MajorGeeks Support Forums

#1  01-15-06, 14:21
StanHill, Private E-2

not-a-virus:AdWare.Win32.Virtumonde.gen

When I restart my computer, I get this message from F-Secure, my AV program from the cable company (Shaw). The full message is as follows:

F-Secure:
not-a-virus:AdWare.Win32.Virtumonde.gen
in C:/Windows/System32/GEBYY.DLL

That message is practically preventing any program from starting. Interestingly, I was able to start Bazooka and it showed no infection, although a day before it showed WinAd. It is probably related to Winfixer, as its pop-ups were showing up before.

Please help. Here is my HJT log:

  • Edit by bjgarrick: Unrequested, Inline HJT log removed!
Thanks in advance!

Stan

Last edited by bjgarrick; 01-15-06 at 14:25.. Reason: Unrequested, Inline HJT log removed!

#2  01-15-06, 14:24
bjgarrick, MajorGeeks Admin - Malware Expert

Welcome to MajorGeeks.com!

Please follow forum guidelines and perform cleaning steps in the sticky thread before posting HijackThis logs.

Now, please follow our standard cleaning procedures, which are necessary for us to provide you support. There are also steps included for installing, running, and posting HijackThis logs as attachments.

Download LSP-Fix

After the download is complete, run LSP-Fix.

Check the box labeled "I know what I'm doing" and then click on the winsflt.dll file (in the Keep section) to select it.

Then select the >> button to move winsflt.dll into the Remove section.

Now click the Finish button. When the Repair Summary box appears, click OK.

(Note: If the file winsflt.dll is already in the remove section, then just click FINISH.)


Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
  • Make sure you check version numbers and get all updates.
Very important: make sure you tell us the results from running the tutorial. Was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.

After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

Downloading, Installing, and Running HijackThis

#3  01-17-06, 14:45
StanHill, Private E-2

Thanks, bjgarrick,

I did as much as I could, according to the instructions. Here are the items to report:

0. Overnight scan by ewido found 150 infection items; one of them was:
C:\Windows\System32\awtsp.dll - Medium Risk Adware.Virtumonde.
All were cleaned. A quick check in the morning was all clean.
Then I did the following:

1. MSWindows Malicious... Tool didn't find anything.
2. Ad-Aware - nothing found
3. Spybot - 5 problems found and fixed:
RealDownloadExpress 4 Registry Keys
WildTangent Program Directory - C:\Windows\wt\

4. CounterSpy found:
Adw.Afriz.DownloaderBrowser Hijacker (3 objects) - Quarantined
Download Accelerator Plus (14 locations) - Ignored

I got a message here: "Windows XP System Restore Point Failed". Notice: CounterSpy could not create a Windows XP System Restore Point. Would you like to continue with the clean process anyway? I chose "Yes" and the program removed spyware from the computer.

5. CWShredder and Kill2Me showed no infections.

6. I couldn't start the Internet when I was in Safe Mode, so I rebooted to Safe Mode with Networking and started Bitdefender.
I had to stop the scan in the middle. At that point the following 6 infections were showing up with these viruses:
Java.Trojan.Downloader.OpenStream.C 2
Java.Trojan.OpenStream.T 1
Trojan.Java.Byteverify.B 3

Later I did a second Bitdefender scan. This time, only one virus was found:
BehavesLike: Trojan.Downloader.
File was deleted, updated: "Instant Affiliate Secrets.zip".

7. Then I did Panda ActiveScan. It detected 32 spyware and 2 hacking tools/potentially unwanted tools.

8. After switching to normal mode, I ran LSP-Fix according to your specific instructions, but winsflt.dll wasn't listed there.

9. I did a fresh HJT scan and made the log.

Please analyze my info and tell me what can be done to clean my computer.

Thanks a lot!

Stan

PS. I believe I had logs from CounterSpy, BitDefender and Panda Scan when I was in Safe Mode, but can't find them in normal mode. Can you tell me why? Thanks!
Attached: hijackthis17012006a.log (11.5 KB)

#4  01-17-06, 14:47
bjgarrick, MajorGeeks Admin - Malware Expert

It's best if you do the fixes in a timely manner, because the longer they stay on your machine the worse they can become. They can mutate or grow, so it makes it a little harder when there is a delay in reply.

Please see the below thread on how to install and run Spy Sweeper.

Running Spy Sweeper...

#5  01-17-06, 18:04
StanHill, Private E-2

Enclosed please find logs from SpySweeper and HJT.

When I looked at the SpySweeper info, it looked like not everything got removed (e.g., 1 msn cookie trojan, 1 bf evolution, 3 from winad (out of 6), 27 from virtumonde (out of 32), 7 from downloader-conhook (out of 9)).

Thanks.

Stan

PS. Sorry, I can't send the SpySweeper log. It's 293K big. What to do?
Attached: hijackthispcjan17350pm.log (11.8 KB)

#6  01-18-06, 01:13
StanHill, Private E-2

Here is the zipped version of the SpySweeper log with regard to the computer with the Virtumonde virus (please re-work the threads).

Thanks,

Stan
Attached: spysweeperpc.zip (17.7 KB)

#7  01-19-06, 00:48
bjgarrick, MajorGeeks Admin - Malware Expert

Please see the below thread on how to install and run Ewido Security Suite.

#8  01-19-06, 13:47
StanHill, Private E-2

Hi, I did ewido and HJT scans. Logs enclosed.

Ewido showed 82 infected objects.
In HJT I still see the gebyy.dll on line O20. This is probably behind the Virtumonde virus...

Sincerely,

Stan
Attached: Scan reportpc_20060119.txt (28.5 KB)
Attached: hijackthispcjan191141.log (11.7 KB)

#9  01-19-06, 23:54
bjgarrick, MajorGeeks Admin - Malware Expert

Please look in Add or Remove Programs for the following and uninstall them if found:

Ewido

Spy Sweeper

Instant Buzz


Now scan with HijackThis and check the boxes for the following entries:
(Make sure ALL browser windows are closed when you click FIX.)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\gebyy.dll (file missing)
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx\pxbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)

O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)

O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe

O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE (file missing)
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE (file missing)
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE (file missing)

O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll (file missing)
O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)

Again, make sure ALL browser windows are closed when you click FIX.

Now, please boot into Safe Mode, and be sure you have the viewing of hidden files and folders enabled per the tutorial. Then navigate to and DELETE the following if it still remains:

C:\Program Files\Instant Buzz (delete this whole folder if it exists!)

Next, run CCleaner to clean up cookies and temp files.

Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

Note: Remember to get all updates before doing the scans.



Then, as an added precaution, go to Start > Run, type cleanmgr and click OK. Make sure the boxes for these are checked:
  • Temporary Files
  • Temporary Internet Files
  • Recycle Bin
Then click OK.


After you complete the above, REBOOT to normal Windows and proceed with the rest of this fix...

Finally, I would like you to flush your System Restore points. Please follow the instructions below:

  • Disable and Re-enable System Restore

  • Turn OFF System Restore to flush any bad Restore Points.

  • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

Scan with HijackThis and attach the new log.
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

Last edited by bjgarrick; 01-20-06 at 22:59..
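An added example, not code from this thread and not HijackThis or any tool the helpers here used: a small Python parser for the HJT entry lines listed above, with the triage flags a reviewer wants when reading such a log (entries whose file is gone, Winlogon Notify DLLs, and file names already reported as Virtumonde components earlier in this thread). The sample lines are copied from the list in this post; the parsing rules, flag names, the THREAD_REPORTED_DLLS set and the confirm_missing helper are this example's own assumptions.

```python
"""Parse and triage HijackThis-style log entries.

Added example for this thread: it is not HijackThis itself and not a tool the
forum helpers used. The SAMPLE_LOG lines are copied from the entries listed
for fixing in post #9; the parsing rules, flag names, THREAD_REPORTED_DLLS and
confirm_missing are assumptions of this example.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Every HJT line starts with a section code ("R1", "O2", "O20") and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<path>.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")

# Assumed IoC list: DLL names reported as Virtumonde components earlier in
# this thread (F-Secure, ewido and the HJT entries quoted in post #9).
THREAD_REPORTED_DLLS = {"gebyy.dll", "awtsp.dll", "jkhhe.dll"}

# Constructed sample: entries copied from the fix list in post #9.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\gebyy.dll (file missing)
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Prevx\pxbho.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - (no file)
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll (file missing)
O20 - Winlogon Notify: jkhhe - jkhhe.dll (file missing)
"""


@dataclass
class HjtEntry:
    code: str                 # HJT section, e.g. "O20"
    kind: Optional[str]       # e.g. "BHO", "Toolbar", "Winlogon Notify"
    name: Optional[str]       # display name or registry value name
    clsid: Optional[str]      # upper-cased {GUID} if the line carries one
    path: Optional[str]       # file the entry points at, if any
    file_missing: bool        # HJT printed "(file missing)" or "(no file)"
    flags: List[str] = field(default_factory=list)


def _strip_missing(segment: str):
    """Remove HJT's missing-file markers and report whether one was present."""
    missing = False
    for marker in MISSING_MARKERS:
        if marker in segment:
            missing = True
            segment = segment.replace(marker, "")
    return segment.strip(), missing


def parse_entry(line: str) -> Optional[HjtEntry]:
    """Parse one HJT line; returns None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0).upper() if clsid_m else None

    # HJT separates name, CLSID and path with " - ".
    segments = [s.strip() for s in body.split(" - ")]
    head = segments[0]
    kind, name = head.split(": ", 1) if ": " in head else (None, head)
    path, missing = _strip_missing(segments[-1]) if len(segments) > 1 else (None, False)
    if path == "":
        path = None

    # O4 autoruns use "[value name] command" instead of " - " separators.
    if code == "O4" and name is not None:
        o4 = O4_RE.match(name)
        if o4:
            name, path = o4.group("name"), o4.group("path") or None
    return HjtEntry(code, kind, name, clsid, path, missing)


def triage(entry: HjtEntry) -> HjtEntry:
    """Attach review flags. They are prompts for a human reviewer, not verdicts."""
    base = entry.path.rsplit("\\", 1)[-1].lower() if entry.path else None
    if entry.file_missing:
        # The registry still points at a file that is gone: a leftover entry.
        entry.flags.append("orphaned")
    if entry.code == "O20":
        # Winlogon Notify DLLs are loaded by winlogon.exe at every logon, which
        # is where the gebyy/jkhhe entries in this thread persisted.
        entry.flags.append("winlogon-notify")
    if base in THREAD_REPORTED_DLLS:
        entry.flags.append("reported-in-thread")
    return entry


def parse_log(text: str) -> List[HjtEntry]:
    entries = (parse_entry(line) for line in text.splitlines())
    return [triage(e) for e in entries if e is not None]


def suspicious(entries: List[HjtEntry]) -> List[HjtEntry]:
    return [e for e in entries if e.flags]


def confirm_missing(entry: HjtEntry,
                    exists: Callable[[str], bool] = os.path.exists) -> Optional[bool]:
    """Re-check a "(file missing)" claim on disk. The HJT build discussed in this
    thread sometimes printed it for files that were present, so the marker alone
    is not evidence. Returns None when the entry has no path or no such claim."""
    if entry.path is None or not entry.file_missing:
        return None
    return not exists(entry.path)


if __name__ == "__main__":
    for e in suspicious(parse_log(SAMPLE_LOG)):
        print(e.code, e.kind, e.name, e.path, ",".join(e.flags))
```

The `exists` parameter is injectable so the disk check can be exercised against a recorded file listing rather than the live machine; the four flagged entries in the sample are the same gebyy/jkhhe/Copernic entries the helper asked to fix, while the Prevx BHO and the O4 autorun come back unflagged and are left to the reviewer.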
#10  01-20-06, 11:06
StanHill, Private E-2

I didn't have bigger problems with the instructions.
Ad-Aware found 7 objects, Spybot none.
I had to re-enable System Restore twice as I got an error message, but when I restarted, SR was on.

I have a question re new HJT log.
Line 08 - I'm not using Avant, Copernic, Instant Buzz - can I get rid of those lines?
Also at Line 08 - Post To &WP: Pivotal Forex Trading... - is that line OK?
Line 018 - file missing - can I fix it?
Line 020 - file missing - can I fix it?
Line 023 - it's probably about Prevx - I'm not using it - can I fix it?

Other than that, computer looks fine.

Thanks a lot!

Stan
Attached: hijackthispcjan200854.log (9.9 KB)

#11  01-20-06, 22:47
bjgarrick, MajorGeeks Admin - Malware Expert

Quote (originally posted by StanHill):
> I have a question re new HJT log.
> Line 08 - I'm not using Avant, Copernic, Instant Buzz - can I get rid of those lines?
> Also at Line 08 - Post To &WP: Pivotal Forex Trading... - is that line OK?
> Line 018 - file missing - can I fix it?
> Line 020 - file missing - can I fix it?
> Line 023 - it's probably about Prevx - I'm not using it - can I fix it?

The O8 you can fix if you don't use them; the others are legit. The current version of HJT has a few bugs that display "file missing" when they really are not.

If you're not having any further problems, surf to Windows Update and install Service Pack 2.

You should also see this article on How to Protect yourself from malware!

#12  01-21-06, 13:04
StanHill, Private E-2

Thanks a lot!

Stan

#13  01-21-06, 17:44
bjgarrick, MajorGeeks Admin - Malware Expert

You're welcome!