winfixer issue

Discussion in 'Malware Help (A Specialist Will Reply)' started by wg99, Oct 29, 2005.

  1. wg99

    wg99 Private E-2

    Followed the run me first - still have the Winfixer issue.
    Can anyone help?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In step 6 of the READ & RUN ME we gave you a link to Special Removal Procedures

    You should have clicked it. Try it now and see the links there. One mentions Winfixer aka Virtumonde
     
  3. wg99

    wg99 Private E-2

    Have downloaded VundoFix; have a log file that I think is attached.

    What else?

    Thanks
     
  4. wg99

    wg99 Private E-2

    Can't seem to attach the log???

    Error - download in progress, and it hangs.
     
  5. wg99

    wg99 Private E-2

    Question - the cure seems worse than the cold.

    If I - I guess you call it reformat - use the original CDs that came with the computer and just reinstall everything, do you feel that would get rid of this Winfixer thing appearing?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in the process list of your log. If you see a process file named cmd.exe then just edit the text to say command exec. For example if you see:

    c:\windows\system32\cmd.exe change it to c:\windows\system32\command exec

    There is a bug in the vB system that prevents files with that text from being uploaded.

    If you still cannot attach it, either put it in a ZIP file and upload that, or post the log inline and I will convert it.
     
  7. wg99

    wg99 Private E-2

    Didn't find the cmd line, but I think it may have worked this time.

    Thanks for your efforts.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks to me like you have not followed the procedure properly. I'll write it out for you here.


    Please print these instructions or save them locally so you can run them after booting in Safe Mode (the steps below will tell you when to boot in Safe Mode). You must do this in Safe Mode or it probably will not work. If you are having any problems booting in Safe Mode, make sure you tell us.


    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to extract the files
    • This will create a VundoFix folder on your desktop.
    • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
    • You will first be presented with a warning; it should look like this:
    • At this point press enter one time.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\system32\vtsts.dll

    • Press Enter to continue with the fix.
    • Next you will see:
    • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\system32\ststv.*

    • Press Enter to continue with the fix.
    • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
    • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\vtsts.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15379bfc0c4cd860d704/netzip/RdxIE601.cab
    O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
    O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll



    • After you have fixed these items, close Hijackthis.
    • Press enter to exit the program then manually reboot your computer.
    Once your machine reboots please attach a new HJT log from normal mode.
     
  9. wg99

    wg99 Private E-2

    Believe this is most recent log after your instructions

    thanks
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You never installed HJT properly per the instructions. You have it here:

    C:\Documents and Settings\Anthony Mellon\Desktop\HijackThis.exe

    You should fix this!

    Run HijackThis and select the below lines and make sure ALL browsers are closed and then click Fix:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\vtsts.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/15379bfc0c4cd860d704/netzip/RdxIE601.cab
    O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll (file missing)

    Now post a new HJT log and tell how things are working.

    Why do I see both Symantec and Avast antivirus applications running? See step 3 of the READ ME.
     
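As an added example (not code from the thread, from HijackThis or from VundoFix), here is a small Python checker run over HJT log lines like the ones quoted in posts 8 and 10: it lists the orphaned entries marked (no file)/(file missing), flags a DLL that is registered both as an O2 BHO and as an O20 Winlogon Notify handler (the vtsts.dll pairing in this log), and derives the reversed-name companion path that the second VundoFix prompt asked for. The sample log is constructed from lines in this thread plus one ordinary O4 entry; that the reversed-name companion generalizes beyond this log is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the thread's HJT logs plus one ordinary O4 entry.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\vtsts.dll
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: vtsts - C:\WINDOWS\system32\vtsts.dll
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
"""

# A local path (drive letter or %windir%) up to and including its file extension.
PATH_RE = re.compile(r"(?:[A-Za-z]:|%windir%)\\.*?\.(?:dll|exe|cab)\b", re.IGNORECASE)
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_line(line):
    """Split an HJT line into (section, body, path) or return None if it is not an Oxx line."""
    m = re.match(r"(O\d+) - (.*)", line.strip())
    if not m:
        return None
    section, body = m.groups()
    p = PATH_RE.search(body)
    return section, body, (p.group(0) if p else None)


def analyze(log_text):
    """Return orphaned entries, DLLs paired as O2+O20, and their reversed-name companions."""
    orphans, dll_sections = [], defaultdict(set)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body, path = parsed
        if any(marker in body.lower() for marker in ORPHAN_MARKERS):
            orphans.append(raw.strip())  # entry points at nothing; safe to remove
        if path and path.lower().endswith(".dll"):
            dll_sections[path.lower()].add(section)
    # The same DLL loaded both as a BHO (O2) and as a Winlogon Notify handler (O20)
    # is exactly what the thread's log shows for vtsts.dll.
    paired = sorted(d for d, s in dll_sections.items() if {"O2", "O20"} <= s)
    companions = {}
    for d in paired:
        folder, name = d.rsplit("\\", 1)
        base = name.rsplit(".", 1)[0]
        companions[d] = folder + "\\" + base[::-1] + ".*"  # vtsts -> ststv.* (assumed pattern)
    return {"orphans": orphans, "paired": paired, "companions": companions}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```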
  11. wg99

    wg99 Private E-2

    Moved HJT per instructions.
    Removed Symantec - didn't know I had it - closed browsers etc.
    Ran HJT - performed fixes.
    Ran new log.

    Things appear OK - haven't seen Winfixer in a while.

    Thanks

    For whatever reason the log is not uploading - pasted below.

    Edit by chaslang: Inline log attached
     

    Attached Files:

    Last edited by a moderator: Oct 31, 2005
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean but you still have part of Symantec. A service is still running.

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    Are you sure it completely uninstalled? Try this: Removing your Norton program using SymNRT

    See if the O23 line is gone afterwards.
     
  13. wg99

    wg99 Private E-2

    Line O23 is gone.

    Hey - thanks for all your help - I realize I'm not the best computer instruction follower.

    Thanks
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

