Followed directions; still having problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by wlmjwlguy, Mar 26, 2006.

  1. wlmjwlguy

    wlmjwlguy Private E-2

    Many thanks in advance for your help with this. This site is a blessing.

    I am having a problem with Internet Explorer. When I start it and it directs me to my home page everything is perfect. Shortly after I attempt to enter any other site one of two messages pop up.

    The first is an error message that says my computer may be infected with the "blackworm virus" and that I must remove it immediately. The site it refers me to reads:

    "You may be infected by 'Blackworm'! We recommend you DOWNLOAD
    one of these security software programs to prevent further malware infections

    The dangerous 'Blackworm' computer virus activated February 2006 and has started destroying data on computers it has reached. The lethal virus, which has already infected over 1,000,000 computers in several countries, continues to spread rapidly over the Internet.

    Attention! Security Center has detected spyware on your PC sending private information and documents to a remote computer. One of the processes (Win32res.exe) has just sent this information"


Even if I press cancel I am still directed to this webpage that reads like a virus scan log and recommends that I install WinAntiVirusPro and the web page address is www.amaena.com (I think). It then freezes my explorer if I attempt to cancel it.

    The second message that appears says something like my registry files are corrupt and I need to immediately download Win Fixer 2006 to fix it. Same problem, I try and cancel and it freezes.

    I am currently using AOL browser which works, however as I was typing this one of these messages appeared on its own. I have followed each instruction using the various programs you recommend and they have all discovered their share of problems which have been fixed. I am including my HiJackThis log. For some reason I am having problems attaching it to this post. I am not including the Bitdefender as the only noted problem was WxBug in my AIM folder which I deleted. I am also not including the Panda Log as the only problems noted were 9 cookies which I deleted. If I was wrong to do this I will attach the logs in the next post.

    If you have time, could you please assist me? Many thanks for your help.

    Edit by chaslang: Inline log attached
     

    Attached Files:

    Last edited by a moderator: Mar 27, 2006
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You had two HijackThis sessions running last time! The below one should not be running:
    C:\DOCUME~1\NICKGI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

You have a few problems! Let's try to fix the Virtumonde infection first! Run the steps below and attach the VundoFix log to your next message.

    Virtumonde aka Trojan Vundo Removal

    Also look for Spyware Vanisher in Add/Remove programs and uninstall if found. You should not download garbage like this off the internet. There are close to 300 rogue tools out there. Only download malware cleaning tools from reputable sites like Majorgeeks.

    Then also attach a new HJT.
     
    Last edited: Mar 27, 2006
  3. wlmjwlguy

    wlmjwlguy Private E-2

    Thank you very much. Attached is the Vundo log and the most recent HJT log. I deleted the spyware vanisher folder but saw nothing in the add/remove programs list for it. Can you see anything else I need to correct? Also, how often would you recommend using all the programs that I downloaded per your instructions to sweep for viruses and spyware? Thanks again.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\system32\jkkli.dll (file missing)
    O4 - HKCU\..\Run: [SOProc_SoRefRegSoAlertAjMiniTest] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertAjMiniTest
    O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
We recommend against these online poker/casino sites but these two O9 lines are at your option. The correct way to remove this is via Add/Remove programs.
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\SoftwareOnline <--- the whole folder
    c:\spywarevanisher-free <--- the whole folder

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
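As an added, constructed example (not code from this thread, from HijackThis, or from MajorGeeks), here is a small Python triage helper that reads HijackThis O-lines of the kind quoted in the post above the way a helper reads them before clicking Fix: it splits each entry into its code and the file or command it points at, marks entries whose file is already gone ("(file missing)"), entries that point into the two rogue-tool folders the post asks to delete, and the rundll32 ShellExec_RunDLL indirection seen in the soproc entry. The rogue folder names and the suspicious lines are taken from the thread; the final ctfmon line is made up as a clean control.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the first five lines are the entries quoted in the post,
# the last HKLM ctfmon line is invented here as a clean control entry.
SAMPLE_LOG = r"""
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\system32\jkkli.dll (file missing)
O4 - HKCU\..\Run: [SOProc_SoRefRegSoAlertAjMiniTest] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertAjMiniTest
O4 - HKCU\..\Run: [Spyware Vanisher] c:\spywarevanisher-free\FreeScanner.exe -FastScan
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
MISSING = "(file missing)"

# Folder names (lower-cased substrings) of the rogue tools named in the thread;
# SOFTWA~1 is the 8.3 short name of C:\Program Files\SoftwareOnline.
ROGUE_DIRS = ("spywarevanisher-free", "softwareonline", "softwa~1")


@dataclass
class Entry:
    code: str                      # HJT section code: O2, O4, O9, O20 ...
    raw: str                       # the original log line
    target: str                    # file or command the entry points at
    flags: list = field(default_factory=list)


def extract_target(code: str, body: str) -> str:
    """Best-effort extraction of the file/command an O-line references."""
    if code == "O4":
        # O4 - HKCU\..\Run: [Name] command line ...
        m = re.search(r"\] (.*)$", body)
        return m.group(1).strip() if m else body.strip()
    # O2/O9/O20 style: "Label: Name - {CLSID} - path" -> last " - " segment
    return body.rsplit(" - ", 1)[-1].strip()


def analyse(line: str):
    """Parse one HJT line; return an Entry with triage flags, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    target = extract_target(code, body)
    flags = []
    if MISSING in target:
        target = target.replace(MISSING, "").strip()
        flags.append("orphaned: referenced file is missing")
    low = target.lower()
    if any(d in low for d in ROGUE_DIRS):
        flags.append("points into a rogue-tool folder")
    if "rundll32" in low and "shellexec_rundll" in low:
        flags.append("indirect launch via rundll32 ShellExec_RunDLL")
    if code == "O9":
        flags.append("browser extra button: optional, remove via Add/Remove Programs")
    return Entry(code, line.strip(), target, flags)


def triage(log_text: str) -> list:
    """Parse every O-line in the log text."""
    return [e for e in (analyse(l) for l in log_text.splitlines()) if e]


def flagged(log_text: str) -> list:
    """Only the entries that carry at least one triage flag."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.code:<4} {e.target}")
        for f in e.flags:
            print(f"       - {f}")
```

The rules are deliberately narrow: a missing file is a dead reference left behind after a partial cleanup, a path into a folder the helper already identified as rogue confirms the uninstall did not remove the autostart, and the rundll32 ShellExec_RunDLL wrapper is worth a second look only because it hides the real program behind a trusted Windows binary. Anything the rules do not recognise, like the ctfmon control line, is reported without flags rather than guessed at.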
  5. wlmjwlguy

    wlmjwlguy Private E-2

Thanks again. So far so good. However, when I went into C: to delete the files you mentioned I couldn't find any of them. Hopefully that's a good thing.
    Attached is the HJT log. Again I'm having problems attaching it so it is listed below. Thanks.


    Edit by chaslang: Inline log attached
     

    Attached Files:

    Last edited by a moderator: Mar 27, 2006
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work through the below link:

    How to Protect yourself from malware!


    Make sure you update your Sun Java version and then uninstall the old version you are currently running.
     
