Please help me clean my computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by dumbkid, Sep 3, 2006.

  1. dumbkid

    dumbkid Private E-2

    Hi. I have finally run all the required programs and would like help in removing malware from my computer. I've attached the required programs. Thank you for the wonderful site and community.
     

    Attached Files:

  2. dumbkid

    dumbkid Private E-2

    Here are the rest of the files. Thanks for all your help!
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the directions in step 7 of the READ ME and install HijackThis exactly where requested (you installed it exactly where we said not to install it) and also you MUST rename the executable file as specified in step 7. And you MUST stop using MSconfig (also mentioned in step 7). Don't get a new log yet! First do the below!

    PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

    Please print out or copy these instructions to Notepad, as the internet will not be available to you (while in Safe Mode) at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

    Reboot your computer into Safe Mode per the safe directions in the READ & RUN ME.

    Open the SmitfraudFix folder on your Desktop, then double-click the smitfraudfix.cmd file to start the tool.

    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
    You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

    The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually. BUT reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please attach this log in your next reply.

    Now run this Virtumonde aka Trojan Vundo Removal and attach the requested log.

    Then attach a new log from a properly installed and renamed HijackThis along with a new log from ShowNew.
     
  4. dumbkid

    dumbkid Private E-2

    Hi chaslang.
    Sorry for the mistakes. I have a question about Virtumonde aka Trojan Vundo Removal. Should I run that while in safe mode or while in normal mode?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Normal boot mode.
     
  6. dumbkid

    dumbkid Private E-2

    Here are the new files requested. I have attached the rapport.txt, VundoFix.txt, and the new hijackthis.log in this post. The next post will have the newfiles.txt attached.

    In my VundoFix.txt, it couldn't delete the file C:\WINDOWS\system32\ddayw.dll on the first run, but upon restart VundoFix ran again and was able to delete this item. I don't know where the new .txt file would be stored, but I did visually see this item deleted. I also ran it 2 more times to make sure nothing else shows up during the scan.
     

    Attached Files:

  7. dumbkid

    dumbkid Private E-2

    newfiles.txt
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First install the current version of Sun Java from: Sun Java Runtime Environment

    Then uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {FFFCC5C9-F694-470E-88AC-3C3DF0D16327} - C:\WINDOWS\system32\ddayw.dll (file missing)
    O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
    O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - C:\WINDOWS\system32\ynffvbu.dll
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: windpt32 - windpt32.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\WINDOWS\system32\ynffvbu.dll

    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  9. dumbkid

    dumbkid Private E-2

    Hi. Everything is working great now. I used to get a tone, like when you do something wrong, whenever I would open up Windows Explorer or any sort of window and then a few minutes later, I would start getting pop-ups.

    Now after these fixes, I can open windows without that tone anymore. I have been using the computer for approx 2 hours with no pop-ups. I'll post again in a few days if any problems arise.

    Attached is a new HijackThis log file.

    I greatly appreciate all the help you have provided me.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You appear to have reinfected yourself somehow from the Vundofix backups folder. Let's see if you are really infected and try a simple fix. If it does not work we will need to use a more complex approach.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {5EC0079F-17E5-4529-AE55-8ED974B4941B} - C:\VundoFix Backups\ddayw.dll
    O20 - Winlogon Notify: ddayw - C:\VundoFix Backups\ddayw.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\VundoFix Backups <--- the whole folder

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).
    Now reboot in normal mode and post a new HJT log and also new logs from ShowNew and GetRunKey.

    Make sure you tell me how things are working now.
     
  11. dumbkid

    dumbkid Private E-2

    I wasn't able to delete the items in C:\VundoFix Backups. I tried deleting it in normal mode and in safe mode, but I couldn't because I got an error saying that some resource is using that file.

    Is there a way to delete this item manually or with a program?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was what I was expecting. As I stated, you got reinfected and the procedure you need to run is below.

    Start by downloading two tools we will need:

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes).

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen, click on each instance of ddayw.dll once and then click the Kill button. After you have killed all of the ddayw.dll instances under winlogon, click OK. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of ddayw.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5EC0079F-17E5-4529-AE55-8ED974B4941B} - C:\VundoFix Backups\ddayw.dll
    O20 - Winlogon Notify: ddayw - C:\VundoFix Backups\ddayw.dll


    After clicking Fix, exit HJT.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    Now back on Killbox's main window, paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and check mark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\VundoFix Backups\ddayw.dll

    If Killbox does not reboot or if you get a Pending Operations type error message just click OK to continue and then just reboot your PC yourself.
    After reboot locate the below folder and delete it if found:
    C:\VundoFix Backups

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Joe Santoro\Local Settings\Temp

    Now attach a new HJT log and tell me how the steps went.

    Now download the current version of ShowNew (yours is out of date).
    Now attach new logs from ShowNew and from GetRunKey.

    Make sure you tell me how things are working now!
     
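As an added illustration (not part of the thread, and not code from HijackThis), the following Python parses the O2/O9/O18/O20 lines chaslang quoted in posts 8, 10 and 12 and flags the properties a helper reads off them: a target file that no longer exists, a DLL loading from the VundoFix Backups folder (the reinfection path noted above), a Winlogon Notify package, and a text/html MIME filter. The log lines are a constructed sample copied from the thread; the flag rules are this example's own heuristics, not HijackThis's.

```python
import re
from dataclasses import dataclass

# Constructed sample: the HijackThis lines quoted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {FFFCC5C9-F694-470E-88AC-3C3DF0D16327} - C:\\WINDOWS\\system32\\ddayw.dll (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - C:\\WINDOWS\\system32\\ynffvbu.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: windpt32 - windpt32.dll (file missing)
O2 - BHO: (no name) - {5EC0079F-17E5-4529-AE55-8ED974B4941B} - C:\\VundoFix Backups\\ddayw.dll
O20 - Winlogon Notify: ddayw - C:\\VundoFix Backups\\ddayw.dll
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+):\s*(.*)$")   # "O20 - Winlogon Notify: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

@dataclass
class HjtEntry:
    section: str   # e.g. "O2", "O20"
    kind: str      # e.g. "BHO", "Winlogon Notify"
    clsid: str     # CLSID if the line carries one, else ""
    path: str      # DLL/file the entry points at, else ""
    flags: list    # triage reasons; empty means nothing noteworthy

def parse_line(line: str) -> HjtEntry:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a HijackThis line: {line!r}")
    section, kind, rest = m.groups()
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else ""
    # The last " - " separated field is the target (a path, or "(no file)").
    parts = [p.strip() for p in rest.split(" - ")] if rest else []
    target = parts[-1] if len(parts) > 1 else ""
    path = re.sub(r"\s*\((file missing|no file)\)(\s*\(HK\w+\))?$", "", target)
    flags = []
    if "(file missing)" in rest or "(no file)" in rest:
        flags.append("orphaned registry entry (target file absent)")
    if "vundofix backups" in path.lower():
        flags.append("loads from a removal-tool backup folder (likely reinfection)")
    if kind == "Winlogon Notify" and path:
        flags.append("DLL loaded into winlogon.exe at logon")
    if kind == "Filter" and rest.lower().startswith("text/html"):
        flags.append("MIME filter hooking HTML content")
    return HjtEntry(section, kind, clsid, path, flags)

def triage(log: str) -> list:
    """Parse every O-line and return only the entries that raised a flag."""
    return [e for e in (parse_line(l) for l in log.splitlines() if l.strip()) if e.flags]
```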
  13. dumbkid

    dumbkid Private E-2

    Hi. All the steps went smoothly. The only thing I had to change was when deleting the items in the folder for C:\Documents and Settings\Joe Santoro\Local Settings\Temp. I figured you meant the users on my computer, so I went through and deleted the items in the Temp folder for all users on my computer.

    ddayw.dll has been deleted and I have attached the three requested files. Hopefully that has solved everything (fingers crossed).
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We still have some work to do in cleaning up the rest of the hidden problems due to the winlogonhook and Virtumonde infections you had. Let's continue.

    Please download and install Registrar Lite. Make sure you select a MajorGeeks download link and not the author's!

    Run Registrar Lite, navigate to the following key and take ownership of it (explained further down):

    HKEY_LOCAL_MACHINE\software\microsoft\mssmgr

    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the Menu
    • Select Take Ownership
    • Now leave RegistrarLite running and continue
    • Now run the REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate to HKEY_LOCAL_MACHINE\software\microsoft\mssmgr
    • Does the above mssmgr key still exist? If so, right click on it and select Delete.
    Here is the Registry Patch

    Now copy the bold text below to Notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Once you have determined that the mssmgr registry key is gone, reboot your PC.

    After reboot locate the below folder and delete it if found:
    C:\Program Files\Common Files\{9CA3813E-0AE6-1033-1122-030305130001}

    Also delete all files in the below folders except ones from the current date

    Now delete the below from your Desktop
    fixme.reg
    fixWLK.reg
    SmitfraudFix <--- the folder
    VundoFix.exe

    Now delete the below folder that is in C:\Program Files\
    ASEMBL~1 Jul 28 2006 "a?sembly"

    Now delete the below files and folder
    C:\rapport.txt
    C:\VundoFix.txt
    C:\VundoFix Backups <--- the whole folder


    Now run Pocket Killbox and select File, Cleanup, Delete All Backups!

    Now attach the below new logs:
    - HJT
    - ShowNew
    - GetRunKey

    Make sure you tell me how things are working now!
     
  15. dumbkid

    dumbkid Private E-2

    When running Registrar Lite, after taking ownership of HKEY_LOCAL_MACHINE\software\microsoft\mssmgr, I ran fixWLK.reg. It ran with no errors and changed the registry. Once I refreshed Registrar Lite, HKEY_LOCAL_MACHINE\software\microsoft\mssmgr no longer existed.

    Upon reboot, C:\Program Files\Common Files\{9CA3813E-0AE6-1033-1122-030305130001} was not found, but I deleted all the files that you requested and ran Pocket Killbox.

    Attached are the requested files.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A few more baddies showed up! Are you still downloading using the P2P applications on your PC? You need to stop that or we may never get you cleaned up!

    Delete the below files:
    C:\WINDOWS\system32\wnsapiit.exe
    C:\WINDOWS\eSellerateEngine.dll

    How is everything running?
     
  17. dumbkid

    dumbkid Private E-2

    Hi. I haven't run my P2P program in quite some time... maybe 3-4 weeks or so. I did open Windows Explorer recently to see if it would still make that 'error' sound. It did make that sound, and I was expecting more pop ups, but no pop ups showed up. I guess instead, it might have possibly installed these files in my computer.

    Is it possible that there is some malware linked to Windows Explorer in a manner that it will run every time Explorer is opened?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, malware can attach itself to the Windows shell (explorer.exe); however, explorer.exe runs as soon as you start your PC. Without it, you would have no Desktop (no icons, no Start button, etc.). Thus anything attached to explorer.exe would spread at each startup.


    Did you delete those two files I mentioned?

    How is everything working?
     
