Fun with Virtumundo & More

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by abbyg, Nov 23, 2004.

  1. abbyg

    abbyg Private E-2

    PhilliePhan,

    I need your help as well!!! I appear to have Virtumundo on my computer, which I also cannot get rid of (and tried following the steps you suggested above, with no success). I also would like to know what admain.exe is. That seems to be slowing my computer down quite a bit and boots every time I start my computer. I can't find it anywhere when I do a search, so I still have no clue what it is. It is annoying, because I have to click "end process" every time I turn on my computer. I wanted to delete it from HijackThis REALLY badly, but I refrained, knowing that it probably would cause something bad to happen if I did. Anyway, I have attached a log file from HijackThis. I REALLY appreciate your help!!! Also, could you let me know if there is something else I should be getting rid of? Thanks! :)

    ag
     

  2. PhilliePhan

    PhilliePhan Guest

    Re: Hey, having some spyware related problems with StarWars Galaxies....

    Hi Abby,

    You have a lot of issues. Also, you need to move HijackThis to its own folder. See the instructions below.

    Also, you may need this tool: http://www.cexx.org/lspfix.zip
    Please download it, but do not use it yet.

    You have other issues besides Virtumundo, so I would encourage you to start with the Cleanup Tutorial HERE:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    This will remove a lot of stuff that would otherwise clog a HJT log.

    Please note the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    ALSO, you might try the new Virtumundo removal tool from Symantec and see how it fares:
    Symantec Virtumundo Eradication Tool

    Run through the tutorial and attach a fresh log & I'll try to check back. I'm kinda tied up with work right now, so my appearances here are off and on. But, someone will help you get fixed up! :)

    Best luck,
    PP
     
  3. abbyg

    abbyg Private E-2

    Ok, I tried to do everything those instructions told me to. I was unable to get online while I was in safe mode, and I did not end up doing either of those scans in normal mode, because it was taking such a long time to load. I did everything else though. Admain.exe does not load when I boot up my computer anymore, so I am thrilled about that! Many times that I shut my computer down, it tells me that it is waiting to end "Program O" - whatever that is. I usually just click on the "End Program" button, because I have no idea what it is. Also, sometimes my computer will freeze for a little bit and then do like a re-load or something where the screen goes blank for a second and then everything comes back and it works again. I don't know why it does that, but sometimes it will happen and then happen again very soon afterwards and it is really annoying, and probably means there is something wrong. Anyway, those two things (the freezing and the Program O thing) were happening before I followed the directions, so it's not anything new. I am attaching my newest log file from HijackThis. Thanks so much!!! :D
     


  4. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Once you're cleaned up, go to Windows Update; you're horribly out of date and missing out on the added security Service Pack 2 provides. I will get you started, you've got a ton of problems and I am unsure of a couple.

    That said, here we go....

    C:\WINDOWS\System32\jylkua.exe

    Questionable: C:\Program Files\Real\RealGames\Snood (Full Version)\Snood.exe

    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

    Questionable, remove if you don't recognize: O1 - Hosts: jkazaa.cjt1.net #DK and O1 - Hosts: jkazaa.cjt1.net #DK

    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\ABBYGR~1\LOCALS~1\Temp\lrupct.dat
    O2 - BHO: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll
    O2 - BHO: CATLEvents Object - {870B70D4-F6DA-47AE-9158-D146440A0A4D} - C:\DOCUME~1\ABBYGR~1\LOCALS~1\Temp\niamda.dat (file missing)
    O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB.dll
    O2 - BHO: (no name) - {EFAC4563-91CB-B2E9-59D9-BAC1E5CCB7D6} - C:\WINDOWS\system32\jkjuggnd.dll
    O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll
    O4 - HKLM\..\Run: [wzvcqxil] C:\WINDOWS\opsrkxpk.exe
    O4 - HKLM\..\Run: [lodwuovm] C:\WINDOWS\eoudrjza.exe
    O4 - HKLM\..\Run: [o] C:\WINDOWS\System32\jylkua.exe
    O4 - HKLM\..\Run: [v] C:\WINDOWS\System32\mifpna.exe
    O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\Temp\Adware\WebInstall.exe /R
    O4 - HKLM\..\Run: [*hardbin] C:\WINDOWS\hardbin.exe
    O4 - HKLM\..\Run: [*urldb] C:\WINDOWS\repair\urldb.exe
    O4 - HKLM\..\Run: [*admain] C:\WINDOWS\system32\Microsoft\admain.exe



    I need Chaslang's or Phillie's thoughts on these, my suspicion is they are problematic, but wait for their opinion:

    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\}
    O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
    O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
    O4 - HKLM\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
    O4 - HKLM\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\}
    O4 - HKCU\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
    O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
    O4 - HKCU\..\Run: [var strP] c:\WINDOWS\System32\var strPort;
    O4 - HKCU\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);
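    The O4 lines above show three patterns a log reviewer looks for: generated value names (wzvcqxil, opsrkxpk, a bare "o"), loaders planted in Windows subfolders that never hold startup programs (Temp, Fonts, repair), and JavaScript written into Run values one line at a time. The script below is an added example for this thread, not code from MajorGeeks or HijackThis; its sample log is constructed from the lines quoted above plus one ordinary Java updater entry, and its rules are triage assumptions that still need a human decision.

```python
"""Heuristic triage of HijackThis O4 (autostart) lines.

Added example for this thread, not code from MajorGeeks or HijackThis: it
sorts O4 entries into "worth a closer look" and "ordinary" using the three
patterns visible in the log above. The rules are assumptions for triage
only; every hit still needs a human decision before anything is fixed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log: O4 lines modelled on the ones quoted in the thread,
# plus one ordinary startup entry (the Sun Java updater) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [wzvcqxil] C:\WINDOWS\opsrkxpk.exe
O4 - HKLM\..\Run: [o] C:\WINDOWS\System32\jylkua.exe
O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\Temp\Adware\WebInstall.exe /R
O4 - HKLM\..\Run: [*diskweb] C:\WINDOWS\Fonts\SF Slapstick Comic v1.0\diskweb.exe
O4 - HKLM\..\Run: [*urldb] C:\WINDOWS\repair\urldb.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\}
O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;
"""

# "O4 - <hive>\..\Run: [<value name>] <value data>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

# Subfolders of the Windows directory where real startup programs do not
# live; the thread's log had a loader planted in each of them.
ODD_DIRS = ("\\temp\\", "\\fonts\\", "\\repair\\", "\\msagent\\",
            "\\java\\trustlib\\", "\\addins\\", "\\speech\\",
            "\\system32\\microsoft\\")

# JavaScript tokens that never belong in the data of a Run value: they mean
# a script was written into the registry line by line instead of a path.
SCRIPT_RE = re.compile(r"\bfunction\b|\bvar\b|\(\)\s*\{|\.replace\(|[;}]$")

# Five or more consonants in a row is rare in a product name but common in
# generated names such as wzvcqxil or opsrkxpk (heuristic, not proof).
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-z]{5,}", re.IGNORECASE)

REASON_SCRIPT = "script fragment written where a path belongs"
REASON_DIR = "executable in a directory startup programs do not use"
REASON_NAME = "random-looking value name or file name"


@dataclass
class Finding:
    hive: str
    name: str
    data: str
    reasons: List[str] = field(default_factory=list)


def _looks_random(token: str) -> bool:
    """Single-letter names and long consonant runs score as generated."""
    letters = re.sub(r"[^A-Za-z]", "", token)
    return len(letters) <= 1 or CONSONANT_RUN_RE.search(letters) is not None


def _file_stem(data: str) -> str:
    """Return the bare file name (no directory, no extension, no arguments)."""
    m = re.match(r"(?i)^(.*?\.(?:exe|dll|com|scr))", data)
    target = m.group(1) if m else data
    return target.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Parse one O4 line: None if it is not an O4 line, otherwise a Finding
    whose reasons list is empty when nothing looked wrong."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, data = m.groups()
    finding = Finding(hive, name, data)
    if SCRIPT_RE.search(data):
        finding.reasons.append(REASON_SCRIPT)
        return finding  # not a path at all; the other checks do not apply
    if any(d in data.lower() for d in ODD_DIRS):
        finding.reasons.append(REASON_DIR)
    if _looks_random(name) or _looks_random(_file_stem(data)):
        finding.reasons.append(REASON_NAME)
    return finding


def triage(log_text: str) -> List[Finding]:
    """Return only the O4 entries that tripped at least one rule."""
    flagged = []
    for line in log_text.splitlines():
        f = triage_line(line)
        if f and f.reasons:
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.hive} [{f.name}] {f.data}")
        for r in f.reasons:
            print(f"    -> {r}")
```

On the constructed sample the Java updater passes clean and the other eight lines are each flagged for exactly one reason.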
     
  5. abbyg

    abbyg Private E-2

    Thanks for the speedy response! I have tried to update to the service pack 2 deal, but the problem is, somebody who fixed my computer about a year ago put Windows XP on it (I used to have ME) and so I think it is a pirated version. Therefore, my updater does not allow my computer to install the service pack. This is terribly annoying, since I never told anybody to download a pirated copy of XP, but now I have to deal with it. Any thoughts on that? C:\WINDOWS\System32\jylkua.exe is definitely a problem - or at least it is running a lot and I have never seen it before. C:\Program Files\Real\RealGames\Snood (Full Version)\Snood.exe shouldn't be a problem. I have a game called Snood on my computer, so I am sure that is all it is. As far as O1 - Hosts: jkazaa.cjt1.net #DK and O1 - Hosts: jkazaa.cjt1.net #DK is concerned, I don't know what to do. Is it associated with Kazaa Media Desktop? I do have that on my computer. I just don't know if that is what it is or not. The other stuff looks problematic. Well, I will just let an expert deal with it now. Thanks again! :)
     
  6. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Get rid of Kazaa. There are few to no good file sharing programs left. The only questionable lines are the lines that say questionable, so there are 16 lines for you to remove. As for hosts, I will bet they are bad lines, try removing the 16 I am sure of, then try removing those 2 that say hosts. You can restore from backup if there's a problem, but I am fairly confident.

    Let me know.
     
  7. PhilliePhan

    PhilliePhan Guest

    Hi Abby, M.A.

    Sorry it took so long to get back - Now that Chaslang's back, I'm trying to catch up on real life! ;)

    Abby, it looks like a program has installed improperly in the registry. We'll see what we can do with it.
    Also, those O10 lines from before are now gone. (That's good)

    Still, I'd like you to look in Add or Remove Programs for New.Net and Uninstall it if found.

    Then, try these instructions. If, for some reason you lose Internet Connectivity after completing them (I doubt this will happen) then, and only then run LSP-Fix and just click "Finish." You probably will not need to do that.
    ------------------------------------------------------------------------------------------------------------

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    This is just to clear out what we can. Some of this will come back in the next log.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:

    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

    O1 - Hosts: jkazaa.cjt1.net #DK

    O1 - Hosts: jkazaa.cjt1.net #DK

    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\ABBYGR~1\LOCALS~1\Temp\lrupct.dat

    O2 - BHO: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll

    O2 - BHO: CATLEvents Object - {870B70D4-F6DA-47AE-9158-D146440A0A4D} - C:\DOCUME~1\ABBYGR~1\LOCALS~1\Temp\niamda.dat (file missing)

    O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\jylkua.exe

    O2 - BHO: (no name) - {EFAC4563-91CB-B2E9-59D9-BAC1E5CCB7D6} - C:\WINDOWS\system32\jkjuggnd.dll

    O3 - Toolbar: Game Bar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\WINDOWS\DOWNLO~1\gamebar.dll

    O4 - HKLM\..\Run: [wzvcqxil] C:\WINDOWS\opsrkxpk.exe

    O4 - HKLM\..\Run: [lodwuovm] C:\WINDOWS\eoudrjza.exe

    O4 - HKLM\..\Run: [o] C:\WINDOWS\System32\jylkua.exe

    O4 - HKLM\..\Run: [v] C:\WINDOWS\System32\mifpna.exe

    O4 - HKLM\..\Run: [tcpurl] C:\WINDOWS\msagent\CHARS\tcpurl.exe

    O4 - HKLM\..\Run: [*xmleula] C:\WINDOWS\java\TRUSTLIB\xmleula.exe

    O4 - HKLM\..\Run: [*diskweb] C:\WINDOWS\Fonts\SF Slapstick Comic v1.0\diskweb.exe

    O4 - HKLM\..\Run: [*regsys] C:\WINDOWS\addins\regsys.exe

    O4 - HKLM\..\Run: [*dlliis] C:\WINDOWS\Speech\dlliis.exe

    O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\Temp\Adware\WebInstall.exe /R

    O4 - HKLM\..\Run: [*hardbin] C:\WINDOWS\hardbin.exe

    O4 - HKLM\..\Run: [*urldb] C:\WINDOWS\repair\urldb.exe

    O4 - HKLM\..\Run: [*admain] C:\WINDOWS\system32\Microsoft\admain.exe

    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\}

    O4 - HKLM\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
    O4 - HKLM\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;

    O4 - HKLM\..\Run: [var strP] c:\WINDOWS\System32\var strPort;

    O4 - HKLM\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);

    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\}

    O4 - HKCU\..\Run: [function redirec] c:\WINDOWS\System32\function redirect(){
    O4 - HKCU\..\Run: [var strT] c:\WINDOWS\System32\var strTemp;

    O4 - HKCU\..\Run: [var strP] c:\WINDOWS\System32\var strPort;

    O4 - HKCU\..\Run: [ top.location.replace(strTe] c:\WINDOWS\System32\ top.location.replace(strTemp);


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and DELETE the following if they remain:

    C:\WINDOWS\opsrkxpk.exe
    C:\WINDOWS\eoudrjza.exe
    C:\WINDOWS\System32\jylkua.exe
    C:\WINDOWS\System32\mifpna.exe
    C:\WINDOWS\msagent\CHARS\tcpurl.exe
    C:\WINDOWS\system32\jkjuggnd.dll

    Reboot to Normal Windows and Scan with HijackThis and attach that log. Let us know of any problems you may have encountered with the above instructions.

    Best luck :)
    PP
     
  8. abbyg

    abbyg Private E-2

    Hi friends!

    I did what you told me to do. It might have been my fault a little bit (that things were not installed properly in the registry). I found the New.Net thing while I was following the first set of instructions and tried to remove it, so hopefully, I did not mess anything up. Anyway, I did not find New.Net in Add/Remove Programs. I was able to follow the instructions you gave me. There was only one thing I could not quite find in HijackThis. I believe it was this one: O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\jylkua.exe. There was something really similar, but I did not want to check the box, in case it wasn't the right thing. Unfortunately, I did not note what it was. Again, I have attached the new log file, and again, thanks for all your help! Have a Happy Turkey Day!!! :D
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB.dll

    Boot into safe mode and use Windows Explorer to delete:
    C:\PROGRA~1\WINDOW~4\WinSB.dll
    (I'm not sure what the full path to WinSB.dll is. It begins with C:\Program Files\ but I'm not sure what the WINDOW~4 will translate into. You will have to check for yourself. Otherwise you will need to use Windows Advanced search options.)

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  10. abbyg

    abbyg Private E-2

    Hi again,

    I did what you said. Attached is the log file. Things are running ok, although I haven't done too much on my computer since I did all that stuff, so it's hard to say. :)
     


  11. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    NOW, that's a pretty log file! I don't see a problem. Let us know if you experience any other problems.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Agreed! Looks like you are all cleaned up Abbyg!
     
  13. PhilliePhan

    PhilliePhan Guest

    Hi Abby,

    Looks like you are getting the full treatment from everybody here ;) , I wanted to add something as well! Since you are pretty much stuck with the XP on your machine, I suggest that you implement as many of Chaslang's recommendations as possible: How to Protect yourself from malware!

    Happy Turkey Day :)

    PP
     
  14. abbyg

    abbyg Private E-2

    PhilliePhan, chaslang, and Major Attitude,

    First of all, THANK YOU ALL SO SO SO MUCH!!! You have all been such a great help in cleaning up my computer! I can't tell you how many forums I have visited that seem to be completely useless before finding this one. I am definitely bookmarking this one, and referring others here (I actually have already to some degree). Fellas, hopefully I won't need to, but I'll be back if need be. I had a few questions about chaslang's ways to protect from malware. First, I have had some anti-virus software on my computer in the past, but I am not totally sure if I still do, or if I even want what is on here anymore. How can I tell if I have some/get rid of it if I do so I can download one of the ones listed on this page? When I lived in the dorms at my college, they made us all download some stuff so that they could monitor the network, because some pretty crappy viruses were going around, which is why my computer went haywire and needed fixing and I now have a pirated copy of Windows XP. Yes, one of the tech people at my school (actually, the main tech person) downloaded pirated software on my computer - I would have never guessed!
    Secondly, does it matter if I have more than one firewall, and again, how do I know if I have one or not? My next question deals with Microsoft Java and Sun Java. What are those programs exactly? Does getting rid of Microsoft Java mean losing any settings of any sort? My last question is about using Mozilla FireFox in place of Internet Explorer. Will I lose my favorites and all of those fun things if I switch? Do I want to remove Internet Explorer completely? I know, I am so computer knowledge challenged! Anyway, thanks again for all of your help, and I hope you can answer my questions! I hope you all had a great Thanksgiving and ate lots of good food in between answering all my questions and dealing with my problems! :D
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    - You should get a legit version of WinXP for yourself.
    - I did not see any signs of a virus application, so you should download one (try Avast!) and install it.
    - Only use one firewall! And I saw no signs of a firewall application on your PC either.
    - Removing MS Java will not change any settings.
    - Favorites can be imported from IE into FireFox
    - No do not uninstall IE. Sometimes it will be required for certain websites and applications.

    Yes Thanksgiving was great! I'm stuffed! How was yours?
     
  16. abbyg

    abbyg Private E-2

    chaslang,

    How would I go about getting a legit version of XP and how do I download it/would it screw with my settings? In case you can't tell, I am obsessive about not having to re-do my settings. It's annoying and I can never remember how I had them. I downloaded Avast! and it is telling me (very loudly, I might add) that I have a virus. Something about a trojan and now I forgot what it was called. Shoot. I seem to be having a rough time downloading the Sun Java thing. Their website keeps bringing me to the same pages when I try to click the download links. Any thoughts? I did download FireFox and it is working fine. I am trying to get used to it right now. Actually, that is the browser I am currently in. :)
    All is well otherwise. My Thanksgiving was great. Good food. Yummm... I especially enjoyed the pumpkin pie. ;)
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Abby, bear with me. I'm working on a solution for you. It will probably involve buying your own copy of an upgrade version of Win XP.

    In the meantime, tell me exactly what Avast is complaining about. Don't forget to include the filename and path to the file if it is given. When you download the Sun Java, I believe you must be using IE. If you were using Firefox, that could be a problem.
     
  18. abbyg

    abbyg Private E-2

    Hello!

    I did successfully download Sun Java. You were right - I had to use IE. I can't believe I didn't think to use it! Oh well. I am kind of confused as to how this Avast! thing works, so hopefully I can give you the information that you need. It is telling me that I have a virus, and under virus name, it says, "Win32:Trojan-gen. {UPX!}" and under file name, it says, "C:\WINDOWS\SYSTEM32\rsd.exe". There is also the virus chest thing (man, I do not get this at all!), which has the following in it:

    jjj.exe in C:\WINDOWS\SYSTEM32
    kernel32.dll in C:\WINDOWS\SYSTEM32
    winsock.dll in C:\WINDOWS\SYSTEM32
    wsock32.dll in C:\WINDOWS\SYSTEM32

    I hope that was useful! Thanks again! :)

    ag
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First lets talk about the last four files you mentioned:
    jjj.exe in C:\WINDOWS\SYSTEM32 <--- this is most likely a file you can delete

    The next three below are valid Windows files that you need.
    kernel32.dll in C:\WINDOWS\SYSTEM32
    winsock.dll in C:\WINDOWS\SYSTEM32
    wsock32.dll in C:\WINDOWS\SYSTEM32

    These files are very likely in the system files section in the virus chest. That is normal since Avast creates a backup of them from the original files, so Avast will be able to put those back in case anything happens with the original ones.

    For the C:\WINDOWS\SYSTEM32\rsd.exe file, it is saying it is a packed (compressed) file that may be a trojan. Can you use Windows Explorer to navigate to the C:\WINDOWS\SYSTEM32 folder, right click on the rsd.exe file, and select Properties and then the Version tab? Go thru the Item names and get information on Company, Version, Internal Name etc.

    By the way, to go legit with WinXP you can buy a Windows XP upgrade and upgrade your system from your version to the version you buy (preferably Win XP SP2 but WinXP SP1 would be okay too). Then activate the program with your purchased license key.
     
  20. abbyg

    abbyg Private E-2

    chaslang,

    I looked at the properties of that file. There was no tab that said version - only the general tab. It said that it was created over a year ago though. It's probably nothing, but it's really annoying when Avast! suddenly blasts out an alarm noise and yells that there is a virus on my computer!

    So, by buying an upgrade for XP, it would make what I have legit and I would be able to download the security pack? How much would that cost (I am currently very poor)? :cool:

    ag
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try booting in safe mode and renaming that rsd.exe file to rsdexe.bad. Then reboot in normal mode and let me know what happens.

    For Win XP, I believe you mean Service Pack not Security Pack. You may even be able to buy a version that is already at SP2 level. I have never checked. As far as cost, I don't know either. Shop around and look for the best deal (from a reputable company online or a local computer store).
     
  22. abbyg

    abbyg Private E-2

    chaslang,

    I did what you told me to (at least I hope I did it right). The same thing happened. I did a scan with Avast! and it said the same thing. I don't know what it means. :(

    Yes, I did mean service pack. I had a momentary lapse when I wrote that and could not think of what it was called. For some reason, security came to mind, although I was pretty sure that was not it. Anyway, I will look around when I get the chance.

    Thanks again,
    ag
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But what does Avast say exactly now? Is it still finding the same virus and in C:\WINDOWS\SYSTEM32\rsd.exe ?
     
  24. abbyg

    abbyg Private E-2

    Chaslang,

    Well, it looks as though I may have overlooked a bunch of these things! It is telling me that I have the following things on my computer (one of them is the re-named file):

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\WINDOWS\SYSTEM32\hs.exe
    Virus Name: Win32:Trojan-gen. {UPX!}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\WINDOWS\SYSTEM32\jylkua.exe
    Virus Name: Win32:Trojan-gen. {UPX!}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\WINDOWS\casbridge2.exe
    Virus Name: Win32:Trojan-gen. {UPX!}
    (this was one I was originally concerned with, but I couldn't remember the name of it)

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\WINDOWS\fybqnccs.dll
    Virus Name: Win32:Trojan-gen. {Other}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\WINDOWS\SYSTEM32\rsdexe.bad.exe
    Virus Name: Win32:Trojan-gen. {UPX!}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\t.dll
    Virus Name: Win32:Trojano-359 [Trj]

    VPS Version: Win32:Trojan-gen. {UPX!}
    File Name: C:\Program Files\Internet Explorer\update.exe
    Virus Name: Win32:Trojan-gen. {UPX!}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\Program Files\KaZaA\PerfectNavUninstall.exe
    Virus Name: Win32:Trojan-gen. {Other}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\Program Files\HijackThis\backups\backup-20041124-22431
    Virus Name: Win32:Trojan-gen. {Other}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\System Volume Information\_restore{EF5611D2-F95F-4D42-A
    Virus Name: Win32:Trojan-gen. {VC}

    VPS Version: Win32:Trojan-gen. {UPX!}
    File Name: C:\System Volume Information\_restore{EF5611D2-F95F-4D42-A (I messed up copying this one and didn't get the full path)
    Virus Name: Win32:Trojan-gen. {UPX!}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\System Volume Information\_restore{EF5611D2-F95F-4D42-A043-3A35B9C6AFDC}\RP7\A0000602.exe
    Virus Name: Win32:Trojan-gen. {UPX!}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\System Volume Information\_restore{EF5611D2-F95F-4D42-A043-3A35B9C6AFDC}\RP7\A0000601.exe
    Virus Name: Win32:Trojan-gen. {UPX!}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\System Volume Information\_restore{EF5611D2-F95F-4D42-A043-3A35B9C6AFDC}\RP7\A0000603.exe
    Virus Name: Win32:Trojan-gen. {UPX!}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\System Volume Information\_restore{EF5611D2-F95F-4D42-A043-3A35B9C6AFDC}\RP7\A0000604.dll
    Virus Name: Win32:Trojan-gen. {Other}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\System Volume Information\_restore{EF5611D2-F95F-4D42-A043-3A35B9C6AFDC}\RP7\A0000605.exe
    Virus Name: Win32:Trojan-gen. {UPX!}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\System Volume Information\_restore{EF5611D2-F95F-4D42-A043-3A35B9C6AFDC}\RP7\A0000606.dll
    Virus Name: Win32:Trojano-359 [Trj]

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\System Volume Information\_restore{EF5611D2-F95F-4D42-A043-3A35B9C6AFDC}\RP7\A0000608.exe
    Virus Name: Win32:Trojan-gen. {Other}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\System Volume Information\_restore{EF5611D2-F95F-4D42-A043-3A35B9C6AFDC}\RP7\A0000611.dll
    Virus Name: Win32:Trojan-gen. {Other}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\System Volume Information\_restore{EF5611D2-F95F-4D42-A043-3A35B9C6AFDC}\RP7\A0000607.exe
    Virus Name: Win32:Trojan-gen. {UPX!}

    VPS Version: 0449-1, 12/02/2004
    File Name: C:\System Volume Information\_restore{EF5611D2-F95F-4D42-A043-3A35B9C6AFDC}\RP7\A0000601.exe
    Virus Name: Win32:Trojan-gen. {UPX!}

    I am pretty sure I screwed up a bunch of times posting all that, so if there are repeated entries, or incomplete ones, I apologize. It was popping up like every two seconds for a while there. I did the best that I could and I hope this is the information that you need!

    Thanks,
    ag
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, first you did not rename the file like I asked. I had said rename it to rsdexe.bad. You named it C:\WINDOWS\SYSTEM32\rsdexe.bad.exe. Because of that, Avast kept looking at the file because it still has a .exe extension. If it had the .bad extension it would have skipped it.

    You must disable System Restore. Remember the first step of the READ ME FIRST is to disable system restore and leave it that way until problems are resolved. A bunch of your problems are in System Restore.

    Ignore this one: C:\Program Files\HijackThis\backups\backup-20041124-22431 You don't want to delete your HJT backups yet. I don't know why Avast even looks there.

    Delete this folder from your PC: C:\Program Files\KaZaA

    Delete the below files from your PC:
    C:\t.dll
    C:\WINDOWS\fybqnccs.dll
    C:\WINDOWS\SYSTEM32\rsdexe.bad.exe
    C:\WINDOWS\casbridge2.exe
    C:\WINDOWS\SYSTEM32\jylkua.exe
    C:\Program Files\Internet Explorer\update.exe
    C:\WINDOWS\SYSTEM32\hs.exe

    After deleting all of them, empty your recycle bin. Then go to C:\Windows\Prefetch and delete any similarly named files that appear there.

    Now reboot! Then run a new scan with Avast. What happens now?
     
  26. abbyg

    abbyg Private E-2

    I don't know how to re-name the file like that. I only re-named it the way I know how, which is clearly not the right way to do it. How do I do that? Also, if I delete the Kazaa folder, I will have no more Kazaa, and I like Kazaa. I'm sorry to be so delinquent!
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Kazaa is more than likely the root of all your problems. It is an absolute NO NO!
    Read these:
    http://news.com.com/CA+slaps+spyware+label+on+Kazaa/2100-1025_3-5467539.html
    http://www.spywareinfo.com/articles/kazaa/

    To rename files, run Windows Explorer, locate the file and right click on it and select rename. Then type in the new name. When this involves changing the extension, you will get a warning about that. Just click OK. (The above assumes you have enabled viewing of hidden files and that you are NOT hiding extensions for known file types.)
     
  28. abbyg

    abbyg Private E-2

    I did everything you told me to (I think I did it right anyway), except I did not delete the Kazaa folder. I know that Kazaa is "NO NO", but before I rid my computer of it for good, I thought I should mention that I do have Kazaa Lite. I don't know if that is good for anything, but I thought it was supposed to make it ok to have Kazaa on your computer. Maybe I am wrong. Let me know what you think about that before I do anything with Kazaa, because I will cry if I have to delete it altogether! Well, maybe not, but I'll be so sad!

    The scan with Avast! seemed to go well. Nothing popped up as a virus, so I am hoping that is a good sign. Thank you, yet again!

    ag
    :D
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Abby! Sounds like we are just about done. As far as KazaaLite, it is only better than the full version of Kazaa in that it "supposedly" does not come with all the built-in adders that put all kinds of additional spyware/adware on your computer. However all programs like Kazaa (and K Lite) that use P2P (point to point) technology open your PC up to attacks since you are connected to thousands of other users via the servers. The clientele on Kazaa is pretty bad too. All kinds of viruses, trojans, and many other forms of malware can be attached to the stuff downloaded from there. It is simply just not safe. The final call is yours on this. Just be aware that it can cause you big problems. Either way you need to read my thread: How to Protect yourself from malware!
    especially if you keep Kazaa. Make sure you follow all those guidelines.
     
  30. abbyg

    abbyg Private E-2

    chaslang,

    I guess 30 posts later, we are finally done! I can't thank you and the other guys on here enough! It feels so much better to know that there isn't tons of junk on my computer that could potentially mess things up. I love that I am not worrying about pop-up windows and stuff like that anymore. I am thinking about the Kazaa thing, but I have looked at and followed your malware thread, chaslang. I have two questions regarding Mozilla Firefox. The first is this: whenever I close all the Mozilla Firefox windows, it seems like my cookies are gone. If I open a new one up, I cannot start typing in the web page and have it pop up in the address bar, like it does on Internet Explorer. Why is that? I tried going into Tools, Options, and then clicking on Cookies and setting it to Allow site to set cookies and Keep cookies until they expire (actually, it was already like that I think), but that doesn't do anything. Is there a way that the sites will stay in the address bar so I don't have to type the whole thing out every time? The second question is that if I have a Mozilla window open and I click on a desktop shortcut to a web page, rather than opening a new window, it makes a window that I already have opened go to this new web page. That can be really annoying when I am in the middle of doing something on that page and then suddenly it switches over to a completely new page. Can anything be done about that? Ok, I can almost promise you that I won't bother you anymore after these questions are answered! Thanks again, and if I ever have any more questions or problems, I know where you are - you're the best help I've ever found on the net! Thank you, thank you, thank you!

    ag :D
     
