then install (or update) JAVA version 1.5.0_06, per directions lower in that same link.
*******************************
Next, you should move the HJT program from your Desktop:
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
into a separate folder of its own... We recommend using folder C:\HJT, so that it will then appear in your log under running processes as C:\HJT\HijackThis.exe
If you prefer, it's okay to have an HJT folder on your desktop, move the HJT program into this folder, and run it from there.
This is important because HJT generates log files, and backup files, in the folder from which it is run. So at present, all these logs/backups will just "clutter-up" your Desktop. And if you simply delete them from there, you'll lose the important backup information, which may be needed in case you have to "undo" [restore] some of the things you "FIX" incorrectly.
******************
After you move HJT, as I've just instructed:
Close your internet browser.
Run HijackThis. Click on DO A SYSTEM SCAN ONLY.
Place a check-mark in the box in front of each of the lines:
When you're done, generate a brand-new HijackThis log.
REPLY to this thread, and post the HJT log.
Please also post a copy of your VundoFix.txt log, which you should find in your ROOT directory, C:\
Let us know what difference this made so far.
Be advised that you have other significant problems.
So at this point, I'm gonna try to ask someone else to step in, to analyze and help repair your additional problems. Please be advised that we're very "understaffed" at the moment, so I can't make any guarantee as to when the next helper will arrive.
You have some other stuff that needs to go besides the winfixer:
After you run the program KY331 told you to do then:
Shutdown and Restart and Boot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option. Log in as your usual login or you won't find the programs you put on the desktop, and some of the entries we want to remove will not appear in HijackThis.
Run HijackThis and just do a Scan only. Check then Fix Checked the following:
If Look2Me-Destroyer won't work then try l2mfix as explained here:
"First we need to make sure that a Windows system Service is configured properly because if it is not, the below fix will not work.
Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Secondary Logon
Look where it says Startup type: and make sure that it indicates it is set to Automatic. If not, choose Automatic in the pull-down box.
Look where it says Service Status: To the right of this it must say Started. If it does not say Started, click the Start button. Make sure it changes to Started.
Then click Apply, OK, and then close the Services window.
Download L2MeFix Tool
http://www.atribune.org/downloads/l2mfix.exe and save it where you will be able to find it.
Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.
Exit Browsers now before continuing
Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log . Allow it as much time as it needs to run until NotePad opens with a log. Save this log. You will need to post this log back here later when you come back.
NOTE: While running option #1, if you receive an error mentioning either of the below:
- C:\windows\system32\cmd.exe
- or C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and Microsoft windows applications.
Then choose close to terminate the application. Then run l2mfix.bat again and this time select option 5 or see the fixautont.html link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.
Next DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please also attach this log to your next message."
We need to run it in a special mode, so try to save it to C:\ (Local Disk C: under My Computer). The file is called blbeta.exe. Start it by Start, Run, c:\blbeta.exe /expert, OK.
Click Scan, then Next.
If any items show, have Blacklight rename them, except for wbemtest.exe.
Do not rename "wbemtest.exe"; it's a Windows file.
The tool will ask if you want to reboot (restart); choose yes.
I ran VundoFix as directed, but it reported no files were found, and provided no log. I installed Java 1.5.0_06, but no previous versions were listed in the Add/Remove Programs listing.
I moved and ran a HJT scan in Safe Mode and fixed items checked, and all recommended items were removed except a pair of O2s and O20s related to yayvw and nnnom.
I have yet to run Look2MeDestroyer and Blacklight, but pause here to report the latest HJT log results and check for further recommendations regarding the items that were not removed.
The two pairs of lines, O2 and O20, with the files yayvw and nnnom, were the lines VundoFix was supposed to find and remove.... so it's surprising VundoFix didn't find anything.
These lines are responsible for popups: WinFixer, Amaena, Blackworm, Adult Friend-Finder, WinAntiVirus and/or WinAntiSpyware... I assume you're getting one or more of these?
I trust you downloaded the most current version, and weren't using an old(er) copy that you had from a previous occasion?
The log file is named VundoFix.txt, and it's automatically placed in the ROOT directory of your C: drive... so the file's full name will be C:\VundoFix.txt ...
Double-check to see if you can find and post it now.
C:\WINDOWS\system32\wvyay.ini2
C:\WINDOWS\system32\wvyay.bak2
C:\WINDOWS\system32\wvyay.tmp
C:\WINDOWS\system32\wvyay.ini
C:\WINDOWS\system32\wvyay.ini2
C:\WINDOWS\system32\yayvw.dll
Attempting to delete C:\WINDOWS\system32\nnnom.dll
C:\WINDOWS\system32\nnnom.dll Could not be deleted.
Attempting to delete C:\WINDOWS\System32\yayvw.dll
C:\WINDOWS\System32\yayvw.dll Has been deleted!
Attempting to delete C:\WINDOWS\System32\wvyay.ini
C:\WINDOWS\System32\wvyay.ini Has been deleted!
Attempting to delete C:\WINDOWS\System32\wvyay.bak2
C:\WINDOWS\System32\wvyay.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\wvyay.ini2
C:\WINDOWS\System32\wvyay.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\wvyay.tmp
C:\WINDOWS\System32\wvyay.tmp Has been deleted!
Performing Repairs to the registry.
Done!
-----------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:57:16 PM, on 5/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
You can try to get HijackThis to remove it for you. Run HJT, Misc Tools, Delete a File on Reboot, point it to C:\WINDOWS\system32\nnnom.dll and Open then let it reboot. Then rerun the vundofix tools and see if it still finds anything.
Log looks good.
Ron
A Few Recommendations.
You can delete any programs we had you install but leave Hijackthis for now. You can also run Hijackthis, View the List of Backups and Delete All. If we used killbox its backup files can be removed now too. Run Killbox and select File, Cleanup, Delete All Backups. If you have an antivirus, check its quarantined files and delete any it had found.
You should also definitely toggle System Restore Off and then back On.
Following site has very clear instructions for turning it off. To turn it back on you just repeat the instructions but uncheck the box where it says to Turn Off System Restore on all Drives.
The reason we do this is to remove any archived copies of the infection from System Restore so that if you have to use System Restore to fix a problem you won't accidentally reinfect your system. The next link explains how to use System Restore to go back in time if you hit a bad site or get infected.
One way to make an infection more obvious is to check everything in your current HijackThis and Add to Ignore List, then set up HijackThis to run at boot and to show you if it finds anything new. You do this by None of the Above, Just start the program, Config (Main) and then check the box in front of Run HijackThis at startup and show it when items are found. OK. Then if HijackThis opens after a boot it will show you any new programs that have been added. You can then decide if you want to keep them or not. If in doubt you can google for the .exe or .dll file at the end of the entry and see what other people think of it.
Make sure you have removed any older versions of Java or JRE with Control Panel, Add/Remove Programs. Updates do not remove the older versions which have exploitable flaws.
If you have an older PC get rid of Microsoft Java Virtual Machine.
Following site explains how to tell if you have it:
If you feel that Internet Explorer is running a bit slower after the latest Java update you can try checking this line and then Fix Checked.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
It was added by the latest version of Java. We don't know why. Earlier versions did not have it. It has been proven to slow down connections on some systems and removing it doesn't seem to hurt anything.
Other items you may wish to get rid of if you own a Dell are:
These are from the MyWay Adware program installed on most Dells. The uninstaller was broken on many of them. To remove, just close Internet Explorer, run HijackThis (scan only) and check them, then Fix Checked.
If you are not running the latest version of Adobe you should consider updating. There are reports of a loophole for hackers in pre-7.03 versions. As an alternative you can dump Adobe completely and use Foxit instead: http://www.foxitsoftware.com/pdf/rd_intro.php
If you do not have an antivirus program or the one you have was a trial that has expired then try the free antivirus for home users from Avast! http://www.avast.com/eng/download-avast-home.html (Uninstall any other antivirus program first.)
If you run Macromedia Flash make sure you have the latest version. We just got a warning that the following versions are vulnerable:
- Flash Player 8.0.22.0 and earlier
- Flash Professional 8
- Flash Basic
- Flash MX 2004
- Flash Debug Player 7.0.14.0 and earlier
- Flex 1.5
- Breeze Meeting Add-In 5.1 and earlier
- Adobe Macromedia Shockwave Player 10.1.0.11 and earlier
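The "Delete a File on Reboot" step above can be verified before the reboot rather than taken on faith. The Python below is an added example, not code from this thread or from HijackThis; it assumes that HijackThis' option uses the standard Windows deferred-move mechanism (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT), which queues the request in the PendingFileRenameOperations registry value, and it parses that value's raw REG_MULTI_SZ layout. The sample value is constructed inline (the patch.tmp/example.dll pair is made up) rather than read from a live machine.

```python
r"""Verify that a locked file is queued for deletion at the next reboot.

Added example for this thread; it is not HijackThis' own code. Assumption:
"Delete a File on Reboot" uses the ordinary Windows deferred-move mechanism
(MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT), which appends to the
REG_MULTI_SZ value PendingFileRenameOperations under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. At boot, Session
Manager reads that value as consecutive (source, destination) pairs: an
empty destination means "delete source", and a destination starting with
'!' means "replace if it exists". Paths are stored in NT form (\??\C:\...).
"""


def _strip_nt_prefix(path):
    """'\\??\\C:\\x' -> 'C:\\x'; anything else is returned unchanged."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_ops(value):
    """Return [(source, destination_or_None, action), ...].

    `value` is either the raw REG_MULTI_SZ bytes (UTF-16-LE, NUL-separated,
    as RegQueryValueEx or a hive export gives them) or an already-split list
    of strings. The raw form matters: a delete entry is "src\\0\\0", which a
    generic REG_MULTI_SZ reader mistakes for the end of the list.
    """
    if isinstance(value, (bytes, bytearray)):
        text = bytes(value).decode("utf-16-le").rstrip("\0")
        parts = text.split("\0") if text else []
    else:
        parts = list(value)
    if len(parts) % 2:            # trailing delete entry lost its "" partner
        parts.append("")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        if dst == "":
            ops.append((_strip_nt_prefix(src), None, "delete"))
        else:
            action = "replace" if dst.startswith("!") else "rename"
            ops.append((_strip_nt_prefix(src), _strip_nt_prefix(dst.lstrip("!")), action))
    return ops


def deletion_scheduled(value, path):
    """True if `path` is queued for deletion (compared case-insensitively,
    as Windows paths are)."""
    wanted = path.lower()
    return any(action == "delete" and src.lower() == wanted
               for src, _, action in parse_pending_ops(value))


def encode_pending_ops(pairs):
    """Build the raw REG_MULTI_SZ bytes from (source, destination) pairs,
    reproducing the on-disk layout so the parser can be exercised offline."""
    return ("".join(f"{s}\0{d}\0" for s, d in pairs) + "\0").encode("utf-16-le")


# Constructed sample: the DLL VundoFix could not remove, queued for deletion,
# followed by an unrelated pending replace (those two names are made up).
SAMPLE_VALUE = encode_pending_ops([
    (r"\??\C:\WINDOWS\system32\nnnom.dll", ""),
    (r"\??\C:\WINDOWS\Temp\patch.tmp", r"!\??\C:\WINDOWS\system32\example.dll"),
])

if __name__ == "__main__":
    for src, dst, action in parse_pending_ops(SAMPLE_VALUE):
        print(f"{action:8}{src}" + (f" -> {dst}" if dst else ""))
    print("nnnom.dll queued:",
          deletion_scheduled(SAMPLE_VALUE, r"C:\WINDOWS\system32\nnnom.dll"))
```

On a real machine, obtain the value's raw bytes (a hive export or a raw RegQueryValueEx read; how you fetch them is outside this example) and pass them to parse_pending_ops. Session Manager clears the value once it has processed it, so a file that still exists after the reboot, or that reappears in the next HijackThis log, was not actually removed and something is re-creating it.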
Just an observation here: even though VundoFix reported that
C:\WINDOWS\system32\nnnom.dll Could not be deleted
nevertheless, this file no longer appeared in your (most recent) HJT log...
That seems to happen a lot... VundoFix reporting an allegedly negative result... yet somehow "succeeding" in spite of this. I don't know if it means it really deleted the file after all... or if it instead simply "deactivated" the file.
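Two things in this thread are done by eye that can be done mechanically: RKinner's baseline approach (add everything in a clean HijackThis scan to the Ignore List, then have HijackThis show only what is new at startup) and ky331's observation just above (VundoFix said "Could not be deleted", yet the file was absent from the next HJT log). The Python below is an added example, not code from the thread, HijackThis or VundoFix: it parses HijackThis entry lines, diffs two logs the way the Ignore List baseline does, and reconciles the VundoFix verdicts against the follow-up log. The three excerpts are constructed from entry lines quoted in this thread.

```python
r"""Diff two HijackThis logs and reconcile a VundoFix result against them.

Added example for this thread, not HijackThis' or VundoFix's own code. It
does offline what the thread does by eye: the "Add to Ignore List, then let
HijackThis show only new items at startup" baseline becomes a diff of two
logs, and the observation that VundoFix said "Could not be deleted" yet the
file is gone from the next log becomes a reconcile step. The excerpts below
are constructed from entry lines quoted in the thread; the entry syntax is
HijackThis v1.99.1's "O2 - BHO: name - {CLSID} - path".
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code body path")

# Section code (R0..R3, F0..F3, O1..O23), " - ", then the entry body.
_ENTRY = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# First Windows file path in the body. Non-greedy, and only the listed
# extensions can end the match, so 'jre1.5.0_06' does not cut it short.
_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx|ini|tmp|bat|htm)\b", re.I)
# VundoFix verdict lines: "<path> Has been deleted!" / "<path> Could not be deleted."
_VERDICT = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+) (?P<verdict>Has been deleted!|Could not be deleted\.)$")


def parse_hjt(text):
    """One Entry per HijackThis entry line. Paths are lower-cased because
    Windows paths are case-insensitive (the logs mix System32 and system32)."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            p = _PATH.search(m["body"])
            entries.append(Entry(m["code"], m["body"], p.group(0).lower() if p else None))
    return entries


def diff_hjt(baseline_text, current_text):
    """(removed, added) relative to the baseline, keyed on the whole entry."""
    old = {(e.code, e.body): e for e in parse_hjt(baseline_text)}
    new = {(e.code, e.body): e for e in parse_hjt(current_text)}
    removed = [e for k, e in old.items() if k not in new]
    added = [e for k, e in new.items() if k not in old]
    return removed, added


def parse_vundofix(text):
    """{lower-cased path: True if VundoFix deleted it, False if it failed}."""
    verdicts = {}
    for line in text.splitlines():
        m = _VERDICT.match(line.strip())
        if m:
            verdicts[m["path"].lower()] = m["verdict"].startswith("Has")
    return verdicts


def reconcile(vundofix_text, followup_hjt_text):
    """For each file VundoFix reported on, whether any entry in the follow-up
    HijackThis log still references it (a hook that survived the tool)."""
    referenced = {e.path for e in parse_hjt(followup_hjt_text) if e.path}
    return {path: {"vundofix_deleted": ok, "still_referenced": path in referenced}
            for path, ok in parse_vundofix(vundofix_text).items()}


# Constructed excerpts, built from entry lines quoted in this thread.
HJT_APR28 = r"""
O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\yayvw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {F2FA09FB-EE7A-46d8-9145-A1EEF7850052} - C:\WINDOWS\system32\nnnom.dll
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O20 - Winlogon Notify: nnnom - C:\WINDOWS\SYSTEM32\nnnom.dll
O20 - Winlogon Notify: yayvw - C:\WINDOWS\System32\yayvw.dll
"""
HJT_MAY2 = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
"""
VUNDOFIX = r"""
Attempting to delete C:\WINDOWS\system32\nnnom.dll
C:\WINDOWS\system32\nnnom.dll Could not be deleted.
Attempting to delete C:\WINDOWS\System32\yayvw.dll
C:\WINDOWS\System32\yayvw.dll Has been deleted!
Attempting to delete C:\WINDOWS\System32\wvyay.ini
C:\WINDOWS\System32\wvyay.ini Has been deleted!
Performing Repairs to the registry.
Done!
"""

if __name__ == "__main__":
    removed, added = diff_hjt(HJT_APR28, HJT_MAY2)
    for e in removed:
        print("gone:", e.code, e.body)
    for e in added:
        print("new: ", e.code, e.body)
    for path, status in reconcile(VUNDOFIX, HJT_MAY2).items():
        print(path, status)
```

Run against the two logs in this thread, the diff lists the four yayvw/nnnom entries (O2 and O20) as gone and the AOL Fast Start O4 entry as new, and the reconcile step shows nnnom.dll marked as not deleted by VundoFix but no longer referenced by any entry. That is exactly ky331's point: the tool's verdict and the persistence entries are two different signals, and checking whether the file itself still exists on disk is the third one needed to tell "deleted" from "unhooked".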
I haven't yet checked to see if the file is actually deleted, but my friend reports no more pop-ups. Windows System Restore has been cleared, and other maintenance continues. Defrag has helped speed things up a bit, and we may shortly save a Ghost image of the C: drive.
Thank you both for patience, expertise, and service here.
ky331, April 22nd, 2006 11:00
Place a check-mark in the box in front of each of the lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R3 - Default URLSearchHook is missing
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\r0r60a9sed.dll (file missing)
Click on FIX CHECKED. Close HiJackThis. Reboot.
Good luck.
GreyMack, April 22nd, 2006 20:00
GM
RKinner, April 24th, 2006 19:00
You have some other stuff that needs to go besides the winfixer:
R3 - Default URLSearchHook is missing
O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\yayvw.dll
O2 - BHO: (no name) - {F2FA09FB-EE7A-46d8-9145-A1EEF7850052} - C:\WINDOWS\system32\nnnom.dll
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname9.exe
O4 - HKLM\..\Run: [oalhabfA] C:\WINDOWS\oalhabfA.exe
O4 - HKLM\..\Run: [wf02ccb7.dll] RUNDLL32.EXE wf02ccb7.dll,I2 0003fbc70f02ccb7
O4 - HKLM\..\Run: [ms0520810-4576] C:\WINDOWS\ms0520810-4576.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\FNTS~1\regedit.exe" -vt yazr
O4 - HKCU\..\Run: [uqzu] C:\PROGRA~1\COMMON~1\uqzu\uqzum.exe
O4 - HKCU\..\Run: [Nfzwmjo] C:\Program Files\?ppPatch\??erinit.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: nnnom - C:\WINDOWS\SYSTEM32\nnnom.dll
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\r0r60a9sed.dll (file missing)
O20 - Winlogon Notify: yayvw - C:\WINDOWS\System32\yayvw.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\oalhabf.exe
http://www.atribune.org/content/view/28/
********************************************************
Download and Save.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Post a new log when done.
GreyMack, April 28th, 2006 20:00
Logfile of HijackThis v1.99.1
Scan saved at 1:13:01 PM, on 4/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Common Files\AOL\1141943058\ee\AOLHostManager.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\AOL\1141943058\ee\AOLServiceHost.exe
c:\program files\common files\aol\1141943058\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1141943058\ee\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: InfoDocReader Object - {39D36F7F-81ED-45DC-87A3-A51824966B06} - C:\WINDOWS\System32\yayvw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {F2FA09FB-EE7A-46d8-9145-A1EEF7850052} - C:\WINDOWS\system32\nnnom.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141943058\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {416A2967-1A7E-49DF-BBAB-FEB4B54DC10D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145283614242
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O20 - Winlogon Notify: nnnom - C:\WINDOWS\SYSTEM32\nnnom.dll
O20 - Winlogon Notify: yayvw - C:\WINDOWS\System32\yayvw.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
Thanks, GM
ky331, April 29th, 2006 00:00
GreyMack, May 1st, 2006 20:00
GM
RKinner, May 1st, 2006 22:00
You can forget the Look2me destroyer, l2mfix, and blacklight. It's clear that all that is left now is a vundo infection.
Ron
GreyMack, May 2nd, 2006 20:00
from c:\windows\system32\VundoFix.exe
C:\WINDOWS\System32\yayvw.dll
C:\WINDOWS\System32\wvyay.ini
C:\WINDOWS\System32\wvyay.bak2
C:\WINDOWS\System32\wvyay.ini2
C:\WINDOWS\System32\wvyay.tmp
C:\WINDOWS\system32\wvyay.bak2
C:\WINDOWS\system32\wvyay.tmp
C:\WINDOWS\system32\wvyay.ini
C:\WINDOWS\system32\wvyay.ini2
C:\WINDOWS\system32\yayvw.dll
C:\WINDOWS\System32\yayvw.dll
C:\WINDOWS\System32\wvyay.ini
C:\WINDOWS\System32\wvyay.bak2
C:\WINDOWS\System32\wvyay.ini2
C:\WINDOWS\System32\wvyay.tmp
C:\WINDOWS\system32\wvyay.bak2
C:\WINDOWS\system32\wvyay.tmp
C:\WINDOWS\system32\wvyay.ini
C:\WINDOWS\system32\wvyay.ini2
C:\WINDOWS\system32\yayvw.dll
Attempting to delete C:\WINDOWS\system32\nnnom.dll
C:\WINDOWS\system32\nnnom.dll Could not be deleted.
C:\WINDOWS\System32\yayvw.dll Has been deleted!
C:\WINDOWS\System32\wvyay.ini Has been deleted!
C:\WINDOWS\System32\wvyay.bak2 Has been deleted!
C:\WINDOWS\System32\wvyay.ini2 Has been deleted!
C:\WINDOWS\System32\wvyay.tmp Has been deleted!
Done!
-----------------------------
Scan saved at 12:57:16 PM, on 5/2/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\1141943058\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1141943058\ee\AOLServiceHost.exe
c:\program files\common files\aol\1141943058\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1141943058\ee\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141943058\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {416A2967-1A7E-49DF-BBAB-FEB4B54DC10D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145283614242
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
Thanks, GM
RKinner
2 Intern
5.9K Posts
0
May 2nd, 2006 20:00
You can try to get HijackThis to remove it for you. Run HJT, Misc Tools, Delete a File on Reboot, point it to C:\WINDOWS\system32\nnnom.dll and Open, then let it reboot. Then rerun the VundoFix tools and see if it still finds anything.
Log looks good.
Ron
A Few Recommendations.
You can delete any programs we had you install but leave Hijackthis for now. You can also run Hijackthis, View the List of Backups and Delete All. If we used killbox its backup files can be removed now too. Run Killbox and select File, Cleanup, Delete All Backups. If you have an antivirus, check its quarantined files and delete any it had found.
You should also definitely toggle System Restore Off and then back On.
Following site has very clear instructions for turning it off. To turn it back on you just repeat the instructions but uncheck the box where it says to Turn Off System Restore on all Drives.
http://www.f-secure.com/v-descs/sfc_dis1.shtml
The reason we do this is to remove any archived copies of the infection from System Restore so that if you have to use System Restore to fix a problem you won't accidentally reinfect your system. The next link explains how to use System Restore to go back in time if you hit a bad site or get infected.
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
One way to make an infection more obvious is to check everything in your current HijackThis log and Add to Ignore List, then set up HijackThis to run at boot and to show you if it finds anything new. You do this by None of the Above: just start the program, Config (Main), and then check the box in front of Run HijackThis at startup and show it when items are found. OK. Then if HijackThis opens after a boot it will show you any new programs that have been added. You can then decide if you want to keep them or not. If in doubt you can google for the .exe or .dll file at the end of the entry and see what other people think of it.
To avoid going to a bad site you might want to install IE-SpyAd and SpywareBlaster and make the other changes recommended at:
http://www.mvps.org/winhelp2002/restricted.htm
I used to recommend Spybot's Immunize system but have recently learned it is not as good as the one at:
http://www.mvps.org/winhelp2002/hosts.htm
Always run a firewall. The one in XP SP2 is pretty good though I think the free one from Zone Alarm is better.
http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads
Turn on Autoupdates so you always get the latest patches from Windows.
Never hurts to do one of the free online scans from Panda or Trend. They take a while but are pretty good.
www.pandasoftware.com/activescan/activescan.asp?
http://housecall.trendmicro.com/
I like to run Spybot S&D.
http://www.safer-networking.org/en/download/index.html
Also like to run AdAware once in a while.
http://www.lavasoftusa.com/software/adaware/
Get the latest version of Java:
http://www.java.com/en/download/windows_automatic.jsp
Make sure you have removed any older versions of Java or JRE with Control Panel, Add/Remove Programs. Updates do not remove the older versions which have exploitable flaws.
If you have an older PC get rid of Microsoft Java Virtual Machine.
Following site explains how to tell if you have it:
http://www.java.com/en/download/help/uninstall_msvm.xml
The automated removal tool is no longer available on Microsoft's site but can be obtained here:
Download the MSJVM Removal Tool from:
http://www.majorgeeks.com/download4158.html
and run it.
If you feel that Internet Explorer is running a bit slower after the latest Java update you can try checking this line and then Fix Checked.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
It was added by the latest version of Java. We don't know why. Earlier versions did not have it. It has been proven to slow down connections on some systems and removing it doesn't seem to hurt anything.
Other items you may wish to get rid of if you own a Dell are:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
These are from the MyWay Adware program installed on most Dells. The uninstaller was broken on many of them.
To remove just close Internet Explorer, run HijackThis (scan only) and check them then Fix Checked.
If you are not running the latest version of Adobe you should consider updating. There are reports of a loophole for hackers in pre-7.03 versions.
As an alternative you can dump Adobe completely and use Foxit instead:
http://www.foxitsoftware.com/pdf/rd_intro.php
If you do not have an antivirus program or the one you have was a trial that has expired then try the free antivirus for home users from Avast!
http://www.avast.com/eng/download-avast-home.html (Uninstall any other antivirus program first.)
If you run Macromedia Flash make sure you have the latest version. We just got a warning the following versions are vulnerable:
* Flash Player 8.0.22.0 and earlier
* Flash Professional 8
* Flash Basic
* Flash MX 2004
* Flash Debug Player 7.0.14.0 and earlier
* Flex 1.5
* Breeze Meeting Add-In 5.1 and earlier
* Adobe Macromedia Shockwave Player 10.1.0.11 and earlier
Also advise you to dump WeatherBug if you have it. Start, Control Panel, Add/Remove Programs.
If you need weather then get The Weather Channel's program at:
http://www.weather.com/services/desktop.html?from=wxtoolspage&refer=wxtoolspage
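The "Add to Ignore List, then run HijackThis at startup and show only new items" workflow in the recommendations above is a baseline-and-diff check: anything not already on the ignore list is surfaced for review, and the file name at the end of each entry is what you look up. The script below is an added example (it is not HijackThis code and not from this thread's posters) that does the same thing offline over log text: it parses HJT-style lines into (section, body) entries, reports entries absent from a saved baseline, and flags "(file missing)" entries. The two sample logs are constructed from entries quoted in this thread plus one made-up O4 entry named `constructed_example`; the section and path regexes are my own assumptions about the log format, not an official grammar.

```python
"""Baseline/diff check over HijackThis-style log lines (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: every HJT finding starts with a section code (R0-R3, F0-F3, O1-O24)
# followed by " - ". Header lines ("Running processes:", raw paths) do not match.
_LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")

# Assumption: the file HJT reports is the last drive-letter path in the entry,
# ending in one of these extensions; it may be quoted and followed by arguments.
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|cab|ocx|sys|html|htm))',
                      re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O4"
    body: str      # everything after "O4 - "

    @property
    def file_missing(self) -> bool:
        """HJT appends '(file missing)' when the referenced file is gone."""
        return "(file missing)" in self.body


def parse_log(text: str) -> List[Entry]:
    """Turn raw log text into Entry objects; non-finding lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"].strip()))
    return entries


def new_entries(baseline: str, current: str) -> List[Entry]:
    """Entries in `current` that are not on the baseline (the 'ignore list')."""
    known = set(parse_log(baseline))
    return [e for e in parse_log(current) if e not in known]


def missing_file_entries(log: str) -> List[Entry]:
    """Entries pointing at files that no longer exist (dangling hooks)."""
    return [e for e in parse_log(log) if e.file_missing]


def executable_path(entry: Entry) -> Optional[str]:
    """Full path of the file at the end of the entry, or None (e.g. URL-only R1 lines)."""
    paths = _PATH_RE.findall(entry.body)
    return paths[-1] if paths else None


def executable_name(entry: Entry) -> Optional[str]:
    """Bare file name to search for, as the recommendation suggests."""
    path = executable_path(entry)
    return ntpath.basename(path) if path else None


# Constructed sample: a baseline log made of entries quoted in this thread.
BASELINE_LOG = r"""Running processes:
C:\HJT\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O9 - Extra button: Support - {416A2967-1A7E-49DF-BBAB-FEB4B54DC10D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
"""

# Constructed sample: the same machine later, with one made-up new Run entry.
CURRENT_LOG = BASELINE_LOG + r"""O4 - HKLM\..\Run: [constructed_example] C:\WINDOWS\system32\constructed_example.exe
"""


def report(baseline: str, current: str) -> List[str]:
    """Human-readable lines: one per new entry, one per dangling entry."""
    lines = []
    for e in new_entries(baseline, current):
        lines.append(f"NEW      {e.section}: {executable_name(e)} <- {e.body}")
    for e in missing_file_entries(current):
        lines.append(f"DANGLING {e.section}: {executable_name(e)} <- {e.body}")
    return lines


if __name__ == "__main__":
    for line in report(BASELINE_LOG, CURRENT_LOG):
        print(line)
```

The diff deliberately compares whole entries, not just file names, so a known program that changes its Run command line is surfaced again rather than silently accepted; that is the same conservative behaviour the HJT ignore list gives you.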
ky331
3 Apprentice
15.6K Posts
0
May 2nd, 2006 21:00
Just an observation here: that even though vundofix reported that
C:\WINDOWS\system32\nnnom.dll Could not be deleted
nevertheless, this file no longer appeared in your (most recent) HJT log...
that seems to happen a lot... vundofix reporting an allegedly negative result... yet somehow "succeeding" in spite of this. I don't know if it means it really deleted the file after all... or if it instead simply "deactivated" the file.
bottom line question: have the popups stopped??
GreyMack
2.2K Posts
0
May 4th, 2006 06:00
GM
RKinner
2 Intern
5.9K Posts
0
May 4th, 2006 13:00
Glad things are getting back to normal.
Ron