:cheesy: Boy can you tell you've been trying to get rid of that NoName BHO, those little devils are tricky and change their name every time.
Before you begin the fix, you will need to download some files. You will probably want to print these instructions because they are going to need to be done in Safe Mode. Before booting into safemode, you must make sure that All files and folders are showing, including system files, and that System Restore is disabled, or you will become reinfected. Also, please make sure that your SpySweeper definitions are updated.
Please download
Process Explorer by Systernals, Also download
KillBox by Option^Explicit,
Shoot the Messenger,
UnhackMe, and RegSupremePro, (this one's in my sig}
Then boot up in SAFE MODE and stay in safe mode untill the entire fix is done.(hit f8 when booting up)
Unzip Process Explorer and double click on procexp.exe
In the top section of the Process Exlporer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen click on each instance of ddcyv.dll once and then click the kill button. You will need to repeat this with these as well;geeda.dll, sstqp.dll, and vturr.dll
After you have killed all of the named .dll's under winlogon click OK.
Next In the top section of the Process Exlporer screen again , double click on explorer.exe and again click once on each instance of ddcyv.dll, and each of the other .dll files listed above, then click the kill button.
Once you have done that click OK again.
Please install and run Unhackme. Let it remove anything that it finds.
Next run HijackThis and place a check beside each of the following;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.onlineregister.com/epson/...240%20%28EN%29
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\ddcyv.dll
O4 - HKLM\..\Run: [Diam prosessor] nuasa.exe
O4 - HKLM\..\Run: [0go40948.dll] RUNDLL32.EXE 0go40948.dll,b 95671
O4 - HKLM\..\Run: [winsystems25] winsystems.exe
O4 - HKLM\..\RunServices: [Diam prosessor] nuasa.exe
(yes they're there 2ce)O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O20 - Winlogon Notify: ddcyv - C:\WINDOWS\SYSTEM32\ddcyv.dll
O20 - Winlogon Notify: geeda - C:\WINDOWS\SYSTEM32\geeda.dll
O20 - Winlogon Notify: sstqp - C:\WINDOWS\SYSTEM32\sstqp.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\SYSTEM32\vturr.dll
Please copy the text in the quote below, and paste it into a blank notepad window.
Save it as vundo.reg and in the save as type box choose all files.
Once you have saved it double click it and allow it to merge with the registry.
REGEDIT4 [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B5527 4-0F9A-41E5-9067-A3539BD9E860}] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB 5-BD7D-4D49-A1AA-8AB0F3D3CB44}] [-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}] [-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}] [-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}] [-HKEY_CLASSES_ROOT\MSEvents.MSEvents] [-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEve nts] [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEve nts.1]
Double click on Killbox.exe and then check the delete on reboot button.
Enter the following filepath and filename into the Full path of file to delete box
C:\WINDOWS\system32\ddcyv.dll and repeat for the following, geeda.dll, sstqp.dll, and vturr.dll
Click the red circle with the white x and allow your computer to reboot.
Now you will need to search for and delete the following if they exist on your computer
foo.exe, norat.exe, ssgrate.exe, winsystems.exe, nuasa.exe, 0go40948.dll,b 95671, 0go40948.dll
Please install and run Shoot the Messenger, you have Windows Messenger enabled, it is unnecessary and is leaving you open to PopUp attacks.
Please run a full SpySweeper scan, and save the log.
Now please run CCleaner again, and reboot your computer.
When you have rebooted into Normal Mode, install and run RegSupremePro, it will want to make a backup of your cache, let it. Click on Registry Cleaner and choose Aggressive. When it has finished, click on Select, choose All. Click on Fix, and let it fix everything that it finds.
Please run HijackThis again, and post that log, along with your SpySweeper log back here.
This may be the most important part, part of why you got so infected even though you have done so much to protect yourself, (very good BTW) is because you have not been keeping your computer updated, and you have terrible security holes in your system that cannot be protected without the updates. AS SOON AS YOU ARE CLEAN!! you need to go to Microsoft Updates and go through all of the critical updates for your PC.
I look forward to your reply,
See you on the other side.
TTFN
LGW
PC Help Forum
» Security & Safety
» [Fixed] Hijackthis! Logs
»
[Fixed] Help with Hijackthis Log
[Fixed] Help with Hijackthis Log
