virtumonde and possibly some others! Help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by hacim, Aug 29, 2005.

  1. hacim

    hacim Private E-2

    I picked up virtumonde and possibly some other things. None of my defense programs are getting rid of it.


    I have McAfee, SpywareGuard, Spybot Search and Destroy, SpywareBlaster, and Ewido currently running on my system. I thought I was thoroughly protected, but I guess not! My system is XP.

    Thanks for your help!
    _________________________________________________________________
    The ewido message is

    file- bakimg.dll

    path- c:\windows\SRCHASST

    infection- spyware/virtumonde


    Edit by chaslang: Unrequested inline log removed
     
    Last edited by a moderator: Aug 29, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. Please run the steps below.

    - See the Virtumundo sticky thread: READ ME: Virtumundo Problems/Resolution Threads and run the Symantec tools

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, boot into normal mode and make sure you follow these directions:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. hacim

    hacim Private E-2

    I downloaded both programs mentioned. The pay$$ (dr.) said I have 500 errors or problems on my PC and the Free (dr.) said Virtumondo wasn't found. I keep getting some weird pop ups -- the most prevalent popup ad is winfixer2005

    I can't get rid of HijackThis on my system. I have tried everything to remove it with no luck. Do you have any suggestions, so I can install it the way you previously mentioned.

    Thanks again!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't understand why you are saying you cannot get rid of HijackThis. It is just a tool we use to find and fix problems. You can just delete the file and reinstall as requested. Or you can just move the file from c:\hijackthis.exe to c:\program files\hjt\hijackthis.exe after creating the folder.

    If the steps in my previous post did not help (and assuming the Virtumundo infection has not mutated) follow the below steps:

    Okay let's start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of bakimg.dll once and then click the kill button. After you have killed all of the bakimg.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of bakimg.dll then click the kill button. Once you have done that click ok again. (If you do not find the dll, just continue on.)

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\SRCHASST\bakimg.dll
    O20 - Winlogon Notify: bakimg - C:\WINDOWS\SRCHASST\bakimg.dll


    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.
    In Killbox - put a check next to "Delete on Reboot"
    Copy & paste the following line in bold into the "Full Path of File To Delete" box:

    C:\WINDOWS\SRCHASST\bakimg.dll

    Then click the red button with the X and allow Killbox to reboot then post a new HijackThis log. If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
     
    Last edited: Aug 30, 2005
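    An added helper, not part of this thread or of HijackThis itself: it parses HJT entry lines like the ones chaslang listed (a constructed sample is embedded) and flags the items pointing at the suspect DLL, the orphaned BHO with no file, and the O20 Winlogon Notify hook that keeps the DLL loaded inside winlogon.exe, which is why the thread is killed in Process Explorer before the file can be deleted. It goes a little beyond the one log by accepting any R/F/O entry code; the regexes and names are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the lines chaslang told hacim to fix in post #4,
# plus one ordinary O4 startup line so the filter has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\SRCHASST\bakimg.dll
O20 - Winlogon Notify: bakimg - C:\WINDOWS\SRCHASST\bakimg.dll
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<detail>.*)$")   # "<code> - <detail>"
PATH_RE = re.compile(r"[A-Za-z]:\\\S+?\.(?:dll|exe)\b", re.IGNORECASE)  # first Windows file path

@dataclass
class Entry:
    kind: str                 # HijackThis section code: R0, R1, O2, O20, ...
    detail: str               # text after "<kind> - "
    path: Optional[str]       # first file path found in the line, if any
    reasons: List[str] = field(default_factory=list)

def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis log lines; anything that does not look like an entry is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        detail = m.group("detail")
        p = PATH_RE.search(detail)
        entries.append(Entry(m.group("kind"), detail, p.group(0) if p else None))
    return entries

def flag_entries(entries: List[Entry], suspect_dll: str = "bakimg.dll") -> List[Entry]:
    """Return the entries that deserve a second look, each annotated with why."""
    flagged = []
    for e in entries:
        if e.path and e.path.lower().endswith("\\" + suspect_dll.lower()):
            e.reasons.append(f"loads {suspect_dll}")
        if e.kind == "O2" and e.detail.endswith("(no file)"):
            e.reasons.append("BHO CLSID registered but its DLL is gone (orphaned)")
        if e.kind == "O20":
            e.reasons.append("Winlogon Notify DLL runs inside winlogon.exe")
        if e.reasons:
            flagged.append(e)
    return flagged
```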
  5. hacim

    hacim Private E-2

    I did everything you told me to do. Here is my new HJT log.

    Thanks for your help, i appreciate it!


    Edit by chaslang: Inline log attached.
     

    Attached Files:

    Last edited by a moderator: Aug 29, 2005
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not post logs inline. They must be attached per the instructions I gave you.

    You never ran ALL the steps in the READ ME FIRST.

    It looks like you just ran my fix for Virtumundo and it looks like it fixed it. You did not say!!
     
  7. hacim

    hacim Private E-2

    I already replied to you and stated "I cannot get rid of HijackThis" to install it the correct way (see 15:11)!

    I know absolutely nothing about computers, so I wasn't sure if it was still there or not. Obviously I would have let you know if it were gone!

    Thanks!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes and I already said in message # 4 the below:
    Also this does not explain why you are not attaching the logs instead of copying and pasting them inline. This has nothing to do with the installation.

    And this has nothing to do with why you are not running the READ ME FIRST as required before posting a HijackThis log.

    You knew you had Virtumundo the first time. Why wouldn't you be able to tell it was gone by the same methods that found it to begin with?
     
  9. hacim

    hacim Private E-2

    1. I still have no clue as to how to post the HJT log the way this website wants.

    2. My free EWIDO trial ran out today! This was the only program that was picking up Virtumonde.

    3. My bad for not going to that link. I am in the process of doing all of the recommended things to my PC.

    4. Thanks for all of your help! Do you have a paypal donation account?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is pretty simple. Just create the folder and extract or copy the HijackThis.exe file into the folder and when you run it, run it from that folder.

    To get hijackthis.exe extracted from the ZIP File into the location we requested do the following. The below will work for a WinXP based system since it can deal with ZIP files.

    You need to create the C:\Program Files\HJT folder. Do the following:
    - Click START and select Explore.
    - Select the drive where Windows is installed (normally C:)
    - Navigate to the C:\Program Files folder and select it.
    - Now click on the top menu where it says File and then select New.
    - Then select Folder
    - A new folder is created and highlighted.
    - Just type HJT to overwrite the default name (New Folder)

    To extract hijackthis.exe:
    - locate the HijackThis.zip file you downloaded and right click on it
    - Select Extract All and click Next
    - Browse your way to the C:\Program Files\HJT folder created above
    - Select the folder and click Next



    No we do not!
     
  11. hacim

    hacim Private E-2

    I did all of the recommendations, however ravantivirus wouldn't load! I found a few trojans and was able to get rid of them.

    Thanks a lot for all of your help!
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What trojans did you find and how did you find them?

    Your log is now clean! Are you having any other malware problems?
     
  13. hacim

    hacim Private E-2

    The trojans that were found were:

    pskavs.dll

    polywin32

    Also, folder 1.exe was infected with adaware.


    Thanks
     
  14. hacim

    hacim Private E-2

    The pskavs.dll trojan virus isn't going away. It came up again, after i ran the virus scan.

    C\Window\System32\ActiveScan\pskavs.dll

    Malware name: Win32:ctx


    Do you have any suggestions?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my question as to who/what was finding the problems and exactly where they were found. You only said where pskavs.dll was found.

    pskavs.dll is a file that belongs to the active scan (online scanner) from panda antivirus.
    Some antivirus programs (like Avast) have a big problem with all the files from panda software that contain virus signature detection. This can cause a false positive.

    You may need to add this file to your AV's exclusion (or ignore) list.
     
