Cry for help. Problems return after reboot

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by floridasun5, Aug 30, 2005.

  1. floridasun5

    floridasun5 Private E-2

    I have been having problems lately with the trafficexplorer, match service and winfixer popups as well. I have gone through all the steps in the sticky thread on how to remove spyware, downloaded everything, scanned everything, removed old Java, installed new Sun Java, updated Windows, etc. I have ALSO run HijackThis, read through my HJT log and fixed the three items that I knew didn't belong. I am somewhat computer savvy and could understand the log, so I could determine what shouldn't have been there and fixed them. Last night when I turned my computer off, it seemed to be working perfectly. No popups, no issues. This morning, I turn my computer on and the issues start again. I had System Restore turned off yesterday for everything except the Java uninstall/reinstall which I performed late last night, which I see that it created a restore point for. So, I am assuming that either the problems were not fixed yesterday even though I thought they were, or for some reason my computer brought back the problems when it was turned off/on. Can anyone help me with what the next step might be? Obviously either all the programs I have run, including HJT, are not fixing the problem completely, or the problems are returning once my computer is restarted. :confused: Can someone please help me further? Thanks so much!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. floridasun5

    floridasun5 Private E-2

    Ok, here is my logfile. I didn't notice anything out of the ordinary. Thanks for the help! :D
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would uninstall Party Poker if I were you. I have also included it in my list of things to fix with HJT below.

    You have a Vundo.B problem.

    Okay let's start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of comdns.dll once and then click the kill button. After you have killed all of the comdns.dll's under winlogon click OK. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of comdns.dll then click the kill button. Once you have done that click OK again. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\$NtUninstallKB899587$\comdns.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O20 - Winlogon Notify: comdns - C:\WINDOWS\$NtUninstallKB899587$\comdns.dll


    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click YES and it will reboot.

    C:\WINDOWS\$NtUninstallKB899587$\comdns.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log and tell me how things are working.
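    The log lines chaslang singled out above show the pattern worth recognising in any HJT log: the same DLL registered as an Internet Explorer BHO (O2) and as a Winlogon Notify handler (O20), sitting in a `$NtUninstallKB…$` hotfix-uninstall folder where no legitimate browser or logon DLL belongs. Because such a DLL is loaded into both explorer.exe and winlogon.exe, it cannot be deleted while Windows is running, and it is reloaded at the next logon, which is exactly why the problems "return after reboot". The script below is an added example, not code from the thread or from HijackThis; it parses HJT-style log lines and flags those indicators. The sample log is constructed from the entries quoted in the post plus one benign-looking O2 line added for contrast (the Acrobat helper CLSID is illustrative), and the assumptions about the HJT line layout (sections separated by " - ", a trailing "(file missing)" marker) are mine.

```python
"""Triage a HijackThis log for persistence entries that deserve a second look."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set
from dataclasses import dataclass

# Constructed sample: entries quoted in the thread plus one benign-looking BHO
# line (illustrative CLSID) so that the triage has something it must NOT flag.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\$NtUninstallKB899587$\comdns.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: comdns - C:\WINDOWS\$NtUninstallKB899587$\comdns.dll
"""

# Assumed HJT line layout: "<section> - <body>", O-lines split on " - ".
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A hotfix-uninstall folder such as C:\WINDOWS\$NtUninstallKB899587$\ is a
# rollback archive, not a place a BHO or Winlogon Notify DLL should live.
HOTFIX_DIR_RE = re.compile(r"\\\$NtUninstall[^\\]*\$\\", re.IGNORECASE)
MISSING = "(file missing)"


@dataclass
class Entry:
    kind: str              # HJT section, e.g. "O2", "O20"
    label: str             # leading descriptive part of the line
    clsid: Optional[str]   # CLSID if the line carries one
    path: Optional[str]    # file/URL the entry points at (None for R0/R1)
    missing: bool          # HJT reported the target as absent
    raw: str


def parse_hjt(text: str) -> List[Entry]:
    """Turn HJT log text into Entry records, ignoring non-HJT lines."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        clsid_m = CLSID_RE.search(body)
        clsid = clsid_m.group(0).upper() if clsid_m else None
        label, path, missing = body, None, False
        if kind.startswith("O"):
            parts = [p.strip() for p in body.split(" - ")]
            label = parts[0]
            if len(parts) > 1:
                path = parts[-1]
                if path.endswith(MISSING):
                    missing = True
                    path = path[: -len(MISSING)].strip()
        entries.append(Entry(kind, label, clsid, path, missing, raw))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {path: [reason, ...]} for every path with at least one indicator."""
    findings: Dict[str, List[str]] = defaultdict(list)
    loaders: Dict[str, Set[str]] = defaultdict(set)   # path -> HJT sections using it
    spelling: Dict[str, str] = {}                      # lowercase path -> first spelling
    for e in entries:
        if e.path is None:
            continue
        key = e.path.lower()
        spelling.setdefault(key, e.path)
        loaders[key].add(e.kind)
        if e.missing:
            findings[spelling[key]].append(f"{e.kind}: target no longer exists, stale entry")
        if HOTFIX_DIR_RE.search(e.path):
            findings[spelling[key]].append(
                f"{e.kind}: lives in a $NtUninstallKB*$ hotfix-uninstall folder")
    for key, kinds in loaders.items():
        # The Vundo pattern from the thread: one DLL hooked into explorer.exe
        # (BHO) and winlogon.exe (Winlogon Notify), so it survives reboots.
        if {"O2", "O20"} <= kinds:
            findings[spelling[key]].append(
                "loaded as both a BHO (O2) and a Winlogon Notify DLL (O20): "
                "injected into explorer.exe and winlogon.exe")
    return dict(findings)


def report(text: str) -> List[str]:
    """Human-readable triage lines for a log."""
    out: List[str] = []
    for path, reasons in triage(parse_hjt(text)).items():
        out.append(path)
        out.extend(f"    - {r}" for r in reasons)
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a real log, the output for the thread's case is a single path (comdns.dll) carrying three reasons, which is the signal to kill the threads in winlogon.exe and explorer.exe, remove both registry hooks and delete the file on reboot, rather than fixing the O2 line alone and watching it come back.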
     
  5. floridasun5

    floridasun5 Private E-2

    I apologize for not getting back to you sooner...I was never notified that there was a reply to the thread :confused: Anyway, I have followed your directions exactly and have run HJT again with the new log file attached. Can you please check to see if the problem was taken care of? Or is there anything else I need to do? I haven't had any problems yet with my browser, but the problems were very intermittent anyway and only popped up occasionally. Thank you again.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your Vundo.B problem appears to be fixed. The only other thing that is a problem (not a malware problem) is the fact that you have AVG and McAfee antivirus applications installed. You should only use one antivirus application. So pick the one you prefer and uninstall the other.
     
  7. floridasun5

    floridasun5 Private E-2

    Thanks so much Chas! :)
     