Major Computer Issues.

Discussion in 'Malware Help (A Specialist Will Reply)' started by ChaseJ55, Feb 14, 2006.

  1. ChaseJ55

    ChaseJ55 Private E-2

    I've been infected with some sort of malicious spyware or virus that is totally disrupting my computer. Last time I tried typing this I couldn't even post it before my internet browser just closed on its own. I've done all the steps above to no success, here is my hijack this! log.

    Edit by chaslang: Inline log attached!
     


    Last edited by a moderator: Feb 15, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    Please do not post any logs inline. They must be attachments to your message. This is all covered in the READ & RUN ME sticky which you did not completely follow.

    Problems:
    1) Did not do any of step 6
    2) Did not install HJT properly per step 7. You are running it from the ZIP file using WinRar:
    C:\DOCUME~1\CHASEJ~1\LOCALS~1\Temp\Rar$EX00.562\HijackThis.exe
    3) Posted inline log instead of attachment.

    Please complete the rest of the READ & RUN ME. But also run the below because you have one of the new forms of Virtumonde.

    Virtumonde aka Trojan Vundo Removal

    Make sure to attach the log from VundoFix.
     
  3. ChaseJ55

    ChaseJ55 Private E-2

    Here is the bdscan which brought up a couple of problems, some of which could not be fixed.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What about PandaActiveScan?

    And did you do the rest of what I posted yet?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way, that is not a BitDefender log. It is only a log summary which is of no use to us. You must follow step 6 exactly as written to get a full log.
     
  6. ChaseJ55

    ChaseJ55 Private E-2

    Here is Panda, I was having problems with the virtumonde install because after clicking the run virtofix as a task, it wouldn't reopen after a minute.
     


  7. ChaseJ55

    ChaseJ55 Private E-2

    Here's BDSCAN.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the log. Make sure you follow the directions exactly as written or you will not get the correct log. The log will actually be an html file (save as a .txt file) when you do it properly.

    Have you installed HJT properly yet?

    I see you are having problems with VundoFix. See if you can run it in safe mode. If not, we will use another procedure.
     
  9. ChaseJ55

    ChaseJ55 Private E-2

    I'm in safe mode as we speak....even when I was attempting to fix virtumon
    I was having problems attaching files, hopefully this is the appropriate BDSCAN1.txt.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is still not correct. You must follow the directions exactly as written.

     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For the Vundo problem try the below:

    Download VirtumundoBeGone by secured2k
    • Save the file to your desktop
    • Close all running programs (including your Internet Browser)
    • Double-click VirtumundoBeGone.exe on the desktop
    • Read the introductory information, and then click Continue
    • Click Start
    • When asked if you want to continue, click Yes to run the fix
    • Click Save Log
    Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH so don't be concerned when this happens. It requires you to manually reboot to restore your normal windows desktop.

    The log created by VirtumundoBeGone called VBG.TXT will be located on your desktop. Please attach the VBG.TXT to your next message. And then attach a new HJT log too.
     
  12. ChaseJ55

    ChaseJ55 Private E-2

    I tried the virtumonde remover and it finally worked but it said it did not detect the virus?
    Attached is the bdscan(again), I followed the directions step for step and hopefully this is the correct one.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not yet! I'm not sure what your problem is but you are not following the directions as they are written. Hundreds of people do this every week and have no problems performing this step.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's just continue with fixes for your system and ignore BitDefender for now.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\med.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/...lowActiveX.CAB
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://moviefone.kontiki.com/secured...y/main/kdx.cab
    O20 - Winlogon Notify: med - C:\WINDOWS\SYSTEM32\med.dll
    O21 - SSODL: IEFilter - {FCF46A44-03A3-4E41-82BD-A155C0B243B0} - IEFilter.dll (file missing)


    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\Program Files\PartyPoker <--- the whole folder
    C:\WINDOWS\kwv2.dat
    C:\WINDOWS\SYSTEM32\IEFilter.dll
    C:\WINDOWS\SYSTEM32\djqwuqqd.dll
    C:\WINDOWS\SYSTEM32\dlqmghpf.dll
    C:\WINDOWS\SYSTEM32\dudnsmwc.dll
    C:\WINDOWS\SYSTEM32\hcgnxkon.dll
    C:\WINDOWS\SYSTEM32\hoxjvcxl.dll
    C:\WINDOWS\SYSTEM32\ifygxjex.dll
    C:\WINDOWS\SYSTEM32\ijllmmcg.dll
    C:\WINDOWS\SYSTEM32\iykbqoix.dll
    C:\WINDOWS\SYSTEM32\med.dll
    C:\WINDOWS\SYSTEM32\nwxkolef.dll
    C:\WINDOWS\SYSTEM32\xjxfusin.dll
    C:\WINDOWS\SYSTEM32\ymqqcbrt.dll
    C:\WINDOWS\SYSTEM32\yyxjfcsq.dll

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
     
  15. ChaseJ55

    ChaseJ55 Private E-2

    Attached is my new hijackthis log, hopefully I performed it properly.
    Everything seems to be running much better, however I seem to be having problems opening Word now. It just sits in the load menu and never actually opens.
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did Word just start misbehaving now or was it broken for awhile?
    When was the last time you used it without a problem?

    There is nothing in what we just fixed in the last message that should impact Word. However you have a new problem that was not in your previous HJT log:

    O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe

    I'll give you something to do to fix this in my next message.

    Is your copy of Spyware Doctor a paid version that you keep up to date?
     
  17. ChaseJ55

    ChaseJ55 Private E-2

    Yes Spyware Doctor is a paid version that is currently up to date.
    Word seems to be working fine now after I rebooted the computer a couple times.
    Another question I have is I used Party Poker frequently.
    Can I no longer install it again or should I go to another online poker site?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We just simply don't trust any of those sites and while cleaning systems of problems always remove them. It's up to you in the end! It's your PC! But we do not recommend them.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Service ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Service

    Note HJT may or may not find this. If you get an error message, just ignore it and continue!


    Now exit HJT and reboot like it requests, but boot into safe mode and delete:
    C:\WINDOWS\system32\Service.exe <--- DO NOT delete services.exe only service.exe

    After reboot run HJT and fix the below line if still present.
    O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe

    How are things running now?
     
    Last edited: Feb 22, 2006
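An added example (not code from this thread or from HijackThis) that applies the kind of triage chaslang does by hand in posts 14 and 16 to HJT log lines: orphaned entries, randomly named system32 DLLs, Winlogon Notify hooks and services with no registered publisher. The sample log, the placeholder CLSID and the severity labels are constructed for this example.

```python
import re

# Constructed sample: the HJT lines quoted in this thread, one Vundo-style DLL
# from the delete list in post 14 (placeholder CLSID) and one ordinary vendor
# service as a benign control. Not a log the original poster attached.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\med.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\djqwuqqd.dll
O20 - Winlogon Notify: med - C:\WINDOWS\SYSTEM32\med.dll
O21 - SSODL: IEFilter - {FCF46A44-03A3-4E41-82BD-A155C0B243B0} - IEFilter.dll (file missing)
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# Vundo-style name: eight random lowercase letters with a .dll extension in system32
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.IGNORECASE)

def parse_entry(line):
    """Split one HJT line into its section code, body and trailing path (lowercased)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    path = body.rsplit(" - ", 1)[-1] if " - " in body else ""
    return {"kind": m.group("kind"), "body": body, "path": path.lower()}

def assess(entry):
    """Return (severity, reason) for an entry worth a second look, else None."""
    kind, body, path = entry["kind"], entry["body"], entry["path"]
    if "(no file)" in body or "(file missing)" in body:
        return ("low", "orphaned entry, target file does not exist")
    if RANDOM_DLL_RE.search(path):
        return ("high", "randomly named DLL in system32 (Vundo naming pattern)")
    if kind == "O20":
        return ("high", "Winlogon Notify DLL is loaded at every logon")
    if kind == "O23" and "Unknown owner" in body:
        return ("medium", "service without a registered publisher, verify the file")
    return None

def triage(log_text):
    """Return [(line, severity, reason)] for every flagged entry in the log."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and (hit := assess(entry)):
            findings.append((line, *hit))
    return findings
```

Flagged entries are candidates for verification, not automatic Fix targets; the helper in the thread still decides line by line.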
  19. ChaseJ55

    ChaseJ55 Private E-2

    Seems to be running great!
    Thanks!
    I now have Zone Alarm installed and running, should I now reset my system restore?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I assume this means that O23 line is gone?

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
