Vundo and Other Malware - Help Reviewing My Logs

Status
Not open for further replies.

7seven

I have followed the 8-Step Virus Removal Instructions and have now produced the 3 essential logs. It looks like the procedure has removed most of the malware in my system and any obvious manifestations are gone - Task Manager disabled, registry edit disabled, display customization disabled, etc.

Attached are the log files produced by MBAM, SASw, and HJT.

Please help me review these log files and tell me what further steps I need to take to regain full control of my PC.

The 8-step Virus Removal Instructions have been extremely helpful and I am really appreciative.

Cheers!
 
Hello 7seven

Download HostsXpert: http://www.majorgeeks.com/Hoster_d4626.html

Choose one of the servers at Majorgeeks... save the file on your desktop.

Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
Run HostsXpert 4.2 - Hosts File Manager from its new home
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.

Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


Download the Norton Removal Tool (SymNRT) to your Desktop.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Once downloaded please close ALL open browsers, also save any work because this may require a restart.

Go to your desktop and double click on the removal tool and then click Setup.
Once open, click Next.
Accept the license agreement and click Next.
Type in the letters/numbers that you see into the text box, then click Next.
Then click Next and the tool will start running.
Once finished, restart the PC and run the tool again to ensure everything has been removed.
Delete the Norton Removal Tool from your Desktop.


You have Viewpoint on your computer ->
Viewpoint is considered foistware and is not needed on your computer.

Download and unzip to own folder on Desktop - http://bellsouthpwp.net/p/r/prprogramsstudios/viewpointkiller.zip

Run ViewpointKiller.exe

Reboot.

Attach a new HijackThis log, and tell me how things are running now.
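The "Restore MS Hosts File" step above undoes edits malware makes to the Windows hosts file, and the note about custom entries is the catch: a blanket restore also wipes entries the user added on purpose. As an added example (not from this thread, and not part of HostsXpert), here is a small Python audit that separates the stock Microsoft entries from everything else, so redirects can be reviewed and deliberate custom entries kept. The hosts content and the 192.0.2.10 address are constructed samples.

```python
import os

# Constructed sample modelled on a typical hijack: vendor update hosts are
# pointed at an address the attacker controls, next to one deliberate
# user entry that a blanket restore would also remove.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      liveupdate.symantec.com
192.0.2.10      www.kaspersky.com
0.0.0.0         ads.example.net   # user's own ad-blocking entry
"""

# Entries present in the stock Windows hosts file; anything else is custom.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Addresses that only block a name rather than send it somewhere else.
BLOCKING_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def audit_hosts(text):
    """Classify non-default entries: 'redirect' sends a name to a real
    address (what the hijack in this thread relies on); 'block' maps it to
    loopback/null (ad-blocking, but also how malware starves AV updates).
    Both lists deserve a look before the file is restored."""
    report = {"redirect": [], "block": []}
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        kind = "block" if ip in BLOCKING_ADDRESSES else "redirect"
        report[kind].append((ip, name))
    return report


if __name__ == "__main__":
    path = WINDOWS_HOSTS_PATH if os.path.exists(WINDOWS_HOSTS_PATH) else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for kind, entries in audit_hosts(text).items():
        for ip, name in entries:
            print(f"{kind:8} {ip:16} {name}")
```

On a real machine the script reads the live hosts file; run without one it audits the constructed sample.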
 
Thanks, touch.

I will follow your instructions and post a new HJT log tonight.

I also have the same problem as on this thread - topic126960

Should I also follow your suggestions in that thread?
 
Hi. I logged in to my home PC last night and unfortunately, I am unable to connect to any website. I tried connecting to cnn.com and techspot and failed to connect to both. I tried with both Firefox and IE. I waited and eventually got a message from Firefox that it cannot connect to the server. I was able to connect and update my virus definitions for MBAntimalware, SuperAntiSpyware and Kaspersky with no problems, so I am definitely connected to the Internet.

Therefore, I was not able to do any of the instructions you told me to do.

Any clue what's going on? I was able to do all the 8 steps and posted here with my logs the night prior. I remember checking my Yahoo! mail last before actually losing connection to the Internet the other night. I thought it was just slow and called it a night. Last night when I tried to open my browser, I was unable to connect to my homepage (cnn.com) or any other websites I tried.

SOS!
 
I managed to connect to the Internet again using Firefox. I did not try Internet Explorer yet. I haven't downloaded the Norton Removal Tool yet as I don't know the version I should download. I will check that and go back to that step.

In the meantime, here is my latest HJT log.

Thanks for your help thus far. It's been tremendously amazing!
 
Ok. We'll remove Norton, and possible infections, using ComboFix ->

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Please connect all your external hard drives/flash drives before running ComboFix, if you have any.

Double-click on the combofix icon found on your desktop.

Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.
 
Here's my latest status:

I ran ComboFix and it detected and warned that I still have Norton Internet Security running. I went ahead and ran ComboFix despite this warning. It deleted a few executables.

The ComboFix log and latest HJT log are attached.

I cannot connect to the Internet when Kaspersky is enabled. This is probably just a problem on my Kaspersky setting. I'll play around with that.

Now, I still have the Google redirect happening. Anything else I need to do to get this anomaly fixed?

Other than this, it seems like my PC is *almost* clean.

Thanks for your help thus far.
 
Open Notepad and copy/paste the text in the quotebox below into it.
Name the file CFScript
and save it on the desktop.

Killall::
Snapshot::
Folder::
c:\program files\Common Files\Symantec Shared
c:\program files\Common Files\Symantec
Driver::
EraserUtilRebootDrv
LiveUpdate Notice Service

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=-

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
I was able to run Norton Removal Tool and ran it twice last night, but I did it after running ComboFix. Should I still do your latest instructions, which look like an attempt to clean up Symantec remnants?
 
No. However, I suggest you attach a fresh HijackThis log and tell me how things are running.
 
Latest HJT log attached.

I still have the Google redirect problem. What else can I try? Should I try running ComboFix again?
 
The Google redirect is so nasty and virulent. After all the steps we attempted, it's still alive and creating havoc.

Here is some additional information that might help you isolate what is wrong with my PC.

1. It doesn't affect my IE. It could be because I stopped using IE when I first noticed the virus infection that started all this. It works both in the Google toolbar (which I have uninstalled since) and in the default browser search box.

2. Like I said, it only affects my Firefox browser default search box. If you go to google.com first and you do the search from the google homepage, the search results are NOT redirected. Search results are only redirected when doing the search from the browser default search box. Search results from other search engines are NOT redirected.

3. Search results are redirected to a variety of sites like:
- bidcactus.com
- one-minute-gifts.com
- ez-suggestions.com
- findstuff.com
- nexplore.com

4. Sponsored links on the results page are NOT redirected.

5. Search results are being redirected via clickcheck.ru/check.php

6. I have uninstalled Firefox and reinstalled, with NO luck.

These are my observations. Hopefully, it helps isolate the problem.

My latest HJT and Combofix logs are attached.

Thanks a lot for your help.
 
It certainly helps isolate the problem ;)

I'll suggest you download SpywareBlaster:
http://www.majorgeeks.com/SpywareBlaster_d2859.html

(Choose one of the servers)

Install it, get updates. Click on Enable All Protections.

Please download http://jpshortstuff.247fixes.com/GooredFix.exe
and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
A log will open, please attach the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Note: Do not run Option #2 yet.
 
I uninstalled Firefox last night when I detected that the malware is still there. So, I have 2 GooredFix logs - one with no Firefox installed and one after I re-installed Firefox. I have also attached my latest HJT log just in case. It looks like GooredFix found something.

Thanks for staying with me on this.
 
Looks like it.

Double-click GooredFix.exe on your Desktop to run it.
Select "2. Fix Goored" by typing 2 and pressing Enter.
Make sure all instances of Firefox are closed at this point.
Type y at the prompt and press Enter again.

A log will open; please attach the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system.
 
WOW! You are the hero!!! It went away. Yey! No more re-direct in both Firefox default search or Google homepage. I had to make sure IE still works, just in case. And it does! I have no more known problems in my system. I cannot express how much I appreciate your help. Thank you, thank you, thank you! :wave:
 
That's really good news :grinthumb

Now your computer problems are solved, it is time for the clean-up procedure.

You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Please download OTCleanIt
Save it to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Please note: it will NOT remove MBAM, CCleaner and SuperAntiSpyware.

To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
How did I get infected in the first place


Keep safe :wave:
 
touch,

I just want to thank you once again for staying with me through the final resolution of my system infection. I'm glad I stumbled upon this forum and decided to seek help. One extremely satisfied customer here. :grinthumb

One last question - I ran OTCleanIt to wrap things up. I guess that would not delete the programs I downloaded to remove the malware, would it? I am referring to ViewPointKiller, SpywareBlaster, GooredFix, HostsXpert, and Norton_Removal_Tool. I guess I have to clean those up myself if I want to remove them, right?

Thanks for your help!
-7seven
 