Virtumundo HELP -- I'm Very Lost

Discussion in 'Malware Help (A Specialist Will Reply)' started by tragik, Jan 12, 2005.

  1. tragik

    tragik Private E-2

    So I've read probably almost all the threads on here about getting rid of this Virtumundo spyware, however I still cannot get rid of it. I haven't gone into a safe mode or anything for fear of deleting things that shouldn't be deleted because in all honesty, I really don't know what I'd be doing in there. I have included a HijackThis log (as that seems to be the thing to do) and was hoping someone could really give me a nice step by step method of getting rid of this thing! I'm running on XP, have McAfee and run Spybot/Ad-Aware every few days and to my knowledge, Virtumundo is the only spyware left on my computer...I could really use the help getting rid of this! Thanks for the help!
     


  2. PhilliePhan

    PhilliePhan Guest

    Hi tragik,

    You still have a number of different malware issues on your machine. inetadpt.dll is the only Virtumundo-related item that I noticed and we need a special tool to deal with that one.

    You should also look in Add/Remove programs for 180Solutions and remove it.

    Please download this tool: LSP-Fix


    Now, run LSP-Fix

    Check the Box labeled "I know what I'm doing" and then click on the inetadpt.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move inetadpt.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.


    Then, please relocate HijackThis to a SAFER folder - C:\Program Files\HijackThis.

    Now, rescan with HJT - note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray. Last time, there were a couple IE windows open. Attach that log and we'll deal with the rest of the malware on your machine. Also, let me know how you fared with the above instructions.
    I will try to check back when time permits.

    Best luck :)
    PP
     
  3. tragik

    tragik Private E-2

    Hey, thanks for the help I really appreciate it. Anyways, I did all that and hopefully that will help/solve some of the problems I'm having with my computer. Anyways, I have attached an updated HJT file so whenever you get the chance, please take a look and let me know what else I can do to fix it! Thanks again!
     


  4. PhilliePhan

    PhilliePhan Guest

    I'll run through your log and post a fix - Probably in the wee hours tonight.

    In the meantime, please move HijackThis to a SAFER folder - C:\Program Files\HijackThis

    I also suggest Uninstalling P2P Networking as this will only invite more of the same problems.

    Were you able to find 180Solutions and remove it?

    PP :)
     
  5. PhilliePhan

    PhilliePhan Guest

    Hi Tragik,

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    P2P Networking
    180 Solutions


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and try to END it if possible:

    P2P Networking.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\Windows\nem219.dll (file missing)
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\Windows\systb.dll (file missing)
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - (no file)

    O4 - HKLM\..\Run: [P2P Networking] C:\Windows\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [bkzszjtanuyh] C:\Windows\System32\szbpfg.exe
    O4 - HKLM\..\Run: [conscorr] C:\Windows\conscorr.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [dytab] C:\WINDOWS\dytab.exe

    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.140/code/PWActiveXImgCtl.CAB


    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\SideFind ---> The Folder
    C:\WINDOWS\dytab.exe
    c:\program files\180solutions ---> The Folder
    C:\Windows\System32\P2P Networking ---> The Folder
    C:\Windows\System32\szbpfg.exe
    C:\Windows\conscorr.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
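
An added example, not part of PhilliePhan's post and not HijackThis's own code: a small Python parser for the kind of HijackThis entry lines listed in the post above. It separates orphaned entries marked "(file missing)" or "(no file)", where only the registry reference remains, from entries that still point at a file on disk. The sample lines are copied from the thread; the function names and section descriptions are this example's own.

```python
import re

# Section codes seen in this thread, with their usual HijackThis meaning.
SECTIONS = {"R0": "IE start/search page", "R1": "IE start/search page",
            "O2": "Browser Helper Object", "O3": "IE toolbar",
            "O4": "autostart entry", "O9": "IE extra button",
            "O16": "ActiveX download"}
ENTRY = re.compile(r"\s*([RO]\d{1,2})\s+-\s+(.*)")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)  # paths may contain spaces
ORPHAN = re.compile(r"\((?:file missing|no file)\)")

# Sample lines copied from the post above.
SAMPLE = r"""
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\Windows\systb.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O4 - HKLM\..\Run: [P2P Networking] C:\Windows\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [dytab] C:\WINDOWS\dytab.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
"""

def parse_entry(line):
    """Split one log line into section code, CLSID, file path and orphan flag."""
    m = ENTRY.match(line)
    if not m:
        return None  # header lines, blank lines, process list
    code, rest = m.groups()
    clsid, path = CLSID.search(rest), PATH.search(rest)
    return {"code": code, "kind": SECTIONS.get(code, "other"),
            "clsid": clsid.group(0) if clsid else None,
            "path": path.group(0) if path else None,
            "orphan": bool(ORPHAN.search(rest))}

def parse_log(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]

def orphaned(text):
    """Entries whose target is already gone: only the registry reference remains."""
    return [e for e in parse_log(text) if e["orphan"]]

def files_on_disk(text):
    """Lower-cased paths that entries still point at (Windows paths are case-insensitive)."""
    return sorted({e["path"].lower() for e in parse_log(text)
                   if e["path"] and not e["orphan"]})

if __name__ == "__main__":
    for e in parse_log(SAMPLE):
        print(e["code"], e["kind"], "ORPHAN" if e["orphan"] else e["path"] or "-")
```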
     
  6. tragik

    tragik Private E-2

    ok i did all that. hopefully that should clean things up a bit. i attached the log, please take a look when you get a chance and let me know! thanks a million!
     


  7. PhilliePhan

    PhilliePhan Guest

    Hi Tragik,

    Things look OK.

    You can fix this with HJT:
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    Please take a peek at Chaslang's suggestions: How to protect against malware

    PP :)
     
