Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde Winfixer


  • This topic is locked This topic is locked
11 replies to this topic

#1 davestir

davestir

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 09 September 2008 - 08:01 AM

Hi there

I hope to seek yopur help before I give up and wipe the drive
I may have posted this ..but not sure if it was in the right forum

Have followed all your instructions. Panda scan, Stinger, clean up . Tried malware and several others to no avbail.
Can't seem to shake this bug.

I use firefox and Avast and ran a scan with spy bot.

Enclosed is my most recent log as per safe mode

I'm guessing your real busy so will understand if you don't get to it etc

Thanks for your help on the web here... I learned a ton of stuff regardless ( I was in a hurry and thought I was installing a flash update so I know how it happened.... bleepers...

Regards Dave Lenz of Winnipeg

davestir@mts.net

Attached Files



BC AdBot (Login to Remove)

 


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:14 AM

Posted 09 September 2008 - 06:19 PM

Hello. I'm Extremeboy and I will be helping you with your log.

I will need some time to look over your computer's log(s). You may want to keep the link to this topic in your favorites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, to track your topic. The topics you are tracking can be found here.

Please take note of a few guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Important Note: For other users who are reading this topic,the instructions provided in this topic are for the original topic starter ONLY. Even if you have similar problems or even log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic and feel free to link to any relevant topics as needed.Please Do NOT follow the instructions provided for this topic.

Thanks :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:14 AM

Posted 10 September 2008 - 02:32 PM

Hi davestir and welcome to Bleepingcomputer :thumbsup:

I'm just wondering why you ran Hijackthis in Safe Mode, any particular reason, if so please specify in your next reply.
If not when I tell you to run RSIT please run it in Normal Mode.

Also do you know what this folder is: C:\Program Files\jeoptnb ?

Download and Run LSPfix

Download LSPFix and save to your desktop.
alternate download site
alternate download site
  • Go to the LSPfix file and extract (unzip) LSP-Fix into its own folder such as C:\lspfix. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I am doing" checkbox.
  • Select (highlight) all instances of ntdll64.dll in the left column under "Keep".
  • Click the arrow >> so it goes over to the right column under "Remove".
  • Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
  • Restart your computer normally and post a new RSIT log.
For instructions with screen shots, see the "Using LSP-Fix Tutorial".

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download and Run RSIT
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both:
    log.txt (<<will be maximized)
    info.txt (<<will be minimized)


For your next reply please post back with:
  • MalwareBytes Anti-Malware log
  • RSIT log<-Run this after you finish everything else.
Thanks :)

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 davestir

davestir
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 10 September 2008 - 10:08 PM

Wow

okay this will take me a bit ....I ran HJT in safe mode cause I thought that was the protocol?

Okay thanks mang

Awesome oh yes the folder C:\programs\jeoptnb has a dll file called "enchkstr.dll"


davestir

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:14 AM

Posted 11 September 2008 - 07:04 AM

No Promblem I'll wait for your reply.

I asked you do you know what C:\programs\jeoptnb <-That folder is? Did you put it there yourslef or not?

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 davestir

davestir
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 13 September 2008 - 11:36 AM

Hi again

I didn't put that folder C:\programs\jeoptnb on my machine

dloaded lsp - fx but there is no ntdll64.dl listed to remove

Here are the malware and rsit logs



I wonder what you folks recommend for firewall and anti vir? I have Avast and spybot and Malwareshould I have anything else?

Thank again

Davestir

Attached Files



#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:14 AM

Posted 15 September 2008 - 03:03 PM

Hi Davestir,

dloaded lsp - fx but there is no ntdll64.dl listed to remove

Don't worry about that MBAM took care of that and I don't see it in your Hijackthis log so don't worry :thumbsup:


I wonder what you folks recommend for firewall and anti vir? I have Avast and spybot and Malwareshould I have anything else?


Avast is an Anti-virus program, and you should only have ONE Anti-virus program active at one time or it will cause some conflicts and also false positives.
I didn't want you to install a Firewall just yet because your computer was quite infected but I can offer you some free firewall that you can install. I'll give you some links in the next post as you already have a quite of things to do :)

Peer-to-Peer Programs Warning

Your log shows that you are using so called peer-to-peer or file-sharing programs (in your case Lime Wire and U-torrent). These programs allow to share files between users as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.

Fix HijackThis Entries
  • Double click the HijackThis icon on your desktop.
  • Close all other open windows.
  • Select Do a System Scan Only.
  • To the left of each entry you will see a box.Put a checkmark next to the following entries:


    O4 - HKCU\..\Run: [AdmSysUi] C:\WINDOWS\system32\wtobabkb.exe
    O4 - HKCU\..\Run: [monsmart] C:\WINDOWS\system32\reropwvw.exe


    If you no longer see some of the entries, don't worry. It is possible that the uninstaller or removal tool already took care of it.
  • Close all open windows except HijackThis.
  • Click Posted Image and OK.
  • Close HijackThis.

Download and Run OTMoveIT2
  • Please download OTMoveIt2 by OldTimerto your desktop.
  • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quotebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    C:\Program Files\jeoptnb
    C:\WINDOWS\system32\ejgjyvsd.exe
    C:\WINDOWS\system32\wtobabkb.exe
    C:\WINDOWS\system32\reropwvw.exe

  • Return to OTMoveIt2, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Click the red Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Update Java to Version 6 Update 7

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

For your next post please provide the following:
  • OTmoveit log
  • Kaspersky online scan log
  • New RSIT log <-Run this at the end
  • Any more promblems? If so please tell me.
Thanks :)

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 davestir

davestir
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 16 September 2008 - 08:55 PM

As per

didn't do the hapersky scan as using firefox
please find enclosed logs as per

If I forgot to mention this I thank you indeed

davestir

Attached Files



#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:14 AM

Posted 17 September 2008 - 07:18 AM

Hi Daviester.

If you do not mind asking do you live in Canada Winnipeg Mts Allstream Inc, I ask because your Domain traces back there?

Run ESET Online Scan
  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start. If you see a "Security Warning" that asks if you want to install and run a file called "OnlineScanner.cab", click Yes.
  • Click Start. The online scanner will now prepare itself for running on your pc.
  • To do a full-scan, tick: Remove found threats and Scan potentially unwanted applications.
  • Press Scan. The Onlinescan will now start and scan your computer. Please be patient as this a while.
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window.
  • Click Start, then Run.... The the box that appears type with the quotes:
    "C:\Program Files\EsetOnlineScanner\log.txt"
  • The scan results will now open in Notepad
  • Click into the text area, right-click and chose select all. Right-click again and chose Copy.
  • Post back with the log.txt in your next reply.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

Install Firewall

Install a third-party firewall from the following selection of excellent programsThe main reason you would prefer a third-party firewall over the Windows XP Firewall is because Windows Firewall only stops incoming signals from accessing your computer. However, it will not stop Outgoing signles (possibly ones that could intrude your privacy) from sending information to the Internet or to other networks.
After you have installed one of the above firewalls, please disable your Windows Firewall, if you had it enabled.

Please post back with:
-ESET Online Scan log
-Fresh RSIT log

Thanks :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 davestir

davestir
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 17 September 2008 - 03:59 PM

Hey again

I do you live in Canada Winnipeg Mts Allstream Inc,

I'm guessing I should not use Avast?

Here are the recent logs

Thanks

Attached Files



#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:14 AM

Posted 19 September 2008 - 03:49 PM

Hi Davestir,

I'm guessing I should not use Avast?

No. You should use Avast. I think you got confused when I told you to run that online scan.
That ESET online scan is only a scan on the internet because the scans on the internet, you still can continue to use AVAST!.

From the online scan report I saw some files/folders that could be malware related.

Do you know what those archived folders are:

C:\Documents and Settings\DAVESTIR\My Documents\Downloads\Ultra Video Joiner.rar
E:\AUDIO Unassorted\Wavelab 6\xtra patches\SFv9a.rar

If you do not know what they are or if you do not wish to keep them then you can remove them as they are possibly infected. To remove those files please follow the next step that says: Delete files/folders

If you know those folders and/or you downloaded them and you wish to keep them then obviously don't follow the instructions below that says: [Delete files/folders


Delete files/folders

Please navigate to the folder: C:\Documents and Settings\DAVESTIR\My Documents\Downloads
In the Downloads folder find Ultra Video Joiner.rar<-Delete this file

Navigate to E:\AUDIO Unassorted\Wavelab 6\xtra patches
In the xtra patches folder find SFv9a.rar<-Delete this file

After that Right click on your Recyling Bin and click Empty Recycling bin

Note: If you can't find the E:\ drive, it might be your USB flash drive or an external hard drive, so you will need to attach that in before you can delete that above folder.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Post back with:

-MBAM log
-FRESH Rsit logs
( Please post back with both log.txt and info.txt)
If they don't appear you can locate them in the folder C:\RSIT

Thanks :thumbsup:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:02:14 PM

Posted 26 September 2008 - 04:18 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users