missashley
asked on
Spyware/Adware pop ups
I keep getting a pop-up window that says something like "I am vulnerable to the blackworm virus etc." I hit cancel and it brings me up to this website: http://www.amaena.com/securityworm2/?aid=vm_pk_wav_na_3&lid=norton. Adult Friend Finder comes up, and this web address: http://64.186.139.111/ads/3/?affid=82&cid=home
I have read other questions from other websites and this one, and have run these programs in safe mode: ewido (it removed 33 items), Ad-Aware, and SpySweeper. The only program that tracked anything was the ewido program.
I also ran HijackThis and here is the logfile. Can anyone help me in telling me what to remove to take care of this problem? It is driving me crazy. And another question: what is the best FREE virus protection to download?
Scan saved at 9:39:07 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coalfield.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
missashley,
Looks like you have Vundo. Please download VundoFix.exe to your desktop.
http://www.atribune.org/downloads/VundoFix.exe
* Double-click VundoFix.exe to extract the files
* This will create a VundoFix folder on your desktop.
* After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
* Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat
* You will first be presented with a warning and a list of forums to seek help at.
It should look like this:
Quote:
VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net
* At this point press enter one time.
* Next you will see:
Quote:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
* At this point please type the following file path (make sure to enter it exactly as below!):
o C:\WINDOWS\system32\pmnno.dll
* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* Next you will see:
Quote:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
* At this point please type the following file path (make sure to enter it exactly as below!):
o C:\WINDOWS\system32\onnmp.*
* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* The fix will run then HijackThis will open.
* In HijackThis, please place a check next to the following items and click FIX CHECKED:
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll
* After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
* Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
* Once your machine reboots please continue with the instructions below.
Then, please run this online virus scan: ActiveScan
http://www.pandasoftware.com/activescan/
Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
ASKER
I ran the smitrem.exe file in safe mode and the pop-up came back up again.
I also ran the Vundo fix in safe mode; after typing in the first file name at the prompt it asked me for the second. I did as you asked, and the cursor just dropped to the next line and kept blinking. I left it there for a while and nothing ever came up. I did remove the files you asked me to.
Scan saved at 11:27:55 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coalfield.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8F47B4F28AE9} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Here are the results from the ActiveScan:
Incident Status Location
Spyware:spyware/virtumonde Not disinfected C:\WINDOWS\SYSTEM32\ssqpp.dll
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@adultfriendfinder[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@ehg-micron.hitbox[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@mediaplex[1].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@microsofteup.112.2o7[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@realmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@searchportal.information[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@serving-sys[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@stats1.reliablestats[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@tribalfusion[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@winfixer[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@adultfriendfinder[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@ehg-micron.hitbox[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@mediaplex[1].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@microsofteup.112.2o7[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@realmedia[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@searchportal.information[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@serving-sys[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@stats1.reliablestats[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@tribalfusion[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Thompson\Cookies\thompson@winfixer[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Thompson\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Thompson\Desktop\VundoFix\VundoFix\process.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gebcd.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ssqpp.dll
I also ran the vundo fix in safe mode ; after typing in the first file name on the prompt it asked me for the second ; I did as you asked and the cursor just dropped to the next line and kept blinking I left it there for a while and nothing ever came up. I did remove the files you asked
Scan saved at 11:27:55 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.ex
C:\WINDOWS\system32\ntvdm.
C:\Program Files\Hijackthis\HijackThi
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtr
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynT
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quicks
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\Update
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAl
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaitin
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugi
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugi
O16 - DPF: {8FD68625-2346-418A-8899-6
O16 - DPF: {9600F64D-755F-11D4-A47F-0
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxde
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.ex
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NI
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrys
Here are the results from the active Scan
Incident Status Location
Spyware:spyware/virtumonde
Spyware:Cookie/adultfriend
Spyware:Cookie/Advertising
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Thompson\Cookies\
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thompson\Cookies\
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Thompson\Cookies\
Spyware:Cookie/Doubleclick
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Thompson\Cookies\
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Thompson\Cookies\
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Thompson\Cookies\
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Thompson\Cookies\
Spyware:Cookie/QuestionMar
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Thompson\Cookies\
Spyware:Cookie/Searchporta
Spyware:Cookie/Serving-sys
Spyware:Cookie/Reliablesta
Spyware:Cookie/Tribalfusio
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Thompson\Cookies\
Potentially unwanted tool:Application/Processor
Spyware:Spyware/Virtumonde
1. Vundo did not get removed. When you typed in the first path, make sure it is
C:\WINDOWS\system32\pmnno.dll
When you type in the second path, make sure it is
C:\WINDOWS\system32\onnmp.*
onnmp is the reverse of pmnno. Instead of dll after the dot, type *.
You may be able to see the instructions on this web page
http://forums.techguy.org/security/406015-solved-another-trojan-vundo-logfile.html
See the second post.
2. Also, use CCleaner to clean out your cookie files
http://www.ccleaner.com
ASKER CERTIFIED SOLUTION
The VundoFix.exe that I posted above is NOT the same vundofix.exe that you already tried.
This one is a very straightforward fix and it works.
try with
http://www.tune-up.com/
https://www.experts-exchange.com/questions/21778874/CANNOT-DELETE-UNINSTALL-MUSICMATCH-10.html#16232324
https://www.experts-exchange.com/questions/21797328/What-Is-It.html
https://www.experts-exchange.com/questions/21797314/How-To-Uninstall.html
https://www.experts-exchange.com/questions/21761816/A-question.html
BR Dushan
-------
Step 1:
-------
First of all when you start HijackThis, click on the "Open the Misc Tools section" button.
Under "System tools", click "Open process manager" button.
You should see a list of processes currently running on your comp.
Try to kill as much as possible, avoiding svchost.exe. Those which belong to the
Windows would not be able to be terminated. So don't worry. This step is
important, because this way you are shutting down any processes that could
reverse back everything you clean up.
When you have finished killing all possible processes, you should see in that list only
these processes (sorted by Image Name):
- csrss.exe
- explorer.exe
- HijackThis.exe
- lsass.exe
- services.exe
- smss.exe
- svchost.exe
- System
- System Idle Process
- winlogon.exe
and only "svchost.exe" should be repeated several times.
If you suddenly kill explorer.exe all of the icons from desktop will disappear, and
your TaskBar will be gone too, but that's not a big deal. Just press Ctrl+Alt+Del,
and Task Manager will pop up, then go to: "File -> New Task (Run...)" and type
"explorer" and click the "Open" button. That will restore your desktop back.
AFTER, and only after you have killed all the other processes, you can start the
next step. If you fail to kill all of the processes (except the above), the chance
of success is somehow lowered.
-------
Step 2:
-------
If HijackThis is started, close it and start it again. Click on the
"Do a system scan only" button, and then select the following items:
(if you manually selected that site as your start page in Internet Explorer,
then ignore the following items; otherwise select them)
R0 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
Also select these items (trojan):
O2 - BHO: DosSpecFolder Object - {3496D13A-609A-407B-B181-8
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
Now, click the "Fix checked" button (if any Windows Explorer or Internet Explorer
windows are open, close them before fixing). After the fixing has been done,
reboot your computer. When computer reboots, open HijackThis, click on the
"Do a system scan and save a logfile". Save the log to the Desktop, then connect
to the internet and upload your log to www.hijackthis.de and when you do that,
you should see a link to your log, after successful upload. Copy that link here
for further check to make sure everything went ok.
Greetings.
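As an added example (not code from any poster in this thread), here is a small Python triage script for HijackThis "O20 - Winlogon Notify" lines like the ones above: it flags entries whose DLL is missing or whose name looks like the random pmnno-style name, and builds the reversed-stem companion path (pmnno.dll to onnmp.*) that the Vundo instructions earlier in the thread tell the asker to type. The allowlist and the five-lowercase-letters heuristic are assumptions for this example, and the sample log is constructed from lines in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O20 lines from this thread (the igfxcui path is truncated in the
# thread and is left truncated here), plus an R0 line that the parser must ignore.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coalfield.com/
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxde
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# HijackThis O20 line format: O20 - Winlogon Notify: <name> - <dll path> [(file missing)]
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# Assumption for this example: names the thread itself treats as legitimate (Intel graphics).
KNOWN_GOOD_NAMES = {"igfxcui"}


@dataclass
class NotifyFinding:
    name: str
    path: str
    file_missing: bool
    reason: str
    reversed_glob: Optional[str]  # companion path to look for, only for the Vundo pattern


def reversed_companion(path: str) -> str:
    """Same directory, stem reversed, any extension: C:\\...\\pmnno.dll -> C:\\...\\onnmp.*"""
    directory, _, filename = path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    return f"{directory}\\{stem[::-1]}.*" if directory else f"{stem[::-1]}.*"


def triage_winlogon_notify(log_text: str) -> List[NotifyFinding]:
    findings = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if not m or m["name"] in KNOWN_GOOD_NAMES:
            continue
        name, path, missing = m["name"], m["path"], bool(m["missing"])
        stem = path.rpartition("\\")[2].rsplit(".", 1)[0]
        if missing:
            findings.append(NotifyFinding(name, path, True, "Notify DLL missing: orphaned entry", None))
        elif stem == name and re.fullmatch(r"[a-z]{5}", stem):
            # Heuristic (assumption): Vundo registers a short random lowercase DLL under its own name.
            findings.append(NotifyFinding(name, path, False, "random-looking DLL registered under its own name (Vundo pattern)", reversed_companion(path)))
        else:
            findings.append(NotifyFinding(name, path, False, "Notify DLL not in allowlist: review", None))
    return findings


if __name__ == "__main__":
    for f in triage_winlogon_notify(SAMPLE_LOG):
        print(f"{f.name}: {f.reason}" + (f"; also check {f.reversed_glob}" if f.reversed_glob else ""))
```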
http://www.diamondcs.com.au/
download process guard. install it and restart comp.
remove all applications in the Security tab and turn off learning mode in the Main tab. Restart the computer and only grant access to the trusted programs. This would stop all adware and popups.
ASKER
Ok I ran this http://www.atribune.org/ccount/click.php?id=4 as rpggamergirl suggested and I've not received the pop ups anymore, I haven't been on the internet a whole lot but I am gonna give it about a day to see if it comes back..I also downloaded the trial version of Panda and it removed 33 things yesterday but the pop up came back up. So hopefully it is gone for good..
Be sure to keep your computer up to date with windows update, because all
those worms and trojans you get are just exploits for a wide range of windows
bugs.
http://windowsupdate.microsoft.com/
missashley,
I have no doubt vundofix.exe got rid of your vundo infection.
One thing though, your version of java is vulnerable to vundo infection, you need to update or uninstall that version and download the latest version. Otherwise you could get re-infected with vundo almost straightaway.
Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp
ASKER
Thank you nepostojeci, will do that as well.
I would like to add that it would be wise to delete Temp files from your computer and to disable System Restore if you perform any kind of AV scan to fully ensure that the threat is removed from your system. Panda was a good choice for an AV software - Kudos!
To get rid of the popups from amaena site, you may need to run SmitRem.exe
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Boot into Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
Best wishes!