Malware, Virtumonde?

Hello,
I believe my problem is Virtumonde and I got it during Windows update. I have Zone Alarm, Spybot, Avast and Adaware, and ZoneAlarm and Avast run all the time. The computer was acting up so I ran Spybot, Avast and Adaware. Spybot found Virtumonde, Web Trends and Statcounter and I thought removed them. Adaware found Virtumonde and 81 cookies (way more than usual) and said it removed them. And at the beginning Avast found malware and moved it to the chest. I cannot access Avast, ZoneAlarm, Adaware or Spybot via the internet for updates, although my versions are all pretty current. I also tried to look at other spyware or antivirus internet addresses and it won’t let me.

I just ran the programs in SAFE mode and now Adaware only showed 11 cookies. Spybot waited for a reply for C:Program Files/Spybot_Destroy\Includes\Trojans.spi and said to see include errors.log, but after that didn’t find any malware.
Avast showed no viruses but was unable to scan three:

Disk C Boot Record - unable to scan, no more data is available.
C:\Documents and Settings\All Users\Application Data\Spybot-Search & Destroy\Recovery\Virtumonde.zip\removalfile.bat
and
C:\Documents and Settings\All Users\Application Data\Spybot-Search & Destroy\Recovery\Virtumonde.zip\sbRecovery.ini
and both are showing "unable to scan, archive is password protected".

I had looked at Kim Komando and it said to turn on the Windows Firewall (which was off), so I did.

Any suggestions? It is hiding in there somewhere and I am not very computer oriented.

Thanks,
Su

do not worry about spybots recovery files
can you create a folder C:\suspicious
can you go to the avast chest and copy the spyware (not the system- leave-em alone) files to C:\suspicious
then go online to virustotal and upload the files ?
post the results

since I cannot tell which sites are blocked or whatever I’ll post up some choices

Spybot is a good choice for Virtumond but there are a lot of variants

can you download Malware Bytes Anti Malware, update, scan and click REMOVE on any hits
if that works also run MAlware Bytes Rogue Remover
post up the logs if any hits

http://www.superantispyware.com/download… (do not install the AV or BHO Toolbar)

?? does AD-Aware automatically run the Ad-Aware Virtumond removal tool or is that an option??
If an option run it

http://www.symantec.com/security_response/writeup.jsp?docid=2004-112210-3747-99

Windows defender if you have it installed
http://www.microsoft.com/athome/security

if the general purpose tools listed above are not available
http://www.geekstogo.com/forum/How-to-remove-Winfixer-Virtumonde-Msevents-Trojan-vundo-ATLDistrib-t91765.html

print out the instructions if your internet is down and download to a pendrive or burn a cd somewhere
but post back HERE :slight_smile:

be sure to get the latest version directly from
http://www.atribune.org/

yes-no- either way
read the stickie at the top of this forum and post a HJT

lot of crap phoney antixxx say they remove virtumond BVVC

I can’t get to anything you asked me to try. I either get “not a valid Win32 application” or a “cannot display page”. I could copy the Avast chest onto a c:Suspicious file by running a scan, but I can’t email out stuff, although I can receive emails. I did try getting to the websites in different ways (i.e. through Dogpile or through a mirror download site or whatever they call them). Sometimes I could get to the first website page, but once I picked download I couldn’t download. Any other suggestions? Thanks for all your help.

Su

OK we’ll have to work with what we have

If ad-aware works could you see if the remover is included or optional- I do not know with new ad-aware
even in safe mode

I think the best thing to do is to download VUNDOFIX on a friend’s computer and either copy it to a pen drive or burn a CD. It’s only 116kb so it would fit on a floppy.

Can you see the instructions online?

http://vundofix.atribune.org/
the advantage of this is that it does not require an “install” or an “update”
and is ready for the latest nasty versions of Vundo

If you can get the hits into C:\suspicious you do NOT have to email
go to Virus total and use the search button to navigate to your folder

Perhaps polonus is lurking and will have another idea

I take it none of the online AV scanners work or have you tried any
try Dr Web Cure It

Definition file downloads (to keep yourself up to date):

–From Softpedia:
Avast! http://www.softpedia.com/get/Others/Signatures-Updates/avast-Virus-Definitions.shtml
Ad-Aware (2007/ 2008, you didn’t mention which version :wink: ) http://www.softpedia.com/get/Others/Signatures-Updates/Ad-aware-Definitions-File.shtml
Ad-Aware SE http://www.softpedia.com/get/Others/Signatures-Updates/Adaware-SE-referencefile.shtml
Spybot http://www.softpedia.com/get/Others/Signatures-Updates/Spybot-Search-and-Destroy-Detection-Update.shtml

Post back ASAP.

(wyrmrider, have you suggested her get HiJackThis? I think its a good idea at this point.)

HJT would be excellent if she can get to it
otherwise
SuZam
read the stickie about hjt at the top of this forum
download to your cd or pen drive and install from there - but not to a TEMP file or desktop
Create a new folder C:\SuZamHJT and download there

Happy-Dude is giving you links to the complete update files which you could DL to a CD or pen drive and do manual updates
let’s hope vundofix works
then/ or
Post a HJT scan only- DO NOT FIX anything

I see you ran Ad-aware in safe mode
did you try a safe mode Spybot scan? It looks as if you did

Do not run HJT in safe mode unless that’s the only way it will run

Sorry it took a while. I couldn’t do anything on Wyrmrider post 3, or Happy-Dude post 4, I could run my hijack and email it to myself and look at it on another computer…so here it is:
Logfile of HijackThis v1.99.1
Scan saved at 10:09:09 PM, on 08/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PhatNoise Music Manager\PNAgent.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\dlbxcoms.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\dxdiag.exe
C:\WINDOWS\system32\sigverif.exe
C:\Documents and Settings\All\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com

Here’s the rest of it:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM..\Run: [MMTray] “C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe”
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [dlbxmon.exe] “C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe”
O4 - HKLM..\Run: [DLBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16
O4 - HKLM..\Run: [mmtask] “C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [PNAgent] “C:\Program Files\PhatNoise Music Manager\PNAgent.exe”
O4 - HKLM..\Run: [DVDLauncher] “C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe”
O4 - HKLM..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132547065421
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147797953984
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlbx_device - Dell - C:\WINDOWS\system32\dlbxcoms.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

It looks messy and I am sure I don’t need most of it but I never knew what to delete.

Also this means that I could probably email the avast virus chest to myself and then check it with that website so I will do that now.

Thanks,
Su
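An added example, not from this thread: a small Python triage script for HijackThis log lines of the kind posted above. It parses the section codes, counts findings per section and flags the entries a helper would check first (missing files, unknown service owners, unnamed IE extensions, Winsock LSP and Winlogon Notify entries). The sample lines are constructed from the log above, and the flag reasons are review heuristics, not verdicts.

```python
import re
from collections import Counter

# Constructed sample in HijackThis 1.99 log format, modelled on the log posted
# in this thread (a handful of lines, paths as in the original). Not a real scan.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HJT finding starts with a section code (R0/R1, F0-F3, N1-N4, O1-O24),
# a dash, then the section-specific body. Header and process-list lines do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for every finding line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def section_counts(entries):
    """Number of findings per section, e.g. {'O4': 1, 'O20': 2}."""
    return dict(Counter(section for section, _ in entries))


def review_flags(section, body):
    """Reasons an analyst would look at this entry first (heuristics, not verdicts)."""
    flags = []
    if "(file missing)" in body:
        flags.append("HJT could not find the file: orphaned entry or a quoting artefact, verify the path")
    if section == "O23" and "Unknown owner" in body:
        flags.append("service without a recognised vendor name")
    if section in ("O2", "O9") and "(no name)" in body:
        flags.append("unnamed IE extension: identify it by CLSID or DLL path")
    if section == "O10":
        flags.append("Winsock LSP: this DLL is loaded into every process that uses Winsock")
    if section == "O20":
        flags.append("Winlogon Notify DLL, loaded at logon; a well-known Vundo persistence point")
    return flags


def triage(text):
    """Only the flagged entries, as (section, body, [reasons]), in log order."""
    result = []
    for section, body in parse_hjt(text):
        flags = review_flags(section, body)
        if flags:
            result.append((section, body, flags))
    return result


if __name__ == "__main__":
    print(section_counts(parse_hjt(SAMPLE_LOG)))
    for section, body, flags in triage(SAMPLE_LOG):
        print(f"{section}: {body}")
        for reason in flags:
            print(f"    -> {reason}")
```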

Your HJT version is out of date; you also don’t have HJT installed in its own folder but dumped in the desktop folder. Download the latest version and install that in its own folder; the installation file should do that for you and remove the old version.

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.

I have just had a quick look at your HJT log and this is the most obvious

Suspect - See below:
C:\WINDOWS\system32\dxdiag.exe - see, http://www.liutilities.com/products/wintaskspro/processlibrary/dxdiag/

HJT ACTIONS (note not to be done until you have the latest version installed and removed old version)
Suspect: Upload the file/s to VirusTotal, Send a sample to avast if multiple detections at VT and Fix in HJT (see below)

Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.

DavidR, I don’t think she can actually DL stuff … ? Looks like she’s having problems with it …

Think someone can use 7-zip, compress the package to be less than 200 KB, and upload it to the forums ?

If that is correct:

It would be better if she could phone a friend, so to speak, and have them download to CD; possibly better than a flash drive, since if the system is infected we want to avoid the risk of infecting the flash drive and the friend’s system.

The file types are limited, .txt and .log so the file type would have to be changed from .zip or .7z, etc. That however would still technically require a ‘download’ from the forums ???

Hi SuZam,

To bring that dl possibility back temporarily:

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:
http://cid-6aaab341ce47c5c2.skydrive.live.com/self.aspx/Public/FixPolicies.exe
* Double-click FixPolicies.exe.
* Click the “Install” button on the bottom toolbar of the box that will open.
* The program will create a new Folder called FixPolicies.
* Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
* A black box will briefly appear and then close.
* This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

After running FixPolicies, logoff and restart system, and try logging in to normal mode. Let me know if you can.

Download MBAM from here: http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
update it, and do a full scan and post the report of it as a txt attachment next,

polonus

Kind of a Chicken and Egg scenario, first ‘download’ a file to fix your ‘download’ problem.

So if there were a manual means of applying the fix that would be better.

Well, we have everyone working on this now
which is good
DavidR will read the whole post
Polonus will look at the HJT
V1.99 works just fine on the things it works on so do the Fix
if you can get a v2.02 to your machine create a folder
I use C:\HJT but the auto installer puts in program files
repeated use of hjt from the desktop will pollute your desktop with back-up files
Whatever you do, do not install to TEMP, as back-up files may be “cleaned up”

Hi DavidR,

It is a good practice to first try and get the right policies back on the infected computer, and this was an advised proposal from an advanced helper’s site. The tools we use will vary according to the malware at hand, and the trend at this moment is that we have need of a tool like this. If you are not familiar with a particular phase in the cleansing routine, you should not doubt it. Anti-malware tools, and I mean the reliable ones, were developed for a reason.
I give you an example: the Smitfraud tool fix works in case of the following malware.
It is a limited list:

AdwarePunisher
AdwareSheriff
AlphaCleaner
AntispywareSoldier
AntiVermeans
AntiVermins
AntiVerminser
AntiVirGear
AntivirusGolden
AVGold
Brain Codec
BraveSentry
DirectAccess
DirectVideo
EliteCodec
eMedia Codec
EZVideo
FreeVideo
Gold Codec
HQ Codec
iCodecPack
IE Defender
Image ActiveX Object
Image Add-on
iMediaCodec
IntCodec
iVideoCodec
JPEG Encoder
Key Generator
MalwaresWipeds
MalwareWipe
MalwareWiped
MalwareWipePro
MalwareWiper
Media-Codec
MediaCodec
MMediaCodec
MovieCommander
MPCODEC
My Pass Generator
Online Image Add-on
Online Video Add-on
PCODEC
Perfect Codec
PestCapture
PestTrap
PornMag Pass
PornPass Manager
PowerCodec
PrivateVideo
PSGuard
QualityCodec
quicknavigate.com
Registry Cleaner
Security iGuard
Silver Codec
SiteEntry
SiteTicket
Smitfraud
SoftCodec
SpyAxe
SpyCrush
SpyDown
SpyFalcon
SpyGuard
SpyHeal
SpyHeals
SpyLocked
SpyMarshal
SpySheriff
SpySoldier
Spyware Soft Stop
Spyware Vanisher
SpywareKnight
SpywareLocked
SpywareQuake
SpywareSheriff
SpywareStrike
Startsearches.net
strCodec
Super Codec
TitanShield Antispyware
TrueCodec
Trust Cleaner
UpdateSearches.com
VidCodecs
Video Access ActiveX Object
Video ActiveX Object
Video Add-on
VideoAccess
VideoBox
VideoCompressionCodec
VideoKeyCodec
VideosCodec
Virtual Maid
Virus Protect
Virus Protect Pro
VirusBlast
VirusBurst
VirusRay
Win32.puper
WinAntiSpyPro
WinHound
WinMediaCodec
X Password Generator
X Password Manager
ZipCodec

It is an ever evolving battle. At the moment MBAM cleans Virtumonde, but sometimes you need a way to get it working on an infected machine. That is what we are doing here.

polonus

Okay, I read everything although I didn’t understand it all :slight_smile:
I am going to be gone for 3 hours and don’t want to start my computer until I have time.
But then, I am going to start it, make sure zone alarm comes up (it doesn’t always), check and make sure Windows Firewall is on (it keeps turning off) and then try Polonus’s short term thing to allow downloads.
Then I need to ???Download Hijack This?
Thanks,
Su

Hi SuZam,

Yes, and we will hear how that all goes,

polonus

"make sure zone alarm comes up (it doesn’t always), check and make sure Windows Firewall is on (it keeps turning off) "

turn either zone alarm or windows firewall off while we work on this
keep whichever one is working best
they will conflict big time
with some OS windows will turn off the windows firewall automatically, with some it will not

read Polonus HJT stickie at the top of the page
the first most important thing is not to install on a temp file (by clicking “open”)
do not save to your desktop
create a folder (where you can find it) if the downloader does not do it for you

second most important thing is to close all browser windows- including this one

cheers