Tech Support Forum - View Single Post

sUBs · 10-14-2005, 01:53 AM

Please print these instructions out

Reboot your computer into Safe Mode.
Restart your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode then hit enter.

Once in safe mode, enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.

Tick - Show hidden files and folder
Untick - Hide file extensions for known types
Untick - Hide protected operating system files

Click Yes to confirm & then click OK

Locate and delete the following folders, if present:

C:\WINDOWS\bundles\

Locate and delete the following files:

C:\WINDOWS\SYSTEM32\istinstall_154074.exe
C:\WINDOWS\SYSTEM32\saieau.dat
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
C:\Documents and Settings\Mary\Application Data\tvmknwrd.dll
C:\casino.ico
C:\WINDOWS\dsearch1.bin
C:\WINDOWS\pcconfig.dat
C:\WINDOWS\a90oy4o.sys
C:\WINDOWS\SYSTEM32\j4a9kh.exe
C:\WINDOWS\SYSTEM32\mllmm.dll
C:\WINDOWS\SYSTEM32\nkrh.dll.tcf
C:\WINDOWS\SYSTEM32\nkrh.dll3393.tcf
C:\WINDOWS\SYSTEM32\nkrh.dll367.tcf
C:\WINDOWS\SYSTEM32\nkrh.dll3884.tcf
C:\WINDOWS\SYSTEM32\nkrh.dll495.tcf
C:\WINDOWS\SYSTEM32\nkrh.dll5022.tcf
C:\WINDOWS\SYSTEM32\nkrh.dll6922.tcf
C:\WINDOWS\SYSTEM32\nkrh.dll8145.tcf
C:\WINDOWS\SYSTEM32\SplWbr.dll
C:\WINDOWS\WildFlics.exe

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Then Go to Start > Run - type cmd <Press Enter> ..this opens the comand prompt
type del /q C:\Windows\system32\*.tmp <Press Enter>
type exit <Press Enter>

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Open the VundoFix folder and doubleclick on KillVundo.bat
At the introductory screen, press <Enter> to proceed.
When asked to type in a filepath, please key this in:

C:\WINDOWS\SYSTEM32\mllmm.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next you will be asked to type in a second filepath.
At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\System32\vtutu.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

The fix should then automatically launch HijackThis. (if it doesn't, you'll have to do it manually)
In HiJackThis, please place a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\mllmm.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\vtutu.dll
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O20 - Winlogon Notify: mllmm - C:\WINDOWS\SYSTEM32\mllmm.dll
O20 - Winlogon Notify: vtutu - C:\WINDOWS\System32\vtutu.dll

After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

After you have rebooted, open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Then, perform an online scan with Internet Explorer with Panda ActiveScan

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Click on see report. Then click Save report

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

10-14-2005, 01:53 AM	#14 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,498 OS: N/A	Please print these instructions out Reboot your computer into Safe Mode. Restart your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter. Once in safe mode, enable the viewing of Hidden files From Windows Explorer, go to Tools>Folder Options> View tab. Tick - Show hidden files and folder Untick - Hide file extensions for known types Untick - Hide protected operating system files Click Yes to confirm & then click OK Locate and delete the following folders, if present: C:\WINDOWS\bundles\ Locate and delete the following files: C:\WINDOWS\SYSTEM32\istinstall_154074.exe C:\WINDOWS\SYSTEM32\saieau.dat C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho C:\Documents and Settings\Mary\Application Data\tvmknwrd.dll C:\casino.ico C:\WINDOWS\dsearch1.bin C:\WINDOWS\pcconfig.dat C:\WINDOWS\a90oy4o.sys C:\WINDOWS\SYSTEM32\j4a9kh.exe C:\WINDOWS\SYSTEM32\mllmm.dll C:\WINDOWS\SYSTEM32\nkrh.dll.tcf C:\WINDOWS\SYSTEM32\nkrh.dll3393.tcf C:\WINDOWS\SYSTEM32\nkrh.dll367.tcf C:\WINDOWS\SYSTEM32\nkrh.dll3884.tcf C:\WINDOWS\SYSTEM32\nkrh.dll495.tcf C:\WINDOWS\SYSTEM32\nkrh.dll5022.tcf C:\WINDOWS\SYSTEM32\nkrh.dll6922.tcf C:\WINDOWS\SYSTEM32\nkrh.dll8145.tcf C:\WINDOWS\SYSTEM32\SplWbr.dll C:\WINDOWS\WildFlics.exe * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Then Go to Start > Run - type cmd <Press Enter> ..this opens the comand prompt type *del /q C:\Windows\system32\.tmp <Press Enter> type exit** <Press Enter> * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Open the VundoFix folder and doubleclick on KillVundo.bat At the introductory screen, press <Enter> to proceed. When asked to type in a filepath, please key this in: C:\WINDOWS\SYSTEM32\mllmm.dll Press Enter, then press the F6 key, then press Enter one more time to continue with the fix. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Next you will be asked to type in a second filepath. At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\System32\vtutu.dll Press Enter, then press the F6 key, then press Enter one more time to continue with the fix. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * The fix should then automatically launch HijackThis. (if it doesn't, you'll have to do it manually) In HiJackThis, please place a check next to the following items and click FIX CHECKED: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\mllmm.dll O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\System32\vtutu.dll O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab O20 - Winlogon Notify: mllmm - C:\WINDOWS\SYSTEM32\mllmm.dll O20 - Winlogon Notify: vtutu - C:\WINDOWS\System32\vtutu.dll After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer. Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry! * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * After you have rebooted, open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following (Make sure nothing else is checked!): Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click OK Press the CleanUp! button to start the program. It may ask you to reboot at the end, click NO. * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Then, perform an online scan with Internet Explorer with Panda ActiveScan Click Scan your PC & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Click on see report. Then click Save report Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic. __________________ Question - what have you done for the community today?