Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer Slow And Pop Up ?


  • This topic is locked This topic is locked
10 replies to this topic

#1 maje1710

maje1710

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:15 PM

Posted 30 June 2006 - 08:04 PM

Hi i have a slow computer and some popup appeir time to time and my anti virus pop with warnings ...
i have scan my computer with all the program that you mentionned on this site ...
can you look at my hijackthis log please ?

thanks

that's strange, it won't save my log ???? everytime i push the button "save log" the program closed and nothing happens ?

i finally save a log here it is :

Logfile of HijackThis v1.99.1
Scan saved at 10:31:46 PM, on 30/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P35 "EPSON Stylus CX7800 Series (Copy 1)" /O6 "USB001" /M "Stylus CX7800"
O4 - HKLM\..\Run: [SoloSysCheck] C:\PROGRA~1\SRNMIC~1\SYSCHECK.COM
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /M "Stylus CX7800" /EF "HKCU"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150167590968
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/MsnChat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


can you help me ?

Mark

Edited by maje1710, 30 June 2006 - 09:35 PM.


BC AdBot (Login to Remove)

 


#2 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 01 July 2006 - 12:32 AM

Hi maje1710 -

It looks like you have a hidden infection. Please do the following.

• Re-name HijackThis.exe to analyze.exe by doing the following:
- Navigate to C:\Program Files\Hijackthis\
- Right-click onto HijackThis.exe and select "Rename"
- Type analyze.exe and hit Enter.

• Finally, double-click onto analyze.exe (which is still hijackthis) and post back with the new log.
Take only memories, leave nothing but footprints.

Posted ImagePosted Image

#3 maje1710

maje1710
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:15 PM

Posted 01 July 2006 - 04:05 PM

hi again, i just rename my hijackthis, here's my new log :

Logfile of HijackThis v1.99.1
Scan saved at 4:51:50 PM, on 01/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5838A8C7-6DB8-4E96-84B2-4A4ABC577FB4} - C:\WINDOWS\system32\pmnll.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P35 "EPSON Stylus CX7800 Series (Copy 1)" /O6 "USB001" /M "Stylus CX7800"
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /M "Stylus CX7800" /EF "HKCU"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150167590968
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/MsnChat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll
O20 - Winlogon Notify: winubg32 - C:\WINDOWS\SYSTEM32\winubg32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

also, there are strange files in my "temp" directory :

win1.tmp, win2.tmp, win3.tmp, win4.tmp, win5.tmp.exe, etc .... ??

and that message (popup) from my antivirus appear often :

VIRUS (popup by trend micro) :

C:\WINDOWS\system32\winubg32.dll
TROJ_AGENT.CQZ

hope that you can help me ..

many thanx....

Mark

#4 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 01 July 2006 - 07:42 PM

Hi,

Okay, I see the infections now. Thanks for the information about the files. You have several infections, so it will take a few steps to clean them off of your system. Please do the following.

• Please download Vundofix.exe by Atribune and save it to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing was been found, Right click the list box (white box) in the main VundoFix window.
  • Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
  • In the Window: copy and paste next in the first field: C:\WINDOWS\System32\pmnll.dll
  • Copy and paste next in the second field: C:\WINDOWS\System32\llnmp.*
  • Click the “Add Files” button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • A log will be created, C:\vundofix.txt which you will need to include in your next reply.
Note: Please run VundoFix only one time.
If you run it more than one time, you will overwrite the original log generated when it was run the first time.

• Open HijackThis, click Open the Misc Toos section, then click Delete a file on bootup
- a window will open
- Where it says "File Name" - copy and paste: C:\Windows\System32\winubg32.dll
- Click Open
- A prompt will appear advising you that the file will be deleted and asking if you want to reboot now
- Click Yes
- Your computer will now reboot.


• Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Take only memories, leave nothing but footprints.

Posted ImagePosted Image

#5 maje1710

maje1710
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:15 PM

Posted 03 July 2006 - 04:01 PM

hi again thanks for responding so fast ...

first, i have to tell you thah when i open Vundofix and clic on : Run VundoFix as a task, i receive a message saying Vundofix will close and re-open in a minute or less ... but it never reopen !! so i reopen it myself and scan my computer .

here's my Vundofix log :

VundoFix V4.2.84

Checking Java version...

Scan started at 4:01:38 PM 03/07/2006

Listing files found while scanning....


C:\WINDOWS\system32\llnmp.bak1
C:\WINDOWS\system32\llnmp.bak2
C:\WINDOWS\system32\llnmp.ini
C:\WINDOWS\system32\pmnll.dll
Attempting to delete C:\WINDOWS\system32\llnmp.bak1
C:\WINDOWS\system32\llnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\llnmp.bak2
C:\WINDOWS\system32\llnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\llnmp.ini
C:\WINDOWS\system32\llnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\pmnll.dll Has been deleted!

Performing Repairs to the registry.
Done!

here's my Hijackthis new log :

Logfile of HijackThis v1.99.1
Scan saved at 4:38:03 PM, on 03/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A5BE02D3-C2BA-48D4-BCBC-6D14210A00D7} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P35 "EPSON Stylus CX7800 Series (Copy 1)" /O6 "USB001" /M "Stylus CX7800"
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /M "Stylus CX7800" /EF "HKCU"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_12\bin\npjpi142_12.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150167590968
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/MsnChat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

i see ugly words in my hijackthis log like :

- O2 - BHO: (no name) - {A5BE02D3-C2BA-48D4-BCBC-6D14210A00D7} - C:\WINDOWS\system32\pmnll.dll (file missing) (do hijackthis have to fix it )?

-O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing) (do hijackthis have to fix it )?

-O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) (do hijackthis have to fix it )?

-O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) (do hijackthis have to fix it )?

is there other files that hijackthis have to "fix" ?

you say : "Okay, I see the infections now. Thanks for the information about the files. You have several infections, so it will take a few steps to clean them off of your system."
are they ALL gone ?

i have done the "Delete a file on bootup" with Hijackthis for the "C:\Windows\System32\winubg32.dll" files.

thank you again for your appreciate support .....

Mark

#6 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 03 July 2006 - 09:12 PM

Hi,

Don't worry - I'll give you step-by-step instructions. Just don't fix anything in HijackThis on your own. By the way, you did well with vundofix because the vundo is gone as is another infection which were the two primary infections. Now, we'll work on the rest of the malware. Please do the following in the order given.

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O2 - BHO: (no name) - {A5BE02D3-C2BA-48D4-BCBC-6D14210A00D7} - C:\WINDOWS\system32\pmnll.dll (file missing)
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)


It looks like you uninstalled SpySweeper. If you did, check the following as well:
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Close ALL browsers and open windows except for HijackThis and click 'Fix Checked'.

• You have an outdated version of Java which, because of security reasons, needs to be
updated. To update Java:
- Go to Start -> Control Panel -> Add/Remove programs
- Search in the list for all previous installed versions of Java. (J2SE Runtime Environment...)
- Select the version(s) and click Remove
- Then download and install the newest version from here:
http://www.java.com/en/download/manual.jsp

• Reboot your computer!

• Download and install Ewido Anti-Spyware 4
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "[/b]Next[/b]".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\ewido anti-spyware 4.0 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right click on ewdio in the system tray and uncheck "Start with Windows".
7. Go to Start > Run and type: services.msc
  • Press "OK".
  • In Services, click the "Extended tab" and scroll down the list to find ewido anti-spyware 4.0 guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close the Services window.
8. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
9. Exit Ewido when done.
Do NOT perform a scan yet.

• Reboot into SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

• Clean out your Temporary Internet files.
Close ALL browsers and ALL open windows.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin

Close ALL open Windows / Programs / Folders.

• Scan with Ewido as follows:
1. Launch Ewido, click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\ewido anti-spyware 4.0\Reports\
6. Exit Ewido when done.

Note: Close all open windows, programs, and DO NOT USE the computer while Ewido is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper Ewido's ability to clean properly and may result in reinfection.

Note: If Ewido "crashes" or "hangs" during the scan, try scanning again by doing this:
1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.
2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.

• Reboot into Normal Mode.

• Post back with the results of the Ewido scan and a new HijackThis log.
Take only memories, leave nothing but footprints.

Posted ImagePosted Image

#7 maje1710

maje1710
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:15 PM

Posted 04 July 2006 - 10:57 AM

hi again, thanks again for responding so fast and still assisting me ....

i do the ewido thing, here's my report :

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:40:58 AM 04/07/2006

+ Scan result:



C:\WINDOWS\system32\pmnkhig.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Program Files\Innovative Solutions\Advanced Uninstaller PRO 2006 version 7\snd-advanceduninstallerpro7.5.3.loader.exe/run.exe -> Downloader.Zlob.uz : Cleaned with backup (quarantined).
D:\My Download Files\advanced uninstaller pro 2006 v7.5.3_crack incl\snd-advanceduninstallerpro7.5.3.loader.exe_crack(ne pas instal. la 2ieme instal.)/run.exe -> Downloader.Zlob.uz : Cleaned with backup (quarantined).


::Report end


here's my Hijackthis report :

Logfile of HijackThis v1.99.1
Scan saved at 11:48:23 AM, on 04/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus CX7800 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P35 "EPSON Stylus CX7800 Series (Copy 1)" /O6 "USB001" /M "Stylus CX7800"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P26 "EPSON Stylus CX7800 Series" /M "Stylus CX7800" /EF "HKCU"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150167590968
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/MsnChat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

what about these lines ? :
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe ?
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

does everything is "ok" in these logs ?

thanx again and again ...

Mark

#8 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 04 July 2006 - 02:32 PM

Hi,

You're quite welcome! Your log looks clean. The two entries that you asked about are legitimate.
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
- this is what it says in the brackets. It updates Java.
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
- this is the plugin for Adobe Acrobat.

• I see no software Firewall program present on your system. This will greatly help in preventing your system from being infected by malware. Please install a Firewall program.
ZoneAlarm -or- Agnitum Outpost Free -or- Kerio are good FREE software Firewall programs.
See, Understanding and Using Firewalls

• If you have not done so, please empty your Recycle Bin.

• Create a new Restore Point:
- Go to Start -> All Programs -> Accessories -> System Tools -> System Restore.
- When the utility opens, select "Create a new restore point" and click Next
- Name the restore point - something like "After infection cleaned" or "After cleaning"
- Click Create.

• Delete the old Restore Points:
- Go to Start -> All Programs -> Accessories -> System Tools -> Disk Cleanup. Click Ok.
- Click the "More Options" tab.
- Where it states "System Restore" - click Clean up.
- All of the old Restore Points will be deleted EXCEPT for the one you just created.

Reboot your computer!

• To keep this clean in the future, I would suggest the following things:

• Install Spywareblaster. SpywareBlaster doesn't scan and clean for so-called spyware but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls and also prevents the installation of any of them via a webpage. Update it periodically.

• Download ATF Cleaner by Atribune and save to your desktop.
This program is for XP and Windows 2000 only
This is a good program for periodically cleaning your system. Instructions are here

* Avoid illegal sites because that's where most malware is present.
* Don't click on links inside pop-ups.
* Don't click on links in spam messages claiming to offer anti-spyware software because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust because a lot of free software can bundle other software, including spyware.

• Let your anti-spyware scanner(s) scan frequently and don't forget to update before scanning.

• I suggest you perform an online virus-scan once in a while (Housecall and/or Bitdefender) because what one virus-scanner can't find, another one maybe can.
Also, make sure that your virus-scanner, the one that is already installed on your system, is always up to date!

• Make sure your Windows has the latest updates by going here.

• Consider switching to Mozilla Firefox.
This browser is considered to be far more secure than Internet Explorer and offers improved pop-up blocking. If you do decide to install Firefox, please read Switching from IE to Firefox.

• More information on how to prevent malware can be found at So how did I get infected in the first place? by Tony Klein and Malware Prevention: Prevent Re-infection.

Happy surfing again! :thumbsup:
Take only memories, leave nothing but footprints.

Posted ImagePosted Image

#9 maje1710

maje1710
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:15 PM

Posted 04 July 2006 - 03:45 PM

hi again Waterfalls, and many thanks for everything ....

i have a litle question please (i d'ont know if i'm in the right place )?

- i have problems with my vizualisation with my windos media player version 10 (especially, the vizualisation window media 9 series : rhythm and waves it was working fine before )!!!

i try to rollback to version 9 and reinstall the version 10 .....(i even try the new beta version 11) ! always the same thing :
a popup came up : Windows Media Player has encountered a problem and needs to close. We are sorry for the inconvenience.

i d'ont know what to do !!?? it was working fine before .....

do you think that you can help me again?

thanks


Mark

#10 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 04 July 2006 - 04:20 PM

Hi,

This forum is just for HJT logs and removing malware. Try posting your question in the Audio and Visual Forum.

Good luck!
Take only memories, leave nothing but footprints.

Posted ImagePosted Image

#11 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus
  • 621 posts
  • OFFLINE
  •  
  • Local time:12:15 PM

Posted 14 July 2006 - 10:53 AM

Since this issue appears resolved ... this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Take only memories, leave nothing but footprints.

Posted ImagePosted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users