Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
This is a mess, and will take several posts to clear up. You have a variant of the SDbot virus showing in your log (among other things). Even though the Virus has been identified and can be killed, because of it's backdoor functionality, there is no way to be sure what information has been stolen from your system. If you do any banking or have recently paid for goods or services online you will need to change all passwords where applicable and it would be wise to contact your bank or credit card company to inform them of your situation. This also applies to passwords for any confidential sites you use such as Paypal, Ebay, Email etc... The infection you have has the ability to download and execute files, log keystrokes, Redirect connections, Sniff sent packets for information & Steal personal information so it is a very serious threat.
Should you have any questions, please feel free to ask.
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.
---------------------------------------------------------------------------------------------
Please go to:
VirusTotal- At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to this file in BOLD:
nbdos.exe (you'll have to find the exact location of this file...it is likely in System32. If you cannot find it there, run a search for it using Windows Search function Start>Search>All files and Folders
- Click "Open".
- Then click the "Send" button at the top of the VirusTotal page.
- This will scan the file. Please be patient.
- Once scanned, copy and paste the results in your next reply.
---------------------------------------------------------------------------------------------
Please download
Brute Force Uninstaller to your desktop.
- Right click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to,
- Click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:) or whatever your primary drive is
- Click "Make New Folder"
- Type in BFU
- Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download
Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).
We'll use this later.
---------------------------------------------------------------------------------------------
Download
SDFix and save it to your Desktop.
Double click
SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix) We'll use this later.
---------------------------------------------------------------------------------------------
Please download
VundoFix.exe to your desktop
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt in your next reply
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button" when VundoFix appears upon rebooting.
---------------------------------------------------------------------------------------------
Please
Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3- First close any other programs you have running as this will require a reboot
- Double click NoLop.exe to run it.
- Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
- When scanning is finished you will be prompted to reboot only if infected, Click OK
- Now click the "REBOOT" Button.
- A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log in your next reply.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --
---------------------------------------------------------------------------------------------
Go to Start>Run and copy/paste the following:
sc delete Windows Registry Service
Then Press Enter.
---------------------------------------------------------------------------------------------
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist
(make sure you do not miss any) and click
Fix Checked
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\nmfmsvpe.dll",setvm
O4 - HKCU\..\Run: [bind first] C:\DOCUME~1\DENNET~1\APPLIC~1\FUNKFA~1\Each Wma.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - blank (file missing)
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - C:\WINDOWS\system32\deihz.dll
Close HijackThis now.
---------------------------------------------------------------------------------------------
Please then reboot your computer in
Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
---------------------------------------------------------------------------------------------
Then, please go to Start > My Computer and navigate to the C:\BFU folder.
- Start the Brute Force Uninstaller by doubleclicking BFU.exe
- Beside the scriptline to execute field click the folder icon
and select alcanshorty.bfu by double clicking on it.
- Press Execute and let it do it’s job. (You ought to see a blue progress bar if you did this correctly.)
- Wait for the complete script execution box to pop up and press OK.
- Press exit to terminate the BFU program.
---------------------------------------------------------------------------------------------
Delete the following files/folders:
C:\WINDOWS\system32\nmfmsvpe.dll
C:\Documents and Settings\DENNET~1 (your user name)\Application Data\FUNKFA~1 <<<this will be a folder which begins with Funk Fa
C:\WINDOWS\system32\deihz.dll
---------------------------------------------------------------------------------------------
- Open the extracted SDFix folder and double click RunThis.bat to start the script. (Use Task Manager to navigate to it if you need to)
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum in your next reply.
---------------------------------------------------------------------------------------------
Next, please do this:
- Download ComboScan to your Desktop. Note: You must be logged onto an account with administrator privileges.
- Close all applications and windows.
- Double-click on comboscan.exe to run it, and follow the prompts.
- When the scan is complete, a text file will open - ComboScan.txt
- Copy and paste the contents of ComboScan.txthere.
- A folder, C:\ComboScan will also open. In it will be another text file, Supplementary.txt
- Please Attach Supplementary.txt to your post.
To attach a file to a new post, simply
- Click the[Manage Attachments] button under Additional Options>Attach Files on the post composition page, and
- copy and paste the following into the "Upload File from your Computer" box:
C:\ComboScan\Supplementary.txt
- Click Upload.
---------------------------------------------------------------------------------------------
So, that was a lot of work, and we're just beginning. Please return with results from:
VundoFix (C:\vundofix.txt)
NoLOP (C:\NoLOP.log)
SDFix (C:\SDFix\report.txt)
ComboScan.txt
Supplementary.txt