Winfixer / Virtumonde [RESOLVED]


#1 spindrift (New Member, 6 posts)
Hello-

The same old story...it all started with Winfixer popups. I looked around and tried something called the Virtumundo removal tool 1.2 that I found on a McAfee help forum by way of a Dell forum. It stopped the popups, but the free Panda scan showed that I still had Virtumonde. Next I found you folks and did all of the things you suggest in the "do this before posting a HijackThis log". However, the free Panda scan says that I still have Virtumonde. Any help you can give would be greatly appreciated. Thanks.

Below you'll find results from Hijack This, Ewido Security, and Panda scans:

Logfile of HijackThis v1.99.1
Scan saved at 9:40:32 PM, on 10/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Drew Minson\My Documents\Computer\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104944331578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: PRISMGNA.DLL - C:\WINDOWS\SYSTEM32\PRISMGNA.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:17:13 PM, 10/24/2005
+ Report-Checksum: 1B81A4AC

+ Scan result:

C:\Documents and Settings\Drew Minson\Cookies\drew minson@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Drew Minson\Cookies\drew minson@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Drew Minson\Cookies\drew minson@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup


::Report End

------------------------------

Incident Status Location

Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\pmnnn.dll

#2 ukbiker (Retired Staff, 2,014 posts)
Hi There

I am UKBiker and I will be helping you with this log. Let me look through it and I will post back soon.

#3 ukbiker (Retired Staff, 2,014 posts)
Hi again

Can you please check that you have nothing disabled at startup in your msconfig file. If there is, please re-enable everything, reboot and post a fresh HJT log here for me.

#4 spindrift (Topic Starter, 6 posts)
Hello and thanks for looking at my problem!

I opened the system configuration utility and under the GENERAL tab, NORMAL STARTUP is checked. Under the STARTUP tab, everything is checked. Here's the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:19:51 PM, on 10/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Drew Minson\My Documents\Computer\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104944331578
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: PRISMGNA.DLL - C:\WINDOWS\SYSTEM32\PRISMGNA.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#5 ukbiker (Retired Staff, 2,014 posts)
Hi There

It looks like the removal tool you used got rid of most of Virtumonde; sometimes, however (as in your case), there are two associated .dll files and one has been missed. Let's sort that out and see what else is lurking.


Please print these instructions out for reference.


Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

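The diagnosis above rests on two observations from the first post: the HijackThis log shows no suspicious load point, yet Panda still reports C:\WINDOWS\SYSTEM32\pmnnn.dll. The following is an added Python example (not code from this thread, from HijackThis or from any helper here) that parses the R*/O* lines of a HijackThis v1.99.1 log, applies a few assumed review rules, and reports scanner-detected files that no load point in the log references, which is exactly the "orphaned second DLL" situation. The log excerpt, the Panda line and the triage rules are constructed for the example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt of the HijackThis v1.99.1 log posted earlier in this
# thread; only a few representative lines are reproduced.
HJT_EXCERPT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O20 - Winlogon Notify: PRISMGNA.DLL - C:\WINDOWS\SYSTEM32\PRISMGNA.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# The Panda ActiveScan finding from the first post, as a constructed sample.
PANDA_REPORT = r"""
Incident Status Location
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\pmnnn.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A Windows path ending in a module/executable extension; the lazy match stops
# before a closing quote or a trailing switch such as /STARTUP.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|sys)\b', re.IGNORECASE)


@dataclass
class Entry:
    section: str          # HijackThis section code, e.g. O2, O4, O20, O23
    body: str             # text after the section code
    path: Optional[str]   # first module/executable path in the line, if any


def parse_hjt(text: str) -> List[Entry]:
    """Parse the R*/O* lines of a HijackThis log; process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        p = PATH_RE.search(m["body"])
        entries.append(Entry(m["section"], m["body"], p.group(0) if p else None))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Assumed first-pass review rules of the kind a log helper applies by hand."""
    flags = []
    for e in entries:
        if e.section == "O2" and "(no name)" in e.body:
            flags.append((e.section, "BHO with no display name; confirm CLSID and file"))
        elif e.section == "O4" and e.body.rstrip().endswith("= ?"):
            flags.append((e.section, "startup shortcut with unresolved target"))
        elif e.section == "O20":
            flags.append((e.section, "Winlogon Notify DLL loads into winlogon.exe; verify vendor"))
        elif e.section == "O23" and "Unknown owner" in e.body:
            flags.append((e.section, "service without a vendor string; verify file"))
    return flags


def unreferenced_findings(report: str, entries: List[Entry]) -> List[str]:
    """Scanner-detected files that no load point in the log references."""
    # Compare lower-cased basenames so 8.3 short names (PROGRA~1) still match.
    known = {ntpath.basename(e.path).lower() for e in entries if e.path}
    orphans = []
    for m in PATH_RE.finditer(report):
        if ntpath.basename(m.group(0)).lower() not in known:
            orphans.append(m.group(0))
    return orphans
```

A file that a scanner flags but that no load point references will not show up in the HJT log at all, which is why the helper relies on the scanner result and a delete-on-reboot step rather than on fixing a log entry.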

#6 spindrift (Topic Starter, 6 posts)
Hello-

Here are the results of the SpySweeper session log:

********
10:53 AM: | Start of Session, Monday, October 31, 2005 |
10:53 AM: Spy Sweeper started
10:53 AM: Sweep initiated using definitions version 564
10:53 AM: Starting Memory Sweep
10:54 AM: Memory Sweep Complete, Elapsed Time: 00:01:33
10:54 AM: Starting Registry Sweep
10:55 AM: Registry Sweep Complete, Elapsed Time:00:00:14
10:55 AM: Starting Cookie Sweep
10:55 AM: Found Spy Cookie: 2o7.net cookie
10:55 AM: drew minson@2o7[1].txt (ID = 1957)
10:55 AM: Found Spy Cookie: go.com cookie
10:55 AM: drew minson@abc.go[1].txt (ID = 2729)
10:55 AM: Found Spy Cookie: about cookie
10:55 AM: drew minson@about[2].txt (ID = 2037)
10:55 AM: Found Spy Cookie: yieldmanager cookie
10:55 AM: drew minson@ad.yieldmanager[1].txt (ID = 3751)
10:55 AM: Found Spy Cookie: pointroll cookie
10:55 AM: drew minson@ads.pointroll[1].txt (ID = 3148)
10:55 AM: Found Spy Cookie: atwola cookie
10:55 AM: drew minson@atwola[1].txt (ID = 2255)
10:55 AM: Found Spy Cookie: bluestreak cookie
10:55 AM: drew minson@bluestreak[1].txt (ID = 2314)
10:55 AM: Found Spy Cookie: centrport net cookie
10:55 AM: drew minson@centrport[2].txt (ID = 2374)
10:55 AM: drew minson@cnn.122.2o7[1].txt (ID = 1958)
10:55 AM: Found Spy Cookie: ru4 cookie
10:55 AM: drew minson@edge.ru4[2].txt (ID = 3269)
10:55 AM: drew minson@email.about[2].txt (ID = 2038)
10:55 AM: drew minson@forums.go[1].txt (ID = 2729)
10:55 AM: drew minson@go[2].txt (ID = 2728)
10:55 AM: Found Spy Cookie: humanclick cookie
10:55 AM: drew minson@hc2.humanclick[1].txt (ID = 2810)
10:55 AM: drew minson@msnportal.112.2o7[1].txt (ID = 1958)
10:55 AM: Found Spy Cookie: questionmarket cookie
10:55 AM: drew minson@questionmarket[1].txt (ID = 3217)
10:55 AM: Found Spy Cookie: realmedia cookie
10:55 AM: drew minson@realmedia[2].txt (ID = 3235)
10:55 AM: drew minson@rsi.abc.go[1].txt (ID = 2729)
10:55 AM: Found Spy Cookie: tvguide cookie
10:55 AM: drew minson@rsi.tvguide[1].txt (ID = 3600)
10:55 AM: Found Spy Cookie: adbureau cookie
10:55 AM: drew minson@sbuilder.adbureau[2].txt (ID = 2060)
10:55 AM: drew minson@sdc.tvguide[1].txt (ID = 3600)
10:55 AM: Found Spy Cookie: dealtime cookie
10:55 AM: drew minson@stat.dealtime[2].txt (ID = 2506)
10:55 AM: Found Spy Cookie: statcounter cookie
10:55 AM: drew minson@statcounter[1].txt (ID = 3447)
10:55 AM: Found Spy Cookie: tmpad cookie
10:55 AM: drew minson@tmpad[1].txt (ID = 3545)
10:55 AM: Found Spy Cookie: trafficmp cookie
10:55 AM: drew minson@trafficmp[2].txt (ID = 3581)
10:55 AM: Found Spy Cookie: tripod cookie
10:55 AM: drew minson@tripod[1].txt (ID = 3591)
10:55 AM: drew minson@tvguide[2].txt (ID = 3599)
10:55 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
10:55 AM: Starting File Sweep
11:03 AM: Warning: Unhandled Archive Type
11:03 AM: Warning: Unhandled Archive Type
11:04 AM: File Sweep Complete, Elapsed Time: 00:09:08
11:04 AM: Full Sweep has completed. Elapsed time 00:10:59
11:04 AM: Traces Found: 27
11:05 AM: Removal process initiated
11:05 AM: Quarantining All Traces: 2o7.net cookie
11:05 AM: Quarantining All Traces: about cookie
11:05 AM: Quarantining All Traces: adbureau cookie
11:05 AM: Quarantining All Traces: atwola cookie
11:05 AM: Quarantining All Traces: bluestreak cookie
11:05 AM: Quarantining All Traces: centrport net cookie
11:05 AM: Quarantining All Traces: dealtime cookie
11:05 AM: Quarantining All Traces: go.com cookie
11:05 AM: Quarantining All Traces: humanclick cookie
11:05 AM: Quarantining All Traces: pointroll cookie
11:05 AM: Quarantining All Traces: questionmarket cookie
11:05 AM: Quarantining All Traces: realmedia cookie
11:05 AM: Quarantining All Traces: ru4 cookie
11:05 AM: Quarantining All Traces: statcounter cookie
11:05 AM: Quarantining All Traces: tmpad cookie
11:05 AM: Quarantining All Traces: trafficmp cookie
11:05 AM: Quarantining All Traces: tripod cookie
11:05 AM: Quarantining All Traces: tvguide cookie
11:05 AM: Quarantining All Traces: yieldmanager cookie
11:05 AM: Removal process completed. Elapsed time 00:00:01
********
10:49 AM: | Start of Session, Monday, October 31, 2005 |
10:49 AM: Spy Sweeper started
10:50 AM: Your spyware definitions have been updated.
10:53 AM: | End of Session, Monday, October 31, 2005 |

#7 ukbiker (Retired Staff, 2,014 posts)
Hi There.

Please print these instructions out for reference.

1) Please download the Killbox here.
Unzip it to the desktop but do NOT run it yet.

2) Copy everything inside the quote box below and paste it into Notepad. Save it as killfiles.txt on your desktop.

C:\WINDOWS\SYSTEM32\pmnnn.dll


3) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

4) Still in Safe Mode, please run Killbox.

5) Select "Delete on Reboot".

6) Open the text file you made earlier (Killfiles.txt), and copy the file names to the clipboard by highlighting them and pressing Control-C:

7) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

8) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.



Let the system reboot

Rescan with Activescan and post the results here for me again

#8 spindrift (Topic Starter, 6 posts)
Hello-

I followed your instructions above, then ran Activescan. When the scan finished, the webpage said:
"No viruses or other malicious software have been found!"

Great! Thanks a million for your help. Is there anything else that I need to do?

Also, any thoughts on how I might have contracted this malware?

-Drew

#9 ukbiker (Retired Staff, 2,014 posts)
Hi There

It looks like that's everything dealt with, so well done. It's hard to tell where you got infected as there are so many sources for Winfixer, but it is most likely that you have clicked on a link somewhere that offered a free virus scan or security check - not all such offers are entirely above board.

This is the bit I really like:

Congratulations, your log is clean :tazz: :) :)

Just a general clean up now and we are done

Now you have to clean out your temporary files and flush your restore points:
  • Start | Run | type cleanmgr | OK
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Click "OK" to remove them.
  • Click "Yes" to confirm the deletion.
Flush System Restore.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

4. Finally Defragment your hard Drive.


So now that your PC is clean, how do you keep it that way?

The single most important measure is this: keep your copy of XP fully up to date.

After that, here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer alternatives available. Consider Firefox; however, Opera and SlimBrowser are good as well.
Glad to have been of help

#10 ukbiker (Retired Staff, 2,014 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.