Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with Virtumonde - Please help!

  • This topic is locked This topic is locked
2 replies to this topic

#1 corpsefire


  • Members
  • 1 posts
  • Local time:07:52 PM

Posted 07 April 2010 - 10:05 PM

Hi guys,

I've been infected with Virtumonde/Vundo for about a week now. I first noticed this issue through pop up adds and sluggish performance. Over the last week I have tried every fix I could find including several anti-virus/malware programs, specialty programs(VundoFix) etc with zero success.

Any help will be greatly appreciated.

Here's my DDS.txt info...

DDS (Ver_10-03-17.01) - NTFSx86
Run by Kewazza at 22:54:57.62 on Sun 04/04/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1553 [GMT -7:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kewazza\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {96bf2a73-d87e-4b29-8833-592e11aa290d} - feyujafi.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
mRun: [SkyTel] SkyTel.EXE
mRun: [GBB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [potehuniwe] Rundll32.exe "wulubuvo.dll",s
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [hunuwaneb] Rundll32.exe "c:\windows\system32\gojobeju.dll",a
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: lejorude.dllc:\windows\system32\henivalo.dll c:\windows\system32\yulobuka.dll c:\windows\system32\gojobeju.dll
SSODL: dusomineg - {968d9372-df94-44e2-b36e-d467a0efb587} - c:\windows\system32\bozuneyi.dll
SSODL: fayawidup - {89b24302-7970-4634-9e3a-bb5161bef606} - c:\windows\system32\bozuneyi.dll
SSODL: monenutiz - {b0dff497-7a90-4f29-b629-6c31684bda91} - c:\windows\system32\gojobeju.dll
STS: kupuhivus: {968d9372-df94-44e2-b36e-d467a0efb587} - c:\windows\system32\bozuneyi.dll
STS: tokatiluy: {89b24302-7970-4634-9e3a-bb5161bef606} - c:\windows\system32\bozuneyi.dll
STS: jugezatag: {b0dff497-7a90-4f29-b629-6c31684bda91} - c:\windows\system32\gojobeju.dll
LSA: Notification Packages = scecli lejorude.dll
IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe
IFEO: MSASCui.exe - c:\windows\system32\svchost.exe
IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe
IFEO: msseces.exe - c:\windows\system32\svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kewazza\applic~1\mozilla\firefox\profiles\zlxsojjg.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.blizzard.com/en-us/index.html
FF - plugin: c:\documents and settings\kewazza\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_HotbarSA.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-4-2 217032]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-4-21 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-4-21 234888]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-4-2 112592]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-3-28 20968]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-10-29 1021256]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-15 24652]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-26 25832]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-26 38224]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-4-2 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-4-2 1142224]

=============== Created Last 30 ================

2010-04-05 05:51:05 0 ----a-w- c:\documents and settings\kewazza\defogger_reenable
2010-04-03 16:38:34 0 d-----w- c:\program files\TrendMicro
2010-04-03 15:50:51 0 d-----w- C:\VundoFix Backups
2010-04-03 06:40:18 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-03 06:40:18 879 ----a-w- c:\windows\RegISSImport.xml
2010-04-03 06:40:18 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-03 06:40:18 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-03 06:40:18 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-03 06:40:18 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-03 06:40:18 131 ----a-w- c:\windows\IDB.zip
2010-04-03 06:40:18 1152444 ----a-w- c:\windows\UDB.zip
2010-04-03 06:37:18 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-04-03 06:37:18 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-03 06:37:13 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-03 06:37:13 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-04-03 06:37:13 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-04-03 06:37:13 217032 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-03 06:37:07 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-04-03 06:37:07 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-03 06:36:59 0 d-----w- c:\program files\Spyware Doctor
2010-04-03 06:36:59 0 d-----w- c:\program files\common files\PC Tools
2010-04-03 06:36:59 0 d-----w- c:\docume~1\kewazza\applic~1\PC Tools
2010-04-03 06:36:59 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-02 05:53:31 146120 ----a-w- c:\docume~1\kewazza\applic~1\DrWU.exe
2010-04-02 05:42:59 0 d-----w- c:\documents and settings\kewazza\DoctorWeb
2010-04-02 05:42:39 0 d-----w- c:\program files\DrWeb
2010-04-02 00:38:36 62464 --sh--w- c:\windows\system32\buhedina.dll
2010-03-29 04:54:07 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-03-29 04:53:50 0 d-----w- C:\Intel
2010-03-29 04:47:05 0 d-----w- c:\program files\Intel Corporation
2010-03-29 04:38:50 0 d-----w- c:\program files\CPUMon
2010-03-29 04:19:52 20968 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys
2010-03-29 04:19:52 0 d-----w- c:\program files\CPUID
2010-03-25 05:08:35 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-03-25 05:08:35 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2010-03-25 05:08:27 0 d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-03-25 04:11:39 0 d-----w- c:\windows\Logs
2010-03-25 04:10:59 0 d-----w- c:\windows\system32\xlive
2010-03-23 21:48:47 0 d-----w- c:\docume~1\kewazza\applic~1\AdventureTools
2010-03-23 21:48:14 0 d-----w- c:\program files\Wizards of the Coast
2010-03-23 20:33:46 2285056 ----a-w- c:\windows\system32\TUKernel.exe
2010-03-23 19:44:30 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2010-03-23 19:44:28 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-03-23 19:44:16 0 d-----w- c:\docume~1\kewazza\applic~1\TuneUp Software
2010-03-23 19:44:07 0 d-----w- c:\program files\TuneUp Utilities 2010
2010-03-23 19:43:53 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
2010-03-23 19:43:26 0 d-sh--w- c:\docume~1\alluse~1\applic~1\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-03-10 16:12:01 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-10 04:33:38 1025024 -c----w- c:\windows\system32\dllcache\browseui.dll

==================== Find3M ====================

2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-09 11:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-01-04 05:50:59 92160 --sha-w- c:\windows\system32\bozuneyi.dll
2010-01-02 00:39:09 62464 --sha-w- c:\windows\system32\feyujafi.dll
2010-01-03 03:42:12 39424 --sha-w- c:\windows\system32\gitabiga.dll
2010-01-05 05:51:16 92160 --sha-w- c:\windows\system32\gojobeju.dll
2010-01-02 00:38:28 39424 --sha-w- c:\windows\system32\gulidowu.dll
2010-01-02 15:41:48 39424 --sha-w- c:\windows\system32\hatakuvu.dll
2010-01-03 03:42:12 92160 --sha-w- c:\windows\system32\henivalo.dll
2010-01-04 17:51:15 39424 --sha-w- c:\windows\system32\leheliyo.dll
2010-01-02 00:39:09 62464 --sha-w- c:\windows\system32\lejorude.dll
2010-01-05 05:51:16 39424 --sha-w- c:\windows\system32\makezimu.dll
2010-01-03 15:42:16 39424 --sha-w- c:\windows\system32\turazapu.dll
2010-01-03 03:42:12 61952 --sha-w- c:\windows\system32\vekukedu.dll
2010-01-02 00:39:09 62464 --sha-w- c:\windows\system32\wulubuvo.dll
2010-01-04 05:50:59 39424 --sha-w- c:\windows\system32\yujitana.dll
2010-01-03 15:42:16 92160 --sha-w- c:\windows\system32\yulobuka.dll
2010-01-02 15:41:48 92160 --sha-w- c:\windows\system32\zesupoma.dll

============= FINISH: 22:55:14.73 ===============

Attached Files

BC AdBot (Login to Remove)


#2 sempai



  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:52 AM

Posted 11 April 2010 - 05:22 AM

Hello and welcome to Bleeping Computer. smile.gif

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


P2P Warning:
Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case Vuze).

These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Asksbar/AskBarDis warning:
I strongly suggest that you uninstall Asksbar/AskBarDis. Some of the bad practices of this toolbar are:
  1. Promoting its toolbars on sites targeted to kids. Details.
  2. Promoting its toolbars through ads that appear to be part of other companies' sites. Details.
  3. Promoting its toolbars through other companies' spyware. Details.
  4. Installing without any disclosure whatsoever and without any consent whatsoever. Details.
  5. Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link. Details.
  6. Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit. Details.
Please read the full details HERE.

If you decided to remove Ask Toolbar. Go to Start > Control Panel > Add Remove programs and remove Asksbar/AskBarDis.
Then go to C: > Program Files and delete Asksbar/AskBarDis folder.

Viewpoint Warning:
I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouseclick combofix's window while its running because it may call it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper.



You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

#3 sempai



  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:10:52 AM

Posted 16 April 2010 - 07:03 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.


You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users