Trojan-downloader.conhook
Hello everybody !
Somehow my laptop is infected with what "PC Tools Spyware Doctor" calls Trojan-Downloader.ConHook.
Bitdefender 2008 does not see it.
The symptoms are as follows: at startup some program or ****** overrules the privacy setting in "Internet Options" and allows all cookies.
Left unchecked, it tries to open all kinds of web pages and download all kinds of Trojans etc.
The following suspect registry values recreate themselves after deletion.
Threat Name - Trojan-Downloader.ConHook
Type - Registry Key
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-3213442940-3722362377-2370026465-1004\Software\Microsoft\MS Juan
Threat Name - Trojan-Downloader.ConHook
Type - Registry Value
Risk Level - High
Infection - HKEY_USERS\S-1-5-21-3213442940-3722362377-2370026465-1004\Software\Microsoft\MS Juan, (Default)
Please help me remove this pest!
I will post the HijackThis log next.
Thanks
Attachment: hijackthis.rar
Comments
Next time, simply paste the content of the log here. If you attach the file on Malware talk, only mods/sm/vr will be able to download it.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:19 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ezSP_Px.exe
\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apvfb.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
\Program Files\UPHClean\uphclean.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\mqsvc.exe
\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Andrei
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - \Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Zoom &In - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm
O8 - Extra context menu item: Zoom &Out - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - \Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121775805920
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136462966394
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - \Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - \Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - \Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 8091 bytes
Next time, simply paste the content of the log here. If you attach the file on Malware talk, only mods/sm/vr will be able to download it.
Thanks, how about some suggestions on how to deal with the above!
Hi,
I think you have got a ConHook variant which hides itself from HijackThis, as I can't find any suspicious entry.
1. Try VundoFix first (instructions given below).
- Download VundoFix by Atribune to your desktop.
- Double-click VundoFix.exe to run it.
- When VundoFix opens, click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
In this case, VundoFix will run on reboot; simply follow the instructions above, starting from "Click the Scan for Vundo button", when VundoFix appears at reboot.
2. Then run hijackthis, close all open windows, run scan, check the following entry and click on fix:
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
This one looks to me like it can be fixed also:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Andrei
3. Please post the contents of C:\vundofix.txt and a new HiJackThis log in this thread.
In case you have removed the infection and don't want to post the result, remove VundoFix and its .txt file from your system.
Hi,
I think you have got a ConHook variant which hides itself from HijackThis, as I can't find any suspicious entry.
Will do and post.
Hi,
I think you have got a ConHook variant which hides itself from HijackThis, as I can't find any suspicious entry.
1. Try VundoFix first (instructions given below).
As you will see below, VundoFix found a few files and fixed them; together with HijackThis the infestation might have been stopped.
Thanks, give me a few days to make sure.
VundoFix V6.7.7
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 6:50:15 PM 12/29/2007
Listing files found while scanning....
C:\WINDOWS\system32\ciytkdgw.dll
C:\WINDOWS\system32\dqdoaxkk.ini
C:\WINDOWS\system32\fmlhjhtp.dll
C:\WINDOWS\system32\gteertqy.dll
C:\WINDOWS\system32\hiqlaoyk.dll
C:\WINDOWS\system32\kkxaodqd.dll
C:\WINDOWS\system32\ljhfe.dll
C:\WINDOWS\system32\nohvbchm.dll
C:\WINDOWS\system32\otbmaaeh.dll
C:\WINDOWS\system32\pthjhlmf.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ciytkdgw.dll
C:\WINDOWS\system32\ciytkdgw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\dqdoaxkk.ini
C:\WINDOWS\system32\dqdoaxkk.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\fmlhjhtp.dll
C:\WINDOWS\system32\fmlhjhtp.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gteertqy.dll
C:\WINDOWS\system32\gteertqy.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hiqlaoyk.dll
C:\WINDOWS\system32\hiqlaoyk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kkxaodqd.dll
C:\WINDOWS\system32\kkxaodqd.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ljhfe.dll
C:\WINDOWS\system32\ljhfe.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nohvbchm.dll
C:\WINDOWS\system32\nohvbchm.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\otbmaaeh.dll
C:\WINDOWS\system32\otbmaaeh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pthjhlmf.ini
C:\WINDOWS\system32\pthjhlmf.ini Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:01 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ezSP_Px.exe
\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apvfb.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
\Program Files\UPHClean\uphclean.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\mqsvc.exe
\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15F4A2B3-3119-4658-98E2-EB7B3C53DCDD} - C:\WINDOWS\system32\ljhfe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} - (no file)
O2 - BHO: InlineSearchHandleHotKeys Class - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - \Program Files\Core Services\Inline Search\InlineSearch.dll
O2 - BHO: {f7feb0eb-f21f-5409-0324-f7dd75448a8c} - {c8a84457-dd7f-4230-9045-f12fbe0bef7f} - C:\WINDOWS\system32\hoksfkyw.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - \Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: (no name) - {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - \Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [sonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Zoom &In - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm
O8 - Extra context menu item: Zoom &Out - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - \Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121775805920
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136462966394
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: wvuusqp - wvuusqp.dll (file missing)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - \Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - \Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - \Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 8840 bytes
Good work. Your HijackThis log is much better now. It is showing the BHO items and the infected (and removed) Winlogon.
But to make sure I suggest the following steps:
· Remove old Java versions due to security vulnerability. Go to start-control panel- add or remove programs and uninstall/remove all old versions of Java (Java version 1.4.2.3 and 1.4.2.5).
· Find the "hoksfkyw.dll" (C:\WINDOWS\system32\hoksfkyw.dll). It may be hidden. Unhide it by going to start-control panel- folder options- view- check display the contents of system folders, check show hidden files and folders, uncheck hide extensions for known file types, click on apply.
· Please make a copy, zip it password protected (password: "infected") and send it to a new topic. It helps future prevention when it is added to the database. Read this for more information.
· Close all windows including this one. Run HijackThis, click "Do a system scan only", check the following item and click on fix checked.
O2 - BHO: {f7feb0eb-f21f-5409-0324-f7dd75448a8c} - {c8a84457-dd7f-4230-9045-f12fbe0bef7f} - C:\WINDOWS\system32\hoksfkyw.dll
· Then check if the file is removed. If the file is not removed it may be in use. In that case go to safe mode and remove "hoksfkyw.dll" manually.
· Run VundoBeGone to scan your computer. To do that:
1. Click here to download VundoBeGone and place it on your desktop.
2. Run VundoBeGone.exe and follow the instructions; when it finishes it restarts the computer, and you may experience a BSOD (blue screen); this is normal.
Restart computer manually if needed.
When it finishes it creates a log: VirtumundoBegone (VBG.txt) on your desktop.
Please post the log with a new hijackthis log.
At the next step, when your system is totally clean, we will fix the leftover items in HijackThis.
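The helper's triage above comes down to a few signals in the HijackThis log: BHO or toolbar entries with "(no name)" or a bare CLSID as their name, entries whose file is already gone ("(no file)", "(file missing)"), Winlogon Notify hooks, and randomly named DLLs in system32. The following script, an added example that is not part of this thread or of HijackThis, VundoFix or VundoBeGone, applies those same heuristics to a constructed subset of the log lines posted above. The reason strings, the 5-to-8-lowercase-letter "random name" test and the treatment of the random-name test as a secondary signal only are assumptions of this example, chosen so that legitimate lowercase system DLLs are not flagged on their own.

```python
"""Triage a HijackThis-style log for Vundo/ConHook-type entries (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of lines from the HijackThis logs posted in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {15F4A2B3-3119-4658-98E2-EB7B3C53DCDD} - C:\WINDOWS\system32\ljhfe.dll (file missing)",
    r"O2 - BHO: (no name) - {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} - (no file)",
    r"O2 - BHO: {f7feb0eb-f21f-5409-0324-f7dd75448a8c} - {c8a84457-dd7f-4230-9045-f12fbe0bef7f} - C:\WINDOWS\system32\hoksfkyw.dll",
    r"O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)",
    r"O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - \Program Files\BitDefender\BitDefender 2008\IEToolbar.dll",
    r"O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe",
    r"O20 - Winlogon Notify: wvuusqp - wvuusqp.dll (file missing)",
]

# Reason labels (assumed names for this example).
ORPHAN = "orphaned: registered but file absent"
UNNAMED = "unnamed BHO/toolbar"
WINLOGON = "Winlogon Notify hook"
RANDOM = "random-looking DLL name"

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
RANDOM_DLL_RE = re.compile(r"^[a-z]{5,8}\.dll$")        # heuristic, see lead-in
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<path>.*)")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str            # e.g. "O2", "O20"
    kind: str               # e.g. "BHO", "Toolbar", "Winlogon Notify"
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one log line into section, kind, name and path; None if not a HJT line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    kind, _, body = rest.partition(": ")
    if section == "O4":                      # "[name] path" layout
        m4 = O4_RE.match(body)
        if m4:
            return Entry(section, kind, m4["name"], m4["path"])
    parts = [p.strip() for p in body.split(" - ")]
    path = parts[-1] if len(parts) >= 2 else ""
    return Entry(section, kind, parts[0], path)


def _filename(path):
    """Bare lowercase file name with any orphan marker removed."""
    for marker in ORPHAN_MARKERS:
        path = path.replace(marker, "")
    return path.strip().rsplit("\\", 1)[-1].lower()


def triage(entry):
    """Attach reasons to an entry; an empty list means nothing looked off."""
    reasons = []
    if entry.path.endswith(ORPHAN_MARKERS):
        reasons.append(ORPHAN)
    if entry.kind in ("BHO", "Toolbar") and (entry.name == "(no name)" or CLSID_RE.match(entry.name)):
        reasons.append(UNNAMED)
    if entry.kind == "Winlogon Notify":
        reasons.append(WINLOGON)
    # Random-looking name only counts when another signal is already present,
    # so legitimate lowercase system DLLs (ieframe.dll, ssv.dll) are not flagged alone.
    if reasons and RANDOM_DLL_RE.match(_filename(entry.path)):
        reasons.append(RANDOM)
    entry.reasons = reasons
    return reasons


def triage_log(lines):
    """Return the entries worth a closer look, in log order."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and triage(entry):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section:4} {e.kind}: {e.name} -> {e.path}")
        for r in e.reasons:
            print(f"       - {r}")
```

Running it against the sample flags five of the eight lines: the two unnamed BHOs, the CLSID-named BHO pointing at hoksfkyw.dll, the orphaned toolbar and the Winlogon Notify hook; the Adobe and BitDefender entries and the igfxpers Run key pass through untouched, which matches what the helper chose to fix.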
Good work. Your HijackThis log is much better now. It is showing the BHO items and the infected (and removed) Winlogon.
But to make sure I suggest the following steps:
· Remove old Java versions due to security vulnerability. Go to start-control panel- add or remove programs and uninstall/remove all old versions of Java (Java version 1.4.2.3 and 1.4.2.5).
· Find the "hoksfkyw.dll" (C:\WINDOWS\system32\hoksfkyw.dll). It may be hidden. Unhide it by going to start-control panel- folder options- view- check display the contents of system folders, check show hidden files and folders, uncheck hide extensions for known file types, click on apply.
· Please make a copy, zip it password protected (password: "infected") and send it to a new topic. It helps future prevention when it is added to the database. Read this for more information.
· Close all windows including this one. Run HijackThis, click "Do a system scan only", check the following item and click on fix checked.
O2 - BHO: {f7feb0eb-f21f-5409-0324-f7dd75448a8c} - {c8a84457-dd7f-4230-9045-f12fbe0bef7f} - C:\WINDOWS\system32\hoksfkyw.dll
· Then check if the file is removed. If the file is not removed it may be in use. In that case go to safe mode and remove "hoksfkyw.dll" manually.
· Run VundoBeGone to scan your computer. To do that:
OK, here's where we are: after rebooting, my privacy settings were reset again. I ran VundoFix once again; it found and deleted the dll you were looking for, together with a couple of other ones.
VundoBeGone did not find anything.
I fixed the BHOs in HijackThis; there are a couple of other ones without any files attached. Will wait for further instructions and post the new logs.
[12/30/2007, 15:25:16] - VirtumundoBeGone v1.5 ( "D:\Software downloads\VirtumundoBeGone.exe" )
[12/30/2007, 15:25:21] - Detected System Information:
[12/30/2007, 15:25:21] - Windows Version: 5.1.2600, Service Pack 2
[12/30/2007, 15:25:21] - Current Username: Andrei Tudoran (Admin)
[12/30/2007, 15:25:21] - Windows is in NORMAL mode.
[12/30/2007, 15:25:21] - Searching for Browser Helper Objects:
[12/30/2007, 15:25:22] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/30/2007, 15:25:22] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/30/2007, 15:25:22] - BHO 3: {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} ()
[12/30/2007, 15:25:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/30/2007, 15:25:22] - No filename found. Continuing.
[12/30/2007, 15:25:22] - BHO 4: {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} (InlineSearchHandleHotKeys Class)
[12/30/2007, 15:25:22] - BHO 5: {CC7E636D-39AA-49b6-B511-65413DA137A1} (IE Developer Toolbar BHO)
[12/30/2007, 15:25:22] - BHO 6: {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} ()
[12/30/2007, 15:25:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/30/2007, 15:25:22] - No filename found. Continuing.
[12/30/2007, 15:25:22] - Finished Searching Browser Helper Objects
[12/30/2007, 15:25:22] - Finishing up...
[12/30/2007, 15:25:22] - Nothing found! Exiting...
[12/30/2007, 15:36:50] - VirtumundoBeGone v1.5 ( "D:\Software downloads\VirtumundoBeGone.exe" )
[12/30/2007, 15:36:52] - Detected System Information:
[12/30/2007, 15:36:52] - Windows Version: 5.1.2600, Service Pack 2
[12/30/2007, 15:36:52] - Current Username: Andrei Tudoran (Admin)
[12/30/2007, 15:36:52] - Windows is in NORMAL mode.
[12/30/2007, 15:36:52] - Searching for Browser Helper Objects:
[12/30/2007, 15:36:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/30/2007, 15:36:52] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/30/2007, 15:36:52] - BHO 3: {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} ()
[12/30/2007, 15:36:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/30/2007, 15:36:52] - No filename found. Continuing.
[12/30/2007, 15:36:52] - BHO 4: {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} (InlineSearchHandleHotKeys Class)
[12/30/2007, 15:36:52] - BHO 5: {CC7E636D-39AA-49b6-B511-65413DA137A1} (IE Developer Toolbar BHO)
[12/30/2007, 15:36:52] - BHO 6: {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} ()
[12/30/2007, 15:36:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/30/2007, 15:36:52] - No filename found. Continuing.
[12/30/2007, 15:36:52] - Finished Searching Browser Helper Objects
[12/30/2007, 15:36:52] - Finishing up...
[12/30/2007, 15:36:52] - Nothing found! Exiting...
VundoFix V6.7.7
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 8:54:37 AM 12/30/2007
Listing files found while scanning....
C:\WINDOWS\system32\hoksfkyw.dll
C:\WINDOWS\system32\ijdulmpl.ini
C:\WINDOWS\system32\lpmludji.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\hoksfkyw.dll
C:\WINDOWS\system32\hoksfkyw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ijdulmpl.ini
C:\WINDOWS\system32\ijdulmpl.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\lpmludji.dll
C:\WINDOWS\system32\lpmludji.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.7.7
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 10:38:39 AM 12/30/2007
Listing files found while scanning....
No infected files were found.
Removed old Java and will post the VundoFix backup with the infected files; remove the "bad" extension!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:04 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
\Program Files\UPHClean\uphclean.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\mqsvc.exe
\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Apoint\Apvfb.exe
\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe
\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} - (no file)
O2 - BHO: InlineSearchHandleHotKeys Class - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - \Program Files\Core Services\Inline Search\InlineSearch.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - \Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O2 - BHO: (no name) - {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - \Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [sonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Zoom &In - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm
O8 - Extra context menu item: Zoom &Out - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - \Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121775805920
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136462966394
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: wvuusqp - wvuusqp.dll (file missing)
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - \Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - \Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - \Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 8574 bytes
Hi again,
The browser hijacker is gone and there is no more infection in your HijackThis log. I expect you have got control over your browser again. Still, run VundoFix once to make sure there are no leftover files. After that, let's do some cleaning:
1. Run HijackThis, close all windows including this one, click "Do a system scan only", check the following items and click on "Fix checked":
O2 - BHO: (no name) - {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} - (no file)
O2 - BHO: (no name) - {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} - (no file)
O20 - Winlogon Notify: wvuusqp - wvuusqp.dll (file missing)
2. Empty your Temp folder. To do this:
First, unhide the Temp folder by going to Start - Control Panel - Folder Options - View; check "Display the contents of system folders" and "Show hidden files and folders". If you have not returned the setting to default (I believe you have done this before), you don't need to do it again.
Second, reboot your computer, then go to C:\Documents and Settings\Andrei Tudoran\Local Settings\Temp. Open Temp, click on one of the files inside it, then press Ctrl+A to select all the contents and Delete to empty your Temp folder.
3. Go to Start - Control Panel - Internet Options - General, click Delete, then Delete All, and check "Also delete files and settings stored by add-ons".
4. Go to Start - Run, type "cleanmgr.exe" (without the quotes); it shows the C drive to be cleaned. Click OK, then check all the items, or at least Temporary Internet Files, Temporary Files and Recycle Bin. Click OK to confirm.
5. Reboot and check if your computer is running fine. Then empty your restore volume to stop Windows recovery from re-creating the infection. To do that, go to Start - Control Panel - System - System Restore and check "Turn off System Restore on all drives". Click Apply. By doing this you lose all your (often infected) restore points. Reboot, and don't forget to uncheck "Turn off System Restore" again to create a clean restore point.
6. Update Spyware Doctor and do a complete scan; it eventually removes the (harmless) registry leftovers. Update BitDefender and do a deep scan. Remove VundoFix and VundoBeGone.
If you need further assistance report back. Don't forget: Prevention is better than cure.
Success!
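The entries the helper asks to tick in step 1 are the log lines HijackThis tags with "(no file)" or "(file missing)": a registration that survived after its file was removed. As an added example (not part of this thread, and not code from HijackThis or PC Tools), the following Python script pulls those orphaned entries out of a log and separates the O2 BHO and O20 Winlogon Notify ones the helper singled out from the rest; the sample log lines are constructed in the format shown in the thread.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis v2 log format (same entry kinds as the
# thread's log; two O2 BHOs and the O20 Winlogon Notify entry are orphaned).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} - (no file)
O2 - BHO: (no name) - {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: wvuusqp - wvuusqp.dll (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# Markers HijackThis appends when the registered file is absent from disk.
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Return the section entries of a log; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def orphaned_entries(log_text: str) -> List[Dict[str, str]]:
    """Entries whose target file is gone: the registration survived, the file did not."""
    return [e for e in parse_entries(log_text) if e["body"].endswith(MISSING_MARKERS)]


def fix_candidates(log_text: str) -> List[str]:
    """Orphaned O2 (BHO) and O20 (Winlogon Notify) entries, formatted as log lines.

    These are the kinds the helper tells the poster to "Fix checked": a BHO with
    no file is dead weight that a reinfection can re-point, and a Winlogon Notify
    DLL is loaded into winlogon.exe at every logon, so a missing one is exactly
    the leftover the helper flags. Orphaned O9 buttons (Messenger) stay reported only.
    """
    return [f"{e['section']} - {e['body']}" for e in orphaned_entries(log_text)
            if e["section"] in ("O2", "O20")]


if __name__ == "__main__":
    for line in fix_candidates(SAMPLE_LOG):
        print("fix:", line)
```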
6. Update Spyware Doctor and do a complete scan; it eventually removes the (harmless) registry leftovers. Update BitDefender and do a deep scan. Remove VundoFix and VundoBeGone.
If you need further assistance report back. Don't forget: Prevention is better than cure.
Success!
Done everything, computer squeaky clean!
Thanks for your help, it was a learning experience.
You are welcome soidog2. I am glad everything is fine.
Have a nice day, and a happy new year in advance.