Virtumundo virus infection. (repair virus?)

Discussion in 'Malware Help (A Specialist Will Reply)' started by NeedALotOfHelp, Mar 8, 2006.

  1. NeedALotOfHelp

    NeedALotOfHelp Private E-2

    yeah i'm new to the whole computer thing but my computer is infected with the virtumundo virus and i guess the tech guy said it's also called the repair virus? i don't know. anyway i get 70 pop ups from IE every time i reboot and it's slowing my CMD ping checks to above one hundred. i tried to take care of this virus with AVG, McAfee, Norton, Microsoft Defender, Spybot, and spyware doctor, unfortunately none of these things have taken care of it :eek: . someone please help!!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to MGs!

    The fix is mentioned in the READ & RUN ME sticky. It points you to the Special Removal Procedures sticky which has the below link:

    Virtumonde aka Trojan Vundo Removal

    Run this procedure and attach your VundoFix log. Then tell us how things are working.
     
  3. NeedALotOfHelp

    NeedALotOfHelp Private E-2

    okay thanks!! but i don't understand the log thing in the end, what does it mean?
     
  4. NeedALotOfHelp

    NeedALotOfHelp Private E-2

    neg. didn't work. i rebooted after i ran the fixer and it was still detected. am i going to have to reformat?? :mad:
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It means you need to post the results of what VundoFix finds. Attach means add the log file to your message as an attachment. Info on how to attach files is in the below link:

    HOW TO: Attach Items To Your Post

    You must run VundoFix exactly as indicated in that link I gave you or it will not work. Try again and attach the log results. We need to see them.
     
  6. NeedALotOfHelp

    NeedALotOfHelp Private E-2

    mm lost me. but it found a task that's been running for over half a year now, that i've been following in task manager.

    sysas.exe
    sysas.bit
    sysas.dat
     
  7. NeedALotOfHelp

    NeedALotOfHelp Private E-2

    blackworm??

    i just got a pop up or warning little thing from IE that said Warning blackworm security breach. title on bar was windows security center and it didn't have advertisement posted anywhere. what do i do?
     
  8. AbbySue

    AbbySue MajorGeeks Administrator

    @ NeedALotOfHelp: I have merged your threads together. I can fully understand your frustration, but to avoid confusion for yourself and those trying to help you it is in your best interest to just reply to this thread as needed with your questions.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to follow the directions we give you or we will not be able to help you.

    Attach the log from VundoFix. And then if you are still having any kind of malware issues you need to follow the directions in the below. I repeat we cannot help you if you cannot help us to help you by following the directions.

    It sounds like in addition to Virtumonde that you have an HSA or about:blank hijacker present. (that is based on the file names you mentioned.)

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky).
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  10. NeedALotOfHelp

    NeedALotOfHelp Private E-2

    okay here's the log from HJT what should i delete?
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps in my previous message! HJT is the last step not the first. Complete all the other steps first.

    Did you install SafeguardProtect shield? Goto Add/Remove programs and look for an uninstall and uninstall it.

    You also did not attach the VundoFix log!
     
  12. NeedALotOfHelp

    NeedALotOfHelp Private E-2

    okay i'm sorry for all the confusion and mix ups here, but i have followed the first step and that is running vundofix. attached is the log. ty.
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Now continue with the rest of the steps from the READ & RUN ME sticky thread given in message number 9 and attach the Bitdefender, Panda, and HijackThis logs that were requested. Also answer my question from message # 11.
     
  14. NeedALotOfHelp

    NeedALotOfHelp Private E-2

    no i didn't download it. when should i run panda and bitdefender?? i also am having trouble opening system restore, i mean the tab from my computer. i have an XP and when i right click my computer and click properties, nothing loads.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not need to do anything with System Restore yet! Just read and follow all the steps in the READ & RUN ME sticky thread. They explain what to download and install and when to run it. And what logs to attach here when finished.
     
  16. NeedALotOfHelp

    NeedALotOfHelp Private E-2

    yeahhh sorry but i ran the software and i also have the logs attached here they are. idk how to get log from panda and safeguard.
     

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We do not ask for an Ad-Aware log anywhere but we do ask for two logs in step 6 from BitDefender and Panda. Those are the two I still need.

    Also look in Add/Remove programs for PCShield, if found uninstall. Tell me what you find.
    Also look in Add/Remove programs for SafeGuardProtect and/or Popup Defence Updater, if found uninstall. Tell me what you find.

    If you installed Ad-Aware SE like the below indicates, uninstall it and then install it in the proper default folder suggested while installing. You also do not need to run it at startup.
    O4 - HKLM\..\RunOnce: [AAW] "C:\Spyware Tools\Ad-Aware.exe" "+b1"


    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to McAfee SecurityCenter Update Manager (if that is not found, look for the short name: mcupdmgr.exe)... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above stop and disable for the following service: Symantec Network Drivers Service

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    mcupdmgr.exe

    Now repeat the Delete NT Service steps for: SNDSrvc

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (file missing)
    O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\DOCUME~1\TEMP\LOCALS~1\Temp\sasys.dat
    O2 - BHO: CATLEvents Object - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - C:\DOCUME~1\TEMP\LOCALS~1\Temp\vrdagv.dat (file missing)
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {B8EF9194-0607-47A4-9FD8-5B62E4D4EC6f} - C:\WINDOWS\system32\flhxgjqd.dll
    O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
    O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_1d1a.dll"
    O4 - HKLM\..\Run: [*sysas] C:\WINDOWS\system32\RAS\sysas.exe
    O4 - HKLM\..\RunOnce: [*sysas] C:\WINDOWS\system32\RAS\sysas.exe rerun
    O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_1d1a.dll"
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
    O20 - Winlogon Notify: maindisk - C:\DOCUME~1\TEMP\LOCALS~1\Temp\ksidniam.dat (file missing)
    O20 - Winlogon Notify: sysas - C:\DOCUME~1\TEMP\LOCALS~1\Temp\sasys.dat

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    Do you really have a User Account named Temp?????? It may be best just to delete that account!
    C:\Documents and Settings\TEMP\Local Settings\Temp\sasys.dat <-- DELETE ALL FILES in the Local Settings\Temp folder
    C:\Documents and Settings\TEMP\Local Settings\Temp\vrdagv.dat
    C:\Documents and Settings\TEMP\Local Settings\Temp\ksidniam.dat
    C:\Program Files\AWS <--- the whole folder
    C:\WINDOWS\system32\flhxgjqd.dll
    C:\WINDOWS\System32\pdfupd.dll
    C:\WINDOWS\system32\RAS <--- the whole folder
    C:\WINDOWS\System32\sfg_1d1a.dll
    c:\counter.cab
    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Mar 19, 2006
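The triage in message 17 works by reading HijackThis lines and flagging the patterns that matter: Winlogon Notify and BHO DLLs living in a Temp folder, Run entries that silently re-register a DLL with regsvr32 /s, a DPF entry pulling a cab from a local file:// path, and orphaned "(file missing)" entries. The script below is an added example, not part of this thread or of HijackThis, that automates those checks over a constructed sample built from the log lines quoted above; the rules and severities are my own reading of the post, not a complete rule set (the `*sysas` Run entry, for instance, is not caught by them).

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: a handful of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\DOCUME~1\TEMP\LOCALS~1\Temp\sasys.dat
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_1d1a.dll"
O4 - HKLM\..\Run: [*sysas] C:\WINDOWS\system32\RAS\sysas.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Spyware Tools\Ad-Aware.exe" "+b1"
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O20 - Winlogon Notify: sysas - C:\DOCUME~1\TEMP\LOCALS~1\Temp\sasys.dat
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
"""

# Every HJT line starts with a section code (R0-R3, O1-O23) followed by " - ".
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)

def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) if the HJT line looks suspicious, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    # Winlogon Notify (O20) and BHO (O2) DLLs loaded from a Temp folder: no
    # legitimate component is installed there, and O20 entries load at every logon.
    if code in ("O2", "O20") and TEMP_DIR_RE.search(body):
        return ("high", "component loaded from a Temp folder")
    # Run/RunOnce entries that silently re-register a DLL on every start.
    if code == "O4" and re.search(r"\bregsvr32\s+/s\b", body, re.IGNORECASE):
        return ("high", "autorun re-registers a DLL with regsvr32 /s")
    # ActiveX download entry sourced from a local file:// cab, not a vendor URL.
    if code == "O16" and "file://" in body.lower():
        return ("medium", "DPF entry points at a local file:// cab")
    # Orphaned entries: not active, but leftover registration to clean up.
    if "(file missing)" in body or "(no file)" in body:
        return ("low", "orphaned entry, referenced file does not exist")
    return None

def triage_log(text: str) -> List[Tuple[str, str, str]]:
    """Return [(severity, section code, reason)] for every flagged line."""
    findings = []
    for line in text.splitlines():
        verdict = triage_line(line)
        if verdict:
            findings.append((verdict[0], line.strip().split(" - ", 1)[0], verdict[1]))
    return findings
```

Running `triage_log(SAMPLE_LOG)` yields six findings: the two Temp-folder entries and the PCShield regsvr32 entry as high, the file:// cab as medium, and the two orphaned entries as low.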
