I think I'm seriously infected

amaforafl · Nov 23, 2005

I seem to have several problems that recently developed and I can't get rid of them. I have been getting the winfixer pop-ups constantly; in addition, when I start my computer Nortons says I have a Trojan.Vundo virus in c:windows\system32\qomnk.dll. I cannot close the window once it pops up. . I have run the repair tool from Norton (vs. 4.1) but it does not help.

I have completed all the steps on your "read & run me first" page. I ran Bitdefender and it said I had a C:\Program Files\Norton AntiVirus\Quarantine\7DE639A3.dll=>(Quarantine-2) virus and that it had fixed it. I then ran Trend Micro & they said everything was fine.

I ran ccleaner, Ad Aware, spybot search & destroy, microsoft antispyware in safe mode. Only microsoft antispyware found anything and deleted it but I am still having the same problems. I ran Hijack This according to your instructions and am attaching the log. Thanks for any help you can give me.

chaslang · Nov 23, 2005

The READ & RUN ME sticky step 6 gives you a link to: Special Removal Procedures
which contains a link to: Virtumonde aka Trojan Vundo Fix w/ Tool

Run that procedure. The lines you will need to be concerned with are:

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\qomnk.dll
O20 - Winlogon Notify: qomnk - C:\WINDOWS\system32\qomnk.dll

The other alternative to running that procedure is to run Spy Sweeper. See: Running Spy Sweeper...

amaforafl · Nov 23, 2005

Thanks for your help. I was really desperate.
I ran VundoFix and here is the new log.

chaslang · Nov 23, 2005

Did you configure these next two lines for Windows Media Player and for a Proxy Server for something?
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\qomnk.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: qomnk - C:\WINDOWS\system32\qomnk.dll (file missing)

After clicking Fix, exit HJT.
Now reboot in normal mode and post a new HJT log. And tell us how things are working.

amaforafl · Nov 23, 2005

I have no knowledge of configuring Windows Media Player or Proxy Server. I rarely use WMP.

I am not getting the Norton trojan when I start up any more. I have not been on the web except for here so I am not sure about the winfixer.

I ran Spysweeper as well as hijack this again and am enclosing the logs. I can't begin to tell you how much I appreciate your help.

chaslang · Nov 23, 2005

You're welcome.

Okay we are almost done.

Run HJT and select the below lines but do not click Fix until all browsers are closed (including this one):
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080

Now Exit HJT.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Your clean now! Time to work thru the below:

How to Protect yourself from malware!

amaforafl · Nov 23, 2005

Thank you so much. My computer was always trying to connect to the web when I started it, and I had no idea what it was. Thanks for all your help. Hopefully, the winfixer is gone.

chaslang · Nov 23, 2005

You're welcome. Surf safely!

Log in or Sign up

I think I'm seriously infected

amaforafl Private E-2

Attached Files:

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

amaforafl Private E-2

Attached Files:

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

amaforafl Private E-2

Attached Files:

hijackthis.log

Spy Sweeper Session Log.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

amaforafl Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member