*sigh* another virtumundo problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by spam, Mar 4, 2005.

  1. spam

    spam Private E-2

    i apologize to be taking up your time but i've spent hours trying to get rid of virtumundo but maybe i'm just a sped when it comes to technology. i've read through Virtumundo Problems/Resolution and scanned my computer multiple times. i was able to delete about 15 adware files but the ones that i can't seem to be able to delete are "cvs.dat" and "sndelo.dat" i've read through some of the specific directions you gave other members and ran hijack, hoping that i might have the same type of files and be able to fix my problem by following similar directions. unfortunately, i'm still infected. programs are running slower, my internet connection lags, i suffer through popups - a couple of xxx ones, my IE gets frozen a lot, sometimes websites would load slower than they're supposed to, i have low virtual memory problems, etc. i've disabled system restore, enabled the viewing of hidden files, and now i'll wait to see if anyone out there can possibly help. virtumundo is killing me. =[

    p.s. first time posting in the majorgeeks forum so i apologize if i've neglected a rule. :eek:
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you are running WinXP or WinME be sure System Restore is DISABLED!

    Download the Removal Tool


    Then, follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs. TIP: Create a folder on your C:\ drive for the tools/utilities you will need to use. For example: Navigate to your Program Files directory, right click on a blank spot in the window > choose New > Folder. Name this folder Spyware Tools. Now you can save the needed tools to this folder and if you prefer, create sub-folders named for each individual utility.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. spam

    spam Private E-2

    i followed the directions from the sticky and scanned my comp with the programs twice. however, it still says that i have adware - virtumundo on my computer. =[
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  5. spam

    spam Private E-2

    ok, ive uploaded the log. and here's some other info. that you might want to know.

    here's what i got from the second time i scanned things (in order from which program i used first):

    housecall - 16 viruses - deleted them
    symantec - 9 viruses
    stinger - nothing
    cwshredder - nothing
    kill2me - nothing
    hsremove - 10 items - deleted
    spybot - nothing
    microsoft virus scan - 2 virtumundo adwares - quarantined because they couldn't be deleted.
     

    Attached Files:

  6. PhilliePhan

    PhilliePhan Guest

    Your HijackThis is waaaay out of date: Logfile of HijackThis v1.97.7 and you are running it from an unsafe location. Please read bjgarrick's last post and follow his instructions so that we can get you fixed up in a timely manner!

    PP :)
     
  7. spam

    spam Private E-2

    woops. i apologize. =[ ok, so i've placed it in C:\Program Files\HJT (its own folder) but when i extract the latest hijackthis to the folder, my Microsoft Security Center deletes the file and says it's infected with a W32/Generic.worm!p2p and deletes it automatically. that's why i have the older version. it's the only one that seems to work.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You need to update your McAfee Virus Definitions. This is a known problem with the new version of HJT. There is NO virus in HJT. Simply, update your definitions and then run the new HJT and post your log so we can get you cleaned up.

    Download Hijack This 1.99.1


    As PP mentioned, after you download the new version of HJT, place it in a safe location.

    Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.
     
  9. spam

    spam Private E-2

    okay, i think i got it now. here's the log file again. hope i did it right.
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you familiar with Cursors? Seems you have some type of Cursors installed.


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvseriesensation.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://by22fd.bay22.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=96b5b42 5dd126c19591669f6759927d5&fti=yes
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://controlpad.verizon.net/portal/vasp

    O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\DOCUME~1\GIANGL~1\LOCALS~1\Temp\evawksid.dat (file missing)
    O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\mocrc.dat (file missing)
    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\ccaca.dat (file missing)
    O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\alueofni.dat
    O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\niwten.dat (file missing)
    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\ipatrba.dat

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O4 - HKLM\..\Run: [acacc] C:\WINDOWS\msagent\acacc.exe
    O4 - HKLM\..\Run: [*acacc] C:\WINDOWS\msagent\acacc.exe
    O4 - HKLM\..\Run: [*vbnet] C:\WINDOWS\inf\vbnet.exe
    O4 - HKLM\..\Run: [*asc] C:\WINDOWS\AppPatch\asc.exe
    O4 - HKLM\..\Run: [*dos] C:\WINDOWS\Web\dos.exe
    O4 - HKLM\..\Run: [*antidvd] C:\WINDOWS\msagent\antidvd.exe
    O4 - HKLM\..\Run: [*xmlutil] C:\WINDOWS\xmlutil.exe
    O4 - HKLM\..\Run: [*vgaeula] C:\WINDOWS\inf\vgaeula.exe
    O4 - HKLM\..\Run: [*accsys] C:\WINDOWS\java\classes\accsys.exe
    O4 - HKLM\..\Run: [*accap] C:\WINDOWS\Web\accap.exe
    O4 - HKLM\..\Run: [*mainas] C:\WINDOWS\msagent\intl\mainas.exe
    O4 - HKLM\..\Run: [*mfcvss] C:\WINDOWS\Fonts\mfcvss.exe
    O4 - HKLM\..\Run: [*webcom] C:\WINDOWS\Registration\webcom.exe
    O4 - HKLM\..\Run: [*vsshard] C:\WINDOWS\inf\vsshard.exe
    O4 - HKLM\..\Run: [*unmain] C:\WINDOWS\msagent\unmain.exe
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\200537161629_mcinfo.exe /insfin
    O4 - HKLM\..\RunOnce: [*infoeula] C:\WINDOWS\Cursors\infoeula.exe rerun
    O4 - HKCU\..\Run: [acacc] C:\WINDOWS\msagent\acacc.exe

    O14 - IERESET.INF: START_PAGE_URL=http://www.hotmail.com

    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab

    O20 - Winlogon Notify: infoeula - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\alueofni.dat
    O20 - Winlogon Notify: oledns - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\sndelo.dat


    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\WINDOWS\msagent\acacc.exe

    C:\WINDOWS\inf\vbnet.exe

    C:\WINDOWS\AppPatch\asc.exe

    C:\WINDOWS\Web\dos.exe

    C:\WINDOWS\msagent\antidvd.exe

    C:\WINDOWS\xmlutil.exe

    C:\WINDOWS\inf\vgaeula.exe

    C:\WINDOWS\java\classes\accsys.exe

    C:\WINDOWS\msagent\intl\mainas.exe

    C:\WINDOWS\Fonts\mfcvss.exe

    C:\WINDOWS\Registration\webcom.exe

    C:\WINDOWS\inf\vsshard.exe

    C:\WINDOWS\msagent\unmain.exe

    C:\WINDOWS\Cursors\infoeula.exe


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  11. spam

    spam Private E-2

    problems that i encountered:
    - 4 of the files that you instructed to "fix" with hijackthis were not deleted. i'm not sure if that's ok?
    - after i booted in Safe Mode and tried to delete files that may remain, the file C:\WINDOWS\Cursors\infoeula.exe could not be deleted. i also see an infoeula.exe program in the C:\WINDOWS page :confused:
    - i find the following to be suspicious files. should i delete them too?

    C:\WINDOWS\msagent\dvditna.bak2

    C:\WINDOWS\java\classes\syscca.bak2

    C:\WINDOWS\msagent\intl\saniam.bak2

    the following is the new log.
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    These type files usually indicate backups. I wouldn't delete them.


    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Cursors (anything relating to Cursors that you do not recognize)


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    infoeula.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\alueofni.dat

    O4 - HKLM\..\RunOnce: [*infoeula] C:\WINDOWS\Cursors\infoeula.exe rerun

    O20 - Winlogon Notify: infoeula - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\alueofni.dat
    O20 - Winlogon Notify: oledns - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\sndelo.dat


    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\WINDOWS\Cursors\infoeula.exe


    NEXT:
    You must run CCleaner !!

    Now, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)


    (If you still can't delete this file, let me know and we will delete it another way.)
     
  13. PhilliePhan

    PhilliePhan Guest

    BJ is correct that these are backups. Unfortunately, they are the backups of the baddies! If you want to keep this nasty from reconstituting itself and coming back, you need to remove all traces of it. Especially those backups!

    Note the pattern to the bad files. Namely the corresponding baddies with the backward spelling.

    C:\WINDOWS\msagent\dvditna.bak2
    C:\WINDOWS\java\classes\syscca.bak2
    C:\WINDOWS\msagent\intl\saniam.bak2

    O4 - HKLM\..\Run: [*antidvd] C:\WINDOWS\msagent\antidvd.exe
    O4 - HKLM\..\Run: [*accsys] C:\WINDOWS\java\classes\accsys.exe
    O4 - HKLM\..\Run: [*mainas] C:\WINDOWS\msagent\intl\mainas.exe


    If you take a look at the generic solutions in the Virtumundo Sticky, you should be able to see how to clean this guy! Delete all of the various extensions that you find. (.exe, .ini, .dat, .bak, etc...)

    If you guys still need help, let me know.

    PP :)
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Thanks PP!
     
  15. PhilliePhan

    PhilliePhan Guest

    No problem! We don't see too many of these since Symantec released their Removal Tool. This latest variety is a bit different - There is more to dig out. Lots of backups, etc... The burden really lies with each user to find all of these various related files since all we can really do is point them in the right direction.

    PP :)
     
  16. spam

    spam Private E-2

    ok, i was able to delete the infoeula file just a couple of minutes ago. things have been going smoother since the first time i deleted the infected files with hijackthis so i want to thank you for that. there's no more popups and low virtual memory problems. however, though my comp doesn't really seem to be infected anymore, my mcafee virus scan still says there's one more adware and i can't seem to be able to delete it. here's a new logfile =]

    p.s i deleted the backups too.
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    msvcc.exe

    kbiis.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\ccvsm.dat

    O4 - HKLM\..\RunOnce: [*msvcc] C:\WINDOWS\security\logs\msvcc.exe rerun
    O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\repair\kbiis.exe ren my_time:1110403133

    O20 - Winlogon Notify: msvcc - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\ccvsm.dat

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\security\logs\msvcc.exe

    C:\WINDOWS\repair\kbiis.exe


    NEXT:
    Run CCleaner
    Note: Be sure you complete this step so it will remove the TEMP folder.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  18. spam

    spam Private E-2

    *crosses fingers* i hope this is it. my mcafee v.s says there's no infected files. :)
     

    Attached Files:

  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do one last scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    O20 - Winlogon Notify: msvcc - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\ccvsm.dat


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:

    Do a search for ccvsm.dat and delete if found.
    Note: When searching go to "All Files & Folders", click on "More Advanced Options" and be sure the first 3 boxes are checked.

    NEXT:
    Run CCleaner
    Note: Only run the first two scans!

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
     
  20. spam

    spam Private E-2

    i can't delete ccvsm.dat =[
     

    Attached Files:

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    O20 - Winlogon Notify: msvcc - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\ccvsm.dat

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    While in Safe Mode, Do a search for ccvsm.dat and delete if found.

    Note: When found give me the EXACT location if you can't delete it in Safe Mode.
     
  22. PhilliePhan

    PhilliePhan Guest

    Again, note the reverse spellings:

    O4 - HKLM\..\RunOnce: [*msvcc] C:\WINDOWS\security\logs\msvcc.exe rerun

    You could try looking in that logs folder for ccvsm & msvcc and try to remove backups, etc... Then try deleting again.

    Looks like you guys got most of it.

    PP :)
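
The reverse-spelling pattern PhilliePhan points out in this post and in the earlier one about the .bak2 files can be checked mechanically. The following is an added example, not part of the original thread or of HijackThis: it pairs file stems and entry names that are each other's reverse, using lines quoted in this thread as constructed sample input. The function names are hypothetical.

```python
import re
from collections import defaultdict
from ntpath import basename, splitext  # Windows path rules on any OS

# Constructed sample: HijackThis lines and file paths quoted in this thread,
# plus one benign control path (notepad.exe) added for contrast.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\ccvsm.dat
O4 - HKLM\..\Run: [*antidvd] C:\WINDOWS\msagent\antidvd.exe
O4 - HKLM\..\Run: [*accsys] C:\WINDOWS\java\classes\accsys.exe
O4 - HKLM\..\Run: [*mainas] C:\WINDOWS\msagent\intl\mainas.exe
O4 - HKLM\..\RunOnce: [*msvcc] C:\WINDOWS\security\logs\msvcc.exe rerun
O20 - Winlogon Notify: msvcc - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\ccvsm.dat
O20 - Winlogon Notify: oledns - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\sndelo.dat
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\msagent\dvditna.bak2",
    r"C:\WINDOWS\java\classes\syscca.bak2",
    r"C:\WINDOWS\msagent\intl\saniam.bak2",
    r"C:\WINDOWS\notepad.exe",
]

# Only unquoted commands are handled; an O4 path containing spaces is cut
# at the first space, which is enough for the 8.3 paths HijackThis prints here.
PATTERNS = [
    ("O4", re.compile(r"^O4 - \S+: \[\*?(?P<name>[^\]]+)\] (?P<path>[A-Za-z]:\\\S+)")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>[A-Za-z]:\\.+)$")),
    ("O2", re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - "
                      r"(?P<path>[A-Za-z]:\\.+?)(?: \(file missing\))?$")),
]


def stem(path):
    """File name without directory or extension, lower-cased."""
    return splitext(basename(path))[0].lower()


def parse_log(text):
    """Return (kind, entry_name_or_None, path) for each O2/O4/O20 line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                entries.append((kind, m.groupdict().get("name"), m.group("path")))
                break
    return entries


def reversed_name_groups(entries, files=()):
    """Group paths whose stem is the reverse of another stem or entry name."""
    paths_by_stem = defaultdict(set)
    names = set()
    for _kind, name, path in entries:
        if name:
            names.add(name.lower())
        paths_by_stem[stem(path)].add(path)
    for path in files:
        paths_by_stem[stem(path)].add(path)

    groups = {}
    for s, paths in paths_by_stem.items():
        r = s[::-1]
        if r != s and (r in names or r in paths_by_stem):  # skip palindromes
            key = tuple(sorted((s, r)))
            groups.setdefault(key, set()).update(paths | paths_by_stem.get(r, set()))
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for pair, paths in reversed_name_groups(parse_log(SAMPLE_LOG), SAMPLE_FILES).items():
        print(pair, *paths, sep="\n    ")
```

A match only means two names mirror each other; each listed path still needs to be reviewed by a helper before anything is removed.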
     
  23. spam

    spam Private E-2

    i didn't find such files in the security\logs folder.

    C:\Documents and Settings\Dung Le\Local Settings\Temp\ccvsm.dat - this is where the file is located. i looked through my folders to see if there's any backups of bad files and i found 2-3 so deleted them but i still can't delete ccvsm.dat. am i running something that's involved with the file w/o knowing it and therefore i can't delete it?

    O20 - Winlogon Notify: msvcc - C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\ccvsm.dat --- even after i deleted this w/ hijackthis, it still comes back.
     
  24. PhilliePhan

    PhilliePhan Guest

    It should also be in your Prefetch folder - You should flush that!

    Then, with viewing of hidden files enabled, use windows explorer to run a search of your computer for:

    bkinst
    msvcc
    ccvsm


    Note that you should leave off file extensions. Let us know what you find.

    PP :)
     
  25. spam

    spam Private E-2

    do you mean that i should delete all the files in my prefetch folders? nothing that looks related to msvcc and bkinstl seems to be in it.

    bkinstl - nothing
    tlsinkb - nothing
    msvcc - nothing
    ccvsm - ccvsm.dat (still can't delete)

    yup, i never include extensions when i search for files =]
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What do you mean by search? Are you using Windows search or are you looking manually using Windows Explorer?
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have to run for awhile so just to keep you moving along, if you are using Windows search you must configure it to look for hidden files too (like we did with Windows Explorer).


    If you use Search, you need to do the following:
    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box,
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.
     
  28. spam

    spam Private E-2

    i use Windows search and i did exactly what you just explained out.
     
  29. PhilliePhan

    PhilliePhan Guest

    Please download Pocket KillBox

    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixmundo.reg


    REGEDIT4

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msvcc]




    Leave it for now.


    Next:
    Make sure you are completely disconnected from the Internet.

    Then, run CCleaner.


    Now:
    DoubleClick on the fixmundo.reg file you made and follow the prompts to allow it to merge the registry entries into the registry.

    NEXT:
    Run Pocket KillBox and select the Delete on Reboot option.
    Type or Copy and Paste C:\DOCUME~1\DUNGLE~1\LOCALS~1\Temp\ccvsm.dat into the box and click the red X to delete it and then YES or OK until KillBox reboots your machine.

    Scan with HJT and attach the log and we'll see if we need to have another go at it.

    PP :)
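
The fixmundo.reg step above removes one subkey of Winlogon\Notify, the key behind HijackThis's O20 lines. The following added example (not from the thread or from any tool named in it) reads an exported copy of that key and flags subkeys whose DllName is not a .dll or sits in a Temp directory, which is how the msvcc entry here stands out. The sample export is constructed, the function names are hypothetical, and it assumes the export was saved as text from regedit.

```python
import re
from ntpath import splitext

NOTIFY = (r"hkey_local_machine\software\microsoft\windows nt"
          r"\currentversion\winlogon\notify") + "\\"

# Constructed sample in regedit export syntax. The msvcc entry mirrors the
# O20 line in this thread; crypt32chain is a stock-looking entry for contrast,
# stored as REG_EXPAND_SZ (hex(2)), here the ANSI bytes of "crypt32.dll".
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msvcc]
"DllName"="C:\\DOCUME~1\\DUNGLE~1\\LOCALS~1\\Temp\\ccvsm.dat"
'''


def decode_value(raw, wide):
    """Decode a .reg string or hex(2) value; wide=True for 5.00 exports."""
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = re.match(r"hex\(2\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).replace(" ", "").split(",") if b)
        return data.decode("utf-16-le" if wide else "latin-1").rstrip("\x00")
    return raw


def parse_notify(export_text):
    """Return {subkey: DllName} for each Winlogon\\Notify subkey in the export."""
    # Long hex values are wrapped with a trailing backslash; join them first.
    text = export_text.replace("\\\r\n", "").replace("\\\n", "")
    wide = not text.lstrip().startswith("REGEDIT4")
    key, found = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Deletion lines such as [-HKEY_...] do not match and are ignored.
            path = line.strip("[]").lower()
            key = path[len(NOTIFY):] if path.startswith(NOTIFY) else None
        elif key and line.lower().startswith('"dllname"='):
            found[key] = decode_value(line.split("=", 1)[1], wide)
    return found


def assess(dll):
    """Reasons a Notify module path deserves a closer look (empty if none)."""
    low, reasons = dll.lower(), []
    if splitext(low)[1] != ".dll":
        reasons.append("module extension is not .dll")
    if "\\temp\\" in low:
        reasons.append("module sits in a Temp directory")
    return reasons


def flag_notify(export_text):
    """Return {subkey: [reasons]} for subkeys with at least one reason."""
    flagged = {}
    for key, dll in parse_notify(export_text).items():
        reasons = assess(dll)
        if reasons:
            flagged[key] = reasons
    return flagged


if __name__ == "__main__":
    for key, reasons in flag_notify(SAMPLE_EXPORT).items():
        print(key, "->", "; ".join(reasons))
```

Running it on an export taken before and after the merge shows whether the entry is gone or has been written back.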
     
  30. spam

    spam Private E-2

    here's the new log ^^
     

    Attached Files:

  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Log is clean! :)

    Are you experiencing any further problems?
     
  32. spam

    spam Private E-2

    :eek: really? thank you so much! you guys are the best!

    ever since you helped me get rid of most of the bad files, things have been going GREAT. even though that ccvsm.dat file was still there, i didn't experience any problems. anyways, i just want to conclude by saying THANK YOU so much for putting up with me for a week. :) i appreciate that you both took your precious time to help me out. those popups and virtual memory problems were killing me =] anyways, time to go reset my settings.

    forever in your gratitude - spam.
    :D :D :D
     
  33. PhilliePhan

    PhilliePhan Guest

    Glad that did the trick! :) Let us know if it pops up again!

    PP
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

