Spyware removal help please!

Discussion in 'Malware Help (A Specialist Will Reply)' started by dk_dire, Nov 2, 2006.

  1. dk_dire

    dk_dire Private E-2

    Hi there!

    Thanks for this great forum, I've already learned a lot so far.

    First off, I've already followed all 1-7 steps in the "READ & RUN ME FIRST Before Asking for Support" sticky thread and I still have problems, which is why I am asking for help!

    I tried to open a file for an mp3 converter, and it seems to have given me a trojan of sorts and possibly some other things. I've experienced severe Spyware before, but this definitely isn't severe. It's annoying though and I want to get rid of it.

    First of all something called VSAdd-In was installed without me knowing and seemed to cause some trouble, but I think I've got rid of it.

    I am now getting pop-ups from nowhere, not too frequently though. I am also getting pop-ups for the following a lot:

    "ErrorSafe" - errorsafe.com
    "WinAntiVirus Pro 2006" - amaena.com

    These advertise spyware removal software and then try to install and therefore take over the browser.

    I'm sure you've come across this before.

    One or two spyware programs found "purityscan" and another trojan that I can't remember the name of, but they haven't seemed to remove them.

    Anyway, did all the steps in 1-4, then did the scans in SafeMode. "Windows Malicious Software Removal Tool" found nothing. "Spybot Search & Destroy" found one thing, but removed it. "Windows Defender" found nothing either.

    I've then done the Bitdefender and Panda ActiveScan scans and they found things, but couldn't remove them without payment.

    I've therefore attached all the log files that you ask to attach and I've done all the instructions for the HiJackThis program.

    Hope you can help me! Thanks in advance! :)

    Cheers,

    Dale
     


  2. dk_dire

    dk_dire Private E-2

    The rest of the attachments...

    Thanks again!
     


  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  4. dk_dire

    dk_dire Private E-2

    Thanks so much for the reply! Very much appreciated!

    I ran the Vundo Fix program, it found a few .dll files in the system32 folder and removed them. I then did a fresh HJT log and have attached it along with the Vundo Fix log.

    I'm also getting one or two problems again with "VSAdd-in". It seems to be replacing itself somehow. Will Vundo Fix have fixed that at all?

    Anyway, look forward to your reply!

    Thanks again!

    Cheers,

    Dale
     


  5. dk_dire

    dk_dire Private E-2

    One more thing....

    Ever since doing the scans during safe mode on the 2nd of November, I've had a RUNDLL error every time I start up the computer.

    It says:

    "Error Loading C:\WINDOWS\system32\drvvaz.dll

    The specified module could not be found."

    Is that a serious error? It seems to be coming up in conjunction with a security alert saying that Norton Anti-Virus software is turned off, which it isn't.

    Could you offer any help here?

    Thanks again!

    Cheers,

    Dale
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    O2 - BHO: (no name) - {EA870106-3409-4084-ABC0-B7932488FE6F} - C:\WINDOWS\system32\mllml.dll (file missing)
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\agehtmqq.dll

    O4 - HKLM\..\Run: [CTDrive] "rundll32.exe" C:\WINDOWS\system32\drvvaz.dll,startup

    O11 - Options group: [INTERNATIONAL] International*

    O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system32\drvvaz.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\agehtmqq.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above, reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
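
An added example, not part of the original thread: a small Python parser for the HijackThis entry lines quoted in the post above. It separates entries already marked "(file missing)", where only a stale registry reference remains, from entries that still name a DLL, which are the two files the post goes on to hand to KillBox. The field names and the split rule are assumptions of this example, and paths containing spaces are not handled.

```python
import re

# Sample input: entry lines copied from the post above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {EA870106-3409-4084-ABC0-B7932488FE6F} - C:\WINDOWS\system32\mllml.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\agehtmqq.dll
O4 - HKLM\..\Run: [CTDrive] "rundll32.exe" C:\WINDOWS\system32\drvvaz.dll,startup
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# "<section code> - <rest of entry>", e.g. "O2 - BHO: ..."
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A DLL name, with an optional drive-rooted directory (no spaces) in front.
DLL = re.compile(r'(?:[A-Za-z]:\\[^\s",]*\\)?[\w.\-]+\.dll', re.I)


def parse_entry(line):
    """Return a dict describing one log entry, or None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    dll = DLL.search(body)
    return {
        "section": m.group("section"),
        "dll": dll.group(0) if dll else None,
        "missing": body.rstrip().endswith("(file missing)"),
        "via_rundll32": "rundll32" in body.lower(),
    }


def triage(log_text):
    """Split DLL-bearing entries into (registry_only, file_followup)."""
    registry_only, file_followup = [], []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry["dll"] is None:
            continue  # URL settings (R0/R1), O11 and blanks carry no DLL
        target = registry_only if entry["missing"] else file_followup
        target.append(entry["dll"])
    return registry_only, file_followup


if __name__ == "__main__":
    stale, on_disk = triage(SAMPLE_LOG)
    print("registry reference only:", stale)
    print("file needs follow-up:  ", on_disk)
```
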
     
  7. dk_dire

    dk_dire Private E-2

    Thanks again for the help!

    Did everything you asked and have attached the HJT log.

    Didn't encounter any problems during your instructions, and everything seems to be running a lot better. Since I ran that Vundo Fix program, it ran faster.

    There is no RUNDLL error now. So far, no more pop-ups with anti-virus removal things either.

    Only one problem seems to remain. I still get a balloon popping up from a red shield with a cross in it every time I start up, saying the following:

    "Your computer might be at risk

    Norton AntiVirus is turned off

    Click this balloon to fix the problem."

    As I said before though, Norton AntiVirus is switched on. Any suggestions?

    How does the log look? Everything seem to be cleared? Any more things I should do?

    Thanks again for all your help! You've saved my life, hehe!

    Cheers,

    Dale
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good! Personally I would recommend using AVG AntiVirus Free instead of Norton simply because it's a hundred times better and uses less resources. It's up to you but that's what I recommend.

    If Norton is "On" then click the alert and choose "I have an antivirus I'll monitor...." and it will go away.
     
  9. dk_dire

    dk_dire Private E-2

    OK, that's great the log looks good!

    The fixing with HJT also seems to have taken away problems I had with certain web pages working.

    Still can't fix this balloon though, and now Windows Defender is saying that I haven't scanned today, when I have. Any tips there?

    Thanks again!

    Cheers
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What balloon?

    Make sure your date and time is correct as this could cause this. Also, be sure your definitions are up-to-date.
     
  11. dk_dire

    dk_dire Private E-2

    The balloon saying that Norton AntiVirus isn't turned on. Tried doing what you said about telling it I would manage my own antivirus software. Although it disappears after 10 seconds...odd...

    Will try what you also said about Windows Defender.

    Thanks!
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you check "I have an antivirus I'll monitor...." it should not pop up any longer. This is a manual override that controls those alerts. There is also one for the Windows Firewall.
     
  13. dk_dire

    dk_dire Private E-2

    Ah, I found it in one of the menu options. That's done it!

    Can I now uninstall/delete VundoFix and KillBox? I might keep the others just in case I have to do checks again.

    Thanks again for all your help! Much appreciated!
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, you can delete anything I had you download. If needed we will download them again later as they update on a regular basis.
     
