Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
“Error loading C:\WINDOWS\$NtUninstallMTF1011$\mmduch.dll”
“The specified module could not be found”
This is part of the infection.
Open HijackThis and select Do a system scan only.
Place a check mark next to the following entries: (if there)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cofbesfq] "C:\Documents and Settings\Owner.STEVE\Local Settings\Application Data\wsfaxolto\yxivrunshdw.exe"
O4 - HKLM\..\Run: [fjmpxcnr] "C:\Documents and Settings\Owner.STEVE\Local Settings\Application Data\lggyyxyef\yobnhkashdw.exe"
O4 - HKLM\..\Run: [bipro] "rundll32" "C:\WINDOWS\$NtUninstallMTF1011$\mmduch.dll",,Run
O4 - HKCU\..\Run: [mediafix70700en02.exe] "C:\Documents and Settings\Owner.STEVE\Application Data\6AF4966B29C8168896C6D1749ED8A6A1\mediafix70700en02.exe"
O4 - HKCU\..\Run: [XBV6RD5SZF] "C:\DOCUME~1\OWNER~1.STE\LOCALS~1\Temp\Rh2.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10i_Plugin.exe -update plugin
O4 - S-1-5-18 Startup: ibygm.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: ibygm.exe (User 'Default user')
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: 6to4 - - (no file)
Important: Close all open windows except for HijackThis and then click Fix checked.
Once completed, exit HijackThis.
*************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.
Link 1
Link 2
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
*************************************
Please download ComboFix from BleepingComputer.com
Alternate link: GeeksToGo.com
Rename ComboFix.exe to commy.exe before you save it to your Desktop.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
A guide to do this can be found here
Click Start>Run then copy paste the following command into the Run box & click OK
"%userprofile%\desktop\commy.exe" /stepdel
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
If you have problems with ComboFix usage, see How to use ComboFix