Print this out for reference during the fix as for part of it you will be in Safe Mode and unable to access this site.
Download SDFix and save it to your Desktop. Don't run it yet.
Run HijackThis and place checks beside the following:
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\agkxptkg.dll (file missing)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {62B25A6F-1FE3-453C-BF2C-DE490A6F8011} - C:\WINDOWS\system32\vtsqq.dll (file missing)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\wmplayer.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {B9697716-61E6-4FBC-89FD-EAC504D9EFE3} - C:\WINDOWS\system32\khffeby.dll (file missing)
O2 - BHO: (no name) - {B96DD6E3-2E26-4544-BD68-1C17DCE3D813} - C:\WINDOWS\system32\vhaarkeb.dll (file missing)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
Close all open browsers/windows and click the Fix button.
Boot into Safe Mode. To do this:
[*]Reboot your computer.
[*]Tap the F8 button as your computer is booting to bring you to an Advanced Options Menu.
[*]Select Safe Mode and press Enter.
Unhide System files. To do this:
[*]Close all programs so that you are at your desktop.
[*]Double-click on the My Computer icon (or click Start, then select My Computer).
[*]Select the Tools menu and click Folder Options.
[*]After the new window appears select the View tab.
[*]Put a checkmark in the checkbox labeled Display the contents of system folders.
[*]Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
[*]Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
[*]Remove the checkmark from the checkbox labeled Hide protected operating system files.
[*]Press the Apply button and then the OK button and shut down My Computer.
Now your computer is configured to show all hidden files.
Search for and delete these Files:
C:\Program Files\ie_updater.exe
C:\WINDOWS\system32\rpcc.exe
C:\WINDOWS\system32\nxvuvekn.dll
C:\WINDOWS\system32\svchosts.exe (DO NOT delete svchost.exe, that is a valid file.)
C:\Windows\xpupdate.exe
C:\wmplayer.dll
Use the Windows Search function (Windows Key+F) to search for and delete this File:
tcpipmon.exe
Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
[*] Open the extracted SDFix folder and double click RunThis.bat to start the script.
[*] Type Y to begin the cleanup process.
[*] It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
[*] Press any Key and it will restart the PC.
[*] When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
[*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please do an online scan with Kaspersky WebScanner. Click on Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
[*]The program will launch and then begin downloading the latest definition files.
[*]Once the files have been downloaded click on NEXT.
[*]Now click on Scan Settings.
[*]In the scan settings make sure that the following are selected:
[*]Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
[*]Scan Options: Scan Archives, Scan Mail Bases
[*]Click OK.
[*]Now under select a target to scan: Select My Computer.
[*]The program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.
[*]Now click on the Save as Text button.
[*]Save the file to your desktop.
Post the contents of the Kaspersky scan, Report.txt and a new HijackThis log please.
@Fredil - Yes... he has had a Vundo infection (along with others) from the beginning. Evidenced by the lack of O2's and O20's in the original logs. You'll notice they showed up after I had him rename HijackThis.exe to kota.exe. Some variants of Vundo will hide those lines in a HjT log if HijackThis.exe is not renamed to something other than HijackThis.exe.
This O4 is also a Vundo indicator...
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\nxvuvekn.dll",setvm
One thing you must do that I've noticed you haven't been doing is instructing them to delete bad files/folders after you've fixed lines with HijackThis. Just fixing the lines will not delete the files... you need to instruct them to delete the files/folders to ensure you've cleaned the system properly.
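As an added example (not part of the original post and not a HijackThis or SDFix feature), a small triage script that applies the points made in this thread to the log lines quoted above: it flags orphaned O2 entries, unnamed BHOs loading a DLL from system32 or the drive root, and the rundll32 O4 autorun, and for each one says whether a file must be deleted after the line is fixed. The "Example Helper" entry is constructed for contrast and is assumed benign.

```python
import re

# Constructed sample: lines taken from the HijackThis log posted above, plus one
# made-up benign BHO entry (assumed, not from the log) to show what is NOT flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\agkxptkg.dll (file missing)
O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\wmplayer.dll
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\nxvuvekn.dll",setvm
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.*?): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)

def suspicious_location(path):
    """System32 or the drive root: where the Vundo DLLs in this thread were dropped."""
    p = path.lower()
    return "\\system32\\" in p or re.fullmatch(r"[a-z]:\\[^\\]+", p) is not None

def triage(log_text):
    """Return (clsid_or_run_value, reason) for each O2/O4 line worth fixing."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O2_RE.match(line)
        if m:
            name, path = m["name"], m["path"]
            if path == "(no file)" or path.endswith("(file missing)"):
                # Nothing on disk: fixing the line in HijackThis is enough.
                findings.append((m["clsid"], "orphaned BHO entry: fix in HijackThis"))
            elif name == "(no name)" and suspicious_location(path):
                # DLL still present: fixing the line alone leaves the file behind.
                findings.append((m["clsid"], f"unnamed BHO loading {path}: fix line, then delete file"))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m["cmd"])
            if r and suspicious_location(r["dll"]):
                findings.append((m["value"], f"rundll32 autorun of {r['dll']}: fix line, then delete file"))
    return findings

if __name__ == "__main__":
    for ident, reason in triage(SAMPLE_LOG):
        print(f"{ident}: {reason}")
```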