Vundo variant, SAS log, how to remove?

Welcome to Major Geeks!

Uninstall all cracked software and delete all keygens and illegal software to start.
Then uninstall Bearshare if installed. Then continue on to the below.


Please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide

 

All of the READ & RUN ME needs be followed before any help will be given.

 

Uninstall the below BearShare <-- should have been uninstalled in step 0 of the READ ME

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: {81c6edca-7c2c-0239-9594-1badb5035c02} - {20c5305b-dab1-4959-9320-c2c7acde6c18} - C:\WINDOWS\system32\vrrhwhkv.dll
O2 - BHO: (no name) - {E257F83E-33E2-4412-B927-065DE6A21811} - (no file)
O2 - BHO: {a864b6cc-8cd9-6c48-9e54-384db9e4bd63} - {36db4e9b-d483-45e9-84c6-9dc8cc6b468a} - (no file)

After clicking Fix, exit HJT.


Now we need to use ComboFix

• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location where you saved ComboFix.exe (cf.exe).
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt in the C:\ folder since that is where you saved ComboFix.
• Now open Windows Explorer (right click Start and select Explore).
• Navigate to the C:\ folder
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe or cf.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

The below line did not get fixed.


O2 - BHO: (no name) - {E257F83E-33E2-4412-B927-065DE6A21811} - (no file)

Try fixing it again and then run the C:\MGtools\GetLogs.bat file by double clicking on it.
Then attach the newC:\MGlogs.zip


Make sure you tell me how things are working now!

 

I will have to work up a special procedure to see if we can get the BHO removed. However I curious as to how you are missing my questions in big bold print. In message # 7 I said:

And you did not respond in message # 8. Thus in my next fix I then made it bigger and in a new color

Still no response???? Yes the BHO will not remove but that does not tell me how things are working which is the most important detail. The BHO is not really an issue but it would be nice to get it removed.

WHY are you running the below?

C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

You should not be running this!!!!! Analyse.exe which is embedded into MGtools is what I asked you to run and when you run GetLogs.bat, you should not have HijackThis.exe running. Please do not run this copy of HijackThis anymore.

Please run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


Please download and install Registrar Lite

Run Registrar Lite navigate to the following key and take ownership of it:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

• To take ownership of the key do the following
• Click-on the above Registry Key
• Click-on Security in the Menu
• Select Take Ownership
• Now locate the below key under the Browser Helper Objects key and select it then right click on it and select delete:

{E257F83E-33E2-4412-B927-065DE6A21811}

• After deleting it exit Registrar Lite

Then run the C:\MGtools\GetLogs.bat file by double clicking on it.
Then attach the newC:\MGlogs.zip


Make sure you tell me how things are working now!

 

Probably normal behavior. Explorer does reload at various times during starting/stopping of some processes. The slowness may just be due to Norman.

Okay let's see if it is a permissions issue.


Run Registrar Lite navigate to the following keys and Set Permissions for Everyone(I explained how to do that further down).

To set permissions for Everyone for each key, do the following[/color][/size][/b]

• Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
• Click-on Security in the top Menu
• Select Edit Permissions so we can change permissions to everyone. Now here is what I expect you to see in the Group or user names area of the form that comes up:
• Everyone
• SYSTEM
• Select Everyone by clicking on it.
• Now at the bottom in the Permissions box click the check box for Full Control.
• Then click Apply and then OK to get back to the main Registrar Lite screen.
• Now right click on the registry key and select Delete.
• Then click View and Refresh. Check to see if the registry key just deleted truly deleted.
• If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

Just tell me whether the key deletes or not. We don't really need a new log. We will know by whether it deletes.