Have done R&R - still infected

Discussion in 'Malware Help (A Specialist Will Reply)' started by marshaldan, Oct 2, 2006.

  1. marshaldan

    marshaldan Private E-2

    I have carefully run through all the steps, but my homepage is still being redirected and S&D is still finding "Vcodec.Intcodec".

    Also, cannot delete the file "iMediaCodec" and am assuming they are all related.

    Attached are the log files.

    Thanks for any help.

    I'll send part 2 with the other attachments...
     


  2. marshaldan

    marshaldan Private E-2

    Re: Have done R&R - still infected (part 2)

    part 2 with other attachments
     


  3. Lev

    Lev MajorGeek

  4. marshaldan

    marshaldan Private E-2

    Sorry, Lev. I should have explained better that "all of the steps" were from the "Read & Run Me First" page. The attached logs on my email are from the programs and directions that the R&R page asks us to do before posting.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You seem to have some of Symantec Antivirus still running on your PC but you appear to be using AVG now. We will have to remove the leftover Symantec software. But first let's get started on your malware.

    Now Download SmitfraudFix (by S!Ri) to your Desktop.

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

    Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

    http://www.beyondlogic.org/consulting/proc...processutil.htm


    IMPORTANT: Do NOT run any other options until you are asked to do so!
     
  6. marshaldan

    marshaldan Private E-2

    Before I received this email, I read several other threads in the Malware section and had already deleted the Symantec file and switched from AVG to Avast! antivirus. Avast! corrected several of the issues (found the Zlob trojan horse and the Vcodec virus), however, things are definitely still not running "right".

    I have now downloaded the SmitfraudFix and attached the rapport.txt file. I have downloaded the zip file of ficquake.zip, but have not run the program. Just let me know what to do from here.

    Thank you for all the help!
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may no longer have Zlob but let's be sure by running the below anyway.

    PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

    Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

    Reboot your computer into Safe Mode per the safe directions in the READ & RUN ME.

    Open the SmitfraudFix folder on your Desktop, then double-click the smitfraudfix.cmd file to start the tool.

    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
    You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

    The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process. If your computer does not restart automatically, please do it yourself manually. BUT reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach this log in your next reply.

    Then reboot in normal mode and attach new logs from:
    - HJT
    - GetRunKey
    - Shownew

    Also tell me exactly what problems you are still having.
     
  8. marshaldan

    marshaldan Private E-2

    attached are the first 3 files...one more to come.
     


  9. marshaldan

    marshaldan Private E-2

    here is the Shownew.bat file.

    the problems are still slower browser loading, and it will not let me set a homepage. it initially goes to a "msn.com/isapi/redir.dll" then loads to "msn.com" no matter what i set as my homepage.

    Again, sincere thanks for the help. that you will do this for free is an amazing benefit for those of us who have no idea what to do when we screw up our system. thank you!
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please see step 3 of the READ ME. You have AVG and Symantec installed. You must uninstall one of them now before continuing.

    Also is Ewido a free trial or paid version? If free, uninstall it now.
    If Ewido is a paid version then keep it and uninstall Windows Defender now.

    After doing the above please follow the directions in step 7 of the READ ME and install and rename HijackThis as requested. You are running it exactly how we request not to run it. Do this now before continuing! Do not attach a new log yet!


    Also go to Add/Remove Programs and uninstall the below:
    J2SE Runtime Environment 5.0 Update 6
    SearchAssist


    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\vVX3000.exe
    C:\WINDOWS\vVX3000.dll
    C:\WINDOWS\VX3000.dll
    C:\Program Files\iMediaCodec <--- the whole folder

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode
    Now copy the bold text below to Notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Oct 5, 2006
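An added audit-only check for the Run entry and file paths named in the post above (example code, not from the thread or from any MajorGeeks tool); it assumes Windows PowerShell 4 or later on the affected PC and takes the value name and paths from the post as-is:

```powershell
# Added example, not from the thread: audit-only check for the persistence entry and
# files chaslang names in post 10. It reports what is present and deletes nothing;
# removal stays with the manual steps above. Assumes Windows PowerShell 4+ (Get-FileHash).
$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$suspectValue = 'VX3000'                      # the O4 entry from the HJT log
$suspectPaths = @(                            # paths listed in the post
    "$env:SystemRoot\vVX3000.exe",
    "$env:SystemRoot\vVX3000.dll",
    "$env:SystemRoot\VX3000.dll",
    "$env:ProgramFiles\iMediaCodec"
)

function Test-ThreadIndicators {
    $findings = @()

    # Autostart check: does the HKLM Run key still carry the VX3000 value?
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains $suspectValue)) {
        $findings += "Run value '$suspectValue' still present -> $($run.$suspectValue)"
    }

    # File check: report each listed path that exists, with a hash for files so the
    # sample can be looked up or submitted to an AV vendor before it is removed.
    foreach ($path in $suspectPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path -Force
        if ($item.PSIsContainer) {
            $count = (Get-ChildItem -LiteralPath $path -Force -Recurse).Count
            $findings += "Folder present: $path ($count items)"
        } else {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += "File present: $path (modified $($item.LastWriteTime), SHA256 $hash)"
        }
    }
    return ,$findings
}

$result = Test-ThreadIndicators
if ($result.Count -eq 0) {
    'None of the indicators from this thread were found.'
} else {
    $result | ForEach-Object { "[!] $_" }
}
```

Run it from an elevated prompt before and after the manual cleanup steps; a Run value or file that reappears after deletion is the sign that something still running is recreating it.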
  11. marshaldan

    marshaldan Private E-2

    Have run everything as directed in last email. Attached are the requested logs.

    Thank you!
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have both Avast and Symantec installed. That was the first step in my last message to complete!
     
  13. marshaldan

    marshaldan Private E-2

    chaslang:

    I did a system search for Symantec and there is no folder I can find. There are "Symantec Shared" and "Norton Ghost" folders (I think Symantec and Norton are the same company?). Both of these came preloaded as trial versions from Dell, but I have never installed either program. If these are what you need me to delete, please let me know.

    I did not skip the first step! Promise! I did make the search and look for a Symantec folder...I am just guilty of being a neophyte on these programs.

    Sorry for the confusion.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Well you do have a few other folders from Symantec around (and yes Norton is actually owned by Symantec). If you do not use Norton Ghost then yes you should uninstall it via Add/Remove programs. However there seems to be more than that still running from Symantec. Notice in the below quote box what was in your last HJT log:
    This software is still running from Symantec and the below three folders were seen in your ShowNew log
    In addition to Symantec/Norton, you have folders hanging around from McAfee. Did you use McAfee at one time too? I see these:
     
