
Viruses/Spyware/Malware, preliminary removal instructions

  #1  
Old 03-27-2008
Newcomer, in training
 
Member since: Mar 2008, 43 posts
Viruses/Spyware/Malware, preliminary removal instructions

Hi Julio,
I came across your solution for removing spyware and malware and gave it a go.
Please could you look at the log files attached, as mentioned in your post. While carrying out the solution I seem to have lost the system32\oidlmehb.dll and the system32\gaxhrtrs.dll. Also the solution has not removed a trojan (AVAST keeps alerting to it): Win32:Agent-BSU [TrJ]. Please help.
Attached Files
File Type: txt ComboFix.txt (12.7 KB, 4 views)
File Type: log hijackthis.log (9.5 KB, 6 views)
File Type: txt AVGReport-Scan-20080327-001111.txt (14.0 KB, 3 views)
  #2  
Old 03-28-2008
kritius's Avatar
TechSpot Maniac
 
Member since: Feb 2008, 1,964 posts
System specs
Hi,

Before I can look over the log I would like you to do a couple of things for me:

1) Disable TeaTimer
Please disable TeaTimer as it may interfere with the fix.
First:
  • Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
Second:
  • Open Spybot S&D
  • Click Mode, check Advanced Mode
  • Go To Left Panel, Click Tools, then also in left panel, click Resident
  • If your firewall raises a question, say OK
  • Uncheck the box labeled Resident Tea-Timer and OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Once your log is clean you can re-enable those settings in TeaTimer.

2) Run the AVG Anti-Spyware again and get it to quarantine the results.

3) I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    o Extended (If available, otherwise use standard)
    o Scan Options:
    o Scan Archives
    o Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)


  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file (see below)


  • Include the report in your next post.

Thanks, and sorry for getting looked over yesterday, it's pretty busy round here.
  #3  
Old 03-28-2008
Newcomer, in training
 
Member since: Mar 2008, 43 posts
kaspersky scan

Hi,
Thanks for that. Please see kaspersky scan log attached. Let me know what you think.
Attached Files
File Type: txt kapersky.txt (27.1 KB, 3 views)
  #4  
Old 03-28-2008
kritius's Avatar
TechSpot Maniac
 
Member since: Feb 2008, 1,964 posts
System specs
Delete Files and Folders
  • Right click on the Start button and choose Explore
  • Show all hidden files and folders, see how HERE
  • Navigate to the following files and folders and delete them (if still present)
C:\d.exe<---------This File
C:\Documents and Settings\Varinder\Local Settings\Temp\2961271612.exe<---------This File
C:\Documents and Settings\Varinder\Local Settings\Temp\csrssc.exe<---------This File
C:\Program Files\MSN Messenger\riched20.dll<---------This File
C:\WINDOWS\system32\jfiehayd.dll<---------This File
C:\WINDOWS\system32\service.exe<---------This File
  • Empty the recycle bin.
If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***

********************NOTICE***************************************


This one is service.exe and not services.exe

Navigate to this folder and delete the contents of it but not the folder itself,
C:\QooBox\Quarantine
Empty the recycle bin

Run HijackThis again after you have turned off Spybot's TeaTimer using the instructions I gave earlier.
Also run Kaspersky again.

Last edited by kritius; 03-28-2008 at 01:52 PM..
  #5  
Old 03-28-2008
Newcomer, in training
 
Member since: Mar 2008, 43 posts
Hi Kritius,
I tried to set "show all hidden files and folders" but for some reason the option is not available. Tried through Windows Help and got the message "This operation is cancelled due to restrictions in effect on this computer. Please contact system admin."
  #6  
Old 03-28-2008
kritius's Avatar
TechSpot Maniac
 
Member since: Feb 2008, 1,964 posts
System specs
Back up the registry, see how HERE

1. Click Start - Run - type Regedit
2. Here expand to HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
3. In the right-side pane check for the DWORD value NoFolderOptions
4. If it is not there then create a new DWORD value by right-clicking: NEW - DWORD
5. Type the name "NoFolderOptions" and press Enter.
6. Double-click the entry and set the value to 0
7. Open any folder and see if Folder Options is there. If it is still not there then Log Off and Log in again or make a restart

Try that
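The registry edit above, as an added PowerShell example that is not part of the thread or of any tool it mentions: it audits the per-user Explorer policy key for NoFolderOptions and, because the next reply reports regedit itself being disabled, also the standard DisableRegistryTools value under the neighbouring Policies\System key (that value name is not in the thread and is assumed here from the normal Windows policy layout). With -Fix it exports each key to the desktop and clears the value, assuming it is run from the affected user's own account.

```powershell
# Added example, not from the thread: audit (and with -Fix, clear) the per-user
# policy values that hide Folder Options and block regedit. Assumes an ordinary
# PowerShell prompt in the affected user's account; DisableRegistryTools is the
# standard Windows policy name, assumed to be what produced "regedit disabled".
param([switch]$Fix)

$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Backup-PolicyKey {
    param([string]$Key)
    # Same precaution as the "back up the registry" step: export the key before editing it.
    $regPath = $Key -replace '^HKCU:\\', 'HKEY_CURRENT_USER\'
    $file = Join-Path $env:USERPROFILE ('Desktop\' + $Key.Split('\')[-1] + '-policy-backup.reg')
    reg.exe export $regPath $file /y | Out-Null
    Write-Host "Exported $regPath to $file"
}

foreach ($p in $policies) {
    $value = Get-PolicyValue -Key $p.Key -Name $p.Name
    if ($null -eq $value -or $value -eq 0) {
        Write-Host "$($p.Name): not set or 0 (restriction inactive)"
        continue
    }
    Write-Host "$($p.Name) = $value (restriction active)"
    if ($Fix) {
        Backup-PolicyKey -Key $p.Key
        # Step 6 of the post: a DWORD of 0 behaves the same as the value being absent.
        Set-ItemProperty -Path $p.Key -Name $p.Name -Value 0 -Type DWord
        Write-Host "$($p.Name) set to 0; log off and on (or reboot) if the option is still missing"
    }
}
```

Run it once without -Fix to see which restrictions are set; a value that reappears after being cleared means the process re-applying it is still running.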
  #7  
Old 03-28-2008
Newcomer, in training
 
Member since: Mar 2008, 43 posts
Thanks, I'll give it a shot.
  #8  
Old 03-30-2008
Newcomer, in training
 
Member since: Mar 2008, 43 posts
what a mess

Couldn't run regedit, message "regedit disabled by administrator" even though I am one.
What I did.
1. Tried to run backup utility - wouldn't back up to CD drive. Instead saved to desktop then copied to CD successfully.
2. Couldn't unhide hidden files and folders so used search to find the files listed and removed them that way instead. Not sure if this will give the same result.
3. Since running Kaspersky the computer got worse, more WIN32:agents messages. Also the Google page turned black. Also when I tried to uncheck resident TeaTimer, resident kept blocking this even though I had exited at the system tray. Took a few goes before it allowed it.
4. After doing 1 and 2, no more WIN32:bsu messages yet. Google page is normal. However tried running regedit, still saying it is disabled. Also still getting message that modules c:\windows\system32\oidlmehb.dll and gaxhrts.dll not found.

About to run Kaspersky again, will post as soon as it finishes.
  #9  
Old 03-30-2008
kritius's Avatar
TechSpot Maniac
 
Member since: Feb 2008, 1,964 posts
System specs
Quote:
Google users in the United Kingdom will notice today that we "turned the lights out" on the Google.co.uk homepage as a gesture to raise awareness of a worldwide energy conservation effort called Earth Hour.
Download RatsCheddar.zip
It contains a program written by Rathat, and it is a Policy Controller.
Save and extract this program to the desktop.
Once extracted, click on the RatsCheddar.exe file.
Enable everything, then click Exit
Reboot your Computer.

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach the log to your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


This thread is for the use of shiva64 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  #10  
Old 03-30-2008
Newcomer, in training
 
Member since: Mar 2008, 43 posts
scan

Hi,
I'll do that now. Please find HJT and Kaspersky scans attached.
Attached Files
File Type: log hijackthis.log (8.9 KB, 1 views)
File Type: txt kapersky2.txt (26.4 KB, 1 views)
  #11  
Old 03-30-2008
kritius's Avatar
TechSpot Maniac
 
Member since: Feb 2008, 1,964 posts
System specs
Can you run HJT from normal mode please? After Malwarebytes finishes
  #12  
Old 03-30-2008
Newcomer, in training
 
Member since: Mar 2008, 43 posts
I'll try it now and post if doable with malware log.
  #13  
Old 03-30-2008
kritius's Avatar
TechSpot Maniac
 
Member since: Feb 2008, 1,964 posts
System specs
I need it after Malwarebytes finishes.
  #14  
Old 03-30-2008
Newcomer, in training
 
Member since: Mar 2008, 43 posts
scans

Tried to upload both scans but the webpage froze. Trying to upload again but the attachment screen just says attachment in progress and upload errors.
  #15  
Old 03-30-2008
kritius's Avatar
TechSpot Maniac
 
Member since: Feb 2008, 1,964 posts
System specs
try deleting your previous uploads
  #16  
Old 03-30-2008
Newcomer, in training
 
Member since: Mar 2008, 43 posts
scans

Please find scans attached. HijackThis was done after Malwarebytes had finished.
Attached Files
File Type: txt hijackthis2.txt (9.2 KB, 1 views)
File Type: txt mbam-log2-3-30-2008 (13-38-53).txt (10.3 KB, 1 views)
  #17  
Old 03-30-2008
kritius's Avatar
TechSpot Maniac
 
Member since: Feb 2008, 1,964 posts
System specs
I'll look over them as soon as I can. Pretty backlogged here.
  #18  
Old 03-30-2008
Newcomer, in training
 
Member since: Mar 2008, 43 posts
No probs catch up later.
  #19  
Old 04-01-2008
Newcomer, in training
 
Member since: Mar 2008, 43 posts
Hi Kritius,
Did you get a chance to look at those scans I sent?
  #20  
Old 04-01-2008
kritius's Avatar
TechSpot Maniac
 
Member since: Feb 2008, 1,964 posts
System specs
Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O4 - HKLM\..\Run: [343a4aeb] rundll32.exe "C:\WINDOWS\system32\gaxhrtrs.dll",b
O20 - Winlogon Notify: nnnoonn - C:\WINDOWS\
  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Boot into safe mode and delete this file,

C:\WINDOWS\system32\gaxhrtrs.dll

Boot into normal mode

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please attach C:\vundofix.txt
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please Download VirtumundoBeGone by secured2k
  • Save the file to your desktop
  • Close all running programs (including your Internet Browser)
  • Double-click VirtumundoBeGone.exe on the desktop
  • Read the introductory information, and then click Continue
  • Click Start
  • When asked if you want to continue, click Yes to run the fix
  • Click "Save Log"

Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH, so don't be concerned when this happens. It requires you to manually reboot to restore your normal Windows desktop.

The log created by VirtumundoBeGone, called VBG.TXT, will be located on your desktop. Please retain VBG.TXT.

Empty Recycle Bin.

Reboot and "attach" a new HijackThis log file along with the VBG.TXT into this thread.
Also please describe how your computer behaves at the moment.