# Solved: Adware mllmm.dll removal



## Selkie (Oct 25, 2005)

Good Morning All!

I use Windows XP and recieved this message from my firewall:
VirusScan-Warnung!
C:\WINDOWS\SYSTEM32\mllmm.dll
Adware-Virtumundo

I cannot remove it using the virus scan software. From reading earlier posts, I gathered that I should scan with Hijack This! and the resulting log is printed below. (not that I know what to do with this information.)

What should I do next? I use my computer exclusively for word processing for my work and have never ventured into these areas before. Any assistance would be greatly appreciated.

Thanks, Selkie

Logfile of HijackThis v1.99.1
Scan saved at 8:21:22 AM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Dell\Media Experience\PCMService.exe
C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Network Associates\VirusScan\SHSTAT.EXE
C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe
C:\Programme\Gemeinsame Dateien\ACD Systems\DE\DevDetect.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe
C:\Palm\HOTSYNC.EXE
C:\Palm\AlarmApp.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Programme\Network Associates\Common Framework\FrameworkService.exe
C:\Programme\Network Associates\VirusScan\Mcshield.exe
C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\PROGRAMME\T-ONLINE\T-ONLINE_SOFTWARE_5\BROWSER\BROWSER.EXE
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpa.exe
O4 - HKLM\..\Run: [xyjkb] C:\WINDOWS\xyjkb.exe
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Programme\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Programme\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [Device Detector] "C:\Programme\Gemeinsame Dateien\ACD Systems\DE\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [MtdAcq] C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programme\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/de/4,0,0,90/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/de/1,0,0,23/mcgdmgr.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E6E3934-86D6-400B-B2C2-847086BE6E97}: NameServer = 217.237.150.225 217.237.150.141
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mllmm - C:\WINDOWS\system32\mllmm.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\PROSetWired\NCS\Sync\NetSvc.exe


----------



## D_Trojanator (May 13, 2005)

Hi there! 
I'm not too sure whether this will work or not as the symptons are not classic ---> will give it a go though! :up:

Please print these instructions out for use in Safe Mode.

Please download *VundoFix.exe* to your desktop.
Double-click *VundoFix.exe* to extract the files
This will create a *VundoFix* folder on your desktop.
After the files are extracted, please reboot your computer into *Safe Mode*. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the *VundoFix* folder and doubleclick on *KillVundo.bat*
You will first be presented with a warning.
It should look like this 


> VundoFix V2.15 by Atri
> By using VundoFix you agree that you are doing so at your own risk
> Press enter to continue....



 At this point press enter one time.
 Next you will see:


> Please Type in the filepath as instructed by the forum staff
> and then press enter:



At this point please type the following file path (make sure to enter it exactly as below!):
*C:\WINDOWS\system32\mllmm.dll*

Press *Enter* to continue with the fix.
 Next you will see:


> Please type in the second filepath as instructed by the forum
> staff then press enter:



At this point please type the following file path (make sure to enter it exactly as below!):
*C:\WINDOWS\system32\mmllm.**
This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*

Press *Enter* to continue with the fix.
The fix will run then HijackThis will open, if it does not open automatically please open it manually.
In HiJackThis, please place a check next to the following items and click *FIX CHECKED*:
*O20 - Winlogon Notify: mllmm - C:\WINDOWS\system32\mllmm.dll*

After you have fixed these items, close Hijackthis.
Press enter to exit the program then manually reboot your computer.
Once your machine reboots please continue with the instructions below.
Download and install *CleanUp!*

Open *Cleanup!* by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "*Options...*"
Move the arrow down to "*Custom CleanUp!*"
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click *OK*
Press the *CleanUp!* button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: *ActiveScan*

Copy the *results of the ActiveScan* and paste them here along with a new *HiJackThis log* and the *vundofix.txt* file from the vundofix folder into this topic.


----------



## Selkie (Oct 25, 2005)

Hi David,

Thank you for your clear and understandable reply (even to a complete computer newbie like myself).

I did as instructed and it seems to have worked.

Below are the results of the 1) active scan 2)Hijackthis log and 3) the Vundofix text

1)
Detected Disinfected 
Virus 0 0 
Spyware 0 0 
Hacking Tools 0 0 
Dialers 0 0 
Security Risks 0 0 
Suspicious files 0 0

2)Logfile of HijackThis v1.99.1
Scan saved at 11:48:23 AM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Dell\Media Experience\PCMService.exe
C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Network Associates\VirusScan\SHSTAT.EXE
C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe
C:\Programme\Gemeinsame Dateien\ACD Systems\DE\DevDetect.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe
C:\Palm\HOTSYNC.EXE
C:\Palm\AlarmApp.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Programme\Network Associates\Common Framework\FrameworkService.exe
C:\Programme\Network Associates\VirusScan\Mcshield.exe
C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\Programme\iPod\bin\iPodService.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\Programme\Real\RealPlayer\RealPlay.exe
C:\PROGRAMME\T-ONLINE\T-ONLINE_SOFTWARE_5\BROWSER\BROWSER.EXE
C:\PROGRA~1\CleanUp!\cleanup.exe
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\mllmm.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpa.exe
O4 - HKLM\..\Run: [xyjkb] C:\WINDOWS\xyjkb.exe
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Programme\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Programme\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [Device Detector] "C:\Programme\Gemeinsame Dateien\ACD Systems\DE\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [MtdAcq] C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programme\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/de/4,0,0,90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/de/1,0,0,23/mcgdmgr.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E6E3934-86D6-400B-B2C2-847086BE6E97}: NameServer = 217.237.150.225 217.237.150.141
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mllmm - C:\WINDOWS\system32\mllmm.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\PROSetWired\NCS\Sync\NetSvc.exe

3)
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\mllmm.dll

The second filepath entered was C:\WINDOWS\system32\mmllm.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------

Killing PID 136 'smss.exe'

Killing PID 748 'explorer.exe'
Killing PID 748 'explorer.exe'

Killing PID 216 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\mllmm.dll Deleted sucessfully.
C:\WINDOWS\system32\mmllm.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Whew, what a list!

David, in addition to a positive rating, if you ever need my professional assistance (I work as a translator, editor and author in both English and German) please do not hesitate to ask.

Cheers!

Selkie


----------



## D_Trojanator (May 13, 2005)

There is a bit more to do 

*List programs that can be removed using Windows 'Add or Remove'*

This utility "List Installed Programs" will provide a list of installed programs. It is found half way down the page. Click on the little arrow and then the download icon that is on the new window that opens up. You can download the script and run it from your hard disk or run it without downloading. 
When asked to enter the PC details - leave it blank and click OK. Ask to view the results and copy the Notepad list. Paste it in a reply to this thread.

David


----------



## Selkie (Oct 25, 2005)

Hi David! 
Alright, I managed that too. Here are the results. Why does it show 2 copies of Hijackthis? Did I do something weird?

cheers,

Selkie

INSTALLED SOFTWARE (115) - SMITHCOM - 10/25/2005 12:49:02 PM

ACDSee for PENTAX	Ver: 5.1.0	Installed: 10/4/2005
ACDSee for Pentax 2.0	Ver: 6.0.7	Installed: 8/22/2005
Adobe Acrobat - Reader 6.0.2 Update	Ver: 6.0.2	Installed: 3/2/2005
Adobe Acrobat and Reader 6.0.3 Update	Ver: 6.0.3	Installed: 8/22/2005
Adobe Download Manager 1.2 (Nur entfernen)	
Adobe Photoshop Album 2.0 Starter Edition	Ver: 2.00.100	Installed: 6/1/2005
Adobe Reader 6.0.1 - Deutsch	Ver: 006.000.001	Installed: 6/1/2005
Barbie(R) Pet Rescue	
BJ Printer Driver	
CleanUp!	
Creative Jukebox Driver	
Creative MediaSource	
Dell Driver Reset Tool	Ver: 1.02.0000	Installed: 3/2/2005
Dell Media Experience	
Dell Photo Printer 720	
Dell System Restore	Ver: 2.00.0000	Installed: 3/2/2005
ElsterFormular 2004/2005	Ver: 6.3.1.0	Installed: 8/10/2005
Hijackthis 1.99.1	
HijackThis 1.99.1	Ver: 1.99.1
ImageMixer	Ver: 1.06.003
Intel(R) Extreme Graphics 2 Driver	
Intel(R) PRO Network Adapters and Drivers	
Intel(R) PROSet for Wired Connections	Ver: 8.00.5000	Installed: 3/2/2005
iPod for Windows 2005-03-23	Ver: 3.8.0	Installed: 8/7/2005
iPod for Windows 2005-03-23	Ver: 3.8.0	Installed: 8/7/2005
iTunes	Ver: 4.7.1.30	Installed: 3/14/2005
iTunes	Ver: 4.7.1.30	Installed: 3/14/2005
Jasc Paint Shop Photo Album	Ver: 4.0.4	Installed: 3/2/2005
Jasc Paint Shop Pro 8	Ver: 8.10.0000	Installed: 3/2/2005
Java 2 Runtime Environment, SE v1.4.2_03	Ver: 1.4.2_03	Installed: 3/2/2005
Macromedia Shockwave Player	
Madeline European Adventures	
McAfee VirusScan Enterprise	Ver: 8.0.0	Installed: 7/25/2005
MediaRing Talk Release 7.2.026	
Microsoft .NET Framework 1.1	
Microsoft .NET Framework 1.1	Ver: 1.1.4322	Installed: 3/11/2005
Microsoft .NET Framework 1.1 German Language Pack	Ver: 1.1.4322	Installed: 8/18/2004
Microsoft .NET Framework 1.1 Hotfix (KB886903)	
Microsoft Office XP Professional mit FrontPage	Ver: 10.0.2701.0	Installed: 3/7/2005
Microsoft Works 7.0 Ver: 07.02.0702	Installed: 3/2/2005
MicroStaff WINASPI	
MSN	
MSN Music Assistant	
OfferAgent	
Oozic Player	
Palm Desktop	
Panda ActiveScan	
PestPatrolv5	Ver: 5.0.1.5	Installed: 5/3/2005
PowerDVD 5.3	
QuickTime	
Reader Rabbit I Can Read! With Phonics	
RealPlayer	
Shockwave Director 10.1	
Shockwave Flash	
Sicherheitsupdate für Step by Step Interactive Training (KB898458)	Ver: 20050502.101010	Installed: 6/15/2005
Sicherheitsupdate für Windows XP (KB883939)	Ver: 1	Installed: 6/15/2005
Sicherheitsupdate für Windows XP (KB890046)	Ver: 1	Installed: 6/15/2005
Sicherheitsupdate für Windows XP (KB893756)	Ver: 1	Installed: 8/12/2005
Sicherheitsupdate für Windows XP (KB896358)	Ver: 1	Installed: 6/15/2005
Sicherheitsupdate für Windows XP (KB896422)	Ver: 1	Installed: 6/15/2005
Sicherheitsupdate für Windows XP (KB896423)	Ver: 1	Installed: 8/12/2005
Sicherheitsupdate für Windows XP (KB896428)	Ver: 1	Installed: 6/15/2005
Sicherheitsupdate für Windows XP (KB896688)	Ver: 1	Installed: 10/18/2005
Sicherheitsupdate für Windows XP (KB899587)	Ver: 1	Installed: 8/12/2005
Sicherheitsupdate für Windows XP (KB899588)	Ver: 1	Installed: 8/12/2005
Sicherheitsupdate für Windows XP (KB899591)	Ver: 1	Installed: 8/12/2005
Sicherheitsupdate für Windows XP (KB900725)	Ver: 1	Installed: 10/18/2005
Sicherheitsupdate für Windows XP (KB901017)	Ver: 1	Installed: 10/18/2005
Sicherheitsupdate für Windows XP (KB901214)	Ver: 1	Installed: 8/9/2005
Sicherheitsupdate für Windows XP (KB902400)	Ver: 1	Installed: 10/18/2005
Sicherheitsupdate für Windows XP (KB903235)	Ver: 1	Installed: 8/9/2005
Sicherheitsupdate für Windows XP (KB904706)	Ver: 1	Installed: 10/18/2005
Sicherheitsupdate für Windows XP (KB905414)	Ver: 1	Installed: 10/18/2005
Sicherheitsupdate für Windows XP (KB905749)	Ver: 1	Installed: 10/18/2005
SideFind	
SlotchBar	
Sonic DLA	Ver: 4.95	Installed: 3/2/2005
Sonic RecordNow!	Ver: 7.3	Installed: 3/2/2005
Sonic Update Manager	Ver: 2.9	Installed: 3/2/2005
SPY Fox Dry Cereal	
T-Online 5.0	
T-Online Copas	
T-Online Direktanwahl	
T-Online Installationsdateien	Ver: 5.0	Installed: 3/2/2005
Uninstall 180search Assistant	
Update für Windows XP (KB894391)	Ver: 1	Installed: 8/12/2005
Update für Windows XP (KB896727)	Ver: 1	Installed: 8/12/2005
Update für Windows XP (KB898461)	Ver: 1	Installed: 6/28/2005
WebFldrs XP	Ver: 9.50.7523	Installed: 8/18/2004
Windows Installer 3.1 (KB893803)	Ver: 3.1
Windows Installer 3.1 (KB893803)	Ver: 3.1
Windows Media Format Runtime	
Windows Media Player 10	
Windows XP-Hotfix - KB834707	Ver: 20040929.110854
Windows XP-Hotfix - KB867282	Ver: 20050127.090417
Windows XP-Hotfix - KB873333	Ver: 20050114.005213
Windows XP-Hotfix - KB873339	Ver: 20041117.092459
Windows XP-Hotfix - KB885250	Ver: 20050118.202711
Windows XP-Hotfix - KB885835	Ver: 20041027.181713
Windows XP-Hotfix - KB885836	Ver: 20041028.173203
Windows XP-Hotfix - KB885884	Ver: 20040924.025457
Windows XP-Hotfix - KB886185	Ver: 20041021.090540
Windows XP-Hotfix - KB887472	Ver: 20041014.162858
Windows XP-Hotfix - KB887742	Ver: 20041103.095002
Windows XP-Hotfix - KB888113	Ver: 20041116.131036
Windows XP-Hotfix - KB888302	Ver: 20041207.111426
Windows XP-Hotfix - KB888310	Ver: 20041027.095746
Windows XP-Hotfix - KB890047	Ver: 20041221.124506
Windows XP-Hotfix - KB890175	Ver: 20041201.233338
Windows XP-Hotfix - KB890859	Ver: 1	Installed: 4/14/2005
Windows XP-Hotfix - KB890923	Ver: 1	Installed: 4/14/2005
Windows XP-Hotfix - KB891781	Ver: 20050110.165439
Windows XP-Hotfix - KB893066	Ver: 1	Installed: 4/14/2005
Windows XP-Hotfix - KB893086	Ver: 1	Installed: 4/14/2005
Yahoo! Toolbar


----------



## D_Trojanator (May 13, 2005)

Uninstall these 4 from add/remove in the control panel and post a new HJT log

*OfferAgent
SideFind 
SlotchBar 
Uninstall 180search Assistant*

David


----------



## Selkie (Oct 25, 2005)

Hi David!

Slotchbar refuses to be deleted (no msg., it simply pings, blinks and does nothing). For the other three, I got a msg. (in German) claiming that a problem had arisen when deleting and perhaps the files had already been deleted. I chose "delete from program listing". I hope that was correct.
This is all a bit beyond my ken.

a grateful Selkie


----------



## D_Trojanator (May 13, 2005)

Ok, good
Post a new HJT log
David


----------



## Selkie (Oct 25, 2005)

posting...

Logfile of HijackThis v1.99.1
Scan saved at 1:20:15 PM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Dell\Media Experience\PCMService.exe
C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Network Associates\VirusScan\SHSTAT.EXE
C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe
C:\Programme\Gemeinsame Dateien\ACD Systems\DE\DevDetect.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe
C:\Palm\HOTSYNC.EXE
C:\Palm\AlarmApp.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Programme\Network Associates\Common Framework\FrameworkService.exe
C:\Programme\Network Associates\VirusScan\Mcshield.exe
C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRAMME\T-ONLINE\T-ONLINE_SOFTWARE_5\BROWSER\BROWSER.EXE
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\mllmm.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpa.exe
O4 - HKLM\..\Run: [xyjkb] C:\WINDOWS\xyjkb.exe
O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Programme\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Programme\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [Device Detector] "C:\Programme\Gemeinsame Dateien\ACD Systems\DE\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [MtdAcq] C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programme\SideFind\sidefind.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/de/4,0,0,90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/de/1,0,0,23/mcgdmgr.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E6E3934-86D6-400B-B2C2-847086BE6E97}: NameServer = 217.237.150.225 217.237.150.141
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: mllmm - C:\WINDOWS\system32\mllmm.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\PROSetWired\NCS\Sync\NetSvc.exe


----------



## D_Trojanator (May 13, 2005)

With IE closed, run Hijack This again. 
Put a checkmark on these entries and hit "fix checked":

*R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\mllmm.dll (file missing)

O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)

O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpa.exe

O4 - HKLM\..\Run: [xyjkb] C:\WINDOWS\xyjkb.exe

O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10
\OSA.EXE

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Programme\SideFind\sidefind.dll (file missing)

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

O20 - Winlogon Notify: mllmm - C:\WINDOWS\system32\mllmm.dll (file missing) *

Please Navigate to the *C:\Windows\Temp* folder. 
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. (if you cannot delete some items it's fine!)

Then go to Start > Run and type *%temp%* in the Run box. 
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to *Control Panel* > Internet Options. 
On the General tab under "Temporary Internet Files" Click "Delete Files". 
Put a check by "Delete Offline Content" and click OK. 
Click on the Programs tab then click the "Reset Web Settings" button. 
Click Apply then OK.

*Empty the Recycle Bin*.
---------------------------

Download *KillBox* here: http://www.downloads.subratam.org/KillBox.zip
Save it to your desktop.
*DO NOT* run it yet.

Boot into *Safe Mode*

Double-click on *Killbox.exe * to run it. 
Now put a tick by Standard File Kill. 
In the "*Full Path of File to Delete"* box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the *X* in the middle after you enter each file. 
It will ask for confimation to delete the file. 
Click *Yes*. 
Continue with that same procedure until you have copied and pasted all of these in the "*Paste Full Path of File to Delete*" box.

*C:\WINDOWS\switpa.exe

C:\WINDOWS\xyjkb.exe

C:\Programme\ISTsvc\istsvc.exe *
______________________

Manually delete this folder:

*C:\Programme\ISTsvc*

Reboot to normal mode and post a new HJT log
David


----------



## Selkie (Oct 25, 2005)

Hi David!

I did as instructed (though this all taxes my sad computer skills to the utmost extent). Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 2:01:35 PM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programme\Dell\Media Experience\PCMService.exe
C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe
C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Network Associates\VirusScan\SHSTAT.EXE
C:\Programme\Network Associates\Common Framework\UpdaterUI.exe
C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe
C:\Programme\Gemeinsame Dateien\ACD Systems\DE\DevDetect.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis2\sc_watch.exe
C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe
C:\Palm\HOTSYNC.EXE
C:\Palm\AlarmApp.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Programme\Network Associates\Common Framework\FrameworkService.exe
C:\Programme\Network Associates\VirusScan\Mcshield.exe
C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programme\iPod\bin\iPodService.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRAMME\T-ONLINE\T-ONLINE_SOFTWARE_5\BROWSER\BROWSER.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programme\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Programme\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programme\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programme\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programme\Gemeinsame Dateien\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Programme\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [ToADiMon.exe] C:\Programme\T-Online\T-Online_Software_5\Basis-Software\Basis1\ToADiMon.exe -TOnlineAutodialStart
O4 - HKLM\..\Run: [Device Detector] "C:\Programme\Gemeinsame Dateien\ACD Systems\DE\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [MtdAcq] C:\Programme\Creative\Shared Files\Media Sniffer\MtdAcq.exe /s
O4 - Startup: Alarm Manager.LNK = C:\Palm\AlarmApp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...W/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/de/4,0,0,90/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/de/1,0,0,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E6E3934-86D6-400B-B2C2-847086BE6E97}: NameServer = 217.237.150.225 217.237.150.141
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework-Dienst (McAfeeFramework) - Network Associates, Inc. - C:\Programme\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programme\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\PROSetWired\NCS\Sync\NetSvc.exe


----------



## D_Trojanator (May 13, 2005)

Clean Log!!








How's everything running? :up: or :down: ?

Now turn off *System Restore*:

On the Desktop, right-click *My Computer*.
Click *Properties*.
Click the *System Restore * tab.
Check Turn off *System Restore*.
Click *Apply*, and then click *OK*.

*Restart your computer*, turn System Restore back on and create a restore point.

To create a restore point:

Single-click *Start* and point to *All Programs*.
Mouse over *Accessories*, then *System Tools*, and select *System Restore.*In the System Restore wizard, select the box next the text labeled "*Create a restore point*" and click the *Next* button.
Type a description for your new restore point. Something like "*After trojan/spyware cleanup*". Click *Create* and you're done.

How's everything running? :up: or :down: ?


----------



## Selkie (Oct 25, 2005)

Hi David!

Process complete and everything is running wonderfully, fast and easily. You have spent a great deal of time on this with me. How can I recompense you? A box of German chocolates? A donation to your favourite charity? I don't suppose you need a paper analysed?  

Thank you for all your assistance. I am very, very, very grateful.

Selkie


----------



## D_Trojanator (May 13, 2005)

That's fine! 
What part of Germany are you from, i've just come back from Berlin on a school trip!

You can donate $5 or whatever the equivalent euros are to help keep the site running; we offer a voluntary service here so i cannot take money myself. As you may imagine the website costs a lot to run, and any donations we kindly recieve go direct to that!

If you wish to, please do it via affero - there is a link in my signature that says "rate me"; you can rate my help there also if you wish.

Of course it is not compulsory by any means, and a thank you will most certainly surffice!

David


----------



## cybertech (Apr 16, 2002)

This thread is solved so I am closing it. If you need it reopened just PM me or any other moderator.


----------

