• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1047
  • Last Modified:

Spyware/Adware pop ups

I keep getting a pop up window that says something like " I am vulnerable to the blackworm virus etc'', I hit cancel and it brings me up to this website'' http://www.amaena.com/securityworm2/?aid=vm_pk_wav_na_3&lid=norton, adult friend finder comes up and this webaddress http://64.186.139.111/ads/3/?affid=82&cid=home

i have read other questions from other websites and this one and have ran these programs in safe mode ; ewido (it removed 33 items) ; ad-aware ; spysweeper ; the only program that tracked anything was the ewido program .

I also ran hijack this and here is the logfile ; can anyone help me in telling me what to remove to take care of this problem, it is driving me crazy . And another question ; what is the best FREE virus protection to download?

Scan saved at 9:39:07 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coalfield.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

0
missashley
Asked:
missashley
  • 3
  • 3
  • 3
  • +4
1 Solution
 
war1Commented:
Greetings, missashley !

To get rid of the popups from amaena site, you may need to run SmitRem.exe
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Boot into Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Best wishes!
0
 
war1Commented:
missashley,

Looks like you have Vundo.  Please download VundoFix.exe to your desktop.
http://www.atribune.org/downloads/VundoFix.exe

    * Double-click VundoFix.exe to extract the files
    * This will create a VundoFix folder on your desktop.
    * After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    * Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
    * You will first be presented with a warning and a list of forums to seek help at.
      it should look like this
      Quote:
      VundoFix V2.1 by Atri
      By pressing enter you agree that you are using this at your own risk
      Please seek assistance at one of the following forums:
      http://www.atribune.org/forums
      http://www.247fixes.com/forums
      http://www.geekstogo.com/forum
      http://forums.net-integration.net
    * At this point press enter one time.
    * Next you will see:
      Quote:
      Type in the filepath as instructed by the forum staff
      Then Press Enter, Then F6, Then Enter Again to continue with the fix.
    * At this point please type the following file path (make sure to enter it exactly as below!):
          o C:\WINDOWS\system32\pmnno.dll
    * Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    * Next you will see:
      Quote:
      Please type in the second filepath as instructed by the forum staff
      Then Press Enter, Then F6, Then Enter Again to continue with the fix.
    * At this point please type the following file path (make sure to enter it exactly as below!):
          o C:\WINDOWS\system32\onnmp.*
    * Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    * The fix will run then HijackThis will open.
    * In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll

    * After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
    * Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
    * Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan
http://www.pandasoftware.com/activescan/

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.


0
 
missashleyAuthor Commented:
I ran the smitrem.exe file in safe mode and the pop up came back up again.

I also ran the vundo fix in safe mode ; after typing in the first file name on the prompt it asked me for the second ; I did as you asked and the cursor just dropped to the next line and kept blinking I left it there for a while and nothing ever came up. I did remove the files you asked

Scan saved at 11:27:55 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coalfield.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Here are the results from the active Scan
Incident                                                                        Status                        Location                                                                                                                                                                                                                                                        

Spyware:spyware/virtumonde                                                      Not disinfected               C:\WINDOWS\SYSTEM32\ssqpp.dll                                                                                                                                                                                                                                  
Spyware:Cookie/adultfriendfinder                                                Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@adultfriendfinder[1].txt                                                                                                                                                                                    
Spyware:Cookie/Advertising                                                      Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@advertising[2].txt                                                                                                                                                                                          
Spyware:Cookie/Apmebf                                                           Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@apmebf[1].txt                                                                                                                                                                                              
Spyware:Cookie/Atlas DMT                                                        Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@atdmt[2].txt                                                                                                                                                                                                
Spyware:Cookie/Atwola                                                           Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@atwola[1].txt                                                                                                                                                                                              
Spyware:Cookie/Doubleclick                                                      Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@doubleclick[1].txt                                                                                                                                                                                          
Spyware:Cookie/Hitbox                                                           Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@ehg-micron.hitbox[1].txt                                                                                                                                                                                    
Spyware:Cookie/Hitbox                                                           Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@hitbox[1].txt                                                                                                                                                                                              
Spyware:Cookie/Mediaplex                                                        Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@mediaplex[1].txt                                                                                                                                                                                            
Spyware:Cookie/Microsofte                                                       Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@microsofteup.112.2o7[1].txt                                                                                                                                                                                
Spyware:Cookie/QuestionMarket                                                   Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@questionmarket[2].txt                                                                                                                                                                                      
Spyware:Cookie/RealMedia                                                        Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@realmedia[1].txt                                                                                                                                                                                            
Spyware:Cookie/Searchportal                                                     Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@searchportal.information[1].txt                                                                                                                                                                            
Spyware:Cookie/Serving-sys                                                      Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@serving-sys[2].txt                                                                                                                                                                                          
Spyware:Cookie/Reliablestats                                                    Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@stats1.reliablestats[2].txt                                                                                                                                                                                
Spyware:Cookie/Tribalfusion                                                     Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@tribalfusion[1].txt                                                                                                                                                                                        
Spyware:Cookie/WinFixer                                                         Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@winfixer[2].txt                                                                                                                                                                                            
Spyware:Cookie/adultfriendfinder                                                Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@adultfriendfinder[1].txt                                                                                                                                                                                    
Spyware:Cookie/Advertising                                                      Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@advertising[2].txt                                                                                                                                                                                          
Spyware:Cookie/Apmebf                                                           Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@apmebf[1].txt                                                                                                                                                                                              
Spyware:Cookie/Atlas DMT                                                        Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@atdmt[2].txt                                                                                                                                                                                                
Spyware:Cookie/Atwola                                                           Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@atwola[1].txt                                                                                                                                                                                              
Spyware:Cookie/Doubleclick                                                      Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@doubleclick[1].txt                                                                                                                                                                                          
Spyware:Cookie/Hitbox                                                           Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@ehg-micron.hitbox[1].txt                                                                                                                                                                                    
Spyware:Cookie/Hitbox                                                           Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@hitbox[1].txt                                                                                                                                                                                              
Spyware:Cookie/Mediaplex                                                        Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@mediaplex[1].txt                                                                                                                                                                                            
Spyware:Cookie/Microsofte                                                       Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@microsofteup.112.2o7[1].txt                                                                                                                                                                                
Spyware:Cookie/QuestionMarket                                                   Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@questionmarket[2].txt                                                                                                                                                                                      
Spyware:Cookie/RealMedia                                                        Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@realmedia[1].txt                                                                                                                                                                                            
Spyware:Cookie/Searchportal                                                     Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@searchportal.information[1].txt                                                                                                                                                                            
Spyware:Cookie/Serving-sys                                                      Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@serving-sys[2].txt                                                                                                                                                                                          
Spyware:Cookie/Reliablestats                                                    Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@stats1.reliablestats[2].txt                                                                                                                                                                                
Spyware:Cookie/Tribalfusion                                                     Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@tribalfusion[1].txt                                                                                                                                                                                        
Spyware:Cookie/WinFixer                                                         Not disinfected               C:\Documents and Settings\Thompson\Cookies\thompson@winfixer[2].txt                                                                                                                                                                                            
Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\Documents and Settings\Thompson\Desktop\smitRem\Process.exe                                                                                                                                                                                                  
Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\Documents and Settings\Thompson\Desktop\VundoFix\VundoFix\process.exe                                                                                                                                                                                        
Spyware:Spyware/Virtumonde                                                      Not disinfected               C:\WINDOWS\system32\gebcd.dll                                                                                                                                                                                                                                  
Spyware:Spyware/Virtumonde                                                      Not disinfected               C:\WINDOWS\system32\ssqpp.dll                                                                                                                                                                                                                                  
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
war1Commented:
1. Vundo did not get removed.  When you typed in the first path, make sure it is

C:\WINDOWS\system32\pmnno.dll

When you type in the second path, make sure it is

C:\WINDOWS\system32\onnmp.*

opnmp is the reverse of pmnno.  Instead of dll after the dot, type *.

You may be able see the instructions on this web page
http://forums.techguy.org/security/406015-solved-another-trojan-vundo-logfile.html

See the second post.

2. Also, use CCleaner to clean out your cookies files
http://www.ccleaner.com
0
 
rpggamergirlCommented:
Hi missashley,

This is what you need to do.

 Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying vundofix will close and re-open in a minute or less.
Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
0
 
rpggamergirlCommented:
The VundoFix.exe that I posted above is NOT the same vundofix.exe that you already tried.
This one is very straightforward fix and it works.
0
 
nepostojeci_emailCommented:

-------
Step 1:
-------

First of all when you start HijackThis, click on the "Open the Misc Tools section" button.
Under "System tools", click "Open process manager" button.
You should see a list of processes currently running on your comp.
Try to kill as much as possible, avoiding svchost.exe. Those which belong to the
Windows would not be able to be terminated. So don't worry. This step is
important, because this way you are shutting down any processes that could
reverse back everything you clean up.

When you have finnished killing all possible processes, you should see in that list only
these processes (sorted by Image Name):
- csrss.exe
- explorer.exe
- HijackThis.exe
- lsass.exe
- services.exe
- smss.exe
- svchost.exe
- System
- System Idle Process
- winlogon.exe
and only "svchost.exe" should be repeated several times.

If you suddenly kill explorer.exe all of the icons from desktop will dissapear, and
your TaskBar will be gone too, but that's not a big deal. Just press Ctrl+Alt+Del,
and Task Manager will pop up, then go to: "File -> New Task (Run...)" and type
"explorer" and click the "Open" button. That will restore your desktop back.

AFTER, and only after you have killed all the other processes, you can start the
next step. If you fail to kill all of the processes (except the above), the chance
of success is somehow lowered.


-------
Step 2:
-------

If HijackThis is started, close it and start it again. Click on the
"Do a system scan only" button, and then select the following items:

(if you manually selected the site to be your start page in Internet Explorer
then ignore the following items, otherwise select it)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coalfield.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

Also select these items (trojan):
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Now, click the "Fix checked" button (if any Windows Explorer or Internet Explorer
windows are open, close them before fixing). After the fixing has been done,
reboot your computer. When computer reboots, open HijackThis, click on the
"Do a system scan and save a logfile". Save the log to the Desktop, then connect
to the internet and upload your log to www.hijackthis.de and when you do that,
you should see a link to your log, after successful upload. Copy that link here
for further check to make sure everything went ok.

Greetings.
0
 
ignitionflameCommented:
http://www.diamondcs.com.au/

download process guard. install it and restart comp.
remove all applications in Security tab and take off learning mode in Main tab. restart computer and only grant access to the trusted programs. This would stop all adwares and popups.
0
 
missashleyAuthor Commented:
Ok I ran this http://www.atribune.org/ccount/click.php?id=4 as rpggamergirl suggested and Ive not received the pop ups anymore, I haven't been on the internet a whole lot but I am gonna give it about a day to see if it comes back..I also downloaded the trial version of Panda and it removed 33 things Yesterday but the pop up came back up. So hopefully it is gone for good..
0
 
nepostojeci_emailCommented:
Be sure to keep your computer up to date with windows update, because all
those worms and trojans you get are just exploits for a wide range of windows
bugs.

http://windowsupdate.microsoft.com/
0
 
rpggamergirlCommented:
missashley,
I have no doubt vundofix.exe got rid of your vundo infection.
One thing though, your version of java is vulnerable to vundo infection, you need to update or uninstall that version and download the latest version. Otherwise you could get re-infected with vundo almost straightaway.

Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp
0
 
missashleyAuthor Commented:
Thank you nepostojeci, will do that as well.
0
 
Vittorio301Commented:
I would like to add that it would be wise to delet Temp files from your computer and to disable system restore if you perform any kind of AV scan to fully ensure that the threat is removed off your system.  Panda was a good choice for an AV software - Kudos!
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

  • 3
  • 3
  • 3
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now