vundo, smitfraud, mbr rootkit removal needed

Discussion in 'Malware Help (A Specialist Will Reply)' started by inkliing, May 8, 2010.

  1. inkliing

    inkliing Private E-2

    I have an HP Pavilion Media Center PC m7457c, Pentium D 3GHz cpu (x86 32bit), 2GB ram, running Microsoft Windows XP Media Center Edition Version 2002 Service Pack 3 with free Antivir and windows firewall.

    I noticed a mostly-blank-screen, several-second lag each time Google web search attempted to display results, but no lag for Google images, video, etc. Also, the Google web search links were hijacked to display a relatively small number of virus-related vendors, so that if you clicked on a displayed wikipedia result, for example, it would instead take you to some virus-related vendor website.

    Antivir or one of the other scans found trojan.rootkit/gen or some such.

    Spybot found fraud.sysguard, but while it was scanning, I noticed it was scanning files like virtumonde.dll, Zlob.downloader, and HelpAssistant. When spybot finished, it could not remove sys.guard. The system froze, had to be physically shut down by holding down the off switch, and rebooted.

    Googling revealed I had Vundo (Virtumonde), smitfraud (Zlob), and a master boot record rootkit virus due to the presence in Documents & Settings of a HelpAssistant account, which should not be there.

    I ran Ccleaner, checked task manager/running processes (found nothing), ran hijackthis, found nothing.

    Googling got me to majorgeeks's special removal procedures. I followed the smitfraud removal procedure. The special removal procedures page also listed vundo, and directed me to the READ & RUN ME FIRST malware removal guide. I followed every step. The computer seemed clean, so I uninstalled and deleted everything, including all of the files & logs in the c: root dir and all of the folders, files, logs, quarantines, etc. associated with Malwarebytes Anti-Malware, superantispyware, combofix, etc. All of them.

    But the virus was not gone, so now I regret deleting the earlier logs. After a couple days, Google reverted to its earlier behavior. After being deleted, the HelpAssistant account returned after reboot.

    I repeated the process. I followed every step again, from the start. I named the log for selection 1 (search) in smitfraudfix 'smitfraudfix search log 050710 124900.txt,' and when I attempted to reboot into safe mode, the system froze at the 'windows is shutting down..." screen and I had to physically shut it off. I went into safe mode and physically disconnected my network cable (I have no wireless internet connection), ran smitfraudfix selection 2 to clean infected files and the registry. It didn't ask me to replace wininet.dll. The log for smitfraudfix selection 2 is called 'smitfraudfix clean log 050710 125800.txt' I then ran selection 3 to restore trusted zones, then rebooted to normal, still with the network cable physically disconnected, and ran selection 5 to clean DNS hijacks (the log is 'smitfraudfix dns log 050710 132712.txt'). Then I reconnected the network cable.

    Superantispyware found nothing.

    Malwarebytes Anti-Malware froze while removing the virus it found. I ran the scan again, found the same virus, and while mbam attempted to remove the virus, mbam said the comp needed a reboot to complete the removal, but the restart froze at the 'windows is shutting down...' screen and I had to physically shut off the comp. So the system freezes every time mbam tries to remove this virus.

    Combofix found a rootkit virus.

    Ran rootrepeal.

    MGtools displayed an '16 bit MS-DOS Subsystem' error briefly then stopped. I ran it again. Same error '16 bit MS-DOS Subsystem' said 'NTVDM has encountered a system error' and offered the choice of close or ignore. I closed it. Strange that such an error crashed MGtools during the 1st run, or did it? It didn't crash the 2nd run, and after I chose 'close' in response to the '16 bit MS-DOS Subsystem' error, it completed.

    After these scans, I'm still having problems. The system is slow, freezes often; the HelpAssistant account will reinstall itself after reboot; and malwarebytes antimalware still cannot remove the virus it found without crashing. The logs are attached.

    Help me Obi-Wan Kenobi, you're my only hope!
     


  2. inkliing

    inkliing Private E-2

    here are the rest of the logs
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
    Close out all other open programs and windows.
    Double click the file to run it and follow any prompts.
    If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
    Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.


    *In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

    mbr -f

    Now, please do the Start>Run>mbr -f command a second time.
    Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
    Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.

    No matter what happens with the above, attach the above logs and then immediately continue with the below in normal boot mode!

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\sgkvmjoeq
    C:\WINDOWS\temp\$$$dq3e    
    C:\WINDOWS\temp\$67we.$
    
    Folder::
    C:\Documents and Settings\HelpAssistant
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. inkliing

    inkliing Private E-2

    HelpAsst_mebroot_fix.exe got to 'checking mbr,' then froze. I waited 4 hrs, then physically shut down the comp.

    Then I ran mbr -f twice, helpasst -mbrt, combofix w/CFscript, and C:\MGtools\GetLogs.bat, Logs are attached.

    To test the system, I reran HelpAsst_mebroot_fix.exe. It completed almost immediately with no problems found.

    I surfed a bit, checked google web searches for lags, hijacks, etc., restarted a few times, checked google again. HelpAssistant has not returned after multiple restarts.

    But the system still intermittently freezes and needs to be physically shut off. It froze during superantispyware (I'm rerunning all the scans), though the 2nd SAS run went fine and found no problems. It also froze once when I went to google.

    Assuming my logs are clean, then I suspect that the system freezes are unrelated to the recent virus, will be hard to identify & fix, and are probably related to the many windows updates that I recently did on that comp (It had been neglected. Internet explorer was still IE6. many windows updates were needed.)
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try again:

    Please download HelpAsst_mebroot_fix.exe by noahdfear and save it to your Desktop.

    • Double click HelpAsst_mebroot_fix.exe to run the tool.
    • When the tool completes it will inform you HelpAssistant was successfully removed, or it may require a reboot. DO NOT reboot at this point if it tells you this. Do the below first.
    • With Windows Explorer, navigate to the C:\MGtools folder and double click on mbrfix.bat ( If not sure how to use Windows Explorer, you can optionally click Start > Run and enter C:\MGtools\mbrfix.bat into the run box and click OK. ) This will run quickly flashing a black screen in front of you too fast to read.
    • * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      If it is not on your Desktop, the below will not work.
      * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
      * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
      * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
      Code:
      KILLALL::
      
      File::
      C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\sgkvmjoeq
      C:\WINDOWS\temp\$$$dq3e
      C:\WINDOWS\temp\$67we.$
      
      * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
      * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
      * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
      * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
      * Follow the prompts.
      * When it finishes, a log will be produced named c:\combofix.txt
      * I will ask for this log below

      Note:

      Do not mouseclick combofix's window while it is running. That may cause it to stall.
    • NOW REBOOT!
    • After reboot run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the new C:\MGlogs.zip file

    Make sure you tell me how things are working now!
     
  6. inkliing

    inkliing Private E-2

    The new HelpAsst_mebroot_fix.exe link you just posted keeps giving me a 404 error. I tried it from 2 different comps. Is this the same HelpAsst_mebroot_fix.exe file as before? Should I use the file I already have? Or redownload from the link you initially posted (post #3)?
     
  7. inkliing

    inkliing Private E-2

    I tried to follow all of your steps as best I could. The HelpAsst_mebroot_fix.exe link that you just posted in post #5 was broken and gave me an error 404 from 2 different comps. I used the HelpAsst_mebroot_fix.exe file that I already have. It finished quickly and found no HelpAss profile and reported both kernels virus free. There was no log & no reboot.

    Ran C:\MGtools\mbrfix.bat.

    Deactivated Antivir & disabled windows firewall.

    Dropped the new CFscript.txt on combofix. It found a rootkit and asked to be rebooted. I clicked to allow the reboot. It rebooted again during the 50 steps. It finished and produced a log.

    After combofix completed, I rebooted.

    Ran C:\MGtools\GetLogs.bat.

    Rebooted, checked documents & settings for HelpAss account (gone), checked google web search for hijacks & lags (none).
     


  8. inkliing

    inkliing Private E-2

    System is blue-screen crashing every few hours or so
     
  9. inkliing

    inkliing Private E-2

    HelpAssistant account in documents & settings has returned
     
  10. inkliing

    inkliing Private E-2

    Just before I noticed the return of the HelpAssistant account, I ran spybot and 2 odd things happened. In the status bar at the bottom of spybot, as it was running, it displayed "checking bot (xxxxx/1299xxxx aaaaa.aaa)" or something similar, where the xs are digits and the as are alpha-numeric. The first odd thing was that the aaaa.aaa displayed a virtual encyclopedia of viruses, flashing through them very quickly. I saw zango, adlaunch, cnnic searcher, smitfraud-c, spysheriff, virusheat, and many others. I couldn't jot them all down quickly enough. If these are files that spybot was scanning then I'm in a lot of trouble. The other odd thing is that the xxxxx number stopped far short of the total 1299xxxx, yet nevertheless spybot completed with no problems found.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The mbr infection is becoming more and more difficult to remove. Let's try it again and see what we can do.
    Please re-run HelpAsst_mebroot_fix.exe.
    Close out all other open programs and windows.
    Double click the file to run it and follow any prompts.
    If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
    Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.


    *In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

    mbr -f

    Now, please do the Start>Run>mbr -f command a second time.
    Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
    Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

    Make sure you leave a space between helpasst and -mbrt !
    When it completes, a log will open.
    Please post the contents of that log.

    No matter what happens with the above, attach the above logs and then immediately continue with the below in normal boot mode!

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\temp\$$$dq3e
    C:\WINDOWS\temp\$67we.$
    C:\WINDOWS\temp\mmw4
    C:\WINDOWS\temp\scs8.tmp
    C:\WINDOWS\temp\scs9.tmp
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Please run this: GMER - running with a random name and attach the log from GMER.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * GMER log.
    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  12. inkliing

    inkliing Private E-2

    HelpAsst_mebroot_fix.exe completed this time. It didn't ask to run 'mbr -f,' nor did it shut down the comp.

    Ran helpasst -mbrt. HelpAsst.log is attached.

    Ran mbr -f twice.

    Shut down. Waited 5min. Started up. Waited 5min.

    Ran helpasst -mbrt again. HelpAsst1.log is attached.

    Deactivated Antivir, disabled windows firewall. By the way, even tho I deactivate Antivir before running combofix, combofix so far has restarted at least once each time it runs, thus reactivating antivir at startup. I don't know if this interferes with combofix.

    Dropped new CFscript.txt on combofix.exe. It updated. It then found rootkit activity and asked to reboot. Then later while it was running its 50 steps, it rebooted again on its own. Then it completed. Log is attached.

    Ran GMER - running with a random name, got the 'GMER has detected rootkit activity' message, selected no. Then scanned. log is attached.

    When I went to run C:\MGtools\GetLogs.bat, I noticed from task manager that lsass.exe and avguard (antivir) each had exactly 50% of the cpu, locking up the comp. I couldn't access the start menu. I could access windows explorer but it froze when I clicked on my computer. I could have run C:\MGtools\GetLogs.bat from new task in task manager but I worried that it would freeze, so I decided to reboot. Shut down from task manager also froze so I physically shut it off.

    Booted and ran C:\MGtools\GetLogs.bat. Log is attached.

    I can't say whether the comp is clean, clearly. It seems that HelpAsst_mebroot_fix.exe deactivates HelpAssistant each time we do this, so that, when I test Google for hijacked links, it seems O.K. Nevertheless, the mbr virus remains, thus far, holed away in its dark little corner.

    So I'm going to forego any testing of the system and just shut it down and wait for your analysis of the logs.
     


  13. inkliing

    inkliing Private E-2

    MGtools log
     


  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Nasty little bugger!!

    Make sure that you have followed the sixth item in the Read and Run First instructions, then:

    • Please download maxlook , saving the file to your desktop.
    • Double click maxlook.exe to run it. Note - you must run it only once!
    • As instructed when the tool runs, restart the computer and logon to the Recovery Console.
    • This will require you to change the boot order in the bios to the cd drive as first and then boot with the xp disc in the drive in order to go into the RC.
    • Execute the following bolded command at the C:\windows> prompt. Refer to the snapshot to see how it will look. Double click the thumbnail to enlarge it.

      batch look.bat

    http://noahdfear.net/WTT/lookXP.gif



    • You will see 1 file copied many times then return to the x:\windows> prompt.
    • Type Exit to restart your computer then logon in normal mode.
    • Click Start >> Run and then type the following in the run box ( note the space before the - sign )

      maxlook -sig
    • It will produce looklog.txt on the desktop and open it.
    • Please attach the log to your next message.
     
  15. inkliing

    inkliing Private E-2

    When I originally read step 6 in READ & RUN ME FIRST, I worried that I wasn't entirely clear on what disk emulation software is. I suppose it's when part of the hard drive (perhaps a partition) or memory is used to emulate a virtual CD or DVD, more or less. I'm pretty sure there are none on this comp, unless it is hidden somehow. I used partition commander years ago to partition the hard drive on this comp. Partition commander is no longer installed, but the hard drive is still partitioned. I hope there are no hidden drivers in the MBR or in the boot records or boot directories of these partitions, since they are technically virtual partitions of a physical hard drive. But the hard drive was partitioned before I bought it: it included a system recovery partition, which was virtual; not a separate physical drive.

    My boot order is already set to boot from CD before hard drive, but I don't have a windows CD: my computer didn't come with one. Microsoft, in its infinite wisdom, provided my hard drive with a recovery partition instead (drive D:), which, I believe, uses the same virus-infected MBR. I tried to boot into the RC, which I've never used, by spamming f10, which my startup screen identifies as 'system recovery.' This brought me to the operating system selection screen listing two choices: 1) microsoft windows recovery console, or 2) Windows xp media center edition. Choosing 1 repeatedly led to a blue screen crash which advised me to scan for viruses.

    Does this mean I have to purchase a windows xp CD? Would that even be guaranteed to work? What if the new windows CD and the installed windows don't like each other? Have the wrong security keys, or whatever? Microsoft and windows can be so difficult about those things sometimes.

    Starting to feel very depressed, but you probably know of several ways to get me into the recovery console <fingers crossed>.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You will need access to a different computer to do the following:
    *** Please print these instructions ***

    1. Download Hiren's BootCD Iso to the desktop of a clean computer.
    2. Extract the zipped HirensBootCD.zip to your desktop.
    3. Open the extracted HirensBootCD folder and extract the zipped HirensBootCD.iso.
    4. Double click the BurnToCD.cmd bat file contained in the HirensBootCD folder. This will launch BurnCDCC.
    5. Insert a blank CD in your drive.
    6. Press Start. This will burn the image to disc. After it has completed...
    7. Restart your sick computer and boot from the HBCD you created.
    o If your PC is not booting from the CD, you need to change the boot order:
    + Restart your PC
    + As soon as you get an image, press the Setup key. This is usually F2, F10, F12 or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    + Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    + Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    + The tab should now show your current boot order.
    + If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    + Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    o Your PC should now boot from your CD.
    o Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
    8. When the CD boots choose "DOS BootCD".
    http://noahdfear.net/10.2_startup.gif
    At the Hiren's BootCD main menu, select Next and hit Enter.
    http://noahdfear.net/main_menu.gif
    At the second menu select 1 MBR (Master Boot Record)Tools
    http://noahdfear.net/menu2.gif
    In the list of MBR Tools select 1 MBR Work 1.08
    http://noahdfear.net/mbr_tool.gif
    This screen will show the hard drive configuration.
    http://noahdfear.net/mbr_tool_fix.gif
    Type 5 to Install standard MBR code then hit Enter
    Type 1 to select Standard then hit Enter
    Type Y then hit Enter to confirm
    Type E then hit Enter to exit
    Press Ctrl+Alt+Del to restart the machine

    Now:

    • Double click HelpAsst_mebroot_fix.exe to run the tool.
    • When the tool completes it will inform you HelpAssistant was successfully removed, or it may require a reboot. DO NOT reboot at this point if it tells you this. Do the below first.
    • With Windows Explorer, navigate to the C:\MGtools folder and double click on mbrfix.bat ( If not sure how to use Windows Explorer, you can optionally click Start > Run and enter C:\MGtools\mbrfix.bat into the run box and click OK. ) This will run quickly flashing a black screen in front of you too fast to read.
    • Now re-run the ComboFix fix I gave you in post #11
    • NOW REBOOT!
    • After reboot run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the new C:\MGlogs.zip and the new Combo logfiles

    Make sure you tell me how things are working now!
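    Editor's added example (not part of this thread, and not code from MajorGeeks, Hiren's BootCD or any tool named above): the MBR Work step writes standard bootstrap code into the first 446 bytes of sector 0 and leaves the 64-byte partition table (four 16-byte entries) and the 0x55AA signature in place. Once you have a machine you trust, the practical follow-up check is to read sector 0, parse the partition table, confirm the signature, and compare a hash of the bootstrap code against a baseline taken from that clean state. The script below does exactly that. The sample sectors, the partition layout and the baseline hash are constructed inside the script for the demonstration; it does not recognise any particular rootkit, it only reports deviation from your own baseline. The command-line path and the \\.\PhysicalDrive0 device name are assumptions about how you would run it on a real disk.

```python
"""Check a 512-byte Master Boot Record against a known-clean baseline.

Added example for this thread; not code from MajorGeeks, Hiren's BootCD or
any other tool mentioned in it. The layout (446 bytes of boot code, a 64-byte
partition table of four 16-byte entries, the 0x55AA signature) is the real
MBR format; the sample sectors and the baseline hash are constructed here.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
PART_ENTRY_FMT = "<B3sB3sII"
MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into boot-code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:          # type 0 means an empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from clean baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    # Partition entries sorted by start LBA must not overlap each other.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                   for p in info["partitions"])
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("partition entries overlap")
            break
    return findings


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_ENTRY_FMT, status, b"\xff\xff\xff",
                                 ptype, b"\xff\xff\xff", lba, size)
                     for status, ptype, lba, size in entries)
    return code + table.ljust(64, b"\x00") + MBR_SIGNATURE


# Constructed sample data. The first seven bytes (xor ax,ax / mov ss,ax /
# mov sp,7C00h) are the usual opening of standard MBR code; the rest is filler.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 439
LAYOUT = [(0x80, 0x07, 63, 300_000_000),          # C: NTFS, active
          (0x00, 0x0C, 300_000_063, 12_000_000)]  # D: recovery partition, FAT32
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, LAYOUT)
CLEAN_BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Same partition table, but the opening instructions have been replaced:
# the partitions still mount normally, only the boot-code hash gives it away.
TAMPERED_MBR = build_mbr(b"\xEA\x00\x7C\x00\x00" + CLEAN_BOOT_CODE[5:], LAYOUT)


if __name__ == "__main__":
    # Usage: python mbr_check.py <disk-image-or-raw-device> <baseline-sha256>
    # On Windows the raw device is \\.\PhysicalDrive0 (administrator rights
    # needed); take the baseline from a disk you know to be clean, or a dd image of it.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            findings = check_mbr(f.read(SECTOR_SIZE), sys.argv[2])
    else:
        findings = check_mbr(TAMPERED_MBR, CLEAN_BASELINE)
    print("clean" if not findings else "\n".join(findings))
```

    Run it with no arguments to see the constructed tampered sector flagged; with an image path and a baseline hash it checks a real disk. The reason for hashing only the first 446 bytes is that the partition table legitimately differs from machine to machine while the standard bootstrap code does not, so one baseline per clean install is enough, and a boot code that still boots fine but no longer matches it is precisely the symptom this thread spent a week chasing.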
     
  17. inkliing

    inkliing Private E-2

    Just to be clear, I did not run maxlook or execute the instructions in post #14 of this thread since I didn't have a usable recovery console: so I didn't run 'batch look.bat' from the RC windows prompt, it didn't copy any files, and I didn't run 'maxlook -sig.'

    Booted to Hiren's BootCD, installed standard MBR code, exited. It did some stuff, then, after just a few seconds, stopped at a 'R:\TOOLS>' prompt. I didn't know if it was done yet, so I waited 10min, then restarted with Ctrl+Alt+Del. This returned me to Hiren's initial menu, and I chose 'Boot from hard drive' since I assumed that using Hiren's 'mini windows xp' would not employ the infected MBR and, if I did it that way, then, perhaps, HelpAsst_mebroot_fix.exe & combofix would not be able to interact with the infected MBR, assuming they interact with it directly.

    There was immediate good news. Checking Task Manager just after startup showed that services.exe did NOT run approx. 70sec worth of startup services, which it had done every time I had previously started windows ever since the initial virus infection: at windows startup, services.exe would use 20-80% cpu for about 70 sec, more or less, then finally stop. It was never clear to me as to whether this had been standard procedure for windows startup before the virus, but I had a sneaking suspicion it wasn't since I had no clear recollection of this having ever occurred before. Let us hope that this clean-MBR-inspired joy is not short lived!

    Ran HelpAsst_mebroot_fix.exe. It finished and didn't want to reboot.

    Ran C:\MGtools\mbrfix.bat.

    Deactivated antivir, disabled windows firewall.

    Ran post #11's CFscript.txt + combofix.exe. It updated. It did not find rootkit activity and did not ask to reboot. Then later after it ran its 50 steps, it rebooted again on its own. Then it completed. Log is attached.

    Then I rebooted. Again, no long services.exe cpu usage.

    Ran C:\MGtools\GetLogs.bat. Log is attached. GetLogs.bat took very much less time than before, and never displayed the '16 bit MS-DOS Subsystem' error that it had on every previous run.

    Feeling hopeful, I tested the system:

    1. Google web search didn't lag or have hijacked links.
    2. Rebooted. It did not linger at the 'windows is shutting down...' screen as it had many times before, nor did services.exe run the cpu much at startup.
    3. Rechecked google. It was fine. Randomly surfed, Downloaded a torrent.
    4. Ran CCleaner. Rebooted (still no extensive services.exe cpu usage at startup). Checked documents & settings for a HelpAssistant account. Nothing.
    5. Updated and ran SAS, Mbam, antivir, spybot. Most of the scans were considerably shorter than before. All clean.
    6. Ran CCleaner, checked task manager/processes for anything that shouldn't be there. Ran hijackthis. No problems.
    7. Rebooted, rechecked google, rechecked for helpassistant in documents & settings. Ran fport & netstat. So far so good. No crashes, nothing suspicious.

    But considering the way this tricky little bug misbehaved
    I'll wait till you look at the logs before I dance on its grave.
    (almost rhymes)
     


    Last edited: May 13, 2010
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet. Your logs are clean. You may wish to post in the software forum about making a disc image in case you ever need to reinstall.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  19. inkliing

    inkliing Private E-2

    And you, sir, are a steely eyed missile man!

    Kudos and gratz at besting the beastie little bugger!

    I offer you a beer!

    <hands TimW a virtual beer>

    It's good, Really. O.K. Maybe it wont get you drunk, but it might still make you feel good.

    Thank you very much and I will now follow the rest of the protection instructions.

    <another happy helpee whistles away down the series of tubes>

    :)
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Do surf safely!! :)
     
