CastleCops, Internet Crime Fighters

Pretty sure it's Vundo, but I can't get rid of it

 
Post new topic   Reply to topic       All -> FavForums -> MIRT Discussion [del.icio.us!] [digg it!] [reddit!]
View previous topic :: View next topic  
Author Message
ia289604
Cadet
Joined: Feb 22, 2008
Posts: 3
Location: USA

Posted: Fri Feb 22, 2008 11:00 pm    Post subject: Pretty sure it's Vundo, but I can't get rid of it

For the life of me, this thing has become the bane of my existence.

I got it once through an ISO program download, and it was such a pain in the butt that I reformatted my computer to get rid of it. Now I've got it again, and through a completely different source.

I've read up on the Vundo symptoms. I've got the two icons on my desktop that keep reappearing whenever I delete them ("Windows Update" and "Help and Support"). My computer will occasionally operate very, very slowly for a moment before going back to work, following an error message telling me there's a critical error. It's a terrible nuisance, especially since I regularly do important work on my computer, and it closes Firefox from time to time.

I tried VundoFix and that other Vundo fixing program (can't remember its name), but neither worked. VundoFix keeps deleting all the Vundo it finds except for ONE that it tells me it can't get rid of.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:37 PM, on 2/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [BMbb67aedf] Rundll32.exe "C:\WINDOWS\system32\lyanrmmh.dll",s
O4 - HKLM\..\RunServices: [DRam prosessor] msupdate.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 2353 bytes

-------------------------------------------------

I tried fixing/deleting lyanrmmh.dll, which looks really suspicious and reveals no searches on Google, but it doesn't go away. Any help would be tremendously appreciated.

Thanks.

tetak
MIRT Team Lead
Premium Member
Joined: Jan 19, 2007
Posts: 5879

Posted: Fri Feb 22, 2008 11:16 pm    Post subject:

lyanrmmh.dll will be a randomly generated name.

Please can you add all the malware files (or files you think may be malware) into a .zip file and upload them as an attachment to this post.


The best thing to do next is to follow this http://wiki.castlecops.com/MRP

If that doesn't help post a full HijackThis log in this forum.

CastleCops Link/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html

I also suggest you install Windows Defender (if you use Windows XP), which is free and is available from http://www.microsoft.com/athome/security/spyware/software/default.mspx


_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
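An added triage helper, not code from this thread or from the CastleCops MIRT team, written for the O4/O23 entries in the HijackThis log above and for tetak's point that lyanrmmh.dll is a randomly generated name: it flags a rundll32 autorun that loads a DLL with a random-looking name, a RunServices entry that names a bare filename, and a service with an unknown owner. The vowel-ratio threshold, the tag names and the sample lines (copied from the posted log) are assumptions of this example.

```python
import ntpath
import re

# Constructed sample: the O4/O23 entries from the posted HijackThis log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [BMbb67aedf] Rundll32.exe "C:\\WINDOWS\\system32\\lyanrmmh.dll",s
O4 - HKLM\\..\\RunServices: [DRam prosessor] msupdate.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: Network Monitor - Unknown owner - C:\\Program Files\\Network Monitor\\netmon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\system32\\HPZipm12.exe
"""

# HijackThis line shapes: "O4 - HIVE\..\KEY: [name] command" and "O23 - Service: name - owner - path"
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
O23_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')
# rundll32 invocation with an optionally quoted DLL path; the entry point follows the comma
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?', re.IGNORECASE)


def looks_random(stem):
    """Heuristic for generated names such as lyanrmmh: letters only, 6+ long,
    and at most a quarter vowels (the threshold is an assumption of this example)."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    return sum(c in "aeiou" for c in s) / len(s) <= 0.25


def triage(log):
    """Return (tag, line) pairs for autorun/service entries worth a closer look."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            _hive, key, _name, cmd = m.groups()
            d = RUNDLL_RE.match(cmd)
            if d:
                stem = ntpath.splitext(ntpath.basename(d.group(1)))[0]
                if looks_random(stem):
                    findings.append(("rundll32-random-dll", line))
            elif key.lower() == "runservices" and "\\" not in cmd:
                # legacy Win9x-era key; a bare filename means the loader searches for it
                findings.append(("runservices-bare-filename", line))
            continue
        m = O23_RE.match(line)
        if m and m.group(2).lower() == "unknown owner":
            findings.append(("service-unknown-owner", line))
    return findings
```

Run `triage(SAMPLE_LOG)` to get three flagged entries; the ctfmon.exe and HP lines pass untouched, so the heuristics only narrow the log down to what tetak asks to be zipped and uploaded.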