Please help with persistent malware!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mitchb22000, Nov 29, 2006.

  1. mitchb22000

    mitchb22000 Private E-2

    Okay, first timer here. I have followed, to the letter, all the steps in the READ AND RUN FIRST thread.

    I ran all the scans in Safe Mode, and I ran them all logged in as admin, then again as user.

    The symptoms I'm experiencing are an inability to enable or use Norton AV, as well as random opening of IE windows (ads) and spontaneous sending of emails. Not from my Outlook, but the NAV "scanning outgoing email" window keeps popping up. I'm very nervous about this one. I've never had a virus that couldn't be handled with the normal arsenal. I hope someone can help.

    I will attach the Hijack log, newfiles and runkey here, then the activescan and bdscan files to another post.
     

    Attached Files:

  2. mitchb22000

    mitchb22000 Private E-2

    Attaching online scan results, logged in as admin.
     

    Attached Files:

  3. mitchb22000

    mitchb22000 Private E-2

    Attaching online scan results, logged in as user.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You have a bunch of problems. A few layers of Vundo infections, PurityScan and more.

    First you need to uninstall Viewpoint Manager which you should have uninstalled in step 0 of the READ & RUN ME.
    Next you need to make sure you EMPTY your Norton and CounterSpy quarantines.
    1. Now Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Attach this log to your next reply.
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run this Virtumonde aka Trojan Vundo Removal

    Now attach the below new logs and tell me how the above steps went.

    1. ComboFix
    2. VundoFix
    3. GetRunKey
    4. ShowNew
    5. HJT

    Now answer a few questions!
    1. Is your copy of Ewido a paid or free trial version? If free, uninstall it.
    2. Is your copy of Spy Sweeper a paid or free trial version? If free, uninstall it.
    3. Is your copy of CounterSpy the free trial version from the READ ME?
    4. Is the Acoona stuff in your search settings (see the R1 & R0 lines in HijackThis) valid?
    5. What is the below for and what is drive F?
      O4 - HKLM\..\Run: [ISNISWireless] F:\wireless.exe
     
    Last edited: Nov 30, 2006
  5. mitchb22000

    mitchb22000 Private E-2

    First of all, thank you so much for your help!

    I uninstalled Viewpoint.
    I ran Combofix and VundoFix, no problems.

    To answer your questions:
    Ewido and Spy Sweeper were trial versions, I uninstalled them. CounterSpy is the trial version from the README.

    I Googled Accoona to see what it was. As far as I know, I don't want it. CounterSpy recognizes it and claims to remove it, but it remains.

    My pop-ups may be fixed, time will tell, but I still can't enable NAV. Also, my taskbar and desktop icons keep disappearing.
    I'm attaching new logs.

    I have no idea what "O4 - HKLM\..\Run: [ISNISWireless] F:\wireless.exe" is. My F: drive is my DVD drive. I *am* using wireless broadband, I don't know if that has anything to do with it.


    Attached Files:

  6. mitchb22000

    mitchb22000 Private E-2

    Combofix and Vundofix logs.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Get started with the below while I work thru your logs.

    Uninstall CounterSpy now since it is the trial and since you have Ad-Aware SE Pro.

    Is Trojan Remover 6.5.3 a free trial or paid version?



    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    Mozilla Firefox (1.5.0.8)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After finishing what I gave you in message number 7, continue here.


    I recommend you delete the below from your Desktop unless you are sure these are all safe!
    Continue by downloading a tool we will need - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Shutdown Ad-Aware's Ad-watch feature before continuing so that it does not get in the way of fixes.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assis...urce=efc&utm_medium=bund&utm_campaign=efc0605
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assis...urce=efc&utm_medium=bund&utm_campaign=efc0605
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {30975F35-9DA1-C22B-80FC-B56944DB8DB4} - (no file)
    R3 - URLSearchHook: (no name) - {DBED079A-935B-98DB-7003-BA896A2963E9} - C:\WINDOWS\system32\oearkv.dll (file missing)
    O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\sattqenk.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISNISWireless] F:\wireless.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvcom.dll,startup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Mdns] "C:\WINDOWS\system32\MCROSO~1\netdde.exe" -vt ndrv
    O4 - HKCU\..\Run: [Mnh] C:\WINDOWS\system32\T?sks\r?gsvr32.exe
    O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: hksrv.dll - {F75528A8-0631-4D39-A920-C2D47EBFE159} - hksrv.dll (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Documents and Settings\Mitch Brink\Local Settings\Temp\3wc8b0v5.exe
    C:\WINDOWS\system32\drvcom.dll
    C:\WINDOWS\system32\hpevqjme.exe
    C:\WINDOWS\system32\mvheyhfo.exe
    C:\WINDOWS\system32\wnstsit.exe
    C:\WINDOWS\system32\ddcayww.dll
    C:\WINDOWS\system32\drvcom.dll
    C:\WINDOWS\system32\sattqenk.dll
    C:\WINDOWS\system32\tkvgdykd.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now locate the below folder and delete it if found:
    C:\Documents and Settings\Mitch Brink\Local Settings\Application Data\Viewpoint

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Mitch Brink\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  9. mitchb22000

    mitchb22000 Private E-2

    You asked about Trojan Remover: it's the free version. I installed it when this whole mess started. Should I remove it?

    Ok...I followed all of your instructions.
    I'm still not able to enable NAV.

    New logs attached.
    Thanks again.
     

    Attached Files:

  10. mitchb22000

    mitchb22000 Private E-2

    I also just noticed that when I try to access my Windows firewall, I get the message: "Due to an unidentified problem, Windows cannot display Windows firewall settings."
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Doesn't your Symantec software include its own firewall???

    Download and run this to remove Windows Messenger: Disable/Remove Windows Messenger

    Since Trojan Hunter's trial expires 30 days after first installed, you can uninstall it now or wait until it expires and then uninstall (your choice). That's assuming you are not going to buy it.

    It does not look like you ran the fixme.reg patch that I gave in my previous message. Did you run it? Did it give you a success message or did you get an error message? Try it again and tell me what happens. Make sure you follow the directions exactly or you will not create the proper file type.

    Delete the below folder:
    C:\Program Files\Common Files\Viewpoint

    Attach a new log from ShowNew if the fixme.reg patch gave you a success message; otherwise, tell me what happened.

    Also have HJT fix the below line:
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab


    How are things working?
     
  12. mitchb22000

    mitchb22000 Private E-2

    fixme.reg; Oops, I created it before but didn't run it. Did it now, successfully.

    I'm not seeing popups any more. I still can't enable NAV auto-protect or my firewall. NAV has worm protection, but as far as I know, not a true firewall. So I use Windows firewall.
    I did read about a fix here:
    http://www.techspot.com/vb/all/wind...ot-display-the-windows-firewall-settings.html

    but didn't want to do it in the middle of this whole process. Should I?

    I could uninstall/reinstall NAV...?

    New logs attached.
    THANKS!!!!!
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry! I meant to say I need a new GetRunKey log. Please attach one.

    Windows Firewall is not a true bidirectional firewall and does not provide adequate protection. You really need to use something different anyway. So I would not waste any more time with it.

    If Norton does not contain a firewall, what the heck is the below for?
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

    In reality my fix would be the below and followed exactly in this order:

    1) download but do not install ZoneAlarmFree

    2) physically disconnect (unplug cable) from the internet

    3) uninstall all NAV software

    4) install ZoneAlarmFree and reset after install (it normally tells you this is needed)

    5) reinstall NAV

    6) connect to the net and get all updates for NAV

    How are things now?


    By the way, also delete the below folder:
    C:\Program Files\Common Files\Viewpoint
     
  14. mitchb22000

    mitchb22000 Private E-2

    I think I'm clean! I followed the last of your instructions. I'm now running Zone Alarm Free, and I uninstalled/reinstalled NAV, and now auto-protect is enabled.

    Thanks a MILLION. You guys are really doing some good. I was dreading having to wipe my C: drive.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  16. mitchb22000

    mitchb22000 Private E-2

    Done and done.
    Now running ZoneAlarm and NAV 2006.

    Thanks again!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
  18. mitchb22000

    mitchb22000 Private E-2

    Of course now I have a Zone Alarm process (vsmon.exe) that is absolutely devouring my CPU.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It could be a complication due to using Norton software. I use ZA on many PCs and have no problems, although it will demand the sacrifice of some computing power, but so do ALL firewalls. Is ZoneAlarm always causing problems, or only once in a while? I have had a couple occasions where I noticed at startup that ZA is eating up loads of resources and keeps on doing so after the Desktop has appeared. If I rebooted at this point, everything was fine. It happens infrequently, and each time I have seen it, it seemed to occur when another tool like an antivirus or similar initiated autoscanning or updating at startup.

    When you first installed ZA, you did not have Norton installed (is that true)? Was ZA okay at that time?

    Have you tried ZA again without Norton installed? There are other free choices for firewalls but I prefer ZA. I however do not recommend Norton.
     
  20. mitchb22000

    mitchb22000 Private E-2

    CPU is fine with Zone Alarm running, until I launch Outlook Express, or refresh/change web pages. Then vsmon.exe pegs the CPU. Problem just started today, so it's been running fine for a couple days alongside NAV.

    I noticed right now that CPU is back down because email finished downloading. Opened a new Firefox tab, surfed to CNN, pegged again.

    I'd like to keep ZA...it seems great. Will probably dump NAV and go with one of the free suggestions.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Zonealarm does have an option for Email protection. What happens when it is disabled (in bound and outbound)?

    I use ZA on about 10 pc's that also use Outlook Express and have no problems like this. But I do not have any Norton/Symantec software installed on them.

    It would be worth a try just to see if you still have the same problems with NAV totally uninstalled.
     
  22. mitchb22000

    mitchb22000 Private E-2

    I disabled email protection right away. The CPU problem exists when there's any internet activity whatsoever. As soon as the activity stops (email retrieval finishes, web page finishes loading, newsgroup headers finish, etc.) it resolves. However, with the CPU pegged, it takes a very long time for any of those activities.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which browser are you using? If Internet Explorer, have you tried a different browser (like FireFox or Maxthon)? If not, please try another browser to see if the same problems occur. I'm not sure that you are having malware problems.

    Also Download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.
     