Hi,
No worries =) I went to sleep anyway
Your system is infected with a variety of malware
(Please
back up your registry before you do the next step)
You may wish to copy and paste these instructions on notepad for easier reference later.
Boot into safe mode under your normal user name. See how
HERE
Next turn on "Show all files and folders, including hidden and system". See how
HERE
Go to start > run and type services.msc. Press the enter key.
Search for the following services(if there) double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
BSplayer_WhenUSave_Installer
user32.dll
rare
Shell23
Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:
BSplayer_WhenUSave_Installer
Video ActiveX Access
VideoEggPublisher
Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:
iesmn.exe
VideoEggPublisher.exe
After that,
run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
O4 - HKLM\..\Run: [BSplayer_WhenUSave_Installer] C:\Program Files\BSplayer_WhenUSave_Installer\BSplayer_WhenUSave_Installer.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
Fix all O6 entries Do this if this is your personal system or the aministrator did not set any such restrictions.
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} -
http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O21 - SSODL: rdihost - {14906C60-AA68-44FC-92E8-01F391E310F2} - rdihost.dll (file missing)
O22 - SharedTaskScheduler: heterandrous - {735e980d-45d2-4777-af82-9923d3c8d3ae} - C:\WINDOWS\system32\kgkdbsk.dll (file missing)
Close HJT.
Navigate in Windows Explorer and delete the following
files and
folders in
bold.
C:\WINDOWS\
Cafezee Client Uninstaller.exe
C:\WINDOWS\system32\
kgkdbsk.dll
C:\WINDOWS\system32\
Explorer.exe
C:\Program Files\
Video ActiveX Access\
Go to Start > Run and type regedit. Press Enter.
Navigate manually to HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run and delete the following keys:
"Shell23"="C:\\WINDOWS\\system32\\Explorer "
"BSplayer_WhenUSave_Installer"="C:\\Program Files\\BSplayer_WhenUSave_Installer\\BSplayer_WhenUSave_Installer.exe"
Next, navigate manually to HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run and delete the following:
"rare"="C:\\Program Files\\Video ActiveX Access\\imsmain.exe"
"user32.dll"="C:\\Program Files\\Video ActiveX Access\\iesmn.exe"
Also, press ctrl + F and search for all instances of the following and delete them.
kgkdbsk.dll
rdihost.dll
Driveinfo.exe
sxs.exe
Close the program.
Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT and ComboFix logs from normal mode as an attachment into this thread.
Regards,
Your friendly Momok =)
This thread is for the use of Jacal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.