Please help me with my horrible MALWARE!

Discussion in 'Malware Help (A Specialist Will Reply)' started by VaneBonita, Nov 30, 2007.

  1. VaneBonita

    VaneBonita Private E-2

    Hello...I have a most persistent (and sneaky) malware: pcsecuresystem.com, which has significantly slowed down my Internet Explorer, given me pop-ups, a toolbar, and lots of stress. I have shuffled through the site (this one) and tried some of the solutions and applications provided in other threads. While they do benefit my computer and clean out other problems I didn't even know I had, they do not get rid of the pcsecuresystems.com issues I previously mentioned.

    Here is a list of what I've done:
    • Disabled system Restore
    • Made the hidden files show
    • "Basic Computer Maintainance Everyone Should Do"
    • From "special Removal Procedures" I ran "Virtumode aka Trogan Vunda Removal" and found nothing
    • Used "Spybot S&D" and was unsuccessful
    • Searched "pcsecuresystems.com" on the site and found someone who had issues like me, and saw that they'd been recommended "Combo Fix". I installed and ran it, and have enclosed my log
    • Tried to install hijackthis.exe but when it gets to unzipping the file, I am told that this output memory folder cannot be created...
    So now, I do not know what to do...or what will work. Please save me:(. Thank you very much for your time. Hope to hear from you soon!

    Best wishes,
    Vane

    P.S. I have Windows Vista
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!


    There are specific instructions for running our set of scans on Vista within the below link. Searching other scenarios on the forum may not work for you, as they are likely to be for XP, and as you will know Vista is a significantly different Windows version, so it needs a different route to cleaning malware.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. VaneBonita

    VaneBonita Private E-2

    Thank you very much for answering so quickly! Unfortunately, the problem persists...

    Here are the logs

    Thank you a lot...
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MGtools did not run properly. Make sure you have disabled UAC as instructed in the instructions for Using MGtools. See the C:\MGtools\disableUAC.reg file that you have to double click on to disable UAC.

    Note your logs show signs of several antivirus programs. If you have more than one antivirus still installed, you must uninstall ALL but one now. Then do the below to get a new MGlogs.zip file to upload.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.
     
  5. VaneBonita

    VaneBonita Private E-2

    I've uninstalled all the unnecessary anti-viruses, keeping only Norton.

    DisableUAC.reg seems to run properly, since I get the windows security warning message about my "user accounts". However, when I double click the GetLogs.bat file, I get a message saying that for an unknown reason, my system "denied write access to the Hosts file". It recommends that, for Vista, I right-click the file and select "run as administrator". And that is what I did. Here is the new log I got...
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    Java(TM) SE Runtime Environment 6


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: MSVPS System - {A716011B-4637-44D0-922B-F1E88CC7CC73} - C:\Windows\werbetpql.dll
    O2 - BHO: MSVPS System - {F7CDF7FE-98B1-43FE-A694-E52E605AA60D} - C:\Windows\werbetxdp.dll
    O3 - Toolbar: The hdtip - {70EC7CA3-2FFC-4E43-97DE-3C91B2F65D36} - C:\Windows\hdtip.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O21 - SSODL: gormet - {FF8C123F-B47C-4386-864C-A10C21B57E3D} - C:\Windows\gormet.dll
    O21 - SSODL: pmkret - {FD9E57DC-9632-4DAF-AB48-3BB185AEED07} - C:\Windows\pmkret.dll

    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now print the below instructions because at a point during them you MUST (this can be critical) shut down all browsers. I will tell you when to exit the browsers during the multi-part procedure.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop or the below will not work. Do not run it!
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have the below icons on your Desktop (double click the thumbnail to expand it)
    CFScript.jpg
    • Now refer to the above image and use your mouse to drag CFScript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.

    Make sure you tell me how things are working now!
     
    Last edited: Dec 4, 2007
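The O2/O3/O4/O21 lines chaslang lists above are HijackThis log entries: section code, item type, display name, CLSID and the registered file. The following Python script is an added example, not code from the thread or from HijackThis or MGtools. It parses lines in that format and applies two defensive triage heuristics that I chose for illustration: a registration that points to "(no file)" (an orphaned CLSID), and a DLL or EXE sitting directly in the Windows root folder rather than under a program folder, which is where every malicious entry in this thread lives. The sample input is the set of lines quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the HijackThis lines quoted in the post above.
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {A716011B-4637-44D0-922B-F1E88CC7CC73} - C:\Windows\werbetpql.dll
O2 - BHO: MSVPS System - {F7CDF7FE-98B1-43FE-A694-E52E605AA60D} - C:\Windows\werbetxdp.dll
O3 - Toolbar: The hdtip - {70EC7CA3-2FFC-4E43-97DE-3C91B2F65D36} - C:\Windows\hdtip.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O21 - SSODL: gormet - {FF8C123F-B47C-4386-864C-A10C21B57E3D} - C:\Windows\gormet.dll
O21 - SSODL: pmkret - {FD9E57DC-9632-4DAF-AB48-3BB185AEED07} - C:\Windows\pmkret.dll
"""

# "<section> - <kind>: <name> - {CLSID} - <path>"  (O2 BHO, O3 Toolbar, O21 SSODL)
ENTRY_RE = re.compile(
    r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
# "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<section>O4) - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class HjtEntry:
    section: str
    kind: str
    name: str
    clsid: Optional[str]  # O4 Run entries carry no CLSID
    path: str
    raw: str


def extract_exe(cmd: str) -> str:
    """Return the executable path from a Run command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse HijackThis-style lines; unrecognised lines are skipped."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(HjtEntry(m["section"], m["kind"], m["name"],
                                    m["clsid"], m["path"], line))
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(HjtEntry("O4", m["hive"], m["name"], None,
                                    extract_exe(m["cmd"]), line))
    return entries


def suspicious_reasons(e: HjtEntry) -> List[str]:
    """Heuristics chosen for this example; they are not HijackThis's own logic."""
    reasons = []
    if e.path == "(no file)":
        reasons.append("orphaned registration: CLSID points to no file")
    p = e.path.lower().replace("/", "\\")
    # A .dll/.exe directly in <drive>:\Windows\ (not System32, not Program Files)
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.(dll|exe)", p):
        reasons.append("binary placed directly in the Windows root folder")
    return reasons


def triage(text: str):
    return [(e, suspicious_reasons(e)) for e in parse_hjt(text)]


def flagged_lines(text: str) -> List[str]:
    return [e.raw for e, reasons in triage(text) if reasons]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_HJT_LINES):
        mark = "FLAG" if reasons else "    "
        print(f"{mark} {entry.section:<4} {entry.name:<14} {entry.path}")
        for r in reasons:
            print(f"       - {r}")
```

Run on the sample, the six O2/O3/O21 entries are flagged and the O4 RealPlayer scheduler (realsched.exe under Program Files) is not: that line is a normal startup item the advisor chose to remove, a judgment call no path heuristic captures. The CLSID and path are kept separately so an analyst can look up the registration and the file independently.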
  7. VaneBonita

    VaneBonita Private E-2

    Ahh thank you for your fabulous response. It has been VERY helpful until now. The annoying toolbar is gone, thank-you!

    You see, I made a little mistake...I thought I would not be needing ComboFix.exe and deleted it:eek:. BUT the ComboFix folder is still in my computer under C:/ with all the files in it and I apparently have no permission to delete it...

    I felt smart for a minute, and thought I could re-install ComboFix, but my guess is that the folder I am not able to delete does not allow the new one to save... I've gotten as far as fixme.reg

    Help?:eek:
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download ComboFix.exe again and make sure you save it on your Desktop. Then complete my previous instructions. Be sure to read them again as I made a correction to the filename to save the fix for combofix to.
     
  9. VaneBonita

    VaneBonita Private E-2

    Thank-you very much! My computer is back to normal.
    Here are the files:)
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have one more file to delete. Please delete the below file. Let me know if you are successful or run into any problems.

    C:\Windows\monhop.exe


    If you successfully delete this file, continue on to the below instructions.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds