Virtumondo.C

It does not appear that you ran at least two of the online scanners requested in step 5 of the READ ME. Is there a reason for not running them.

Please read the step 7 of the READ & RUN ME again and install and run HijackThis properly for future logs. All logs must be attachments and they must be unedited. To repeat part of step 7 here:

Make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Also before you attach a new log, I would recommend that you first run the steps in the below link and attach the SpySweeper log (then attach a new HJT log).

Running Spy Sweeper...

 

Okay! Perhaps I missed something the first time and did not notice the two online scans which I do see know. I apologize!

Did you want the two below R1 settings?
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=VOB


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {48F8D92D-2C3C-4BB6-9B66-7F30E0A5FB13} - C:\WINDOWS\mindep.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://*.63.219.181.7
O20 - Winlogon Notify: mllmk - C:\WINDOWS\system32\mllmk.dll (file missing)


After clicking Fix, exit HJT.

Now reboot in normal mode and post a new HJT log. And tell us how things are working now?

 

Uninstall or disable SpySweeper's protections. It may be blocking the fixes I gave you. Then rerun the previous fix. If that does not help, we may need to do the same with MS Antispyware.

 

We are not looking for the Trusted Site anymore. Just the other items we were trying to fix. Now they are fixed.

Just have HJT fix the below remnant from SpySweeper:
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

How are things working?

Note: HJT logs should always be from normal boot mode unless specified otherwise. So maybe you should boot into normal mode and post another hopefully final log.

 

Which other item?

Also in message number 4 I asked the below:

 

Let's see if we can remove the TZ IP address.

Run IE, select Tools, Internet Options. Now select Security and then click the Trusted Sites circle. Then click the Sites button. Look for the *.63.219.181.7 address in the Web sites box and select it. Then click Remove. Then at the bottom make sure there is a check mark in the box that says Require server verification...... blah blah. Now click OK. And OK again.

 

Were you logged in with Administrator priviledges when you fixed it? And what method did you use to fix it? Using HJT will more than likely not work.

Don't waste time posting unnecessary logs before fixes. Only post them after running the fixes.

You may need to uninstall MS Antispyware too.

 

I repeat my question from my last message!

 

Download RemV3.Zip to your computer somewhere you can find it.

Extract all the files to a folder (make it a folder for only these tools).
Then boot into safe mode and run the remv3.bat file.

 

Do what I gave to you in message # 17?

Then let me know your status.

 

Did you run it in safe mode?

Have you rebooted in normal mode afterwareds? If so, post a new HJT log from normal boot mode.

 

Make sure you are log in with Administrator priviledges and try message # 11 again.

 

It would seem that something is blocking some of the fixes. The REMV3.Bat fix normally fixes the problems. It could be that your Norton AV is blocking some fixes.

Boot into safe mode and disable any Norton processes from running. Make sure you are physically disconnected (unplug your cable) and that no browsers are opened and then run the remv3.bat file again. Then reboot in normal mode and let me know if the O15 line is gone.

 

Do you know how to use regedit? If so, I want you to look to see if you find any of the below registry keys:


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\Files]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues]

 

Please download DelDomains and unzip it to your desktop.

Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

(Please note if you have Spybot S&D installed you will need to "Immunize" again because deldomains will remove all of the sites Spybot adds.)

Is the O15 line still there? If so, run the below:

Download WinPFind

Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

 

Make sure you reboot! And then check again! Did you re-immunize with Spybot?

Answers to which AV are in another sticky thread which you should now work thru if still clean:

How to Protect yourself from malware!

Do not re-install MS Antispyware until you reboot and make sure the O15 line is still gone. If the O15 comes back, then run WinPfind otherwise do not run WinPfind.

 

We advise against multiple AV programs running, not multiple antispyware. However using mutliple full blown AS programs like Ewido, MS Antispyware, SpySweeper, and CounterSpy can be a resource hog. Ad-Aware (free version), SpywareBlaster and Spybot (as long as you do not use Teatimer) are not resource intensive and really only use signifcant resources when scanning. Thus you can keep all of them.

Download the new AV that you choose. Then uninstall Norton. Then install the new AV and get its updates. Then run a fullscan with it.