pop ups:(

Comments

• Crunchie Mandurah. Western Australia. Member

  September 2005 edited September 2005

  Please print these instructions out for use in Safe Mode.
  
  Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    
    
    C:\WINDOWS\System32\pmnno.dll

  
  
  [*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  [*] Next you will see:

  Please type in the second filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  [*]At this point please type the following file path (make sure to enter it exactly as below!):
  
  

  C:\WINDOWS\System32\onnmp.dll
  
  
  
  [*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  
  [*]The fix will run then HijackThis will open.
  [*]In HijackThis, please place a check next to the following items and click FIX CHECKED:
  
  

  O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
  O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\pmnno.dll
  
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
  
  O20 - Winlogon Notify: pmnno - C:\WINDOWS\System32\pmnno.dll
  
  
  
  [*]After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  [*]Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  [*]Once your machine reboots please continue with the instructions below.
  
  
  Then, please run this online virus scan: ActiveScan
  
  Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

  0
• angelica

  September 2005 edited September 2005

  the results from activescan are:
  
  
  Detected Disinfected
  Virus 0 0
  Spyware 0 0
  Hacking Tools 0 0
  Dialers 0 0
  Security Risks 0 0
  Suspicious files 0 0
  
  
  
  file from vundofix:
  
  Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
  Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
  Suspending PID 136 'smss.exe'
  Threads [140][144][148]
  
  Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
  Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
  Killing PID 736 'explorer.exe'
  
  Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
  Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
  Error, Cannot find a process with an image name of rundll32.exe
  
  Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
  Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
  Killing PID 212 'winlogon.exe'
  Could not delete file.
  Files Deleted sucessfully.
  
  
  new hijack this log:
  
  Logfile of HijackThis v1.99.1
  Scan saved at 4:14:06 PM, on 9/30/2005
  Platform: Windows XP SP1 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  C:\WINDOWS\system32\drivers\dcfssvc.exe
  c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  C:\WINDOWS\wanmpsvc.exe
  c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\System32\bcmwltry.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
  C:\PROGRA~1\mcafee.com\agent\mcagent.exe
  c:\progra~1\mcafee.com\vso\mcvsescn.exe
  C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  C:\Program Files\QuickTime\qttask.exe
  C:\Program Files\AIM+\AIM+.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
  C:\PROGRA~1\AMERIC~1.0A\waol.exe
  C:\Program Files\AIM\aim.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLHostManager.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  C:\Program Files\Windows Media Player\wmplayer.exe
  c:\progra~1\mcafee.com\vso\mcvsftsn.exe
  c:\program files\common files\aol\1101517519\ee\services\antiSpywareApp\ver2_0_0\AOLSP Scheduler.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  C:\WINDOWS\System32\wuauclt.exe
  C:\PROGRA~1\AMERIC~1.0A\shellmon.exe
  C:\Program Files\hijackthis\HijackThis.exe
  
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
  R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
  O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\pmnno.dll
  O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
  O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
  O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
  O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
  O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
  O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
  O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
  O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101517519\ee\AOLHostManager.exe
  O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
  O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
  O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
  O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
  O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
  O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
  O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
  O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
  O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
  O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
  O12 - Plugin for .WAV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
  O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
  O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
  O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
  O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
  O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
  O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
  O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
  O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
  O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
  O20 - Winlogon Notify: pmnno - C:\WINDOWS\System32\pmnno.dll
  O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
  O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
  O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  
  
  
  thank you for responding so quickly:)

  0
• Crunchie Mandurah. Western Australia. Member

  September 2005 edited September 2005

  I do not know what happened, but nothing has changed in your log??
  You need to do the exact same thing again, (unless you didn't follow the instructions exactly ).
  Make sure that you do NOT open Internet Exploder when running the fix.
  Once you have done all, post another log please.
  
  I will not be able to respond again today, so I will catch up later on Sunday.

  0
• angelica

  October 2005 edited October 2005

  ahhh...i think it might be because when i was supposed to press anykey to restart my computer in safe mode, i did and nothing happened...so i kept pressing keys..and nothing was happening..so i just turned it off haha sorry
  
  after i did everything again these are the new results:
  
  
  active scan:
  
  Detected Disinfected
  Virus 0 0
  Spyware 0 0
  Hacking Tools 0 0
  Dialers 0 0
  Security Risks 0 0
  Suspicious files 0 0
  
  
  vundofix file:
  
  Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
  Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
  Suspending PID 136 'smss.exe'
  Threads [140][144][148]
  
  Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
  Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
  Killing PID 700 'explorer.exe'
  
  Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
  Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
  Error, Cannot find a process with an image name of rundll32.exe
  
  Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
  Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
  Killing PID 212 'winlogon.exe'
  Could not delete file.
  Files Deleted sucessfully.
  
  
  
  hijack this log:
  
  Logfile of HijackThis v1.99.1
  Scan saved at 5:21:14 PM, on 10/1/2005
  Platform: Windows XP SP1 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\csrss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\System32\alg.exe
  C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  C:\WINDOWS\system32\drivers\dcfssvc.exe
  c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
  C:\WINDOWS\wanmpsvc.exe
  c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\System32\bcmwltry.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
  C:\PROGRA~1\mcafee.com\agent\mcagent.exe
  C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  C:\Program Files\QuickTime\qttask.exe
  c:\progra~1\mcafee.com\vso\mcvsescn.exe
  C:\Program Files\AIM+\AIM+.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\AIM\aim.exe
  C:\PROGRA~1\AMERIC~1.0A\waol.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
  C:\WINDOWS\System32\wuauclt.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLHostManager.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  C:\WINDOWS\System32\wbem\wmiprvse.exe
  c:\program files\common files\aol\1101517519\ee\services\antiSpywareApp\ver2_0_0\AOLSP Scheduler.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  c:\progra~1\mcafee.com\vso\mcvsftsn.exe
  C:\PROGRA~1\AMERIC~1.0A\shellmon.exe
  C:\Program Files\hijackthis\HijackThis.exe
  
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
  R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\pmnno.dll
  O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
  O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
  O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
  O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
  O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
  O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
  O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
  O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101517519\ee\AOLHostManager.exe
  O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
  O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
  O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
  O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
  O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
  O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
  O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
  O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
  O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
  O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
  O12 - Plugin for .WAV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
  O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
  O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
  O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
  O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
  O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
  O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
  O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
  O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
  O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
  O20 - Winlogon Notify: pmnno - C:\WINDOWS\System32\pmnno.dll
  O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
  O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
  O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  
  
  thanks for the continued help..i appreciate it!

  0
• Crunchie Mandurah. Western Australia. Member

  October 2005 edited October 2005

  Please download Process Explorer by Systernals from here.
  
  Also download KillBox by Option^Explicit from here.
  
  Unzip Process Explorer and double click on procexp.exe
  
  In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
  
  Once you see this screen click on each instance of pmnno.dll once and then click the kill button.
  
  After you have killed all of the pmnno.dll's under winlogon click ok.
  
  Next double click on explorer.exe and again click once on each instance of pmnno.dll then click the kill button. Click on the Threads tab at the top.
  
  Once you have done that click ok again.
  
  Next run HijackThis and place a check beside each of the following.
  
  O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\pmnno.dll
  
  O20 - Winlogon Notify: pmnno - C:\WINDOWS\System32\pmnno.dll
  
  Now click fix checked and close HijackThis.
  
  Please copy the text from within the code box below and paste it into a blank notepad window.
  Save it as vundo.reg and in the save as type box choose all files.
  
  Once you have saved it double click it and allow it to merge with the registry.
  

  REGEDIT4
  
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ED748391-D25B-4A9B-BBD5-9F27E03E4A60}]
  
  [-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]
  
  [-HKEY_CLASSES_ROOT\MSEvents.MSEvents]
  
  [-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]
  
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]
  
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

  
  Double click on Killbox.exe and then check the delete on reboot button.
  
  Enter the following filepath and filename into the Full path of file to delete box
  
  C:\WINDOWS\System32\pmnno.dll
  
  Click the red circle with the white x and allow your computer to reboot.
  
  After your computer has rebooted please run Hijackthis again and post a new HijackThis log.

  0
• angelica

  October 2005 edited October 2005

  new hijack this log:
  
  
  
  Logfile of HijackThis v1.99.1
  Scan saved at 11:27:42 AM, on 10/3/2005
  Platform: Windows XP SP1 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  C:\WINDOWS\system32\drivers\dcfssvc.exe
  c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  C:\WINDOWS\wanmpsvc.exe
  c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\System32\bcmwltry.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
  C:\PROGRA~1\mcafee.com\agent\mcagent.exe
  C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  c:\progra~1\mcafee.com\vso\mcvsescn.exe
  C:\Program Files\QuickTime\qttask.exe
  C:\Program Files\AIM+\AIM+.exe
  C:\Program Files\AIM\aim.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\PROGRA~1\AMERIC~1.0A\waol.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLHostManager.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  c:\program files\common files\aol\1101517519\ee\services\antiSpywareApp\ver2_0_0\AOLSP Scheduler.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  c:\progra~1\mcafee.com\vso\mcvsftsn.exe
  C:\WINDOWS\System32\wuauclt.exe
  C:\PROGRA~1\AMERIC~1.0A\shellmon.exe
  C:\Program Files\hijackthis\HijackThis.exe
  
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
  R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
  O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
  O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
  O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
  O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
  O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
  O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
  O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101517519\ee\AOLHostManager.exe
  O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
  O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
  O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
  O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
  O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
  O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
  O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
  O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
  O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
  O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
  O12 - Plugin for .WAV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
  O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
  O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
  O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
  O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
  O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
  O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
  O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
  O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
  O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
  O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
  O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
  O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  0
• Crunchie Mandurah. Western Australia. Member

  October 2005 edited October 2005

  Congratulations! Your log looks clean - good work!
  
  ===============
  
  Now that your PC is clean you need to follow these easy steps to keeping it this way:
  
  Secure your Internet Explorer by going here and following the instructions there.
  
  Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.
  
  Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.
  
  Install and keep updated, Ad-Aware SE, and Spybot S&D.
  Run them both on a regular basis, following the manufacturer's recommendations.
  
  Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.
  
  Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.
  
  
  Clear your Temp folders.
  Clear out your Temporary internet files and other temp files.
  Go to Start > Settings > Control Panel >Internet Options.
  Under the General tab click the Delete temporary internet files,
  delete all Offline content as well. Clear out Cookies.
  
  Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.
  
  Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)
  
  C:\Documents and Settings\username\Local Settings\Temp\
  
  In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
  
  Empty the Recycle Bin.
  
  For XP users.
  After something like this it is a good idea to Flush the Restore Points and start fresh.
  To flush the XP system Restore Points.
  
  Go to Start>Run and type msconfig. Press enter.
  
  When msconfig opens, click the Launch System Restore Button.
  On the next page, click the System Restore Settings link on the left.
  
  Check the box labelled 'Turn off System restore'.
  
  Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
  
  Note that all previous restore points will be lost.
  
  ===============
  
  If you have any more problems, post back.
  
  -
  
  Happy surfing,
  
  crunchie.

  0
• angelica

  October 2005 edited October 2005

  yayyyy
  thank you very much for all your help
  hopefully i won't be back for awhile!

  0
• Crunchie Mandurah. Western Australia. Member

  October 2005 edited October 2005

  You are welcome .
  
  This thread is now closed. If you need it reopened, please send a PM to one of our Mods.
  
  Include the link to the thread and detail why you need it reopened.
  
  If this is not your thread please start a New Topic.
  

  0
• Crunchie Mandurah. Western Australia. Member

  October 2005 edited October 2005

  Thread reopened at members request.

  0
• angelica

  October 2005 edited October 2005

  thank you for re-opening the thread:)
  
  i'm basically having the same problem as before..random popups
  i've scanned with mcaffe & ad-aware but they don't seem to get rid of them [at least not permanently]
  
  so im posting a hijack this log & i'd appreciate any help!
  
  Logfile of HijackThis v1.99.1
  Scan saved at 9:38:44 PM, on 10/25/2005
  Platform: Windows XP SP1 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\csrss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\System32\alg.exe
  C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  C:\WINDOWS\system32\drivers\dcfssvc.exe
  C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
  c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  C:\WINDOWS\wanmpsvc.exe
  c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  C:\WINDOWS\System32\wuauclt.exe
  C:\WINDOWS\System32\bcmwltry.exe
  C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
  c:\progra~1\mcafee.com\vso\mcvsescn.exe
  c:\program files\mcafee.com\agent\mcagent.exe
  C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  C:\Program Files\QuickTime\qttask.exe
  C:\PROGRA~1\AIM\aim.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLHostManager.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  c:\program files\common files\aol\1101517519\ee\services\antiSpywareApp\ver2_0_0\AOLSP Scheduler.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  c:\progra~1\mcafee.com\vso\mcvsftsn.exe
  C:\WINDOWS\System32\WISPTIS.EXE
  C:\WINDOWS\System32\svchost.exe
  C:\Program Files\AIM+\AIM+.exe
  C:\Program Files\AIM\AIM95_c2\aim.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  C:\Program Files\Internet Explorer\iexplore.exe
  C:\Program Files\Windows Media Player\wmplayer.exe
  C:\PROGRA~1\AMERIC~1.0A\waol.exe
  C:\PROGRA~1\AMERIC~1.0A\shellmon.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\WINDOWS\explorer.exe
  C:\Program Files\hijackthis\HijackThis.exe
  
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
  R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
  O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\pmnnl.dll
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
  O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
  O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
  O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
  O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
  O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
  O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
  O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101517519\ee\AOLHostManager.exe
  O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\AIM95_c2\aim.exe -cnetwait.odl
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
  O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
  O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
  O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
  O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM95_c2\aim.exe
  O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
  O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
  O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
  O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
  O12 - Plugin for .WAV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
  O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
  O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
  O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
  O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
  O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
  O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
  O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
  O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
  O20 - Winlogon Notify: pmnnl - C:\WINDOWS\System32\pmnnl.dll
  O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
  O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
  O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  0
• Crunchie Mandurah. Western Australia. Member

  October 2005 edited October 2005

  Download symantecs removal tool and follow their instructions for running it.
  
  http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.removal.tool.html
  
  Post back a new log when done.

  0
• angelica

  October 2005 edited October 2005

  i followed the instructions and the program said the trojan file was not found on my computer..

  0
• Crunchie Mandurah. Western Australia. Member

  October 2005 edited October 2005

  Please print these instructions out for use in Safe Mode.
  
  Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk.

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    
    
    C:\WINDOWS\System32\pmnnl.dll

  
  
  [*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  [*] Next you will see:

  Please type in the second filepath as instructed by the forum staff
  Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  [*]At this point please type the following file path (make sure to enter it exactly as below!):
  
  

  C:\WINDOWS\System32\lnnmp.*
  
  
  
  [*]Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  
  [*]The fix will run then HijackThis will open.
  [*]In HijackThis, please place a check next to the following items and click FIX CHECKED:
  
  

  O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\pmnnl.dll
  
  O20 - Winlogon Notify: pmnnl - C:\WINDOWS\System32\pmnnl.dll
  
  
  
  [*]After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  [*]Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  [*]Once your machine reboots please continue with the instructions below.
  
  
  Then, please run this online virus scan: ActiveScan
  
  Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.

  0
• angelica

  October 2005 edited October 2005

  i'm pretty sure the whole thing of what i was supposed to do after restarting my computer in safe mode went wrong. i don't know exactly i did wrong because im pretty sure i followed all the directions, but the whole KillVundo program-ish thing confuses me because sometimes it would close itself after i did enter-f6-enter and i tried to do it again but eh
  
  
  
  
  this was the text file:
  
  
  Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
  Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
  Error, Cannot find a process with an image name of smss.exe
  
  Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
  Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
  Error, Cannot find a process with an image name of explorer.exe
  
  Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
  Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
  Error, Cannot find a process with an image name of rundll32.exe
  
  Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
  Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
  Error, Cannot find a process with an image name of winlogon.exe
  
  
  
  these are the results from the panda scan:
  
  Detected Disinfected
  Virus 0 0
  Spyware 0 0
  Hacking Tools 0 0
  Dialers 0 0
  Security Risks 0 0
  Suspicious files 0 0
  
  
  
  
  and this is my new hijakc this log:
  
  
  Logfile of HijackThis v1.99.1
  Scan saved at 3:52:39 PM, on 10/28/2005
  Platform: Windows XP SP1 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  C:\WINDOWS\system32\drivers\dcfssvc.exe
  c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  C:\WINDOWS\wanmpsvc.exe
  c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\System32\bcmwltry.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
  C:\PROGRA~1\mcafee.com\agent\mcagent.exe
  c:\progra~1\mcafee.com\vso\mcvsescn.exe
  C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  C:\Program Files\QuickTime\qttask.exe
  C:\Program Files\AIM+\AIM+.exe
  C:\Program Files\AIM\aim.exe
  C:\Program Files\Messenger\msmsgs.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLHostManager.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  c:\progra~1\mcafee.com\vso\mcvsftsn.exe
  c:\program files\common files\aol\1101517519\ee\services\antiSpywareApp\ver2_0_0\AOLSP Scheduler.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  C:\Program Files\America Online 9.0a\waol.exe
  C:\WINDOWS\System32\wuauclt.exe
  C:\Program Files\America Online 9.0a\shellmon.exe
  C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
  C:\Program Files\hijackthis\HijackThis.exe
  
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
  R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
  O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\pmnnl.dll
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
  O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
  O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
  O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
  O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
  O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
  O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
  O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101517519\ee\AOLHostManager.exe
  O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
  O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
  O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
  O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
  O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
  O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
  O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
  O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
  O12 - Plugin for .WAV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
  O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
  O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
  O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
  O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
  O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
  O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
  O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
  O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
  O20 - Winlogon Notify: pmnnl - C:\WINDOWS\System32\pmnnl.dll
  O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
  O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
  O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  0
• Crunchie Mandurah. Western Australia. Member

  October 2005 edited October 2005

  Please download Process Explorer by Systernals from here.
  
  Also download KillBox by Option^Explicit from here.
  
  Unzip Process Explorer and double click on procexp.exe
  
  In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
  
  Once you see this screen click on each instance of pmnnl.dll once and then click the kill button.
  
  After you have killed all of the pmnnl.dll's under winlogon click ok.
  
  Next double click on explorer.exe and again click once on each instance of pmnnl.dll then click the kill button. Click on the Threads tab at the top.
  
  Once you have done that click ok again.
  
  Next run HijackThis and place a check beside each of the following.
  
  O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\pmnnl.dll
  
  O20 - Winlogon Notify: pmnnl - C:\WINDOWS\System32\pmnnl.dll
  
  Now click fix checked and close HijackThis.
  
  Please copy the text from within the code box below and paste it into a blank notepad window.
  Save it as vundo.reg and in the save as type box choose all files.
  
  Once you have saved it double click it and allow it to merge with the registry.
  

  REGEDIT4
  
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1}]
  
  [-HKEY_CLASSES_ROOT\CLSID\{FC148228-87E1-4D00-AC06-58DCAA52A4D1}]
  
  [-HKEY_CLASSES_ROOT\MSEvents.MSEvents]
  
  [-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]
  
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]
  
  [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

  
  Double click on Killbox.exe and then check the delete on reboot button.
  
  Enter the following filepath and filename into the Full path of file to delete box
  
  C:\WINDOWS\System32\pmnnl.dll
  
  Click the red circle with the white x and allow your computer to reboot.
  
  After your computer has rebooted please run Hijackthis again and post a new HijackThis log.

  0
• angelica

  October 2005 edited October 2005

  new hijakc this log:
  
  Logfile of HijackThis v1.99.1
  Scan saved at 4:47:18 PM, on 10/29/2005
  Platform: Windows XP SP1 (WinNT 5.01.2600)
  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
  
  Running processes:
  C:\WINDOWS\System32\smss.exe
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\svchost.exe
  C:\WINDOWS\System32\svchost.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  C:\WINDOWS\system32\drivers\dcfssvc.exe
  c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  C:\WINDOWS\wanmpsvc.exe
  c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  C:\WINDOWS\Explorer.EXE
  C:\WINDOWS\System32\bcmwltry.exe
  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
  C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
  C:\PROGRA~1\mcafee.com\agent\mcagent.exe
  C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  C:\Program Files\QuickTime\qttask.exe
  C:\Program Files\AIM+\AIM+.exe
  C:\Program Files\Messenger\msmsgs.exe
  c:\progra~1\mcafee.com\vso\mcvsescn.exe
  C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
  C:\Program Files\America Online 9.0a\waol.exe
  C:\Program Files\AIM\aim.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLHostManager.exe
  C:\WINDOWS\System32\wuauclt.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  c:\program files\common files\aol\1101517519\ee\services\antiSpywareApp\ver2_0_0\AOLSP Scheduler.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  c:\progra~1\mcafee.com\vso\mcvsftsn.exe
  C:\Program Files\Common Files\AOL\1101517519\ee\AOLServiceHost.exe
  C:\Program Files\America Online 9.0a\shellmon.exe
  C:\Program Files\hijackthis\HijackThis.exe
  
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
  R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
  O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
  O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
  O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
  O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
  O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
  O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
  O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
  O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101517519\ee\AOLHostManager.exe
  O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
  O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
  O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
  O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
  O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
  O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
  O12 - Plugin for .aif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
  O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
  O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
  O12 - Plugin for .MPG: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
  O12 - Plugin for .WAV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
  O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
  O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
  O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
  O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
  O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
  O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
  O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
  O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
  O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
  O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
  O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
  O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
  O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
  O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
  O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  0
• Crunchie Mandurah. Western Australia. Member

  October 2005 edited October 2005

  Congratulations! Your log looks clean - good work!
  
  ===============
  
  Now that your PC is clean you need to follow these easy steps to keeping it this way:
  
  Secure your Internet Explorer by going here and following the instructions there.
  
  Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.
  
  Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.
  
  Install and keep updated, Ad-Aware SE, and Spybot S&D.
  Run them both on a regular basis, following the manufacturer's recommendations.
  
  Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.
  
  Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.
  
  
  Clear your Temp folders.
  Clear out your Temporary internet files and other temp files.
  Go to Start > Settings > Control Panel >Internet Options.
  Under the General tab click the Delete temporary internet files,
  delete all Offline content as well. Clear out Cookies.
  
  Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.
  
  Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)
  
  C:\Documents and Settings\username\Local Settings\Temp\
  
  In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
  
  Empty the Recycle Bin.
  
  For XP users.
  After something like this it is a good idea to Flush the Restore Points and start fresh.
  To flush the XP system Restore Points.
  
  Go to Start>Run and type msconfig. Press enter.
  
  When msconfig opens, click the Launch System Restore Button.
  On the next page, click the System Restore Settings link on the left.
  
  Check the box labelled 'Turn off System restore'.
  
  Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
  
  Note that all previous restore points will be lost.
  
  ===============
  
  If everything is running ok, let's do the final cleanup...
  
  ===============
  
  1. Run "Disk Cleanup" and allow it to remove everything it finds.
  
  2. If you've downloaded MicroWorld AV (MWAV), run it again - but don't scan, just click "Clear Log" and exit the program.
  
  3. Go to www.trendmicro.com and click "Free Online Scan", then "Scan now, it's free!". When it's downloaded, select all available drives, then check(tick) "Auto clean", then click "Scan".
  
  4. Run AdAware SE Personal and "perform a full system scan", then Spybot S&D, and "Check for Problems". Let them both remove the residual 'problems' left that HiJackThis couldn't fix.
  
  5. Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new system point manually.
  
  ===============
  
  If you have any more problems, post back.
  
  -
  
  Happy surfing,
  
  crunchie.

  0
• angelica

  October 2005 edited October 2005

  thanks for all your help!!

  0
• Crunchie Mandurah. Western Australia. Member

  October 2005 edited October 2005

  You are welcome .
  
  This thread is now closed. If you need it reopened, please send a PM to one of our Mods.
  
  Include the link to the thread and detail why you need it reopened.
  
  If this is not your thread please start a New Topic.
  

  0