Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Need help removing Winfixer

Post by EB99 » October 10th, 2005, 6:43 pm

Winfixer.com keeps popping up whenever I am on the internet. I am connected to the internet through a Linksys hard-wired router which I am assuming acts as a firewall. I am running SpyGuard and Avast 4.6. I also use AdAware and Spybot and SpyBlaster. I ran all of these before posting this message. I also downloaded and ran a2. I don't think this fixed the problem. I also noticed that my IE desktop shortcuts don't always work. Here is my HijackThis log file. I would appreciate any help you can offer. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 10:32:07 PM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nj.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhf.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\pmnno.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1294210953
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\SYSTEM32\jkhhf.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
EB99
Regular Member
Posts: 31
Joined: October 10th, 2005, 4:54 pm

Post by dobhar » October 11th, 2005, 1:32 am

Hi...

My name is dobhar and I will be looking over your log. Please give me some time to go look it over and I will post back as soon as possible. If you have any questions please post back as a reply to this Thread\Topic and I will be advised by email so I can return and help you. Do not start another Thread\Topic.

Thank You,
dobhar
MRU Honors Grad Emeritus
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Post by dobhar » October 11th, 2005, 2:13 am

Note: Edited at 03:56 PM Central Time

Hi EB99...
_____________________________________________________

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailable to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
_____________________________________________________

Step 1.
==========

You have SpywareGuard installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might interfere with our "Fixes"...
- Right-click the running icon of SpywareGuard (in the System Tray), it will open the program.
- Then go to "Menu", click on "File", and select "Exit"
- Then confirm the program is closed
After all of the fixes are complete it is very important that you enable SpywareGuard again.

Step 2.
==========

We need to uninstall some programs using "Add or Remove Programs" in the Control Panel:
  1. Get into Control Panel.
  2. Double-click "Add or Remove Programs".
  3. Look in the Currently installed programs box for each program listed below and if it is there:
    1. Click on it to select it.
    2. Click Change (or Change/Remove) button.
    3. If you are prompted to confirm the removal of the program, click "Yes"
My Search Bar
MyWay Speed Bar
My Web Search Bar
Fun Web Products Easy Installer


Step 3.
==========

Please download and install CCleaner from here
(Note: DO NOT run this program yet)

Step 4.
==========

Please download VundoFix.exe from here to your desktop.
- Double-click VundoFix.exe to extract the files...This will create a VundoFix folder on your desktop.
- After the files are extracted, please reboot your computer into Safe Mode.

Step 5.
==========

- Reboot computer into "Safe Mode" Using the F8 method:
- As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
(Note: For additional help in booting into Safe Mode, see the following site - here)

Step 6.
==========

We need to make sure all hidden files are showing...
  • Open "My Computer".
  • Click on "Tools" and from the drop down menu select "Folder Options".
  • Select the "View" tab.
  • Under the "Hidden files and folders" heading SELECT "Show hidden files and folders".
  • UNCHECK the "Hide file extensions for known types option".
  • UNCHECK the "Hide protected operating system files (recommended) option".
  • Click "Yes" to confirm.
  • Click "OK".

Step 7.
==========

** Please make sure SpywareGuard is still disabled **
Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning. It should look like this:
    VundoFix V2.13 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....
  • At this point press enter one time.
  • Next you will see:
    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.
  • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\pmnno.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:
    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.
  • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\system32\onnmp.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\pmnno.dll
    O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll

  • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death". This is normal, do not worry! At this point if your PC does not reboot then manually reboot your PC.
  • Once your machine reboots please continue with the instructions below.

Step 8.
==========

Delete the following Folder(s) and File(s) in BOLD only. (Note: Don't be concerned if you can't find them, but advise if not found)
Folder(s)...
C:\Program Files\MyWaySA <<<= Delete This Folder

Step 9.
==========

We now need to clean up all the Temp, Temporary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into "Options" => Select "Advanced" => Deselect\uncheck "Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- Click on the Run Cleaner button in the lower right-hand corner
- After it completes, close the program

Step 10.
==========

Run Panda's ActiveScan - online virus scan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- Post Panda scan results in your next reply

Step 11.
==========

- Post a fresh new HijackThis log
- Post the Vundofix.txt log
- Post the Panda ActiveScan results
- Don't forget to make sure SpywareGuard is "running" again
Last edited by dobhar on October 11th, 2005, 5:05 pm, edited 2 times in total.
dobhar
MRU Honors Grad Emeritus
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Thanks, Dobhar.

Post by EB99 » October 11th, 2005, 8:07 am

Off to work now. I will go through the steps you posted tonight. EB99.
EB99
Regular Member
Posts: 31
Joined: October 10th, 2005, 4:54 pm

Post by dobhar » October 11th, 2005, 4:59 pm

Hi EB99...

Some new information came to light so I slightly modified my original fix. If you printed out the Instructions this morning do not use them, please reprint.

Thanks,
dobhar
MRU Honors Grad Emeritus
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

problem with safe mode

Post by EB99 » October 11th, 2005, 9:50 pm

Dobhar,
I had a problem when I booted into Safe mode. I have 4 user accounts set up on my computer: mine, my wife and 2 kids. When I boot into safe mode, only the administrator and my wife's account show up as log on options. My account is not listed in Safe Mode. The Admin account does not have all of my programs loaded, particularly not the CCleaner and VundoFix. I tried logging on under my wife's account and she does not have those programs either. Do you know any changes I can make that will have my account show up in safe mode? EB99
EB99
Regular Member
Posts: 31
Joined: October 10th, 2005, 4:54 pm

Post by EB99 » October 11th, 2005, 10:28 pm

Fixed the problem. Proceeding with your instructions. EB99
EB99
Regular Member
Posts: 31
Joined: October 10th, 2005, 4:54 pm

Post by EB99 » October 12th, 2005, 12:02 am

Followed your instructions. I did not find all of the files that you said to check. Also, did not find C:\program files\MyWaySa.

Here is the latest HJT log

        Logfile of HijackThis v1.99.1
        Scan saved at 11:55:52 PM, on 10/11/2005
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\Explorer.EXE
        C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        C:\Program Files\Alwil Software\Avast4\ashServ.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Analog Devices\Core\smax4pnp.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\system32\hkcmd.exe
        C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
        C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
        C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
        C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
        C:\WINDOWS\system32\dla\tfswctrl.exe
        C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
        C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
        C:\Program Files\Dell Support\DSAgnt.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\WINDOWS\system32\wscntfy.exe
        C:\Program Files\HijackThis\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nj.com/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
        O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhf.dll
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
        O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
        O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
        O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
        O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
        O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
        O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
        O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
        O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
        O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
        O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
        O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
        O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
        O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
        O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
        O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
        O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
        O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
        O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
        O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
        O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
        O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
        O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
        O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1294210953
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
        O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
        O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
        O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
        O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
        O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
        O20 - Winlogon Notify: jkhhf - C:\WINDOWS\SYSTEM32\jkhhf.dll
        O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
        O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
        O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
        O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
        O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Here is the Vundofix.txt log


        Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
        Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
        Suspending PID 500 'smss.exe'
        Threads [504][508][512]

        Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
        Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
        Killing PID 1424 'explorer.exe'

        Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
        Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
        Error, Cannot find a process with an image name of rundll32.exe

        Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
        Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
        Killing PID 572 'winlogon.exe'
        Killing PID 572 'winlogon.exe'
        Killing PID 572 'winlogon.exe'
        Killing PID 572 'winlogon.exe'
        Killing PID 572 'winlogon.exe'
        Killing PID 572 'winlogon.exe'
        File Deleted sucessfully.
        Files Deleted sucessfully.

Here are the results of the Panda ActiveScan

Incident                      Status          Location

Adware:Adware/StartPage.AIW   No disinfected  C:\WINDOWS\system32\jkhhf.dll
EB99
Regular Member
Posts: 31
Joined: October 10th, 2005, 4:54 pm
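
The log comparison done by eye in this thread, as an added example (not part of the thread, and not HijackThis or VundoFix code). It parses HijackThis entry lines, lists what disappeared between two scans, and flags DLLs registered both as a BHO (O2) and as a Winlogon Notify (O20). That pairing is an assumed triage heuristic, drawn from the entries the helper selected here, not a verdict, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of entry lines copied from the first
# (10/10/2005) and second (10/11/2005) HijackThis logs posted in this thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhf.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\pmnno.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\SYSTEM32\jkhhf.dll
O20 - Winlogon Notify: pmnno - C:\WINDOWS\system32\pmnno.dll
"""

LOG_AFTER = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhf.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\SYSTEM32\jkhhf.dll
"""

# An entry line is "<section> - <detail>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^[ \t]*([A-Z]\d{1,2}) - (.*)$", re.MULTILINE)
# A drive-letter path ending in .dll at the end of the detail text.
DLL_RE = re.compile(r"([A-Za-z]:\\.*?\.dll)\s*$", re.IGNORECASE)


def parse_entries(log_text):
    """Return [(section, detail), ...] for every entry line in a log."""
    return [(m.group(1), m.group(2).strip()) for m in ENTRY_RE.finditer(log_text)]


def dll_path(detail):
    """Return the lower-cased DLL path an entry points at, or None."""
    m = DLL_RE.search(detail)
    return m.group(1).lower() if m else None


def bho_and_winlogon_dlls(entries):
    """DLLs that appear under both O2 (BHO) and O20 (Winlogon Notify).

    Paths are compared case-insensitively because the same file shows up
    as both ...\\system32\\... and ...\\SYSTEM32\\... in these logs.
    """
    seen = defaultdict(set)
    for section, detail in entries:
        if section in ("O2", "O20"):
            path = dll_path(detail)
            if path:
                seen[path].add(section)
    return sorted(p for p, secs in seen.items() if secs == {"O2", "O20"})


def removed_entries(before, after):
    """Entries present in the earlier scan and absent from the later one."""
    remaining = {(s, d.casefold()) for s, d in after}
    return [(s, d) for s, d in before if (s, d.casefold()) not in remaining]


if __name__ == "__main__":
    before = parse_entries(LOG_BEFORE)
    after = parse_entries(LOG_AFTER)
    print("O2+O20 DLLs before:", bho_and_winlogon_dlls(before))
    print("O2+O20 DLLs after: ", bho_and_winlogon_dlls(after))
    for section, detail in removed_entries(before, after):
        print("removed:", section, "-", detail)
```

On the sample lines the flagged set shrinks from pmnno.dll and jkhhf.dll to jkhhf.dll alone, the file Panda ActiveScan reports in the post above.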

Post by dobhar » October 12th, 2005, 1:43 am

Hi EB99...
_____________________________________________________

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailable to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
_____________________________________________________

Step 1.
==========

Please download Killbox from here and save it to your Desktop
(Note: DO NOT run this program yet)

Step 2.
==========

- Reboot computer into "Safe Mode" Using the F8 method

Step 3.
==========

Please make sure all hidden files are still showing

Step 4.
==========

** Please make sure SpywareGuard is still disabled **
- Close all Windows and Programs
- Start HijackThis...
- Select\check the following entries. Double-check to make sure that only these entries are checked.

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhhf.dll
O20 - Winlogon Notify: jkhhf - C:\WINDOWS\SYSTEM32\jkhhf.dll

- Click the "Fix checked" button.
- Close HijackThis

Step 5.
==========

We now need to clean up all the Temp, Temporary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into "Options" => Select "Advanced" => Deselect\uncheck "Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- Click on the Run Cleaner button in the lower right-hand corner
- After it completes, close the program

Step 6.
==========

- Navigate to your Desktop
- Double-click on KillBox.exe
- Click "Delete on Reboot"
- Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\system32\jkhhf.dll

- Click the "Delete File" button which looks like a stop sign.
- Click "Yes" at the Delete on Reboot prompt.
- Click "Yes" at the Delete next Reboot prompt.
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.)

Step 7.
==========

- Reboot into "Normal Mode" and run Panda's ActiveScan - online virus scan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- Post Panda scan results in your next reply

Step 8.
==========

- Post a fresh new HijackThis log
- Post the Vundofix.txt log
- Post the Panda ActiveScan results
- Don't forget to make sure SpywareGuard is "running" again
dobhar
MRU Honors Grad Emeritus
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Post by EB99 » October 12th, 2005, 10:07 pm

Dobhar,
Please note the following.
Step 4 - I could not find either file in HJT
Step 8
new HJT log posted below
You said to post a Vundofix log, but you did not say to run Vundofix in your instructions.
Panda Activescan did not find anything so there is no log.

        Logfile of HijackThis v1.99.1
        Scan saved at 10:01:25 PM, on 10/12/2005
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Analog Devices\Core\smax4pnp.exe
        C:\WINDOWS\system32\hkcmd.exe
        C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
        C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
        C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
        C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
        C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
        C:\WINDOWS\system32\dla\tfswctrl.exe
        C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
        C:\Program Files\Alwil Software\Avast4\ashServ.exe
        C:\Program Files\Dell Support\DSAgnt.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\system32\wscntfy.exe
        C:\Program Files\HijackThis\HijackThis.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nj.com/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
        O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
        O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\jkhhh.dll
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
        O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
        O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
        O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
        O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
        O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
        O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
        O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
        O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
        O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
        O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
        O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
        O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
        O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
        O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
        O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
        O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
        O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
        O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
        O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
        O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
        O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
        O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1294210953
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
        O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
        O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
        O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
        O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
        O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
        O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll
        O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
        O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
        O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
        O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
        O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
        EB99
        Regular Member
         
        Posts: 31
        Joined: October 10th, 2005, 4:54 pm

        Post by dobhar » October 13th, 2005, 12:02 am

        Hi EB99...

        Sorry about that...error in "cut & paste"... :?

        Looks like Vundo is still hanging around...Let's run the Vundofix one more time.
        _____________________________________________________

        Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailable to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
        _____________________________________________________

        Step 1.
        ==========

        You have SpywareGuard installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might interfere with our "Fixes"...
        - Right-click the running icon of SpywareGuard (in the System Tray), it will open the program.
        - Then go to "Menu", click on "File", and select "Exit"
        - Then confirm the program is closed
        After all of the fixes are complete it is very important that you enable SpywareGuard again.

        Step 2.
        ==========

        - Reboot computer into "Safe Mode" using the F8 method

        Step 3.
        ==========

        Please make sure all hidden files are still showing

        Step 4.
        ==========

        ** Please make sure SpywareGuard is disabled **
        Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
        • You will first be presented with a warning. It should look like this:
          VundoFix V2.13 by Atri
          By using VundoFix you agree that you are doing so at your own risk
          Press enter to continue....

        • At this point press enter one time.
        • Next you will see:
          Type in the filepath as instructed by the forum staff
          Then Press Enter, Then F6, Then Enter Again to continue with the fix.
        • At this point please type the following file path (make sure to enter it exactly as below!):
          C:\WINDOWS\system32\jkhhh.dll
        • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
        • Next you will see:
          Please type in the second filepath as instructed by the forum staff
          Then Press Enter, Then F6, Then Enter Again to continue with the fix.
        • At this point please type the following file path (make sure to enter it exactly as below!):
          C:\WINDOWS\system32\hhhkj.*
        • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
        • The fix will run then HijackThis will open.
        • In HijackThis, please place a check next to the following items and click FIX CHECKED:

          O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\jkhhh.dll
          O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll
        • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
        • Pressing any key will cause a "Blue Screen of Death". This is normal, do not worry! At this point if your PC does not reboot then manually reboot your PC.
        • Once your machine reboots please continue with the instructions below

              Step 5.
              ==========

              We now need to clean up all the Temp, Temporary Internet Files, Recycle Bin, etc...
              - Start the CCleaner program
              - Get into "Options" => Select "Advanced" => Deselect\uncheck "Only delete files in Windows Temp folders older than 48 hours"
              - We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
              - Click on the Run Cleaner button in the lower right-hand corner
              - After it completes, close the program
              - Please make sure the Recycle Bin is emptied

              Step 6.
              ==========

              Run Panda's ActiveScan - online virus scan from here and perform a full system scan.
              - Once you are on the Panda site click the "Scan your PC" button
              - A new window will open...click the big "Check Now" button
              - Enter your Country
              - Enter your State/Province
              - Enter your e-mail address and click send
              - Select either Home User or Company
              - Click the big Scan Now button
              - If it wants to install an ActiveX component allow it
              - It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
              - Click on "Local Disks" to start the scan
              - Post Panda scan results in your next reply

              Step 7.
              ==========

              - Post a fresh new HijackThis log
              - Post the Vundofix.txt log
              - Post the Panda ActiveScan results
              - Don't forget to make sure SpywareGuard is "running" again
              dobhar
              MRU Honors Grad Emeritus
               
              Posts: 961
              Joined: March 3rd, 2005, 3:00 am
              Location: Winnipeg

              Post by EB99 » October 14th, 2005, 11:20 pm

              Dobhar
              Here is the latest HJT scan and Vundofix scan
              Panda Activescan did not find anything.
              Logfile of HijackThis v1.99.1
              Scan saved at 11:15:38 PM, on 10/14/2005
              Platform: Windows XP SP2 (WinNT 5.01.2600)
              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\WINDOWS\Explorer.EXE
              C:\Program Files\Analog Devices\Core\smax4pnp.exe
              C:\WINDOWS\system32\hkcmd.exe
              C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
              C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
              C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
              C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
              C:\WINDOWS\system32\dla\tfswctrl.exe
              C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
              C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
              C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
              C:\Program Files\Dell Support\DSAgnt.exe
              C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
              C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
              C:\Program Files\Alwil Software\Avast4\ashServ.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\system32\wscntfy.exe
              C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe
              C:\Program Files\HijackThis\HijackThis.exe

              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nj.com/
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
              O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
              O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
              O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
              O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
              O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
              O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
              O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
              O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
              O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
              O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
              O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
              O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
              O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
              O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
              O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
              O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
              O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
              O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
              O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
              O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
              O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
              O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
              O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
              O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
              O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
              O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
              O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
              O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
              O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
              O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
              O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
              O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
              O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp.cab
              O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
              O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
              O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1294210953
              O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
              O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com/cp/install/AxCtp2.cab
              O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
              O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
              O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
              O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
              O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
              O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
              O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
              O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
              O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
              O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
              O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


              Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
              Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
              Suspending PID 132 'smss.exe'
              Threads [136][140][144]

              Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
              Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
              Killing PID 744 'explorer.exe'

              Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
              Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
              Error, Cannot find a process with an image name of rundll32.exe

              Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
              Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
              Killing PID 212 'winlogon.exe'
              Killing PID 212 'winlogon.exe'
              File Deleted sucessfully.
              Files Deleted sucessfully.

              EB99
              EB99
              Regular Member
               
              Posts: 31
              Joined: October 10th, 2005, 4:54 pm

              Post by dobhar » October 15th, 2005, 3:39 pm

              Hi EB99...

              I am happy to say that your log is clean. Nice job! :)
              ___________________________________________

              Your log seems to be clean. I can find nothing bad listed so I'm also posting my standard {All Clean} speech below. It has good information and some recommended tools (Recommended by all who deal with Spyware Nasties). Tools like SpywareBlaster => SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. Definitely recommended!!
              __________________________________________

              The last thing I need you to do is to reset your "Hidden files and folders". System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion...
              - Open "My Computer".
              - Click on "Tools" and from the drop down menu select "Folder Options".
              - Select the "View" tab.
              - Under the Hidden files and folders heading UNSELECT "Show Hidden files and folders".
              - CHECK the "Hide protected operating system files (recommended)" option.
              - Click "Yes" to confirm.
              - Click "OK".
              ___________________________

              Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
              1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to enable and reenable system restore here:

                Managing Windows Millennium System Restore or Windows XP System Restore Guide

                Re-enable system restore with instructions from tutorial above
              2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
                1. From within Internet Explorer click on the Tools menu and then click on Options.
                2. Click once on the Security tab
                3. Click once on the Internet icon so it becomes highlighted.
                4. Click once on the Custom Level button.
                  1. Change the Download signed ActiveX controls to Prompt
                  2. Change the Download unsigned ActiveX controls to Disable
                  3. Change the Initialize and script ActiveX controls not marked as safe to Disable
                  4. Change the Installation of desktop items to Prompt
                  5. Change the Launching programs and files in an IFRAME to Prompt
                  6. Change the Navigate sub-frames across different domains to Prompt
                  7. When all these settings have been made, click on the OK button.
                  8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
                5. Next press the Apply button and then the OK to exit the Internet Properties page.
              3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs:
                Virus, Spyware, and Malware Protection and Removal Resources
              4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
              5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below:
                Understanding and Using Firewalls
              6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
              7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here:
                Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
              8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
                Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
              9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here:
                Using SpywareBlaster to protect your computer from Spyware and Malware
              10. Install IE-SPYAD - IE-SPYAD adds a list of sites and domains associated with advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. A tutorial on installing & using IE-SPYAD can be found here:
                Using IE-Spyad to enhance your privacy and security
              11. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
              Follow this list and your potential for being infected again will reduce dramatically.

              Glad I was able to help.
              dobhar
              MRU Honors Grad Emeritus
               
              Posts: 961
              Joined: March 3rd, 2005, 3:00 am
              Location: Winnipeg
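
The before/after comparison behind the "log is clean" verdict can be scripted. The following is an added example, not part of the original posts or of HijackThis itself: it parses the O2 (BHO) and O20 (Winlogon Notify) sections, flags any DLL registered in both (the pattern jkhhh.dll shows in this thread, used here as a heuristic rather than a general signature), and lists which autostart entries disappeared between two logs. The function names and the trimmed sample logs are assumptions made for illustration.

```python
import re

# Constructed sample input: entries copied from the 10/12 and 10/14 HijackThis
# logs in this thread, trimmed to a few lines each.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nj.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\jkhhh.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll
"""

LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nj.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# "<section code> - <rest of line>", e.g. "O20 - Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
# Sections that load a DLL into Internet Explorer (O2) or winlogon.exe (O20)
WATCHED = ("O2", "O20")


def parse_entries(log_text):
    """Return (section, path) pairs for O2/O20 lines; paths are lower-cased."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m.group(1) not in WATCHED:
            continue
        # In both sections the file path is the last " - " separated field.
        path = m.group(2).rsplit(" - ", 1)[-1]
        # HijackThis appends this marker when the target no longer exists.
        path = re.sub(r"\s*\(file missing\)$", "", path).strip().strip('"')
        if re.match(r"^[a-z]:\\", path, re.IGNORECASE):
            entries.append((m.group(1), path.lower()))
    return entries


def dual_registered(log_text):
    """DLLs that appear as both a BHO and a Winlogon Notify package."""
    by_path = {}
    for section, path in parse_entries(log_text):
        by_path.setdefault(path, set()).add(section)
    return sorted(p for p, secs in by_path.items() if secs == set(WATCHED))


def removed_entries(before, after):
    """O2/O20 entries present in the first log and absent from the second."""
    return sorted(set(parse_entries(before)) - set(parse_entries(after)))


if __name__ == "__main__":
    print("Dual-registered before:", dual_registered(LOG_BEFORE))
    print("Dual-registered after: ", dual_registered(LOG_AFTER))
    for section, path in removed_entries(LOG_BEFORE, LOG_AFTER):
        print("Removed:", section, path)
```
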

              Post by EB99 » October 16th, 2005, 11:33 pm

              Dobhar
              Thank you so much for your help. My computer is working much better and no more annoying pop-ups.
              Thank you again for your time and patience.
              EB99
              EB99
              Regular Member
               
              Posts: 31
              Joined: October 10th, 2005, 4:54 pm

              Post by dobhar » October 16th, 2005, 11:36 pm

              No problem EB99...Happy to help out... :D

              Glad it all worked out... :)
              dobhar
              MRU Honors Grad Emeritus
               
              Posts: 961
              Joined: March 3rd, 2005, 3:00 am
              Location: Winnipeg