#1
Guest
Posts: n/a

Help - virtumonde.dll - virus?

Help!!

Yesterday while I was on the internet Nod32 gave me a message that it had quarantined a trojan. I did a successful virus scan and then ran Spybot Search & Destroy. S&D detected some spyware I hadn't seen before - Virtumonde and Virtumonde.dll. It then required me to restart my computer to eliminate Virtumonde.dll.

Now whenever I start my computer, Search&Destroy starts immediately and eventually detects the same 2 programs which I then remove.

S&D also gives me the following message:
"System startup global entry value deleted"

If I cancel the scan, the message says a global entry value was "changed".

The change is:

old data: c:\windows\system32\pkmbqwqt.dll
new data: c:\windows\system32\crdulkka.dll

Windows XP also gives me a message that there is an error loading c:\windows\system32\pkmbqwqt.dll

In addition the following is happening:

1- AntiSpywareMaster.com popup ads appear saying I have 12 viruses.

2- My browsers (IE and Firefox) cannot do any Google searches. The Yahoo site can not even be accessed.

3- Windows "automatic update" has to be turned back on every time I start the computer.

4- While browsing to other sites I have always gone to before without trouble (even secure sites) I get directed to other sites - namely internet dating sites.

Any help would be appreciated.

Bill

#2
Guest
Posts: n/a

Re: Help - virtumonde.dll - virus?

From: "Bill9966" <>

| Help!!
|
| Yesterday while I was on the internet Nod32 gave me a message that it
| had quarantined a trojan. I did a successful virus scan and then ran
| Spybot Search & Destroy. S&D detected some spyware I hadn't seen
| before - Virtumonde and Virtumonde.dll. It then required me to
| restart my computer to eliminate Virtumonde.dll.
|
| Now whenever I start my computer, Search&Destroy starts immediately
| and eventually detects the same 2 programs which I then remove.
|
| S&D also gives me the following message:
| "System startup global entry value deleted"
|
| If I cancel the scan, the message says a global entry value was
| "changed".
|
| The change is:
|
| old data: c:\windows\system32\pkmbqwqt.dll
| new data: c:\windows\system32\crdulkka.dll
|
| Windows XP also gives me a message that there is an error
| loading c:\windows\system32\pkmbqwqt.dll
|
| In addition the following is happening:
|
| 1- AntiSpywareMaster.com popup ads appear saying I have 12 viruses.
|
| 2- My browsers (IE and Firefox) cannot do any Google searches. The
| Yahoo site can not even be accessed.
|
| 3- Windows "automatic update" has to be turned back on every time I
| start the computer.
|
| 4- While browsing to other sites I have always gone to before without
| trouble (even secure sites) I get directed to other sites - namely
| internet dating sites.
|
| Any help would be appreciated.
|
| Bill

You are still infected thus the Pop-Ups for a rogue anti malware utility.

You can look into the Registry at the Winlogon/Notify key and find the name of the DLL then remove power from the PC. Reboot in the Recovery Console and logon as the administrator.

Then delete the DLL from c:\windows\system32

Reboot the PC in Normal Mode and run SpyBot and other anti spyware/trojan removers.

If you don't understand what I just related...

1. Download and execute HiJack This! (HJT)

2. Disable Notepad's word wrap:
In Notepad.exe; Format --> uncheck; "Word wrap"

3. Download/run Deckard's System Scanner:

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of the below expert forums...

{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:

Suggested secondary:

Suggested tertiary:

--
Dave

Multi-AV -

#3
Newbie
Join Date: Mar 2007
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Rep Power: 0

Billy, I will give you a better solution for this issue.. from your description I understand that you have Trojan and Spyware infection in your system.

Don't worry Buddy.. Just try this... Download combofix from www.c007.notlong.com Save it to your Desktop .. Run it from there by double clicking on it .. Just click on OK or Yes if you get 2 prompts.. Please note that you should close all applications while doing this... Your PC may get restarted as a part of the cleaning process.. But I'm sure this will fix the issue.. :-)

#4
Guest
Posts: n/a

Re: Help - virtumonde.dll - virus?

In article <.com>, says...
> > 1- AntiSpywareMaster.com popup ads appear saying I have 12 viruses.

AntiSpywareMaster is a rogue application.
If you follow David Lipman's advice, at some point one of the scans will remove part of AntiSpywareMaster, effectively disabling it. You might want to take its entry out of the Startup section in Start->Run->MSConfig and delete its shortcut from your desktop as well.

--
Snob? Were I a snob, I wouldn't be talking to you.

#5
Guest
Posts: n/a

Re: Help - virtumonde.dll - virus?

Any idea where you got infected?
Thanks

"Dave Budd" <.ku> wrote in message news: t...
> In article <.com>, says...
>>
>> 1- AntiSpywareMaster.com popup ads appear saying I have 12 viruses.
>
> AntiSpywareMaster is a rogue application.
> If you follow David Lipman's advice, at some point one of the scans will
> remove part of AntiSpywareMaster, effectively disabling it. You might
> want to take its entry out of the Startup section in Start->Run->
> MSConfig and delete its shortcut from your desktop as well.
> --
> Snob? Were I a snob, I wouldn't be talking to you.

#6
Guest
Posts: n/a

Re: Help - virtumonde.dll - virus?

On Mon, 19 May 2008 23:47:59 GMT, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>From: "Bill9966" <>
>
>| Help!!
>|
>| Yesterday while I was on the internet Nod32 gave me a message that it
>| had quarantined a trojan. I did a successful virus scan and then ran
>| Spybot Search & Destroy. S&D detected some spyware I hadn't seen
>| before - Virtumonde and Virtumonde.dll. It then required me to
>| restart my computer to eliminate Virtumonde.dll.
>|
>| Now whenever I start my computer, Search&Destroy starts immediately
>| and eventually detects the same 2 programs which I then remove.
>|
>| S&D also gives me the following message:
>| "System startup global entry value deleted"
>|
>| If I cancel the scan, the message says a global entry value was
>| "changed".
>|
>| The change is:
>|
>| old data: c:\windows\system32\pkmbqwqt.dll
>| new data: c:\windows\system32\crdulkka.dll
>|
>| Windows XP also gives me a message that there is an error
>| loading c:\windows\system32\pkmbqwqt.dll
>|
>| In addition the following is happening:
>|
>| 1- AntiSpywareMaster.com popup ads appear saying I have 12 viruses.
>|
>| 2- My browsers (IE and Firefox) cannot do any Google searches. The
>| Yahoo site can not even be accessed.
>|
>| 3- Windows "automatic update" has to be turned back on every time I
>| start the computer.
>|
>| 4- While browsing to other sites I have always gone to before without
>| trouble (even secure sites) I get directed to other sites - namely
>| internet dating sites.
>|
>| Any help would be appreciated.
>|
>| Bill
>
>You are still infected thus the Pop-Ups for a rogue anti malware utility.
>
>You can look into the Registry at the Winlogon/Notify key and find the name of the DLL then
>remove power from the PC. Reboot in the Recovery Console and logon as the administrator.
>
>Then delete the DLL from c:\windows\system32
>
>Reboot the PC in Normal Mode and run SpyBot and other anti spyware/trojan removers.
>
>If you don't understand what I just related...
>
>1. Download and execute HiJack This! (HJT)
>
>2. Disable Notepad's word wrap:
>In Notepad.exe; Format --> uncheck; "Word wrap"
>
>3. Download/run Deckard's System Scanner:
>
>4. Save the scan results (Main.txt and Extra.txt)
>
>5. And then post the contents of Main.txt and Extra.txt in your post in one of the below
>expert forums...
>
>{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }
>
>Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
>Logs.
>
>NOTE: Registration is REQUIRED in any of the below before posting a log
>
>Suggested primary:
>
>Suggested secondary:
>
>Suggested tertiary:
>
>--
>Dave
>
>Multi-AV -

Thanks David

I use Windows XP and am a novice at this stuff. To make matters worse I'm disabled (quadriplegic) so am slow at the keyboard.

I have 2 questions

1- Couldn't I just reset the registry to an earlier date and avoid having to do all this?

2- If not could you explain the following more

>You can look into the Registry at the Winlogon/Notify key and find the name of the DLL then
>remove power from the PC. Reboot in the Recovery Console and logon as the administrator.

Thanks so much,
Bill

#7
Guest
Posts: n/a

Re: Help - virtumonde.dll - virus?

From: "Bill9966" <>

| On Mon, 19 May 2008 23:47:59 GMT, "David H. Lipman"
| <DLipman~nospam~@Verizon.Net> wrote:

>>From: "Bill9966" <>

>>| Help!!
>>|
>>| Yesterday while I was on the internet Nod32 gave me a message that it
>>| had quarantined a trojan. I did a successful virus scan and then ran
>>| Spybot Search & Destroy. S&D detected some spyware I hadn't seen
>>| before - Virtumonde and Virtumonde.dll. It then required me to
>>| restart my computer to eliminate Virtumonde.dll.
>>|
>>| Now whenever I start my computer, Search&Destroy starts immediately
>>| and eventually detects the same 2 programs which I then remove.
>>|
>>| S&D also gives me the following message:
>>| "System startup global entry value deleted"
>>|
>>| If I cancel the scan, the message says a global entry value was
>>| "changed".
>>|
>>| The change is:
>>|
>>| old data: c:\windows\system32\pkmbqwqt.dll
>>| new data: c:\windows\system32\crdulkka.dll
>>|
>>| Windows XP also gives me a message that there is an error
>>| loading c:\windows\system32\pkmbqwqt.dll
>>|
>>| In addition the following is happening:
>>|
>>| 1- AntiSpywareMaster.com popup ads appear saying I have 12 viruses.
>>|
>>| 2- My browsers (IE and Firefox) cannot do any Google searches. The
>>| Yahoo site can not even be accessed.
>>|
>>| 3- Windows "automatic update" has to be turned back on every time I
>>| start the computer.
>>|
>>| 4- While browsing to other sites I have always gone to before without
>>| trouble (even secure sites) I get directed to other sites - namely
>>| internet dating sites.
>>|
>>| Any help would be appreciated.
>>|
>>| Bill

>>You are still infected thus the Pop-Ups for a rogue anti malware utility.

>>You can look into the Registry at the Winlogon/Notify key and find the name of the DLL then
>>remove power from the PC. Reboot in the Recovery Console and logon as the administrator.

>>Then delete the DLL from c:\windows\system32

>>Reboot the PC in Normal Mode and run SpyBot and other anti spyware/trojan removers.

>>If you don't understand what I just related...

>>1. Download and execute HiJack This! (HJT)
>>
>>2. Disable Notepad's word wrap:
>>In Notepad.exe; Format --> uncheck; "Word wrap"

>>3. Download/run Deckard's System Scanner:
>>
>>4. Save the scan results (Main.txt and Extra.txt)

>>5. And then post the contents of Main.txt and Extra.txt in your post in one of the below
>>expert forums...

>>{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

>>Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
>>Logs.

>>NOTE: Registration is REQUIRED in any of the below before posting a log

>>Suggested primary:
>>
>>Suggested secondary:
>>
>>Suggested tertiary:
>>
>>--
>>Dave
>>
>>Multi-AV -

| Thanks David

| I use Windows XP and am a novice at this stuff. To make matters worse
| I'm disabled (quadriplegic) so am slow at the keyboard.

| I have 2 questions

| 1- Couldn't I just reset the registry to an earlier date and avoid
| having to do all this?

| 2- If not could you explain the following more

>>You can look into the Registry at the Winlogon/Notify key and find the name of the DLL then
>>remove power from the PC. Reboot in the Recovery Console and logon as the administrator.

| Thanks so much,
| Bill

Bill:

Then I suggest posting in an Expert forum where you will get assisted, personal, help.

--
Dave

Multi-AV -

#8
Guest
Posts: n/a

Re: Help - virtumonde.dll - virus?

Above is a quick Google search, which may be helpful. You can try it (Spyhunter). Virtumonde has many versions and can be very difficult to remove. I don't know any more expert about malware removal than Mr. Lipman. Your question, can you restore your registry to an earlier, uninfected, state. That probably wouldn't work, as Virtumonde has changed a lot more than your registry. Of course, and I recommend it, if you made a complete image backup of your computer, you could format the drive and restore that. Such image backup software is Nero Backitup and Symantec Ghost. I believe XP Pro has backup software. Good Luck

#9
Guest
Posts: n/a

Re: Help - virtumonde.dll - virus?

"Russg" sticks his 2 cents in. Spyhunter is a try and buy anti-spyware. It will do a free scan, certainly find stuff, then require buying to get rid of the problems it finds. I don't know if it is any good or not, but I'm sorry I pointed to it. Good and free anti-spy are Spybot Search and Destroy and Ad-Aware SE personal. I don't know if those two are still free and any good. I was hoping to find a free scan and removal tool that would work on Virtumonde. It could well be that you need to do the HiJack This and the other tool that David recommends and go to one of the expert sites he recommends.

#10
Guest
Posts: n/a

Re: Help - virtumonde.dll - virus?

From: "Russg" <>

| Above is a quick Google search, which may be
| helpful. You can try it (Spyhunter).

NO !

SpyHunter and affiliates have a BAD reputation for spamming Expert Forums.

Finally an important read...

Enigma is not a good company!

--
Dave

Multi-AV -