140)
9:01 AM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
9:01 AM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
9:01 AM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (ID = 749160)
9:01 AM: HKLM\software\classes\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\ (12 subtraces) (ID = 749166)
9:01 AM: HKLM\software\classes\clsid\{827dc836-dd9f-4a68-a602-5812eb50a834}\progid\ (1 subtraces) (ID = 749172)
9:02 AM: Registry Sweep Complete, Elapsed Time:00:01:42
9:02 AM: Starting Cookie Sweep
9:02 AM: Found Spy Cookie: reliablestats cookie
9:02 AM: mike@stats1.reliablestats[2].txt (ID = 3254)
9:02 AM: Cookie Sweep Complete, Elapsed Time: 00:00:02
9:02 AM: Starting File Sweep
9:02 AM: Found Adware: winmovie dialer
9:02 AM: c:\windows\downloaded program files\conflict.1 (ID = -2147476814)
9:03 AM: Found Adware: virtualbouncer
9:03 AM: innervbinstall.log (ID = 82805)
9:03 AM: Found Adware: addestroyer
9:03 AM: inneradinstall.log (ID = 49035)
9:05 AM: Found Adware: zestyfind desktop links
9:05 AM: iconz2.exe (ID = 91157)
9:07 AM: Found Adware: media-motor
9:07 AM: backup-20040823-181342-403.inf (ID = 74136)
9:24 AM: Found Adware: tvmedia
9:24 AM: tvmuknwrd.dll (ID = 81759)
9:24 AM: tvmuknwrd.dll (ID = 81759)
9:24 AM: ppqf.tmp (ID = 51438)
9:25 AM: File Sweep Complete, Elapsed Time: 00:22:45
9:25 AM: Full Sweep has completed. Elapsed time 00:31:58
9:25 AM: Traces Found: 64
9:30 AM: Removal process initiated
9:32 AM: Quarantining All Traces: addestroyer
9:32 AM: Quarantining All Traces: blazefind
9:32 AM: Quarantining All Traces: media-motor
9:32 AM: Quarantining All Traces: tvmedia
9:32 AM: Quarantining All Traces: virtualbouncer
9:32 AM: Quarantining All Traces: virtumonde
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: virtumonde is in use. It will be removed on reboot.
9:33 AM: C:\WINDOWS\SYSTEM32\pmnnn.dll is in use. It will be removed on reboot.
9:33 AM: Quarantining All Traces: winmovie dialer
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: Quarantining All Traces: zestyfind desktop links
9:33 AM: Quarantining All Traces: reliablestats cookie
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:33 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:34 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:35 AM: BHO Shield: found: -- BHO installation denied at user request
9:36 AM: BHO Shield: found: -- BHO installation denied at user request
9:36 AM: BHO Shield: found: -- BHO installation denied at user request
9:36 AM: BHO Shield: found: -- BHO installation denied at user request
9:36 AM: BHO Shield: found: -- BHO installation denied at user request
9:36 AM: BHO Shield: found: -- BHO installation denied at user request
9:36 AM: BHO Shield: found: -- BHO installation denied at user request
9:36 AM: BHO Shield: found: -- BHO installation denied at user request
9:36 AM: BHO Shield: found: -- BHO installation denied at user request
9:36 AM: BHO Shield: found: -- BHO installation allowed at user request
9:36 AM: BHO Shield: found: -- BHO installation denied at user request
9:36 AM: Preparing to restart your computer. Please wait...
9:36 AM: Removal process completed. Elapsed time 00:05:31
********
8:50 AM: | Start of Session, Sunday, October 23, 2005 |
8:50 AM: Spy Sweeper started
8:52 AM: Your spyware definitions have been updated.
8:53 AM: | End of Session, Sunday, October 23, 2005 |


I had several popups asking if I wanted to deny a BHO installation to which I responded "yes." I hope that was the right thing to do.

Here is my Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:41:30 AM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\cmd.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_6_2_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ati2dvag] C:\WINDOWS\system32\ati2dvag.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../US/install.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1092954264703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I put a check in the box next to:

O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll (file missing)

and clicked "Fix Selected."

I then ran Hijack This again and noted that the above-mentioned O20 line did not reappear!

Thank you so much for you help with this little monster. :tazz: It has been the bane of my existance for over a week now.

Paula
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP