Computer Help!! Vundo Varient + More

Hey this nasty virus started about a week ago, it disabled my automatic updates it wouldnt let me update any of my virus definition files and also wouldnt let me install mozilla. i ran the cleaning procedures and i believe i have stomped out all the remaining viruses but occassionally i get a pop up from avg witha random bho virus threat found

 

mgtools included
thnks in advance

 

Hi akadatboy,
Welcome to the Malware Forum!

First I have a question. The three files in the quote box all have dates in the future. Is your calendar set correctly? (There are actually more than these).

Now, please do the following:


1) Go to add/remove programs and uninstall the below:

- Viewpoint Media Player

2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only). In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

O2 - BHO: (no name) - {2CDF4874-ABFE-4D06-AD25-FA2093723193} - C:\WINDOWS\system32\geBsPifE.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O20 - Winlogon Notify: pmnlklKb - pmnlklKb.dll (file missing)


Do the following programs need to load at startup? If not, please fix them as well.

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp

After you click fix, just close hijackthis.


4) Next I would like to have you use ComboFix to remove some files.

• Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

FILE::
C:\WINDOWS\system32\geBsPifE.dll
C:\WINDOWS\system32\oqymunsc.ini
C:\WINDOWS\system32\wudujfyc.ini
C:\DOCUME~1\Chris\LOCALS~1\Temp\13c453b8-82a7-4bca-8efb-b5f6196ceee5.tmp
C:\WINDOWS\system32\HFX39B.tmp
C:\WINDOWS\BM138aee08.txt

DIRLOOK::
C:\280616251

FOLDER::
C:\Documents and Settings\All Users\Application Data\Viewpoint            
C:\Documents and Settings\Chris\Application Data\Viewpoint
C:\Program Files\Viewpoint
C:\Program Files\WildTangent
C:\Documents and Settings\All Users\Application Data\WildTangent

REGISTRY::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlklKb]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2CDF4874-ABFE-4D06-AD25-FA2093723193}]

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


5) Now run CCleaner at the default setting with the Windows tab as the top one.

6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


Let me know how things are running now?

abri