Help Needed So Much With Vista


  • This topic is locked
4 replies to this topic

#1 losty77

  • Members
  • 24 posts

Posted 19 September 2008 - 09:22 PM

Hi, I'm Jason and I don't know where to start! It all happened when I was trying to install an AVG I downloaded from the Net. The next thing I know I got a lot of errors and viruses.

I'm a Vista Home edition user.

I've done all the scanning with Spybot, Ad-Aware and Stinger, and I can get part of the virus, but not one. Not only this, but because of my smart-ass self I accidentally deleted a few exe files from Vista: sidebar.exe! I can't even restore it, and a Rundll32 message always pops up saying Vista is shutting it down.

When I start my PC I get popup message alerts about a dynamic link library that can't run because sidebar.exe is missing, and rundll32 shutting down because of errors, which they didn't say what kind of errors.

I'm really in real trouble. I really need help, guys, I'm clueless now. Please... I'm now accessing this using another PC.

Please do tell me what I should do and not do in here!

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:36 AM, on 9/20/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\System32\YUR7F7B.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\perfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {324FC19C-A1B5-446E-B1F5-22E95578BB17} - C:\Windows\system32\awtQkLFw.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {7ddc8e53-cc41-6db8-0d44-ed153e14664a} - {a46641e3-51de-44d0-8bd6-14cc35e8cdd7} - C:\Windows\system32\pfgzct.dll
O2 - BHO: (no name) - {E20EB313-C14B-4732-9B8D-E3D5BEB2C21C} - C:\Windows\system32\yayvTlIX.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [\YUR7521.exe] C:\Windows\system32\YUR7521.exe
O4 - HKLM\..\Run: [\YUR761B.exe] C:\Windows\system32\YUR761B.exe
O4 - HKLM\..\Run: [\YUR79D2.exe] C:\Windows\system32\YUR79D2.exe
O4 - HKLM\..\Run: [\YUR7B97.exe] C:\Windows\system32\YUR7B97.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ljJayARk.dll,#1
O4 - HKLM\..\Run: [\YURFA86.exe] C:\Windows\system32\YURFA86.exe
O4 - HKLM\..\Run: [\YUR6660.exe] C:\Windows\system32\YUR6660.exe
O4 - HKLM\..\Run: [\YUR6631.exe] C:\Windows\system32\YUR6631.exe
O4 - HKLM\..\Run: [\YUR68A1.exe] C:\Windows\system32\YUR68A1.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [\YURFDBE.exe] C:\Windows\system32\YURFDBE.exe
O4 - HKLM\..\Run: [\YUR6AA4.exe] C:\Windows\system32\YUR6AA4.exe
O4 - HKLM\..\Run: [\YUR6891.exe] C:\Windows\system32\YUR6891.exe
O4 - HKLM\..\Run: [\YURE30E.exe] C:\Windows\system32\YURE30E.exe
O4 - HKLM\..\Run: [\YURC551.exe] C:\Windows\system32\YURC551.exe
O4 - HKLM\..\Run: [\YURC937.exe] C:\Windows\system32\YURC937.exe
O4 - HKLM\..\Run: [06e13f21] rundll32.exe "C:\Windows\system32\pxtltwkp.dll",b
O4 - HKLM\..\Run: [\YUR67D6.exe] C:\Windows\system32\YUR67D6.exe
O4 - HKLM\..\Run: [\YUR7628.exe] C:\Windows\system32\YUR7628.exe
O4 - HKLM\..\Run: [\YUR7A0F.exe] C:\Windows\system32\YUR7A0F.exe
O4 - HKLM\..\Run: [\YUR7963.exe] C:\Windows\system32\YUR7963.exe
O4 - HKLM\..\Run: [\YUR7232.exe] C:\Windows\system32\YUR7232.exe
O4 - HKLM\..\Run: [\YUR7270.exe] C:\Windows\system32\YUR7270.exe
O4 - HKLM\..\Run: [\YUR3496.exe] C:\Windows\system32\YUR3496.exe
O4 - HKLM\..\Run: [\YURA3EC.exe] C:\Windows\system32\YURA3EC.exe
O4 - HKLM\..\Run: [\YUR8E5.exe] C:\Windows\system32\YUR8E5.exe
O4 - HKLM\..\Run: [\YUR8D8F.exe] C:\Windows\system32\YUR8D8F.exe
O4 - HKLM\..\Run: [\YUR7F7B.exe] C:\Windows\system32\YUR7F7B.exe
O4 - HKLM\..\Run: [\YUR782B.exe] C:\Windows\system32\YUR782B.exe
O4 - HKLM\..\Run: [\YUR6E2.exe] C:\Windows\system32\YUR6E2.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [\YUR7521.exe] C:\Windows\system32\YUR7521.exe
O4 - HKCU\..\Run: [\YUR761B.exe] C:\Windows\system32\YUR761B.exe
O4 - HKCU\..\Run: [\YUR79D2.exe] C:\Windows\system32\YUR79D2.exe
O4 - HKCU\..\Run: [\YUR7B97.exe] C:\Windows\system32\YUR7B97.exe
O4 - HKCU\..\Run: [\YURFA86.exe] C:\Windows\system32\YURFA86.exe
O4 - HKCU\..\Run: [\YUR6631.exe] C:\Windows\system32\YUR6631.exe
O4 - HKCU\..\Run: [\YUR6660.exe] C:\Windows\system32\YUR6660.exe
O4 - HKCU\..\Run: [\YUR68A1.exe] C:\Windows\system32\YUR68A1.exe
O4 - HKCU\..\Run: [\YURFDBE.exe] C:\Windows\system32\YURFDBE.exe
O4 - HKCU\..\Run: [\YUR6AA4.exe] C:\Windows\system32\YUR6AA4.exe
O4 - HKCU\..\Run: [\YUR6891.exe] C:\Windows\system32\YUR6891.exe
O4 - HKCU\..\Run: [\YURE30E.exe] C:\Windows\system32\YURE30E.exe
O4 - HKCU\..\Run: [\YURC551.exe] C:\Windows\system32\YURC551.exe
O4 - HKCU\..\Run: [\YURC937.exe] C:\Windows\system32\YURC937.exe
O4 - HKCU\..\Run: [\YUR67D6.exe] C:\Windows\system32\YUR67D6.exe
O4 - HKCU\..\Run: [\YUR7628.exe] C:\Windows\system32\YUR7628.exe
O4 - HKCU\..\Run: [\YUR7A0F.exe] C:\Windows\system32\YUR7A0F.exe
O4 - HKCU\..\Run: [\YUR7963.exe] C:\Windows\system32\YUR7963.exe
O4 - HKCU\..\Run: [\YUR7232.exe] C:\Windows\system32\YUR7232.exe
O4 - HKCU\..\Run: [\YUR7270.exe] C:\Windows\system32\YUR7270.exe
O4 - HKCU\..\Run: [\YUR3496.exe] C:\Windows\system32\YUR3496.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [\YURA3EC.exe] C:\Windows\system32\YURA3EC.exe
O4 - HKCU\..\Run: [\YUR8E5.exe] C:\Windows\system32\YUR8E5.exe
O4 - HKCU\..\Run: [\YUR8D8F.exe] C:\Windows\system32\YUR8D8F.exe
O4 - HKCU\..\Run: [\YUR7F7B.exe] C:\Windows\system32\YUR7F7B.exe
O4 - HKCU\..\Run: [\YUR782B.exe] C:\Windows\system32\YUR782B.exe
O4 - HKCU\..\Run: [\YUR6E2.exe] C:\Windows\system32\YUR6E2.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: pfgzct.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe

--
End of file - 9516 bytes


#2 losty77

  • Topic Starter
  • Members
  • 24 posts

Posted 19 September 2008 - 09:48 PM

These are the popup errors from my Vista:

control.exe - Ordinal Not Found
The ordinal 7 could not be located in the dynamic link library sfc_os.dll

==============
sidebar.exe - Ordinal Not Found
The ordinal 7 could not be located in the dynamic link library sfc_os.dll

==============

Windows host process (rundll32) has stopped working
A problem caused the program to stop working correctly.
Windows will close the program and notify you if a solution is available.

==============

Alob.POrn.Ad adware also pops up too! Scanned but can't get it out.

=====

I don't dare touch this PC again because the more I touch it the worse it gets. I so need help :)

Jason

Edited by losty77, 19 September 2008 - 09:50 PM.


#3 losty77

  • Topic Starter
  • Members
  • 24 posts

Posted 20 September 2008 - 05:15 AM

I ran Malwarebytes' Anti-Malware and it seems to have cleared all the viruses and adware, but every time I start the PC I get this message:

Sidebar.exe - Ordinal Not Found
The ordinal 7 could not be located in the dynamic link library sfc_os.dll

========================================================

Malwarebytes' Anti-Malware 1.28
Database version: 1180
Windows 6.0.6001 Service Pack 1

9/20/2008 12:57:44 PM
mbam-log-2008-09-20 (12-57-44).txt

Scan type: Quick Scan
Objects scanned: 39576
Time elapsed: 1 minute(s), 28 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 12
Registry Values Infected: 58
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 28

Memory Processes Infected:
C:\Windows\System32\YUR6E2.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Windows\System32\yayvTlIX.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\pfgzct.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a46641e3-51de-44d0-8bd6-14cc35e8cdd7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a46641e3-51de-44d0-8bd6-14cc35e8cdd7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a8985ffb-2a33-4471-afb0-b37ff5c53fd3} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a8985ffb-2a33-4471-afb0-b37ff5c53fd3} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\06e13f21 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6e2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6e2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur60a5.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur60a5.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7521.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur761b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur79d2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7b97.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurfa86.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6660.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6631.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur68a1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurfdbe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6aa4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6891.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yure30e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurc551.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurc937.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur67d6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7628.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7a0f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7963.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7232.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7270.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur3496.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yura3ec.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur8e5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur8d8f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7f7b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur782b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7521.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur761b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur79d2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7b97.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurfa86.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6631.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6660.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur68a1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurfdbe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6aa4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur6891.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yure30e.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurc551.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yurc937.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur67d6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7628.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7a0f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7963.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7232.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7270.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur3496.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yura3ec.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur8e5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur8d8f.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur7f7b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur782b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yayvtlix -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayvtlix -> Delete on reboot.

Folders Infected:
C:\Program Files\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\pfgzct.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\yayvTlIX.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\XIlTvyay.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\XIlTvyay.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\pxtltwkp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\pkwtltxp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\rpsygcnp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\pncgyspr.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\YUR6E2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\YUR60A5.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\atpexmjx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\ehotuehi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\vwgaur.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\wtlgxxeh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV.ooo (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV0.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV1.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Windows\System32\YUR7628.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Users\User\Desktop\Micro Antivirus 2009.lnk (Rogue.XPertAntivirus) -> Quarantined and deleted successfully.

#4 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 02 October 2008 - 04:12 PM

Welcome to BleepingComputer.com

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the reply button in the lower left-hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
If you would still like help, please follow the instructions below:

We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • Kaspersky's Log

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Location:Redmond, Washington

Posted 04 October 2008 - 08:19 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.