Help Removing Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by valpep, Sep 29, 2006.

  1. valpep

    valpep Private E-2

    I keep getting annoying popups; my security finds the problem and deletes it, but it keeps coming back.

    I followed all the instructions in the 'Read this First' section.

    First I checked Add/Remove Programs; nothing showed up that I did not recognise.

    I then downloaded and installed all of the programs mentioned in the ReadMe.

    I enabled viewing of hidden files, system files and file extensions.

    I went into Safe Mode and ran CCleaner, Microsoft Windows Malicious Software Removal Tool, SpyBot S&D with SDHelper function,
    Microsoft Windows Malicious Software Removal Tool and SpyBot.

    I rebooted and ran CounterSpy, as I couldn't run Windows Defender.

    I then ran BitDefender and then Panda.

    I will attach first three files and post other three in new post.

    Thanks in advance for any help.

    Also, would this type of malware reduce my internet speeds?

    Rgds

    Valerie
     

    Attached Files:

    Last edited by a moderator: Sep 30, 2006
  2. valpep

    valpep Private E-2

    next three files.
     

    Attached Files:

    Last edited by a moderator: Sep 30, 2006
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Are your copies of CounterSpy, Spy Sweeper and Ewido paid versions or free trials?

    You need to run ShowNew properly as instructed in the download page. You did not extract it from the ZIP file and run the .bat file using Windows Explorer. You ran it from inside the ZIP file. Please follow the directions and attach a new log.

    Also, you are using MSconfig, which we ask you not to use in step 7 of the READ ME. Run MSconfig and select Normal Startup.

    Now run this Virtumonde aka Trojan Vundo Removal and attach the requested log.

    Now attach a new HJT log too.
     
  4. valpep

    valpep Private E-2

    Hi,

    Thanks for replying to my post.

    Sorry for not doing things properly. Ewido and CounterSpy are trial versions; Spy Sweeper is full.

    I have now attached the three files as requested.

    valerie
     

    Attached Files:

    Last edited by a moderator: Oct 3, 2006
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, uninstall both Ewido and CounterSpy now before continuing.

    I also see XoftSpy installed. Is it an active realtime blocker or just an on demand scanner? Is it a paid version or free version?

    I see the below installation programs saved in your C:\Program Files folder:
    Code:
    "C:\Program Files\"
    nav061~1.exe  15 Aug 2006    31358781  "NAV061200IN.exe"
    quickt~1.exe  15 Aug 2006     8981779  "quicktimealt147.exe"
    utorrent.exe  14 Aug 2006      174163  "utorrent.exe"
    This is not a good place to save these. This folder is where installed programs should be and nothing else. If you need these files, move them someplace else.

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Then uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6

    You have not installed and renamed HijackThis as requested in step 7 of the READ ME. You have it here:
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    That is exactly where we requested that it not be installed and you did not rename it which is very important. Please correct this NOW before continuing.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {9E33EC22-C8FA-43FC-A4E9-494CAFBEE550} - C:\WINDOWS\system32\awvvs.dll (file missing)
    O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - blank (file missing)
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\dpwvijpr.dll
    C:\WINDOWS\system32\rxviqqxc.dll
    C:\WINDOWS\system32\uygegwdv.dll
    C:\WINDOWS\system32\_000006_.tmp.dll

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Administrator\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Oct 3, 2006
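As an added example that is not part of the original thread: the HijackThis lines chaslang singled out above share a few mechanical traits (an R0 entry with an empty value, BHO CLSIDs whose DLL is gone or blank, a startup shortcut whose target resolves to "?", and 8-lowercase-letter DLL names sitting in system32, like the ones deleted in safe mode). The Python below reads a log in the HJT text layout shown in the post and turns those traits into triage rules. The rules are my heuristics, not HijackThis's own logic; the sample log is constructed (the four lines from the post, one made-up O4 Run entry loading one of the deleted DLLs, a placeholder CLSID, and benign entries). A legitimate entry can trip a heuristic, so the output is a shortlist for a human, not an automatic fix list.

```python
"""Triage HijackThis-style log lines: empty R0 values, orphaned BHOs, unresolved
startup shortcuts and random-looking 8-letter DLL names in system32.

Added example, not part of the original thread. The rules are heuristics modelled
on the entries picked out in the post above (assumptions), not HijackThis logic.
"""
import re
from typing import List, Tuple

# Constructed sample log: the four lines selected in the post, a constructed O4
# Run entry that loads one of the DLLs deleted in safe mode, a placeholder CLSID
# for the benign BHO, and two benign entries.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9E33EC22-C8FA-43FC-A4E9-494CAFBEE550} - C:\WINDOWS\system32\awvvs.dll (file missing)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - blank (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rxviqqxc] rundll32.exe C:\WINDOWS\system32\rxviqqxc.dll,s
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
"""

ORPHAN_MARKERS = ("(file missing)", " - blank ")
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")            # dpwvijpr.dll, iprgnybd.dll, ...
# Unquoted drive-rooted path ending in .dll; paths with spaces are not matched (kept simple).
DLL_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+?\.dll', re.IGNORECASE)


def looks_random_system32_dll(path: str) -> bool:
    """Heuristic (assumption): an 8-letter, digit-free DLL name directly under
    \\WINDOWS\\system32. Matches the names deleted in this thread; a legitimate
    DLL can match too, so treat a hit as 'look closer', not 'malicious'."""
    folder, _, name = path.rpartition("\\")
    return folder.lower().endswith(r"\windows\system32") and bool(RANDOM_DLL.match(name.lower()))


def triage_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for entries worth reviewing."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]            # R0, O2, O4, ...
        if kind in ("R0", "R1") and line.endswith("="):
            findings.append((line, "browser setting with an empty value (hijack leftover)"))
        elif kind == "O2" and any(m in line for m in ORPHAN_MARKERS):
            findings.append((line, "BHO CLSID registered but its DLL is missing or blank"))
        elif kind == "O4" and line.endswith("= ?"):
            findings.append((line, "startup shortcut whose target cannot be resolved"))
        else:
            m = DLL_PATH.search(line)
            if m and looks_random_system32_dll(m.group(0)):
                findings.append((line, "loads a random-looking 8-letter DLL from system32"))
    return findings


if __name__ == "__main__":
    for entry, why in triage_hjt(SAMPLE_LOG):
        print(f"[{why}]\n    {entry}")
```

The rules deliberately never touch the benign Adobe BHO or the Symantec Run entry; the constructed rxviqqxc entry is flagged only because of the DLL-name rule, which is the weakest of the four and the one to double-check by hand (file date, version info, whether anything legitimate references it).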
  6. valpep

    valpep Private E-2

    Hi,
    I hopefully followed the steps as requested.

    Removed Ewido and CounterSpy,
    Xoftspy is a full version on demand scanner
    Installed new Java
    Uninstalled old one
    Ran HijackThis from the correct location and clicked Fix.
    I got this message:

    Unexpected error occurred!
    Error #52 (Bad file name or number) in Sub GetLongPath(?.exe).

    Please send a report to merijn@spywareinfo.com, mentioning what you were doing, and what version of Windows you have.

    Booted in safe mode and deleted the files you requested.

    Ran CCleaner

    reset web settings
    Saved the regedit4 file and merged it with the registry.

    Emptied C:\WINDOWS\Temp and C:\Documents and Settings\Administrator\Local Settings\Temp.

    now attaching new logs.

    best regards


    Valerie
     

    Attached Files:

    Last edited by a moderator: Oct 5, 2006
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you have one more suspicious file:

    C:\WINDOWS\system32\iprgnybd.dll

    I want you to scan this file using the below online file scanning site. Report back what it finds.

    http://virusscan.jotti.org/

    Just use the Browse button to locate the file on your PC and submit it.

    Also please tell me how things are working! You did not tell me last time.
     
  8. valpep

    valpep Private E-2

    Hi,

    I have not had any popups yet since last posting. I was almost afraid to tell you in case they came back, fingers crossed things are looking good.

    The following are the results from virusscan.jotti.org:

    Scanner results
    AntiVir Found Trojan/PCK.Klone.K.5
    ArcaVir Found Trojan.Packed.Klone.K
    Avast Found nothing
    AVG Antivirus Found Klone
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found Packed.Win32.Klone.k
    NOD32 Found nothing
    Norman Virus Control Found W32/Stration.OS@mm
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    Should I delete this file?

    The computer is still a bit slow, and internet speeds are still very bad; could that be a totally unrelated problem?

    Thank you


    Valerie
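As an added example that is not part of the original thread, covering both the submission step chaslang asked for and the results block posted above: a multi-engine scan like this one is most useful when read as a consensus rather than a list of names. Each vendor uses its own naming scheme, so "Trojan/PCK.Klone.K.5", "Packed.Win32.Klone.k" and "Klone" are the same family, while the lone "W32/Stration.OS@mm" is a different signature. The Python below parses the "engine Found verdict" layout shown in the post (the sample is constructed to mirror it), normalises the names to a family token, counts agreement and applies a simple decision rule. The generic-token list, the family extraction and the "at least two engines agree" threshold are my assumptions, not anything Jotti or the vendors define.

```python
"""Summarise a multi-engine scan result block of the kind reproduced above.

Added example, not part of the original thread. Parsing follows the
"<engine> Found <verdict|nothing>" layout shown in the post; the family
normalisation and the decision rule are assumptions.
"""
import re
from collections import Counter
from typing import Dict, Optional

# Sample input constructed to mirror the results posted above.
SAMPLE_RESULTS = """\
Scanner results
AntiVir Found Trojan/PCK.Klone.K.5
ArcaVir Found Trojan.Packed.Klone.K
Avast Found nothing
AVG Antivirus Found Klone
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Packed.Win32.Klone.k
NOD32 Found nothing
Norman Virus Control Found W32/Stration.OS@mm
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing
"""

# Tokens that name a class, platform or packer rather than a family (assumption).
GENERIC = {"trojan", "packed", "pck", "win32", "w32", "worm", "generic", "mm"}


def parse_results(text: str) -> Dict[str, Optional[str]]:
    """Map engine name -> detection name, or None for 'Found nothing'."""
    verdicts: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        if " Found " not in line:
            continue                                  # header or blank line
        engine, verdict = line.strip().split(" Found ", 1)
        verdicts[engine] = None if verdict.lower() == "nothing" else verdict
    return verdicts


def family(detection: str) -> str:
    """Pull the family token out of a vendor-specific name,
    e.g. 'Packed.Win32.Klone.k' -> 'Klone'. Falls back to the whole name."""
    for tok in re.split(r"[./:@\-_\s]+", detection):
        if len(tok) < 3 or tok.isdigit() or tok.lower() in GENERIC:
            continue
        return tok
    return detection


def summarize(text: str) -> dict:
    """Count engines, detections and how many engines agree on each family."""
    verdicts = parse_results(text)
    hits = {engine: v for engine, v in verdicts.items() if v}
    return {
        "engines": len(verdicts),
        "detections": len(hits),
        "families": Counter(family(v) for v in hits.values()),
        "hits": hits,
    }


def recommend(summary: dict, min_agreeing: int = 2) -> str:
    """Decision rule (assumption): delete when at least `min_agreeing` engines
    name the same family; otherwise call the result inconclusive."""
    if not summary["detections"]:
        return "no detection"
    fam, agreeing = summary["families"].most_common(1)[0]
    if agreeing >= min_agreeing:
        return f"delete: {agreeing}/{summary['engines']} engines name family {fam}"
    return "inconclusive: engines disagree or only one fired"


if __name__ == "__main__":
    result = summarize(SAMPLE_RESULTS)
    print(result["families"])          # Counter({'Klone': 4, 'Stration': 1})
    print(recommend(result))
```

Two caveats a practitioner would keep in mind: a 5-of-15 score is low in absolute terms but the four engines that fired agree on one family, which is what makes the verdict credible; and names that start with Packed./PCK. are packer-based detections, so agreement on "Klone" says the file is wrapped in a packer that vendors associate with malware, not which payload is inside. Uploading the file (or its hash) to a second service before deleting is cheap, and keeping a copy of the sample in a password-protected archive lets you revisit the verdict later.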
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Delete the C:\WINDOWS\system32\iprgnybd.dll file!

    More than likely it is not malware slowing your PC down. I would suggest you try an experiment.

    Uninstall your Symantec Antivirus package!
    Also uninstall Spy Sweeper.

    How are things running now? If they are running better, do not stay in the unprotected mode. I would then suggest you download and install AVG Free Edition and give it a try in place of Symantec for a few days and let me know what you think.

    Then try reinstalling Spy Sweeper. If things slow down too much again, let me know and we will try to use some free tools to replace it. They may not be as capable as Spy Sweeper, but Spy Sweeper can be too demanding on certain PCs' resources.
     
  10. valpep

    valpep Private E-2

    Thanks so much for all your help and support,

    I was cracking up and all the annoying pop-ups are gone.

    ye completely rock!!!!!!!!!!!!!!!!!!!!!

    Val
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Did you try that experiment with Symantec and Spy Sweeper?

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    3. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and enable System Restore to create a new clean Restore Point.
    4. After doing the above, you should work through the below link:
     
