Read & Run Me First question

Discussion in 'Malware Help (A Specialist Will Reply)' started by mforster, Feb 2, 2006.

  1. mforster

    mforster Private E-2

    Problem: I have winfixer(virtumonde?) Deldir.A Adtomi tribal fusion Alexa and a few others. I have completed Read & Run and hijackthis. I was reading another thread from ilovegrits and they had an issue with downloading vs. installing. My instructions from thread 35407 4: Downloading Tools says to install. How do I know if I installed or downloaded? Or should I just send my logs and have you tell me?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you have completed the READ ME, attach a current HJT log along with the two logs from the online scans.
     
  3. mforster

    mforster Private E-2

    Unfortunately, I don't know how to attach. The bdscan and pandaactivescan are in Documents & Setting - Administrator - Desktop but no icon or shortcut on the desktop. The hijackthis.log is in Program Files.

    Thanks.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click on "Reply" and then towards the bottom of the box you type in click the button "Manage Attachments". Locate your logs and attach all 3 of them.

    Let me know if you have any problems.
     
  5. mforster

    mforster Private E-2

    Here are the logs - the bdscan1.txt looked funny to me so I redid the scan in safe network mode and that is bdscan2.txt.
    I had a popup blocker enabled so that's why I had a problem with attaching.

    I'm having winfixer popups and adultfinder.com which is a XXX site and I have two small children that use the computer.

    Thank you.
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  7. mforster

    mforster Private E-2

    I installed and ran VundoFix and did the hijackthis. I have two hijackthis.exe in my HJT folder (I'm trying to follow the instructions from Using WinZip from instructions 74216). When trying to do the extract to on one of hijackthis.zip it says it will replace the existing one so I did nothing. Please help? I know how to upload the VundoFix but not the hijackthis.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click on hijackthis.exe and choose the option "run a scan and save a log". Using manage attachments locate this text file created in the folder where you run hijackthis.exe and attach it.
     
  9. mforster

    mforster Private E-2

    Hope this is the right one.
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please relocate your HJT as you are currently running it from an unsecure location.

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    • Click START > My Computer > Local Disc C: > Program Files
    • Now, Right Click on an Empty Area and select New > Folder & name it HijackThis and ENTER
    To Extract HijackThis:
    • Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder (C:\Program Files\HJT) and click Next.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    After you complete the above, please see the below threads on how to install and run Spy Sweeper and Ewido Anti-Malware. After you ran both programs, attach the logs to your next post along with a fresh HJT log from normal mode.
     
  11. mforster

    mforster Private E-2

    I completed Spysweeper but when it came to the save as option I know I didn't do the right thing it became a pdf file. How do I copy it from the session log. I don't know how to paste to notepad. As you can tell I'm just winging it.

    Thanks
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's ok, run Ewido and afterwards attach a fresh HJT log and we will go from there.
     
  13. mforster

    mforster Private E-2

    Okay, I ran Ewido and hijackthis. Hope the logs are readable. I'm having problems saving some of the files because I don't know what I'm doing. Some turn into pdf if that makes sense. I'm having problems attaching the ewido. The ewido is in program files - ewido anti-malware folder - then in reports folder and it's called scan report_20060203txt.txt and it won't attach - it's not supposed to have the txt twice, is it? Then after it wouldn't attach I did a search from the start menu and copied it to program files and made a new folder ewido log and that won't attach either. I'm sorry. Is there a tutorial on how to save this stuff?
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's ok, we can do without those logs.

    Please look in Add/Remove Programs for the following and uninstall them if found:

    Ewido

    Spy Sweeper


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

    O20 - Winlogon Notify: ddayy - ddayy.dll (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.


    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
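
    Added example, not part of the thread and not HijackThis's own code: four of the five entries listed in the post above share one pattern, a reference whose target file or value is gone. The Python sketch below picks such orphaned entries out of HijackThis-style log lines. The sample log is constructed from the entries quoted in the post plus two made-up entries (ExampleHelper, ExampleTray), and the marker list is an assumption drawn only from those quoted lines.

```python
import re
from collections import Counter

# Constructed sample: the five entries quoted in the post, plus two made-up
# entries (ExampleHelper, ExampleTray) whose targets exist.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: ddayy - ddayy.dll (file missing)
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Trailing markers seen in the post's entries when the target is gone
# (assumption: not an exhaustive list of what the tool can print).
ORPHAN_MARKERS = ("(no file)", "(file missing)", "is missing")

def parse_entry(line):
    """Split one log line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None

def orphaned_entries(log_text):
    """Return the entries whose body ends with one of the orphan markers."""
    found = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue  # blank lines, headers, process list, etc.
        section, body = parsed
        marker = next((mk for mk in ORPHAN_MARKERS if body.endswith(mk)), None)
        if marker is None:
            continue  # target present, or a different kind of entry (e.g. O14)
        clsid = CLSID_RE.search(body)
        found.append({"section": section, "marker": marker,
                      "clsid": clsid.group(0) if clsid else None,
                      "raw": line.strip()})
    return found

def count_by_section(entries):
    """Tally orphaned entries per HijackThis section code."""
    return dict(Counter(e["section"] for e in entries))

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(f'{e["section"]:>3}  {e["marker"]:<14}  {e["raw"]}')
```

    The O14 line is not matched: it is a changed default rather than a dangling reference, so it needs the kind of manual review the helper gave it.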
     
  15. mforster

    mforster Private E-2

    I tried it again and it works but can you read it? Of course my husband just got home and I asked for help and it worked.
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Go ahead and proceed with the fix in my previous post, afterwards attach a fresh HJT log and we will see how things are from there.
     
  17. mforster

    mforster Private E-2

    I followed all the instructions. When I scanned with Ad-Aware SE it removed 8 negligible objects - Spybot S&D found Winfixer and removed it. When I scanned with Ad-Aware a prompt asked do you want to also remove the saved files in quarantine and the reports and I clicked yes. Was that correct?
    In re to the system restore, I had to manually restart; it didn't do it itself both times.

    Comcast offers free McAfee (3 products) should I install those or just keep what you've had me download or install?

    Do you think the computer is clean now? Can I use the internet?

    I really appreciate all your help - you are doing a great justice by fighting the Malware creeps.
     

    Attached Files:

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I see you have Norton currently installed, personally I would stay away from Norton and McAfee for many reasons.

    First, you need to update your OS. You need to install Service Pack 2 for security purposes. Then you need to install a firewall.

    My recommendations are..

    Antivirus: AVG Free Edition

    Firewall: ZoneAlarm Free Edition

    Antispyware: Spy Sweeper

    You should see this article on How to Protect yourself from malware!
     
  19. mforster

    mforster Private E-2

    Thanks, Norton came with the computer and it is expired. Do I just do the add/remove program to remove it?

    I have read How to protect yourself and I will use Mozilla. Do I just go to tool internet options and use Mozilla for the home page?

    I will do the service pack update and follow your recommendations.

    Again many thanks.

    You Rock!!!
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, just remove it from there. If you have any problems removing it from Add/Remove let me know and I will send you a utility to remove it.

    You can change it to whatever you like.
     
