Problems with the Read & Run Me First Process

Discussion in 'Malware Help (A Specialist Will Reply)' started by dstern, Mar 18, 2006.

  1. dstern

    dstern Private E-2

    I am attempting to clean a major malware infection on my son's computer with XP. I have followed the "Read and Run Me First Process," but near the end have run into some problems:

    1. I ran Windows Defender, which identified 11 problems. When I told it to remove all 11, I received an error message: 0x800106ba and the program ceased. I ran the program again, with the same result.

2. I used the link to connect to the Bitdefender site, but when the page loaded, there was an error on the page and the link for agreeing to the license was not active. I tried several work-arounds, including getting to the site from the Bitdefender homepage, and re-booting in normal mode and trying both ways of accessing the program, but always with the same result: I can't accept the license, and thus can't proceed.

    I'd be most grateful for advice on both of these issues.
     
  2. dstern

    dstern Private E-2

    Major Malware Problems--Please Help

    I am trying to rid my son's computer (using XP) of multiple malware problems. I followed the instructions for general cleaning. Steps 1-5 went fine, but Windows Defender did not complete its process, despite repeated efforts, and gave an error message: 0x800106ba.

I then proceeded to step six. I could not run Bitdefender, in safe mode or in normal mode, since when the page loaded there was an error in the page and I could not accept the license agreement. (I tried from another computer, one working well, and had the same problem).

    I then ran Panda ActiveScan. The report is attached.

    Finally, I did step 7. The HJT log is attached.

    I would very much appreciate advice on steps to take.
     

  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Follow the directions for Virtumonde aka Trojan Vundo Removal.

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files in the list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.


    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post the Vundo log and a fresh HijackThis log.
     
    Last edited: Mar 18, 2006
  4. dstern

    dstern Private E-2

    Viruses and Spyware Persist

    Thanks. That is what I did, as described in my subsequent post, when I worked all the way through the last step, and then posted the ActiveScan and HijackThis logs.

    Can you advise what to do based on the logs? I am still getting numerous ad popups in IE even when IE is not open (I generally use Firefox). And Active Scan and Windows Defender both indicate viruses, even though I use McAfee.

    Thanks.
     
    Last edited: Mar 18, 2006
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Re: Viruses and Spyware Persist

    I edited my original post after I merged your threads.
     
  6. dstern

    dstern Private E-2

    Thanks for the detailed instructions. I've followed them, and posted the Vundo log and a new HijackThis log. What'll I do now, or am I clean?
     

  7. dstern

    dstern Private E-2

    Persistent Malware---Help, Please!

    Malware infections continue. Just as this screen opened, McAfee sent me a notice that the trojan HackerDefender.sys was detected and cleaned. Just prior to this, I re-ran Bitdefender , ActiveScan, and HijackThis. Results from earlier today are posted in my previous post, though I was not then able to run Bitdefender.

    Advice would be enormously appreciated!!!!
     

  8. dstern

    dstern Private E-2

    Please don't take this the wrong way. I'm grateful for the superb help given on this site. But right now I'm not sure if I need to post additional info to elicit a response. I followed shadow's instructions and posted the Vundo log and a second HJT log this morning. Earlier this evening, I re-ran the clean-up sequence and posted logs for Bitdefender, ActiveScan, and HJT.

    If I've done something I shouldn't have done (or failed to do something I should have), please advise. I really need help, and thank you in advance for it!

    David
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You just need to be patient and wait for a response from SPD who is working with you.
We cannot be here all the time and it is a weekend to top it off.

But in the meantime please properly obtain your Bitdefender log. What you posted is only a summary and not useful. You must follow the directions in step 6 exactly to get a proper log.

Also you can do the below:
Look in Add/Remove programs for the below and uninstall if found:
    FlashTrak
    MyWeb or MyWebSearch
    xupiter

    Use Windows Explorer to delete the below. Make sure viewing of hidden files is enabled.
    C:\gimmysmileys1.exe
    C:\PROGRAM FILES\Flt <--- the whole folder
    C:\Documents and Settings\caitlin stern\Favorites\Inernet <--- the whole folder
    C:\WINDOWS\system32\oppon.dll

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    It would also be a good idea to now indicate what malware problems (if any) you are still having.
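The step above merges a prepared fixme.reg into the registry. The following is an added example, written for this thread and not code posted by chaslang or MajorGeeks: a small parser that previews what a .reg file would do before it is merged, so the keys it would delete (`[-HKEY_...]`), the values it would remove (`"name"=-`) and the values it would set can be compared against what the helper asked for. The sample .reg text inside it is constructed with placeholder key and value names; the thread does not reproduce the real fixme.reg contents.

```python
"""Preview the effect of a Windows .reg file before merging it.

Added example; the registry file below is a constructed sample with
placeholder names, not the fixme.reg from the thread.
"""
import re
from typing import Dict, List

HEADER_V5 = "Windows Registry Editor Version 5.00"
HEADER_V4 = "REGEDIT4"

# Constructed sample in the usual shape of a cleanup .reg file.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\ExampleBadVendor]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleLoader"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Search Page"=dword:00000001
'''

KEY_LINE = re.compile(r"\[(-?)(.+)\]")
# Value lines are either @=... (default value) or "quoted name"=...
VALUE_LINE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)')


def parse_reg(text: str) -> Dict[str, List]:
    """Return the operations a .reg file would perform.

    Keys in the result: 'delete_keys' (list of key paths),
    'delete_values' (list of (key, name)), 'set_values'
    (list of (key, name, raw_value)) and 'errors' (list of str).
    """
    result: Dict[str, List] = {"delete_keys": [], "delete_values": [],
                               "set_values": [], "errors": []}
    lines = text.splitlines()

    # regedit refuses files without the header, so do the same.
    first = next((l.strip().lstrip("\ufeff") for l in lines if l.strip()), "")
    if first not in (HEADER_V5, HEADER_V4):
        result["errors"].append(f"missing or unexpected header: {first!r}")
        return result

    # Join backslash continuations (hex(...) values often span lines).
    joined: List[str] = []
    pending = ""
    for raw in lines:
        line = pending + raw.strip() if pending else raw.rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        joined.append(line)

    current = None  # key path of the section being read
    for line in joined:
        s = line.strip().lstrip("\ufeff")
        if not s or s in (HEADER_V5, HEADER_V4) or s.startswith(";"):
            continue
        m = KEY_LINE.fullmatch(s)
        if m:
            if m.group(1):            # "[-KEY]" deletes the whole key
                result["delete_keys"].append(m.group(2))
                current = None
            else:
                current = m.group(2)
            continue
        m = VALUE_LINE.fullmatch(s)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            value = m.group(2)
            if value == "-":          # '"name"=-' removes the value
                result["delete_values"].append((current, name))
            else:
                result["set_values"].append((current, name, value))
            continue
        result["errors"].append(f"unparsed line: {s}")
    return result


def describe(parsed: Dict[str, List]) -> str:
    """Render the parsed operations as a short human-readable report."""
    out = [f"delete key:   {k}" for k in parsed["delete_keys"]]
    out += [f"delete value: {k} -> {n}" for k, n in parsed["delete_values"]]
    out += [f"set value:    {k} -> {n} = {v}" for k, n, v in parsed["set_values"]]
    out += [f"ERROR: {e}" for e in parsed["errors"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(describe(parse_reg(SAMPLE_REG)))
```

Run it against the real fixme.reg by reading the file and passing its contents to `parse_reg`; anything listed under `delete key` or `delete value` should match what the helper told you to remove, and any `ERROR` line means the file is malformed and should not be merged.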
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Other than what I pointed out earlier and the stuff that chas has pointed out; your logs give no other indications of an infection.

    What specific Malware problems are you experiencing?
     
  11. dstern

    dstern Private E-2

    SDP (and Chas),

    I ran through all of the scans and fixes in the "Read and Run Me first" process once again. Here are the results:

Windows Defender identified Download.AI, AvenueMedia.DYFuCa, and SearchCentrix. However, it did not fix the problems, giving me again an error message 0x800106ba.

    The Bitdefender, ActiveScan, and HJT logs are attached.

    Unfortunately, I got the last message while these scans were underway, so only after they were completed did I do the following:

    C:\gimmysmileys1.exe
    C:\PROGRAM FILES\Flt <--- the whole folder
    C:\Documents and Settings\caitlin stern\Favorites\Inernet <--- the whole folder

    and merged the regedit text with my registry.

    I could not find this file: C:\WINDOWS\system32\oppon.dll

    Next steps?
     
  12. dstern

    dstern Private E-2

    Here are the logs I forgot to attach just now.
     

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

Scan with HijackThis and fix the following:
    Reset your browser setting by following the directions in How to Reset Web Settings.

    Reboot to Safe Mode.

DELETE the following:
    You have an infected Backup archive at C:\_RESTORE\ARCHIVE\FS1035.CAB DELETE it.

    Reboot to Normal Mode.

    Follow the directions to Disable and Enable System Restore: System Restore

    This will flush all restore points from your system and create a new one.

    Post a fresh HijackThis log.
     
  14. dstern

    dstern Private E-2

    Done and fresh HJT log attached.

    A couple of questions:

When you said "Follow the directions to Disable and Enable System Restore: System Restore" I took you to mean that I should disable system restore and reboot. Should I now re-enable it?

Secondly, every time I boot up I get a message from McAfee that it has detected an infection by HackerDefender.sys of the mxdefdrv.sys file and deleted the file. What's going on here?
     

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Boot to safe mode and delete mxdefdrv.sys. Enable System Restore. Otherwise your HijackThis log is clean.
     
  16. dstern

    dstern Private E-2

    Thanks for your help. It has been superb!
     