antispywaremaster or vundo

Discussion in 'Malware Help (A Specialist Will Reply)' started by jrmojo, May 23, 2008.

  1. jrmojo

    jrmojo Private E-2

    Hijackthis log attached.
    Background
    Girlfriend's computer. Expired TrendMicro (why??) and of course, now a problem. Her computer has antispywaremaster roguishly installed, apparently, as it shows up in the task bar and on the desktop. However, when I tried to uninstall it, it didn't show up. It also doesn't show up in the running processes, and I couldn't find it in the registry. My first approach was to install and run Spybot, then SmitFraudFix. No luck. I ran one freeware virus checker program and it found a Vundo trojan. So I tried VundoFix and it couldn't find anything. I tried VirtumundoBegone and still nothing. Ad-Aware won't even run, and the desktop is now hijacked by some weird Hillary Clinton page. Her computer is just about impossible to work on... I have run out of resources... and need help here. Thanks!!!

    I hope this info is proper...I don't have much ability to work on her computer anymore...

    BTW, it's Windows XP Media Center Edition SP2. Not sure how many updates were installed after that.

    Logfile:

    Edit by chaslang: Inline HJT log attached. READ & RUN ME sticky not followed.
     

    Last edited by a moderator: May 23, 2008
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not. Make sure that you disable Spybot's TeaTimer as requested in the instructions because it will get in the way of removal procedures.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. jrmojo

    jrmojo Private E-2

    Still Having problems

    Just attaching the logs per the Windows XP Cleaning Procedure: Step 3.
    I have installed and run all the scans as requested. Along the way Spybot gave me the blue screen of death when fixing problems, but otherwise the cleanup seemed OK. Unfortunately, now at startup I get the following error dialog boxes referencing a missing msvcr71.dll: wltray.exe, adproxy.exe and ding.exe. I also get a rundll error in windows\system32\{bfabcbc0-0297-9543-d310-e45e72078afe}.dll. Not sure if I am adequately describing these errors. Hopefully, it makes sense to you all.

    Logs attached. I will hopefully be able to attach the fourth in this thread.
     
  4. jrmojo

    jrmojo Private E-2

    Re: Still Having problems

    Fourth attachment

    Thanks!!!

    john
     

  5. jrmojo

    jrmojo Private E-2

    Re: Still Having problems

    Seems like the first three did not attach...
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  7. jrmojo

    jrmojo Private E-2

    Re: Still Having problems

    Oops... sorry, I didn't understand that was a requirement. Do I need to repost to that one with the attachments?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Still Having problems

    No! I will merge them into one thread. I just needed to be sure it was the same PC.

    Do you use an analog modem, and did you install the below?
    ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe


    Is the below the start page your girlfriend set?
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whynotsearchhere.com/start.php

    Did you purchase SpyNoMore or is it just an evaluation? What did it find? Did it fix anything at all? If it is just a trial, I suggest that you uninstall it now.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    Java 2 Runtime Environment, SE v1.4.2_03
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 0 of the READ ME
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: {1711da01-bf88-5168-5e44-6c79b9969d3e} - {e3d9699b-97c6-44e5-8615-88fb10ad1171} - C:\WINDOWS\system32\jymjpqlo.dll (file missing)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [{A2-26-6D-DB-DW}] C:\windows\system32\jpwnw64r.exe DWram
    O4 - HKLM\..\Run: [{6dcbacf5-3f6d-0515-f10b-3ac5a2f0f0d4}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{bfabcbc0-0297-9543-d310-e45e72078afe}.dll" DllInit
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Copy the bold text below to Notepad. Save it as fixme.reg to your Desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
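The HJT entries chaslang selects above share a few tell-tale traits: Run values named with a braced GUID-like token, Rundll32 launching a DLL whose file name is itself a braced GUID, orphaned BHO/toolbar entries, and IE policy restrictions. As an added illustration (not part of the thread or of MGtools), the script below scans a constructed HijackThis-style log modelled on the lines quoted in this post and reports which entries match those patterns; the rule names and the `triage`/`classify` helpers are my own.

```python
import re

# Constructed sample, modelled on the HijackThis lines quoted in this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: {1711da01-bf88-5168-5e44-6c79b9969d3e} - {e3d9699b-97c6-44e5-8615-88fb10ad1171} - C:\WINDOWS\system32\jymjpqlo.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{A2-26-6D-DB-DW}] C:\windows\system32\jpwnw64r.exe DWram
O4 - HKLM\..\Run: [{6dcbacf5-3f6d-0515-f10b-3ac5a2f0f0d4}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{bfabcbc0-0297-9543-d310-e45e72078afe}.dll" DllInit
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

BRACED_NAME_RE = re.compile(r"^\{[^}]+\}$")           # value name is only a {…} token
O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Rundll32 handed a DLL whose file name is itself a braced GUID-like token.
RUNDLL_GUID_DLL_RE = re.compile(r'rundll32\.exe\s+"?[^"]*\\\{[^}\\]+\}\.dll', re.I)


def classify(line: str) -> list[str]:
    """Return the rule names an HJT line trips (empty list if it looks benign)."""
    reasons = []
    if line.startswith("O2 - BHO:") and "(file missing)" in line:
        reasons.append("bho-file-missing")
    if line.startswith("O3 - Toolbar:") and "(no file)" in line:
        reasons.append("toolbar-no-file")
    m = O4_RE.match(line)
    if m:
        if BRACED_NAME_RE.match(m.group("name")):
            reasons.append("o4-braced-value-name")
        if RUNDLL_GUID_DLL_RE.search(m.group("cmd")):
            reasons.append("o4-rundll32-guid-dll")
    if line.startswith("O6 - ") and "Restrictions present" in line:
        reasons.append("ie-policy-restrictions")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Walk a log and keep only the entries that trip at least one rule."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = classify(line)
            if reasons:
                flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_HJT_LOG):
        print(", ".join(reasons), "->", entry)
```

The legitimate QuickTime and SpyNoMore Run entries pass through unflagged; they are removed in the post for other reasons (trial software, unwanted autostart), which a pattern rule cannot decide.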
