Adware.Vundo Variant that won't go away

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Man009, Dec 14, 2008.

  1. Man009

    Man009 Private E-2

    This thing will just not go away.

    Please help.

    I've run and installed several anti-adware programs;
    nothing helps.
    I've included the logs below.
     

    Attached Files:

  2. Man009

    Man009 Private E-2

    Forgot to add these log files
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Uninstall the below old versions of software:
    Java(TM) 6 Update 10



    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. Man009

    Man009 Private E-2

    First of all THANK YOU
    Thank you for helping

    SuperAntiSpyware and Malwarebytes

    still show these infections


    Malwarebytes

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.


    SuperAntiSpyware
    Unclassified.Unknown Origin
    HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
    HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32
    HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this procedure: Resetting Registry and File Permissions Make sure you reboot as instructed.

    After the reboot, run SUPERAntiSpyware and first check for updates. Then run it and fix anything found. Do the exact same with Malwarebytes.

    Then reboot and run another new scan with SUPERAntiSpyware and Malwarebytes to see if they come back clean or still have detections. Attach these second logs.
     
  6. Man009

    Man009 Private E-2

    So I ran Malwarebytes and I was home free
    for 15 minutes. While running SuperAntiSpyware, some programs were trying to hijack my computer, so I ran Malwarebytes again and I had 10 infections.

    I uploaded both logs.

    I'll try running the removal process again, as well as your last fix,

    and see if it helps.

    Would you like me to post the logs?
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Important Notice: A new version of SUPERAntiSpyware is out that may help with some of your problems.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this first log later.
    • Since this infection has been reappearing after a reboot, you will have to reboot again and then run an additional scan to make sure it comes back clean. Attach this second log too.
    Now as a redundant backup, do the below.




    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the 2 new SAS logs.
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Dec 24, 2008
  8. Man009

    Man009 Private E-2

    Thanks, I think it's all gone.
     

    Attached Files:

  9. Man009

    Man009 Private E-2

    Nope, I was wrong.

    NOD32 stopped these two

    12/25/2008 1:42:06 PM
    HTTP filter file
    http://mwwww.wwlax.com/get_frst.php?uid=6CD01543-095A-1033-0620-080722080001 a variant of Win32/TrojanDownloader.Agent.OOL trojan connection terminated - quarantined

    MANNYQ6600\Manny Threat was detected upon access to web by the application: C:\Documents and Settings\Manny\Local Settings\temp\wavvsnet.tmp.


    And

    12/25/2008 1:41:54 PM Real-time file system protection file
    C:\DOCUME~1\Manny\LOCALS~1\Temp\rasesnet.tmp a variant of Win32/Adware.Virtumonde.NCV application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM

    Event occurred on a new file created by the application: C:\WINDOWS\system32\a.exe.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach the 2 new logs from SUPERAntiSpyware that I requested.
     
  11. Man009

    Man009 Private E-2

    So as normal it looks clean, but then from nowhere NOD32 starts quarantining a few tmp files, and from there I have about 14 infections.

    Now I can't update SUPERAntiSpyware or Malwarebytes.

    I included an MGlogs, and the last few SAS + Malwarebytes logs (I think the last 10 scans), plus also a ComboFix log file.
     

    Attached Files:

  12. Man009

    Man009 Private E-2

    ComboFix
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's try another fix.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {9F5B012F-16AF-4D46-AE89-616F785BB1AA} - C:\WINDOWS\system32\qoMcbCSi.dll
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O20 - Winlogon Notify: efcDTJbY - C:\WINDOWS\SYSTEM32\efcDTJbY.dll

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now goto this link Using MGtools and download the new version of MGtools.exe using the black bold print link in the first sentence.

    Run MGtools.exe then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    At this point it is VERY IMPORTANT that you do not reboot or power down your PC after attaching your logs. These kinds of infections spread and mutate on reboots. So if you reboot after attaching your logs, they may no longer be valid and that would make my next fix invalid too.
     
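    The O2, O4 and O20 lines chaslang asks to fix above are three standard persistence points (Browser Helper Objects, the HKLM/HKCU Run keys, and Winlogon Notify packages). The script below is an added example, not a tool from this thread or from MajorGeeks: it walks those same locations from the registry and reports, for each entry, the file it points at, whether that file still exists, and its Authenticode status, which is the check a responder wants after a reboot when a scanner says clean but NOD32 keeps catching new tmp files. It assumes an elevated PowerShell 3+ session on the affected Windows machine (PowerShell was not preinstalled on XP); all function names are my own.

```powershell
# Added example, not from the thread: enumerate the persistence locations behind
# the O2 (BHO), O4 (Run) and O20 (Winlogon Notify) HijackThis lines and report,
# for each, the backing file, whether it still exists on disk, and its
# Authenticode status. Assumes an elevated PowerShell 3+ session on the affected
# Windows machine; all function names are my own.

function Get-BhoEntries {
    # O2: Internet Explorer loads every CLSID listed under this key; the DLL is
    # the default value of HKCR\CLSID\{clsid}\InprocServer32.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($k in Get-ChildItem $bhoKey) {
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$($k.PSChildName)\InprocServer32"
        $dll = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { $null }
        [pscustomobject]@{ Type = 'O2 BHO'; Name = $k.PSChildName; Raw = $dll }
    }
}

function Get-RunEntries {
    # O4: per-machine (HKLM) and per-user (HKCU) Run values.
    foreach ($hive in 'HKLM', 'HKCU') {
        $runKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $runKey)) { continue }
        foreach ($p in (Get-ItemProperty $runKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSProvider, ...
            [pscustomobject]@{ Type = "O4 $hive Run"; Name = $p.Name; Raw = $p.Value }
        }
    }
}

function Get-WinlogonNotifyEntries {
    # O20: each subkey's DLLName is loaded into winlogon.exe at logon on XP/2003
    # (the mechanism was dropped in Vista, so the key is usually absent there).
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $notifyKey)) { return }
    foreach ($k in Get-ChildItem $notifyKey) {
        $dll = (Get-ItemProperty $k.PSPath).DLLName
        [pscustomobject]@{ Type = 'O20 Winlogon Notify'; Name = $k.PSChildName; Raw = $dll }
    }
}

function Resolve-ImagePath {
    # Turn a raw registry value such as "C:\x\y.exe" /hide or %SystemRoot%\a.dll
    # into a file path; a bare DLL name (as Winlogon Notify uses) resolves to system32.
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($s.StartsWith('"')) { $s = $s.Substring(1).Split('"')[0] }
    elseif (-not (Test-Path -LiteralPath $s)) { $s = $s.Split(' ')[0] }   # unquoted path + args
    if (-not [IO.Path]::IsPathRooted($s)) { $s = Join-Path $env:SystemRoot "system32\$s" }
    return $s
}

function Get-PersistenceReport {
    $entries = @(Get-BhoEntries) + @(Get-RunEntries) + @(Get-WinlogonNotifyEntries)
    foreach ($e in $entries) {
        $file = Resolve-ImagePath $e.Raw
        $exists = [bool]($file -and (Test-Path -LiteralPath $file))
        $sig = if ($exists) { [string](Get-AuthenticodeSignature -FilePath $file).Status } else { 'n/a' }
        [pscustomobject]@{ Type = $e.Type; Name = $e.Name; File = $file; Exists = $exists; Signature = $sig }
    }
}

# A present, unsigned DLL under system32 with a random-looking name is what to
# look at first; an entry whose file no longer exists is a leftover key to clean.
Get-PersistenceReport | Sort-Object Exists, Signature | Format-Table -AutoSize
```

    Run it once before and once after a reboot and diff the two outputs: a Vundo-style infection that "comes back" shows up as new CLSIDs or new random DLL names in the second run, which is exactly the pattern the repeated reboot-and-rescan instructions in this thread are meant to expose.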
  14. Man009

    Man009 Private E-2

    OK, no turning off.

    I was not able to find all the HijackThis keys;
    the only one I found was the NOD32 one.

    Thanks.
     

    Attached Files:

  15. Man009

    Man009 Private E-2

    Sorry,
    it seemed clear, but then I had an attack and I could not get on the computer. I had to run all the scans again. I'm sorry.
     

    Attached Files:

    • Log.zip (13.5 KB)
  16. Man009

    Man009 Private E-2

    Sorry, they "attacked" again.
    Once it gets to 21 or 30 infections I can't even go online.
    I'm sorry.
     

    Attached Files:

  17. Man009

    Man009 Private E-2

    It happened again;
    they re-infect me every few hours.


    This is a log from before the restart.
     

    Attached Files:

  18. Man009

    Man009 Private E-2

    It happened again. I think it's time to format.
     

    Attached Files:

  19. Man009

    Man009 Private E-2

    Have you given up on me?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! When you keep posting, you keep bumping yourself to the bottom of the work queue. Have you read this sticky thread:

    Don't Bump! It Only Hurts You!!!

    Also you must not install or run anything that we do not request. This was stated up front in the READ & RUN ME. You ran Norman Malware Cleaner and it removed a ton of items from your hosts file that were put there to protect you from bad sites. Uninstall Norman now and then run Spybot and re-Immunize so that all this protection is added back into your hosts file.

    Did you just install PrevxCSI and WinPatrol too? Uninstall them too.

    SpywareBlaster is okay to keep. You always should have had this on your PC.

    I'm starting to think that your Sygate firewall is not protecting you. Where and when did you download and install this from? As far as we knew, Sygate was purchased by Symantec long ago and this product became unsupported and out of date. What version number do you have?

    Do you know what the below driver is for? Right click on it and look at the Properties info to see if you can find out.
    Code:
    "C:\WINDOWS\system32\drivers\"
    fstarf~1.sys  Oct 24 2008        9216  "FStarForce.sys"
    Please remove the below from your Desktop. It does not belong here and we asked you to put it in C:\ in the instructions in the READ & RUN ME.
    Code:
    "C:\Documents and Settings\Manny\Desktop\"
    mgtools.exe   Jan  1 2009     1314971  "MGtools.exe"
    You are using NOD32 but I see the below installs which are part of TrendMicro antiviral software
    Code:
    R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2009-01-04 206608]
    S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2009-01-04 206608]
    Did these just come from installing RUBotted? The dates imply this is new.

    What is drive F and what is the below file for?
    Code:
    f:\PciCon.sys
    This is appearing as a driver in your logs.




    You are out of date with your version of SUPERAntiSpyware.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.
    You are also out of date with Malwarebytes, run it and update to the current database and run a new scan with it too. Attach the new log.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - Startup: is-DF16G.lnk = C:\Documents and Settings\Manny\Desktop\Virus Removal Tool\is-DF16G\startup.exe

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now goto this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Save it to C:\MGtools.exe as we request in the instructions. Overwrite any existing MGtools.exe file with this one.


    Run MGtools.exe then attach the below logs:
    • the new logs from SUPERAntiSpyware and Malwarebytes.
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 15, 2009
