Vundo and Other Malwares - Help Reviewing My Logs

By 7seven
May 5, 2009
  1. I have followed the 8-Step Virus Removal Instructions and have now produced the 3 essential logs. It looks like the procedure has removed most of the malwares in my system and any obvious manifestations are gone - Task Manager disabled, registry edit disabled, display customization disabled, etc.

    Attached are the log files produced by MBAM, SASw, and HJT.

    Please help reviewing these log files and what further steps I need to take to regain full control of my PC.

    The 8-step Virus Removal Instructions have been extremely helpful and I am really appreciative.

  2. touch

    touch TS Rookie Posts: 978

    Hello 7seven

    Download HostsExpert:

    Choose one of the servers at the file on your desktop

    Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
    Run HostsXpert 4.2 - Hosts File Manager from its new home
    Click on "File Handling".
    Click on "Restore MS Hosts File".
    Click OK on the Confirmation box.
    Click on "Make Read Only?"
    Click the X to exit the program.

    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

    Download the Norton Removal Tool (SymNRT) to your Desktop.

    Once downloaded please close ALL open browsers, also save any work because this may require a restart.

    Go to your desktop and double click on the removal tool and then click Setup.
    Once open Click Next
    Accept the license agreement and click Next
    Type in the letters/numbers that you see into the text box then click Next.
    Then click Next and the tool will start running.
    Once finished restart the PC and run the tool again to ensure everything has been removed.
    Delete Nortonremoval tool from your Desktop.

    You have Viewpoint on your computer ->
    Viewpoint is considered foistware and is not needed on your computer.

    Download and unzip to own folder on Desktop -

    Run ViewpointKiller.exe


    Attach new hijackthis log, and tell how things are running now ?
  3. 7seven

    7seven TS Rookie Topic Starter

    Thanks touch.

    I will follow your instructions and post a new HJT log tonight.

    I also have the same problem as on this thread as - topic126960

    Should I also follow your suggestions in that thread?
  4. touch

    touch TS Rookie Posts: 978

    No, just follow the instructions you´ll get here in this thread.
  5. 7seven

    7seven TS Rookie Topic Starter

    Hi. I logged in to home PC last night and unfortunately, I am unable to connect to any website. I tried connecting to and techspot and failed to connect to both. I tried with both firefox and IE. I waited and eventually got a message from firefox that it cannot connect to the server. I was able to connect and update my virus definitions for MBAntimalware, SuperAntiSpyware and Kaspersky with no problems so I am definitely connected to the Internet.

    Therefore, I was not able to do any of the instructions you told me to do.

    Any clue what's going on? I was able to do all the 8-steps and posted here with my logs the night prior. I remember checking my Yahoo! mail last before actually losing connection to the Internet the other night. I thought it was just slow and called it a night. Last night when I tried to open my browser, I was unable to connect to my homepage ( or any other websites I tried.

  6. 7seven

    7seven TS Rookie Topic Starter

    I managed to connect to the Internet again using Firefox. I did not try Internet Explorer yet. I haven't downloaded the Norton Removal Tool yet as I don't know the version I should download. I will check that and go back to that step.

    In the meantime, here is my latest HJT log.

    Thanks for your help thus far. It's been tremendously amazing!
  7. touch

    touch TS Rookie Posts: 978

    Ok. We´ll remove Norton , and possible infections using combofix ->

    Please download Combofix:

    And save to the desktop.

    Close all other browser windows.

    Please connect all your external hard drive/flash drive before running Combofix, if you have any

    Double-click on the combofix icon found on your desktop.

    Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

    Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post
  8. 7seven

    7seven TS Rookie Topic Starter

    Here's my latest status:

    I ran ComboFix and it detected and warned that I still have Norton Internet Security running. I went ahead and ran ComboFix despite this warning. It deleted a few executables.

    The ComboFix log and latest HJT log are attached.

    I cannot connect to the Internet when Kaspersky is enabled. This is probably just a problem on my Kaspersky setting. I'll play around with that.

    **Now, I still have the Google-redirect happening. Any thing else I need to do, to get this anomaly fixed?

    Other than this, it seems like my PC is *almost* clean.

    Thanks for your help thus far.
  9. touch

    touch TS Rookie Posts: 978

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    Once saved, refering to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post

    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
  10. 7seven

    7seven TS Rookie Topic Starter

    I was able to run Norton Removal Tool and ran it twice last night, but I did it after running Combofix. Should I still do your latest instructions which looks like attempting to clean up Symantec remnants?
  11. touch

    touch TS Rookie Posts: 978

    No, however, I suggest you attach fresh hijackthis log and tell how things are running ?
  12. 7seven

    7seven TS Rookie Topic Starter

    Latest HJT log attached.

    I still have the Google-redirect problem. What else can I try? Should I try running Combofix again?
  13. touch

    touch TS Rookie Posts: 978

    Yes, please post new combofix log. And tell where are you redirected to ?
  14. 7seven

    7seven TS Rookie Topic Starter

    The Google-redirect is so nasty and virulent. After all the steps we attempted, it's still alive and creating havoc.

    Here are some additional information that might help you isolate what is wrong with my PC.

    1. It doesn't affect my IE. It could be because I stopped using IE when I first noticed the virus infection that started all these. It works both in the Google toolbar (which I have unistalled since) or in the default browser search box.

    2. Like I said, it only affects my Firefox browser default search box. If you go to first and you do the search from the google homepage, the search results are NOT redirected. Search results are only redirected when doing the search from the browser default search box. Search results from other search engines are NOT redirected.

    3. Search results are redirected to a variety of sites like:

    4. Sponsored links on the results page are NOT redirected.

    5. Search results are being redirected via

    6. I have uninstalled Firefox and reinstalled, with NO luck.

    These are my observations. Hopefully, it helps isolating the problem.

    My latest HJT and Combofix logs are attached.

    Thanks a lot for your help.
  15. touch

    touch TS Rookie Posts: 978

    It certainly helps isolating the problem ;)

    I´ll suggest you download Spywareblaster:

    (Choose one of the servers)

    Install it, get updates. Click on Enable All Protections.

    Please download
    and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    A log will open, please attach the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

    Note: Do not run Option #2 yet.
  16. 7seven

    7seven TS Rookie Topic Starter

    touch - should i disable kaspersky internet before doing your latest instructions?
  17. 7seven

    7seven TS Rookie Topic Starter

    I uninstalled Firefox last night when I detected that the malware is still there. So, I have 2 Gooredfix logs - one was with no Firefox installed and one after I re-installed Firefox. I have also attached my latest HJT log just in case. It looks like Gooredfix found something.

    Thanks for staying with me on this.
  18. touch

    touch TS Rookie Posts: 978

    Looks like it.

    Double-click GooredFix.exe on your Desktop to run it.
    Select "2. Fix Goored" by typing 2 and pressing Enter
    Make sure all instances of Firefox are closed at this point.
    Type y at the prompt and press Enter again.

    A log will open, pleaseattach the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

    Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system
  19. 7seven

    7seven TS Rookie Topic Starter

    Attached is the latest Goored log. GooredFix did not ask me to reboot my system.
  20. touch

    touch TS Rookie Posts: 978

    Ok. How are things running now ?
  21. 7seven

    7seven TS Rookie Topic Starter

    WOW! You are the hero!!! It went away. Yey! No more re-direct in both Firefox default search or Google homepage. I had to make sure IE still works, just in case. And it does! I have no more known problems in my system. I cannot express how much I appreciate your help. Thank you, thank you, thank you! :wave:
  22. touch

    touch TS Rookie Posts: 978

    That´s really good news :grinthumb

    Now your computer problems are solved, it is time for the clean-up procedure.

    You should Create a New Restore Point to prevent possible reinfection from an old one.
    The easiest and safest way to do this is:
    Go to Start > All Programs > Accessories > System Tools > System Restore
    Select Create a restore point, and Ok it.
    Next, go to Start > Run and type in cleanmgr
    Select the More options tab
    Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.

    Please download OTCleanIt
    Save it to desktop.
    This will remove all the tools we used to clean your computer.
    Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
    When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
    Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

    To learn more about how to protect yourself while on the internet, please read Tony Klein´s guide:
    How did I get infected in the first place

    Keep safe :wave:
  23. 7seven

    7seven TS Rookie Topic Starter


    I just want to thank you once again for staying with me through the final resolution of my system infection. I'm glad I stumbled upon this forum and decided to seek help. One extremely satisfied customer here. :grinthumb

    One last question - I ran OTCleanit to wrap things up. I guess that would not delete the programs I downloaded to remove the malwares, would it? I am referring to ViewPointKiller, SpywareBlaster, GooredFix, HostsXpert, and Norton_Removal_Tool. I guess I have to clean those up myself if I want to remove them, right?

    Thanks for your help!
  24. touch

    touch TS Rookie Posts: 978

    I´m glad to hear, we have got an "extremely satisfied customer" :)

    Don´t delete SpywareBlaster.

    You´re right, you have to delete - GooredFix, HostsXpert, and Norton_Removal_Tool - yourself

    Use this link to remove viewpoint -

    Download and unzip to own folder on Desktop -

    Run ViewpointKiller.exe

  25. 7seven

    7seven TS Rookie Topic Starter

    Gotcha. OK, will do that.

    I promise to stay safe and stay away from trouble. :blackeye:

Topic Status:
Not open for further replies.

Similar Topics

Create an account or login to comment

You need to be a member in order to leave a comment
TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...

Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.