Scanned and scanned and browser windows keep popping open

Discussion in 'Malware Help (A Specialist Will Reply)' started by djcross1, Nov 19, 2007.

  1. djcross1

    djcross1 Private E-2

    Guys,
    I have followed all of the steps in the Malware Removal guide and I still keep getting pop ups. By pop ups I mean a new IE window opens up and it has the craziest damn URLs in it.

    Ok so I am attaching all of my logs here in a second. What could it be? I'm getting ready to just wipe this whole damn thing!
     

    Attached Files:

  2. djcross1

    djcross1 Private E-2

    Ok here comes my HiJack this log.
     

    Attached Files:

  3. djcross1

    djcross1 Private E-2

    What other logs do you need from me?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    We need all of the logs that were requested in the READ ME. Here are the ones you did not attach.

    CounterSpy - only for Windows XP, 2K, & NT users
    AVG Antispyware log - ONLY IF NEEDED, i.e. you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
    Bitdefender - from step 6
    Panda Scan - from step 6

    Also you need to properly install and rename HijackThis as requested in step 7 of the READ ME and then you will need to also attach a new log from HijackThis. You have the exact type of infection that makes this critical. Make sure you are getting your HijackThis log from normal boot mode.



    You also need to properly complete step 2 of the READ ME.


    You have a Virtumonde infection that we will be removing but we need all of the other logs to work up a complete fix.

    You also need to do the below which was requested in step 6 of the READ ME.

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2
    Java 2 Runtime Environment, SE v1.4.2_13
    Java 2 Runtime Environment, SE v1.4.2_14
    er <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Are the below policies something you or your company created?
     
    Last edited: Nov 20, 2007
  5. djcross1

    djcross1 Private E-2

    Ok my bad. I have the logs ready for upload and my bad on the hijackthis log. I changed the name of the .exe to analyse.exe and the log file is called analyselog.txt. Now the reg keys you mentioned at the bottom of the post were created by GPO from our corporate domain. But this one I don't recognize [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\New Windows]
    "ListBox_Support_Allow"=dword:00000001

    The java crap that I have installed is for applications that I support in our organization and they run on these versions only. McKesson sucks! Anyway, I can reinstall those versions of the JRE when I am ready to support the apps again. My question is that these pop ups to these crazy damn URLs are being spawned from somewhere and I have cleaned this station several times and when everything comes back clean, I shutdown/restart and symantec goes nuts with alerts for Vundo, and adware. I don't want to reimage this laptop without understanding why this is happening. I was even thinking of deleting this profile I am using.

    Thanks Fellas
     

    Attached Files:

  6. djcross1

    djcross1 Private E-2

    Oh Dang I forgot to upload my AVG logs.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These Java versions are possibly the reason you are infected with Vundo. Vundo infections take advantage of security issues in these old versions and use the weakness to infect you. It is not a good idea to keep these on a PC.

    This is the nature of Vundo. It will keep doing this until all the hidden files and registry keys are removed and sometimes it can take a few iterations. Vundo can respawn and also mutate/spread during each reboot or powerdown or power up.

    I'm looking at your new logs now.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NOTE: We highly recommend against putting anything in the Trusted Zone. Do you really need to have those entries in your Trusted Zone to get access to them?


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: PolicyMaker Browser Helper - {0A9CDB52-EBDF-4210-9C6A-B90C2FD410AB} - C:\WINDOWS\system32\pmbho.dll
    O2 - BHO: (no name) - {2275B658-20F8-451E-886B-639FD2026644} - C:\WINDOWS\system32\awvtt.dll
    O2 - BHO: {0e08d50e-262b-897a-46e4-373d1bf89f42} - {24f98fb1-d373-4e64-a798-b262e05d80e0} - C:\WINDOWS\system32\noqmncba.dll
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {381651F4-A6B8-43D0-8BCE-E70463749F50} - (no file)
    O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: (no name) - {90F48912-338B-1853-DA5D-4BE602F3099F} - (no file)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O2 - BHO: (no name) - {FE54F776-2104-4D39-B596-7736F5D3EBB6} - (no file)
    O4 - HKLM\..\Run: [7c9057a2] rundll32.exe "C:\WINDOWS\system32\wawbluvd.dll",b
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!
     
    Last edited: Dec 28, 2007
  9. djcross1

    djcross1 Private E-2

    Hey Man I think that worked!!! I have not seen a pop up in a little while here!!! Here go my logs you requested. Why do you guys do all of this work to help folks for free? I'm an IT pro and I swear I am getting burned out working with my end users and you guys are just helping folk out for free!!! That's amazing!!!!
     

    Attached Files:

  10. djcross1

    djcross1 Private E-2

    Here comes the last 2.
     

    Attached Files:

  11. djcross1

    djcross1 Private E-2

    You guys are the bomb!!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Was your HJT log obtained before you did the fix? I still see the items I asked you to fix. Check a new scan right now and attach it but first disable MSconfig as requested in the READ ME.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay since I missed you while you were logged in, I will just assume those items are still in your HJT log. You must make sure that you exit ALL browsers before clicking Fix checked in HijackThis otherwise you can have problems fixing certain items. Also if you notice you are having difficulty fixing items, it could be necessary to shutdown protection software since they can also block fixes.
    First make sure you have set MSconfig to Normal Startup as requested in the READ ME and then continue.

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: PolicyMaker Browser Helper - {0A9CDB52-EBDF-4210-9C6A-B90C2FD410AB} - C:\WINDOWS\system32\pmbho.dll
    O2 - BHO: {0e08d50e-262b-897a-46e4-373d1bf89f42} - {24f98fb1-d373-4e64-a798-b262e05d80e0} - C:\WINDOWS\system32\noqmncba.dll
    O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
    O2 - BHO: (no name) - {381651F4-A6B8-43D0-8BCE-E70463749F50} - (no file)
    O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: (no name) - {90F48912-338B-1853-DA5D-4BE602F3099F} - (no file)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O2 - BHO: (no name) - {EA8BE8AF-5641-451F-AB1F-B3FD50D5D568} - C:\WINDOWS\system32\awvtt.dll
    O2 - BHO: (no name) - {FE54F776-2104-4D39-B596-7736F5D3EBB6} - (no file)
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.

    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!
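As an added example (not code from this thread, HijackThis or any MajorGeeks tool), here is a small Python triage helper for the O2/O4/O6 HijackThis line format that chaslang works through above; the sample excerpt is built from lines quoted in this thread, and the flagging heuristics are my own assumptions about what makes an entry worth a second look, not HijackThis's logic.

```python
import re

# Constructed sample: a handful of lines quoted in this thread.
HJT_EXCERPT = r"""
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: PolicyMaker Browser Helper - {0A9CDB52-EBDF-4210-9C6A-B90C2FD410AB} - C:\WINDOWS\system32\pmbho.dll
O2 - BHO: (no name) - {2275B658-20F8-451E-886B-639FD2026644} - C:\WINDOWS\system32\awvtt.dll
O2 - BHO: {0e08d50e-262b-897a-46e4-373d1bf89f42} - {24f98fb1-d373-4e64-a798-b262e05d80e0} - C:\WINDOWS\system32\noqmncba.dll
O4 - HKLM\..\Run: [7c9057a2] rundll32.exe "C:\WINDOWS\system32\wawbluvd.dll",b
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# HijackThis line shapes: "O2 - BHO: <name> - {CLSID} - <path>",
# "O4 - <hive>: [<value name>] <command>", "O6 - <policy key> present".
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O6_RE = re.compile(r"^O6 - (?P<key>.*) present$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.IGNORECASE)


def triage_line(line):
    """Return the list of (assumed) suspicion reasons for one HJT line; empty if none."""
    reasons = []
    if (m := O2_RE.match(line)):
        name, path = m.group("name"), m.group("path")
        if path == "(no file)":
            reasons.append("orphaned BHO registration: CLSID points at no file")
        elif name == "(no name)" or GUID_RE.match(name):
            reasons.append("unnamed or GUID-named BHO loading a DLL")
    elif (m := O4_RE.match(line)):
        r = RUNDLL_RE.match(m.group("cmd"))
        if r and len(r.group("export")) <= 2:
            reasons.append("rundll32 autorun calling a one-letter export")
        if re.fullmatch(r"[0-9a-f]{8}", m.group("value")):
            reasons.append("hex-looking random Run value name")
    elif O6_RE.match(line):
        reasons.append("IE policy restriction present; confirm it came from your GPO")
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every line that earned at least one reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line and (reasons := triage_line(line)):
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(HJT_EXCERPT):
        print(line, "\n   ->", "; ".join(reasons))
```

Named BHOs with a real file on disk (the PolicyMaker line here) and the MSConfig autorun are deliberately not flagged by these heuristics; those still need a human judgement, as in the thread.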
     
