VirtuMundo -- opnnm.dll version

I'm sure you see this a lot, but HELP! McAfee has identified a file "c:/winnt/system32/opnnm.dll" as having VirtuMundo, but it can't clean or delete it. Spyware Doctor doesn't even see it; nor do any of my other anti-spyware programs.

My browser does exhibit the symptoms of VirtuMundo: pop-up adds keep popping up, usually to supposed -- yeah, right -- anti-spyware software.

Ran HijackThis. Tried to clear the entries (it's listed as a BHO), but that didn't work. Tried to delete the file both manually and using HijackThis' delete on reboot function. That didn't work. Tried a couple other things that also failed.

The HijackThis logs are attached. Can you help me to get rid of this thing?

 

Ooops! Looks like I had an old/broken version of Ad-Adware. Running a newly downloaded/updated on now. It's found lots of SOMETHING, hoping it's the VirtuMundo. Please don't spend time in a reply until I get back.

Thanks!

PS GREAT site!

 

Been doing all that -- installed/updated all latest versions, running scans now. Not done yet. About the only thing that's popped out is BitDefender identified CCleaner as having some variant of a trojan virus (!). Is this a know goof, or is CCleaner infected? (Downloaded it from the TX site.)

Not done with all the scans yet, so no logs attached.

 

Here's what BitDefender had to say about CCleaner:

C:\Program Files\CCleaner\ccleaner.exe
Infected with: Trojan.Banker.VB.15E70689

C:\Program Files\CCleaner\ccleaner.exe
Disinfection failed

C:\Program Files\CCleaner\ccleaner.exe
Deleted

OK, now I'm afraid to re-install ccleaner and run it. The last thing I want is another problem. Help?

 

OK, ran all the steps. Notes on results are attached as "logs." (I decided that the CCleaner "infection" was a false positive and ran it as instructed in the sticky thread.)

Still having the problem. Still can't delete opnnm.dll, which McAfee still says is infected with VirtuMundo. The HijackThis log is also attached from when I ran it in safe mode. The log includes "opnnm.dll" and a BHO. Delete on reboot did not work. (I also have a copy of the log from normal mode -- will attach to next reply.)

I also have the startup log from HijackThis. Here's the BHO section:

(no name) - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - C:\WINNT\system32\opnnm.dll - {827DC836-DD9F-4A68-A602-5812EB50A834}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll - {B56A7D7D-6927-48C8-A975-17DF180C71AC}

If you need the whole log, from safe or normal mode, I've got it. Please help -- I'm at wit's end!

Thanks!

 

HijackThis log under normal boot mode is attached.

 

Arrrg, the adware keeps hijacking my upload window. Failed to upload the logs and hijackthis log under safe mode. Trying AGAIN (fourth time).

More AAARRRG! Can't get attachements to work now. Well, here are my notes from the various scans:

BitDefender Notes:

C:\Program Files\CCleaner\ccleaner.exe
Infected with: Trojan.Banker.VB.15E70689

C:\Program Files\CCleaner\ccleaner.exe
Disinfection failed

C:\Program Files\CCleaner\ccleaner.exe
Deleted


RAV notes:

Scan started at 9/20/2005 3:18:19 AM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Download\1st page 2000 html editor\setup.exe->(CABSfx)->\data1.cab->[ishld.445]->(SCRIPT0000) - JS/Loop* -> Infected

Scanned
============================
Objects: 69869
Directories: 6817
Archives: 8515
Size(Kb): 1781208
Infected files: 1

Found
============================
Viruses found: 1
Suspicious files: 0
Disinfected files: 0
Mail files: 154


Ad-aware SE:

Appeared to run normally, nothing detected


Spybot S & D:

Appeared to run normally, nothing detected


CWShredder:

"removed" vx2.look2me, but remained present after multiple reboots.


AboutBuster:

appeard to run normally


kill2me:

appeared to remove look2me


hsremove:

removed 8 items, but when run again, said that it again removed 8 items

 

Can't seem to do any more attachments. I have a "better" hijackthis log (more stuff shut off) as well as a hijackthis log from running under safe mode (almost no tasks running). I can post them if you need them or try to attach them again.

Sigh.

 

Um, help? Is there something else you need? Increasingly desperate here...

 

It's not Vundo.B -- at least according to Symantec's new tool here:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.b.removal.tool.html

 

KILLED IT! Yeah!!!!!

Used the KillVundo.bat -- it aced the d### thing. No more WinFixer ads!!! Whooopeeeee!!!!

Thanks for the great site, guys (and gals, if any)!!!

PS It's amazing to me that Symantec, McAfee, et al. couldn't write a tool that worked. Sheesh, what am I paying them for? LOL

Once I have some extra cash, a donation will be forthcoming.

 

Here you go. No unknown BHO's, no O20's, all my scanners (definitely have enough now, LOL) say everything is clean, and my computer is behaving properly for the first time in weeks and weeks! I not a pro, though, so I might still be missing something.

Thanks for all the help!

 

Not sure how CWShredder got on as a service. I just downloaded and ran it. Maybe it's an update? Anyway, after my last log, I killed it myself.

Will do the rest of the cleanup. Thanks for the help!

 

Actually, after I stripped it as a service, I ran it again to see what would happen. Didn't re-appear as a service.

Strange, eh?

Got a testbed somewhere that you can infect with Vundo and then run CWShredder on? Maybe that might help you figure out what's going on. Maybe Vundo or some part of it is trying to hide in a service called CWShredder as camouflage??

In any event, it doesn't seem to do any damage or harm...

 

Ooops, forgot to answer your question -- I downloaded CWShredder from the top TX (USA) major geeks link on this page: http://www.majorgeeks.com/download3019.html

--D

 

Can I e-mail you with where I *think* that I got mine? (Don't want to post it because of potential libel issues -- don't want to get sued.)