Can't complete 8 Steps - infected w/ Vundo!grb virus

Status
Not open for further replies.

meloman

Hello Folks!:wave: I am new to this community. Based on what I've read thus far I am very impressed with the support system and responsiveness by this tech community.

Well, apparently I downloaded a friendly virus to my pc sometime in the last few weeks. The virus that continuously shows up in my virus scan logs is one called the "Vundo!grb". I've been running virus scans daily as well as using Spybot in the background to block new registry entries.

Anyways, to give you a little history of my feeble attempts to cleanse my pc, I poked around on numerous sites and tried a few things but to date nothing seems to work. When I came across this site I knew I was in the right place. My latest attempt has been to implement the 8-step preliminary instructions from this site. Unfortunately, I was only able to complete the process through step 3. I get to step 4, try to install the Malwarebytes Anti-Malware software and the installation simply times out. I don't get beyond the "Do you want to run this file" prompt.

For the time being, I can only provide the log from my latest scan using McAfee VirusScan Ent. 8.0 (attached). The log reflects a total of 38 infected files being removed. The log from 3/16 reflected 64 infected files that were removed.

If there is anyone that can assist me I would greatly appreciate it. Thank you very much for taking the time to read my post.

-meloman
 
HijackThis Instructions

  • Make sure you have the LATEST version of HJT (currently v2.0.2); it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete attach the log into your reply.

Do not attempt to fix any item yet.

Do not add anything to the ignore list.

Don't use the AnalyseThis button; its findings are dangerous if misinterpreted.
 
Hello Kritius,

Thank you very much for replying to my post - I appreciate your assistance. I was able to successfully install & run HJT per your exact instructions. Attached is the HJT log that I saved after running a scan.

-meloman
 

Attachments
  • 031809 1138am hijackthis.log
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please attach the contents of C:\vundofix.txt
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please Download VirtumundoBeGone by secured2k
  • Save the file to your desktop
  • Close all running programs (including your Internet Browser)
  • Double-click VirtumundoBeGone.exe on the desktop
  • Read the introductory information, and then click Continue
  • Click Start
  • When asked if you want to continue, click Yes to run the fix
  • Click "Save Log"

Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH, so don't be concerned when this happens. It requires you to manually reboot to restore your normal Windows desktop.

The log created by VirtumundoBeGone, called VBG.TXT, will be located on your desktop. Please retain VBG.TXT.

Empty Recycle Bin.

Reboot and attach the VBG.TXT into this thread.
Also please describe how your computer behaves at the moment.

Fix entries using HiJackThis

  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
O2 - BHO: (no name) - {009F8E3A-E59E-4B14-8DE2-10EC555432A4} - (no file)
O2 - BHO: (no name) - {06900AF0-D739-46AD-81E5-19CE912CC5AB} - (no file)
O2 - BHO: (no name) - {17C8904E-A739-4090-8DBA-0DFE42B83C1D} - (no file)
O2 - BHO: (no name) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: {6007d181-f605-683a-c254-d42fb3d86912} - {21968d3b-f24d-452c-a386-506f181d7006} - C:\WINDOWS\system32\pjhpze.dll
O2 - BHO: (no name) - {286B81BE-434A-4304-83C6-A3E4431C719F} - (no file)
O2 - BHO: (no name) - {39404956-E1A1-4C09-80EA-3947D35A69B0} - (no file)
O2 - BHO: (no name) - {3F264BF9-C00B-4210-A762-233C542BCA7C} - (no file)
O2 - BHO: (no name) - {4B34CC27-B876-4254-A4DD-246CEA589CD1} - (no file)
O2 - BHO: (no name) - {6d243397-4460-46ec-a1eb-b5f2e9850f9e} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {89D4E2F0-27B9-4CA2-B6ED-E01D2A60ED38} - (no file)
O2 - BHO: (no name) - {8E9C114E-B5EE-4A5C-8BC3-7000352984CA} - C:\WINDOWS\system32\ddaby.dll (file missing)
O2 - BHO: (no name) - {AEB011CB-2956-477F-A3D0-EC91A0BDFB0E} - (no file)
O2 - BHO: (no name) - {AFBEF6C1-774B-41AE-8BAF-808770D819E6} - (no file)
O2 - BHO: (no name) - {C2F58EE5-4283-4997-974B-8BBD4D18764F} - (no file)
O2 - BHO: (no name) - {C7762723-D196-4366-9603-A663843A4162} - (no file)
O2 - BHO: (no name) - {CC8DB43C-26FA-4B1E-8FE9-1C3597EDD1FA} - (no file)
O2 - BHO: (no name) - {D3CDF205-7F9B-432C-9568-F8135BB5AA11} - (no file)
O2 - BHO: (no name) - {D72036BA-8496-4E3D-BD70-2521D6096A39} - (no file)
O2 - BHO: (no name) - {E25C53E2-681E-4346-AF91-FD6D136ADC0D} - (no file)
O2 - BHO: (no name) - {E2D54797-D50B-4059-A295-88259E2D9B64} - (no file)
O2 - BHO: (no name) - {E606B3D5-079D-44C7-BCD5-7EE0881C0125} - (no file)
O2 - BHO: (no name) - {E9B82D1D-053B-48E5-86B7-B1038B8D860E} - (no file)
O2 - BHO: (no name) - {EBBD5234-3CE5-46E8-BA1C-AC0DCB6BB130} - (no file)
O2 - BHO: (no name) - {EDFB2747-DDAD-4623-983C-76307187811E} - (no file)
O2 - BHO: (no name) - {fa094d0f-05b5-414f-a089-a529f3b696fe} - C:\WINDOWS\system32\fekenafo.dll
O2 - BHO: (no name) - {FD29AF90-369D-4489-9F61-F8FFFCD60A8B} - (no file)
O3 - Toolbar: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O4 - HKLM\..\Run: [dikowasobe] Rundll32.exe "C:\WINDOWS\system32\heyakiko.dll",s
O4 - HKLM\..\Run: [70e025b8] rundll32.exe "C:\WINDOWS\system32\sepajimo.dll",b
O4 - HKLM\..\Run: [CPM73d31624] Rundll32.exe "c:\windows\system32\juhijudu.dll",a
O8 - Extra context menu item: &Search - ?p=ZNfox000
O20 - AppInit_DLLs: C:\WINDOWS\system32\mezipawe.dll hufghh.dll yhzzue.dll rvfiyt.dll ietfbd.dll pjhpze.dll c:\windows\system32\juhijudu.dll
O20 - Winlogon Notify: khfcdaa - khfcdaa.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\juhijudu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\juhijudu.dll



  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary

Combofix
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
Link 3
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message (shown as a screenshot in the original post). Click on Yes, to continue scanning for malware.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attach back,

1) ComboFix log
2) VundoFix.txt
3) Virtmundobegone log
4) Fresh HijackThis log
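The HijackThis entries the helper lists above share a few shapes: BHO/toolbar CLSIDs with no backing file, Run keys that start rundll32 with a random-named DLL, an AppInit_DLLs injection list, and one DLL wired into SSODL, SharedTaskScheduler and a Run key at once. The following triage script is an added example (not HijackThis or the helper's code) that applies those checks to a constructed log sample; the `KNOWN_SYSTEM32` allowlist and the 6-8 letter "random name" rule are heuristics of my own, not anything the tool does.

```python
import re
from collections import Counter

# Constructed sample in HijackThis log format. The suspicious entries mirror the
# kinds the helper listed for fixing; the ctfmon and AcroIEHelper lines are
# constructed benign entries for contrast (that BHO's CLSID is a placeholder).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
O2 - BHO: (no name) - {009F8E3A-E59E-4B14-8DE2-10EC555432A4} - (no file)
O2 - BHO: (no name) - {8E9C114E-B5EE-4A5C-8BC3-7000352984CA} - C:\WINDOWS\system32\ddaby.dll (file missing)
O2 - BHO: (no name) - {fa094d0f-05b5-414f-a089-a529f3b696fe} - C:\WINDOWS\system32\fekenafo.dll
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [dikowasobe] Rundll32.exe "C:\WINDOWS\system32\heyakiko.dll",s
O4 - HKLM\..\Run: [CPM73d31624] Rundll32.exe "c:\windows\system32\juhijudu.dll",a
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\mezipawe.dll hufghh.dll pjhpze.dll c:\windows\system32\juhijudu.dll
O20 - Winlogon Notify: khfcdaa - khfcdaa.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\juhijudu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\juhijudu.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A DLL reference is either a full drive-letter path or a bare file name.
DLL_RE = re.compile(r"[A-Za-z]:\\.+?\.dll|\b[A-Za-z0-9_]+\.dll\b", re.IGNORECASE)
# Tiny allowlist (assumption) so the name heuristic skips a few common real DLLs.
KNOWN_SYSTEM32 = {"msvcrt", "wininet", "shlwapi", "urlmon", "uxtheme", "shdocvw",
                  "browseui", "mshtml", "jscript", "vbscript", "wintrust", "userenv"}
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse(log_text):
    """Yield (section, body) for each entry line; anything else is skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def dlls_in(body):
    """All DLL references in an entry, lower-cased so paths compare equal."""
    return [d.lower() for d in DLL_RE.findall(body)]


def looks_random(dll):
    """Heuristic from this thread's pattern: a 6-8 letter, all-alpha name in system32."""
    stem = dll.rsplit("\\", 1)[-1][:-4]          # strip folder and ".dll"
    return ("\\system32\\" in dll and 6 <= len(stem) <= 8
            and stem.isalpha() and stem not in KNOWN_SYSTEM32)


def triage(log_text):
    """Return (findings, refs): findings are (severity, section, reason, target)
    tuples; refs counts how many entries reference each DLL."""
    findings, refs, flagged = [], Counter(), set()
    for sec, body in parse(log_text):
        dlls = dlls_in(body)
        refs.update(dlls)
        if sec in ("O2", "O3") and any(m in body for m in ORPHAN_MARKERS):
            findings.append(("low", sec, "orphaned CLSID, no backing file", body))
        elif sec == "O4" and "rundll32" in body.lower() and dlls:
            findings.append(("high", sec, "autostart loads a DLL via rundll32", dlls[0]))
        elif sec == "O20" and body.startswith("AppInit_DLLs:") and dlls:
            # AppInit_DLLs are loaded into every process that loads user32.dll
            findings.append(("high", sec, "AppInit_DLLs injection list", ", ".join(dlls)))
        elif sec == "O20" and any(m in body for m in ORPHAN_MARKERS):
            findings.append(("low", sec, "Winlogon Notify DLL is missing",
                             dlls[0] if dlls else body))
        elif sec in ("O21", "O22") and dlls:
            findings.append(("high", sec, "shell autostart (SSODL/SharedTaskScheduler)", dlls[0]))
        for d in dlls:                            # name heuristic, reported once per DLL
            if d not in flagged and looks_random(d):
                flagged.add(d)
                findings.append(("medium", sec, "random-looking DLL name in system32 (heuristic)", d))
    return findings, refs


def shared_autostarts(refs, minimum=2):
    """DLLs wired into several autostart locations at once: the removal targets to clear together."""
    return {d for d, n in refs.items() if n >= minimum}


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for sev, sec, reason, target in found:
        print(f"[{sev:6}] {sec:<3} {reason}: {target}")
    print("wired into multiple autostarts:", sorted(shared_autostarts(counts)))
```

On the sample, juhijudu.dll is the DLL referenced from four locations, which is why the helper's list removes the O4, O20, O21 and O22 entries together rather than one at a time.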
 
Kritius,

VundoFix -

I started with step 1 of your instructions below. I ran the initial scan with VundoFix and at the conclusion of the scan it stated that no infected files were found. I did not receive the option to remove any files. I rebooted my computer and ran the scan again. Once again, VundoFix did not find any infected files; from there I proceeded to the next step. Attached is the log.

VirtumundoBeGone -

I installed and ran the VirtumundoBeGone program. I saved the log and attached it here. I did not get a BSOD. I emptied the recycle bin as instructed.

HiJackThis –

I opened the program and checked off every file listed in your post. After completion of the “Fix”, I closed the program.

ComboFix –

I’ve attempted to install this program numerous times. The installation times out. I’ve tried to bypass saving the executable file to my desktop by running it directly from the download link and that will not work either. After a few minutes, the attached message appears on my computer.

As for the behavior of the pc, it seems to be randomly stalling out programs throughout. Spybot S&D, which is running in the background, continuously pops up messages. I’ve attached a ss to provide you with an example of what is happening.

What do you advise at this point?

Thank you for your time and patience kritius.

-meloman
 

Attachments
  • 031809 1250pm VundoFix Scan Done.JPG
  • 031809 0144pm combofix error msg.JPG
  • 031809 0143pm spybot msg.JPG
DDS by sUBs
Please download DDS by sUBs from HERE or HERE and save it to your Desktop.

Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

  • Double click on dds to run it.
  • When done, DDS.txt will open.
  • You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
  • When done, Attach.txt will open.
  • Please zip and attach the contents of DDS.txt and Attach.txt in your next reply.

If that doesn't work,

RSIT
Download random's system information tool (RSIT) by random/random from here and save it to your Desktop.

  • Double click on RSIT.exe to run.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open.
  • log.txt (will be maximized) and info.txt (will be minimized)
  • Please post the contents of both logs in the next reply.
 
Hello Kritius,

I followed your instructions regarding the DDS program. I ran it as instructed and have attached an archive file containing the two logs that DDS produced.

As DDS did work, I assume I did not need to also run RSIT? Just wanted to double check.

I can not thank you enough for your assistance.:D

-meloman
 
Ok, we need to try and get ComboFix installed again.

Download and Run ComboFix
  • Download this file to your desktop from either of the two below listed places; when downloading it, rename it to meloman.exe

    HERE or HERE

  • Then double click meloman.exe & follow the prompts.
  • When finished, it shall produce a log for you. Attach that log in your next reply

WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
 
Hey Kritius,

Well that wasn't fun! After nearly an hour elapsed, causing 3 reboots and multiple scans, ComboFix finally generated a log. I've attached the log here. Question though, upon the last reboot, ComboFix loaded and asked me to wait while it generated a report. I didn't see much of anything going on in the background so I thought the program had timed out, but it hadn't. While ComboFix was running, Spybot S&D was/is also running in the background (at all times it would seem), and while ComboFix was generating the log, S&D asked me to approve multiple registry changes. I denied every request, there must have been about 20 or so. Just thought I would mention that activity. That begs the question, should I leave S&D on my system for the time being, I wouldn't want it to interfere with another task we may be applying here.

Once again, thank you so very much Kritius. You are truly a rare find. ;)

Oh yes, almost forgot. My Antivirus is going nuts now. About every couple of minutes a window pops up displaying the message, "VirusScan Alert! Vundo!grb has been detected and deleted." I attached an ss as a pt of reference.

-meloman
 

Attachments
  • 031809 0509pm ComboFix log.txt
  • 031809 0521pm virusscan alert.JPG
Oh, my, goodness.

Go to Add/Remove Programs and uninstall SweetIM if present; it may be bundled with Macrogaming.

This next step is purely optional; however, Viewpoint is considered foistware and is not needed on your computer:

'To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.'

Go to Start > Run and copy/paste or type: taskmgr
  • Under the Processes tab find the following tasks or processes:
    ViewpointService.exe
    ViewMgr.exe
  • Highlight and click "End Process".
  • Exit Task Manager.
Click on Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab".
  • Scroll down the list and find the service called "Viewpoint Manager Service"
  • When you find the service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close any open windows.
Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder

Run CFScript
Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
c:\windows\system32\dodedeva.dll
c:\windows\instsp2.exe
c:\windows\system32\fugafizu.dll
c:\windows\instsp1.exe
c:\windows\system32\juhijudu.dll.vir
c:\windows\system32\sepajimo.dll
c:\windows\system32\rajuguke.dll
c:\windows\system32\miperuwo.dll
c:\windows\system32\lofuvika.dll
c:\windows\system32\zopiwahe.dll
c:\windows\system32\wopilawu.dll
c:\windows\system32\zizaduvu.dll
c:\windows\system32\nefuwipi.dll
c:\windows\system32\nahilifo.dll
c:\windows\system32\mivojova.dll
c:\windows\system32\wolugeri.dll
c:\windows\system32\wehebopa.dll
c:\windows\system32\yelosuso.dll
c:\windows\system32\pavogare.dll
c:\windows\system32\feyajute.dll
c:\windows\system32\vufosesa.dll
c:\windows\system32\dunulaju.dll
c:\windows\system32\yivoboki.dll
c:\windows\system32\kiyajeru.dll
c:\windows\system32\zopeyuhi.dll
c:\windows\system32\luveteyo.dll
c:\windows\system32\ziniguhe.dll
c:\windows\system32\fonaneki.dll
c:\windows\system32\nezogeju.dll
c:\windows\system32\nisinupo.dll
c:\windows\system32\redivipo.dll
c:\windows\system32\virinida.dll
c:\windows\system32\zadowebi.dll
c:\windows\system32\bevukeyo.dll
c:\windows\system32\refobaju.dll
c:\windows\system32\jigefuwi.dll
c:\windows\system32\tebudati.dll
c:\windows\system32\gavulowe.dll
c:\windows\system32\newuwiyo.dll
c:\windows\system32\gerogije.dll
c:\windows\system32\lewiyidi.dll
c:\windows\system32\bonafanu.dll
c:\windows\system32\yosineku.dll
c:\windows\system32\hilafija.dll
c:\windows\system32\jepazeje.dll
c:\windows\system32\gizisuyo.dll
c:\windows\system32\veyevida.dll
c:\windows\system32\tiwedihu.dll
c:\windows\system32\zebelivu.dll
c:\windows\system32\risumega.dll
c:\windows\system32\pajazeba.dll
c:\windows\system32\wumugaka.dll
c:\windows\system32\nalusihe.dll
c:\windows\system32\hiwipafi.dll
c:\windows\system32\hizohunu.dll
c:\windows\system32\gidahumu.dll
c:\windows\system32\ruyopaku.dll
c:\windows\system32\kidoyera.dll
c:\windows\system32\hetuyevo.dll
c:\windows\system32\fifugiku.dll
c:\windows\system32\gitisowe.dll
c:\windows\system32\fupipivo.dll
c:\windows\system32\zasulege.dll
c:\windows\system32\tojowebo.dll
c:\windows\system32\muwevola.dll
c:\windows\system32\zibibozi.dll
c:\windows\system32\fimohinu.dll
c:\windows\system32\jifopufo.dll
c:\windows\system32\vodewenu.dll
c:\windows\system32\wokoguri.dll
c:\windows\system32\zerarapo.dll
c:\windows\system32\dezuzara.dll
c:\windows\system32\bodalene.dll
c:\windows\system32\gemidesu.dll.vir
c:\windows\system32\zogovaro.dll
c:\windows\system32\hajigira.dll
c:\windows\system32\tuhemasa.dll
c:\windows\system32\joludune.dll
c:\windows\system32\telezeva.dll
c:\windows\system32\gidobedi.dll
c:\windows\system32\lehelojo.dll
c:\windows\system32\waduzaga.dll
c:\windows\system32\gevimasi.dll
c:\windows\system32\kosuyapu.dll
c:\windows\system32\jowuhese.dll
c:\windows\system32\veseyusi.dll
c:\windows\system32\niyihifi.dll
c:\windows\system32\nevihezu.dll
c:\windows\system32\jituwuwa.dll
c:\windows\system32\jiremeye.dll
c:\windows\system32\zitakihu.dll
c:\windows\system32\binatoko.dll
c:\windows\system32\juposeno.dll
c:\windows\system32\komabagi.dll
c:\windows\system32\dukotibe.dll
c:\windows\system32\defarewo.dll
c:\windows\system32\dedovewu.dll
c:\windows\system32\dojiralo.dll
c:\windows\system32\F5DD7F3EA3.sys
c:\windows\system32\farakive.dll
c:\windows\system32\fiyahena.dll
c:\windows\system32\heyakiko.dll
c:\windows\system32\KGyGaAvL.sys
c:\windows\system32\knjemr.dll
c:\windows\system32\ldjtkp.dll
c:\windows\system32\masekaba.dll
c:\windows\system32\numitopi.dll
c:\windows\system32\pamukuhu.dll
c:\windows\system32\royotago.dll
c:\windows\system32\swzzkm.dll
c:\windows\system32\yadebene.dll
c:\windows\system32\zakawuli.dll


Folder::
C:\KEWGZXJVDERAPVAD
c:\program files\Viewpoint

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SweetIM"=-
"dikowasobe"=-
"CPM73d31624"=-
"70e025b8"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe, as shown in the screenshot in the original post.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

  • Open a folder window (for example, double-click My Computer).
  • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
  • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
  • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
  • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.

FindAWF

Download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Attach the AWF.txt file in your next reply.

After this run a fresh HijackThis log for me.

In your response you should have:
1) ComboFix log
2) AWF log
3) HijackThis log
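The CFScript above has a strict shape: `File::` must be the very first line, each section lists one absolute path per line, and the `Registry::` section uses .reg syntax where `"name"=-` deletes that value under the preceding `[key]`. The checker below is an added example (my own code, not ComboFix's) that parses a constructed script built from a few of the helper's entries and reports the mistakes the post warns about (blank line or space before `File::`, relative paths, duplicate entries, stray registry lines).

```python
import re
from collections import OrderedDict

HEADER_RE = re.compile(r"^([A-Za-z]+)::$")
KEY_RE = re.compile(r"^\[(HK[A-Z_]+\\.+)\]$")
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')     # .reg syntax: "name"=- deletes the value
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")        # drive letter, colon, backslash, anything
KNOWN_SECTIONS = ("File", "Folder", "Registry")  # the sections this thread's script uses

# Constructed CFScript using a handful of entries from the helper's post.
SAMPLE_SCRIPT = r"""File::
c:\windows\system32\dodedeva.dll
c:\windows\instsp2.exe
c:\windows\system32\juhijudu.dll.vir
c:\windows\system32\F5DD7F3EA3.sys

Folder::
C:\KEWGZXJVDERAPVAD
c:\program files\Viewpoint

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SweetIM"=-
"dikowasobe"=-
"CPM73d31624"=-
"70e025b8"=-
"""


def parse_cfscript(text):
    """Parse the script into sections and list anything ComboFix would mis-read."""
    lines = text.replace("\r\n", "\n").split("\n")
    problems = []
    if lines[0] != "File::":
        problems.append("line 1 must be exactly 'File::' (no blank line above it, no leading space)")
    sections, current, current_key = OrderedDict(), None, None
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        header = HEADER_RE.match(line)
        if header:
            current, current_key = header.group(1), None
            if current not in KNOWN_SECTIONS:
                problems.append(f"line {n}: unknown section {current}::")
            sections.setdefault(current, OrderedDict() if current == "Registry" else [])
            continue
        if current is None:
            problems.append(f"line {n}: content before any section header: {line!r}")
        elif current in ("File", "Folder"):
            if not PATH_RE.match(line):
                problems.append(f"line {n}: not an absolute path: {line!r}")
            elif line.lower() in (p.lower() for p in sections[current]):
                problems.append(f"line {n}: duplicate {current} entry: {line!r}")
            else:
                sections[current].append(line)
        elif current == "Registry":
            key = KEY_RE.match(line)
            value = VALUE_DEL_RE.match(line)
            if key:
                current_key = key.group(1)
                sections[current].setdefault(current_key, [])
            elif value and current_key:
                sections[current][current_key].append(value.group(1))
            else:
                problems.append(f"line {n}: unrecognised registry line: {line!r}")
        # lines under an unknown section were already reported at its header
    return sections, problems


def summary(sections):
    """Counts a helper would eyeball before telling the user to drag the script onto ComboFix."""
    reg = sections.get("Registry", {})
    return {"files": len(sections.get("File", [])),
            "folders": len(sections.get("Folder", [])),
            "registry_values": sum(len(v) for v in reg.values())}


if __name__ == "__main__":
    parsed, issues = parse_cfscript(SAMPLE_SCRIPT)
    print(summary(parsed), issues)
    print(parse_cfscript("\n" + SAMPLE_SCRIPT)[1][0])   # the blank-first-line mistake
```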
 
Hello Kritius,

I hope you are doing well today. This is turning out to be quite an intensive project - it's remarkable how well you know this stuff. Alrighty then, here we go.

Sweetim (Macrogaming) -
I was unable to locate any program named by either sweetim or macrogaming, therefore I was not able to remove it from the programs list.

Viewpoint Media Player -
Ironically enough, when the virus first infected my system, this was the first program that started to malfunction. I recall removing it from my system entirely then, including from start-up. That is probably why I could not locate it from the programs list, nor any files and/or folder directories associated with the program on my system. Further, because of the fact that this program would load with windows on startup, my pc would constantly or start to function erratically. I then decided to remove the program from start-up. Once I did that, things went downhill from there.

To that end, (from my recollection), Viewpoint was previously removed from my system and start-up and I was unable to locate any associated files or directories.

ComboFix -
I followed your instructions & created the CFscript.txt log which I then dragged into the ComboFix executable icon. The only issue I encountered was that it would initialize due to the fact that we had renamed previously to meloman.exe (it wouldn't run otherwise). I renamed the executable file back to ComboFix.exe and successfully merged the log. Attached is the ComboFix log.

ATF Cleaner -
I ran this program as instructed and also applied the modifications you requested.

FindAWF -
I ran this program and attached the log as requested.

Hijack This -
I ran this program and attached the log as requested.

Ah yes, regarding the change of time format that ComboFix implemented, is there a way of changing it back to the way it was before, ie DD, MM, YYYY? Apparently, some of my programs do not understand the current format of YYYY, DD, MM and effectively won't run. Perhaps I'm getting ahead of myself here, but was just wondering.

Thank you so much Kritius, if I lived closer to you I'd take you out for some Guinness! :grinthumb
 
Fix AWF Infection Step 2

Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Microsoft ActiveSync\bak\wcescomm.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"E:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Adobe\Abobe Acrobat 8 Pro\Acrobat\bak\Acrotray.exe"
"C:\Program Files\Citrix\GoToMyPC\bak\g2svc.exe"
"C:\Program Files\Macrogaming\SweetIM\bak\SweetIM.exe"
"C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe"
"C:\Program Files\WordPerfect Office X3\Programs\bak\QFSCHD130.EXE"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Network Associates\TalkBack\bak\TBMon.exe"
"C:\Program Files\eCopy\Desktop 9.0\Bin\bak\eDP2eD.exe"
"C:\Program Files\eCopy\Desktop 9.0\Bin\bak\InboxMonitor.exe"
"C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"E:\WINDOWS\system32\bak\ctfmon.exe"
"E:\WINDOWS\system32\bak\NeroCheck.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please attach the AWF.txt file in your next reply.

Fix AWF Infection Step 3

Copy the paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\iTunes\bak
C:\Program Files\Microsoft ActiveSync\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
E:\WINDOWS\system32\bak
C:\Adobe\Abobe Acrobat 8 Pro\Acrobat\bak
C:\Program Files\Citrix\GoToMyPC\bak
C:\Program Files\Macrogaming\SweetIM\bak
C:\Program Files\Network Associates\Common Framework\bak
C:\Program Files\WordPerfect Office X3\Programs\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Network Associates\TalkBack\bak
C:\Program Files\eCopy\Desktop 9.0\Bin\bak
C:\Program Files\eCopy\Desktop 9.0\Bin\bak
C:\Program Files\Java\jre1.6.0_01\bin\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak
C:\WINDOWS\system32\bak
E:\WINDOWS\system32\bak
E:\WINDOWS\system32\bak
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Select Option 3 from the menu and press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

Before you close FindAWF, Select Option 4 from the menu and press Enter.

When it's finished the tool will return to the main menu.

Press E to close FindAWF.

Run Smitfraudfix
  • Download Smitfraudfix by S!ri from HERE
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
  • Instead of Windows loading as normal, the Advanced Options Menu should appear
  • Select the first option, to run Windows in Safe Mode, then press Enter
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the clipboard ready for posting back on the forum).
  • Finally attach the Report.txt back on the forum with a new HijackThis log

Can you try getting Malwarebytes to run? If it can't run then boot into safe mode and try it from there.

I have to say that this infection is very tricky; it keeps regenerating.

I am quite reluctant to try much more in case we do major damage. At the minute the best option may be to reinstall.
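The FindAWF Step 2 and Step 3 lists above are two views of the same data: each quoted path is a legitimate startup executable sitting in a `bak` folder, the file goes back one directory level, and the Step 3 folder list is just the distinct parents of the Step 2 files (the helper's lists repeat `C:\WINDOWS\system32\bak\ctfmon.exe` twice). The script below is an added example, not FindAWF's code, that derives the restore plan and the folder list from a constructed subset of the Step 2 list, drops duplicates, and sets aside any entry whose parent is not named `bak`; the `notbak` line is a made-up entry to show that check.

```python
import ntpath  # Windows path rules, so this runs the same on any host

# Constructed input: a subset of the helper's Step 2 list, keeping the duplicate
# ctfmon.exe line as in the post, plus one deliberately malformed entry (the
# "notbak" line, not a real path) to exercise the sanity check.
STEP2_LIST = r'''
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"E:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\Citrix\GoToMyPC\bak\g2svc.exe"
"C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"E:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\Example\notbak\thing.exe"
'''


def parse_quoted_paths(text):
    """One path per line, with or without the surrounding double quotes."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('"') and line.endswith('"'):
            line = line[1:-1]
        if line:
            out.append(line)
    return out


def restore_plan(bak_paths):
    """Map each backed-up executable to the location it is restored to.

    Returns (plan, rejected): plan is {bak path: original path} with
    case-insensitive duplicates dropped; rejected holds entries whose parent
    folder is not named 'bak', which should be checked by hand, not restored."""
    plan, rejected, seen = {}, [], set()
    for p in bak_paths:
        key = ntpath.normcase(p)          # Windows paths compare case-insensitively
        if key in seen:
            continue
        seen.add(key)
        folder, name = ntpath.split(p)
        if ntpath.basename(folder).lower() != "bak":
            rejected.append(p)
            continue
        plan[p] = ntpath.join(ntpath.dirname(folder), name)   # one level up
    return plan, rejected


def bak_folders(plan):
    """The distinct bak folders, i.e. the Step 3 removal list, in first-seen order."""
    out, seen = [], set()
    for p in plan:
        folder = ntpath.dirname(p)
        if ntpath.normcase(folder) not in seen:
            seen.add(ntpath.normcase(folder))
            out.append(folder)
    return out


if __name__ == "__main__":
    plan, rejected = restore_plan(parse_quoted_paths(STEP2_LIST))
    for src, dst in plan.items():
        print(f"restore {src} -> {dst}")
    print("check by hand:", rejected)
    print("Step 3 folders:", bak_folders(plan))
```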
 
Hello Kritius,

Thank you for responding so quickly. I was only able to get through the AWF section of your post. I downloaded Smitfraudfix and attempted to reboot my computer in safe mode; unfortunately, I seem to be unable to. Once any of the three safe-boot methods is selected (ie safe mode, safe mode with networking or safe mode with command prompt), I either get a reboot that loads me normally, or I get a sweet bsod.

Based on your closing statement, it would appear that this is the end of the line for me yes?

Should I bother running Malwarebytes at this point?

I really do value the time and effort you have spent here. I can't thank you enough. Please let me know where I may send a donation.
 
It looks to be the case.

The problems just are not going away. Really sorry to say that.

I would advise backing up all of your data and then reinstalling.

Don't worry about a donation; even if I had been able to get you up and running I wouldn't have accepted one.
 
Kritius,

I have the same problem but the fix did not find the virus on my OS. I am new here and can therefore not attach a file to view. I am missing 2 system 32 drivers gitisowe and fahapera, can find the first one but not the 2nd? Any further suggestions? Thanks!!
 