Need help with not-a-virus:Adware.Win32.Virtumonde.bjl

[DBsummit]

Hi, I'm new here. I've had an infection problem for a few weeks now. I know I got it when I was trying to help someone get a Microsoft Office Key and I downloaded a virus instead of a Key Generator.

I had Nod32 but it wasn't getting rid of the problem. After a little research I tried VundoFix and replaced Nod32 with Kaspersky. I think they removed some things, but I've still been getting alerts about every half hour. It seems to have been getting worse as well; I'm not sure if it's related, but now every time I open up Firefox, it gives me an error message that it has encountered a problem and needs to close.

I went through the steps for the Windows XP cleaning procedure on here, but (I apologize for this) when I tried to get a report from AVG Anti-Spyware, there was nothing there to save, so that's missing. EDIT: Wait, I just realized I had to hit "New Scan" before it generated a report for me. I'll attach it in the next post since I can't figure out how to do it here while I'm editing this post.


Oh and I think ComboFix stopped working when it was deleting files...after about an hour, I closed it...ComboFix.txt is probably incomplete and worthless.

[DBsummit]

Here's the AVG Report.

[DBsummit]

I tried running ComboFix again and it just hanged while it was deleting files again, crashing windows explorer as well, and when I tried to run it again through the task manager, it would give me the "explorer needs to close" error again every time.

I'd like to get this fixed soon, it's getting very annoying.

[chaslang]

Welcome to Major Geeks!

First run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0

Is the below proxy server setting something you configured and require?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 201.247.248.117:6588

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {23E16309-6D72-4C05-9DC3-1CE90567A8E2} - C:\WINDOWS\system32\awvvw.dll (file missing)
O2 - BHO: (no name) - {68657764-C05D-4683-803C-EFFC86CC1C01} - C:\WINDOWS\system32\vturs.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Weather Studio - {849CC480-5983-4D30-A12C-774E8E8D8291} - C:\Program Files\Weather Studio\bin\WeatherStudio.dll (file missing)
O2 - BHO: {321a5dc3-e9a3-1518-4964-bfbb41232e6b} - {b6e23214-bbfb-4694-8151-3a9e3cd5a123} - C:\WINDOWS\system32\fjtfiarx.dll
O3 - Toolbar: Weather Studio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - C:\Program Files\Weather Studio\bin\WeatherStudio.dll (file missing)
O4 - HKLM\..\Run: [cc528e63] rundll32.exe "C:\WINDOWS\system32\etcbrtwa.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: yayaxur - C:\WINDOWS\

After clicking Fix, exit HJT.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

Quote:

Files to delete:
C:\WINDOWS\system32\boucktpc.dll
C:\WINDOWS\system32\dppmrlwv.dll
C:\WINDOWS\system32\ffqmgevh.dll
C:\WINDOWS\system32\fjtfiarx.dll
C:\WINDOWS\system32\gbjgohoc.dll
C:\WINDOWS\system32\goppshlg.dll
C:\WINDOWS\system32\gyrjkahb.dll
C:\WINDOWS\system32\hvrcqcvv.dll
C:\WINDOWS\system32\ilhcoxbb.dll
C:\WINDOWS\system32\ioehvcqp.dll
C:\WINDOWS\system32\jdiyslvn.dll
C:\WINDOWS\system32\kwiragjq.dll
C:\WINDOWS\system32\lwxdpmop.dll
C:\WINDOWS\system32\mksxpiky.dll
C:\WINDOWS\system32\navbvgrl.dll
C:\WINDOWS\system32\ncjdfnwp.dll
C:\WINDOWS\system32\njslsxle.dll
C:\WINDOWS\system32\pymceyvu.dll
C:\WINDOWS\system32\rfviqina.dll
C:\WINDOWS\system32\ryyvorgw.dll
C:\WINDOWS\system32\sbdfaufn.dll
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\awtrbcte.ini
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\imon1.dat

Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayaxur

Registry values to delete:
HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks | {B2D2D370-1406-4BA9-8702-0BD96CBD4CBD}

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Now delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Jim\Local Settings\Temp

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

[DBsummit]

Wow, thank you so much. You have fixed my Firefox and Windows Explorer problem. I still haven't got any reports about the malware yet, let's hope it stays that way. The only step I didn't do was I didn't download and install the Java Runtime Environment yet, I'm late for work as I type this.

Here are the logs.

Thanks again.

[chaslang]

I see you logged in. Hang around for a few minutes. I'm look thru your logs now and will give you a status report soon.

[chaslang]

You did not answer my question about the proxy setting. Please answer now!

Also if you have not updated Java, please do it now.

You are still infected and I have to work up another fix. DO NOT reboot or power down as that could change the problems and make my fix not work.

[DBsummit]

I don't know about the proxy setting and I couldn't find it in Firefox or Internet Explorer, so I don't know where it's from.

Edit: Wait, I just found it in the LAN settings for Internet Explorer. It's not being used anyway, as it is greyed out.

Also I did install Java a few minutes ago.

[chaslang]

Quote:

Originally Posted by DBsummit

Edit: Wait, I just found it in the LAN settings for Internet Explorer. It's not being used anyway, as it is greyed out.

We'll fix it anyway since you said you don't use it.


Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 201.247.248.117:6588
O2 - BHO: {837ba2ee-98b1-46c9-8714-5398f8966781} - {1876698f-8935-4178-9c64-1b89ee2ab738} - C:\WINDOWS\system32\aqnfmufr.dll
O2 - BHO: (no name) - {AB910831-1B99-4E5B-8CB4-09F23D889387} - C:\WINDOWS\system32\vturs.dll (file missing)

After clicking Fix, exit HJT.

Run avenger.exe by double-clicking on it.

• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

Quote:

Files to delete:
C:\WINDOWS\system32\aqnfmufr.dll
C:\WINDOWS\system32\asxqsfya.dll
C:\WINDOWS\system32\brqxphrf.dll
C:\WINDOWS\system32\drjlpaki.dll
C:\WINDOWS\system32\ecjmexhk.dll
C:\WINDOWS\system32\etcbrtwa.dll
C:\WINDOWS\system32\gbaekodi.dll
C:\WINDOWS\system32\idqxokrl.dll
C:\WINDOWS\system32\jbbbidws.dll
C:\WINDOWS\system32\jwoxjasy.dll
C:\WINDOWS\system32\ltcvlpuw.dll
C:\WINDOWS\system32\mdirtftd.dll
C:\WINDOWS\system32\msnqgjbg.dll
C:\WINDOWS\system32\ojhkfrve.dll
C:\WINDOWS\system32\pgohuhvr.dll
C:\WINDOWS\system32\qfdlbggb.dll
C:\WINDOWS\system32\qmdcnuhm.dll
C:\WINDOWS\system32\rhlweocd.dll
C:\WINDOWS\system32\urcfnyxo.dll
C:\WINDOWS\system32\vmmqikrx.dll
C:\WINDOWS\system32\wafileso.dll
C:\WINDOWS\system32\wqwrgtfx.dll
C:\WINDOWS\system32\wsrvvvdf.dll
C:\WINDOWS\system32\xjeqsgel.dll

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

[DBsummit]

Okay, still no virus alerts have been popping up except for combofix.exe every time I restart.
(Also, judging from what I read in avenger.txt something went wrong?)

[chaslang]

Quote:

Originally Posted by DBsummit

Okay, still no virus alerts have been popping up except for combofix.exe every time I restart.

Are you saying that ComboFix is trying to run each time you startup? Or are you saying you have an alert from Kaspersky or AVG Antispyware about ComboFix trying to run?

Quote:

Originally Posted by DBsummit

(Also, judging from what I read in avenger.txt something went wrong?)

Yes it did not work and you need to try again. But this time exit/shutdown AVG AntiSpyware and Kaspersky first and also make sure you close your all browsers too.

[DBsummit]

I tried it again after exiting AVG and Kaspersky first, but after the restart it said avenger.txt was not found and asked me if I wanted to create it. Now avenger.txt contains nothing in it.

As for the alerts from Kaspersky, I have taken 2 screenshots of what pops up.

http://img178.imageshack.us/img178/7...enshot1ri1.jpg
http://img160.imageshack.us/img160/7...enshot2ki9.jpg


I will try to exit as many applications in the task bar as possible and run avenger once more.

[chaslang]

Quote:

Originally Posted by DBsummit

I tried it again after exiting AVG and Kaspersky first, but after the restart it said avenger.txt was not found and asked me if I wanted to create it. Now avenger.txt contains nothing in it.

Uninstall AVG Antispyware. It may be necessary to uninstall Kaspersky if we cannot get this to run. The only other way to remove the files is manual (and you may have problems doing this if the malwar blocks it) or using ComboFix which you could not get to run and that could also be due to Kaspersky.

Quote:

Originally Posted by DBsummit

As for the alerts from Kaspersky, I have taken 2 screenshots of what pops up.
.

Cannot read them! Don't take screen snap shots. Just take snapshots of the popup. Are these popups about ComboFix?

[DBsummit]

I think I got it to work on the third try. It may be worth noting that my internet was still disabled when I started back up and I had to manually enable the connection again.

[chaslang]

Okay now I need a new MGlogs.zip file.

Also I cannot read your popups. Are they still occurring?

[DBsummit]

Yes they occur every time I start the computer again, one snapshot says something about catchme.cfexe which I believe is part of ComboFix. The other one says combofix.exe has a virus called HeiruInvader.

Why is it that you cannot read them, are they too big for you?

I've cropped the screenshot images to show only the popups.

[chaslang]

Quote:

Originally Posted by DBsummit

Yes they occur every time I start the computer again, one snapshot says something about catchme.cfexe which I believe is part of ComboFix. The other one says combofix.exe has a virus called HeiruInvader.

Yes this is all part of ComboFix and this is why you could not get ComboFix to run. You blocked it from running with Kaspersky. You should have allowed it to run.

Quote:

Originally Posted by DBsummit

Why is it that you cannot read them, are they too big for you?

The resolution was not good enough to read just by clicking on the link. The way they come up in IE changes the resolution. If I download them, then I can read them but that is more work. If you just take snapshots and post them here, it is easier and it also gives us a feature reference since your offsite links will eventually disappear.


You're logs are clean.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
10. If you are running Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

[DBsummit]

Yes this is all part of ComboFix and this is why you could not get ComboFix to run. You blocked it from running with Kaspersky. You should have allowed it to run.

That's not true. I've always allowed it to run and hit skip as opposed to quarantine or delete.

If I had blocked it, it would have stopped alerting me about it a long time ago.

The resolution was not good enough to read just by clicking on the link. The way they come up in IE changes the resolution. If I download them, then I can read them but that is more work. If you just take snapshots and post them here, it is easier and it also gives us a feature reference since your offsite links will eventually disappear.

Use Firefox =P



I'll delete all that stuff now. Thank you very much, you've been a great help.

[chaslang]

Quote:

Originally Posted by DBsummit

That's not true. I've always allowed it to run and hit skip as opposed to quarantine or delete.

Okay but something about Kaspersky is still treating it incorrectly and it still may have been the reason that it was not able to run initially.

Quote:

Originally Posted by DBsummit

Use Firefox =P

I do but just not all the time. It is actually more of a hinderance while working in the forum with the things I need to do. It does not behave well with vBulletin code and does lot's of strange things to fixes we try to post. And if we don't notice them, the fixes would not work. Thus rather than having to double check all the time, it is easier to not use it while doing most of the work here.

[chaslang]

Quote:

Originally Posted by DBsummit

Use Firefox =P

Oh and one other thing I should mentioned out of fairness to IE. I could disable the automatic image resizing in Advanced options but that messes up other things I need to do and I don't want to keep changing it. It is just easier to have smaller snapshots taken and posted here anyway like I said for future reference.