How To Repair Multiple Infections - Virtumonde; Winantivirus; Winfixer; Astakiller; Etc. (Solved)

Multiple Infections - Virtumonde; Winantivirus; Winfixer; Astakiller; Etc.

It's definitely better to be sure and safe than sorry.

***************************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo

I guess you are dealing with Navipromo (a dialer). Let's deal with the leftovers first.

* Start HijackThis, close all open windows leaving only HijackThis running.

Sysprotect also showed up. In addition to posting my HijackThis log, I've also posted the results of the other tools. Ran Spybot again; it seemed to pass over the files, at least I saw it listed as Spybot ran.

Downloaded HijackThis and ran it.

Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Examples of older versions in Add or Remove Programs:
Java 2 Runtime Environment, SE

Attempting to delete C:\WINDOWS\SYSTEM32\qtvwa.bak2
C:\WINDOWS\SYSTEM32\qtvwa.bak2 Has been deleted!

https://www.bleepingcomputer.com/forums/t/63508/multiple-infections-virtumonde;-winantivirus;-winfixer;-astakiller;-etc/?view=getlastpost

Below is my hijackthis log; I hope an expert from here can comment on it and tell me what to do:

--------

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:11:28, on

Tried the online scan with Housecall again about two hours ago and my browser was shut down again.

Then click the "Start Update" button. When you receive the "Update successful" prompt, close Ewido.
Note: If you have any problems with the updater, you can Update Ewido Manually. Do not Scan with this

Up to that point, Norton never picked up a thing while I was logged in. Popups started in earnest yesterday.

Attempting to delete C:\WINDOWS\SYSTEM32\qtvwa.bak1
C:\WINDOWS\SYSTEM32\qtvwa.bak1 Has been deleted!

HJT and Panda Log.


Hi and welcome to TSF.

I am currently reviewing your log.

Attempting to delete C:\WINDOWS\SYSTEM32\qtvwa.ini
C:\WINDOWS\SYSTEM32\qtvwa.ini Has been deleted!

The popups usually have to do with WinAntivirus, Errorsafe, etc.

I am running Microsoft XP.

Started by tk1, Aug 28 2006 12:23 AM

Attempting to delete C:\WINDOWS\SYSTEM32\mtcbvebc.exe
C:\WINDOWS\SYSTEM32\mtcbvebc.exe Has been deleted!

#7 tk1 (Topic Starter), Posted 30 August 2006 - 10:51 AM
Below are the requested logs.

I ran Panda Anti-Virus and Bit Defender.

Attempting to delete C:\WINDOWS\SYSTEM32\yowkwtsy.exe
C:\WINDOWS\SYSTEM32\yowkwtsy.exe Has been deleted!

Question: Drivecleaner, Errorsafe, winfixer, winantivirus
Ok, these annoying popups saying found problems like drivecleaner, errorsafe, etc, it seems they rotate taking turns to popup, I have

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Now go to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), post that log

HiJackThis log looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 9:19:22 PM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS...

I hit the "fix" button and it seemed okay.

Hi! I have run McAfee and VundoFix and neither found anything.

It would supposedly delete everything but the malware would re-appear.

Ran Spybot again, saw the file as it scanned (WinAntiVirus Pro 2007 & ErrorSafe), but Spybot did not list the files as cookies as it did before to fix.

Please post that log in your next reply.
Important Note - Do not mouseclick ComboFix's window whilst it's running.

O4 - Global Startup: Wireless 802.11g USB Adapter.lnk = C:\Program Files\Wireless 802.11g USB Adapter\ZDWlan.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra

I went to Microsoft and followed instructions per this link http://www.xp-vista.com/spyware-remo...l-instructions I did not find any of the files the link... I then followed advice on these forums to remove Virtumonde using VundoFix followed by VirtumundoBeGone, still without success.

When it's finished it will produce a log.

Click the Remove or Change/Remove button.

That may cause the program to freeze/hang.

Answer: MALWARE PROBLEM - errorsafe/winantivirus pro VIRUS - PLEASE HELP

Question: WinAntivirus Popup 2007 & Errorsafe plz help removing this
Hello guys...

Note: Do not mouseclick ComboFix's window while it's running.

Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool.

Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click

Accept the agreement and click OK.
Click the Scan button to begin.

Attempting to delete C:\WINDOWS\SYSTEM32\fljhhhkq.exe
C:\WINDOWS\SYSTEM32\fljhhhkq.exe Has been deleted!

Close any programs you may have running - especially your web browser.

Left for work.

This is somewhat suicidal in today's digital world. You need to install an antivirus program as soon as you can and run a complete scan of the computer.

However, every time I scan/quarantine/delete, 100% of the unwanted programs return, and the popups hardly seem to pause for a moment.

So far I've run Adaware (in Safe Mode and out).

Here's the content:
---------------------------------------------------------------------------------------------------------------------------
VundoFix V6.5.0
Checking Java version...
Sun Java not detected
Scan started at 06:22:52 2007-06-16
Listing files found while scanning....
C:\windows\system32\efcccdb.dll
C:\windows\system32\iifgeda.dll
C:\windows\system32\lkmoq.ini
C:\WINDOWS\system32\onnpo.bak1
C:\WINDOWS\system32\onnpo.bak2
C:\WINDOWS\system32\onnpo.ini
C:\WINDOWS\system32\opnno.dll
C:\windows\system32\opnomjg.dll
C:\windows\system32\qomkl.dll
C:\windows\system32\sqmvrmlf.dll
C:\windows\system32\viagsmvt.dll
Beginning removal...

Using option 1, Search: double-click smitfraudfix.cmd. Select 1 to create a report of the files responsible for the infection.

Double click on combofix.exe and follow the prompts.

My McAfee Spyware scan and AdAware (all updated definitions) had caught nothing either. Ran that.

How's it look?

Logfile of HijackThis v1.99.1
Scan saved at 10:43:56 AM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media

Repeat as many times as necessary to remove each Java version.

Answer: Infected With Virtumonde And Winantivirus And Errorsafe
Hello and welcome. Please run your computer in normal mode all the time; only do steps in Safe Mode if I ask

The other file deleted fine.

Attempting to delete C:\WINDOWS\SYSTEM32\wqenubcn.exe
C:\WINDOWS\SYSTEM32\wqenubcn.exe Has been deleted!

I am unable to go onto the net without it getting out of the website I'm in and redirecting me to its websites.

Haven't restarted yet, nor did I restart in between.

Place a check against each of the following:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - @A?07962-6F74-2D53-2644-206D7942484F} - (no file)
O2 -

Attempting to delete C:\WINDOWS\SYSTEM32\ojwaenhk.exe
C:\WINDOWS\SYSTEM32\ojwaenhk.exe Has been deleted!

Leave the PC idle while the scan takes place.
When it has completed, click the Close button.
A text file, fsbl-date/time, will be saved in the Blacklight folder, copy and paste this into

Again, it came up with WinAntiVirus 2007 and ErrorSafe.

Scroll down to where it says "Java Runtime Environment (JRE) 6u2".

The page will refresh.