missashley asked:

Spyware/Adware pop ups

I keep getting a pop up window that says something like "I am vulnerable to the blackworm virus, etc." I hit cancel and it brings me to this website: http://www.amaena.com/securityworm2/?aid=vm_pk_wav_na_3&lid=norton; adult friend finder comes up, and this web address: http://64.186.139.111/ads/3/?affid=82&cid=home

I have read other questions from other websites and this one, and have run these programs in safe mode: ewido (it removed 33 items), Ad-Aware, SpySweeper. The only program that tracked anything was the ewido program.

I also ran HijackThis and here is the logfile. Can anyone help me by telling me what to remove to take care of this problem? It is driving me crazy. And another question: what is the best FREE virus protection to download?

Scan saved at 9:39:07 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coalfield.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

war1

Greetings, missashley !

To get rid of the popups from amaena site, you may need to run SmitRem.exe
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Boot into Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Best wishes!

missashley,

Looks like you have Vundo.  Please download VundoFix.exe to your desktop.
http://www.atribune.org/downloads/VundoFix.exe

    * Double-click VundoFix.exe to extract the files
    * This will create a VundoFix folder on your desktop.
    * After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    * Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
    * You will first be presented with a warning and a list of forums to seek help at.
      It should look like this:
      Quote:
      VundoFix V2.1 by Atri
      By pressing enter you agree that you are using this at your own risk
      Please seek assistance at one of the following forums:
      http://www.atribune.org/forums
      http://www.247fixes.com/forums
      http://www.geekstogo.com/forum
      http://forums.net-integration.net
    * At this point press enter one time.
    * Next you will see:
      Quote:
      Type in the filepath as instructed by the forum staff
      Then Press Enter, Then F6, Then Enter Again to continue with the fix.
    * At this point please type the following file path (make sure to enter it exactly as below!):
          o C:\WINDOWS\system32\pmnno.dll
    * Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    * Next you will see:
      Quote:
      Please type in the second filepath as instructed by the forum staff
      Then Press Enter, Then F6, Then Enter Again to continue with the fix.
    * At this point please type the following file path (make sure to enter it exactly as below!):
          o C:\WINDOWS\system32\onnmp.*
    * Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
    * The fix will run then HijackThis will open.
    * In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll

    * After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
    * Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
    * Once your machine reboots please continue with the instructions below.

Then, please run this online virus scan: ActiveScan
http://www.pandasoftware.com/activescan/

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.


missashley (ASKER)

I ran the smitrem.exe file in safe mode and the pop up came back up again.

I also ran the Vundo fix in safe mode; after typing in the first file name at the prompt it asked me for the second. I did as you asked and the cursor just dropped to the next line and kept blinking. I left it there for a while and nothing ever came up. I did remove the files you asked.

Scan saved at 11:27:55 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coalfield.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Here are the results from the ActiveScan:

Incident                                         Status           Location

Spyware:spyware/virtumonde                       Not disinfected  C:\WINDOWS\SYSTEM32\ssqpp.dll
Spyware:Cookie/adultfriendfinder                 Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@adultfriendfinder[1].txt
Spyware:Cookie/Advertising                       Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@advertising[2].txt
Spyware:Cookie/Apmebf                            Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@apmebf[1].txt
Spyware:Cookie/Atlas DMT                         Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@atdmt[2].txt
Spyware:Cookie/Atwola                            Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@atwola[1].txt
Spyware:Cookie/Doubleclick                       Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@doubleclick[1].txt
Spyware:Cookie/Hitbox                            Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@ehg-micron.hitbox[1].txt
Spyware:Cookie/Hitbox                            Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@hitbox[1].txt
Spyware:Cookie/Mediaplex                         Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@mediaplex[1].txt
Spyware:Cookie/Microsofte                        Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@microsofteup.112.2o7[1].txt
Spyware:Cookie/QuestionMarket                    Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@questionmarket[2].txt
Spyware:Cookie/RealMedia                         Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@realmedia[1].txt
Spyware:Cookie/Searchportal                      Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@searchportal.information[1].txt
Spyware:Cookie/Serving-sys                       Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@serving-sys[2].txt
Spyware:Cookie/Reliablestats                     Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@stats1.reliablestats[2].txt
Spyware:Cookie/Tribalfusion                      Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@tribalfusion[1].txt
Spyware:Cookie/WinFixer                          Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@winfixer[2].txt
Spyware:Cookie/adultfriendfinder                 Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@adultfriendfinder[1].txt
Spyware:Cookie/Advertising                       Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@advertising[2].txt
Spyware:Cookie/Apmebf                            Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@apmebf[1].txt
Spyware:Cookie/Atlas DMT                         Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@atdmt[2].txt
Spyware:Cookie/Atwola                            Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@atwola[1].txt
Spyware:Cookie/Doubleclick                       Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@doubleclick[1].txt
Spyware:Cookie/Hitbox                            Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@ehg-micron.hitbox[1].txt
Spyware:Cookie/Hitbox                            Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@hitbox[1].txt
Spyware:Cookie/Mediaplex                         Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@mediaplex[1].txt
Spyware:Cookie/Microsofte                        Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@microsofteup.112.2o7[1].txt
Spyware:Cookie/QuestionMarket                    Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@questionmarket[2].txt
Spyware:Cookie/RealMedia                         Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@realmedia[1].txt
Spyware:Cookie/Searchportal                      Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@searchportal.information[1].txt
Spyware:Cookie/Serving-sys                       Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@serving-sys[2].txt
Spyware:Cookie/Reliablestats                     Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@stats1.reliablestats[2].txt
Spyware:Cookie/Tribalfusion                      Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@tribalfusion[1].txt
Spyware:Cookie/WinFixer                          Not disinfected  C:\Documents and Settings\Thompson\Cookies\thompson@winfixer[2].txt
Potentially unwanted tool:Application/Processor  Not disinfected  C:\Documents and Settings\Thompson\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor  Not disinfected  C:\Documents and Settings\Thompson\Desktop\VundoFix\VundoFix\process.exe
Spyware:Spyware/Virtumonde                       Not disinfected  C:\WINDOWS\system32\gebcd.dll
Spyware:Spyware/Virtumonde                       Not disinfected  C:\WINDOWS\system32\ssqpp.dll

1. Vundo did not get removed.  When you typed in the first path, make sure it is

C:\WINDOWS\system32\pmnno.dll

When you type in the second path, make sure it is

C:\WINDOWS\system32\onnmp.*

onnmp is the reverse of pmnno.  Instead of dll after the dot, type *.

You may be able to see the instructions on this web page
http://forums.techguy.org/security/406015-solved-another-trojan-vundo-logfile.html

See the second post.

2. Also, use CCleaner to clean out your cookies files
http://www.ccleaner.com

ASKER CERTIFIED SOLUTION
rpggamergirl

The VundoFix.exe that I posted above is NOT the same vundofix.exe that you already tried.
This one is a very straightforward fix and it works.

-------
Step 1:
-------

First of all when you start HijackThis, click on the "Open the Misc Tools section" button.
Under "System tools", click "Open process manager" button.
You should see a list of processes currently running on your comp.
Try to kill as much as possible, avoiding svchost.exe. Those which belong to
Windows would not be able to be terminated. So don't worry. This step is
important, because this way you are shutting down any processes that could
reverse back everything you clean up.

When you have finished killing all possible processes, you should see in that list only
these processes (sorted by Image Name):
- csrss.exe
- explorer.exe
- HijackThis.exe
- lsass.exe
- services.exe
- smss.exe
- svchost.exe
- System
- System Idle Process
- winlogon.exe
and only "svchost.exe" should be repeated several times.

If you suddenly kill explorer.exe all of the icons from desktop will disappear, and
your TaskBar will be gone too, but that's not a big deal. Just press Ctrl+Alt+Del,
and Task Manager will pop up, then go to: "File -> New Task (Run...)" and type
"explorer" and click the "Open" button. That will restore your desktop back.

AFTER, and only after you have killed all the other processes, you can start the
next step. If you fail to kill all of the processes (except the above), the chance
of success is somewhat lowered.


-------
Step 2:
-------

If HijackThis is started, close it and start it again. Click on the
"Do a system scan only" button, and then select the following items:

(if you manually selected the site to be your start page in Internet Explorer
then ignore the following items, otherwise select them)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coalfield.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

Also select these items (trojan):
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Now, click the "Fix checked" button (if any Windows Explorer or Internet Explorer
windows are open, close them before fixing). After the fixing has been done,
reboot your computer. When computer reboots, open HijackThis, click on the
"Do a system scan and save a logfile". Save the log to the Desktop, then connect
to the internet and upload your log to www.hijackthis.de and when you do that,
you should see a link to your log, after successful upload. Copy that link here
for further check to make sure everything went ok.

Greetings.
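A small triage script for the two things the posts above keep pointing at: the same DLL registered as both an O2 BHO and an O20 Winlogon Notify handler (the Vundo pairing, pmnno.dll here), the reversed-name companion file VundoFix asks for as its second path (onnmp.*), and the stale "(file missing)" notify entry. This is an added example, not part of the thread and not a feature of HijackThis or VundoFix; the sample lines are constructed from the thread's own log and the heuristics are the example's own.

```python
"""Triage a HijackThis log for the Vundo/Virtumonde pattern discussed in this thread.

Added example: the log lines below are constructed from the thread's own log; the
heuristics are this example's, not a feature of HijackThis or VundoFix.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: O2 and O20 lines taken from the HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass(frozen=True)
class Finding:
    line: str       # the HijackThis line to tick under "Fix checked"
    path: str       # the DLL the line points at
    reason: str     # why it was flagged
    companion: str  # full path of the reversed-name companion Vundo drops, "" if none


def dll_name(path: str) -> str:
    """Lower-cased file name of a Windows path, so SYSTEM32 and system32 compare equal."""
    return PureWindowsPath(path).name.lower()


def reversed_companion(path: str) -> str:
    """Vundo drops a second file whose name is the first one's name reversed
    (pmnno.dll -> onnmp.*); this is the glob VundoFix asks for as its second path."""
    return PureWindowsPath(path).stem[::-1] + ".*"


def companion_path(path: str) -> str:
    """Same directory as the flagged DLL, reversed-name glob in place of the file name."""
    return str(PureWindowsPath(path).with_name(reversed_companion(path)))


def parse(log_text: str):
    """Split a HijackThis log into (line, path) BHO entries and
    (line, path, missing) Winlogon Notify entries; other sections are ignored."""
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bhos.append((line, m["path"]))
        elif m := O20_RE.match(line):
            notifies.append((line, m["path"], m["missing"] is not None))
    return bhos, notifies


def triage(log_text: str) -> list[Finding]:
    """Flag what the thread's fix targets:
    - a Winlogon Notify DLL that is also registered as a BHO (the Vundo pairing:
      the notify hook re-creates the BHO if only one side is removed), and
    - a Winlogon Notify entry whose DLL no longer exists (stale, harmless to remove).
    Legitimate BHOs (Acrobat, Google Toolbar) and Intel's igfxcui hook are not flagged."""
    bhos, notifies = parse(log_text)
    bho_by_dll: dict[str, list[tuple[str, str]]] = {}
    for line, path in bhos:
        bho_by_dll.setdefault(dll_name(path), []).append((line, path))

    findings: list[Finding] = []
    for line, path, missing in notifies:
        if missing:
            findings.append(Finding(line, path, "Winlogon Notify handler whose DLL is gone (stale entry)", ""))
            continue
        name = dll_name(path)
        if name in bho_by_dll:
            findings.append(Finding(line, path, "Winlogon Notify DLL also registered as a BHO (Vundo pattern)",
                                    companion_path(path)))
            for bline, bpath in bho_by_dll[name]:
                findings.append(Finding(bline, bpath, "BHO sharing its DLL with a Winlogon Notify handler (Vundo pattern)",
                                        companion_path(bpath)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    tick in HijackThis: {f.line}")
        if f.companion:
            print(f"    second path for VundoFix: {f.companion}")
```

Run against the thread's full log it flags exactly the two pmnno.dll lines the posts tell the asker to fix, plus the dead WRNotifier entry, and prints C:\WINDOWS\system32\onnmp.* as the companion glob.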

http://www.diamondcs.com.au/

Download Process Guard, install it and restart your comp.
Remove all applications in the Security tab and turn off learning mode in the Main tab. Restart the computer and only grant access to the trusted programs. This would stop all adware and popups.

OK, I ran this http://www.atribune.org/ccount/click.php?id=4 as rpggamergirl suggested and I've not received the pop ups anymore. I haven't been on the internet a whole lot but I am gonna give it about a day to see if it comes back. I also downloaded the trial version of Panda and it removed 33 things yesterday but the pop up came back up. So hopefully it is gone for good.

Be sure to keep your computer up to date with Windows Update, because all
those worms and trojans you get are just exploits for a wide range of windows
bugs.

http://windowsupdate.microsoft.com/

missashley,
I have no doubt vundofix.exe got rid of your vundo infection.
One thing though: your version of Java is vulnerable to Vundo infection; you need to update or uninstall that version and download the latest version. Otherwise you could get re-infected with Vundo almost straightaway.

Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp

Thank you nepostojeci, will do that as well.

I would like to add that it would be wise to delete temp files from your computer and to disable System Restore if you perform any kind of AV scan, to fully ensure that the threat is removed from your system.  Panda was a good choice for AV software - Kudos!