Win32:vndrop virus

Status
Not open for further replies.
Pat I see you are on!

just booted ubcd4win.

Looking for another solution. will be a few moments.

Mike

OK here goes. Browse to c:\windows\system32\config.

Find the file "system" without an extension and rename it to system.bck.
Then find the newest system.sav or system.bak etc. and rename it just "system".

Then find the file "software" with no extension and rename it software.bck.
Then do the same as above: find the newest software.sav etc. and rename it just "software".

Shut down UBCD and try to boot.

mike
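The hive swap Mike describes above, as an added Python example that is not from the thread or from any recovery tool: it parks the live `system` and `software` hives as `.bck`, picks the newest `.sav`/`.bak` by modification time, and refuses to overwrite an existing `.bck` so a second run cannot destroy the only copy of the original. One deliberate deviation from the post: the backup is copied into place rather than renamed, so it stays available for another attempt. The `config` directory and hive files in `demo()` are constructed in a temp folder; nothing here touches a real `C:\windows\system32\config`.

```python
import os
import shutil
import tempfile
import time

# Hive names the thread works on, and the backup suffixes it looks for.
HIVES = ("system", "software")
BACKUP_EXTS = (".sav", ".bak")


def newest_backup(config_dir, hive):
    """Return the most recently modified <hive>.sav/<hive>.bak in config_dir, or None."""
    candidates = [
        os.path.join(config_dir, hive + ext)
        for ext in BACKUP_EXTS
        if os.path.isfile(os.path.join(config_dir, hive + ext))
    ]
    if not candidates:
        return None
    return max(candidates, key=os.path.getmtime)


def swap_in_backup(config_dir, hive):
    """Park <hive> as <hive>.bck and put the newest backup in its place.

    Returns (parked_name, promoted_from_name). Refuses to overwrite an
    existing .bck so the original hive is never lost on a repeated run.
    """
    current = os.path.join(config_dir, hive)
    parked = current + ".bck"
    backup = newest_backup(config_dir, hive)
    if backup is None:
        raise FileNotFoundError(f"no {hive}.sav/.bak to promote in {config_dir}")
    if os.path.exists(parked):
        raise FileExistsError(f"{parked} already exists; refusing to overwrite")
    if os.path.isfile(current):
        os.rename(current, parked)
    # Copy (not rename) so the backup remains on disk for a second attempt.
    shutil.copy2(backup, current)
    return os.path.basename(parked), os.path.basename(backup)


def demo():
    """Build a constructed config directory and run the swap on both hives."""
    config_dir = tempfile.mkdtemp(prefix="config_")
    now = time.time()
    # Constructed layout: live hive, an older .bak (2h) and a newer .sav (1h).
    for hive in HIVES:
        for name, age in ((hive, 0), (hive + ".bak", 7200), (hive + ".sav", 3600)):
            path = os.path.join(config_dir, name)
            with open(path, "wb") as f:
                f.write(b"hive:" + name.encode())
            os.utime(path, (now - age, now - age))
    results = {hive: swap_in_backup(config_dir, hive) for hive in HIVES}
    # After the swap the live hive should carry the .sav content (newest backup).
    promoted = {}
    for hive in HIVES:
        with open(os.path.join(config_dir, hive), "rb") as f:
            promoted[hive] = f.read().decode()
    shutil.rmtree(config_dir)
    return results, promoted


if __name__ == "__main__":
    print(demo())
```

Run against a real offline Windows volume from a rescue environment, `config_dir` would be the mounted `system32\config` path; the thread's own outcome (a boot error looking for `system.sav`) is a reminder that the promoted hive must be a consistent pair with the other hives, which this script does not check.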
 
When I moved the save files to software & system, the reboot gave an error message looking for the system.sav file.
 
Boot back, browse back there, and give me all the names of system and software that are there.

There should be just a system and software without an extension like system.sav etc among them.

Mike
 
It's letting me perform a normal boot

The signon got me to the Windows user signon prompt. When I put in any of the original user IDs on the PC, I get the following message:

A problem is preventing Windows from accurately checking the license for this computer. error code 0x80090019.
 
Are you saying you get to the Desktop?

What happens exactly?

And can you do other things? More details.

Mike
 
I do not get to the desktop. Windows starts the boot, I get to the log on to Windows screen looking for a user and password. I put in one of the user names on the PC and I get a Windows Activation box with the message posted earlier: 'A problem is preventing Windows from accurately checking the license for this computer. error code 0x80090019.' Clicking OK returns to the log on to Windows screen.
 
OK, will all profiles (users) boot up, or only Administrator?

And will it boot to Safe Mode Networking?

If the above is true, update and run MBAM and SAS and post logs (we were in the process of cleaning malware when this all happened, remember).

Whether or not the above runs, next delete SDFix from the Desktop and the C:\SDFix folder that contains Runthis.bat.

Then uninstall ComboFix.

Start-Run-cmd
type
combofix/u
Click OK.

Delete ComboFix (or the renamed ComboFix) from the desktop.

Redownload both ComboFix and SDFix and run.

Post all logs.

Mike
 
I can only get in as Administrator and only run the malware check. SAS notes that I do not have Admin rights to set up. Here is the log from the malware check.
 
Good we should be able to fix it now

But in Safe mode networking or not?

If you still have the Fixer folder, enter it and double-click RepairAssoc.reg; approve it to run.

When it finishes, run RatsCheddar and enable all. Then in Daft do a scan and check any red items to fix.

Now try the steps as posted in post #37. If one doesn't work, proceed with the next. If some work and some don't, reboot and retry the ones that did not run again.


Mike
 
No we are running them to cover everything!

Before we try to log on another profile we need to be sure MBAM and SAS are clean.

Check the logs; if removed items are found, post the logs and run again until clean.

After both MBAM and SAS are clean and logs posted run ComboFix again and post logs.

Mike
 
Ran MBAM twice, logs attached. Cannot run setup of SAS, telling me that the Administrator has set policies to prevent this installation.
 
Now ComboFix first then another MBAM Quick scan.

What did you do between the above MBAM scans as the first one at 5pm was clean and the second one at 6pm found Malware??

You seem to be getting reinfected. Did you visit a website, use a flash drive, etc.?

Mike
 
Will do. As a note, I have been running the MBAM full scan, but will do the quick scan this time.

After the first MBAM and the second, it tried to do a normal Windows start. I killed it, went back to Safe Mode w/networking and did a rerun. Going to the TechSpot site, it tried to bring up Flash Player, causing Explorer to die.

Where do I get ComboFix from?
 
Thought we had done that earlier.

Here: ComboFix and SDFix, run both!

Download ComboFix

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.
=========================================

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Mike
 
The Combo and HJT log...

Now in system in Normal mode!!!!!

Ran SD Fix. Attached report.txt. What's next?
 
You are now COOKIN!

Great job!

In normal mode in all user accounts?

Run ComboFix again in normal mode as it had findings need to confirm clean!

HJT in normal mode.

OK, there are signs of Norton in the HJT log. Are you using Avast now?

Run HJT Scan only and select and Fix all lines listed below
Any line that has (file missing) and/or (no file) at the END of the line, ONLY at the end, plus the following.
O8 - Extra context menu item: &Search - ?p=ZJxdm172YYUS.
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe (file missing)
And if not using Norton/Symantec any line that contains the word Symantec.

If Norton was once used but now uninstalled let me know and I will post links to the removal tools.

Do Temp and Reg cleanup
Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean. You may have this from the 8 Steps.

Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
-------------------------------------------------------------------------------------
The issues can be, and likely are, found in System Restore, so do the below.

Start-Programs-Accessories-System Tools-System Restore and create a new Restore point. Name it "Cleanup at TechSpot".

Then Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore and OK to "Are you sure" and the OK to Run.

As this runs it clears all but the most recent Restore Point, but it does one other thing that can contain infected files and take a huge amount of disk space.

It clears what is known as Shadow copies which are used by specialized back up programs.

This is if you have the Volume Shadow Copy running which is the default.
-------------------------------------------------------------------------------------
ERUNT
Add a redundant Reg backup: get and install ERUNT, let it add itself to startup, and do a backup on install; check all boxes.

ERUNT http://www.larshederer.homepage.t-online.de/erunt/
Yes! Even if you use system restore and other backups Registry and Images.

Go here Download DrWeb https://www.techspot.com/vb/post724044-3.html

Then....

Boot to Safe Mode only! Not with Networking and run...

DrWeb will first do an Express Scan on its own; when it completes, you should do a full scan.

The first Virus it finds select Cure and it will use this as the default automatically for all the rest. What it can't fix will be Quarantined!

This will take a while based on CPU and HD speed and size, but is worth it!

Mike
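The HJT selection rules Mike gives above (entries ending in "(file missing)" or "(no file)", the explicitly listed lines, and every Symantec entry if Norton is gone), as an added Python filter that is not from the thread or from HijackThis itself. The sample log is constructed here, modelled on the lines quoted in the post, with a couple of made-up avast! lines to show what is correctly left alone; the `norton_in_use` flag and the rule names are this example's own.

```python
import re

# An HJT entry line: section tag (O4, O23, R1, ...) then " - " then the body.
HJT_ENTRY = re.compile(r"^(?P<section>[ORFN]\d+)\s+-\s+(?P<body>.*)$")
# Markers that, only when they close the line, mean the entry points at nothing.
DEAD_MARKERS = ("(file missing)", "(no file)")

# Constructed sample log, modelled on the lines quoted in the post above.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis (constructed sample)

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Search - ?p=ZJxdm172YYUS.
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
"""

# The one line the helper listed that carries no dead-reference marker.
HELPER_LISTED = ("O8 - Extra context menu item: &Search - ?p=ZJxdm172YYUS.",)


def parse_hjt(log_text):
    """Yield (section, body, raw_line) for each entry; headers and blanks are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def is_dead_reference(body):
    """True only when a dead marker ends the entry, as the post requires."""
    return body.rstrip().endswith(DEAD_MARKERS)


def select_fix_lines(log_text, explicit_lines=(), norton_in_use=True):
    """Return [(line, reason)] for entries to tick for fixing.

    Each line is reported once, under the first rule it matches:
    dead reference, listed by the helper, or Symantec remnant when Norton is gone.
    """
    explicit = {line.strip() for line in explicit_lines}
    picked = []
    for _section, body, raw in parse_hjt(log_text):
        if is_dead_reference(body):
            picked.append((raw, "dead reference"))
        elif raw in explicit:
            picked.append((raw, "listed by helper"))
        elif not norton_in_use and "symantec" in body.lower():
            picked.append((raw, "Symantec remnant"))
    return picked


def demo():
    """Apply the thread's rules for a machine where Norton has been replaced by Avast."""
    return select_fix_lines(SAMPLE_HJT_LOG, explicit_lines=HELPER_LISTED, norton_in_use=False)


if __name__ == "__main__":
    for line, reason in demo():
        print(f"[{reason}] {line}")
```

The end-of-line check is deliberate: a path or service name that merely contains the words "no file" somewhere in the middle is not a dead reference, which is exactly the distinction the post stresses with "ONLY at the end".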
 
Norton was on the computer at one point, but I am now using Avast. Attached the Combo and HJT log from normal mode.
 