Step 8 of 8-step Removal Instructions

Status
Not open for further replies.
Hello,
I just wanted to check with you guys to make sure that I've successfully removed this virus from my computer. I did Step 1 with Symantec Antivirus. I couldn't find any monitoring programs in Step 3, so I did nothing. I ran CCleaner twice, as well as Malwarebytes twice. I've attached the logs as requested. Thanks a bunch!
 
Good Morning! We have a few things to deal with. I would have liked you to tell us what "this virus" was!

First, you have Vundo malware in the restore points. We will remove the old restore points when your system is clean. In the meantime, do NOT use System Restore.
Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.
C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)>> (Trojan.Agent)
O20 - AppInit_DLLs: dcngzx.dll
Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode:
Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK any Viewpoint entries> Apply> OK

Start> Run> services.msc> double click on the Viewpoint Service> change the Startup type to Disabled

Control Panel> Add/Remove Programs> UNINSTALL Viewpoint entries.

Reboot into Normal Mode. Ignore the nag entry and close it after checking 'don't show this message again.' Stay in Selective Startup.

Please verify that the following entries are for your corporate network. I cannot identify the CLSID and the only URL I can get is: http://classifiedventures.com/
O17 - HKLM\Software\..\Telephony: DomainName = corp.classifiedventures.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F4FBCB9-EC70-41EC-9228-5F7D5C9D9E2B}: Domain = corp.classifiedventures.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.classifiedventures.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.classifiedventures.com
If these are indeed your domain, leave them. If not, check them in HijackThis to remove.

Please download ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts.
Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
When through, rescan with HijackThis. Attach logs for that and Combofix.
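The helper's triage above works by reading specific HijackThis sections: O20 for AppInit_DLLs, O3 for toolbars whose file is gone, O17 for domain settings that must match the corporate network, and O23 for third-party services such as Viewpoint Manager. The following script automates that reading for the same four sections. It is an added example and is not code from the original thread, from TechSpot or from HijackThis; the sample log lines are constructed to mirror the entry shapes quoted in the thread, and the "service binary outside the Windows directory" rule is a heuristic assumption of the example, not a HijackThis rule.

```python
"""Triage a HijackThis log for the entry types discussed in the thread.

Flags:
  * any non-empty O20 AppInit_DLLs value (the dcngzx.dll case above),
  * O2/O3 entries whose CLSID resolves to "(no file)" (orphaned entry),
  * O17 Domain/DomainName values outside an allow-list of corporate domains,
  * O23 services whose binary is outside the Windows directory (heuristic).
"""
import re
from dataclasses import dataclass

# Constructed sample log; the line shapes follow the O3/O17/O20/O23 entries
# quoted in the thread, with one extra O17 and one extra O23 line added so
# the allow-list and the Windows-directory checks each have a pass and a fail.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O17 - HKLM\Software\..\Telephony: DomainName = corp.classifiedventures.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.classifiedventures.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = rogue.example.test
O20 - AppInit_DLLs: dcngzx.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Audio - Microsoft - C:\Windows\System32\svchost.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section, e.g. "O20"
    reason: str   # why the entry was flagged
    line: str     # the offending log line, verbatim


# Section-specific patterns written against the line shapes quoted above.
RE_APPINIT = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
RE_CLSID_ENTRY = re.compile(r"^(?P<sec>O[23]) - .*?\{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
RE_DOMAIN = re.compile(r"^O17 - .*?:\s*(?:Domain|DomainName)\s*=\s*(?P<domain>\S+)")
RE_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def _in_windows_dir(path):
    """Heuristic (assumption of this example): trust binaries under the Windows directory."""
    p = path.strip().lower().replace("/", "\\")
    return p.startswith(("c:\\windows\\", "c:\\winnt\\"))


def _domain_allowed(domain, allowed):
    """True if the domain equals, or is a subdomain of, an allow-listed domain."""
    d = domain.lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in (x.lower() for x in allowed))


def triage(log_text, allowed_domains):
    """Return a list of Finding objects, in log order, for suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_APPINIT.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that links user32.dll,
            # so any value at all deserves a look.
            if m.group("dlls"):
                findings.append(Finding("O20", "AppInit_DLLs is set to " + m.group("dlls"), line))
            continue
        m = RE_CLSID_ENTRY.match(line)
        if m:
            if m.group("path").strip().lower() == "(no file)":
                findings.append(Finding(m.group("sec"), "CLSID registered but its file is missing", line))
            continue
        m = RE_DOMAIN.match(line)
        if m:
            if not _domain_allowed(m.group("domain"), allowed_domains):
                findings.append(Finding("O17", "domain " + m.group("domain") + " is not an expected corporate domain", line))
            continue
        m = RE_SERVICE.match(line)
        if m:
            if not _in_windows_dir(m.group("path")):
                findings.append(Finding("O23", "service '" + m.group("name") + "' runs from outside the Windows directory", line))
            continue
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, {"corp.classifiedventures.com"}):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the constructed sample with the corporate domain allow-listed, the script reports four entries: the orphaned O3 toolbar, the O17 domain that is not corporate, the O20 AppInit_DLLs value, and the Viewpoint O23 service. The two corporate O17 lines and the svchost.exe service pass, which is the same split the helper made by hand.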
 
Thanks bobbye! This post was for the Sagipsul virus; I had assumed that this 8-step guide was for that virus specifically, since that's how I found the guide. Sorry! I've followed your instructions up to the ComboFix part. Viewpoint Manager has been successfully removed from my computer; is the ComboFix part still necessary? I understand that ComboFix may be the tool that removes the bugs from the restores, so if it is still necessary, I'll do it.
Also, classifiedventures is my corporate URL. I've attached a new hijackthis.log file after having followed the Viewpoint Manager removal instructions; please take a gander!

Thanks again
 
I had assumed that this 8-step guide was for that virus specifically, since that's how i found the guide
No, it is the beginning and, if we're lucky, the end of the malware cleaning. We can determine if additional programs need to be run by viewing the entries in the logs.

The HijackThis log is clean and the O20 - AppInit_DLLs: dcngzx.dll did not reappear. However, it is not uncommon to have other malware files with a bad AppInit entry. I would be more comfortable if you ran either SDFix or ComboFix to make sure we haven't missed any of those files.

Please download SDFix and follow the directions on Post #7 here:
https://www.techspot.com/vb/topic115941.html


1. Download and Install SDFix
* Download SDFix and save it to your Desktop.
* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
2. Boot into Safe Mode
* Restart your computer and start pressing the F8 key on your keyboard.
* Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
3. Run SDFix
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here
If this handles it, we'll remove the cleaning programs and old restore points.
 