Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Having trouble removing Vundo with normal ways


  • This topic is locked This topic is locked

#1
ZeframCochrane

ZeframCochrane

    New Member

  • Member
  • Pip
  • 3 posts
I have recently been infected by Vundo, I ran VundoFix, which found a file and deleted it, but the problem wasn't solved. Now VundoFix insists to say there are no files, but I still get nasty pop-ups.
I tried VirtumundoBeGone and SDFix too. But problems are still there.
Please help, I really don't know what else to do, I have tried everything that was advised...

This are both VirtumundoBeGone's VBG.txt file and HijackThis' log:

VBG.txt:

[05/17/2008, 20:05:03] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Flavio\Desktop\VirtumundoBeGone.exe" )
[05/17/2008, 20:05:07] - Detected System Information:
[05/17/2008, 20:05:07] - Windows Version: 5.1.2600, Service Pack 2
[05/17/2008, 20:05:07] - Current Username: Flavio (Admin)
[05/17/2008, 20:05:07] - Windows is in NORMAL mode.
[05/17/2008, 20:05:07] - Searching for Browser Helper Objects:
[05/17/2008, 20:05:07] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Supporto di collegamento per Adobe PDF Reader)
[05/17/2008, 20:05:07] - BHO 2: {22b4f5d8-40b4-4ebc-868d-68661b3b0d7b} ()
[05/17/2008, 20:05:07] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:05:07] - Checking for HKLM\...\Winlogon\Notify\mrfexrqc
[05/17/2008, 20:05:08] - Key not found: HKLM\...\Winlogon\Notify\mrfexrqc, continuing.
[05/17/2008, 20:05:08] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/17/2008, 20:05:08] - BHO 4: {7087AC6E-000A-471A-ACF0-0D94BD28197C} ()
[05/17/2008, 20:05:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:05:08] - Checking for HKLM\...\Winlogon\Notify\efcCrSij
[05/17/2008, 20:05:08] - Key not found: HKLM\...\Winlogon\Notify\efcCrSij, continuing.
[05/17/2008, 20:05:08] - BHO 5: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[05/17/2008, 20:05:08] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/17/2008, 20:05:08] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/17/2008, 20:05:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:05:08] - No filename found. Continuing.
[05/17/2008, 20:05:08] - BHO 8: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[05/17/2008, 20:05:08] - BHO 9: {C108AE59-C97F-4517-8B74-5590BE3C2A82} ()
[05/17/2008, 20:05:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:05:08] - Checking for HKLM\...\Winlogon\Notify\hgGvSJDt
[05/17/2008, 20:05:08] - Found: HKLM\...\Winlogon\Notify\hgGvSJDt - This is probably Virtumundo.
[05/17/2008, 20:05:08] - Assigning {C108AE59-C97F-4517-8B74-5590BE3C2A82} MSEvents Object
[05/17/2008, 20:05:08] - BHO list has been changed! Starting over...
[05/17/2008, 20:05:08] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Supporto di collegamento per Adobe PDF Reader)
[05/17/2008, 20:05:08] - BHO 2: {22b4f5d8-40b4-4ebc-868d-68661b3b0d7b} ()
[05/17/2008, 20:05:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:05:08] - Checking for HKLM\...\Winlogon\Notify\mrfexrqc
[05/17/2008, 20:05:08] - Key not found: HKLM\...\Winlogon\Notify\mrfexrqc, continuing.
[05/17/2008, 20:05:08] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/17/2008, 20:05:08] - BHO 4: {7087AC6E-000A-471A-ACF0-0D94BD28197C} ()
[05/17/2008, 20:05:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:05:08] - Checking for HKLM\...\Winlogon\Notify\efcCrSij
[05/17/2008, 20:05:08] - Key not found: HKLM\...\Winlogon\Notify\efcCrSij, continuing.
[05/17/2008, 20:05:08] - BHO 5: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[05/17/2008, 20:05:08] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/17/2008, 20:05:08] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/17/2008, 20:05:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:05:08] - No filename found. Continuing.
[05/17/2008, 20:05:08] - BHO 8: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[05/17/2008, 20:05:08] - BHO 9: {C108AE59-C97F-4517-8B74-5590BE3C2A82} (MSEvents Object)
[05/17/2008, 20:05:08] - ALERT: Found MSEvents Object!
[05/17/2008, 20:05:08] - Finished Searching Browser Helper Objects
[05/17/2008, 20:05:08] - *** Detected MSEvents Object
[05/17/2008, 20:05:08] - Trying to remove MSEvents Object...
[05/17/2008, 20:05:09] - Terminating Process: IEXPLORE.EXE
[05/17/2008, 20:05:10] - Terminating Process: RUNDLL32.EXE
[05/17/2008, 20:05:10] - Disabling Automatic Shell Restart
[05/17/2008, 20:05:10] - Terminating Process: EXPLORER.EXE
[05/17/2008, 20:05:10] - Suspending the NT Session Manager System Service
[05/17/2008, 20:05:10] - Terminating Windows NT Logon/Logoff Manager
[05/17/2008, 20:05:11] - Re-enabling Automatic Shell Restart
[05/17/2008, 20:05:11] - File to disable: C:\WINDOWS\system32\hgGvSJDt.dll
[05/17/2008, 20:05:11] - Renaming C:\WINDOWS\system32\hgGvSJDt.dll -> C:\WINDOWS\system32\hgGvSJDt.dll.vir
[05/17/2008, 20:05:11] - File successfully renamed!
[05/17/2008, 20:05:11] - Removing HKLM\...\Browser Helper Objects\{C108AE59-C97F-4517-8B74-5590BE3C2A82}
[05/17/2008, 20:05:11] - Removing HKCR\CLSID\{C108AE59-C97F-4517-8B74-5590BE3C2A82}
[05/17/2008, 20:05:12] - Adding Kill Bit for ActiveX for GUID: {C108AE59-C97F-4517-8B74-5590BE3C2A82}
[05/17/2008, 20:05:12] - Deleting ATLEvents/MSEvents Registry entries
[05/17/2008, 20:05:12] - Removing HKLM\...\Winlogon\Notify\hgGvSJDt
[05/17/2008, 20:05:12] - Searching for Browser Helper Objects:
[05/17/2008, 20:05:12] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Supporto di collegamento per Adobe PDF Reader)
[05/17/2008, 20:05:12] - BHO 2: {22b4f5d8-40b4-4ebc-868d-68661b3b0d7b} ()
[05/17/2008, 20:05:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:05:12] - Checking for HKLM\...\Winlogon\Notify\mrfexrqc
[05/17/2008, 20:05:12] - Key not found: HKLM\...\Winlogon\Notify\mrfexrqc, continuing.
[05/17/2008, 20:05:12] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[05/17/2008, 20:05:12] - BHO 4: {7087AC6E-000A-471A-ACF0-0D94BD28197C} ()
[05/17/2008, 20:05:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:05:12] - Checking for HKLM\...\Winlogon\Notify\efcCrSij
[05/17/2008, 20:05:12] - Key not found: HKLM\...\Winlogon\Notify\efcCrSij, continuing.
[05/17/2008, 20:05:12] - BHO 5: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[05/17/2008, 20:05:12] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/17/2008, 20:05:12] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/17/2008, 20:05:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/17/2008, 20:05:12] - No filename found. Continuing.
[05/17/2008, 20:05:12] - BHO 8: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[05/17/2008, 20:05:12] - Finished Searching Browser Helper Objects
[05/17/2008, 20:05:12] - Finishing up...
[05/17/2008, 20:05:12] - A restart is needed.
[05/17/2008, 20:05:26] - Attempting to Restart via STOP error (Blue Screen!)


HJThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.37.16, on 17/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\Programmi\Raxco\PerfectDisk\PDEngine.exe
C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe
C:\Programmi\LClock\lclock.exe
C:\Programmi\Windows Live\Messenger\msnmsgr.exe
C:\Programmi\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
C:\Programmi\File comuni\Nero\Lib\NMIndexStoreSvr.exe
C:\Programmi\Google\Google Updater\GoogleUpdater.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\Programmi\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmi\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [d8238aba] rundll32.exe "C:\WINDOWS\system32\kytbxryf.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BMdb10b926] Rundll32.exe "C:\WINDOWS\system32\clddrvsi.dll",s
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LClock] C:\Programmi\LClock\lclock.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Programmi\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [\\NOTEBOOK\EPSON Stylus DX7000F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBKE.EXE /FU "C:\DOCUME~1\Flavio\IMPOST~1\Temp\E_S9.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Programmi\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Post Image to Blog - res://C:\Programmi\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\Programmi\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Transload Image to ImageShack - res://C:\Programmi\ImageShackToolbar\ImageShackToolbar.dll/5004
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\Programmi\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\Programmi\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Invia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: I&nvia a OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail....es/MSNPUpld.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.image...hackToolbar.cab
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-w...agi3.0.84.2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programmi\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programmi\File comuni\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programmi\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmi\File comuni\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programmi\Raxco\PerfectDisk\PDEngine.exe

--
End of file - 9450 bytes
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [d8238aba] rundll32.exe "C:\WINDOWS\system32\kytbxryf.dll",b
O4 - HKLM\..\Run: [BMdb10b926] Rundll32.exe "C:\WINDOWS\system32\clddrvsi.dll",s


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\kytbxryf.dll
C:\WINDOWS\system32\clddrvsi.dll


Don't worry if you have problems removing the two fiiles above....

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.
  • 0

#3
ZeframCochrane

ZeframCochrane

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Very clear instructions. Thanks, I am very grateful.
I have not yet proceeded to follow them, because I have a question, and I understand that due to the random nature of the names of the files, it is of the utmost importance to get rid them at the first try.

When you mention to delete the two DLLs, and you say that I may have trouble deleting them, what should I do if I don't manage to delete them? Will the following step (Combofix) allow me to delete either of the two DLLs?
Or should I just try deleting them manually until they do accept to be deleted?

Edited by ZeframCochrane, 17 May 2008 - 02:58 PM.

  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Don't even worry about the two files if you can't delete or find them. They can change their names. We'll take care of it in the next step after you do the fixes.
  • 0

#5
ZeframCochrane

ZeframCochrane

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I very much appreciate you help, but I must admit I have in the meantime decided to give in and refomat my hard drive and install a fresh copy of my OS (I do it periodically, and it was about time I did it anyway).
Please feel free to close this thread, or tag it as Solved, or in any way you see fit.

Many thanks, as your help has been much appreciated anyway.
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

I will close this topic now.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP