Need help with not-a-virus:Adware.Win32.Virtumonde.bjl

Discussion in 'Malware Help (A Specialist Will Reply)' started by DBsummit, Dec 15, 2007.

  1. DBsummit

    DBsummit Private E-2

    Hi, I'm new here. I've had an infection problem for a few weeks now. I know I got it when I was trying to help someone get a Microsoft Office Key and I downloaded a virus instead of a Key Generator.

    I had Nod32 but it wasn't getting rid of the problem. After a little research I tried VundoFix and replaced Nod32 with Kaspersky. I think they removed some things, but I've still been getting alerts about every half hour. It seems to have been getting worse as well; I'm not sure if it's related, but now every time I open up Firefox, it gives me an error message that it has encountered a problem and needs to close.

    I went through the steps for the Windows XP cleaning procedure on here, but (I apologize for this) when I tried to get a report from AVG Anti-Spyware, there was nothing there to save, so that's missing. EDIT: Wait, I just realized I had to hit "New Scan" before it generated a report for me. I'll attach it in the next post since I can't figure out how to do it here while I'm editing this post.


    Oh and I think ComboFix stopped working when it was deleting files...after about an hour, I closed it...ComboFix.txt is probably incomplete and worthless.
     
    Last edited: Feb 18, 2008
  2. DBsummit

    DBsummit Private E-2

    Here's the AVG Report.
     
    Last edited: Feb 18, 2008
  3. DBsummit

    DBsummit Private E-2

    I tried running ComboFix again and it just hung while it was deleting files again, crashing Windows Explorer as well, and when I tried to run it again through the Task Manager, it would give me the "explorer needs to close" error again every time.

    I'd like to get this fixed soon, it's getting very annoying.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    First run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0

    Is the below proxy server setting something you configured and require?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 201.247.248.117:6588

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {23E16309-6D72-4C05-9DC3-1CE90567A8E2} - C:\WINDOWS\system32\awvvw.dll (file missing)
    O2 - BHO: (no name) - {68657764-C05D-4683-803C-EFFC86CC1C01} - C:\WINDOWS\system32\vturs.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Weather Studio - {849CC480-5983-4D30-A12C-774E8E8D8291} - C:\Program Files\Weather Studio\bin\WeatherStudio.dll (file missing)
    O2 - BHO: {321a5dc3-e9a3-1518-4964-bfbb41232e6b} - {b6e23214-bbfb-4694-8151-3a9e3cd5a123} - C:\WINDOWS\system32\fjtfiarx.dll
    O3 - Toolbar: Weather Studio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - C:\Program Files\Weather Studio\bin\WeatherStudio.dll (file missing)
    O4 - HKLM\..\Run: [cc528e63] rundll32.exe "C:\WINDOWS\system32\etcbrtwa.dll",b
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O20 - Winlogon Notify: yayaxur - C:\WINDOWS\

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Jim\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  5. DBsummit

    DBsummit Private E-2

    Wow, thank you so much. You have fixed my Firefox and Windows Explorer problem. I still haven't got any reports about the malware yet, let's hope it stays that way. The only step I didn't do was I didn't download and install the Java Runtime Environment yet, I'm late for work as I type this.

    Here are the logs.

    Thanks again.
     
    Last edited: Feb 18, 2008
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see you logged in. Hang around for a few minutes. I'm looking thru your logs now and will give you a status report soon.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my question about the proxy setting. Please answer now!

    Also if you have not updated Java, please do it now.

    You are still infected and I have to work up another fix. DO NOT reboot or power down as that could change the problems and make my fix not work.
     
  8. DBsummit

    DBsummit Private E-2

    I don't know about the proxy setting and I couldn't find it in Firefox or Internet Explorer, so I don't know where it's from.

    Edit: Wait, I just found it in the LAN settings for Internet Explorer. It's not being used anyway, as it is greyed out.

    Also I did install Java a few minutes ago.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We'll fix it anyway since you said you don't use it.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 201.247.248.117:6588
    O2 - BHO: {837ba2ee-98b1-46c9-8714-5398f8966781} - {1876698f-8935-4178-9c64-1b89ee2ab738} - C:\WINDOWS\system32\aqnfmufr.dll
    O2 - BHO: (no name) - {AB910831-1B99-4E5B-8CB4-09F23D889387} - C:\WINDOWS\system32\vturs.dll (file missing)

    After clicking Fix, exit HJT.

    Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
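The HijackThis lines chaslang asked to be fixed in posts 4 and 9 share a handful of structural tells, and a small triage script makes them explicit. The block below is an added example, not code from the thread, from MajorGeeks or from HijackThis. It parses the R1/O2/O3/O4/O20 line formats shown above and flags a ProxyServer pointing at a public IP, BHO or toolbar entries whose module is gone from disk, unnamed or GUID-named BHOs loading a DLL from system32, rundll32 autostarts of a system32 DLL under a random value name, and a Winlogon Notify package with no DLL path. The sample lines are copied from the two fix lists; the regular expressions, the RANDOM_VALUE_RE heuristic and the Finding class are this example's own assumptions.

```python
"""Triage HijackThis-style log lines for Vundo/Virtumonde indicators.

Added example, not code from the MajorGeeks thread or from HijackThis. The
sample lines are the entries chaslang asked to be fixed in posts 4 and 9;
the matching rules and heuristics below are this example's own assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the R1/O2/O3/O4/O20 lines quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 201.247.248.117:6588
O2 - BHO: (no name) - {23E16309-6D72-4C05-9DC3-1CE90567A8E2} - C:\WINDOWS\system32\awvvw.dll (file missing)
O2 - BHO: (no name) - {68657764-C05D-4683-803C-EFFC86CC1C01} - C:\WINDOWS\system32\vturs.dll
O2 - BHO: {321a5dc3-e9a3-1518-4964-bfbb41232e6b} - {b6e23214-bbfb-4694-8151-3a9e3cd5a123} - C:\WINDOWS\system32\fjtfiarx.dll
O3 - Toolbar: Weather Studio - {C6139A57-16FB-4FA4-8045-A847FBFFD695} - C:\Program Files\Weather Studio\bin\WeatherStudio.dll (file missing)
O4 - HKLM\..\Run: [cc528e63] rundll32.exe "C:\WINDOWS\system32\etcbrtwa.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: yayaxur - C:\WINDOWS\
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PROXY_RE = re.compile(r"^R1 - HKCU\\.*ProxyServer = (?P<proxy>\S+)$")
BHO_RE = re.compile(rf"^(?P<sec>O2|O3) - (?:BHO|Toolbar): (?P<name>.+?) - (?P<clsid>{GUID}) - (?P<target>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
SYS32_DLL_RE = re.compile(r"\\system32\\[A-Za-z0-9_]+\.dll", re.IGNORECASE)
# Assumption (heuristic): legitimate Run value names such as "QuickTime Task"
# or "NvCplDaemon" carry capitals or spaces; Vundo's are short lowercase/hex.
RANDOM_VALUE_RE = re.compile(r"^[a-z0-9]{5,12}$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def proxy_is_suspicious(proxy: str) -> bool:
    """True if ProxyServer points at a routable (non-private) IP address.

    A machine that never used a proxy but has one set to a public address is
    the classic hijack: every HTTP request is relayed through a third party.
    """
    host = proxy.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname: cannot be judged offline, leave to the analyst
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if it looks benign."""
    m = PROXY_RE.match(line)
    if m:
        if proxy_is_suspicious(m["proxy"]):
            return Finding("R1", f"proxy hijack to public address {m['proxy']}", line)
        return None
    m = BHO_RE.match(line)
    if m:
        target = m["target"]
        if "(file missing)" in target or "(no file)" in target:
            return Finding(m["sec"], "orphaned entry: registered module no longer on disk", line)
        unnamed = m["name"] == "(no name)" or re.fullmatch(GUID, m["name"]) is not None
        if unnamed and SYS32_DLL_RE.search(target):
            return Finding(m["sec"], "unnamed/GUID-named BHO loading a system32 DLL", line)
        return None
    m = RUN_RE.match(line)
    if m:
        cmd = m["cmd"]
        if (cmd.lower().startswith("rundll32") and SYS32_DLL_RE.search(cmd)
                and RANDOM_VALUE_RE.match(m["value"])):
            return Finding("O4", "rundll32 autostart of a system32 DLL under a random value name", line)
        return None
    m = NOTIFY_RE.match(line)
    if m:
        if not re.search(r"\.dll$", m["target"], re.IGNORECASE):
            return Finding("O20", "Winlogon Notify package without a DLL path", line)
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every non-empty line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            finding = classify(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.line}")
```

Run as-is it reports seven of the eight sample entries; the QuickTime Task autostart, which chaslang also had removed, is not flagged because the rules key on malware structure rather than on whether an autostart is wanted. Names such as awvvw.dll or vturs.dll change from one Vundo infection to the next, so the checks deliberately look at what the entry is (no name, missing file, rundll32 plus system32, Notify package without a DLL) instead of at filenames.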
     
  10. DBsummit

    DBsummit Private E-2

    Okay, still no virus alerts have been popping up except for combofix.exe every time I restart.
    (Also, judging from what I read in avenger.txt something went wrong?)
     
    Last edited: Feb 18, 2008
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying that ComboFix is trying to run each time you startup? Or are you saying you have an alert from Kaspersky or AVG Antispyware about ComboFix trying to run?


    Yes it did not work and you need to try again. But this time exit/shutdown AVG AntiSpyware and Kaspersky first and also make sure you close all your browsers too.
     
  12. DBsummit

    DBsummit Private E-2

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall AVG Antispyware. It may be necessary to uninstall Kaspersky if we cannot get this to run. The only other way to remove the files is manual (and you may have problems doing this if the malware blocks it) or using ComboFix which you could not get to run and that could also be due to Kaspersky.

    Cannot read them! Don't take screen snap shots. Just take snapshots of the popup. Are these popups about ComboFix?
     
  14. DBsummit

    DBsummit Private E-2

    I think I got it to work on the third try. It may be worth noting that my internet was still disabled when I started back up and I had to manually enable the connection again.
     
    Last edited: Feb 18, 2008
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now I need a new MGlogs.zip file.

    Also I cannot read your popups. Are they still occurring?
     
  16. DBsummit

    DBsummit Private E-2

    Yes they occur every time I start the computer again, one snapshot says something about catchme.cfexe which I believe is part of ComboFix. The other one says combofix.exe has a virus called HeiruInvader.

    Why is it that you cannot read them, are they too big for you?

    I've cropped the screenshot images to show only the popups.
     
    Last edited: Feb 18, 2008
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes this is all part of ComboFix and this is why you could not get ComboFix to run. You blocked it from running with Kaspersky. You should have allowed it to run.

    The resolution was not good enough to read just by clicking on the link. The way they come up in IE changes the resolution. If I download them, then I can read them but that is more work. If you just take snapshots and post them here, it is easier and it also gives us a future reference since your offsite links will eventually disappear.


    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  18. DBsummit

    DBsummit Private E-2

    > Yes this is all part of ComboFix and this is why you could not get ComboFix to run. You blocked it from running with Kaspersky. You should have allowed it to run.

    That's not true. I've always allowed it to run and hit skip as opposed to quarantine or delete.

    If I had blocked it, it would have stopped alerting me about it a long time ago.

    > The resolution was not good enough to read just by clicking on the link. The way they come up in IE changes the resolution. If I download them, then I can read them but that is more work. If you just take snapshots and post them here, it is easier and it also gives us a future reference since your offsite links will eventually disappear.

    Use Firefox =P



    I'll delete all that stuff now. Thank you very much, you've been a great help.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay but something about Kaspersky is still treating it incorrectly and it still may have been the reason that it was not able to run initially.

    I do but just not all the time. It is actually more of a hindrance while working in the forum with the things I need to do. It does not behave well with vBulletin code and does lots of strange things to fixes we try to post. And if we don't notice them, the fixes would not work. Thus rather than having to double check all the time, it is easier to not use it while doing most of the work here.
     
    Last edited: Dec 17, 2007
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh and one other thing I should mention, out of fairness to IE. I could disable the automatic image resizing in Advanced options but that messes up other things I need to do and I don't want to keep changing it. It is just easier to have smaller snapshots taken and posted here anyway like I said for future reference.
     
