Unknown Malware infection- popups, browser redirected.

Please download the current version of ShowNew and attach a new log!

 

You appear to be running Symantec Antivirus but I also see the below from TrendMicro:

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

You need to uninstall Trend Micro OfficeScan Client


Start by downloading two tools we will need

- Process Explorer

- Pocket KillBox

Extract them to their own folder somewhere that you will be able to locate them later.

IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

Do the above before continuing! Okay unplug your cable now.

Make sure you have rebooted in Normal Mode (do not open any other processes)

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of winudt32.dll once and then click the kill button. After you have killed all of the winudt32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

Now repeat the above step for the below two DLLs:
khfgdcy].dll
vtutq.dll

Next double click on explorer.exe and again click once on each instance of winudt32.dll and kill it. (If you do not find the dll, just continue on.)

Now repeat the above step for the below two DLLs:
khfgdcy].dll
vtutq.dll

Now just exit Process Explorer.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {77299895-8FAF-418F-8FC6-0103A5BFCC98} - C:\WINDOWS\system32\vtutq.dll
O4 - HKCU\..\Run: [Uxbmna] C:\WINDOWS\system32\CROSOF~1.NET\JVAW~1.EXE
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -
O20 - Winlogon Notify: vtutq - C:\WINDOWS\system32\vtutq.dll
O20 - Winlogon Notify: winudt32 - winudt32.dll (file missing)


After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.

Now click Start, Run, and enter cmd and click OK! This will open a command prompt window. In the command prompt window enter the below commands each followed by the Enter key.
del %windir%\temp\win*.*
exit


Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

Select:

• Delete on Reboot
• then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\CROSOF~1.NET\JVAW~1.EXE
C:\Program Files\TClock\tclock_install.exe
C:\WINDOWS\system32\khfgdcy.dll
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\qtutv.tmp
C:\WINDOWS\system32\qtutv.ini
C:\WINDOWS\system32\qtutv.ini2

• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot just reboot your PC yourself.

After reboot, delete the below folder if found:
C:\Program Files\TClock

Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
C:\Documents and Settings\jhouse\Local Settings\TEMP

Now attach a new HJT log and tell me how the steps went.
Also attach a new log from ShowNew.
Make sure you tell me how things are working now!

 

Okay now just havae HijackThis fix the below line:

O2 - BHO: (no name) - {3BD0FA94-C5F3-45CD-AFD1-ECDE6485365F} - C:\WINDOWS\system32\vtutq.dll (file missing)

Other than that, you are clean. How are things working? If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

Make sure you follow the link to update your Sun Java version. You just need to update. You don't need to uninstall MS Java. After updating, uninstall the below old versions of Sun Java.

J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0

 

MSconfig was not designed to be used for this purposed. If you never want certain software to load yu should either uninstall it or just disable it from running at startup. You should not use MSconfig to do this. A program like this Startup CPL is a better choice.

Is Ewido a paid subscriptions or free trial?

• If free, uninstall it to free up system resources and avoid conflicts with Windows Defender
• If paid, uninstall Windows Defender and keep Ewido.

Yes there is.

The below process should be stopped and the file and folder should be deleted:

C:\Program Files\Common Files\{14BDCE0E-07CA-1033-0123-060601170001}\Update.exe

 

Why do you keep downloading new copies of vundofix.exe ?

 

You should only be running what we ask you to run now. Vundofix would not have fixed or even detected the original problems as you may now have already realized.

Did you delete the folder or just the update.exe file. Make sure it does not come back after another reboot.

If it does, then attach a new log from GetRunKey. There is a registry key where this is often loaded from.

 

In fact let's do something that I have used before to fix this.

Please download and install Registrar Lite

Run Registrar Lite navigate to the following keys and take ownership of them (explained further down):

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

To take ownership of the key do the following:

• Copy & Paste the above registry key into the address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
• Click-on Security in the Menu
• Select Take Ownership
• Now right click on the {14BDCE0E-07CA-1033-0123-060601170001} key in the right window pane and select Delete (let me know if you receive any error messages )
• Exit Registrar Lite

Attach a new ShowNew log (the runkeys.txt file).

Also check your HJT log and make sure the update.exe process no longer is seen in the process list after reboot.

 

Let's get the current version (1.5.0_07) from Majorgeeks.

Sun Java Runtime Environment

You had a few infections. The main ones were Virtumonde and winlogonhook (aka conhook). You still have a file that I want you to delete in your Temp folder. It seems to have come back. Delete the below file and make sure it stays deleted:

C:\Documents and Settings\jhouse\Local Settings\Temp\b111.exe

You're welcome Julie! Have you finished all of the How to protect thread (other than the Sun Java update)?

 

You're welcome! Make sure you have toggled System Restore as requested too!