
I am just about to GO MAD! Trojan.Vundo.B


10 replies to this topic

#1 jonspet (New Member, 6 posts)

Posted 01 November 2005 - 02:10 PM

Ok hi! I have Trojan.Vundo.B on my computer and it is slowing every single thing on my computer down :( I did find one forum on the internet but it did not help me at all!! So I have run scans with Ad-Aware and Norton, and Norton finds it and tells me it can't be deleted because it is running with explorer.exe and winlogon.exe...! I have already run a program called fxVundoB, which is supposed to find the virus and delete it, but nothing happens and it can't find it. So what I was wondering was if I could get some help..... and whether I should download that "hijacker" application and post my logs here, because I really need help and it would be very much appreciated.



#2 jonspet (New Member, 6 posts)

Posted 01 November 2005 - 02:36 PM

Ok, well, I downloaded HijackThis and here is the log. I know that the Vundo.B file is called nnnmj.dll or something like that:


Logfile of HijackThis v1.99.1
Scan saved at 20:32:39, on 1.11.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\forrit\Norton Anti-Virus scanner\navapsvc.exe
C:\WINDOWS\Explorer.EXE
E:\forrit\Norton Anti-Virus scanner\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jónsi\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.darkthrone.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bt.is
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.rhi.hi.is:8080
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\nnnmj.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\forrit\Norton Anti-Virus scanner\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\forrit\Norton Anti-Virus scanner\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [clock] C:\WINDOWS\clock.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Advanced Tools Check] E:\forrit\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {064D665E-3903-4976-83EA-EE3D6A63E598} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {064D665E-3903-4976-83EA-EE3D6A63E598} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {107F5EFE-9255-4319-88CB-9462C9DF86B2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {107F5EFE-9255-4319-88CB-9462C9DF86B2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {2708FEAC-941F-4FD3-8A49-85ED078AB4CD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2708FEAC-941F-4FD3-8A49-85ED078AB4CD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {35FE007F-B42F-4973-A29C-E733395ED04E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {35FE007F-B42F-4973-A29C-E733395ED04E} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {40A06BB1-5B77-4FAE-A621-F963D9093793} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {40A06BB1-5B77-4FAE-A621-F963D9093793} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4B7CD476-1B9F-49B5-AF04-33EB445BA304} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B7CD476-1B9F-49B5-AF04-33EB445BA304} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {514166F4-7D43-4C86-9AB8-8615EE5D8971} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {514166F4-7D43-4C86-9AB8-8615EE5D8971} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {529405F8-554D-47B0-A6AE-ED2F9FF0A981} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {529405F8-554D-47B0-A6AE-ED2F9FF0A981} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {79278CB7-56EF-4999-8B97-83EA57B0D650} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {79278CB7-56EF-4999-8B97-83EA57B0D650} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {808A1E8E-46FF-4236-BD45-626B9B0B0334} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {808A1E8E-46FF-4236-BD45-626B9B0B0334} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8D141FD6-2513-4601-BAE7-6CE6A5D4B853} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8D141FD6-2513-4601-BAE7-6CE6A5D4B853} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B1B23768-F59A-44B4-8CD4-E86476B817D8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B1B23768-F59A-44B4-8CD4-E86476B817D8} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BA503D0F-86AD-44B9-BB00-EC689A3808C7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BA503D0F-86AD-44B9-BB00-EC689A3808C7} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C510E48F-2ADD-4D22-9F1F-8F8926BC8907} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C510E48F-2ADD-4D22-9F1F-8F8926BC8907} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {CD1525A0-686E-436D-B414-8F6003575FD5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CD1525A0-686E-436D-B414-8F6003575FD5} - (no file) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {511F9316-771B-4953-A268-1C36DA667FE9} (SponsorAdulto Class) - http://ip.sponsoradu...bTelecomInt.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102006415474
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc...Bridge-c139.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.18/ttinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: nnnmj - C:\WINDOWS\System32\nnnmj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\forrit\Norton Anti-Virus scanner\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\forrit\Norton Anti-Virus scanner\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - E:\forrit\Norton Anti-Virus scanner\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#3 Micah_6:8 (Evilware Emancipator, Authentic Member, 10,060 posts)
Interests: Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 01 November 2005 - 07:08 PM

Download L2mfix from one of these two locations:

l2mfix.exe (© Shadowwar)

l2mfix.exe (© Shadowwar)

Save the file to your desktop and <double-click> l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

<double-click> l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing <enter>.

This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy/paste the contents of that log into this thread.


IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!

#4 jonspet (New Member, 6 posts)

Posted 02 November 2005 - 01:48 AM

Ok, I did what you said and got this long message here:

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnmj]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\System32\\nnnmj.dll"
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:

(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
nnnmj.dll     Thu 2005-09-22 16:19:12  .....  528 404  516,02 K
gebyw.dll     Wed 2005-09-21  0:02:42  ..SH.   27 149   26,51 K
sirenacm.dll  Thu 2005-10-13  0:11:06  A....  118 784  116,00 K

3 items found: 3 files (1 H/S), 0 directories.
Total of file sizes: 674 337 bytes  658,53 K

Locate .tmp files:

C:\WINDOWS\SYSTEM32\
perfst~1.tmp  Mon 2005-09-26  1:17:48  A....  385 300  376,27 K

1 item found: 1 file, 0 directories.
Total of file sizes: 385 300 bytes  376,27 K
**********************************************************************************
Directory Listing of system files:
 Volume in drive C has no label.
 Volume Serial Number is 5C06-6E44

 Directory of C:\WINDOWS\System32

02.11.2005  01:40           208.678 jmnnn.ini
01.11.2005  21:42           207.512 jmnnn.bak2
22.10.2005  12:05           376.576 jmnnn.bak1
09.10.2005  12:53    <DIR>          Microsoft
21.09.2005  00:02            27.149 gebyw.dll
17.02.2005  12:23                 0 mcc.exe
17.02.2005  12:23                 0 d2kpax.exe
17.02.2005  12:23                 0 winproc32.exe
17.02.2005  12:23                 0 bridge.dll
17.02.2005  12:23                 0 a.exe
17.02.2005  12:23                 0 d2kpax.dll
17.02.2005  12:23                 0 jac.dll
17.02.2005  12:23                 0 msxslab.dll
17.02.2005  12:23                 0 cdimgdev.dll
17.02.2005  12:23                 0 ied.exe
17.02.2005  12:23                 0 msasmc18.dll
17.02.2005  12:23                 0 miniport_mp.exe
05.07.2004  19:12    <DIR>          dllcache
              16 File(s)        819.915 bytes
               2 Dir(s)  1.041.989.632 bytes free
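The checks the helper applied by hand to the logs in this thread (an O20 Winlogon Notify DLL outside the standard XP set, the same DLL registered as both an O2 BHO and a Notify package, an absolute DllName path, and System32 files named with the DLL name reversed, jmnnn.* beside nnnmj.dll), as an added Python triage script that is not part of HijackThis, L2MFix or VundoFix. The known-DLL set and the abbreviated sample input are transcribed from the L2MFix export and HijackThis log posted above; the finding labels are the script's own.

```python
"""Triage of the artefacts posted in this thread: HijackThis entry lines and the Winlogon
Notify export from the L2MFix find log. Added example, not HijackThis/L2MFix/VundoFix code."""
import re
from collections import defaultdict

# Built-in XP notification packages in the L2MFix export register a bare file name (resolved from System32).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
PATH_IN_LINE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx)\b", re.IGNORECASE)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')

def parse_hjt(text):
    """Return (section, body, lower-cased path or None) for each HijackThis entry line."""
    out = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            p = PATH_IN_LINE.search(m["body"])
            out.append((m["kind"], m["body"], p.group(0).lower() if p else None))
    return out

def triage_hjt(text):
    """Flag O20 (Winlogon Notify) DLLs outside the known set, and any DLL that is
    registered both as a BHO (O2) and as a Winlogon Notify package (O20)."""
    entries = parse_hjt(text)
    bho_dlls = {path for kind, _, path in entries if kind == "O2" and path}
    findings = []
    for kind, body, path in entries:
        if kind != "O20" or "Winlogon Notify" not in body or not path:
            continue
        if path.rsplit("\\", 1)[-1] not in KNOWN_NOTIFY_DLLS:
            findings.append(("O20 dll is not a standard notify package", path))
        if path in bho_dlls:
            findings.append(("same dll loaded as BHO and as Winlogon Notify", path))
    return findings

def reg_string(value):
    """Decode a .reg value: quoted REG_SZ, or hex(2) (REG_EXPAND_SZ as UTF-16LE octets)."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace("\\\\", "\\")
    if value.startswith("hex(2):"):
        octets = [b.strip() for b in value[len("hex(2):"):].split(",") if b.strip()]
        return bytes(int(b, 16) for b in octets).decode("utf-16-le").rstrip("\x00")
    return value

def parse_notify_export(text):
    """Map each Winlogon\\Notify subkey to {value name (lower-cased): decoded value}."""
    keys, current, pending = defaultdict(dict), None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # .reg continuation line: join with the next one
            pending = line[:-1]
            continue
        pending = ""
        k = REG_KEY.match(line)
        if k:
            current = k["key"].rsplit("\\", 1)[-1] if "\\Notify\\" in k["key"] else None
        elif current:
            v = REG_VALUE.match(line)
            if v:
                keys[current][v["name"].lower()] = reg_string(v["value"])
    return dict(keys)

def triage_notify(text, system32_files=()):
    """Flag packages with an absolute DllName, a DLL outside the known set, or System32
    files named as the DLL spelled backwards (post #4 lists jmnnn.* beside nnnmj.dll)."""
    files = {f.lower() for f in system32_files}
    findings = []
    for sub, vals in parse_notify_export(text).items():
        dll = vals.get("dllname", "")
        base = dll.rsplit("\\", 1)[-1].lower()
        stem = base.rsplit(".", 1)[0]
        if "\\" in dll:
            findings.append((sub, "absolute DllName path", dll))
        if base and base not in KNOWN_NOTIFY_DLLS:
            findings.append((sub, "dll is not a standard notify package", base))
        twins = sorted(f for f in files if stem and f.rsplit(".", 1)[0] == stem[::-1])
        if twins:
            findings.append((sub, "reversed-name companion files", ", ".join(twins)))
    return findings

# Sample input transcribed (abbreviated) from the logs posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\nnnmj.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\forrit\Norton Anti-Virus scanner\NavShExt.dll
O20 - Winlogon Notify: nnnmj - C:\WINDOWS\System32\nnnmj.dll
"""
NOTIFY_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnmj]
"DllName"="C:\\WINDOWS\\System32\\nnnmj.dll"
"""
SYSTEM32_SAMPLE = ["jmnnn.ini", "jmnnn.bak2", "jmnnn.bak1", "gebyw.dll", "nnnmj.dll"]
```

Calling triage_hjt(HJT_SAMPLE) and triage_notify(NOTIFY_SAMPLE, SYSTEM32_SAMPLE) returns five findings, every one of them pointing at nnnmj.dll, the entry the helper told jonspet to remove.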

#5 Micah_6:8 (Evilware Emancipator, Authentic Member, 10,060 posts)

Posted 02 November 2005 - 05:38 AM

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning that should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\nnnmj.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\jmnnn.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\nnnmj.dll
    O20 - Winlogon Notify: nnnmj - C:\WINDOWS\System32\nnnmj.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Copy a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

After the reboot, delete this file if it still exists:

C:\WINDOWS\SYSTEM32\gebyw.dll

It will be "hidden".
Be sure to show hidden files when looking for this file.

#6 jonspet (New Member, 6 posts)

Posted 02 November 2005 - 10:24 AM

Ok, I just wanted to say I appreciate the help, but ok..!!! I ran HijackThis after I used KillVundo.bat and it didn't find this (still in safe mode):

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\nnnmj.dll

But then, after I went back to normal mode, HijackThis found the above file, so I fixed it and ran another scan with HT, and here is that log... (I am not sure if I should reboot again after I deleted "O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\nnnmj.dll" or not, so I will post the HT log now, then restart again, do another scan and compare it to this one that is about to follow):



Logfile of HijackThis v1.99.1
Scan saved at 16:17:09, on 2.11.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\forrit\Norton Anti-Virus scanner\navapsvc.exe
E:\forrit\Norton Anti-Virus scanner\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
E:\forrit\Norton Anti-Virus scanner\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jónsi\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.darkthrone.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bt.is
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.rhi.hi.is:8080
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\forrit\Norton Anti-Virus scanner\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\forrit\Norton Anti-Virus scanner\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [clock] C:\WINDOWS\clock.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Advanced Tools Check] E:\forrit\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {064D665E-3903-4976-83EA-EE3D6A63E598} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {064D665E-3903-4976-83EA-EE3D6A63E598} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {107F5EFE-9255-4319-88CB-9462C9DF86B2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {107F5EFE-9255-4319-88CB-9462C9DF86B2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {2708FEAC-941F-4FD3-8A49-85ED078AB4CD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2708FEAC-941F-4FD3-8A49-85ED078AB4CD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {35FE007F-B42F-4973-A29C-E733395ED04E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {35FE007F-B42F-4973-A29C-E733395ED04E} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {40A06BB1-5B77-4FAE-A621-F963D9093793} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {40A06BB1-5B77-4FAE-A621-F963D9093793} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4B7CD476-1B9F-49B5-AF04-33EB445BA304} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B7CD476-1B9F-49B5-AF04-33EB445BA304} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {514166F4-7D43-4C86-9AB8-8615EE5D8971} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {514166F4-7D43-4C86-9AB8-8615EE5D8971} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {529405F8-554D-47B0-A6AE-ED2F9FF0A981} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {529405F8-554D-47B0-A6AE-ED2F9FF0A981} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {79278CB7-56EF-4999-8B97-83EA57B0D650} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {79278CB7-56EF-4999-8B97-83EA57B0D650} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {808A1E8E-46FF-4236-BD45-626B9B0B0334} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {808A1E8E-46FF-4236-BD45-626B9B0B0334} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8D141FD6-2513-4601-BAE7-6CE6A5D4B853} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8D141FD6-2513-4601-BAE7-6CE6A5D4B853} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B1B23768-F59A-44B4-8CD4-E86476B817D8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B1B23768-F59A-44B4-8CD4-E86476B817D8} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BA503D0F-86AD-44B9-BB00-EC689A3808C7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BA503D0F-86AD-44B9-BB00-EC689A3808C7} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C510E48F-2ADD-4D22-9F1F-8F8926BC8907} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C510E48F-2ADD-4D22-9F1F-8F8926BC8907} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {CD1525A0-686E-436D-B414-8F6003575FD5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CD1525A0-686E-436D-B414-8F6003575FD5} - (no file) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {511F9316-771B-4953-A268-1C36DA667FE9} (SponsorAdulto Class) - http://ip.sponsoradu...bTelecomInt.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102006415474
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc...Bridge-c139.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.18/ttinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: nnnmj - C:\WINDOWS\System32\nnnmj.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\forrit\Norton Anti-Virus scanner\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\forrit\Norton Anti-Virus scanner\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - E:\forrit\Norton Anti-Virus scanner\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Also the vundofix.txt file:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

ReadMe.txt
killvundo.bat
process.exe
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\nnnmj.dll

The second filepath entered was C:\WINDOWS\System32\jmnnn.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 140 'smss.exe'

Killing PID 716 'explorer.exe'


Killing PID 220 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\System32\nnnmj.dll Deleted sucessfully.
C:\WINDOWS\System32\jmnnn.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------



p.s. I didn't find gebyw.dll with hidden files shown so I think it might not be there.

*after edit* I ran another check with HT after I rebooted again and the log seemed to be the same as the one above. And I used ctrl+f to check if the word nnnmj was anywhere in the log and it was only in one place which is the same place as in the above log!!! So please tell me if there are any more things I need to do or not. My computer seems to be working faster now so maybe it is ok now.

Edited by jonspet, 02 November 2005 - 10:41 AM.


#7 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 02 November 2005 - 05:09 PM

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

Run Hijack This!
Click "Do a system scan only".
Then "check" the box to the left of these item(s):

O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe

O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc...Bridge-c139.cab

O20 - Winlogon Notify: nnnmj - C:\WINDOWS\System32\nnnmj.dll (file missing)

Then click "Fix checked" and close Hijack This!.

Reboot in "safe" mode.

Delete all of the following noted (in red) file(s)/FOLDER(s) you can find:

c:\windows\dnscleaner.exe <--- file

Some malware files may be "hidden".
Be sure to show hidden files when looking for these file(s) and/or folder(s).

Reboot in normal mode and "copy/paste" a new log file into this thread. :)
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?

The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

Download Hijack This! My Website: UnSpyMe!
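A defender-side way to pick the same kinds of entries out of a HijackThis log that Micah singled out above (the O20 Winlogon Notify DLL, the O4 Run entry launched straight from the Windows directory, and the O16 ActiveX download with no friendly name). This is an added Python example, not code from the thread, from HijackThis or from VundoFix; the log it parses is a constructed sample modelled on the lines in this thread with placeholder URLs, and the "runs from the Windows directory" test is a heuristic of my own, not a HijackThis rule.

```python
"""Triage of HijackThis v1.99-style log lines (added example, not part of the thread).

Flags three entry types a reviewer would look at first:
  * O20 Winlogon Notify entries (a DLL that winlogon.exe loads at logon; Vundo used this slot)
  * O4 Run entries that start an executable straight out of the Windows directory (heuristic)
  * O16 DPF (ActiveX download) entries that carry a CLSID but no friendly control name
Everything else in the log (O23 services, O9 buttons, ...) is left alone.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: line shapes copied from the thread's log, URLs replaced
# with placeholder hosts so the example runs offline.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.example.invalid/Bridge-c139.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.example.invalid/wuweb.cab
O20 - Winlogon Notify: nnnmj - C:\WINDOWS\System32\nnnmj.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# One regex per HJT section we care about; group names match the log's own fields.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-F-]+\})(?: \((?P<friendly>[^)]*)\))? - (?P<url>\S+)$', re.I)
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$')


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag, e.g. "O20"
    line: str      # the log line as written
    reason: str    # why a reviewer should look at it


def _exe_path(cmd: str) -> str:
    """Return the executable part of an O4 command string (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def runs_from_windows_root(cmd: str) -> bool:
    """Heuristic (my own, not HJT's): the Run target sits directly in C:\\WINDOWS,
    where legitimate autostart programs rarely install themselves."""
    parent = PureWindowsPath(_exe_path(cmd)).parent
    return str(parent).lower().rstrip("\\") == r"c:\windows"


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return the entries worth a second look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := O4_RE.match(line)) and runs_from_windows_root(m["cmd"]):
            findings.append(Finding("O4", line,
                f"Run entry [{m['name']}] starts an executable directly from the "
                f"Windows directory; verify it belongs to a known program"))
        elif (m := O16_RE.match(line)) and not m["friendly"]:
            findings.append(Finding("O16", line,
                f"ActiveX control {m['clsid']} was installed without a friendly name; "
                f"check where the .cab at {m['url']} came from"))
        elif m := O20_RE.match(line):
            status = ("registry entry points at a DLL that no longer exists (leftover after removal)"
                      if m["missing"] else
                      "DLL is loaded into winlogon.exe at every logon, so it outlives explorer.exe restarts")
            findings.append(Finding("O20", line, f"Winlogon Notify '{m['name']}': {status}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

On the sample the script reports exactly the three lines the helper asked to have fixed, and leaves the Symantec service, the quoted ccApp entry and ctfmon.exe alone. The "file missing" branch of the O20 check is the situation in this thread: VundoFix had already deleted nnnmj.dll, so what HijackThis shows is a dangling Winlogon Notify registration that still needs removing from the registry.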

#8 jonspet

jonspet

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 02 November 2005 - 05:37 PM

Logfile of HijackThis v1.99.1
Scan saved at 23:33:39, on 2.11.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\forrit\Norton Anti-Virus scanner\navapsvc.exe
E:\forrit\Norton Anti-Virus scanner\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
E:\forrit\Norton Anti-Virus scanner\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Jónsi\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.darkthrone.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bt.is
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.rhi.hi.is:8080
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\forrit\Norton Anti-Virus scanner\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\forrit\Norton Anti-Virus scanner\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [clock] C:\WINDOWS\clock.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [Advanced Tools Check] E:\forrit\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {064D665E-3903-4976-83EA-EE3D6A63E598} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {064D665E-3903-4976-83EA-EE3D6A63E598} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {107F5EFE-9255-4319-88CB-9462C9DF86B2} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {107F5EFE-9255-4319-88CB-9462C9DF86B2} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {2708FEAC-941F-4FD3-8A49-85ED078AB4CD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2708FEAC-941F-4FD3-8A49-85ED078AB4CD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {35FE007F-B42F-4973-A29C-E733395ED04E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {35FE007F-B42F-4973-A29C-E733395ED04E} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {40A06BB1-5B77-4FAE-A621-F963D9093793} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {40A06BB1-5B77-4FAE-A621-F963D9093793} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {4B7CD476-1B9F-49B5-AF04-33EB445BA304} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B7CD476-1B9F-49B5-AF04-33EB445BA304} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {514166F4-7D43-4C86-9AB8-8615EE5D8971} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {514166F4-7D43-4C86-9AB8-8615EE5D8971} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {529405F8-554D-47B0-A6AE-ED2F9FF0A981} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {529405F8-554D-47B0-A6AE-ED2F9FF0A981} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {79278CB7-56EF-4999-8B97-83EA57B0D650} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {79278CB7-56EF-4999-8B97-83EA57B0D650} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {808A1E8E-46FF-4236-BD45-626B9B0B0334} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {808A1E8E-46FF-4236-BD45-626B9B0B0334} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8D141FD6-2513-4601-BAE7-6CE6A5D4B853} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8D141FD6-2513-4601-BAE7-6CE6A5D4B853} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B1B23768-F59A-44B4-8CD4-E86476B817D8} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B1B23768-F59A-44B4-8CD4-E86476B817D8} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {BA503D0F-86AD-44B9-BB00-EC689A3808C7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BA503D0F-86AD-44B9-BB00-EC689A3808C7} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {C510E48F-2ADD-4D22-9F1F-8F8926BC8907} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C510E48F-2ADD-4D22-9F1F-8F8926BC8907} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {CD1525A0-686E-436D-B414-8F6003575FD5} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {CD1525A0-686E-436D-B414-8F6003575FD5} - (no file) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14....es/MsnPUpld.cab
O16 - DPF: {511F9316-771B-4953-A268-1C36DA667FE9} (SponsorAdulto Class) - http://ip.sponsoradu...bTelecomInt.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102006415474
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.18/ttinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\forrit\Norton Anti-Virus scanner\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\forrit\Norton Anti-Virus scanner\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - E:\forrit\Norton Anti-Virus scanner\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Ok I did what you said so here is my newest log :D :P :wavey: :rofl:

#9 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 02 November 2005 - 05:58 PM

Looks good!!!

GOD bless you!!!

M68 :)

Items you may wish to consider to harden your defenses against future infections:

Read "How did I get infected in the first place?"

Download/install IE-Spyad

IE-Spyad puts over 4000 known malicious web sites into IE's "restricted zone" to help prevent you from getting infected.

Check your browser settings at Qualsys.com

A series of "tests" (and suggested fixes) to help tweak IE's settings to help prevent infections when surfing the web.

Follow safe Internet practices:

1. Keep your virus definitions up to date, and scan your system regularly.

2. Don't open email, or download attachments from unrecognized email addresses.

3. Be careful when downloading email attachments, EVEN FROM PEOPLE YOU KNOW! Many viruses, worms, and trojans infect a person's system then immediately spread themselves to the people in the infected person's address book via email attachments.

4. Be careful downloading files from the Internet. Scan all downloaded files with a reliable UP-TO-DATE antivirus program. Scan "zip" files BEFORE unzipping, and scan all unzipped files BEFORE USING THEM.

5. Keep your Windows and IE current with all the latest patches and updates.



#10 jonspet

jonspet

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 02 November 2005 - 06:21 PM

WOW I don't really know how to thank you guys !!! I have been frustrated over this virus for so long now and haven't had a clue what to do !!! If someone I know is ever in trouble I will definitely tell them about this site ! You guys are saviours and you have to keep this site going ! thanks Jon

#11 Micah_6:8

Micah_6:8

    Evilware Emancipator

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,060 posts
  • Interests:Web (Perl, PHP, JavaScript, HTML) programming, CNC programming, Squashing spyware!

Posted 09 November 2005 - 04:37 PM

This topic is now closed.

If you need this topic reopened, please request this by sending an email to us at the following link

(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.

