Repair Solved: Need Help In Removing Trojan Virtumonde - Imgrun.dll Tutorial=

Home > Solved Need > Solved: Need Help In Removing Trojan Virtumonde - Imgrun.dll

Solved: Need Help In Removing Trojan Virtumonde - Imgrun.dll

Opened IE, all these popups with bogus virus scanner sites/ads started coming up, and my computer started going nuts. Reload and its still there, I have ran Hijack this,spy bot, avg, Spy sweeper and KASPERSKY. Ad-aware SE Any assistance would be greatly appreciated. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.If there is anything you don't understand, please ask BEFORE proceeding with the fixes.Please ensure that Check This Out

C:\Documents and Settings\Philip Green\Local Settings\Temporary Internet Files\Content.IE5\XZSV0FFM\expuk[1].gif moved successfully. Logfile of Trend Micro HijackThis v2.0.2Scan saved at 6:51:57 PM, on 8/24/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\NavNT\defwatch.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\NavNT\rtvscan.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\wltrysvc.exeC:\WINDOWS\System32\bcmwltry.exeC:\WINDOWS\system32\MsgSys.EXEC:\WINDOWS\Explorer.EXEC:\Program I killed them.Below is my HijackThis log:Logfile of HijackThis v1.99.1Scan saved at 11:11:09 AM, on 11/13/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\Program Files\Sophos\Remote Update\cachemgr.exeC:\MATLAB6p5\webserver\bin\win32\matlabserver.exeC:\Program Files\Sophos SWEEP dsk635, Nov 14, 2005 #6 MFDnNC Joined: Sep 7, 2004 Messages: 49,014 That is in restore points Turn off restore points, boot, turn them back on – here’s how XP

WebRep) - block: primaryControls 2 - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software) O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - block: primaryControls 1 - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O3 - HKLM\..\Toolbar: Save the results from the scan! =========== DL EasyCleaner Use the clear files and Unnecessary files buttons - I do not recommend using the Duplicates files button as many dupes Reports: · Posted 8 years ago Top ScottW Posts: 6609 This post has been reported. Thanks, -DK dsk635, Nov 13, 2005 #1 Sponsor MFDnNC Joined: Sep 7, 2004 Messages: 49,014 Please print these instructions out for use in Safe Mode.

If it's gone, it's probably thanks to Spy Sweeper.Still, my PC's running slow and IE search results link to a new window with ads.Also, I'm still getting "A critical error could Glad about that FMZ. Let me know whether this is an virus infection or some problem with windows registry. Read more Answer:Solved: Trojan virus and virtumonde 13 more replies Relevance 52.07% Question: Solved: trojan AOY and possibly virtumonde my computer started to not letting me open firefox and other programs

AVG tries to quaratine it but everytime I restart its back...Moreover on starting my PC lots of IE windows open up by themselves (but they say cannot find server/page) and IE I wouldn't say I'm the most computer saavy kid in the world but I can generally keep away from spyware or clean it up by following the steps here on the Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra Registry value HKEY_USERS\S-1-5-21-746137067-287218729-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\ block: useful_searches 5 deleted successfully.

Any help would be greatly appreciated.Logfile of HijackThis v1.99.1Scan saved at 7:53:58 PM, on 7/11/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16473)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\Trend At this point please type the following file path (make sure to enter it exactly as below!): C:\WINDOWS\AppPatch\nurgmi.* If you have a script blocker running, you may get a warning about I did some reading on this trojan, of course, and it appears that the same damn people that created this trojan are the ones offering this "spyware removal program", even though They show up in Task Manager, though.

Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dllO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocxO2 - BHO: Bho - {07AEC75B-A1F4-44cd-A6E0-7A5326977451} - C:\WINDOWS\system32\kkftdvbo.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO2 - navigate to this website Disable or password-protect file sharing, or set the shared files to Read Only, before reconnecting the computers to the network or to the Internet. I am therefore posting my hijack this log on this forum. Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\Jump to...4\ deleted successfully.

Note for network administrators: If you are running MS Exchange 2000 Server, we recommend that you exclude the M drive from the scan by running the tool from a command line, his comment is here Please download ATF Cleaner by Atribune. Under Main choose: Select All Click the Empty Selected button. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ block: useful_searches 7\ deleted successfully. I can still get new files onto it via USB drive, though.I've tried running some anti-spyware (Multi Virus Cleaner, Ad-Aware SE Personal, and SUPERAntispyware) but nothing seems to be working. Some of these spyware scams will create a false positive virus in order to try to get you to pay for a removal product. Any help you could give would be greatly appreciated!

C:\Documents and Settings\Philip Green\Local Settings\Temporary Internet Files\Content.IE5\Q4HEFK0G\105052-active-internet-explorer-randomly-closing-2[1].html moved successfully. First I ran SmitFraudFix (for trojan.agent), this removed a good part of the problem, after that I ran FixIEDef.exe by ShadowPuterDude(for IEDefender), this website was suggested by ScottW (;start= ) and Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ end block: useful_searches 3\ not found.

Then a new value started (6DD0BC06-4719-4BA3-BEBC-FBAE6A448152) and went on for about 2 hours before stopping.

I tried deleting this dll from the path but it said that it cannot be deleted as other users are using it !! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe O4 - Global I killed them. The /EXCLUDE switch will only work with one path, not multiple.

In the unnecessary button I check the top 4 entries Fix these with HJT – mark them, close IE, click fix checked R3 - Default URLSearchHook is missing O2 - BHO: For things that you do recognize, you can decide if you want them to run or not. For IE 7 users, simply click the "Reset all zones to default level" button. I cleaned my computer, ran the adaware, and spy bot (which found the virus but couldn't delete it).

Trojan.agent is too vague. C:\Documents and Settings\Philip Green\Local Settings\Temporary Internet Files\Content.IE5\GXQTDQM7\xd_arbiter[1].htm moved successfully. On Monday, after doing nothing out of the ordinary, my computer suddenly slowed down. AVG tries to quaratine it but everytime I restart its back...Moreover on starting my PC lots of IE windows open up by themselves (but they say cannot find server/page) and IE

This may not include all the folders on the remote computer, which can lead to missed detections. Copyright © 2006-2017 How-To Geek, LLC All Rights Reserved

Sign In / Register Hi My Account Log Out United States PRODUCTS Threat Protection Information Protection Cyber Security Services Website Now download The Avenger by Swandog46, and save it to your Desktop. The scan will begin and "Scan in progress" will show at the top.

I'll wait for further instructions. How to download and run the tool Important: You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP. is completely free, paid for by advertisers and donations. how do I post the report for your review?

It will create a log (FSS.txt) in the same directory the tool is run. Then click the Programs tab and then click "Reset Web Settings". Post that log in your next reply.Note:Do not mouseclick combofix's window whilst it's running. I saw the name Win32/e404 pop up a few times running scans lately, and I can say for sure I have/had Fotomoto/Virtumonde.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\ end block: useful_searches 2\ deleted successfully. Check Scan archives Click Start ESET will then download updates for itself, install itself, and begin scanning your computer. It is not malicious. Click Apply.