virus help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by bo2, Jan 23, 2007.

  1. bo2

    bo2 Private E-2

    I have followed all of the steps in the 'malware removal thread' but that doesn't seem to have done the trick confused

    logs are attached, thanks in advance!
     

    Attached Files:

  2. bo2

    bo2 Private E-2

    logs
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You should get all those Torrents off your Desktop and save them someplace else if you need them. Also it would be best not to install GetRunKey or ShowNew on your Desktop, especially since there is a load of junk on it already. It clutters up the logs.

    Also please empty your PestPatrol\Quarantine as requested in step 0 of the READ ME.

    Please run this Virtumonde aka Trojan Vundo Removal and attach the log here.

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply.
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs (it will take two messages) and tell me how the above steps went.

    1. VundoFix
    2. ComboFix
    3. GetRunKey
    4. ShowNew
    5. HJT
    Make sure you tell me how things are working now!
     
  4. bo2

    bo2 Private E-2

    logs
     

    Attached Files:

  5. bo2

    bo2 Private E-2

    that seems to have sorted the problem out, thanks for your help :)
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We have more to cleanup!!!

    You have both Norton Internet Security and ntl Netguard Security installed. You also have Authentium's Command AV installed (which may or may not be part of ntl Netguard). This is a conflict of what is mentioned in step 3 of the READ ME. Please choose one and uninstall the other now before continuing.

    Now uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_05

    Make sure you reboot after uninstalling the above!

    Now please uninstall the CounterSpy trial since we are finished with it now. Then delete the below two folders which will be left over from it:
    C:\Documents and Settings\Natalie\Local Settings\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Now Run this ViewpointKiller to remove Viewpoint Media software.


    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\rfyydviy.dll (file missing)
    O2 - BHO: (no name) - {AAD6FD12-D33A-4D93-8D6A-95F313D52140} - C:\WINDOWS\inf\ajvaawve.dll (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [workflow] D:\installs\workflow.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\rhyoxpqq.exe
    C:\WINDOWS\system32\oyokrmos.dll
    C:\WINDOWS\system32\phaynipt.ini
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now run Ccleaner
    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
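As an added example (not part of this thread and not one of the MajorGeeks tools): a small Python reviewer for the HijackThis O2/O4 line format quoted above. It flags the two patterns chaslang acts on, BHO registrations whose DLL no longer exists on disk and autorun entries that launch from outside the Windows and Program Files trees. The sample lines are copied from the post; the trusted-directory list is an assumption for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the HijackThis lines quoted in the post above.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\rfyydviy.dll (file missing)
O2 - BHO: (no name) - {AAD6FD12-D33A-4D93-8D6A-95F313D52140} - C:\WINDOWS\inf\ajvaawve.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [workflow] D:\installs\workflow.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# O2 lines: Browser Helper Object registrations (name, CLSID, DLL path, optional missing marker).
BHO_RE = re.compile(
    r'^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - '
    r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
# O4 lines: Run-key autostart entries (hive, key, value label, command line).
RUN_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$')

# Assumed "expected" locations for autostart binaries; anything else gets a closer look.
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files\\')


@dataclass
class Finding:
    line: str
    reason: str


def exe_from_command(cmd):
    """Return the executable path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def review_hjt(text):
    """Parse O2/O4 lines and return the entries a reviewer should look at."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            if m.group('missing'):
                findings.append(Finding(line, f"BHO {m.group('clsid')} registered but its DLL is missing: orphaned registration"))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = exe_from_command(m.group('cmd'))
            if not exe.lower().startswith(TRUSTED_DIRS):
                findings.append(Finding(line, f"autorun [{m.group('label')}] launches {exe} from outside Windows/Program Files"))
    return findings
```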
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please make sure to refresh and read my instructions again. I was editing them when you logged in.
     
  8. bo2

    bo2 Private E-2

    When I tried to run GetRunKey and ShowNew a message came up saying

    "16 bit MS-DOS Subsystem:
    C:\WINDOWS\system32\cmd.exe
    C:\PROGRA~1\Symantec\S32EVNT1.DLL. An installable Virtual Device Driver failed Dll initialization. Choose 'Close' to terminate the application."

    So I just clicked 'ignore' and the scan worked anyway...but there were no problems, other than that.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the instructions on the download pages and follow them. That is why they are there. This error message is mentioned and you need to fix this.

    You also seem to have ignored this message which was supposed to be done before anything else.
    Attach new logs (GetRunKey, ShowNew, and HJT) after fixing the problem with the error message and after uninstalling either Norton or ntl Netguard.
     
  10. bo2

    bo2 Private E-2

    I have uninstalled Norton AV properly now...I tried before but it was being stubborn. The error message is still showing up though and I followed both steps on the other thread confused
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now see if you can run ShowNew and GetRunKey without an error occurring. Attach logs if you can.

    Attach a new HJT log either way.
     
