Author Topic: Please Help Me! i Cant Get Rid of A Virus!  (Read 4129 times)
xavier20
Topic Starter
Rookie



Posts: 13


« on: November 25, 2007, 12:27:13 AM »

Hi, my computer caught a virus called JOKWMP.DLL TROJAN.VIRTUMOND and it continually directs me to web pages trying to sell antivirus software, plus it has also slowed down my computer heaps. I tried NAV and spydoctor but both didn't remove it. I am really desperate to fix it because I need my computer for work. I don't know much about computers, so if someone could explain what to do in simple terms that would be great. Thanks.
IP logged
kuszmania9999
Adviser



Thanked: 3
Posts: 681


« Reply #1 on: November 25, 2007, 12:37:48 AM »

Let's try a quick help. Download Avira antivirus and S&D for spyware, update, and run a full scan in safe mode.

http://www.free-av.com/
http://www.safer-networking.org/en/index.html
IP logged
evilfantasy
Malware Removal Specialist
Moderator
Genius



Thanked: 462
Posts: 11,769

Experience: Beginner
OS: Windows 7


Calm like a bomb

evilfantasy's blog
« Reply #2 on: November 25, 2007, 10:52:25 AM »

Follow the steps in this post. Once we have the logs we can determine what to do next.
IP logged

xavier20
« Reply #3 on: November 25, 2007, 11:36:34 PM »

OK, so I followed your instructions and found that there were two suspicious programs in Add/Remove Programs called ANIWZCS2 service and ANIO Service. I'm not sure if they are good or bad, but I cannot uninstall them through Add/Remove Programs or CCleaner. I then ran CCleaner followed by SUPERAntiSpyware, ESET Nod32 Online Scanner, deleted an old version of Java and kept the Java 6 Update 3 version, and HijackThis. The virus is still on my comp  :-[

IP logged
evilfantasy
« Reply #4 on: November 25, 2007, 11:44:34 PM »

We need the logs.
IP logged

xavier20
« Reply #5 on: November 25, 2007, 11:48:44 PM »

OK, here are all the log files.

[saving disk space - old attachment deleted by admin]
IP logged
evilfantasy
« Reply #6 on: November 25, 2007, 11:53:00 PM »

And a HijackThis log
IP logged

xavier20
« Reply #7 on: November 25, 2007, 11:59:52 PM »

Sorry mate, here it is.

[saving disk space - old attachment deleted by admin]
IP logged
evilfantasy
« Reply #8 on: November 26, 2007, 12:08:45 AM »

Open HijackThis and select "Do a system scan only"

Place a check mark next to:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O21 - SSODL: rmvgor - {B0F1A5EF-AE0F-4EAC-857A-63BE540A7B85} - C:\WINDOWS\rmvgor.dll
O21 - SSODL: sapnet - {EE538701-E473-44CF-BF64-26595693CEBE} - C:\WINDOWS\sapnet.dll
O21 - SSODL: msmhost - {D5798D9B-6A06-4B02-9DE7-F8395BB6BB52} - C:\WINDOWS\msmhost.dll (file missing)
O21 - SSODL: msmdev - {B1BE01C9-0B08-4667-9237-50F1FA04254E} - C:\WINDOWS\msmdev.dll (file missing)
O22 - SharedTaskScheduler: andropogon - {655560a9-3ca8-4509-9632-6abbef21426b} - (no file)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


Close all windows and click "Fix checked"

==========

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

=====

Next post please attach
rapport.txt
IP logged

xavier20
« Reply #9 on: November 26, 2007, 12:25:58 AM »

Rapport

[saving disk space - old attachment deleted by admin]
IP logged
evilfantasy
« Reply #10 on: November 26, 2007, 12:39:16 AM »

PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

You may want to print out these instructions or copy and paste them to Notepad and save it to the desktop, as you will not be able to see this page in safe mode.

Please reboot your computer in Safe Mode by tapping the F8 key just before Windows starts to load and selecting Safe Mode.

Open the SmitfraudFix Folder on your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
The program will start cleaning your computer and go through a series of cleanup processes. Wait for the tool to complete and disk cleanup to finish. This process can take some time depending on your computer, so please be patient. When it is complete, it will close automatically and you should continue with next step.

You will be prompted: "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone? answer Y (yes) and hit Enter to delete trusted zone.

Now reboot into normal mode and attach this new rapport.txt in the next post.

WARNING: Running this option on a non-infected computer will remove the desktop background. So only run it once!

=====

Next post attach
rapport.txt
New HijackThis log
IP logged

xavier20
« Reply #11 on: November 26, 2007, 12:59:12 AM »

OK, here they are mate.

[saving disk space - old attachment deleted by admin]
IP logged
evilfantasy
« Reply #12 on: November 26, 2007, 01:03:57 AM »

We are getting close, just one entry that looks like trouble.  :o

Please download Vundofix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Please let Vundo finish, sometimes it can take multiple passes

==========

Next post attach
vundofix.txt
Another NEW HijackThis log.
IP logged

xavier20
« Reply #13 on: November 26, 2007, 01:35:22 AM »

OK, so I downloaded VundoFix and I couldn't see any box to tick about run as task, so it just opened up and I clicked on scan. Once it scanned my computer it said there were no files found. Here is the HijackThis log though.

[saving disk space - old attachment deleted by admin]
IP logged
evilfantasy
« Reply #14 on: November 26, 2007, 01:40:13 AM »

OK, we will try this.

Please download Combofix by sUBs from either here or here

Save Combofix.exe to your Desktop.

1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
2. When finished, it will produce a log for you.
3. Attach that log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause your computer to stall


Next post
combofix log
new hijackthis log
IP logged

xavier20
« Reply #15 on: November 26, 2007, 01:56:17 AM »

ok done

[saving disk space - old attachment deleted by admin]
IP logged
xavier20
« Reply #16 on: November 26, 2007, 02:10:09 AM »

So is it all good now?
IP logged
evilfantasy
« Reply #17 on: November 26, 2007, 02:16:20 AM »

Almost there.

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

Quote
Folder::
C:\VundoFix Backups

File::
C:\WINDOWS\system32\fwgogyjf.ini

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

Next post
New combofix log
Another new Hijackthis log
IP logged

xavier20
« Reply #18 on: November 26, 2007, 02:28:55 AM »

k

[saving disk space - old attachment deleted by admin]
IP logged
evilfantasy
« Reply #19 on: November 26, 2007, 02:50:27 AM »

Open HijackThis and select "Do a system scan only"

Place a check mark next to
O4 - HKLM\..\Run: [10bfcfd3] "rundll32.exe" "C:\WINDOWS\system32\fjygogwf.dll",b

Click "Fix checked"

=====

Enable Viewing Of Hidden System Files & Folders

1. Right Click Start.
2. Select Control Panel.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide extensions for known file types option.
7. Uncheck the Hide protected operating system files (recommended) option.
8. Click Apply.
9. Click OK.

Now go to C:\WINDOWS\system32\fjygogwf.dll and delete the file/folder (if found)

=====

Go to Start > Run and copy and paste next command in the field:

ComboFix /u



Make sure there's a space between Combofix and /
Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

=====

Delete any logs and programs like smitfraud and vundofix from the desktop.

=====

Run HijackThis and look for the C:\WINDOWS\system32\fjygogwf.dll entry. If it is still there let us know.

Other than that the logs are clean.

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

Let us know if anything else comes up.



IP logged
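The "fix checked, rescan, compare" loop used in Reply #8 and Reply #19, as an added example that is not part of any post in this thread: it parses HijackThis entry lines and reports which previously fixed entries reappear in a later scan. The lines in FIXED are quoted from the thread; RESCAN, its ExampleApp entry and all function names are constructed for illustration.

```python
import re

# Section codes that appear in this thread, with their usual HijackThis meaning.
SECTIONS = {"R0": "IE start page", "O2": "Browser Helper Object",
            "O4": "autostart Run entry", "O21": "ShellServiceObjectDelayLoad",
            "O22": "SharedTaskScheduler", "O24": "Desktop component"}
LINE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH = re.compile(r'[A-Za-z]:\\[^"*?<>|]+?\.(?:dll|exe|htm|ini)', re.I)

def parse(line):
    """Split one log line into section code, CLSID, file path and orphan flag."""
    m = LINE.match(line.strip())
    if not m:
        return None  # header or free text, not an entry line
    code, rest = m.groups()
    clsid, path = CLSID.search(rest), PATH.search(rest)
    return {"code": code, "section": SECTIONS.get(code, "other"), "rest": rest,
            "clsid": clsid.group(0).upper() if clsid else None,
            "path": path.group(0).lower() if path else None,
            # HijackThis marks entries whose target file no longer exists.
            "orphan": "(no file)" in rest or "(file missing)" in rest}

def key(entry):
    """Identity of an entry across scans: section plus CLSID, path or raw text."""
    return (entry["code"], entry["clsid"] or entry["path"] or entry["rest"])

def still_present(fixed_lines, rescan_lines):
    """Return the previously fixed lines that show up again in a later scan."""
    later = {key(e) for e in map(parse, rescan_lines) if e}
    return [l for l in fixed_lines if (e := parse(l)) and key(e) in later]

# Entry lines quoted from Reply #8 and Reply #19 of this thread.
FIXED = [
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O21 - SSODL: rmvgor - {B0F1A5EF-AE0F-4EAC-857A-63BE540A7B85} - C:\WINDOWS\rmvgor.dll",
    r'O4 - HKLM\..\Run: [10bfcfd3] "rundll32.exe" "C:\WINDOWS\system32\fjygogwf.dll",b',
]
# Constructed follow-up scan (not from the thread): one fixed entry came back.
RESCAN = [
    r"O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe",
    r'O4 - HKLM\..\Run: [10bfcfd3] "rundll32.exe" "C:\WINDOWS\system32\FJYGOGWF.DLL",b',
]

if __name__ == "__main__":
    for line in still_present(FIXED, RESCAN):
        print("still present after fix:", line)
```

Entries are matched on CLSID or lower-cased path rather than on the whole line, so a change in letter case or in the "(file missing)" suffix between scans does not hide a returning entry.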

xavier20
« Reply #20 on: November 26, 2007, 03:00:35 AM »

Nah, can't find it. All looks good. The computer's working fine. Thank you so much for helping me.
IP logged
evilfantasy
« Reply #21 on: November 26, 2007, 03:05:53 AM »

Sounds good!

Safe surfing.....
IP logged

Copyright © 2010 Computer Hope ® All rights reserved.