Jump to content

HELP--Nasty virus taking over my email


Recommended Posts


I have a nasty virus that has taken over. Yesterday, it sent an email from my wife's web-based email account to everyone in her contact list. It turned off my automatic updates. Also after startup, it disables Panda Cloud for approximately 3-5 minutes. I've run MBAM...it identifies the virus (Vundo variant) and says that it will delete it on reboot...however, that doesn't happen. MBAM and HJT Logs attached...





Link to post
Share on other sites

Welcome to the forum.

Please download and run ComboFix:

A few notes first:

  • ComboFix is compatible exclusively with W2K, XP, Vista, and Windows 7 (32-bit only).
  • ComboFix must be run from an Administrative account.
  • Vista and W7 users - Right click, choose "Run as Administrator"
  • It must be downloaded to and run from your desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can and will interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    ComboFix Guide <---please read!


Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon and choose disable/exit. More info HERE<-------
    They may interfere with the running of ComboFix.
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix permanently prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun ASAP!.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If a reboot doesn't restore your connection, please try this:

Check HERE

For XP systems download and run WinSockFix

Vista users: Check HERE

Windows 7 systems: Download and run this Winsockfix.bat

5.Give ComboFix at least 20-30 minutes to finish if needed.


Link to post
Share on other sites

Please do this:

Scan for malware with Malwarebytes' Anti-Malware:

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select "Perform Quick Scan", then click Scan.

Note: -->Do not run a full scan with MBAM. It is not required or needed.

The scan may take some time to finish,so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy&Paste the entire report in your next reply along with a fresh HJT log.


If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediatly.


I also see you have SUPERAntiSpyware installed on the system, please update it and run a scan.


Link to post
Share on other sites

Your logs are clean, How is it???

Just get these:

Run HJT and..............

[*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O23 - Service: Retrogamer Service (RetrogamerIEService) - Unknown owner - C:\PROGRA~1\RETROG~2\bar\1.bin\6hbarsvc.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.


Link to post
Share on other sites

I have to leave the forum for a while, so can you do this also:

Please do this:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Link to post
Share on other sites


I followed your instructions. However, I'm unable to remove the O23 file...(see attached log). Is there another way to get rid of it.

Also, can you explain to me what type of virus was on my system. I try to be very careful with my internet habits and I run what I think is a decent security suite. However, this is the 2nd major virus that I've had this year. Is there anything else that you would recommend to help me keep a clean system?




Link to post
Share on other sites

Well ComboFix found this:


c:\program files\RetrogamerEI

c:\program files\RetrogamerEI\Installr\1.bin\k7EIPlug.dll

c:\program files\RetrogamerEI\Installr\1.bin\k7EZSETP.dll.nanflmrkxtns

c:\program files\RetrogamerEI\Installr\1.bin\NPk7EISb.dll

c:\program files\RetrogamerEI\Installr\Cache\060EC9D4.exe

c:\program files\RetrogamerEI\Installr\Cache\files.ini


Go to Start > Run > type CMD > click OK

Now copy and paste this in and hit enter:

sc delete RetrogamerIEService

You should receive a conformation that the service was deleted.


Lets take a look at the systems sercurity:

Please do this:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Link to post
Share on other sites

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.