Malware removal problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by Chief, Apr 9, 2006.

  1. Chief

    Chief Private E-2

    I have run several scans and they have resulted in saying that I am infected with win32.Trojan.Dnschanger, Win32.TrojanDownloader.Qoologic, Win32.P2P-Worm.Alcan.a, and several others. I have tried to complete the aforementioned first steps but I don't know how successful I was. I have run CCleaner, Malicious Software Removal, Ad-Aware SE, Spybot, AVG anti-virus and even Vundo. I am still having problems and any help will be greatly appreciated. By the way I have Microsoft XP.
     
    Last edited: Jun 12, 2007
  2. Chief

    Chief Private E-2

    Sorry I forgot to include my Vundo results.
     
    Last edited: Jun 12, 2007
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You have a bunch of problems, including that Virtumonde is still present. Run the below.

    Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


    Now please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  4. Chief

    Chief Private E-2

    I ran the three scans and both Bitdefender and Panda Scan said there were viruses. I assume they were removed? However I am still getting some pop-ups like Amaena and the computer is still running slow. Any more help would be appreciated.
     
    Last edited: Jun 12, 2007
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the Look2Me-Destroyer log I asked for. Please attach it.

    You are still getting popups because you still have some problems with Virtumonde. Run the below and attach the VundoFix log:

    Virtumonde aka Trojan Vundo Removal

    Then also attach a new HJT log. We still will have more work to do at this point. As I said in my first message, you had a bunch of problems.


    To aid us in the next steps, now download FindQool by LonnyRJones
    • Extract the files and place the FindQool folder into the root folder of your hard disk. This is usually C:\
    • Open the folder and run Qlocate.bat
    • Attach the contents of the txt.log which will open when the scan is finished.
     
    Last edited: Apr 10, 2006
  6. Chief

    Chief Private E-2

    Here is the Look2Me log along with the VundoFix and HJT logs. However, I am having trouble with FindQool. Once I saved it, I extracted all and opened the folder, but when I run Qlocate.bat it says that the file cannot run unless unzipped. When I first tried to run it a Windows AntiSpyware Notice came up which asked for approval and I allowed it; I don't know if this is causing a problem.
     
    Last edited: Jun 12, 2007
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First please refer to step 3 of the READ & RUN ME that you seem to have ignored. You have both AVG7 and Symantec antivirus programs installed. Choose one and uninstall the other.

    You also did not complete step 0 of the READ & RUN ME properly. I still see the below installed:
    Viewpoint Manager

    Also uninstall SpywareRemover if it appears in Add/Remove programs!

    Is your copy of SpySubtract a paid version? If not then uninstall it.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ewheirs.exe
    O4 - HKLM\..\Run: [SpywareRemover] C:\Program Files\SpywareRemover\SpywareRemover.exe -boot
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
    O4 - HKLM\..\Run: [ms065483135363] C:\WINDOWS\ms065483135363.exe
    O4 - HKLM\..\Run: [cjnnxk] C:\WINDOWS\system32\crjvxm.exe reg_run
    O4 - HKLM\..\Run: [w9caecb1.dll] RUNDLL32.EXE w9caecb1.dll,I2 0001fc6b09caecb1
    O4 - HKCU\..\Run: [xguoy] C:\WINDOWS\system32\crjvxm.exe reg_run
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\SpywareRemover <--- the whole folder
    C:\windows\newname9.exe <--- delete any files whose name starts with the text newname and ending in .exe (like newname1.exe, newname2.exe...etc)
    C:\windows\mousepad9.EXE <--- delete any files whose name starts with the text mousepad and ending in .exe (like mousepad1.exe, mousepad2.exe...etc)
    C:\windows\keyboard9.exe <--- delete any files whose name starts with the text KEYBOARD and ending in .exe (like KEYBOARD1.exe, KEYBOARD2.exe...etc)
    C:\windows\GIMMYSMILEYS9.EXE <--- delete any files whose name starts with the text GIMMYSMILEYS and ending in .exe (like GIMMYSMILEYS1.exe, GIMMYSMILEYS2.exe...etc)
    Also look in c:\ for any of the newnameX, mousepadX, keyboardX, GIMMYSMILEYSX files and delete them too
    C:\WINDOWS\SYSC00.exe
    C:\WINDOWS\ms065483135363.exe
    C:\WINDOWS\system32\crjvxm.exe
    C:\WINDOWS\system32\w9caecb1.dll
    C:\WINDOWS\system32\crjvxm.exe
    C:\WINDOWS\system32\dmonwv.dll
    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Now run the FindQool procedure and attach the log so we can work on the Qoologic infection.
     
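    The post above works through a HijackThis log by hand: the R0/R1 browser-setting lines, the F2 UserInit line carrying an extra executable, the O4 Run entries pointing at files dropped straight into the Windows folder or loaded through RUNDLL32 by bare name, and the O9 entries whose target file is missing. The following script is an added example written for this thread, not code from MajorGeeks, HijackThis, or chaslang: it parses those line types into records and applies the same checks that the reply applies by eye, so a reader can see why each line was selected. The sample log is constructed from the lines quoted in the post (plus the RealPlayer scheduler line quoted later in the thread as a benign control); the System32 and host allowlists are constructed assumptions and would be extended for a real machine. It handles any O4/F2/O9/R0/R1 lines in that format, not only the ones quoted here.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: the HijackThis lines quoted in the post above, plus the
# RealPlayer scheduler line from a later post so one benign entry is present.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ewheirs.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
O4 - HKLM\..\Run: [cjnnxk] C:\WINDOWS\system32\crjvxm.exe reg_run
O4 - HKLM\..\Run: [w9caecb1.dll] RUNDLL32.EXE w9caecb1.dll,I2 0001fc6b09caecb1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: UserInit=(?P<value>.*)$')
O9_RE = re.compile(r'^O9 - (?P<label>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
R_RE = re.compile(r'^(?P<kind>R[01]) - (?P<key>.*?) = (?P<value>.*)$')

WINDIR = r'c:\windows'
SYSTEM32 = WINDIR + r'\system32'
# Constructed allowlists (assumptions for this example): Windows binaries that
# legitimately appear in Run keys, and hosts the owner chose on purpose.
KNOWN_SYSTEM32 = {'ctfmon.exe', 'userinit.exe', 'rundll32.exe'}
TRUSTED_HOSTS = {'www.majorgeeks.com'}


@dataclass
class Entry:
    kind: str                 # HJT section: R0, R1, F2, O4, O9
    ident: str                # short handle: Run value name, CLSID, registry value
    raw: str
    flags: list = field(default_factory=list)


def image_of(cmd: str) -> str:
    """Return the executable part of a Run command (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def check_run_command(cmd: str, flags: list) -> None:
    """Flag the placements the thread treats as suspicious for O4 entries."""
    low = image_of(cmd).lower()
    directory, _, base = low.rpartition('\\')
    if base == 'rundll32.exe':
        # RUNDLL32 loads whatever module is named next; a bare DLL name with no
        # path is resolved via the search path, which hides where it really lives.
        parts = cmd.strip().split(None, 1)
        module = parts[1].split(',')[0].strip() if len(parts) > 1 else ''
        if '\\' not in module:
            flags.append(f'rundll32 loads bare module name: {module}')
    elif directory == WINDIR:
        flags.append('executable placed directly in the Windows folder')
    elif directory == SYSTEM32 and base not in KNOWN_SYSTEM32:
        flags.append('unlisted executable in system32: verify the file')


def parse_line(line: str):
    line = line.strip()
    if m := O4_RE.match(line):
        e = Entry('O4', m['name'], line)
        check_run_command(m['cmd'], e.flags)
        return e
    if m := F2_RE.match(line):
        e = Entry('F2', 'UserInit', line)
        # UserInit should name only userinit.exe; anything appended runs at logon.
        for part in m['value'].split(','):
            part = part.strip()
            if part and part.lower().rpartition('\\')[2] != 'userinit.exe':
                e.flags.append(f'extra UserInit entry: {part}')
        return e
    if m := O9_RE.match(line):
        e = Entry('O9', m['clsid'], line)
        if m['path'].endswith('(file missing)'):
            e.flags.append('orphaned entry: target file missing')
        return e
    if m := R_RE.match(line):
        e = Entry(m['kind'], m['key'], line)
        value = m['value']
        if value.lower().startswith(('http://', 'https://')):
            host = urlparse(value).hostname or ''
            if host not in TRUSTED_HOSTS:
                e.flags.append(f'browser setting points at unapproved host: {host}')
        return e
    return None


def parse_log(text: str) -> list:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def flagged(text: str) -> dict:
    """Map each flagged entry's ident to its list of reasons."""
    return {e.ident: e.flags for e in parse_log(text) if e.flags}


if __name__ == '__main__':
    for ident, reasons in flagged(SAMPLE_LOG).items():
        print(f'{ident}: ' + '; '.join(reasons))
```

Running it prints one line per flagged entry; the RealPlayer entry in Program Files and the `\blank.htm` Local Page pass through unflagged, which is the point of parsing first and judging second: the same rules apply to every line, and a benign startup item is not confused with a dropped file just because both live in Run.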
  8. Chief

    Chief Private E-2

    I removed Symantec and left AVG. I also got rid of the other programs as well. The hidden files were already enabled. When I went into Windows Explorer many of the files were not there such as the system32 files. Also the newname and keyboards files were .dat and not .exe so I did not delete them.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tell me the exact filenames you saw. There are .dat files showing up that are bad too.


    Also you forgot to attach the followup HJT log I requested and you did not try running the FindQool procedure again and attach its log. We need to get this procedure to work. Make sure you really extracted the files from the ZIP. It still sounds like you were trying to run the qlocate.bat file from inside the ZIP file.
     
  10. Chief

    Chief Private E-2

    Sorry I thought I put those logs on but obviously not. The files I found and did not delete were newname.dat, keyboard81.dat, and keyboard91.dat.
     
    Last edited: Jun 12, 2007
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete those three files too.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  12. Chief

    Chief Private E-2

    Thank you very much for all your help, it is greatly appreciated. However, I have noticed that my computer still seems to be running a bit slow especially during startup. Could this be caused by malware?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your last log. It is possible that there has been some effect on your PC's performance due to whatever damage the malware caused while it was installed. However your last HJT log shows nothing. You can have HJT fix the two below unnecessary startups (they are not malware, they are just not needed):

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    If you want to check a little deeper we could run a few other scans. Just let me know if you would like to try this. But if you have completed the How to protect thread, you will have an apparent slow down in startup due to a firewall being installed. This is a necessary sacrifice of performance for protection.
     
    Last edited: Apr 14, 2006
  14. Chief

    Chief Private E-2

    I would appreciate it if you would show me how to run those scans. I noticed the slow speed before I had downloaded ZoneAlarm. I also noticed that in my HijackThis log I had the following on startup:
    04 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    04 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    Can these be removed as well? Do you happen to know what the first does?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have and use iTunes? See: http://www.liutilities.com/products/wintaskspro/processlibrary/iTunesHelper/

    Do you use AIM? I have no idea what the AOLLaunch.exe application is supposed to do or why it needs to always load at startup but it is from AOL. You could always try removing it with HJT and if it causes you a problem, you can restore it from the backup that HJT makes. Another alternative is to just use MSconfig to disable it from loading at startup and see what happens.


    Here are the other scans to run!

    Download & run Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that looks like fsbl-xxxxxxx.log
    • Please attach the Blacklight log file here.
    Now run the below Ewido scan and attach the Ewido log:

    Running Ewido Anti-Malware
     
  16. Chief

    Chief Private E-2

    I have iTunes and use it so I just let that go, however I didn't need AIM at startup so I just disabled it. I ran Blacklight and nothing was found, but Ewido did find several things that it fixed.
     
    Last edited: Jun 12, 2007
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay Ewido found some more remnants of the Virtumonde infection but they were basically inactive.

    How are things working now? You can uninstall Ewido now too unless you plan to buy it.
     
  18. Chief

    Chief Private E-2

    Well, it seems that things are running a bit better now so I would just like to offer you many thanks for all the time you spent helping me out. It is greatly appreciated. Besides, if anything else starts to happen I think I know where I can turn for help.

    Thanks Again!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
