Problem with new MSN virus, or old, I'm not sure

Status
Not open for further replies.
Hey guys, I just recently got a virus from a link that was randomly sent to me through MSN. If you recognise it, the link is "Is that u in this photo?" (hyperlink to what looks like a photo bin). It was from one of my friends I see every day, so I didn't think it was that suspicious, even though it was sent while he was offline...

I've run through all the standard procedures, using AVG and Ad-Aware, as well as Spybot S&D.
AVG picked up about 5 trojans and apparently healed them. I also ran Spybot, which picked up about 3-4 entries, and it fixed them.
CCleaner got rid of a lot of trash from my PC; I ran it a couple of times just to be sure, then finally I created this HijackThis report!

The virus vault in AVG contained a load of files which I told it to get rid of as well.

If you can point out anything out of the ordinary, that would be great, because I'd really like to know if I've got rid of this virus.
 
OK, I've followed the instructions as best I could and here are my AVG and HijackThis reports.
Can you see if anything is still wrong?
 
Sorry mate, but you haven't followed the instructions properly.

It's very important that you rename HJT and that you scan with AVG Antispyware in safe mode with System Restore turned off. That's why your AVG Antispyware log says you've got infections in System Volume Information (System Restore). When you turn off System Restore it deletes all your restore points and anything nasty that's in them.

Please go back to the instructions and follow them again carefully.

Once you've done that, post fresh HJT and AVG Antispyware logs.

I'll then be able to help you further.

Regards Howard :)

This thread is for the use of turnip14 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
OK, I've done what you said now: restarted the PC in safe mode, turned off System Restore and ran Antispyware and then HijackThis, after I renamed HijackThis to Hyjackthis1991.

I hope that's right lol :S
 
That's much better. Now we can get you cleaned up.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a Notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Click Start/Run, type services.msc into the Run box and press the Enter key.

When the window appears, maximise it. Double-click on the following services (if there) and select Stop if they are running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

MicroSoft Media Tools

Close the services window.

Open Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

Click on the Processes tab and end the process for each of the following (if there):

MSmedia.exe
wyeyprof.exe
winstall.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following by placing a tick in the little box next to each entry (if there).

O2 - BHO: (no name) - {0D98A3EB-F381-46C3-B6C6-D131FD6D4193} - (no file)

O2 - BHO: SelasI Class - {59F4F380-01A0-4083-9FA4-E3B827319F7E} - C:\WINDOWS\system32\vcbhmazb.dll

O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Chris\Desktop\winstall.exe

O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

O20 - Winlogon Notify: jkkjg - C:\WINDOWS\System32\jkkjg.dll (file missing)
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)

O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)

Click on the Fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\WINDOWS\system32\wyeyprof.exe
C:\WINDOWS\MSmedia.exe
C:\Documents and Settings\Chris\Desktop\winstall.exe

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete file on reboot" button. Press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

This is the file path you need to enter into Killbox.

C:\WINDOWS\system32\vcbhmazb.dll

Once your system has rebooted, turn System Restore back on and re-hide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

This thread is for the use of turnip14 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
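The HijackThis (HJT) entries Howard picks out above follow a handful of patterns a helper checks by eye: entries whose file is already gone ("(no file)", "(file missing)"), a Run key named after a Windows process but pointing at a file on the Desktop, a BHO loading a randomly named DLL straight out of System32, a service with no publisher, and Winlogon Notify handlers. The script below, an added example that is not part of this thread or of HijackThis itself, parses O2/O4/O20/O23 lines and applies those checks. The sample log is constructed: it contains the entries quoted in the thread plus three benign-looking Adobe/AVG lines (their paths and GUIDs are illustrative) so there is something for the heuristics to leave alone. The trusted-prefix list and the set of impersonated process names are assumptions of the example, not an HJT feature.

```python
"""Triage a HijackThis log the way a cleanup helper reads it.

Added example, not code from the thread or from HijackThis. The log text
below is constructed: the flagged lines are the ones quoted in the thread,
the Adobe/AVG lines are illustrative benign entries for contrast.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0D98A3EB-F381-46C3-B6C6-D131FD6D4193} - (no file)
O2 - BHO: SelasI Class - {59F4F380-01A0-4083-9FA4-E3B827319F7E} - C:\WINDOWS\system32\vcbhmazb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Chris\Desktop\winstall.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O20 - Winlogon Notify: jkkjg - C:\WINDOWS\System32\jkkjg.dll (file missing)
O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

# Assumptions of this example: where legitimate autoruns normally live, and the
# Windows process names malware likes to borrow for its Run-key value name.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
SYSTEM_NAMES = {"explorer", "svchost", "winlogon", "lsass", "csrss", "services", "smss", "spoolsv"}
MISSING_MARKERS = ("(file missing)", "(no file)")

DRIVE_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|sys|ocx))', re.I)   # full path, quoted or not
BARE_FILE_RE = re.compile(r'\b([\w-]+\.(?:exe|dll))\b', re.I)                  # e.g. wingdm32.dll with no path
VALUE_NAME_RE = re.compile(r'\[([^\]]+)\]')                                     # the [name] of an O4 Run value


@dataclass
class Entry:
    section: str                      # O2, O4, O20, O23, ...
    raw: str                          # the log line as written
    path: str = ""                    # file referenced by the entry, "" if none
    flags: list = field(default_factory=list)


def parse(log_text):
    """Keep only O-section lines and pull out the file each one references."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"^(O\d+) - ", line)
        if not m:
            continue
        path_m = DRIVE_PATH_RE.search(line) or BARE_FILE_RE.search(line)
        entries.append(Entry(m.group(1), line, path_m.group(1) if path_m else ""))
    return entries


def triage(entries):
    """Attach a flag for every pattern the helper acts on in the thread."""
    for e in entries:
        low = e.raw.lower()
        if any(mk in low for mk in MISSING_MARKERS):
            e.flags.append("orphan: referenced file is gone; dead entry, fix it in HJT")
        if e.section == "O2":
            if "(no name)" in low:
                e.flags.append("unnamed BHO")
            if "\\system32\\" in e.path.lower():
                # legitimate BHOs almost always sit under their product directory
                e.flags.append("BHO loading straight from System32; verify the DLL's publisher")
        if e.section == "O4" and e.path:
            p = e.path.lower()
            if not p.startswith(TRUSTED_PREFIXES):
                e.flags.append("autorun from a user-writable location: " + e.path)
            vm = VALUE_NAME_RE.search(e.raw)
            base = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if vm and vm.group(1).lower() in SYSTEM_NAMES and base != vm.group(1).lower():
                e.flags.append(f"value name [{vm.group(1)}] impersonates a system process but runs {base}")
        if e.section == "O20":
            e.flags.append("Winlogon Notify handler loads into winlogon.exe at logon; verify it")
        if e.section == "O23" and "unknown owner" in low:
            e.flags.append("service with no publisher")
    return entries


def files_to_delete(entries):
    """Full paths behind flagged entries that the log does not already report
    missing. Fixing the HJT entry only removes the hook; the file itself still
    has to go (the thread does that with Killbox)."""
    out = {e.path for e in entries
           if e.flags and ":\\" in e.path
           and not any(mk in e.raw.lower() for mk in MISSING_MARKERS)}
    return sorted(out)


def report(log_text):
    """Map each flagged log line to its list of reasons."""
    return {e.raw: e.flags for e in triage(parse(log_text)) if e.flags}


if __name__ == "__main__":
    for line, reasons in report(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    -", r)
    print("delete after fixing:", files_to_delete(triage(parse(SAMPLE_LOG))))
```

Run against the constructed log it flags exactly the six entries Howard has fixed and leaves the Adobe, AVG and BitTorrent lines alone; the BitTorrent Run entry Howard also ticks is a judgement call about an unwanted P2P client, not something these heuristics catch. The "delete after fixing" list comes out as winstall.exe and vcbhmazb.dll, matching the files the post sends to Explorer and Killbox; wyeyprof.exe and MSmedia.exe are not in this excerpt of the log, which is why the post says "if there".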
 