[Fixed] serious issues (PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs)

#29 | 07-09-2007 | valis (Senior Security Analyst)

let's get rid of the malware first.

Boot into safe mode, and navigate to and delete the following folders/files:

C:\WINDOWS\TEMP\abxwakhi.exe <-- this file

while still in safe mode, close all windows, open hjt, click 'perform system scan only', place a tick next to the following and click 'fix checked':

O2 - BHO: CIEPl Object - {F3727275-224F-4AB0-8642-7D461EFB82D8} - C:\WINDOWS\system32\mkagq.dll (file missing)
O20 - Winlogon Notify: mkagq - mkagq.dll (file missing)
O20 - Winlogon Notify: ws_3s32 - C:\WINDOWS\SYSTEM32\ws_3s32.dll


SAS picked up a lot of stuff, but now some other stuff is raising its head.

As for the jpg issue, right click it, choose 'open with' and then choose the program you want to open it with. If you don't see the program listed, choose browse and navigate to the one you want. If that is the app that you ALWAYS want to have open, tick the box that says 'always use this program' at the bottom.

reboot, and post a new log.

thanks,

v


__________________

M.C.S.A.
M.C.P.
- MS Server 2k3, Network Architecture

"Ask Bill why the string in function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that."
- Gary Kildall
#30 | 07-09-2007 | Swizzleskin (Silver Member): bad news....I think

Ok, so the file "abxwakhi.exe" did not exist; the only file that was showing in c:\windows\temp was "perflib_perfdata".

In hjt the file O2 BHO...mkagq and O20....mkagq did not exist, and O20....ws_3s2 showed up but appears to have stuck around (according to my latest hjt log).

The funny thing about the jpg is that Windows Picture and Fax Viewer is my default; however, even if I right click and choose it, there is still no response. I changed my picture viewer default to IE and it opens them when I click them; I just have to close each one and open a new one, as it doesn't understand the concept of a folder.

let me know what is next...

Swizz
Attached: hijackthis.log (5.7 KB)


#31 | 07-09-2007 | valis (Senior Security Analyst)

okay, let's deal with the infections first.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please attach C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

thanks,

v


#32 | 07-09-2007 | Swizzleskin (Silver Member): new logs

hope we are getting closer.

Swizz
Attached: VundoFix.txt (1.7 KB), hijackthis.log (5.9 KB)


#33 | 07-09-2007 | valis (Senior Security Analyst)

getting there.....

run hjt, click 'perform system scan only', place a tick next to the following, click 'fix checked':

O2 - BHO: (no name) - {335DB538-08BF-4CB6-9E85-002757D58844} - C:\WINDOWS\System32\kfvexfgw.dll
O2 - BHO: CIEPl Object - {F3727275-224F-4AB0-8642-7D461EFB82D8} - C:\WINDOWS\System32\blklf.dll
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\qmbmehij.dll",setvm
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab
O20 - AppInit_DLLs: cmdl32.dll
O20 - Winlogon Notify: blklf - C:\WINDOWS\SYSTEM32\blklf.dll


It's a pesky vundo, so this may take a few whacks with a hammer. Regardless, reboot, and post a new log.

Thanks,

v


#34 | 07-09-2007 | Swizzleskin (Silver Member): and then....

Hi Valis, so I have attached my hjt log; however, when fixing the checked items the following error happened: "an unexpected error occurred at procedure 'modbackup_makebackup sitem=020- appinit_dllscmdl32.dll' error = 5 invalid procedure call or argument".
Attached: hijackthis.log (5.8 KB)


#35 | 07-10-2007 | valis (Senior Security Analyst)

take two:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please attach C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

next, hjt:

run hjt, click 'perform system scan only', place a tick next to the following, click 'fix checked':

O2 - BHO: (no name) - {335DB538-08BF-4CB6-9E85-002757D58844} - C:\WINDOWS\System32\bxlsrqro.dll
O2 - BHO: CIEPl Object - {F3727275-224F-4AB0-8642-7D461EFB82D8} - C:\WINDOWS\system32\blklf.dll
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\xtxcserj.dll",setvm
O20 - Winlogon Notify: blklf - C:\WINDOWS\SYSTEM32\blklf.dll


post back with both the vundo text and a new hjt log, please.....going to have to break out some bigger hammers, methinks.

v




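The HijackThis lines valis asks to be fixed in posts #29, #33 and #35 can be triaged mechanically before anyone clicks "fix checked". The parser below is an added example, not code from the thread or from HijackThis; it takes the O2/O4/O16/O20 lines quoted above as constructed sample input, pulls out the section code, CLSID and referenced DLL, flags why each load point matters from a defender's view, and reports which DLL names are hooked from more than one section (the blklf.dll / mkagq.dll pattern seen in the logs). Function and field names are this example's own choices.

```python
import re
from collections import defaultdict, namedtuple
from typing import Dict, List, Optional
# Constructed sample input: the HijackThis lines quoted in posts #29 and #33.
SAMPLE_LOG = r"""
O2 - BHO: CIEPl Object - {F3727275-224F-4AB0-8642-7D461EFB82D8} - C:\WINDOWS\system32\mkagq.dll (file missing)
O20 - Winlogon Notify: mkagq - mkagq.dll (file missing)
O2 - BHO: (no name) - {335DB538-08BF-4CB6-9E85-002757D58844} - C:\WINDOWS\System32\kfvexfgw.dll
O2 - BHO: CIEPl Object - {F3727275-224F-4AB0-8642-7D461EFB82D8} - C:\WINDOWS\System32\blklf.dll
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\qmbmehij.dll",setvm
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab
O20 - AppInit_DLLs: cmdl32.dll
O20 - Winlogon Notify: blklf - C:\WINDOWS\SYSTEM32\blklf.dll
"""
LINE_RE = re.compile(r'^(O\d+) - ([^:]+): (.*)$')   # "O20 - Winlogon Notify: <detail>"
CLSID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')
DLL_RE = re.compile(r'([A-Za-z]:\\[^\s",]+\.dll|\b\w+\.dll)', re.IGNORECASE)  # path or bare name
Entry = namedtuple("Entry", "section kind detail clsid dll file_missing")

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, detail = m.groups()
    c, d = CLSID_RE.search(detail), DLL_RE.search(detail)
    return Entry(section, kind, detail, c.group(0) if c else None,
                 d.group(1) if d else None, "(file missing)" in detail)  # ref, but no file on disk

def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def triage(e: Entry) -> List[str]:
    """Why a defender should look at this entry; [] means nothing notable."""
    flags = []
    if e.section == "O20":   # Winlogon Notify and AppInit_DLLs
        flags.append("DLL loaded at logon or into every process")
    if e.section == "O2" and e.detail.startswith("(no name)"):
        flags.append("unnamed BHO loaded into Internet Explorer")
    if e.section == "O4" and "rundll32.exe" in e.detail:
        flags.append("autostart launches a DLL through rundll32")
    if e.file_missing:
        flags.append("orphaned registry reference: file already gone")
    return flags

def shared_dlls(entries: List[Entry]) -> Dict[str, List[str]]:
    """DLL base names hooked from more than one section (blklf.dll, mkagq.dll here)."""
    seen = defaultdict(set)
    for e in entries:
        if e.dll:
            seen[e.dll.rsplit("\\", 1)[-1].lower()].add(e.section)
    return {name: sorted(secs) for name, secs in seen.items() if len(secs) > 1}
```

A DLL that shows up both as a BHO and as a Winlogon Notify handler is the kind of double hook that survives fixing a single line, which is why the thread needs several rounds.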
