Hi, my computer caught a virus called JOKWMP.DLL TROJAN.VIRTUMOND and it continually directs me to web pages trying to sell antivirus software, plus it has also slowed down my computer heaps. I tried NAV and spydoctor but both didn't remove it. I am really desperate to fix it because I need my computer for work. I don't know much about computers so if someone could explain what to do in simple terms that would be great. Thanks

Let's try a quick help. Download avira anti virus and S&D for spy ware, update and run full scan in safe mode.
http://www.free-av.com/
http://www.safer-networking.org/en/index.html

Follow the steps in this post. Once we have the logs we can determine what to do next.

OK, so I followed your instructions and found that there were two suspicious programs in add remove program called ANIWZCS2 service and ANIO Service. I'm not sure if they are good or bad but I cannot uninstall them through add remove programs or cc cleaner. I then ran cc cleaner followed by super anti spyware, ESET Nod32 Online Scanner, deleted an old version of java and kept the Java 6 Update 3 version and hijack this. The virus is still on my comp

We need the logs.

OK, here are all the log files
[saving disk space - old attachment deleted by admin]

And a HijackThis log

Sorry mate, here it is
[saving disk space - old attachment deleted by admin]

Open HijackThis and select "Do a system scan only"
Place a check mark next to:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O21 - SSODL: rmvgor - {B0F1A5EF-AE0F-4EAC-857A-63BE540A7B85} - C:\WINDOWS\rmvgor.dll
O21 - SSODL: sapnet - {EE538701-E473-44CF-BF64-26595693CEBE} - C:\WINDOWS\sapnet.dll
O21 - SSODL: msmhost - {D5798D9B-6A06-4B02-9DE7-F8395BB6BB52} - C:\WINDOWS\msmhost.dll (file missing)
O21 - SSODL: msmdev - {B1BE01C9-0B08-4667-9237-50F1FA04254E} - C:\WINDOWS\msmdev.dll (file missing)
O22 - SharedTaskScheduler: andropogon - {655560a9-3ca8-4509-9632-6abbef21426b} - (no file)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
Close all windows and click "Fix checked"
==========
Download SmitfraudFix (by S!Ri) to your Desktop.
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.
Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/processutil/processutil.htm
=====
Next post please attach rapport.txt

Rapport
[saving disk space - old attachment deleted by admin]

PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.
You may want to print out these instructions or copy and paste them to notepad and save it to the desktop as you will not be able to see this page in safe mode
Please reboot your computer in Safe Mode by tapping the F8 key just before Windows starts to load and selecting Safe Mode.
Open the SmitfraudFix Folder on your Desktop, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter. The program will start cleaning your computer and go through a series of cleanup processes. Wait for the tool to complete and disk cleanup to finish. This process can take some time depending on your computer, so please be patient. When it is complete, it will close automatically and you should continue with next step.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional: To restore Trusted and Restricted site zone, select 3 and hit Enter. You will be prompted: Restore Trusted Zone? answer Y (yes) and hit Enter to delete trusted zone.
Now reboot into normal mode and attach this new rapport.txt in the next post.
WARNING Running this option on a non infected computer will remove the desktop background. So only run it once!
=====
Next post attach
rapport.txt
New HijackThis log

OK, here they are mate
[saving disk space - old attachment deleted by admin]

We are getting close, just one entry that looks like trouble.
Please download Vundofix.exe to your desktop.
* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
Please let Vundo finish, sometimes it can take multiple passes
==========
Next post attach
vundofix.txt
Another new HijackThis log.

OK, so I downloaded vundofix and I couldn't see any box to tick about run as task so it just opened up and I clicked on scan. Once it scanned my computer it said there were no files found. Here is the hijack log though
[saving disk space - old attachment deleted by admin]

OK, we will try this.
Please download Combofix by sUBs from either here or here
Save Combofix.exe to your Desktop.
1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
2. When finished, it will produce a log for you.
3. Attach that log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause your computer to stall
Next post
combofix log
new hijackthis log
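
The HijackThis entries quoted earlier in this thread follow a fixed "code - description" layout, so one triage step (finding autorun entries whose target file no longer exists) can be scripted. This is an added example, not part of the original posts or of HijackThis itself; the function names are hypothetical and the sample lines are copied from the thread.

```python
import re

# Section codes that appear in this thread, with their HijackThis meaning.
SECTIONS = {
    "R0": "Internet Explorer start/search page",
    "O2": "Browser Helper Object",
    "O21": "ShellServiceObjectDelayLoad autorun",
    "O22": "SharedTaskScheduler autorun",
    "O24": "Active Desktop component",
}
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis appends one of these markers when the referenced file is not on disk.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$")


def parse_line(line):
    """Split one HijackThis log line into fields; return None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    clsid = CLSID_RE.search(body)
    return {
        "code": m.group("code"),
        "section": SECTIONS.get(m.group("code"), "unknown"),
        "clsid": clsid.group(0) if clsid else None,
        "orphaned": bool(ORPHAN_RE.search(body)),
    }


def orphaned_entries(log_text):
    """Return entries whose registry key remains but whose file was not found."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and e["orphaned"]]


# Lines copied from the HijackThis entries quoted in the thread.
SAMPLE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O21 - SSODL: rmvgor - {B0F1A5EF-AE0F-4EAC-857A-63BE540A7B85} - C:\WINDOWS\rmvgor.dll
O21 - SSODL: msmhost - {D5798D9B-6A06-4B02-9DE7-F8395BB6BB52} - C:\WINDOWS\msmhost.dll (file missing)
O22 - SharedTaskScheduler: andropogon - {655560a9-3ca8-4509-9632-6abbef21426b} - (no file)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE):
        print(e["code"], e["section"], e["clsid"])
```

A missing file is only one signal: the list in the thread also includes entries such as rmvgor.dll whose file is still present, so the remaining lines still need a manual look.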