Trojan.Vundo.H [Solved]


  • This topic is locked

#1
Martin Ivancic

I'm getting lots of pop-ups and companies attempting to get me to use them to stop it. I know not to click on them.

AVG scans clean. Malwarebytes Anti-Malware often has 30 or so hits. There are several that will not remove without reboot.
When I run Malwarebytes Anti-Malware after re-booting it is clean, but soon the pop-ups start again.

I used Vundo Fix but it did not find anything.

#2
greyknight17

Happy Holidays and welcome to GTG.

Please read this topic and post your HijackThis log here when ready.

#3
Martin Ivancic

I backed everything up and downloaded ERDNT. When I ran Malwarebytes' Anti-Malware I got zero (0) infections! I'm attaching this report. Normally, I would have had many, many more. But I'm not complaining. I did nothing else that I know of. I hope the Trojan.Vundo.H is finally gone.

I have gotten clean reports before after using the anti-malware program, but the malware came back with a vengeance.


#4
greyknight17

Let's make sure Vundo is gone permanently this time :)

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

Download HijackThis at http://www.greyknigh.../HijackThis.exe. Create a folder at C:\HJT and move HijackThis.exe there. Double-click on the program to run it.

1. If it gives you an intro screen, just choose Do a system scan and save a logfile.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

#5
Martin Ivancic

Thanks for hanging in there with me on this.

Here are the two posts you requested.

Once I got help from the Old Timer, and he was so good
I have an immense trust in you guys.

Initially it would only allow me one upload so I put both in one file.


#6
greyknight17

Seems like it found those troublesome files that made Vundo reappear again :)

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download the Flash Disinfector at http://www.techsuppo...Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions.

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

Viewpoint

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
Viewpoint Manager Service
File::
c:\windows\system32\kusisepa.dll
c:\windows\system32\sofokujo.dll
c:\windows\system32\vinilipo.dll
Folder::
c:\documents and settings\All Users\Application Data\opwbybcn
C:\Program Files\Viewpoint\
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDoctor 2006 Free]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe.
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

#7
Martin Ivancic

I plugged all my Flash Drives in on a hub and ran Flash Disinfector. Nothing came up. It said "Done" Click OK.

I found two programs with the word Viewpoint (View Point Manager and Viewpoint Media Player) in Add/Remove Panel and removed them.

I ran HijackThis and it found the first file listed:

08-Extra content menu item: &Viewpoint Search-res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML

But I could not find the second one listed:

023-Service Viewpoint Manager Service- Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

I checked the one I found and clicked "Fix Checked." I was ready to copy the text from the quote box into Notepad, but nothing was written in the quote box. I enclosed the picture of what it looked like.

Is that what was supposed to happen?

I did the HijackThis scan again and did not see the "08" line, but nothing came up in anything called a quote box so I stopped to write you back.

Attached Thumbnails

  • HijackThis.JPG


#8
greyknight17

Yes, that's normal.

Please proceed to ComboFix.

#9
Martin Ivancic

I'm sorry if I'm being too careful. But I don't have any CFScript.txt in the same location as the ComboFix.exe. Should I run ComboFix.exe anyway?

#10
greyknight17

Where did you save CFScript.txt? Please copy or save it to the desktop as specified in the instructions.

#11
Martin Ivancic

After I ran HijackThis and clicked Fix Checked, I am lost as to what the CFScript.text is? Maybe I don't understand what the "quote box" is. I did see a box for HijackThis with nothing in it (I enclosed a picture) which you said was normal and for me to proceed to the ComboFix with the CFScript.txt. But I can't figure out what that is. I'm reluctant to click on ComboFix without it.

#12
greyknight17

Please see Post #6 above. I need you to copy and paste those lines into Notepad and save it as CFScript.txt. The quote box is the box you will see enclosing those lines of text. I'll post it here again without the quote box:

Driver::
Viewpoint Manager Service
File::
c:\windows\system32\kusisepa.dll
c:\windows\system32\sofokujo.dll
c:\windows\system32\vinilipo.dll
Folder::
c:\documents and settings\All Users\Application Data\opwbybcn
C:\Program Files\Viewpoint\
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemDoctor 2006 Free]


I need you to copy those lines above in bold into Notepad. Then save it as "CFScript.txt" (with quotes intact) on your desktop. Then drag that file into ComboFix and let go. Let it run and produce a new log.

#13
Martin Ivancic

I feel pretty stupid. Your instructions could not have been more clear. I was reading something I thought I was supposed to see-- not what you wrote. Sorry.

I enclosed the scan. Thanks for hanging in there with me.


#14
greyknight17

No problem. That's ok. Sometimes our instructions can be confusing, but we try to update them if possible to make it easier to follow through. So if you don't understand a step, feel free to ask.

Delete this folder:

c:\documents and settings\All Users\Application Data\Viewpoint

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#15
Martin Ivancic

No problems at this time. Thank you so much.