not-a-virus:AdWare.Win32.Virtumonde.gen

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by StanHill, Jan 15, 2006.

  1. StanHill

    StanHill Private E-2

    When I restart my computer, I get this message from F-Secure, my AV program from the cable company (Shaw). The full message is as follows:

    F-Secure:
    not-a-virus:AdWare.Win32.Virtumonde.gen
    in C:/Windows/System32/GEBYY.DLL

    That message is practically preventing starting any of the programs. Interestingly, I was able to start Bazooka and it was showing no infection, although a day before it showed WinAd. It is probably related to Winfixer as its pop-ups were showing up before.

    Please help. Here is my HJT log:

    • Edit by bjgarrick: Unrequested, Inline HJT log removed!
    Thanks in advance!

    Stan
     
    Last edited by a moderator: Jan 15, 2006
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please follow forum guidelines and perform cleaning steps in the sticky thread before posting HijackThis logs.

    Now, please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    Download LSP-Fix

    After download is complete, Run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the winsflt.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move winsflt.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.

    (Note: If the file winsflt.dll is already in the remove section, then just click FINISH.)


    [​IMG] Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    [​IMG] Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    [​IMG]After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    [​IMG] Downloading, Installing, and Running HijackThis
     
  3. StanHill

    StanHill Private E-2

    Thanks, bjgarrick,

    I did as much as I could - according to the instructions. Here are the items to report:

    0. Overnight scan by ewido found 150 infection items; one of them was:
    C:\Windows\System32\awtsp.dll - Medium Risk Adware.Virtumonde.
    All were cleaned. Quick check in the morning was - all clean.
    Then I did the following:

    1. MSWindows Malicious... Tool didn't find anything.
    2. Ad-Aware - nothing found
    3. Spybot - 5 problem found and fixed:
    RealDownlaodExpress 4 Registry Keys
    WildTangent Program Directory - C:\Windows\wt\

    3. CounterSpy found:
    Adw.Afriz.DownloaderBrowser Hijacker (3 objects) - Quarantined
    Download Accelerator Plus (14 locations) - Ignored

    I got message here - "Windows XP System restore Point Failed". Notice, CounterSpy could not create a Windows XP System Restore Point. Would you like to continue with clean process anyway? I chose "Yes" and the program removed spyware from the computer.

    4. CWShredder and Kill2Me - showed no infections.

    5. I couldn't start Internet when I was in Safe mode, so I rebooted to safe Mode with Network and started Bitdefender.
    I had to stop the scan in the middle. At that point the following 6 infections were showing up with these viruses:
    Java.Trojan.Downloader.OpenStream.C 2
    Java.Trojan.OpenStream.T 1
    Trojan.Java.Byteverify.B 3

    Later I did seconf Bitdefender scan. This time, only one virus was found:
    BehavesLike: Trojan.Downloader.
    File was deleted, updated: "Instant Affiliate Secrets.zip".

    6. Then I did Panda Active Scan. Detected 32 spyware and 2 hacking tools/potentially unwanted tools.

    7. After switching to normal mode, I run LSP-Fix - according to your specific instructions, but winsflt.dll wasn't listed there.

    8. I did fresh HJT scan and made the log.

    Please analyze my info and tell me what can be done to clean my computer.

    Thanks a lot!

    Stan

    PS. I believe I had logs from CounterSpy, BitDefender and Panda Scan - when I was in Safe mode but can't find them in normal mode. Can you tell me why? Thanks!
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's best if you do the fixes in a timely manner because the longer they stay on your machine the worse they can become. They can mutate or grow so it makes it a little harder when there is a delay in reply.

    Please see the below thread on how to install and run Spy Sweeper.

    Running Spy Sweeper...
     
  5. StanHill

    StanHill Private E-2

    Enclosed please find logs from SpySweeper and HJT.

    When I looked at the SpySweeper info, it looked that not everything got removed (e.g., 1 msn cookie trojan, 1 bf evolution, 3 from winad (out of 6), 27 from virtumonde (out of 32), 7 from downloader-conhook (out of 9).

    Thanks.

    Stan

    PS. Sorry, can't send the spysweeper log - it's 293K big - what to do?
     

    Attached Files:

  6. StanHill

    StanHill Private E-2

    Here is the zipped version of the Spyswepper log with regards to the computer with the Virtumonde virus (please re-work the threads).

    Thanks,

    Stan
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  8. StanHill

    StanHill Private E-2

    Hi, I did ewido and HJT scans. Logs enclosed.

    Ewido showed 82 infected objects.
    In HJT I still see the gebyy.dll on line 20 - this is probably behind Virtumonde virus...

    Sincerely,

    Stan
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Spy Sweeper

    Instant Buzz


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\gebyy.dll (file missing)
    O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx\pxbho.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)

    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)

    O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe

    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE (file missing)
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE (file missing)

    O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll (file missing)
    O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\Instant Buzz Delete this whole folder if it exist!

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.



    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.


    After you complete the above, REBOOT to normal windows and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

    Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited: Jan 20, 2006
  10. StanHill

    StanHill Private E-2

    I didn't have bigger problems with the instructions.
    Ad-Adware found 7 objects, Spybot - none.
    I had to do re-enable System Restore twice as I got an error message, but when I re-started, SR was on.

    I have a question re new HJT log.
    Line 08 - I'm not using Avant, Copernic, Instant Buzz - can I get rid of those lines?
    Also at Line 08 - Post To &WP: Pivotal Forex Trading... - is that line OK?
    Line 018 - file missing - can I fix it?
    Line 020 - file missing - can I fix it?
    Line 023 - it's probably about Prevx - I'm not using it - can I fix it?

    Other than that, computer looks fine.

    Thanks a lot!

    Stan
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The O8 you can fix if you dont use them, the others are legit. The current version of HJT has a few bugs that displaus "file missing" when they really are not.

    If your not having any further problem, surf to windows updates and install Service Pack 2.

    You should also see this article on How to Protect yourself from malware!
     
  12. StanHill

    StanHill Private E-2

    Thanks a lot!

    Stan
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your Welcome!:)
     

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds