Virtumonde, non-running software, and a frustrated novice.

wraith264 · Nov 22, 2008

Hi there guys, I'm having quite a time with my laptop at the moment. I came here after unsuccessfully dealing with Ad-aware and Spyhunter. I ave been attempting to run through your guide to cleaning Windows XP, all the general guidlines and things but I have run into a problem.

When I get the programs installed I get one of two things. The first is that I simply cannot get the program to run despite repeated install/uninstall sessions. The second is that I manage to get a scan to complete and I tell the computer to remove the viruses. The program removes a few and then informs me that it must reboot in order to remove the rest. I say ok, computer restarts and I am no farther in getting the system running. It remains slow, and when I rerun the virus program, it finds the same viruses on the machine. This has happened with malware bytes, ad-aware, Spybot, Spyhunter, and Super-Anti Spyware. I am simply at my wits end and I would appreciate greatly any wisdom that you may be able to impart. Thank you.

TimW · Nov 22, 2008

Until you attach the requested logs ( those that you can finish), we have no idea what is happening on your system.

wraith264 · Nov 23, 2008

I got MGtools to run and that's it. Everytime I try to install Antispyware it says there has been an error and shuts down. Spybot brings the process up in the task manager and then it dissappears but it is able to scan single files. Malwarebytes simply does not start to run or install. Anyway, Here's the process list from MG.

TimW · Nov 23, 2008

I need the entire C:\MGLogs.zip

In the meantime:
Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {6e54d7d5-6f45-4d2e-9caa-fec44886d414} - C:\WINDOWS\system32\rasawofu.dll
O2 - BHO: (no name) - {7ADEEF9F-A379-4604-8AA5-2C744ABFB3EA} - C:\WINDOWS\system32\mlJCTKBS.dll
O2 - BHO: (no name) - {9e91ef7b-6846-45c3-a8ab-67cf7c900783} - C:\WINDOWS\system32\xXPFWPig.dll
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\Josh\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKLM\..\Run: [zemajekoge] Rundll32.exe "C:\WINDOWS\system32\semasema.dll",s
O4 - HKLM\..\Run: [IUpd721] C:\Documents and Settings\Josh\Application Data\NI.GSCNS\IUpd721.exe
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\Josh\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Josh\LOCALS~1\Temp\csrssc.exe
O20 - AppInit_DLLs: rhnjsa.dll pgkunh.dll wrhlpj.dll ybqtdu.dll hvfeoi.dll frxbxu.dll,C:\WINDOWS\system32\gilavofi.dll veekog.dll
O20 - Winlogon Notify: xxpfwpig - C:\WINDOWS\SYSTEM32\xXPFWPig.dll
Click to expand...

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Files to delete:
C:\WINDOWS\SYSTEM32\xXPFWPig.dll
C:\DOCUME~1\Josh\LOCALS~1\Temp\csrssc.exe
C:\DOCUME~1\Josh\LOCALS~1\Temp\winlogin.exe
C:\WINDOWS\system32\semasema.dll
C:\WINDOWS\System32\rs32net.exe
C:\DOCUME~1\Josh\LOCALS~1\Temp\winlogin.exe
C:\WINDOWS\system32\xXPFWPig.dll
C:\WINDOWS\system32\mlJCTKBS.dll
C:\WINDOWS\system32\rasawofu.dll

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\%username%\Local Settings\Temp

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Log in or Sign up

Virtumonde, non-running software, and a frustrated novice.

wraith264 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

wraith264 Private E-2

Attached Files:

hijackthis.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member