I just recently got my computer infected with one of those Trojan Win32-ish worms that we all just adore. I’ve been trying to get rid of it through Avast and Ad-Aware, always finding that I haven’t managed to. I don’t remember the virus name right now, but I just performed a scan with the Avast Patch and this is what I got:
23/05/2007, 08:57:03 p.m.
Memory scanning started…
No virus body found in memory.
Memory scanning finished (40,4s).
Files scanning started…
C:\Documents and Settings\Invitado\Local Settings\Temporary Internet Files\Content.IE5\9RFJTX8E.…tonyfitmankeo_t[1].jpg… file could not be scanned!
C:\Program Files\ArcSoft\Software Suite\PhotoBase\DibPro.dll… file could not be scanned!
C:\Program Files\ArcSoft\Software Suite\PhotoBase\FPXLIB.DLL… file could not be scanned!
C:\System Volume Information_restore{5808F9B6-96B5-4803-A039-47EB1E010CB7}\RP577\snapshot\Repository\FS\OBJECTS.DATA… file could not be scanned!
C:\WINDOWS$hf_mig$\KB912812\SP2QFE\browseui.dll… file could not be scanned!
No virus body found.
Files scanning finished (90047 files, 0 infected, 2199,4s).
Drives scanned: C:
Also, last night I ran Ad-Aware and it found like 9 critical objects, but it kept freezing before it would finish the scan. I ran the Disk Defragmenter to see if that would help, but it also froze in the middle of the scan. Today I ran Ad-Aware again after having updated it and it didn’t freeze. But even though I deleted the 9 critical objects it found, I know the virus is still there, latent, messing with my computer, loading Explorer pop-ups (even though I navigate with Firefox) and basically making my machine painfully slow on a regular basis.
If a virus is recurring (coming back again and again), you should:
1) Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).
2) Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).
3) It would be good if you download, install, update and run AVG Anti-Spyware. Some users recommend SUPERAntiSpyware, Spyware Terminator and/or a-squared (take care about false positives).
4) If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5) After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.
Usually antivirus programs cancel each other out, meaning that if you have more than one antivirus installed, they will not work as efficiently as if you only had one. Is this the same case for anti-spyware programs? I already have Ad-Aware. Now I’m gonna try the AVG Anti-Spyware. Would I need to temporarily disable Ad-Aware? And if so, how do I disable it?
Tech’s advice contains links to this information: click on your operating system in part 1) of his post to see the appropriate page.
Detections in System Restore are not active and can be temporarily ignored: when you have cleaned up the infection, just create a new, clean System Restore point and then delete all older, infected points. This way you always have a restore point to go back to if something goes wrong.
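As an added example (not something posted in this thread), the small parser below reads an avast! scan report in the format quoted in the first post and triages each "file could not be scanned!" entry: copies under System Volume Information are restore-point snapshots (inert until restored, as noted above), Temporary Internet Files entries are browser cache, and anything else is worth a closer look. The sample log, GUID and file names are constructed placeholders, not the poster's actual paths.

```python
import re

# Constructed sample in the layout of the avast! report quoted above; the
# GUID and file names are placeholders, not values from the poster's machine.
SAMPLE_LOG = """23/05/2007, 08:57:03 p.m.
Memory scanning started...
No virus body found in memory.
Memory scanning finished (40,4s).
Files scanning started...
C:\\Documents and Settings\\User\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234\\banner[1].jpg... file could not be scanned!
C:\\Program Files\\Example\\Example.dll... file could not be scanned!
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP577\\snapshot\\Repository\\FS\\OBJECTS.DATA... file could not be scanned!
No virus body found.
Files scanning finished (90047 files, 0 infected, 2199,4s).
Drives scanned: C:
"""

# Path, then "..." (or a single ellipsis character after copy/paste), then the marker.
UNSCANNED_RE = re.compile(r"^(?P<path>.+?)(?:\.\.\.|\u2026)\s*file could not be scanned!$")
SUMMARY_RE = re.compile(
    r"Files scanning finished \((?P<files>\d+) files, (?P<infected>\d+) infected, (?P<secs>[\d,.]+)s\)"
)


def classify_path(path):
    """Triage bucket for a path the scanner could not open."""
    p = path.lower()
    if "\\system volume information\\" in p:
        return "restore-point copy"   # inert until restored; flushed by a new clean restore point
    if "\\temporary internet files\\" in p:
        return "browser cache"        # cleared by emptying the browser cache
    return "needs review"             # e.g. a DLL locked by a running program


def parse_scan_log(text):
    """Return unscanned paths with their triage bucket plus the summary counters."""
    result = {"unscanned": [], "files": None, "infected": None, "seconds": None}
    for line in text.splitlines():
        m = UNSCANNED_RE.match(line.strip())
        if m:
            path = m.group("path")
            result["unscanned"].append((path, classify_path(path)))
            continue
        m = SUMMARY_RE.search(line)
        if m:
            result["files"] = int(m.group("files"))
            result["infected"] = int(m.group("infected"))
            # avast! writes the duration with a decimal comma in this locale
            result["seconds"] = float(m.group("secs").replace(",", "."))
    return result
```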
Based on your 2 Posts, I am a little concerned as to HOW you are using Ad-Aware; you mentioned it finding 9 "Critical Objects". The ONLY "Critical Objects" that can be initially "Deleted" are "Tracking Cookies" or "Alexa"; all Others should be placed in "QUARANTINE" and the proper "Removal Procedure" investigated. More than likely the "investigation" should be to Request Help on the Lavasoft Ad-Aware Support Forums at www.lavasoftsupport.com/ .
I think it is pretty clear by now that I qualify as a complete newbie. I didn’t really know these specifications about Ad-Aware. I’m the typical dummy who only scans, waits to hear how many “critical objects” there are and then clicks on the “delete button”, completely unaware of all these other little gadgets. I’m gonna give it a try with the AVG Anti-Spyware and I’ll let you know, since the whole “Disable System Restore” thingie is coming out a little bit too complicated for me and I’m still not quite sure of what I need to do and how. I’ll keep you updated.
Oh, by the way:
Today I got two more Virus warnings. This time I decided to write down the Virus names. They are Win32-VBStat-C [Trj] and Win32-VB-TGS [Trj]
I just ran the AVG Anti-Spyware and it found about 50 tracking cookies, a thing called “Installer” (I think), and now I’m getting malware warnings. Some of them are exe files and others are dll files. But the strange thing is that the program recommends that I should ignore them, not clean them. Still, I decided to clean and move some of the exe files to quarantine.
I’m getting these warnings like once or twice every minute.
Make sure AVGAS and Ad-Aware are up to date and run scans in Safe Mode. (See previous post.)
Make sure you have a firewall up (run a scan at ShieldsUp!) and have no vulnerable software on your system using the Secunia Software Inspector scanner.
Post a HijackThis! log if you still have problems. It would help if you could also post the names of the malware detected and the names and locations of the detected files.
“Malware found
AVG Anti-Spyware detected a suspicious file on your computer
Name: Adware.Virtumonde
Location: C:WINDOWS/system32/qomjheb.dll
Risk: Medium
Description: Adware is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used. Adware is often bundled with, or integrated into, other software products.”
YES! Really!
So I am right in assuming that it isn’t normal that the AVG Antispyware is actually recommending me to ignore the virus. Well, then I guess I will keep not ignoring them.
But I’m afraid this isn’t working. The virus is still in there. The only difference is that I get AVG warnings every minute reminding me of it.
I tried rebooting the computer and hitting F8 several times so that I would get the screen that allows me to start the system in Safe Mode. I got a screen that gave me one and only one option: to start Windows. In other words, the same thing.
1) Double-click VundoFix.exe to run it.
2) When VundoFix re-opens, click the Scan for Vundo button.
3) Once it’s done scanning, click the Remove Vundo button.
4) You will receive a prompt asking if you want to remove the files; click YES.
5) Once you click yes, your desktop will go blank as it starts removing Vundo.
6) When completed, it will prompt that it will reboot your computer; click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from “Click the Scan for Vundo button.” when VundoFix appears at reboot.
A log will be produced which you can post in your next response. It will be named VundoFix.txt and will be in c:\
If the log is too long to fit in a single post, break it in two and use multiple posts.
Many times when someone has a "Virtumonde" "infection", it means that the "Java" program they have on their computer is NOT up-to-date, which is a serious security risk. To check this possibility, I recommend you go to www.javatester.org/version.html and tell us WHAT it says in the box under "Method 1: Ask Java" !? Also let us know IF the info is in pink !?
You need to install the latest version, then remove all older versions from Start>Control Panel>Add/Remove Programs.
As you have found one such out of date application, I suggest that there may be more such vulnerable applications on your computer, and that you run the Secunia scan I recommended previously which looks for any insecure software, and also gives the location of the appropriate update/download page.
Thank you guys. I’m gonna get on it right now. I’ll let you know how it went. Also if you think there’s anything else I should know, do not hesitate to post it.