Vundo check please and why the registry change

Banquo1 · Dec 27, 2008

Hello,

Thank you for the clear directions on the fix. I think I have finally removed all the Vundo and Trojan.Agent.

Random websites would occur when I clicked on a link in Firefox. I tried several different website fixes, but upon restart I would always get this message:

Rundll
Error loading c:\Windows.0\ovewiroz.dll
The specified module could not be found.

Ovewiroz.dll was the infected trojan that was removed. Running Malwarebytes and Spybot would delete the registry key, but on restart it would reappear.

I followed all your directions on Malware removal, and it seems to have finally been removed. Can check these logs to make sure for me?

Problem: Now that it is removed, when I type Msconfig in the run window from start I get a missing file. I can still run msconfig by browsing and double clicking, but I'm worried about the changed registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\AppPaths\MSConfig.exe

is now

\pchealth\helpctr\Binaries\MSConfig.exe

should be

c:\Windows\pchealth\helpctr\Binaries\MSConfig.exe

I'm sure the changed registry key for MSConfig is the result of the fixes I did for the Malware. Do I need to be worried? If I change this registry key will I get reinfected?

Thank you in advance

Banquo1 · Dec 27, 2008

last log

TimW · Dec 29, 2008

Your logs are clean.....let's do this to fix the msconfig issue:

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE]
@="C:\\WINDOWS\\PCHealth\\helpctr\\Binaries\\MSCONFIG.EXE"

Click to expand...

Make sure you get a success message.

If you are not having any other malware issues, then:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection, but are effective as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

Banquo1 · Dec 30, 2008

Working good now, thank you very much!

Happy New Year

TimW · Dec 30, 2008

You are most welcome.....safe surfing.

Log in or Sign up

Vundo check please and why the registry change

Banquo1 Private E-2

Attached Files:

SASlog.txt

mbam-log-2008-12-27 (13-31-59).txt

ComboFix.txt

Banquo1 Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Banquo1 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member