Virtumonde, plus unexplained error messages

Discussion in 'Malware Help (A Specialist Will Reply)' started by LAMERS, Feb 1, 2008.

  1. LAMERS

    LAMERS Private E-2

    Really need help. I think I've got the Virtumonde trojan, plus I get loads of error messages appearing on start up with .exe names in them. Also I have a load of files appear in My Docs (pos5 file name). I posted just now and put a HJT log attached in full; sorry, I hadn't read the rules properly, so I will attach instead. I hope someone can help, don't know what to do next.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. LAMERS

    LAMERS Private E-2

    Hi, thanks for looking Chaslang. I've run the checks, which went OK except Spybot: every time I run it my PC shuts down half way through the scan. Please find logs attached.
    Just one other thing: in the C drive I've got loads of files with text docs in them. Haven't got a clue where they have come from, e.g. 3c8e009ee73d1429d824d99eaeUE (that's the file name).
    Once again many thanks

    Paul
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please unlock your capslock key and type messages properly. All caps or all lower case with no punctuation are annoying to read.

    I don't know what you are referring to or where. Also, files cannot have files in them, so I assume you mean these are folder names and inside of the folders you are seeing other files. Where are these folders located? And are the EG: and UE part of the folder name?

    Now Disable Spybot's TeaTimer as requested in the READ & RUN ME
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also while this is open, in the left column now select IE Tweaks, and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!
    Is your copy of Spyware Doctor a paid version or free trial? If free, uninstall it now.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 8
    Java 2 Runtime Environment, SE v1.4.2_08
    Microsoft AntiSpyware <-- Microsoft stopped supporting this a very long time ago.
    • Now click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to ewido anti-spyware 4.0 guard
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\vpioxcqy.dll (file missing)
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm035YYGB
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O20 - Winlogon Notify: vpioxcqy - vpioxcqy.dll (file missing)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    RenV::
    ----a-w           106,496 2008-02-02 12:10:52  C:\WINDOWS\SiSUSBrg .exe
    ----a-w           249,856 2008-02-02 12:10:44  C:\WINDOWS\system32\keyhook .exe
    ----a-w           290,819 2008-01-25 01:24:20  C:\WINDOWS\Fonts\svchost .exe
    ----a-w            94,208 2008-02-02 18:56:12  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
    ----a-w           563,984 2008-02-02 18:55:50  C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper .exe
    ----a-w            32,768 2008-02-02 18:55:06  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
    ----a-w         1,460,560 2008-02-02 12:15:50  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    ----a-w         5,674,352 2008-02-02 18:56:10  C:\Program Files\MSN Messenger\MsnMsgr .Exe
    ----a-w           623,856 2008-02-02 18:55:18  C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon .exe
    ----a-w            67,128 2008-02-02 18:56:34  C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger .exe
    ----a-w         2,027,792 2008-02-02 18:56:02  C:\Program Files\Logitech\QuickCam\Quickcam .exe
    ----a-w           159,744 2008-02-02 18:55:34  C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher .exe
    ----a-w            49,263 2008-02-02 18:55:12  C:\Program Files\Java\jre1.5.0_08\bin\jusched .exe
    ----a-w         1,103,752 2008-02-02 18:55:54  C:\Program Files\Spyware Doctor\pctsTray .exe
    ----a-w            61,440 2008-02-02 18:58:12  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
    ----a-w            25,088 2008-02-02 18:55:22  C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont .exe
    ----a-w           819,262 2008-02-02 18:55:28  C:\Program Files\Trend Micro\Internet Security 2005\PccGuide .exe
    ----a-w           307,200 2008-02-02 18:56:06  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
    ----a-w           473,928 2008-02-02 18:55:32  C:\Program Files\Microsoft AntiSpyware\gcasServ .exe
     
    File::
    C:\WINDOWS\TEMP\scs1C.tmp
    C:\Documents and Settings\Administrator\Local Settings\Temp\iss6.tmp
    C:\WINDOWS\system32\vpioxcqy.dllbox
    C:\WINDOWS\system32\vbzip10.dll
    C:\3186.bat
    C:\7072.bat
    C:\services.exe
    C:\7429.bat
    C:\5129.bat
    C:\6663.bat
    C:\WINDOWS\mrofinu1188.exe.tmp
    C:\WINDOWS\17PHolmes1000106.exe
    C:\WINDOWS\system32\mmmbud1.exe
     
    Folder::
    C:\Documents and Settings\Administrator\Application Data\Viewpoint
    C:\Documents and Settings\All Users\Application Data\Viewpoint
    C:\WINDOWS\UEFVTCBQQVZJTkcgQkxPQ0s
    C:\WINDOWS\system32\nGpxx18
    C:\WINDOWS\system32\pip2
    C:\WINDOWS\system32\gig5
    C:\WINDOWS\system32\eck8
    C:\WINDOWS\system32\86888A8F8E8991
     
    Registry::
    [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
    "{9EF34FF2-3396-4527-9D27-04C8C1C67806}"=-
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
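The RenV:: section of the script above lists executables whose extension was split off by a space (SiSUSBrg .exe, keyhook .exe, and so on) so that ComboFix can rename them back. As an added example that is not from this thread, ComboFix or MajorGeeks, the Python below parses that listing format, works out the restored file name for each entry, and can walk a directory tree for the same symptom; the three sample lines are constructed copies of entries from the listing.

```python
import re
from datetime import datetime
from pathlib import Path

# Constructed sample in the "RenV::" listing format shown in the thread:
# attribute flags, size, timestamp, path. The space before the extension
# is the symptom being repaired, not a typo.
SAMPLE_RENV = r"""RenV::
----a-w           106,496 2008-02-02 12:10:52  C:\WINDOWS\SiSUSBrg .exe
----a-w           249,856 2008-02-02 12:10:44  C:\WINDOWS\system32\keyhook .exe
----a-w         5,674,352 2008-02-02 18:56:10  C:\Program Files\MSN Messenger\MsnMsgr .Exe
"""

# One listing line: 7 attribute flags, comma-grouped size, timestamp, path.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# A file name whose extension is separated from its stem by whitespace.
SPACED_EXT_RE = re.compile(r"^(?P<stem>.+?)\s+\.(?P<ext>[A-Za-z0-9]+)$")


def parse_renv(text):
    """Parse a RenV:: block into dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "attrs": m["attrs"],
            "size": int(m["size"].replace(",", "")),
            "mtime": datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M:%S"),
            "path": m["path"],
        })
    return entries


def restored_path(path):
    """Return the path with the stray space before the extension removed,
    or None when the file name does not show the symptom."""
    directory, sep, name = path.rpartition("\\")
    m = SPACED_EXT_RE.match(name)
    if not m:
        return None
    return f"{directory}{sep}{m['stem']}.{m['ext']}"


def find_spaced_extensions(root):
    """Walk `root` and return files whose name has a space before the extension,
    which is how this symptom would be spotted on a live disk."""
    return [str(p) for p in Path(root).rglob("*")
            if p.is_file() and SPACED_EXT_RE.match(p.name)]


if __name__ == "__main__":
    for e in parse_renv(SAMPLE_RENV):
        print(f"{e['size']:>10}  {e['path']}  ->  {restored_path(e['path'])}")
```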
     
  5. LAMERS

    LAMERS Private E-2

    Hi Chaslang

    First of all, sorry for the caps lock being on in the last post. I have run through what you have advised and everything is running a lot quicker; no error messages now on start up, or pages freezing. Also I have got back 20GB of hard drive now. The only thing that is still outstanding is the folders that have appeared on the C drive, 125 to be exact (3c8e009ee73d1429d824d99eaeUE is one of the folder names; there are loads), also others with the name (found.007).

    once again

    thanks
    Paul
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Okay, what you should have been saying is that you have the below folders on the C drive.
    These are not malware. They are due to your PC having performed a scandisk or chkdsk to look for disk errors. You can just delete those folders.

    You forgot to install the new Sun Java version from the link I gave you.

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  7. LAMERS

    LAMERS Private E-2

    Hi Chaslang

    Well, what can I say, everything seems to be working great. The only little thing that happens when I'm surfing is that Spybot keeps producing a message saying that it is denying the rond.stardoor.com URL. Does this mean that the Virtumonde is still about, and also will I always have this box popping up every time I surf from now on? I hope I've explained this OK.
    once again many thanks
    PS: can you donate to the site through PayPal? The service you have given has been first class.

    regards
    Paul
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure it is Spybot? Do you have Spybot's TeaTimer running? Have you toggled System Restore as requested in message # 6? If not, please toggle it now. Can you post a snapshot of this popup? Also run a full scan with Spybot and save a log (right click in the scan window). Attach the log if anything is found.

    Also, I just noticed you have both Spybot 1.4 and Spybot 1.5 installed. I recommend that you uninstall both versions of Spybot and then reboot. Then download and follow the instructions here, Spybot S&D Installing & Running, for installing and updating the current version of Spybot again. See if you still have detections.

    I have to inquire about something else too that seems to be appearing on a lot of PCs lately. You have Dot1XCfg.exe showing running. It loads as below seen in your HJT log:

    O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe

    dot1xcfg.exe is supposed to be part of Intel PRO/Wireless Network Connection Software. Does this PC have wireless capability? If not then perhaps this is a rogue process trying to hide itself under the guise of being for a wireless interface. Put this Dot1XCfg.exe into a ZIP file and attach it here.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    On further investigation, I'm now betting that you will say you do not have a wireless interface. If this had been the valid wireless card process, it should have been located here: C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

    The process you have appears to be Trojan-Downloader.Win32.Adload.pr as mentioned here: http://www.bleepingcomputer.com/startups/Dot1XCfg.exe-21482.html

    If you do not have a wireless interface, reinstall MGtools (if you already deleted it) so that you can do the below.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe

    After clicking Fix, exit HJT.

    Then reboot and delete the below folder:
    C:\Program Files\Dot1XCfg


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
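Two kinds of HijackThis lines were flagged in this thread: registrations that point at a file which is no longer there ("(file missing)" / "(no file)", as in the O2, O9 and O20 entries above), and a known process name running from the wrong directory (Dot1XCfg.exe under C:\Program Files\Dot1XCfg instead of the Intel wireless path named above). As an added example that is not HijackThis code or anything from MajorGeeks, this Python parses HJT entries and triages them on those two rules; the sample lines are constructed from entries quoted in the thread, and the EXPECTED_DIRS table is an assumption seeded from post 9.

```python
import re

# Constructed sample: HJT lines as quoted earlier in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\vpioxcqy.dll (file missing)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: vpioxcqy - vpioxcqy.dll (file missing)
"""

# Assumed table: where a known executable name is expected to live
# (lower-cased). The Intel path is the one given in post 9.
EXPECTED_DIRS = {
    "dot1xcfg.exe": r"c:\program files\intel\wireless\bin",
}

ENTRY_RE = re.compile(r"^(?P<code>O\d+)\s+-\s+(?P<rest>.*)$")
# First drive-letter path ending in .exe/.dll; paths may contain spaces.
PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\[^()]*?\.(?:exe|dll))(?=\s|$)",
                     re.IGNORECASE)


def parse_hjt(text):
    """Turn HJT 'Oxx - ...' lines into dicts with code, text, path, orphaned."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        pm = PATH_RE.search(rest)
        entries.append({
            "code": m["code"],
            "text": rest,
            "path": pm["path"] if pm else None,
            "orphaned": "(file missing)" in rest or "(no file)" in rest,
        })
    return entries


def triage(entries):
    """Return (entry, reason) pairs an analyst should look at first."""
    findings = []
    for e in entries:
        if e["orphaned"]:
            findings.append((e, "registration points at a file that no longer exists"))
            continue
        if e["path"]:
            directory, _, name = e["path"].lower().rpartition("\\")
            expected = EXPECTED_DIRS.get(name)
            if expected and directory != expected:
                findings.append((e, f"{name} expected under {expected}, found in {directory}"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{entry['code']:<4} {reason}\n     {entry['text']}")
```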
     
  10. LAMERS

    LAMERS Private E-2

    Hi Chaslang
    Sorry about the gap in between posts, I've been away from the PC. I've deleted the file Dot1XCfg. I'm having trouble running Spybot: I've made sure the TeaTimer is turned off, but every time I run a check it shuts the PC down, most odd. Also this rond.stardoor.com page tries to open when online; Search and Destroy stops it but it still leaves a blank web page. I've attached the log.

    once again many thanks

    Paul
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall Spybot now! Then reboot your PC (DO NOT SKIP the reboot). Then delete the below folders:

    C:\Program Files\Spybot - Search & Destroy
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

    Do not reinstall Spybot at this time.

    Now, are you still getting popups? If so, which browser are they appearing in, and which browser were you using when the popup occurred?

    Now run the below procedure and attach the requested log:

    SUPERAntiSpyware - running & getting a log


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Now attach the new C:\MGlogs.zip

    Are popups still occurring? If yes, do they also occur in safe boot mode? Do they occur if no browsers are open (like using your PC for general things without surfing)?
     
    Last edited: Feb 22, 2008
  12. LAMERS

    LAMERS Private E-2

    Hi Chaslang
    I ran the SUPERAntiSpyware as instructed; it picked up a trojan and a load of tracker cookies. I don't seem to be having any pop ups when I'm surfing now. I'm using Internet Explorer, by the way. I haven't installed Spybot again, do I need to? I've run the MG tools and attached the log. Thanks again for your help, the computer is running so much better than I've known for a long time. While I'm on, I've got PC-cillin as anti virus; is this any good? And it won't let me update, it says proxy settings error if using a proxy server. Anyway, thanks for your continued help, much appreciated.

    regards

    Paul
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to attach the log that is requested in that procedure. Please attach it.

    Not yet. You should reinstall when we get to my final instructions and at that time during reinstall, uncheck the Teatimer option.

    This log is incomplete and almost looks like you made it yourself. Did you run C:\MGtools\GetLogs.bat and did you allow it to run all the way to completion? Did you notice any error messages?

    It is a good program. Are you using a proxy? If so, you have to tell PC Cillin your proxy information. The same is true for any program that requires getting updates.


    Your logs are clean but I do suggest that you delete the below large temp file.
    Code:
    "C:\WINDOWS\TEMP\"
    b2wahhwa.tmp  18 Feb 2008   426442752  "b2wahhwa.TMP"

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  14. LAMERS

    LAMERS Private E-2

    Chaslang

    I've run the anti spyware again and MG tools and attached both logs. Hopefully they should be clear. I've just looked at my daughter's PC, oh my god what a mess. Would you be able to do the same process for hers please?

    many thanks

    Paul
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your last logs were clean. ;)

    Yes but you need to run the READ & RUN ME on it and then post the logs in a new thread and describe any remaining issues.
     
  16. LAMERS

    LAMERS Private E-2

    Hi Chaslang

    Thanks for checking everything. I will post my daughter's problems soon. Once again, great service, thank you.
    regards
    Lamers
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
