Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Please help me. Winfixer and pop ups [RESOLVED]

Started by bboydiztrak , Nov 19 2005 12:18 AM

  • This topic is locked This topic is locked

#1
bboydiztrak
Posted 19 November 2005 - 12:18 AM

bboydiztrak

    Member

  • Member
  • PipPip
  • 18 posts
oh heres my log

Logfile of HijackThis v1.99.1
Scan saved at 1:17:54 AM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
C:\Program Files\DV Series\Console\Watch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kevin\Desktop\fixing\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\snnpapi.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmnnm.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CC61292-C640-417F-8D75-59C3362F4929} - C:\WINDOWS\system32\msbc.dll (file missing)
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\awtqo.dll
O2 - BHO: (no name) - {E6F88EA3-ADD5-4CFE-81DE-0CCF31DEC2D9} - C:\WINDOWS\system32\snnpapi.dll (file missing)
O3 - Toolbar: (no name) - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyElim] srbho.exe
O4 - HKLM\..\Run: [Testimonials] ActionScr.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [Brong32] DTOURS.exe
O4 - HKCU\..\Run: [backorif] nmdllw.exe
O4 - HKCU\..\Run: [PasswdMon] Shaitan1678.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\DV Series\Console\Watch.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {98BFD494-F6AD-4794-9038-832C0654CC43} - http://pak05.picture...-US.9.2.4.0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2360632D-1873-419A-AFEF-CF5203B42F09}: NameServer = 69.50.176.156,195.225.176.31
O18 - Filter: text/html - {4EED2447-471F-4065-96BB-2D9DC384B76B} - C:\WINDOWS\system32\snnpapi.dll
O18 - Filter: text/plain - {4EED2447-471F-4065-96BB-2D9DC384B76B} - C:\WINDOWS\system32\snnpapi.dll
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\SYSTEM32\pmnnm.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
  • 0

Advertisements

#2
OwNt
Posted 19 November 2005 - 04:07 AM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, bboydiztrak.

You will need to print out these instructions for use in Safe Mode.

You have a CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run CleanUp! Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
  • 0

#3
bboydiztrak
Posted 19 November 2005 - 02:29 PM

bboydiztrak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
new log file. i still have the winfixer problem.

C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
C:\Program Files\DV Series\Console\Watch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kevin\Desktop\fixing\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmnnm.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CC61292-C640-417F-8D75-59C3362F4929} - C:\WINDOWS\system32\msbc.dll (file missing)
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\awtqo.dll
O3 - Toolbar: (no name) - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyElim] srbho.exe
O4 - HKLM\..\Run: [Testimonials] ActionScr.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [Brong32] DTOURS.exe
O4 - HKCU\..\Run: [backorif] nmdllw.exe
O4 - HKCU\..\Run: [PasswdMon] Shaitan1678.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\DV Series\Console\Watch.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {98BFD494-F6AD-4794-9038-832C0654CC43} - http://pak05.picture...-US.9.2.4.0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2360632D-1873-419A-AFEF-CF5203B42F09}: NameServer = 69.50.176.156,195.225.176.31
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\SYSTEM32\pmnnm.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
  • 0

#4
OwNt
Posted 19 November 2005 - 03:09 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, bboydiztrak.

Could I have the rest of the logs please?

Also, could you post another fresh Hijackthis log, the one you posted got cut off.
  • 0

#5
bboydiztrak
Posted 20 November 2005 - 05:04 PM

bboydiztrak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
C:\Program Files\DV Series\Console\Watch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kevin\Desktop\fixing\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmnnm.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CC61292-C640-417F-8D75-59C3362F4929} - C:\WINDOWS\system32\msbc.dll (file missing)
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\awtqo.dll
O3 - Toolbar: (no name) - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyElim] srbho.exe
O4 - HKLM\..\Run: [Testimonials] ActionScr.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [Brong32] DTOURS.exe
O4 - HKCU\..\Run: [backorif] nmdllw.exe
O4 - HKCU\..\Run: [PasswdMon] Shaitan1678.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\DV Series\Console\Watch.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {98BFD494-F6AD-4794-9038-832C0654CC43} - http://pak05.picture...-US.9.2.4.0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2360632D-1873-419A-AFEF-CF5203B42F09}: NameServer = 69.50.176.156,195.225.176.31
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\SYSTEM32\pmnnm.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe




CWS SHREDDER

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{16E92C54-71BE-4652-ABAA-C728A0F68E1D}] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{16E92C54-71BE-4652-ABAA-C728A0F68E1D}] DATAGRAM 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2360632D-1873-419A-AFEF-CF5203B42F09}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2360632D-1873-419A-AFEF-CF5203B42F09}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2810EB22-763D-4D0C-9450-64BBD1758685}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2810EB22-763D-4D0C-9450-64BBD1758685}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{531D3D38-B38F-4A40-9052-52EFBA55506B}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{531D3D38-B38F-4A40-9052-52EFBA55506B}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{766547BA-4AB0-4FED-B324-A082DCF25802}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{766547BA-4AB0-4FED-B324-A082DCF25802}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6403B7B4-AE4E-4FCD-B088-4EEC63354041}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6403B7B4-AE4E-4FCD-B088-4EEC63354041}] DATAGRAM 4


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

{166B1BCA-3F9C-11CF-8075-444553540000} [http://active.macrom...or/cabs/sw.cab]
{98BFD494-F6AD-4794-9038-832C0654CC43} [http://pak05.picture...US.9.2.4.0.cab]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macr...sh/swflash.cab]


**** Windows Services ****

[Alerter] %SystemRoot%\system32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[BITS] %SystemRoot%\system32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\system32\svchost.exe -k netsvcs
[CiSvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch
[Dhcp] %SystemRoot%\system32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\system32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\system32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[Fax] %systemroot%\system32\fxssvc.exe
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter
[ImapiService] C:\WINDOWS\system32\imapi.exe
[lanmanserver] %SystemRoot%\system32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\system32\svchost.exe -k netsvcs
[LexBceS] C:\WINDOWS\system32\LEXBCES.EXE
[LmHosts] %SystemRoot%\system32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\system32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\system32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\system32\msdtc.exe
[MSIServer] C:\WINDOWS\system32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\system32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[NetSvc] C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
[Nla] %SystemRoot%\system32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\system32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\system32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\system32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\system32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\system32\svchost.exe -k netsvcs
[RpcLocator] %SystemRoot%\system32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\system32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\system32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\system32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\system32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\system32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\system32\dllhost.exe /Processid:{A445BD1E-49EE-4607-B370-5CCA447377C4}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost -k DComLaunch
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\system32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[w32time] %SystemRoot%\system32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\system32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\system32\wbem\wmiapsrv.exe
[wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
[xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [CustomizeSearch]
SEARCH: [Default_Search_URL]
SEARCH: [SearchAssistant]
SEARCH: [SearchAssistant] http://ie.search.msn...st/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn...st/srchcust.htm


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] about:blank
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page]
IEOPT: [Default_Page_URL]
IEOPT: [FullScreen] no
IEOPT: [Use FormSuggest] no
IEOPT: [Window_Placement] ,
IEOPT: [AddToFavoritesExpanded]
IEOPT: [NotifyDownloadComplete] no
IEOPT: [FormSuggest PW Ask] no
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Default_Search_URL]
IEOPT: [Use Search Asst] no
IEOPT: [Use Custom Search URL]
IEOPT: [Search Bar]
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [Check_Associations] No
IEOPT: [Default_Page_URL] http://www.microsoft...er=6&ar=msnhome
IEOPT: [Default_Search_URL] http://www.microsoft...=ie&ar=iesearch
IEOPT: [Search Page]
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] about:blank
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Search Bar]
IEOPT: [HOMEOldSP] about:blank
IEOPT: [Use Search Asst] no
IEOPT: [Use Custom Search URL]


kaspersky scans

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, November 20, 2005 17:29:10
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 21/11/2005
Kaspersky Anti-Virus database records: 151031
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Kevin\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 10079
Number of viruses found: 4
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 397 sec

Infected Object Name - Virus Name
C:\WINDOWS\SYSTEM32\awtqo.dll Infected: Trojan.Win32.Crypt.o
C:\WINDOWS\SYSTEM32\mljge.dll Infected: Trojan-Downloader.Win32.ConHook.o
C:\WINDOWS\SYSTEM32\pmnnm.dll Infected: Trojan-Downloader.Win32.Agent.yf
C:\WINDOWS\SYSTEM32\xscan.exe/data0006 Infected: Trojan-Dropper.Win32.Agent.hy
C:\WINDOWS\SYSTEM32\xscan.exe Infected: Trojan-Dropper.Win32.Agent.hy

Scan process completed.


kaspersky scan for my computer


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, November 20, 2005 18:00:08
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 21/11/2005
Kaspersky Anti-Virus database records: 151031
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 38947
Number of viruses found: 7
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 1566 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-51cccb7c-233a98f2.class Infected: Trojan-Clicker.Win32.Spywad.b
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-c486e07-1a7589dd.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-c486e07-1a7589dd.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-c486e07-1a7589dd.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-c486e07-1a7589dd.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\WINDOWS\SYSTEM32\awtqo.dll Infected: Trojan.Win32.Crypt.o
C:\WINDOWS\SYSTEM32\mljge.dll Infected: Trojan-Downloader.Win32.ConHook.o
C:\WINDOWS\SYSTEM32\pmnnm.dll Infected: Trojan-Downloader.Win32.Agent.yf
C:\WINDOWS\SYSTEM32\xscan.exe/data0006 Infected: Trojan-Dropper.Win32.Agent.hy
C:\WINDOWS\SYSTEM32\xscan.exe Infected: Trojan-Dropper.Win32.Agent.hy

Scan process completed.





also i have no spyware protection and anti virus protection and i still have the winfixer problem
  • 0

#6
bboydiztrak
Posted 20 November 2005 - 06:59 PM

bboydiztrak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
please help me. my computer is going nuts with this winfixer stuff.
  • 0

#7
OwNt
Posted 20 November 2005 - 07:57 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, bboydiztrak.

Please print these instructions out or save them in notepad for use in Safe Mode.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please close it.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.



Please also download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\pmnnm.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\mnnmp.*
    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\awtqo.dll
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmnnm.dll
    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\awtqo.dll
    O3 - Toolbar: (no name) - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
    O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll
    O20 - Winlogon Notify: pmnnm - C:\WINDOWS\SYSTEM32\pmnnm.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log, the vundofix.txt file from the vundofix folder, and the Wareout log in your next reply.
  • 0

#8
bboydiztrak
Posted 20 November 2005 - 08:35 PM

bboydiztrak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
http://swandog46.gee.../Fixwareout.exe that link didnt work
  • 0

#9
OwNt
Posted 20 November 2005 - 08:45 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, bboydiztrak.

It seems to work for me, have you tried the one above it as well?
  • 0

#10
bboydiztrak
Posted 20 November 2005 - 09:07 PM

bboydiztrak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
http://downloads.sub.../Fixwareout.exe this link works but

http://swandog46.gee.../Fixwareout.exe this one doesnt

what should i do?
  • 0

Advertisements

#11
OwNt
Posted 20 November 2005 - 10:44 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Please use the one that works and continue with the fix exactly as directed. :tazz:
  • 0

#12
bboydiztrak
Posted 20 November 2005 - 11:46 PM

bboydiztrak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Fixwareout ver 1.003
Post this report in the forums please

Reg Entries that were deleted

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files
C:\WINDOWS\System32\xscan.exe

»»»»» Checking for older varients covered by the Rem3 tool
C:\WINDOWS\System32\openconf.exe
C:\WINDOWS\System32\opensdl.exe
C:\WINDOWS\System32\opensdl2.exe


Logfile of HijackThis v1.99.1
Scan saved at 12:45:09 AM, on 11/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
C:\Program Files\DV Series\Console\Watch.exe
C:\WINDOWS\system32\imapi.exe
C:\Documents and Settings\Kevin\Desktop\fixing\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CC61292-C640-417F-8D75-59C3362F4929} - C:\WINDOWS\system32\msbc.dll (file missing)
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\awtqo.dll
O3 - Toolbar: (no name) - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyElim] srbho.exe
O4 - HKLM\..\Run: [Testimonials] ActionScr.exe
O4 - HKCU\..\Run: [Brong32] DTOURS.exe
O4 - HKCU\..\Run: [backorif] nmdllw.exe
O4 - HKCU\..\Run: [PasswdMon] Shaitan1678.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Ulead Photo Express Calendar Checker For My Custom Edition.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 My Custom Edition\CalCheck.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\DV Series\Console\Watch.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {98BFD494-F6AD-4794-9038-832C0654CC43} - http://pak05.picture...-US.9.2.4.0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2360632D-1873-419A-AFEF-CF5203B42F09}: NameServer = 69.50.176.156,195.225.176.31
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmnnm - pmnnm.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
  • 0

#13
bboydiztrak
Posted 20 November 2005 - 11:47 PM

bboydiztrak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\pmnnm.dll

The second filepath entered was C:\WINDOWS\system32\mnnmp.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 128 'smss.exe'

Killing PID 748 'explorer.exe'
Killing PID 748 'explorer.exe'
Killing PID 748 'explorer.exe'
Killing PID 748 'explorer.exe'


Killing PID 204 'winlogon.exe'
Killing PID 204 'winlogon.exe'
Killing PID 204 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\pmnnm.dll Deleted sucessfully.
C:\WINDOWS\system32\mnnmp.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------
  • 0

#14
OwNt
Posted 21 November 2005 - 12:00 AM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, bboydiztrak.

Please print these instructions out or save them in notepad for use in Safe Mode.

Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

Please also download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about. Reboot your computer into normal windows.
  • Open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\awtqo.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\oqtwa.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\pmnnm.dll (file missing)
    O2 - BHO: (no name) - {1CC61292-C640-417F-8D75-59C3362F4929} - C:\WINDOWS\system32\msbc.dll (file missing)
    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\awtqo.dll
    O3 - Toolbar: (no name) - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - (no file)
    O4 - HKLM\..\Run: [SpyElim] srbho.exe
    O4 - HKLM\..\Run: [Testimonials] ActionScr.exe
    O4 - HKCU\..\Run: [Brong32] DTOURS.exe
    O4 - HKCU\..\Run: [backorif] nmdllw.exe
    O4 - HKCU\..\Run: [PasswdMon] Shaitan1678.exe
    O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll
    O20 - Winlogon Notify: pmnnm - pmnnm.dll (file missing)
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0

#15
bboydiztrak
Posted 21 November 2005 - 12:10 AM

bboydiztrak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Incident Status Location

Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\system32\awtqo.dll
Spyware:spyware/virtumonde No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-c486e07-1a7589dd.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-c486e07-1a7589dd.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-c486e07-1a7589dd.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-c486e07-1a7589dd.zip[Beyond.class]
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\awtqo.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\SYSTEM32\mljge.dll
Adware:Adware/Findspy No disinfected C:\WINDOWS\SYSTEM32\openconf.exe
Adware:Adware/Findspy No disinfected C:\WINDOWS\SYSTEM32\opensdl.exe
Spyware:Spyware/WareOut No disinfected C:\WINDOWS\SYSTEM32\xscan.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP