Virus problems.


uzumaki

I've spent the last few days chasing down various malware, which ruined my 2 years of malware-free life. >_< Going to post the HijackThis log later, but... how they slipped in baffled me. I have used Zone Alarm Pro since I first found them way back before Win XP came around (version 2 I think). Right now I have Update.exe and IE blacklisted permanently.

I've had to deal with Smitfraud, Yazzle, various downloaders, and other assorted crap. I resorted to moving the hard drive from my main PC to my second PC as a second hard drive. Since nothing gets loaded when it isn't the boot drive, I was able to clean it thoroughly, but the various scanners combined took a little over 24 hours to clean and verify. And another round of scans once I put the hard drive back in to catch any sneaky files. Strangely, I found over 200,000 cookies hidden in the recycle bin. I wondered if Firefox shoves banned cookies there or if there was another reason for those cookies being in the recycle bin.

Today, Update.exe slipped into the task manager list and I found 4 separate files relating to the 888 toolbar for IE, plus 2 new files that don't belong in the System32 folder.

This happened when I used Meka, a Sega Master System emulator, so I suspect the current version is loaded with spyware. The creation date of these offending files occurred after I started the Meka application. I've had Meka in the past without any problem, so I'm a bit ticked off. I got the emulator from SMSPower.org if anyone needs to check the emulator. The emulator and the installer file I downloaded didn't get flagged as a source of spyware, so dunno...

Anyway, hi from Michigan. And when I get things done around here I'll post the HijackThis log. Then I'm off to find a witch doctor and have him put a poverty curse on every malware author. Authors of persistent malware will also suffer from the wilted genitalia curse!

PS: I have not turned on system restore yet... 6 days since I started having problems and turned it off to fix it.
 
Hello and welcome to Techspot.

I have retitled your thread to Virus problems and moved it to our security and the web forum.

It sounds like you've got a real bad case of the nasties.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.


Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:


This thread is for the use of uzumaki only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
No problem mate, I'll just delete your other thread.

Regards Howard :)

 
Anyway, here's the attachment from HJT (renamed to prevent problems with some viruses).

I'm not done with the AVG scan, but it's reported one so far: Downloader.Zlob.bdo

Is there a utility that watches for changes to the registry, startup files, and changed or new files added in the Windows directory, and points to the originating program doing the changes? It would help rule out the one program I was using when this started.
 
After following these instructions, you should go HERE and install one of the antivirus programmes, either AVG free or Avast.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how HERE.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if present).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: 80.175.31.124 www.winmx.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - C:\WINDOWS\system32\ipnydgh.dll

O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\metvkqsu.dll (file missing)

O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{303D7~2\Bar888.dll (file missing)

O2 - BHO: (no name) - {C671A733-A4AA-4B5F-8CEE-006242C457B5} - C:\WINDOWS\system32\nnnkhgh.dll (file missing)

O2 - BHO: (no name) - {FD4D062D-CAD1-4EB6-9DAD-69896D77DAC3} - C:\WINDOWS\system32\pmnno.dll

O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{303D7~2\Bar888.dll (file missing)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)

O20 - Winlogon Notify: nnnkhgh - nnnkhgh.dll (file missing)

O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll

O20 - Winlogon Notify: winphc32 - winphc32.dll (file missing)

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot, and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\ipnydgh.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Install and run the Antivirus programme as per the instructions in the link I gave you.

Post a fresh HJT log and an AVG Antispyware log.

Regards Howard :)

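The fix list above mixes hooks whose DLL is already gone ("(file missing)", "(no file)") with hooks whose DLL is still on disk; HJT removes only the registry hook, which is why the two surviving files are handed to Killbox separately. The parser below, an added example that is not part of this thread or of HijackThis, reads O2/O3/O20 lines in the log format shown above (the constructed input is the thread's own fix list) and derives that Killbox list.

```python
import re

# Constructed sample: the HJT lines from the fix list above, not a full log.
FIX_LIST = r"""
O1 - Hosts: 80.175.31.124 www.winmx.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {26B61245-2471-3859-3126-04487DAC7F8A} - C:\WINDOWS\system32\ipnydgh.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\metvkqsu.dll (file missing)
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{303D7~2\Bar888.dll (file missing)
O2 - BHO: (no name) - {FD4D062D-CAD1-4EB6-9DAD-69896D77DAC3} - C:\WINDOWS\system32\pmnno.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{303D7~2\Bar888.dll (file missing)
O20 - Winlogon Notify: nnnkhgh - nnnkhgh.dll (file missing)
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: winphc32 - winphc32.dll (file missing)
"""
# O2 (BHO) and O3 (toolbar) lines: "name - {CLSID} - path [(file missing)]"
HOOK_RE = re.compile(
    r"^(?P<code>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
# O20 Winlogon Notify lines: "subkey - dll [(file missing)]"
NOTIFY_RE = re.compile(
    r"^(?P<code>O20) - Winlogon Notify: (?P<name>\S+) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")

def parse_hjt(text):
    """Turn HJT lines into dicts; codes without a dedicated pattern are kept raw."""
    entries = []
    for line in text.strip().splitlines():
        m = HOOK_RE.match(line) or NOTIFY_RE.match(line)
        if m:
            e = m.groupdict()
            # HJT prints "(no file)" or "(file missing)" when the DLL is already gone
            e["missing"] = bool(e["missing"]) or e["path"] == "(no file)"
        else:
            e = {"code": line.split(" - ", 1)[0], "raw": line, "missing": True}
        entries.append(e)
    return entries

def files_to_delete(entries):
    """Full paths whose DLL is still on disk: HJT removes only the registry hook,
    so these are the files that still need Killbox (deduplicated, log order)."""
    seen, out = set(), []
    for e in entries:
        p = e.get("path", "")
        if e["missing"] or "\\" not in p or p in seen:
            continue  # bare DLL names (no directory) are not usable Killbox paths
        seen.add(p)
        out.append(p)
    return out
```

Running `files_to_delete(parse_hjt(FIX_LIST))` yields exactly the two system32 DLLs named in the Killbox step; the O20 entry for pmnno.dll collapses into the same path as its O2 BHO.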
 
Just did it all as directed. Hopefully I didn't miss a step or 2.

Attached is a fresh HijackThis log and AVG log. I also ran Microtrend AV and Spybot, and they reported nothing to be found.
 
Download Vundofix from HERE.

Double click the Vundofix.exe to run it.

Right click in the vundofix window and click add files.

Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

This is the filepath you need to enter into Vundofix.

C:\WINDOWS\system32\pmnno.dll

Post a fresh HJT log after doing the above.

Regards Howard :)

 
Here's round 2. For some reason Vundofix took over 3 hours the first time, but I got the files removed after I rebooted.
 