Spyware Just wont Go away.

Please attach the Bitdefender and CounterSpy logs as requested in the READ & RUN ME. Also your HJT log should have been obtained after completing the READ ME not before. It shows no signs of PandaActiveScan being run but you did post a log from Panda.


Start by downloading Pocket KillBox

Extract it to its own folder somewhere that you will be able to locateit later.

Make sure you have rebooted in Normal Mode (do not open any other processes)

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:O2 - BHO: DosSpecFolder Object - {FDA4DFFB-2C3D-4730-8D7E-28523C7F2F67} - C:\WINDOWS\SYSTEM\MLLIG.DLL
O4 - HKLM\..\RunOnce: [*MLLIG] rundll32.exe C:\WINDOWS\SYSTEM\MLLIG.DLL,CreateProtectProc rerun

Now exit HijackThis!

Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox:
Choose Tools > Delete Temp Files and click OK.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

C:\WINDOWS\SYSTEM\GILLM.DAT
C:\WINDOWS\SYSTEM\GILLM.ini
C:\WINDOWS\SYSTEM\GILLM.ini2
C:\WINDOWS\SYSTEM\GILLM.tmp
C:\WINDOWS\SYSTEM\GILLM.tmp2
C:\WINDOWS\SYSTEM\GILLM.bak
C:\WINDOWS\SYSTEM\GILLM.bak1
C:\WINDOWS\SYSTEM\GILLM.bak2
C:\WINDOWS\SYSTEM\MLLIG.DLL

If you find any other files in this folder that begin with gillm and end with any other extension ( the .ini is an an extension) delete them to.

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

After reboot post a new HJT log and tell me how the steps went.

 

Did you actually find the files I was asking you to delete? Did they delete when you tried to delete them? Were there any other filles named gillm.xxx (where xxx could be anything).

There are a few other registry keys we need to fix to as CounterSpy indicates. These were not in my list. That is why we ask for the logs from the scanners. The can tell useful info even if they do not fix the problems. Let's try another tool that often can help fix Virtumonde which can be very difficult on Win 9x systems.

Run the procedure in the below link and then attach the spysweeper.txt log.

Running Spy Sweeper

Then attach a new HJT log and let me know if it help or not.

 

Okay but is it still in your HJT log. Spy Sweeper had a problem running on your PC. It kept running out of memory. You probably need to exit everything possible including ALL browsers before running it. It could not quarantine the C:\WINDOWS\SYSTEM\MLLIG.DLL file.

If this file is still present, you can boot into DOS mode (not a command prompt - I mean boot to true DOS mode) and then change to the C:\WINDOWS\SYSTEM folder and manually locate and delete the MLLIG.DLL file.

 

You're welcome.

If you are not having any other malware problems, you should work thru the below link:

How to Protect yourself from malware!