Ran Steps 1-7, found some, not sure if fixed

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lungdoc, Dec 11, 2006.

  1. lungdoc

    lungdoc Private E-2

    Hello and thank you for this excellent site. Having Malware issues for a few days on my Dell laptop - thankfully I just got a new desktop so this machine isn't mission critical. Unfortunately it has a fritzy cd/dvd drive so couldn't just reinstall windows...

    Was having unauthorized popups/warnings from my PC-Cillin and found some stuff with that and Ad-aware. Seemed to find more with Bit-Defender but machine still slow and browser hijacks attempted - seemed to be "conversion.cpvfeed.com" and "Winantivirus" sites trying to load.

    Then found your site and followed the steps. Logs attached. I did run Kaspersky as well since other info suggested it was good for this type of Malware. It found the Virtumunde virus/trojan and removed it. Then ran the other steps, not much else found except "ppxfmgnr".

    System now seems much better with less disk activity/slowdown but not sure if I got everything. Hijack seems to report OK but there's some references to "pcpitstop" and Mcafee - both of which I don't run. CSV didn't find anything so I didn't bother with log:
    Spyware Scan Details
    Start Date: 11/12/2006 12:11:41 AM
    End Date: 11/12/2006 1:29:57 AM
    Total Time: 1 hrs 18 mins 16 secs

    Detected spyware
    No spyware were found during this scan


    I'd appreciate verification to know if I did all I needed to or any suggested steps. I will be very grateful for any help received.

    Mark
     

    Attached Files:

  2. lungdoc

    lungdoc Private E-2

    Here's the HJT report and Shownew:
     

    Attached Files:

  3. lungdoc

    lungdoc Private E-2

    Oop - here's previous log from Safe Mode version from Kaspersky. I truncated the txt file on this report as it was very long and the only positive finding was the Virtumunde. Kaspersky just now detected and deleted "trojanwin32.BHO.q" as well.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's start by downloading two tools we will need

    - Process Explorer 10.21

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of vturo.dll once and then click the kill button. After you have killed all of the vturo.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of vturo.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {564EEE02-58E1-40D0-9AD6-14FA0F23658F} - C:\WINDOWS\system32\vturo.dll

    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

    O20 - Winlogon Notify: vturo - C:\WINDOWS\system32\vturo.dll


    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist but we need to check for them anyway.


    C:\WINDOWS\SYSTEM32\orutv.ini
    C:\WINDOWS\SYSTEM32\orutv.ini2
    C:\WINDOWS\SYSTEM32\orutv.bak
    C:\WINDOWS\SYSTEM32\orutv.bak1
    C:\WINDOWS\SYSTEM32\orutv.bak2
    C:\WINDOWS\SYSTEM32\orutv.tmp
    C:\WINDOWS\system32\vturo.dll
    C:\WINDOWS\system32\xxyxyww.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
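The steps in this post pair two HijackThis entries that point at the same DLL: an O2 BHO (loaded into Internet Explorer) and an O20 Winlogon Notify handler (loaded into winlogon.exe, which is why the threads had to be killed in Process Explorer before Killbox could delete the file). The script below is an added example, not code from this thread, MajorGeeks or HijackThis. It parses O2/O20 lines in the format shown above, flags the indicators listed in the fix (vturo.dll, xxyxyww.dll, the BHO CLSID) and cross-references any DLL registered in both places. The benign "Example Helper" line and its CLSID in the sample log are constructed; the companion-file naming rule (DLL stem reversed: vturo → orutv, with the extensions from the Killbox list) is inferred from the list in this post.

```python
"""Triage HijackThis (HJT) O2/O20 lines for the Vundo/Virtumonde pairing
shown in the thread. Added example; not MajorGeeks' or HijackThis' own code.

Assumptions: HJT line formats are those quoted in the thread; the benign
BHO line in SAMPLE_HJT is constructed; the companion-file naming rule is
inferred from the Killbox list (vturo.dll -> orutv.ini, orutv.bak, ...).
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List

# Indicators copied from the fix list in the thread.
KNOWN_BAD_DLLS = {"vturo.dll", "xxyxyww.dll"}
KNOWN_BAD_CLSIDS = {"{564EEE02-58E1-40D0-9AD6-14FA0F23658F}"}

# O2  = Browser Helper Object, loaded into every Internet Explorer process.
# O20 = Winlogon Notify DLL, loaded into winlogon.exe at logon (hence the
#       thread-kill step in Process Explorer before the file can be deleted).
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?: \(file missing\))?$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.+)$")

# Constructed sample log: the lines from the thread plus one benign BHO
# with a made-up CLSID so the "nothing to report" path is exercised too.
SAMPLE_HJT = r"""
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {564EEE02-58E1-40D0-9AD6-14FA0F23658F} - C:\WINDOWS\system32\vturo.dll
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O20 - Winlogon Notify: vturo - C:\WINDOWS\system32\vturo.dll
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path.strip()).name.lower()


def triage_hjt(log_text: str) -> Dict[str, List[str]]:
    """Return {hjt_line: [reasons]} for the lines worth fixing.

    Check 1: DLL name or CLSID is a known indicator from the fix list.
    Check 2: the same DLL is registered both as a BHO and as a Winlogon
    Notify handler, the persistence pairing that survived ordinary removal.
    """
    reasons: Dict[str, List[str]] = defaultdict(list)
    bho_lines: Dict[str, str] = {}     # dll basename -> O2 line
    notify_lines: Dict[str, str] = {}  # dll basename -> O20 line

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            base = _basename(m["path"])
            bho_lines[base] = line
            if base in KNOWN_BAD_DLLS or m["clsid"].upper() in KNOWN_BAD_CLSIDS:
                reasons[line].append("BHO matches a known Vundo indicator")
            continue
        m = O20_RE.match(line)
        if m:
            base = _basename(m["path"])
            notify_lines[base] = line
            if base in KNOWN_BAD_DLLS:
                reasons[line].append("Winlogon Notify DLL matches a known Vundo indicator")

    for base in bho_lines.keys() & notify_lines.keys():
        reasons[notify_lines[base]].append(
            f"{base} is registered both as a BHO (O2) and as a Winlogon Notify handler (O20)"
        )
    return dict(reasons)


def companion_files(dll_path: str) -> List[str]:
    """Side files Vundo kept beside its DLL: the DLL stem reversed
    (vturo -> orutv) with the extensions from the thread's Killbox list."""
    p = PureWindowsPath(dll_path)
    stem_reversed = p.stem[::-1]
    return [str(p.with_name(stem_reversed + ext))
            for ext in (".ini", ".ini2", ".bak", ".bak1", ".bak2", ".tmp")]


if __name__ == "__main__":
    for line, why in triage_hjt(SAMPLE_HJT).items():
        print(line)
        for r in why:
            print("   ->", r)
    print("Also check for:")
    for f in companion_files(r"C:\WINDOWS\system32\vturo.dll"):
        print("   ", f)
```

Run it against a saved HJT log (`triage_hjt(open("hijackthis.log").read())`) to get the O2/O20 lines to select before clicking Fix; `companion_files()` reproduces the orutv.* paths from the Killbox list so nothing is left behind after the DLL itself is deleted.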
     
  5. lungdoc

    lungdoc Private E-2

    Thanks very much. All done except the item O2 was not present - in safe mode Kaspersky still seemed to block it and that may have been the reason(?)

    O2 - BHO: (no name) - {564EEE02-58E1-40D0-9AD6-14FA0F23658F} - C:\WINDOWS\system32\vturo.dll

    HJT file attached (normal mode, after above fix). This site is absolutely fantastic and I really appreciate the help. If you ever need advice about your lungs I owe you...

    Hope this has killed the beast!
    Mark
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Looks good, are you having any further problems?
     
  7. lungdoc

    lungdoc Private E-2

    So far, so good. Thanks again. This experience has taught me a lot both about the good and bad sides of the internet these days. Right now I'm running the trial version of Kaspersky, CSV antispyware and Windows Firewall; Kaspersky made me uninstall my prior PC-Cillin 2007 Suite (which is paid for for another year). Any thoughts on best choices of these to continue with?

    Mark
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Kaspersky and PC-Cillin are both great antivirus programs, if you're looking for good and free then AVG AntiVirus is the one to have. If you have a year left then I would stick with that because it's a good AV.

    For a firewall you need something a bit more secure such as ZoneAlarm.

    You should see this article on How to Protect yourself from malware!
     
