Help Darksma and Vundo are ruining my life

Status
Not open for further replies.

fatman01923

Can anyone help me remove these nasty viruses and Trojans permanently? Please give a step-by-step process, and no spyware detectors, because nothing works with them. So please look at my HijackThis file and tell me what to delete. Please, somebody, it's a pain in the a**.
 
This next step is purely optional; however, Viewpoint is considered foistware and is not needed on your computer:

'To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.'


Go to Start > Run and copy/paste or type: taskmgr
  • Under the Processes tab find the following tasks or processes:
    ViewpointService.exe
    ViewMgr.exe
  • Highlight and click "End Process".
  • Exit Task Manager.
Click on Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab".
  • Scroll down the list and find the service called "Viewpoint Manager Service"
  • When you find the service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close any open windows.
Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder

Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O4 - HKLM\..\Run: [e0430732] rundll32.exe "C:\WINDOWS\system32\xsijpgxj.dll",b
O4 - HKLM\..\Run: [BMe37034ae] Rundll32.exe "C:\WINDOWS\system32\ecpqvnab.dll",s

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\AskSBar\

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\xsijpgxj.dll
C:\WINDOWS\system32\ecpqvnab.dll


After that, Reboot

Download and Run DSS

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  • Attach the main.txt and the extra.txt in your reply.
 
I would recommend uninstalling the following; the first two are optional, but the others need to be removed.

BitTorrent
BitTorrent DNA
Download Accelerator Plus (DAP)
J2SE Runtime Environment 5.0 Update 8
Java(TM) 6 Update 3
LiveUpdate


Fix entries using HiJackThis
  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
O2 - BHO: (no name) - {446A0DE1-7CDD-4142-9528-FD1FF3A57DBE} - (no file)
O2 - BHO: {be90317e-3892-fd08-9ac4-1773813d4eb4} - {4be4d318-3771-4ca9-80df-2983e71309eb} - C:\WINDOWS\system32\shlkectc.dll
O2 - BHO: (no name) - {4f30f509-5151-410c-ab04-4f1cdf99e4fd} - (no file)
O2 - BHO: (no name) - {7607DD28-4982-4A91-B550-1E7F3FCDB81A} - C:\WINDOWS\system32\qoMdETKe.dll
O2 - BHO: (no name) - {8625194E-B724-465C-83C8-1C14C99A0DEF} - (no file)
O2 - BHO: (no name) - {B338F97B-26A0-40D1-B070-FECF81C5DA25} - (no file)
O2 - BHO: (no name) - {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} - C:\WINDOWS\system32\urqPfGWp.dll (file missing)
O2 - BHO: (no name) - {DEEB11F7-A760-426D-B87C-6F02F6D1FCF9} - (no file)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [BMe37034ae] Rundll32.exe "C:\WINDOWS\system32\uaqlkrul.dll",s

  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\WINDOWS\system32\ojyqtntm.dll
    C:\WINDOWS\system32\shlkectc.dll
    C:\WINDOWS\system32\ecpqvnab.dll
    C:\WINDOWS\system32\qoMdETKe.dll
    C:\WINDOWS\system32\eKTEdMoq.ini2
    C:\WINDOWS\system32\jTBIPXyb.ini2
    C:\WINDOWS\system32\eNpYaccf.ini2
    C:\WINDOWS\system32\PYFOVvut.ini2
    C:\WINDOWS\system32\uBdKlnpo.ini2
    C:\WINDOWS\system32\HQqWycdd.ini2
    C:\WINDOWS\system32\LUBbKkkj.ini2
    C:\WINDOWS\system32\ps3sixaxis_en.exe
    C:\Program Files\AskSBar
    C:\VundoFix Backups
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{446A0DE1-7CDD-4142-9528-FD1FF3A57DBE}
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4be4d318-3771-4ca9-80df-2983e71309eb}
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4f30f509-5151-410c-ab04-4f1cdf99e4fd}
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7607DD28-4982-4A91-B550-1E7F3FCDB81A}
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8625194E-B724-465C-83C8-1C14C99A0DEF}
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B338F97B-26A0-40D1-B070-FECF81C5DA25}
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}
    HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEEB11F7-A760-426D-B87C-6F02F6D1FCF9}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
    -HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BMe37034ae
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post and attach a new HJT log.
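The HijackThis entries listed above (the R1, R3, O2, O3 and O4 lines) all follow a fixed text layout. As an added example that is not part of this thread, here is a small Python parser that splits those lines into fields and flags the properties the helper used when picking them: a registered BHO or hook whose file is gone ("(no file)" / "(file missing)"), an autorun entry that loads a DLL through rundll32, an eight-letter DLL name sitting directly in system32 (how the Vundo DLLs in this log are named), and an overridden Default_Page_URL. The sample lines are copied from the entries posted above; the flagging rules are this example's own heuristics, not HijackThis features.

```python
import re

# Sample HijackThis lines, copied from the entries posted in this thread.
SAMPLE_HJT = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.defaulthomepage.info
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7607DD28-4982-4A91-B550-1E7F3FCDB81A} - C:\WINDOWS\system32\qoMdETKe.dll
O2 - BHO: (no name) - {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} - C:\WINDOWS\system32\urqPfGWp.dll (file missing)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [BMe37034ae] Rundll32.exe "C:\WINDOWS\system32\uaqlkrul.dll",s
"""

CLSID = r"\{[0-9A-Fa-f-]+\}"

# One pattern per HijackThis section handled here; field names follow the log layout.
HJT_RE = {
    "R1": re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$"),
    "R3": re.compile(rf"^R3 - URLSearchHook: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    "O2": re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    "O3": re.compile(rf"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"),
}

# Heuristic of this example: an eight-letter DLL name directly under system32,
# the naming pattern of the Vundo DLLs quoted in this thread.
RANDOM_SYS32 = re.compile(r"^C:\\WINDOWS\\system32\\[A-Za-z]{8}\.dll$", re.IGNORECASE)


def parse_hjt_line(line):
    """Parse one HijackThis line into a dict, or None if its section is not handled."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    rx = HJT_RE.get(section)
    m = rx.match(line) if rx else None
    if not m:
        return None
    entry = {"section": section, "raw": line}
    entry.update(m.groupdict())
    return entry


def parse_hjt_log(text):
    """Parse every handled line of a log; unhandled or blank lines are dropped."""
    return [e for e in (parse_hjt_line(l) for l in text.splitlines()) if e]


def triage(entry):
    """Return the reasons this entry deserves a look (this example's heuristics)."""
    reasons = []
    target = entry.get("path", "")
    if entry["section"] == "O4":
        cmd = entry["command"]
        quoted = re.search(r'"([^"]+)"', cmd)
        if "rundll32" in cmd.lower() and quoted:
            target = quoted.group(1)  # the DLL rundll32 is told to load
            reasons.append("autorun loads a DLL through rundll32")
    if target.endswith("(no file)") or target.endswith("(file missing)"):
        reasons.append("registered component has no file on disk")
        target = re.sub(r"\s*\((?:no file|file missing)\)$", "", target)
    if RANDOM_SYS32.match(target):
        reasons.append("eight-letter DLL name directly in system32")
    if entry["section"] == "R1" and entry["value"].strip() == "Default_Page_URL":
        reasons.append("Default_Page_URL overridden; confirm it is the user's choice")
    return reasons


def triage_log(text):
    """List (raw line, reasons) for every entry that triggered at least one reason."""
    flagged = []
    for entry in parse_hjt_log(text):
        reasons = triage(entry)
        if reasons:
            flagged.append((entry["raw"], reasons))
    return flagged


if __name__ == "__main__":
    for raw, reasons in triage_log(SAMPLE_HJT):
        print(raw)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the Ask toolbar entries are parsed but not flagged (they have a real file under Program Files), while the dangling BHOs, the two system32 DLLs and the rundll32 autorun are reported with their reasons.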
 
File/Folder not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ojyqtntm.dll
C:\WINDOWS\system32\ojyqtntm.dll NOT unregistered.
C:\WINDOWS\system32\ojyqtntm.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\shlkectc.dll
C:\WINDOWS\system32\shlkectc.dll NOT unregistered.
C:\WINDOWS\system32\shlkectc.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ecpqvnab.dll
C:\WINDOWS\system32\ecpqvnab.dll NOT unregistered.
C:\WINDOWS\system32\ecpqvnab.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qoMdETKe.dll
C:\WINDOWS\system32\qoMdETKe.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\qoMdETKe.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\eKTEdMoq.ini2 moved successfully.
C:\WINDOWS\system32\jTBIPXyb.ini2 moved successfully.
C:\WINDOWS\system32\eNpYaccf.ini2 moved successfully.
C:\WINDOWS\system32\PYFOVvut.ini2 moved successfully.
C:\WINDOWS\system32\uBdKlnpo.ini2 moved successfully.
C:\WINDOWS\system32\HQqWycdd.ini2 moved successfully.
C:\WINDOWS\system32\LUBbKkkj.ini2 moved successfully.
C:\WINDOWS\system32\ps3sixaxis_en.exe moved successfully.
C:\Program Files\AskSBar\SrchAstt\1.bin moved successfully.
C:\Program Files\AskSBar\SrchAstt moved successfully.
C:\Program Files\AskSBar\bar\Settings moved successfully.
C:\Program Files\AskSBar\bar\History moved successfully.
C:\Program Files\AskSBar\bar\Cache moved successfully.
C:\Program Files\AskSBar\bar\1.bin moved successfully.
C:\Program Files\AskSBar\bar moved successfully.
C:\Program Files\AskSBar moved successfully.
C:\VundoFix Backups moved successfully.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{446A0DE1-7CDD-4142-9528-FD1FF3A57DBE} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{446A0DE1-7CDD-4142-9528-FD1FF3A57DBE}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4be4d318-3771-4ca9-80df-2983e71309eb} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4be4d318-3771-4ca9-80df-2983e71309eb}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4f30f509-5151-410c-ab04-4f1cdf99e4fd} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4f30f509-5151-410c-ab04-4f1cdf99e4fd}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7607DD28-4982-4A91-B550-1E7F3FCDB81A} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7607DD28-4982-4A91-B550-1E7F3FCDB81A}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8625194E-B724-465C-83C8-1C14C99A0DEF} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8625194E-B724-465C-83C8-1C14C99A0DEF}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B338F97B-26A0-40D1-B070-FECF81C5DA25} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B338F97B-26A0-40D1-B070-FECF81C5DA25}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}\\ not found.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEEB11F7-A760-426D-B87C-6F02F6D1FCF9} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEEB11F7-A760-426D-B87C-6F02F6D1FCF9}\\ not found.
< HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} >
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}\ deleted successfully.
File/Folder -HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BMe37034ae >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\BMe37034ae not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}\ deleted successfully.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04262008_180348

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qoMdETKe.dll
C:\WINDOWS\system32\qoMdETKe.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\qoMdETKe.dll scheduled to be moved on reboot.
 
That looks pretty much clean.

I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed.
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    o Extended (If available, otherwise use standard)
    o Scan Options:
    o Scan Archives
    o Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    [screenshot: Kas-SaveReport-1.gif]

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file (see below)

    [screenshot: Kas-Savetxt.gif]

  • Include the report in your next post.
 
Thanks a bunch

I will perform this scan, and I want to thank you for all of your hard work. I will try to help anyone new here with this problem like you did with me. Now I will be more careful and do this final scan like you said. Thanks again!
 
Please open the OTMoveIt2 by OldTimer
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    [kill explorer]
    C:\WINDOWS\system32\bjrgihrr.dll_old
    C:\WINDOWS\system32\byXPIBTj.dll_old
    C:\WINDOWS\system32\pbwgwbyu.dll_old
    C:\WINDOWS\system32\qoMdETKe.dll
    purity
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
This is my result of the new scan

C:\WINDOWS\system32\bjrgihrr.dll_old moved successfully.
C:\WINDOWS\system32\byXPIBTj.dll_old moved successfully.
C:\WINDOWS\system32\pbwgwbyu.dll_old moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qoMdETKe.dll
C:\WINDOWS\system32\qoMdETKe.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\qoMdETKe.dll scheduled to be moved on reboot.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04272008_103946

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qoMdETKe.dll
C:\WINDOWS\system32\qoMdETKe.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\qoMdETKe.dll scheduled to be moved on reboot.
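Both OTMoveIt2 result logs posted in this thread end the same way: qoMdETKe.dll is reported as "scheduled to be moved on reboot", and the "Files moved on Reboot..." section shows the move failed again after the restart, which is why the next step escalates to a tool that deletes files at boot. As an added example that is not part of this thread, the following Python reads an OTMoveIt2-style results log, sorts the lines into moved items, files the tool could not move, and registry keys deleted or not found, and reports the files still pending after the reboot pass. The line formats are inferred from the logs posted above; the sample log is constructed from them (shortened).

```python
import re

# Constructed sample, shortened from the two OTMoveIt2 result logs posted in this thread.
SAMPLE_LOG = r"""
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ojyqtntm.dll
C:\WINDOWS\system32\ojyqtntm.dll NOT unregistered.
C:\WINDOWS\system32\ojyqtntm.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qoMdETKe.dll
C:\WINDOWS\system32\qoMdETKe.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\qoMdETKe.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\eKTEdMoq.ini2 moved successfully.
C:\Program Files\AskSBar moved successfully.
< HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} >
Registry key HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}\\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} deleted successfully.
File/Folder -HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} not found.
< purity >
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04262008_180348

Files moved on Reboot...
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qoMdETKe.dll
C:\WINDOWS\system32\qoMdETKe.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\qoMdETKe.dll scheduled to be moved on reboot.
"""

# Line shapes seen in the logs above; the first pattern that matches a line wins.
PATTERNS = [
    ("moved", re.compile(r"^(?P<item>.+?) moved successfully\.$")),
    ("scheduled", re.compile(r"^File move failed\. (?P<item>.+?) scheduled to be moved on reboot\.$")),
    ("not_unregistered", re.compile(r"^(?P<item>.+?) NOT unregistered\.$")),
    ("not_found", re.compile(r"^File/Folder (?P<item>.+?) not found\.$")),
    ("reg_deleted", re.compile(r"^Registry (?:key|value) (?P<item>.+?) deleted successfully\.$")),
    ("reg_not_found", re.compile(r"^Registry (?:key|value) (?P<item>.+?) not found\.$")),
]

# Header OTMoveIt2 writes before the results of its second, post-reboot attempt.
REBOOT_HEADER = "Files moved on Reboot..."


def parse_otmoveit_log(text):
    """Group the log's lines by outcome; 'pending_after_reboot' holds files that failed twice."""
    result = {name: [] for name, _ in PATTERNS}
    result["pending_after_reboot"] = []
    in_reboot_pass = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == REBOOT_HEADER:
            in_reboot_pass = True
            continue
        for name, rx in PATTERNS:
            m = rx.match(line)
            if m:
                result[name].append(m["item"])
                if name == "scheduled" and in_reboot_pass:
                    result["pending_after_reboot"].append(m["item"])
                break  # echo lines such as "< ... >" match nothing and are skipped
    return result


def needs_boot_time_deletion(text):
    """Files OTMoveIt2 could not move even in its reboot pass (qoMdETKe.dll in this thread)."""
    seen = []
    for item in parse_otmoveit_log(text)["pending_after_reboot"]:
        if item not in seen:
            seen.append(item)
    return seen


if __name__ == "__main__":
    summary = parse_otmoveit_log(SAMPLE_LOG)
    for name, items in summary.items():
        print(f"{name}: {len(items)}")
    for path in needs_boot_time_deletion(SAMPLE_LOG):
        print("still locked after reboot:", path)
```

The "NOT unregistered" lines are counted but are not by themselves a problem: a DLL without a DllUnregisterServer export simply cannot be unregistered by the tool, and the three files in the sample that carry that message were still moved. The signal to act on is a path that appears under the reboot header with "scheduled to be moved on reboot", which is exactly the file this thread goes on to remove with a boot-time tool.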
 
1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Code:
Files to delete:
C:\WINDOWS\system32\qoMdETKe.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V).
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip
 
Alright all cleaned up now

Thanks for all the troubles, those were some nasty Trojans. Hope to be of some help here in the forums in the future.
Take care man.
 