
Vundo Infecton. Need Help With Removal


8 replies to this topic

#1 zemzee

Posted 18 June 2008 - 11:07 AM

Hey,
I've been infected with Vundo yet again. I was first infected on XP but now I have Vista and Vundo has been updated.
Here I will post the DSS log, HijackThis log and AVG log. I was scanning with Kaspersky Online Scanner but IE crashed.
All replies will be gratefully appreciated (sorry about spelling :thumbsup: )

DSS and HijackThis Log

Deckard's System Scanner v20071014.68
Run by Husseyin on 2008-06-18 16:42:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
27: 2008-06-18 13:19:31 UTC - RP58 - Windows Update
26: 2008-06-17 12:54:49 UTC - RP57 - Scheduled Checkpoint
25: 2008-06-16 18:07:40 UTC - RP56 - Installed Microsoft Office Professional Edition 2003
24: 2008-06-16 14:58:28 UTC - RP55 - Windows Defender Checkpoint
23: 2008-06-16 11:57:15 UTC - RP53 - Scheduled Checkpoint


-- First Restore Point --
1: 2008-06-07 16:51:53 UTC - RP26 - Installed Macromedia Dreamweaver 8


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Husseyin.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:47:45, on 18/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\rundll32.exe
C:\Windows\explorer.exe
C:\Downloads\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Husseyin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\xxyyyAPJ.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Husseyin\AppData\Local\Temp\fccddcbx.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Husseyin\AppData\Local\Temp\urQICUmn.dll,#1
O4 - HKCU\..\Run: [BMbfa3e4f6] Rundll32.exe "C:\Users\Husseyin\AppData\Local\Temp\afycfxfm.dll",s
O4 - HKCU\..\Run: [bc90d76a] rundll32.exe "C:\Users\Husseyin\AppData\Local\Temp\mcxritnu.dll",b
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.79\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 3.79\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O13 - Gopher Prefix:
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u...ows-i586-jc.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 6636 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2
.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Ethernet Controller
Device ID: PCI\VEN_8086&DEV_294C&SUBSYS_E0371631&REV_02\3&2411E6FE&0&C8
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_8086&DEV_294C&SUBSYS_E0371631&REV_02\3&2411E6FE&0&C8
Service:

Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_E0371631&REV_02\3&2411E6FE&0&FB
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_8086&DEV_2930&SUBSYS_E0371631&REV_02\3&2411E6FE&0&FB
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-18 16:00:00 492 --a------ C:\Windows\Tasks\1-Click Maintenance.job


-- Files created between 2008-05-18 and 2008-06-18 -----------------------------

2008-06-18 16:47:35 0 d-------- C:\Program Files\Trend Micro
2008-06-16 19:12:09 0 d-------- C:\Program Files\Common Files\L&H
2008-06-16 19:11:25 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-06-16 19:09:54 0 d-------- C:\Program Files\Microsoft Works
2008-06-16 19:08:53 0 d-------- C:\Program Files\Microsoft.NET
2008-06-16 19:07:00 0 dr-h----- C:\MSOCache
2008-06-12 18:03:46 59392 --a------ C:\Windows\system32\ljJBsSMe.dll
2008-06-12 17:55:24 59392 --a------ C:\Windows\system32\xxyyyAPJ.dll
2008-06-12 16:14:57 0 d-a------ C:\Users\All Users\TEMP
2008-06-12 16:14:56 0 d-------- C:\Fraps
2008-06-11 18:24:46 0 d-------- C:\Program Files\LiveUpdate
2008-06-11 18:24:03 0 d-------- C:\Users\All Users\BVRP Software
2008-06-11 18:24:03 0 d-------- C:\Program Files\mobile PhoneTools
2008-06-09 21:12:15 0 d-------- C:\MyMod
2008-06-09 21:03:19 0 d-------- C:\HammerAutosave
2008-06-08 13:26:47 0 d-------- C:\Users\All Users\WEBREG
2008-06-08 13:26:10 0 d-------- C:\Users\All Users\HPSSUPPLY
2008-06-08 13:24:46 0 d-------- C:\Program Files\Common Files\HP
2008-06-08 13:16:07 0 d-------- C:\Users\All Users\Hewlett-Packard
2008-06-08 13:13:35 117760 --a------ C:\Windows\system32\hpz3l4v2.dll <Not Verified; Hewlett-Packard Company; Language Monitor>
2008-06-08 13:13:12 0 d-------- C:\Program Files\HP
2008-06-08 13:12:46 133481 --a------ C:\Windows\hppins20.dat
2008-06-08 12:50:34 0 d-------- C:\Users\All Users\HP
2008-06-08 12:50:32 258048 --a------ C:\Windows\system32\hpzids01.dll <Not Verified; Hewlett-Packard; HP Installer>
2008-06-08 12:50:30 16655 --a------ C:\Windows\hppmdl20.dat
2008-06-07 17:54:42 0 d-------- C:\Program Files\Common Files\Macromedia
2008-06-07 17:52:54 0 d-------- C:\Users\All Users\Macromedia
2008-06-07 17:51:52 0 d-------- C:\Program Files\Macromedia
2008-06-07 17:51:07 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-07 12:08:15 0 d-------- C:\Program Files\Common Files\Steam
2008-06-07 11:14:21 0 d-------- C:\Program Files\Valve
2008-06-03 15:03:04 0 d-------- C:\Program Files\VideoLAN
2008-06-01 18:33:37 0 d-------- C:\Program Files\ASIO4ALL v2
2008-06-01 18:32:56 0 d-------- C:\Program Files\Outsim
2008-06-01 14:52:18 0 d-------- C:\New Stuff
2008-06-01 14:31:05 0 d-------- C:\Users\Husseyin\{18fce3f7-5afd-429e-ae83-6878fb13e068}
2008-06-01 14:30:54 0 d-------- C:\Program Files\MP3 Player Utilities 3.79
2008-06-01 13:06:58 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-01 12:55:29 0 d-------- C:\Program Files\Activision
2008-05-31 22:04:20 0 d-------- C:\Windows\Panther
2008-05-31 22:04:05 0 d--hs---- C:\Boot
2008-05-31 20:24:04 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-31 20:19:59 0 d-------- C:\Windows\Downloaded Installations
2008-05-31 20:07:29 225280 --a------ C:\Windows\system32\rewire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-05-31 20:07:29 0 d-------- C:\Program Files\VstPlugins
2008-05-31 20:06:47 0 d-------- C:\Program Files\Image-Line
2008-05-31 20:05:25 0 d-------- C:\Program Files\MagicISO
2008-05-31 18:53:19 0 d-------- C:\Program Files\Java
2008-05-31 18:52:19 0 d-------- C:\Program Files\Common Files\Java
2008-05-31 18:52:09 0 d-------- C:\Program Files\LimeWire
2008-05-31 18:48:51 0 d-------- C:\Downloads
2008-05-31 18:48:26 0 d-------- C:\Program Files\BitComet
2008-05-31 17:18:54 0 d-------- C:\Users\All Users\Grisoft
2008-05-31 17:18:52 0 d-------- C:\Users\All Users\NVIDIA
2008-05-31 15:40:17 0 d-------- C:\Windows\PCHEALTH
2008-05-31 15:30:47 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-31 15:30:39 0 d-------- C:\Program Files\Windows Live
2008-05-31 15:30:20 0 d-------- C:\Users\All Users\WLInstaller
2008-05-31 15:27:28 0 d-------- C:\Windows\system32\Macromed
2008-05-31 14:26:32 0 d-------- C:\Users\All Users\TuneUp Software
2008-05-31 14:26:27 0 d-------- C:\Program Files\TuneUp Utilities 2008
2008-05-31 14:25:49 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-31 14:07:02 0 d--hs---- C:\Windows\Installer
2008-05-31 13:25:33 0 dr------- C:\Users\Husseyin\Searches
2008-05-31 13:25:25 0 dr------- C:\Users\Husseyin\Contacts
2008-05-31 13:25:22 0 dr------- C:\Users\Husseyin\Videos
2008-05-31 13:25:22 0 d--hs---- C:\Users\Husseyin\Templates
2008-05-31 13:25:22 0 d--hs---- C:\Users\Husseyin\Start Menu
2008-05-31 13:25:22 0 d--hs---- C:\Users\Husseyin\SendTo
2008-05-31 13:25:22 0 dr------- C:\Users\Husseyin\Saved Games
2008-05-31 13:25:22 0 d--hs---- C:\Users\Husseyin\Recent
2008-05-31 13:25:22 0 d--hs---- C:\Users\Husseyin\PrintHood
2008-05-31 13:25:22 0 dr------- C:\Users\Husseyin\Pictures
2008-05-31 13:25:22 4718592 --ahs---- C:\Users\Husseyin\NTUSER.DAT
2008-05-31 13:25:22 0 d--hs---- C:\Users\Husseyin\NetHood
2008-05-31 13:25:22 0 d--hs---- C:\Users\Husseyin\My Documents
2008-05-31 13:25:22 0 dr------- C:\Users\Husseyin\Music
2008-05-31 13:25:22 0 d--hs---- C:\Users\Husseyin\Local Settings
2008-05-31 13:25:22 0 dr------- C:\Users\Husseyin\Links
2008-05-31 13:25:22 0 dr------- C:\Users\Husseyin\Favorites
2008-05-31 13:25:22 0 dr------- C:\Users\Husseyin\Downloads
2008-05-31 13:25:22 0 dr------- C:\Users\Husseyin\Documents
2008-05-31 13:25:22 0 dr------- C:\Users\Husseyin\Desktop
2008-05-31 13:25:22 0 d--hs---- C:\Users\Husseyin\Cookies
2008-05-31 13:25:22 0 d--hs---- C:\Users\Husseyin\Application Data
2008-05-31 13:25:22 0 d--h----- C:\Users\Husseyin\AppData
2008-05-31 13:06:39 0 d-------- C:\Windows\SoftwareDistribution
2008-05-31 13:05:49 0 d-------- C:\Windows\Debug
2008-05-31 13:04:53 0 d-------- C:\Windows\Prefetch
2008-05-31 13:04:43 0 d--hs---- C:\System Volume Information


-- Find3M Report ---------------------------------------------------------------

2008-06-16 19:12:09 0 d-------- C:\Program Files\Common Files
2008-06-12 07:43:11 0 d-------- C:\Program Files\Windows Mail
2008-06-11 17:54:48 0 d-------- C:\Users\Husseyin\AppData\Roaming\LimeWire
2008-06-08 13:26:32 0 d-------- C:\Users\Husseyin\AppData\Roaming\HP
2008-06-07 17:58:09 0 d-------- C:\Users\Husseyin\AppData\Roaming\Macromedia
2008-06-03 16:32:45 0 d-------- C:\Users\Husseyin\AppData\Roaming\vlc
2008-06-01 19:14:10 0 d-------- C:\Users\Husseyin\AppData\Roaming\Adobe
2008-06-01 19:12:03 0 d-------- C:\Users\Husseyin\AppData\Roaming\Deckadance
2008-05-31 17:14:39 174 --ahs---- C:\Program Files\desktop.ini
2008-05-31 17:11:36 0 d-------- C:\Program Files\Windows Calendar
2008-05-31 17:11:34 0 d-------- C:\Program Files\Windows Defender
2008-05-31 17:11:26 0 d-------- C:\Program Files\Windows Sidebar
2008-05-31 14:07:48 0 d-------- C:\Users\Husseyin\AppData\Roaming\TuneUp Software
2008-05-31 13:25:26 0 d-------- C:\Users\Husseyin\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [31/05/2008 16:04]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [12/09/2007 05:28]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [12/09/2007 05:28]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [12/09/2007 05:28]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [18/06/2008 15:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [10/12/2006 21:52]
"MSServer"="C:\Windows\system32\xxyyyAPJ.dll" [12/06/2008 17:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [31/05/2008 15:52]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
"Steam"="c:\program files\valve\steam\steam.exe" [07/06/2008 11:56]
"cmds"="C:\Users\Husseyin\AppData\Local\Temp\fccddcbx.dll,c" []
"MSServer"="C:\Users\Husseyin\AppData\Local\Temp\urQICUmn.dll,#1" []
"BMbfa3e4f6"="C:\Users\Husseyin\AppData\Local\Temp\afycfxfm.dll,s" []
"bc90d76a"="C:\Users\Husseyin\AppData\Local\Temp\mcxritnu.dll,b" []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [02/01/2007 21:40:10]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BD3C6F7C-6C8D-48F6-AC52-5E4071AEB257}"= C:\Windows\system32\xxyyyAPJ.dll [12/06/2008 17:55 59392]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bebf9396-2f09-11dd-94d5-806e6f6e6963}]
AutoRun\command- D:\SETUP.EXE /AUTORUN
configure\command- D:\SETUP.EXE
install\command- D:\SETUP.EXE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-06-18 16:48:33 ------------


Extra DSS Log

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU E6550 @ 2.33GHz
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 2045.56 MiB / 1209.49 MiB
Pagefile Memory (total/avail): 4326.18 MiB / 3302.39 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.4 MiB

C: is Fixed (NTFS) - 327.35 GiB total, 252.48 GiB free.
D: is CDROM (CDFS)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
K: is Fixed (FAT32) - 232.82 GiB total, 127.21 GiB free.

\\.\PHYSICALDRIVE0 - ST3360320AS ATA Device - 335.35 GiB - 2 partitions
\PARTITION0 - Unknown - 8.01 GiB
\PARTITION1 (bootable) - Installable File System - 327.35 GiB - C:

\\.\PHYSICALDRIVE2 - Generic- Compact Flash USB Device

\\.\PHYSICALDRIVE5 - Generic- MS/MS-Pro USB Device

\\.\PHYSICALDRIVE4 - Generic- SD/MMC USB Device

\\.\PHYSICALDRIVE3 - Generic- SM/xD-Picture USB Device

\\.\PHYSICALDRIVE1 - HP USB Device

\\.\PHYSICALDRIVE6 - WDC WD25 00BB-00GUC0 USB Device - 232.88 GiB - 1 partition
\PARTITION0 - Unknown - 232.88 GiB - K:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AS: AVG Anti-Spyware v7, 5, 1, 43 (GRISOFT s.r.o.) Disabled Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Husseyin\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HAXZOR-ENDKVICK
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Husseyin
LOCALAPPDATA=C:\Users\Husseyin\AppData\Local
LOGONSERVER=\\HAXZOR-ENDKVICK
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Husseyin\AppData\Local\Temp
TMP=C:\Users\Husseyin\AppData\Local\Temp
USERDOMAIN=HAXZOR-ENDKVICK
USERNAME=Husseyin
USERPROFILE=C:\Users\Husseyin
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Husseyin


-- Add/Remove Programs ---------------------------------------------------------

32 Bit HP CIO Components Installer --> MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
ASIO4ALL --> C:\Program Files\ASIO4ALL v2\uninstall.exe
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BitComet 1.01 --> C:\Program Files\BitComet\uninst.exe
Call of Duty® 4 - Modern Warfare™ --> C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Collab --> C:\Program Files\Image-Line\Collab\uninstall.exe
Deckadance --> C:\Program Files\VstPlugins\Deckadance\uninstall.exe
FL Studio 8 --> C:\Program Files\Image-Line\FL Studio 8\uninstall.exe
Fraps (remove only) --> "C:\Fraps\uninstall.exe"
Half-Life® 2 --> MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}
HP Customer Participation Program 8.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Deskjet & Photosmart Printer Driver Software 8.0.A --> C:\Program Files\HP\Digital Imaging\{981DE354-9301-440f-AAFC-025AA2354A93}\setup\hpzscr01.exe -datfile hppscr20.dat -onestop -showdisconnect -forcereboot
HP Imaging Device Functions 8.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential --> MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Solution Center 8.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
HPSSupply --> MsiExec.exe /X{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}
IL Download Manager --> C:\Program Files\Image-Line\Downloader\uninstall.exe
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
LimeWire 4.16.2 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate BVRP Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0x9
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Magic ISO Maker v5.5 (build 0261) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
mobile PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}\setup.exe" -l0x9
MP3 Player Utilities 3.79 --> MsiExec.exe /I{7784A172-61F1-445E-8368-601607E0DD22}
NVIDIA Drivers --> C:\Windows\system32\NVUNINST.EXE UninstallGUI
PoiZone --> C:\Program Files\Image-Line\PoiZone\uninstall.exe
Source Dedicated Server --> "C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/205
Source SDK --> "C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/211
Source SDK Base --> "C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/215
Steam™ --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Toxic Biohazard --> C:\Program Files\Image-Line\Toxic Biohazard\uninstall.exe
TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
VideoLAN VLC media player 0.8.6f --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}


-- Application Event Log -------------------------------------------------------

Event Record #/Type2956 / Error
Event Submitted/Written: 06/18/2008 03:58:05 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16681, time stamp 0x48113d17, faulting module afycfxfm.dll_unloaded, version 0.0.0.0, time stamp 0x484fa086, exception code 0xc0000005, fault offset 0x0c141558,
process id 0x1730, application start time 0xiexplore.exe0.

Event Record #/Type2953 / Error
Event Submitted/Written: 06/18/2008 03:56:55 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application Explorer.EXE, version 6.0.6000.16549, time stamp 0x46d230c5, faulting module msvcrt.dll, version 7.0.6000.16386, time stamp 0x4549bd61, exception code 0xc0000005, fault offset 0x00009bfd,
process id 0xae8, application start time 0xExplorer.EXE0.

Event Record #/Type2950 / Success
Event Submitted/Written: 06/18/2008 02:23:45 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2930 / Success
Event Submitted/Written: 06/18/2008 02:15:39 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type2928 / Success
Event Submitted/Written: 06/18/2008 02:15:38 PM
Event ID/Source: 5615 / WinMgmt
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type14508 / Warning
Event Submitted/Written: 06/18/2008 04:47:55 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HAXZOR-ENDKVICK27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HAXZOR-ENDKVICK27 can't undo changes that you allow.

For more information please see the following:
%HAXZOR-ENDKVICK275

Scan ID: {749C1140-638D-42AC-BC59-10B6DC777BE0}

User: HAXZOR-ENDKVICK\Husseyin

Name: %HAXZOR-ENDKVICK271

ID: %HAXZOR-ENDKVICK272

Severity ID: %HAXZOR-ENDKVICK273

Category ID: %HAXZOR-ENDKVICK274

Path Found: %HAXZOR-ENDKVICK276

Alert Type: %HAXZOR-ENDKVICK278

Detection Type: 1.1.1505.02

Event Record #/Type14507 / Warning
Event Submitted/Written: 06/18/2008 04:47:55 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HAXZOR-ENDKVICK27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HAXZOR-ENDKVICK27 can't undo changes that you allow.

For more information please see the following:
%HAXZOR-ENDKVICK275

Scan ID: {B84E10DB-14E1-4E9A-A4EA-C88F2CBC4AE2}

User: HAXZOR-ENDKVICK\Husseyin

Name: %HAXZOR-ENDKVICK271

ID: %HAXZOR-ENDKVICK272

Severity ID: %HAXZOR-ENDKVICK273

Category ID: %HAXZOR-ENDKVICK274

Path Found: %HAXZOR-ENDKVICK276

Alert Type: %HAXZOR-ENDKVICK278

Detection Type: 1.1.1505.02

Event Record #/Type14495 / Warning
Event Submitted/Written: 06/18/2008 04:37:51 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HAXZOR-ENDKVICK27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HAXZOR-ENDKVICK27 can't undo changes that you allow.

For more information please see the following:
%HAXZOR-ENDKVICK275

Scan ID: {5B4A8169-BB06-48B7-85B2-0F0565265403}

User: HAXZOR-ENDKVICK\Husseyin

Name: %HAXZOR-ENDKVICK271

ID: %HAXZOR-ENDKVICK272

Severity ID: %HAXZOR-ENDKVICK273

Category ID: %HAXZOR-ENDKVICK274

Path Found: %HAXZOR-ENDKVICK276

Alert Type: %HAXZOR-ENDKVICK278

Detection Type: 1.1.1505.02

Event Record #/Type14494 / Warning
Event Submitted/Written: 06/18/2008 04:37:51 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HAXZOR-ENDKVICK27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HAXZOR-ENDKVICK27 can't undo changes that you allow.

For more information please see the following:
%HAXZOR-ENDKVICK275

Scan ID: {ED9323F4-D054-4507-9574-65FB991D0E28}

User: HAXZOR-ENDKVICK\Husseyin

Name: %HAXZOR-ENDKVICK271

ID: %HAXZOR-ENDKVICK272

Severity ID: %HAXZOR-ENDKVICK273

Category ID: %HAXZOR-ENDKVICK274

Path Found: %HAXZOR-ENDKVICK276

Alert Type: %HAXZOR-ENDKVICK278

Detection Type: 1.1.1505.02

Event Record #/Type14485 / Warning
Event Submitted/Written: 06/18/2008 04:00:07 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%HAXZOR-ENDKVICK27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %HAXZOR-ENDKVICK27 can't undo changes that you allow.

For more information please see the following:
%HAXZOR-ENDKVICK275

Scan ID: {010AEAA8-0219-455E-B7D3-7240B15B383C}

User: HAXZOR-ENDKVICK\Husseyin

Name: %HAXZOR-ENDKVICK271

ID: %HAXZOR-ENDKVICK272

Severity ID: %HAXZOR-ENDKVICK273

Category ID: %HAXZOR-ENDKVICK274

Path Found: %HAXZOR-ENDKVICK276

Alert Type: %HAXZOR-ENDKVICK278

Detection Type: 1.1.1505.02



-- End of Deckard's System Scanner: finished at 2008-06-18 16:48:33 ------------

AVG Log File

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:05:03 18/06/2008

+ Scan result:



K:\Program Files (F)\WinAntivirus 2005 (TRIAL)\WinAntiVirus 2005 Pro\st.dat -> Adware.WinAntiVirus : Cleaned.
K:\Program Files (F)\WinAntivirus 2005 (TRIAL)\WinAntiVirus 2005 Pro\up.dat -> Adware.WinAntiVirus : Cleaned.
K:\Program Files (F)\WinAntivirus 2005 (TRIAL)\WinAntiVirus 2005 Pro\sr.exe -> Adware.WinFixer : Cleaned.
K:\Sony Vegas Pro 8.0a keygen.rar/keygen.exe -> Backdoor.SdBot.dqp : Cleaned.
K:\Program Files (F)\autominer\Autofighter Cheat Package\Macros\mouserec.exe -> Downloader.Delf.aup : Cleaned.
K:\SHARED MUSIC\MUMS MUSIC\already there westlife.mp3 -> Downloader.Wimad.n : Cleaned.


::Report end

Kaspersky scans showed a lot of trojans, mainly with Agent in them. Will do a Kaspersky scan now while I wait for a reply as it should help.

Thanks :)



#2 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:04:00 AM

Posted 18 June 2008 - 12:16 PM

Hello Zemzee

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in Hijackthis school and Teachers will check my posts.

#3 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:04:00 AM

Posted 19 June 2008 - 06:27 AM

Hello :thumbsup:

Step #1
You have the program Windows Defender Real-time Protection running on your machine and that is good. But prior to doing the fix below with HiJackThis it needs to be turned off. Please do the following:
  • Open Windows Defender
  • Scroll down and uncheck Turn on real-time protection (recommended)
  • After you uncheck this, click on the Save button and close Windows Defender.
Unless it is turned off it could interfere with the fix by HiJackThis.

Step #2
Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\xxyyyAPJ.dll
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Husseyin\AppData\Local\Temp\fccddcbx.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Husseyin\AppData\Local\Temp\urQICUmn.dll,#1
O4 - HKCU\..\Run: [BMbfa3e4f6] Rundll32.exe "C:\Users\Husseyin\AppData\Local\Temp\afycfxfm.dll",s
O4 - HKCU\..\Run: [bc90d76a] rundll32.exe "C:\Users\Husseyin\AppData\Local\Temp\mcxritnu.dll",b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)


Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Step #3
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Please run Notepad and paste the following text into a new file:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BD3C6F7C-6C8D-48F6-AC52-5E4071AEB257}"=-


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Step #4
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    C:\Windows\system32\ljJBsSMe.dll
    C:\Windows\system32\xxyyyAPJ.dll
    C:\Users\Husseyin\AppData\Local\Temp\mcxritnu.dll
    C:\Users\Husseyin\AppData\Local\Temp\afycfxfm.dll
    C:\Users\Husseyin\AppData\Local\Temp\urQICUmn.dll
    C:\Users\Husseyin\AppData\Local\Temp\fccddcbx.dll
    C:\Windows\system32\xxyyyAPJ.dll
    C:\Windows\system32\xxyyyAPJ.dll
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step #5
You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer: Install it and then run a full scan. Let it quarantine/delete anything it finds. Let me know if there is anything that it reports but can not remove.

Step #6
Please download ATF-cleaner and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Step #7
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Step #8
Please post OtMoveIt log, Mbam log and a fresh HijackThis log back here :)
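As an added example (not part of the original thread or of HijackThis itself), a small Python triage script that parses HijackThis O4 autostart entries such as the ones listed in Step #2 and flags rundll32-launched DLLs showing Vundo-style traits: loaded from a Temp directory, an 8-letter random-looking DLL name, a single-letter or ordinal export, or a hex-looking value name. The sample log is constructed from the entries quoted in this thread plus one benign control line, and the heuristics are assumptions for triage, not the tool's own logic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the five O4 entries the helper lists for fixing in this
# thread, plus one ordinary Defender autostart added here as a benign control line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\xxyyyAPJ.dll
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Husseyin\AppData\Local\Temp\fccddcbx.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Husseyin\AppData\Local\Temp\urQICUmn.dll,#1
O4 - HKCU\..\Run: [BMbfa3e4f6] Rundll32.exe "C:\Users\Husseyin\AppData\Local\Temp\afycfxfm.dll",s
O4 - HKCU\..\Run: [bc90d76a] rundll32.exe "C:\Users\Husseyin\AppData\Local\Temp\mcxritnu.dll",b
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
""".strip()

# HijackThis O4 line: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# rundll32 launcher: optional quotes around the DLL path, optional ",<export>" suffix
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?(?:,(\S*))?', re.I)

@dataclass
class Finding:
    hive: str
    name: str
    dll: str
    reasons: list = field(default_factory=list)

def triage_o4(log_text: str) -> list:
    """Return a Finding for every O4 autostart that uses rundll32 to load a DLL
    and matches at least one of the Vundo-style heuristics (assumed, not HJT's)."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, _key, name, command = m.groups()
        r = RUNDLL_RE.search(command)
        if not r:
            continue  # not a rundll32 launcher; out of scope for this check
        dll, export = r.group(1), r.group(2) or ""
        base = dll.rsplit("\\", 1)[-1]
        reasons = []
        if re.search(r"\\temp\\", dll, re.I):
            reasons.append("DLL loaded from a Temp directory")
        if re.fullmatch(r"[A-Za-z]{8}\.dll", base):
            reasons.append("8-letter random-looking DLL name")
        if re.fullmatch(r"[A-Za-z]|#\d+", export):
            reasons.append(f"one-letter or ordinal export '{export}'")
        if re.fullmatch(r"(BM)?[0-9a-f]{8}", name):
            reasons.append(f"hex-looking value name '{name}'")
        if reasons:
            findings.append(Finding(hive, name, dll, reasons))
    return findings

if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"{f.hive} [{f.name}] {f.dll}: " + "; ".join(f.reasons))
```

Run on the sample it reports the five entries the helper asked to fix and stays silent on the Defender control line.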

#4 zemzee

zemzee
  • Topic Starter

  • Members
  • 4 posts
  • Local time:01:00 AM

Posted 19 June 2008 - 09:55 AM

Okay thanks, gonna do that now.
:thumbsup:

#5 zemzee

zemzee
  • Topic Starter

  • Members
  • 4 posts
  • Local time:01:00 AM

Posted 20 June 2008 - 02:13 PM

Hey,
been kinda busy so will carry on with step 6 tomorrow.
Will post all logs tomorrow, Sunday at the latest.
Thanks
:thumbsup:

#6 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:04:00 AM

Posted 21 June 2008 - 04:30 AM

Hello :)

That's ok. :thumbsup:

#7 zemzee

zemzee
  • Topic Starter

  • Members
  • 4 posts
  • Local time:01:00 AM

Posted 22 June 2008 - 03:20 PM

Ahhh, sorry, I've been REALLY busy.
I did all the steps and I seem to be clean.
I installed AVG Internet Security, that's all legit, and scanned and I seem to be fine.
Everything's clean, so thank you for your help.
If my mates need help I'll send them to you :D

Thanks again.

#8 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:04:00 AM

Posted 22 June 2008 - 10:27 PM

Hello

Please post OtMoveIt log, Mbam log and a fresh HijackThis log back here. Then we can really see if your computer is clean :thumbsup:

Edited by Baabiouz, 22 June 2008 - 10:27 PM.


#9 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:04:00 AM

Posted 30 June 2008 - 12:26 PM

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.



