Vundo virus

Discussion in 'Virus and Malware Removal' started by ascot54, Nov 22, 2008.

  1. ascot54 Newcomer, in training Posts: 87

    Mike,

    latest logs for ya !

    rgds

    Paul
  2. Bobbye Helper on the Fringe Posts: 16,406   +16

  3. mflynn Newcomer, in training Posts: 2,793

    Hi Paul

    Did you not do post 35: O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/tech...l/SymAData.cab

    and

    Post 38: O20 - AppInit_DLLs: qnlifb.dll

    If not then run HJT delete them and post new HJT log.
    ----------------------------------------------------------------------------------------------------------------------------------
    OK, let's see if we can't get rid of Norton (Norton/Symantec is extremely hard to eradicate).

    Drag mouse copy for pasting all inside the box below

    Code:
    @echo off
    REM Start at the root so the /s switches walk the whole current drive
    cd\
    REM Clear hidden/system/read-only bits on every norton* file and folder
    attrib  -h -s -r norton*.* /s  /d >"%USERPROFILE%"\Desktop\NortonLeftOvers.txt
    echo ...............................................
    REM Log every norton* match to the desktop file before anything is deleted
    dir /b /s norton*.* >>"%USERPROFILE%"\Desktop\NortonLeftOvers.txt
    echo ................................................
    REM Deletes every file whose name starts with norton anywhere on the drive
    del /s norton*.* /f /q >>"%USERPROFILE%"\Desktop\NortonLeftOvers.txt
    REM rd does not take wildcards, so remove each matching folder one by one
    REM (single %d because this is pasted into an open prompt, not saved as a .bat)
    for /d /r %d in (norton*) do rd /s /q "%d"
    
    REM Same three steps for syman* (Symantec) files and folders
    attrib  -h -s -r syman*.* /s /d >"%USERPROFILE%"\Desktop\SymantecLeftOvers.txt
    echo .................................................
    dir /b /s syman*.* >>"%USERPROFILE%"\Desktop\SymantecLeftOvers.txt
    echo ..................................................
    del /s syman*.* /f /q >>"%USERPROFILE%"\Desktop\SymantecLeftOvers.txt
    for /d /r %d in (syman*) do rd /s /q "%d"
    exit
    Then open the command prompt and paste directly to the Black screen.

    Attach the norton and symantec files created on the desktop.

    Then go here and do all in this post except the registry editing; we will do that differently and deeper.

    http://www.techspot.com/vb/post560473-8.html
    Note when you run rnav2003 do all versions but decline to reboot until the last one (no need to reboot 4 times)
    ----------------------------------------------------------------------------------------------------------------------------------

    SYMMSICLEANUP.reg ftp://ftp.symantec.com/public/english_us_canada/linked_files/tsgen/SYMMSICLEANUP.reg

    Save the file to the Windows desktop.
    If using Firefox, right-click the following link and then click Save Link As to download the file.

    On the Windows desktop, double-click SYMMSICLEANUP.reg,
    Click Yes when prompted, and then click OK.

    Download RegSeeker http://www.hoverdesk.net/dl/en/RegSeeker.zip

    Unzip, install and run.

    Click Find in Registry
    type
    norton
    delete all it finds

    do same process with Symantec

    You are finally clean of Norton/Symantec.

    Enough for one post.

    Good night,
    Mike
  4. ascot54 Newcomer, in training Posts: 87

    Mornin Mike...

    I have done all courses of action to eradicate Norton/Symantec...

    logs attached
  5. Bobbye Helper on the Fringe Posts: 16,406   +16

  6. mflynn Newcomer, in training Posts: 2,793

    Good morning from here anyway

    Apparently Bobbye did not read all we did in post #43; that entry no longer exists anyway, but the one below does.

    After you do the below Last thing do a HJT Scan only and remove
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} -

    Delete all the log files we created on the desktop.

    Then do the cut and paste operation on the box in my last post.
    I had a typo and added a couple of lines.

    Then send me the norton and syman files again.

    After all above now delete the entry above and send HJT log.

    Mike
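    An added check (not from either helper's posts) for confirming that the O20 AppInit_DLLs entry from post #3 and the two O16 DPF CLSIDs from posts #3 and #6 are really gone after the HJT fix: it reads the same XP registry locations HijackThis reports from. Save it as a .cmd file and run it; the key paths are the standard XP ones, the DLL name and CLSIDs are the ones quoted in the thread.

```batch
@echo off
REM Added example, not the helpers' own code: verify the HJT O20/O16 items are gone
REM by querying the registry directly. Paths are the standard XP locations.
setlocal
set "APPINIT_KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
set "DPF_KEY=HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units"

echo === O20: AppInit_DLLs (any DLL listed here loads into every process using user32) ===
reg query "%APPINIT_KEY%" /v AppInit_DLLs
reg query "%APPINIT_KEY%" /v AppInit_DLLs | find /i "qnlifb.dll" >nul && (
    echo STILL PRESENT: qnlifb.dll is listed in AppInit_DLLs
) || (
    echo OK: AppInit_DLLs no longer references qnlifb.dll
)

echo === O16: Downloaded Program Files distribution units ===
REM The two CLSIDs HJT flagged in this thread
for %%c in ({CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} {44990301-3C9D-426D-81DF-AAB636FA4345}) do (
    reg query "%DPF_KEY%\%%c" >nul 2>&1 && (
        echo STILL PRESENT: %%c
        reg query "%DPF_KEY%\%%c" /s
    ) || (
        echo OK: %%c is not registered
    )
)
endlocal
```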
  7. Bobbye Helper on the Fringe Posts: 16,406   +16

    Look up the CLSID: It is related to Symantec products, specifically 'Related to Symantec Script Runner class.'
    So the SymantecLeftOvers.txt did not fully remove the entry, which was why I suggested the Norton Removal Tool.

    This bothers me:
    You instructed the user to enter code but now said there was a 'typo' and you added lines? It would be of concern what happens if the incorrect, too short code is used.
  8. mflynn Newcomer, in training Posts: 2,793

    Paul

    Please, please excuse and ignore this entire post as it has nothing to do with you or your thread!


    Bobbye, from my very last post, can you not see this, or are you just intent on finding fault? O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} -

    I'm glad you worry for me. I am not perfect; I make mistakes. I admit and take responsibility for and correct my mistakes.

    But I am glad someone perfect and mistake-free like you is worrying for me.

    So continue worrying and let Paul and I finish up, we have cleaned his infections and are now doing some other general system cleanup!

    You have found fault several times in this post on things that were not faults at all but had already been addressed. Actually the same ones twice!

    Find something real and I will thank you.

    Mike
  9. Bobbye Helper on the Fringe Posts: 16,406   +16

    I was only pointing out that the Norton entry had not been removed using the program you gave.

    Paul, this post was inappropriately put here. My apology to you, TechSpot members can contact each other privately and should not drag out personal matters at the expense of the person with the problem.
  10. ascot54 Newcomer, in training Posts: 87

    Hey guys....

    don't fall out over me,

    I read everything..!! and take advice where needed and really appreciate the help given..


    Thanks again..
  11. ascot54 Newcomer, in training Posts: 87

    my latest log from HJT...

    I have run all the Norton removal tools,

    Ran regsweeper etc..

    I found invalid entries for Nokia software that is no longer used, so deleted all entries for that too..

    (I will be slow in replying due to work) so apologies guys for that in advance..

    Rgds
    Paul
  12. ascot54 Newcomer, in training Posts: 87

    Mike, Bobbye,

    have you sighted my latest logs ?

    any recommendations now ?

    Thanks
  13. mflynn Newcomer, in training Posts: 2,793

    Yeah I guess I did..

    It is clean now you are clean.

    I enjoyed helping you. You did a fabulous job following the many instructions.

    I hope you expected me to be thorough. And I don't give up! I noticed in another thread you referred to me as a Whiz Kid; well, at 64 I am hardly a Kid, but thanks. I just volunteer here but I do this professionally for a living and have for 30 years. And even with (CRS) and as slow as I am you are bound to pick up on a few things.

    This thread will be here a long time, refer to it every so often let us know how things are doing.

    I will close in the next post but here is one final performance tweak you might consider.

    Clean and tweak services

    In services stop and disable all of the below.

    Nothing is un-installed or deleted, only disabled from running!

    They can be put back anytime later but I would not, as none of them are needed by most home users and very few business users. Basically stuff M$ thought you should have.

    Disabled uses no memory (RAM) and no CPU cycles.
    Manual uses the RAM but a small amount of CPU.
    Auto and not started they use even more RAM and CPU.
    Auto and started even more RAM and CPU ..

    Leave off until it is noticed that you need one (not likely for 99%) then it can be enabled.

    Leaving these all off, then becomes a performance tweak/boost as they free some RAM and CPU cycles!

    Special note. If you are going to pick and choose then be aware that the small amount of RAM and CPU cycles of each one individually is not significant but as a group it is!

    So if you need most of them (or just think you do because you don't) then you may just as well enable them all!

    Distributed Link Tracking Client
    Distributed Transaction Coordinator
    DNS Client
    Fast User switching
    Health Key and Certificate Management Service
    Indexing service
    Messenger
    Net logon (only needed to log into a Domain Server)
    Net.TCP Port Sharing
    NetMeeting Remote Desktop Sharing
    IPsec services
    QoS RSVP
    Remote Registry (also a security risk)
    Uninterruptible Power Supply
    Universal Plug and Play
    Web Client
    Windows Media Player Network Sharing

    IF you are using a wired network card and "NOT" using wireless on this computer then you can also disable ....

    Wireless Zero Configuration

    Wireless Zero Configuration is only used on computers with a wireless NIC, like a Laptop.

    Do not disable Wireless Zero Configuration on a Laptop. It has nothing to do with other wireless hardware like wireless routers etc.

    In short, if this computer has a CAT 5 or 6 cable and no ability to connect wirelessly if that cable is unplugged, then you can disable Wireless Zero Configuration.

    This is not to be confused with Wired Auto Config; do not disable that!

    Mike
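    An added script (not Mike's own instructions) that applies the service list above with sc.exe instead of the Services console, and builds in Bobbye's Dependency-tab check: a service that is not installed is skipped, and one that other services still depend on is left alone and reported rather than disabled. The short service names are assumed mappings of the display names in the post to their XP defaults; save as a .cmd file and run it from an administrator command prompt.

```batch
@echo off
REM Added example, not from the thread: stop and disable the listed XP services,
REM skipping any that are missing or that still have dependent services.
REM Short names are the assumed XP equivalents of the display names in the post.
setlocal
set "SERVICES=TrkWks MSDTC Dnscache FastUserSwitchingCompatibility hkmsvc CiSvc"
set "SERVICES=%SERVICES% Messenger Netlogon NetTcpPortSharing mnmsrvc PolicyAgent"
set "SERVICES=%SERVICES% RSVP RemoteRegistry UPS upnphost WebClient WMPNetworkSvc"

for %%s in (%SERVICES%) do call :disable %%s
echo Finished. Nothing was uninstalled; re-enable later with: sc config NAME start= demand
endlocal
goto :eof

:disable
REM 1. Installed on this machine at all? sc query fails with error 1060 if not.
sc query %1 >nul 2>&1 || (
    echo [skip] %1 is not installed
    goto :eof
)
REM 2. Dependency check: enumdepend prints one SERVICE_NAME: line per dependent.
REM    5000 is an explicit buffer size so a long list is not truncated.
sc enumdepend %1 5000 | find "SERVICE_NAME:" >nul && (
    echo [skip] %1 still has dependent services; review the Dependencies tab first
    goto :eof
)
REM 3. Safe to stop now and set Startup type to Disabled (no RAM or CPU used).
sc config %1 start= disabled >nul
sc stop %1 >nul 2>&1
echo [done] %1 stopped and disabled
goto :eof
```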
  14. Bobbye Helper on the Fringe Posts: 16,406   +16

    Paul, please give me your system status: This has gone on for a long time and you've run a lot of programs, maybe it's time to just regroup and see where we are:

    What were the original problems?
    Have they been resolved?
    What problems, if any, exist now?

    I may have you run Malwarebytes and SuperAntispyware once more- but the HijackThis log is clean.

    Well, Mike and I were posting at the same time- so I don't know where this will go.
    Edit2: Regarding changing the Startup type for Services, I am leaving two reference sites to assist in this. The most important thing to remember when changing Services is to always check the Dependency tab. And it's best to work with the Services in Safe Mode:
    http://www.blackviper.com/WinXP/servicecfg.htm
    http://www.ss64.com/ntsyntax/services.html
  15. mflynn Newcomer, in training Posts: 2,793

    Thread closing-------------------------------------------------------------------
    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.
    These tools update so often they require downloading again later if needed.

    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall, Windows Defender or other guards or security programs about OTCleanIt attempting access to the Internet; allow all.

    If prompted to Reboot click Yes.
    OTCleanIt will delete itself when finished; if not, delete it yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner again twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    D/L, install and run ATF-Cleaner; clear all except passwords in all browsers you have. Run repeatedly until no more found.

    http://www.majorgeeks.com/ATF_Clean...
    -------------------------------------------------------------------------------------
    The issues found are in System Restore, so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and then OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------

    Every 2 weeks or so run MBAM and SAS until clean. They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean then get back to us.

    Additionally run CCleaner.

    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions, ThreatFire works on recognizing Virus/Malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

    You must read the documentation on the website as it learns what you run and after approval will not prompt on that item. So there is a small learning curve for you.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot occasionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    Install Hostman and allow it to disable DNS Client and select all 4 Host files and the Update
    Hostman http://www.abelhadigital.com/2008/07...-released.html

    A Disk scan and Defrag are in order.

    Mike
  16. ascot54 Newcomer, in training Posts: 87

    Guys,
    just in from work and sighted your postings...

    sincere thanks for the help you have both given to me..

    only area I need to look at is my system restore seems to have turned off and disappeared from the tabs !

    but that will wait for another time..

    best wishes to you in the USA ..

    Paul in UK...

    ps.
    Mike the pitcher will be on ice !

    cheers...
  17. Bobbye Helper on the Fringe Posts: 16,406   +16

    For System Restore:

    All Programs> Accessories> System Tools> System Restore> UNCHECK 'turn off System Restore'> Apply> OK> Reboot. Set a new restore point.

    A Tip: create a shortcut for System Restore and put it in the Quick Launch Toolbar. Very handy and a good reminder to set your own restore points.
  18. mflynn Newcomer, in training Posts: 2,793

    Great Paul I love Beer can't wait to get there!:D

    If you find SR is still not available go back to DAF and Hammerhead (2nd page)

    Reinstall System Restore.

    Then create a SR Point.

    I don't know how many times in helping people that we have tried a SR and found none available, or find one to restore and it will not install.

    So I use this in addition.

    ERUNT
    Add a redundant Reg backup: get and install ERUNT, let it add itself to startup and do a backup on install; check all boxes.

    ERUNT http://www.larshederer.homepage.t-online.de/erunt/
    Yes! Even if you use system restore and other backups Registry and Images.

    Mike
  19. slgeebrr Newcomer, in training

    Re: Virtumonde Trojan infections.....
    I joined this forum because of a bad Vundo infection....and got lucky.

    As a shot in the dark I tried running Lavasoft AdAware.....it gave the option of downloading the latest "Anniversary Edition" which I did. One pass and I was clean!!!! something that AVG and Spybot weren't able to do.....

    Might try this option before some of the more exotic things that I see posted on these forums...

    Let me know if this helps anyone else

    Thanks
    slgeebrr
  20. kimsland Ex-TechSpotter Posts: 18,353