Help with Vundo Please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by drumboy35, May 16, 2007.

  1. drumboy35

    drumboy35 Private E-2

    Hi, I have been infected by Vundo. I have followed your removal guide and run vundofix afterwards, but it is still present. I ran vundofix until no files were found several times, but it just comes back. Counterspy found Backdoor.Shellbot which I have already removed once before. Any help that you can give would be greatly appreciated.
     

    Attached Files:

  2. drumboy35

    drumboy35 Private E-2

    Here's the rest of the logs.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You appear to have skipped step 2 of the READ ME. Please do it now so that the malware files cannot hide from you.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    Mozilla Firefox (1.0.6)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Also uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Continue by downloading two tools we will need

    - ProcessExplorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen, click on each instance of any of the below DLL files (if found) and then click the kill button.
    agphgdh.dll
    cryotn.dll
    doxihoof.dll
    rwofmogs.dll
    tuvsqoo.dll
    vtuts.dll
    winmbj32.dll

    After you have killed all instances of any of the above DLLs under winlogon click OK.
    (If you do not find these DLLs, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    agphgdh.dll
    cryotn.dll
    doxihoof.dll
    rwofmogs.dll
    tuvsqoo.dll
    vtuts.dll
    winmbj32.dll

    After you have killed all instances of any of the above DLLs under Explorer click OK.
    (If you do not find these DLLs, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    agphgdh.dll
    cryotn.dll
    doxihoof.dll
    rwofmogs.dll
    tuvsqoo.dll
    vtuts.dll
    winmbj32.dll

    After you have killed all instances of any of the above DLLs under iexplore click OK.
    (If you do not find these DLLs, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:

    O2 - BHO: (no name) - {B2BE131D-7A90-48CA-97F3-89598993EB2D} - C:\WINDOWS\system32\ddaya.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\oghqywvm.dll (file missing)
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3083D~1\Bar888.dll
    O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\nrafwmoc.dll",realset
    O20 - Winlogon Notify: ddaya - C:\WINDOWS\system32\ddaya.dll
    O20 - Winlogon Notify: efccyxu - efccyxu.dll (file missing)
    O20 - Winlogon Notify: mljgggh - C:\WINDOWS\SYSTEM32\mljgggh.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL
    C:\WINDOWS\system32\agphgdh.dll
    C:\WINDOWS\system32\cryotn.dll
    C:\WINDOWS\system32\doxihoof.dll
    C:\WINDOWS\system32\rwofmogs.dll
    C:\WINDOWS\system32\smanager.7.exe
    C:\WINDOWS\system32\tuvsqoo.dll
    C:\WINDOWS\system32\vtuts.dll
    C:\WINDOWS\system32\winmbj32.dll
    C:\WINDOWS\system32\stutv.bak1
    C:\WINDOWS\system32\stutv.bak2
    C:\WINDOWS\system32\sgomfowr.tmp
    C:\WINDOWS\system32\ewvflqfl.ini
    C:\WINDOWS\system32\foohixod.ini
    C:\WINDOWS\system32\omtyhkii.ini
    C:\WINDOWS\system32\pglnhdiy.ini
    C:\WINDOWS\system32\sgomfowr.ini
    C:\WINDOWS\system32\stutv.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue
    (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
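The following is an added verification script, not part of the thread above and not one of the tools chaslang's instructions use. After the Process Explorer, HijackThis and Killbox steps have been done and the PC rebooted, it checks from an elevated PowerShell prompt whether any of the files, Winlogon Notify packages, BHO/toolbar CLSIDs and Run value named in the instructions are still present, whether the Killbox delete-on-reboot queue (PendingFileRenameOperations) is empty, and whether any of the listed DLLs is still loaded into winlogon, explorer or iexplore. The file names, CLSIDs and value names are copied from the thread; the registry locations are the standard ones for each HijackThis entry type (O2/O3 BHO and toolbar registrations, O4 Run value, O20 Winlogon Notify keys).

```powershell
# Added post-cleanup check for the Vundo removal steps in this thread (not the thread's own tool).
# Run from an elevated PowerShell prompt after the reboot that follows the Killbox step.

$system32 = Join-Path $env:SystemRoot 'system32'

# Files the Killbox "Delete on Reboot" step was told to remove (paths taken from the thread).
$filesToCheck = @(
    'C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL'
) + @(
    'agphgdh.dll', 'cryotn.dll', 'doxihoof.dll', 'rwofmogs.dll', 'smanager.7.exe',
    'tuvsqoo.dll', 'vtuts.dll', 'winmbj32.dll', 'stutv.bak1', 'stutv.bak2',
    'sgomfowr.tmp', 'ewvflqfl.ini', 'foohixod.ini', 'omtyhkii.ini',
    'pglnhdiy.ini', 'sgomfowr.ini', 'stutv.ini'
) | ForEach-Object { Join-Path $system32 $_ }

# DLLs that were to be killed out of winlogon / explorer / iexplore in Process Explorer.
$injectedDlls = @('agphgdh.dll', 'cryotn.dll', 'doxihoof.dll', 'rwofmogs.dll',
                  'tuvsqoo.dll', 'vtuts.dll', 'winmbj32.dll')

# Registry entries behind the HijackThis lines that were to be fixed.
$notifyBase   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'   # O20
$notifyNames  = @('ddaya', 'efccyxu', 'mljgggh')
$bhoBase      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'  # O2
$bhoClsids    = @('{B2BE131D-7A90-48CA-97F3-89598993EB2D}', '{D651AFF4-9590-424d-BD1E-8E33E090DFB3}')
$toolbarKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'                    # O3
$toolbarClsid = '{C1B4DEC2-2623-438e-9CA2-C9043AB28508}'
$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                   # O4
$runValueName = 'InfoData'

$findings = @()

# 1. Files that should have been deleted on reboot.
foreach ($f in $filesToCheck) {
    if (Test-Path -LiteralPath $f) { $findings += "File still present: $f" }
}

# 2. Winlogon Notify packages (these reload the DLL at every logon, which is how Vundo came back).
foreach ($n in $notifyNames) {
    if (Test-Path -LiteralPath (Join-Path $notifyBase $n)) { $findings += "Winlogon Notify key still present: $n" }
}

# 3. Browser Helper Object and toolbar registrations.
foreach ($c in $bhoClsids) {
    if (Test-Path -LiteralPath (Join-Path $bhoBase $c)) { $findings += "BHO registration still present: $c" }
}
$tb = Get-ItemProperty -LiteralPath $toolbarKey -ErrorAction SilentlyContinue
if ($tb -and ($tb.PSObject.Properties.Name -contains $toolbarClsid)) {
    $findings += "Toolbar registration still present: $toolbarClsid"
}

# 4. The rundll32 Run entry.
$run = Get-ItemProperty -LiteralPath $runKey -Name $runValueName -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value still present: $runValueName = $($run.$runValueName)" }

# 5. Killbox queues its deletions in PendingFileRenameOperations; after a reboot it should be empty.
$sm = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
if ($sm -and $sm.PendingFileRenameOperations) {
    $findings += "PendingFileRenameOperations still queued: $($sm.PendingFileRenameOperations -join '; ')"
}

# 6. Listed DLLs still loaded in the processes the Process Explorer step targeted.
foreach ($proc in Get-Process -Name winlogon, explorer, iexplore -ErrorAction SilentlyContinue) {
    try {
        foreach ($m in $proc.Modules) {
            if ($injectedDlls -contains $m.ModuleName.ToLower()) {
                $findings += "$($m.ModuleName) still loaded in $($proc.ProcessName) (PID $($proc.Id))"
            }
        }
    } catch {
        $findings += "Could not list modules of $($proc.ProcessName) (PID $($proc.Id)): $($_.Exception.Message)"
    }
}

if ($findings.Count -eq 0) {
    'No leftovers found for the files and registry entries listed in the thread.'
} else {
    $findings
}
```

Anything the script reports is worth pasting into the reply along with the GetRunKey, ShowNew and HJT logs, since a surviving Winlogon Notify key or a non-empty PendingFileRenameOperations value explains why the DLLs reappear after each vundofix run. Module enumeration of winlogon.exe needs an elevated prompt; without it the script reports that it could not list modules rather than silently passing.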
     
