Vundo and other problems

You are still infected.

Is your copy of Spy Sweeper a paid version or free trial? If free, uninstall it now.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Now uninstall Ask Toolbar

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: (no name) - {956E8A23-505A-433D-8736-6431A3A27304} - C:\WINDOWS\system32\awtqq.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\KARENS~1\APPLIC~1\FNTS~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [QdrModule12] "C:\Program Files\QdrModule\QdrModule12.exe"
O4 - HKUS\S-1-5-18\..\Run: [sys_up1] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{98AE1DAC-0AE9-1033-1108-040416200001}] "C:\Program Files\Common Files\{98AE1DAC-0AE9-1033-1108-040416200001}\Update.exe" mc-110-12-0000228 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{98AE1DAC-0AE9-1033-1108-040416200001}] "C:\Program Files\Common Files\{98AE1DAC-0AE9-1033-1108-040416200001}\Update.exe" mc-110-12-0000228 (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Search - ?p=ZCxdm343YYUS
O8 - Extra context menu item: Crawler Search - tbr:iemenu

After clicking Fix, exit HJT.


Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

RenV::
----a-w            63,712 2008-02-02 18:05:54  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w           290,816 2008-02-02 17:28:47  C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr .exe
----a-w           659,456 2008-02-02 18:05:55  C:\Program Files\Philips\Philips Device Manager\bin\DeviceManager .exe
----a-w           129,536 2008-02-02 18:05:51  C:\Program Files\Yahoo!\browser\ybrwicon .exe
----a-w           407,032 2008-02-02 18:05:53  C:\Program Files\Yahoo!\YOP\yop .exe
 
File::
C:\Program Files\QdrModule\QdrModule12.exe
C:\Program Files\Common Files\{98AE1DAC-0AE9-1033-1108-040416200001}\Update.exe
C:\WINDOWS\SYSTEM32\abadd.bak1
C:\WINDOWS\SYSTEM32\abadd.bak2
C:\WINDOWS\SYSTEM32\abadd.ini2
C:\WINDOWS\SYSTEM32\jlnmp.bak1
C:\WINDOWS\SYSTEM32\jlnmp.bak2
C:\WINDOWS\SYSTEM32\jlnmp.ini2
C:\WINDOWS\SYSTEM32\L143E.tmp
C:\WINDOWS\SYSTEM32\L9347.tmp
 
Folder::
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\AskSBar
C:\Program Files\ewido anti-malware
C:\Program Files\QdrModule
C:\Program Files\Common Files\{98AE1DAC-0AE9-1033-1108-040416200001}
C:\WINDOWS\Temp\2wswlog
 
Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"sys_up1"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
"{98AE1DAC-0AE9-1033-1108-040416200001}"=-
 

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

These issues may not be due to malware. You can try the below but if the below does not work, you will have to post in the Software Forum.

Copy the contents of the below Quote Box into Notepad. Then click File and then Save As. Change the Save as Type to All Files. In the File Name field enter C:\WinUpFix.cmd and then click save. This will create the WinUpFix.cmd file in the root folder of drive C.

Now while you can directly run the WinUpFix.cmd file by double clicking on it, that will not allow you to see any errors if any do occur. So a better method is to run it from a command prompt window. Click Start, Run, and enter cmd and click OK. This opens the command prompt window. In the command prompt window type the following lines each followed by the enter key:
cd c:\
WinUpFix.cmd

Write down any error messages if you get any, and post them back in your next message in a thread in the Software Forum. Post the exact word for word message. You do not need to write down the success messages which will be output as the script runs. Only note any failures.

If you do not get any error messages, check to see if Windows Update works now.

 

Sorry but since you did things on your own and none of this has anything to do with malware, all I can say now is try the Software Forum. Doing a repair at the wrong time can do more harm then good at times.

You can try the rest of my instructions anyway if you like but the problems you are describing are not related to the malware you had and that my instructions would have removed. It is worth a try continuing though.