Spyware, Viruses, & Security forum

General discussion

HELP

by 01pussycat / April 13, 2007 9:27 AM PDT

For the last 3 days and nights I have been trying to clear the mess my son has made of the PC after he managed to download a whole host of probs from a hijacked site whilst on MSN Messenger. I came across downloader.adload.jm, backdoor.msnmaker.ag, smitfraud-c.Toolbar888, but worst of all Virtumonde. I managed to get rid of the others with Spybot, AVG Antivirus and Ad-Aware. I have scanned with CounterSpy, which detected Virtumonde and supposedly deleted it, but when I rebooted it was still there. I know it is there because when I start up SpywareGuard tells me a BHO has been added and asks do I want to remove it; I say I do and it says it has been removed, but as soon as I click on OK it brings up the same alert and it is just a vicious circle, until I finally close the SpywareGuard alert as it just can't get rid of it. I have scanned with VundoFix twice, and again it supposedly removes it, but when I start up again, yes, it's still there. I have scanned with Avast but it doesn't find it. I have used the Symantec scan removal tool and it scans, but says my PC isn't infected! But those pop-up ads just keep on coming! I have tried to download a Lavasoft tool, but I keep getting an error and it won't run, and Ad-Aware doesn't find it, and I have also tried to download spywarebot.net but my system won't let me.
I have the free version of Spyware Doctor and this finds it, but I have to purchase the full version before it will get rid of it. I would gladly purchase the full version if I thought it would clear it for good, but I just don't think anything can clean it off my PC. Also, sometimes when I start up the PC Avast warns me that it has stopped a trojan horse and that I must abort the connection, which I do. It seems this Virtumonde comes in many guises, and the last scan I did with Spyware Doctor showed I had 9 Virtumonde infections in registry keys, registry value, process file and start-up program. I have tried scanning with CounterSpy again but it no longer detects it and says the PC is clean. This thing just doesn't seem to want to go. If you think purchasing Spyware Doctor will do the trick, I will do so, but I would really appreciate some help here,
Thanks

Vundo
by Donna Buenaventura / April 13, 2007 9:35 AM PDT
In reply to: HELP
Title of my reply should be SmithFraud but the link is
by Donna Buenaventura / April 13, 2007 9:37 AM PDT
In reply to: Vundo

correct.

Sorry
by 01pussycat / April 13, 2007 9:45 AM PDT

I have scanned with AVG Anti-Spyware and it didn't find it. I have already rid myself of SmitFraud with Spybot. I couldn't see any info re Virtumonde on the link you just gave me, only SmitFraud?

Link
by Donna Buenaventura / April 13, 2007 9:59 AM PDT
In reply to: Sorry
Good Thing System Blocked Spywarebot, It's a ROGUE!!!
by tobeach / April 13, 2007 4:29 PM PDT
In reply to: HELP

You might try running some scans in Safe Mode (AVG AS & S&D?).
You might do a search on your hard drive for the name "antispyware" + or - (.com) (another company name associated w/ spywarebot) (.com or .net). Perhaps something got in from just visiting the site (exploit) despite your not being able to download/install the program.

Are you running Spybot in "Advanced Mode"? (Opening page, S&D upper left > Mode). If you switch to Advanced you'll see 2 new items lower left:
Tools & Settings.

Open "Tools", check-mark BHOs and double left click. You should see a list of ALL Browser Helper Objects including the trouble one(s).

NOTE: the no-name one ending in 424484F is Spybot's own BHO!! Do Not Disable this one!

By highlighting each you should see their names (legit/not) & the path where they're located. This might help you to find where the "mystery" one is hiding. Once highlighted, at the top you'll have the option to "toggle off" or "Remove" each item.

Donna's a great expert, so follow her advice very carefully.

Last thought: Be PHYSICALLY DISCONNECTED from the net during all removal attempts (except on-line scan/removals) to prevent instant re-infection. Good Luck!
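The BHO list tobeach describes is read out of the registry, so the same inventory can be taken directly and kept as a record. The PowerShell script below is an added example written for this thread; it is not something tobeach or Donna posted and it is not part of Spybot or Spyware Doctor. It walks the `Browser Helper Objects` key (the native view and, on 64-bit Windows, the `Wow6432Node` view), resolves each CLSID to the DLL registered under `HKCR\CLSID\{...}\InprocServer32`, and reports whether that file exists, whether it carries a valid Authenticode signature, and the company name in its version resource. It only reads; it removes nothing. The path pattern used for the `Flag` column is an assumption of the example, not a rule from the thread.

```powershell
# Added example, not from the thread. Read-only inventory of Browser Helper Objects:
# lists each registered BHO CLSID, the DLL it loads, and a few trust indicators so an
# unfamiliar entry can be matched against what a scanner reported.

# Both registry views: 32-bit IE on 64-bit Windows reads the Wow6432Node copy.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }

        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName                       # e.g. {9241B4C5-...}
            # The BHO key only names the CLSID; the DLL path is under the COM registration.
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $raw  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

            $dll = $null
            if ($raw) {
                # Strip surrounding quotes and expand %SystemRoot%-style variables before testing.
                $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))

            $signer  = 'n/a'
            $company = 'n/a'
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "not valid ($($sig.Status))" }
                $company = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
            }

            # Heuristic flag (assumption of this example): no COM name, missing file, or a DLL
            # living in a temp/profile folder are the entries worth a closer look.
            $suspicious = (-not $name) -or (-not $exists) -or
                          ($dll -and $dll -match '\\(Temp|AppData|Local Settings|Application Data)\\')

            [pscustomobject]@{
                View       = $key
                CLSID      = $clsid
                Name       = $name
                Dll        = $dll
                FileExists = $exists
                Signer     = $signer
                Company    = $company
                Flag       = if ($suspicious) { 'REVIEW' } else { '' }
            }
        }
    }
}

# Run it and keep a copy of the output before changing anything, so an entry can be
# checked against the CLSIDs a scanner reported (and restored if a removal is regretted).
Get-BhoInventory | Tee-Object -FilePath "$env:USERPROFILE\bho-inventory.txt" | Format-List
```

Run it from an elevated PowerShell so the HKLM keys and the DLLs under `Program Files` are readable. A `REVIEW` flag is a prompt to look, not a verdict: legitimate add-ons sometimes have empty COM names, and a missing DLL usually just means an incomplete uninstall.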

1 More Idea: It Might Not Hurt to Run a Root Kit Scan....
by tobeach / April 13, 2007 4:46 PM PDT

It only takes a minute or two and might show something. You can get a free one to download (save to My Docs and just double left click to activate, off-line), if you can, from:

http://www.f-secure.com/blacklight/

&/or from: http://free.grisoft.com/freeweb.php

Note: IF it reports finding anything, don't remove it yet. Write down exactly any info given & check back for further advice or direction.
Good Luck!!

More advice please!
by 01pussycat / April 14, 2007 12:55 AM PDT

Thanks a lot for the help so far. I did use virtumondebegone; however, I didn't read the full instructions in my eagerness to be rid of this thing and didn't actually do it in safe mode. However, it seemed to do the trick, and when I rebooted I didn't get the warning from Avast or SpywareGuard that my browser had been hijacked, and I've had no more pop-ups. I did download AVG rootkit like you suggested and did 2 different scans with this, and they found nothing. My only problem is when I scan with Spyware Doctor it no longer says I have 9 infections of Virtumonde like it did before virtumondebegone, but it still says I have 2 infections in my registry keys as follows. Both entries begin: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Explorer\Browser Helper, then one entry is followed by: Ob...(9241B4C5_BF4C_4754_BBF3_A5C1F6AC9678) and the other entry is followed by: O...\97B24AB9_86C0_4601_B2A5_660A4B05346A). So do I need to run virtumondebegone in safe mode to try to get rid of these entries, or should I try something else?
Thanks again
Fran

Yes Fran
by Donna Buenaventura / April 14, 2007 1:47 AM PDT
In reply to: More advice please!

Run the tool in safe mode.

Donna/tobeach
by 01pussycat / April 14, 2007 7:38 AM PDT
In reply to: Yes Fran

I have used virtumondebegone in safe mode and it hasn't found anything, so when I came back to normal mode I did a scan again with Spyware Doctor and again it found these two registry keys with Virtumonde. So I then read again what tobeach advised and have gone into Spybot advanced and looked at the BHOs, and sure enough the paths with the big long numbers that I posted earlier from the Spyware Doctor scan were there. They have a green tick against them, but when you highlight them it shows the long name as exactly the same code that SpywareGuard was originally warning me on before. So should I now go ahead and remove them completely from Spybot? Never done anything in advanced before, so just want to check I'm doing the right thing! Also tobeach said to be physically disconnected from the internet before I remove anything, which is fine, but am I OK to do it in normal mode or does it have to be in safe mode?
Thanks again, I feel like I'm actually getting near the end now!
Fran

As long as
by Donna Buenaventura / April 14, 2007 9:33 AM PDT
In reply to: Donna/tobeach

there are no running processes of an infected file in the background, you can always do it in normal mode.

Close IE and other open windows before you do that using Spybot Search & Destroy.

Not sure
by 01pussycat / April 14, 2007 9:49 AM PDT
In reply to: As long as

whether I should 'toggle off' or 'remove' the entries. What would you normally advise?

Remove :-)
by Donna Buenaventura / April 14, 2007 10:14 AM PDT
In reply to: Not sure

Since you've identified a bad entry, it's recommended to remove it.

You're Doing Just Fine! Definitely Remove as Donna ...
by tobeach / April 14, 2007 3:00 PM PDT
In reply to: HELP

suggested.

Don't be afraid of Spybot in advanced mode. With very few exceptions, most of what you do there is reversible. I wouldn't use reg cleaning (Sys Internals) or Winsock as a beginner. Most of the rest can be of help.

Start-up will list everything that loads at boot. A large number of these don't need to, and can be called upon as/when needed by clicking the icon on your desktop (example: Media Player & Adobe Reader). These, along with the printer, will start automatically if called for by a site or by your clicking "print". It will just take 2 or 3 seconds longer, which you'll have gained back 10-fold each time you boot.

Myself, out of 20 (plus system .ini's) entries listed there, I have "toggled off" all but 3 (AVG AV (2) & Spybot TeaTimer & system .ini's).
This cut boot times from 1 3/4 minutes to 45 seconds, plus faster overall performance.
If you use your cursor to "grab & drag" the end of the gray top bar (command line) part way to the left (just at the top of the up/down slider), an area will appear to the right of the slider. Highlight any item listed and a description of what it is & whether it's needed will appear there (if listed as known). Use this to guide you to toggle off or not. You can always toggle back on.
Under "Browser pages" you can set (leave) just 1 Home Page and 1 Search page (I use about:blank & http:www.Google.com) and can get rid of the others by highlighting each, clicking Change and just deleting it out of existence.

Under "IE Tweaks" click lock hosts file as read-only (protection against browser hijackers).

Under "Resident" (if you use IE) you can click (check-mark) SD Helper download blocker to protect you from known bad sites doing drive-by & other auto downloads.

TeaTimer (locks system overall settings) can be checked IF you don't have other background spy guards running. The 2 might conflict.

There's more for you to explore & enjoy the protection of. (You can tell I love my little Spybot?) Here's a tutorial (mostly for set-up & first run, but still clear info on use):
http://www.bleepingcomputer.com/tutorials/tutorial43.html

Enough for my pet rant.. hopefully you're "clean" by now, so enjoy!

Thanks so much,
by 01pussycat / April 14, 2007 10:16 PM PDT

tobeach and Donna. I've been into Spybot and removed the two entries, just run a scan again with Spyware Doctor, and Virtumonde has gone!
Don't know what I would have done without all your help; it is greatly appreciated.
Thanks again
Fran

(NT) You're welcome Fran. We're happy to help :-)
by Donna Buenaventura / April 15, 2007 2:43 AM PDT
In reply to: Thanks so much,
(NT) So Pleased We Could Be of Help. Good Work on Your Part! :D
by tobeach / April 15, 2007 2:49 PM PDT
In reply to: Thanks so much,