Thread ID: 64519 2005-12-17 23:40:00 I need help with removing trojan.vundo...please! gsb1976 (9439) Press F1
Post ID Timestamp Content User
413633 2005-12-17 23:40:00 Win XP home edition with Symantec Antivirus
I ran the fix from the Symantec site (needless to say it didn't work).

Logfile of HijackThis v1.99.1
Scan saved at 6:26:22 PM, on 12/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer by Cavalier Telephone, LLC
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnll.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Web Cam 320
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\WcjC.exe
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [sWwj7rLS5] C:\documents and settings\owner\local settings\temp\sWwj7rLS5.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [840455603ae3] C:\WINDOWS\System32\blackbox.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [aecfqw] C:\WINDOWS\system32\aqyjnzxc.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [aqyjnzxc] c:\windows\system32\aqyjnzxc.exe
O4 - HKLM\..\Run: [CSV7P71] C:\Program Files\CSBB\CSV7P71.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1123610744\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [izuslqkbflxte] C:\WINDOWS\System32\aqyjnzxc.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [oFrW3EW] senogsvc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REXG8Ibo] C:\documents and settings\owner\local settings\temp\REXG8Ibo.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [StartAOL] "C:\Program Files\America Online 9.0a\RBM.exe" -runonce
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\system32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\dnx?.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - online.comcast.net (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - download.mcafee.com
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - download.mcafee.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D8C4A4-786A-441B-AD5B-7430672696C4}: NameServer = 64.83.0.10,64.83.1.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{84D8C4A4-786A-441B-AD5B-7430672696C4}: NameServer = 64.83.0.10,64.83.1.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{84D8C4A4-786A-441B-AD5B-7430672696C4}: NameServer = 64.83.0.10,64.83.1.10
O17 - HKLM\System\CS3\Services\Tcpip\..\{84D8C4A4-786A-441B-AD5B-7430672696C4}: NameServer = 64.83.0.10,64.83.1.10
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll
O20 - Winlogon Notify: vtstt - vtstt.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program Files\STOPzilla!\szntsvc.exe

Any help would be greatly appreciated. :dogeye:
gsb1976 (9439)
413634 2005-12-18 00:36:00 Turn system restore off, and boot into safe mode.

Run HJT again and tick these entries, and tick fix checked.

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

R3 - URLSearchHook: IncrediFindBHO Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)

O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)

O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnll.dll - Looks like this is part of Vundo.

O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\WcjC.exe

This looks like it's part of Sandboxer (www3.ca.com/securityadvisor/pest/pest.aspx?id=453077886)

O4 - HKLM\..\Run: [abu] abu.exe - this may be related to Sandbox

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe - Part of a trojan / adware/spyware

O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe - Part of savenow - Spyware. See if Savenow shows in add/remove programs.

Uninstall it if it's there.

O4 - HKLM\..\Run: [840455603ae3] C:\WINDOWS\System32\blackbox.exe

O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1

O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C

O4 - HKLM\..\Run: [aecfqw] C:\WINDOWS\system32\aqyjnzxc.exe

O4 - HKLM\..\Run: [aqyjnzxc] c:\windows\system32\aqyjnzxc.exe

O4 - HKLM\..\Run: [CSV7P71] C:\Program Files\CSBB\CSV7P71.exe

O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe

O4 - HKLM\..\Run: [izuslqkbflxte] C:\WINDOWS\System32\aqyjnzxc.exe

O4 - HKLM\..\Run: [oFrW3EW] senogsvc.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime - not nasty but not needed in startup

O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe - Adware/spyware

O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe - this looks like betterinternet spyware.

O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe" - spyware.

O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

This is spyware

O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe - adware

O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain

O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\system32\inetp60.dll,DllRunServer

O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\dnx?.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - online.comcast.net/help/ (file missing)

O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll

O20 - Winlogon Notify: vtstt - vtstt.dll (file missing)
Speedy Gonzales (78)
413635 2005-12-18 00:53:00 Hi and Welcome
You have many infections...

It may help to print out or copy this page as you will be working in Safe Mode. Make sure to work through the fixes in the exact order it's listed.

Please keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes.

Download any of the required programs before attempting to start any of the fixes.

Please do NOT run Hijack This in a TEMPorary folder or on the Desktop. I recommend c:/program files/HJT/



SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------

Files highlighted in BLACK will need to be removed from your hard drive.

Folders that have been highlighted RED will need to be uninstalled.

------------------------------------------------------------------

Download VirtumundoBegone (secured2k.home.comcast.net/tools/VirtumundoBeGone.exe) and save it to your desktop. When you have done this doubleclick on VirtumundoBeGone.exe and follow the instructions. When it has finished, reboot and post the log that is created on your desktop called VBG.TXT in your next reply. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.
--------------------------------------------------------------------------

You will need to remove the Peper Trojan so please get the PeperFix (www.bleepingcomputer.com/files/peperremover.php) and run that.

-----------------------------------------------------------------------
Download the trial version of Ewido Security Suite (www.ewido.net/en/download/)

When installing, under "Additional Options" uncheck "Install Background Guard" and "Install scan via context menu".

Launch Ewido Security Suite (there should be an icon on your desktop, doubleclick it). The program will now go to the main screen. You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update and then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update ewido:
www.ewido.net/en/download/updates/ Do not run a scan yet.

When you have done this, boot into Safe Mode (restart your PC and keep tapping F8 while it restarts).

Run Ewido Security Suite now. Click on Scanner and click Complete System Scan and the scan will begin. During the scan it will prompt you to clean files, click OK. When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK. When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop and close Ewido Security Suite.


-------------------------------------------------------------

Please start by going into SAFE MODE. During reboot, tap the F8 key. Select Safe Mode and then run "Hijack This"
------------------------------------------------------------------

Uninstall the following programs (if they still exist). Go into HijackThis->Config->Misc. Tools->Open Uninstall manager

Ebates_MoeMoneyMake
Media
CSBB
Save
AutoUpdate
-----------------------------------------------------------------




Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnll.dll
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\WcjC.exe
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [sWwj7rLS5] C:\documents and settings\owner\local settings\temp\sWwj7rLS5.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [840455603ae3] C:\WINDOWS\System32\blackbox.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [aecfqw] C:\WINDOWS\system32\aqyjnzxc.exe
O4 - HKLM\..\Run: [oFrW3EW] senogsvc.exe
O4 - HKLM\..\Run: [aqyjnzxc] c:\windows\system32\aqyjnzxc.exe
O4 - HKLM\..\Run: [CSV7P71] C:\Program Files\CSBB\CSV7P71.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [izuslqkbflxte] C:\WINDOWS\System32\aqyjnzxc.exe
O4 - HKLM\..\Run: [REXG8Ibo] C:\documents and settings\owner\local settings\temp\REXG8Ibo.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINDOWS\system32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\system32\vmss\vmss.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKCU\..\Run: [Notn] C:\WINDOWS\system32\pmnll.dll
O20 - Winlogon Notify: pmnll - C:\WINDOWS\system32\pmnll.dll
O20 - Winlogon Notify: vtstt - vtstt.dll (file missing)



------------------------------------------------------------------

Open Windows Explorer and delete the following highlighted file/s
Also delete the following red folder/s

C:\documents and settings\owner\local settings\temp\sWwj7rLS5.exe
C:\documents and settings\owner\local settings\temp\REXG8Ibo.exe
C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\vmss\vmss.exe
C:\WINDOWS\system32\inetp60.dll
C:\WINDOWS\farmmext.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\uptodate.exe
C:\WINDOWS\System32\aqyjnzxc.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\System32\blackbox.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\WINDOWS\System32\WcjC.exe
C:\WINDOWS\System32\senogsvc.exe


C:\Program Files\Ebates_MoeMoneyMake
C:\Program Files\Media
C:\Program Files\CSBB
C:\PROGRA~1\Save
C:\Program Files\AutoUpdate
-------------------------------------------------------------------



When finished please post a new log...
Pancake (6359)
413636 2005-12-18 00:59:00 Eddy: That is a work or art! Beautiful! SurferJoe46 (51)
413637 2005-12-18 01:05:00 Eddy: That is a work or art! Beautiful!


It's a set layout. It makes it easy to work with, especially when you are doing up to ten logs a day. It's what we call a canned speech. All you have to do is fill in the blanks. It also makes it easy for the user to follow.. ;)
Pancake (6359)
413638 2005-12-18 01:17:00 good thing you can read my typos... the "r" and the "f" are kinda close.. aren't they?

c/p: "Eddy: That is a work or art! Beautiful!" is supposed to read: "Eddy: That is a work OF art! Beautiful!"
SurferJoe46 (51)