Help me completely clean Virumonde please

[Ube_Astard]

My girlfriends computer caught the virumonde virus (not sure if its because I turned off the VirginPCGuard or if it would have anyway) and ive been trying to get rid of it for about 4 days now. I eventually found this forum and have followed all these procedures:http://www.computerhope.com/forum/index.php?PHPSESSID=aa3682949031225763026acd4ae535ed&/topic,46313.0.html

and now wish for someone to advise me further.
We can now use IE or Mozilla with no problems.
Here are the logs requested.

Thank you very much in advance.



[recovering disk space -- attachment deleted by admin]

[kpac]

Don't lose hope just yet.

A malware specialist will be along shortly.

[Ube_Astard]

Thanks guys. You are time and system savers.

[evilfantasy]

Please do the following:

1. Download this diagnostics tool MGADiag.exe and save this to your Desktop.
2. Double-click on MGADiag.exe and click Continue
3. When the program has finished, click on Copy
4. Post the results in your next reply.

[Jenny]

I downloaded MGA DIAG - clicked on copy and don't know how to get it to you from there.  So I closed it, clicked on the desktop symbol - send to-
and it threw up a  Outlook Express wizard.  Don't use OE - so where do
I go from here.

(The status line on the first page said:  WGA unsupported software)
Is that the diagnosis of my problem -- that something I recently downloaded (which would be Jarte word)  is unsupported and thus
causing all my current problems?

Thanks for your help - I'm halfway through a book manuscript and being
stopped every-which-away I turn.

[kpac]

Which one of you are we helping? Have you two forum accounts?

[Ube_Astard]

Please do the following:

1. Download this diagnostics tool MGADiag.exe and save this to your Desktop.
2. Double-click on MGADiag.exe and click Continue
3. When the program has finished, click on Copy
4. Post the results in your next reply.

Its all worked! Thank you very much and I'm virus free now.

[evilfantasy]

Platform: Windows XP SP1

Why are you not running XP SP2?

Is this a legal copy of Windows?

[Ube_Astard]

Updates had been turned off. Back on now and all updates downloaded.

[evilfantasy]

Post a new HijackThis log so we can clean you the rest of the way up.

[Ube_Astard]

Thanks. This is the new file log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:04:47, on 17/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ngen.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://english.icrfast.com/index.php?rvs=hompag
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {D7D5FA32-995F-438E-B6BD-681A8F4E3CA1} - C:\WINDOWS\System32\jkkJaaBU.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2BB6257-7F6D-405F-B056-F655F70B0AFB}: NameServer = 194.168.1.254,194.168.4.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{A2BB6257-7F6D-405F-B056-F655F70B0AFB}: NameServer = 194.168.1.254,194.168.4.100
O17 - HKLM\System\CS4\Services\Tcpip\..\{A2BB6257-7F6D-405F-B056-F655F70B0AFB}: NameServer = 194.168.1.254,194.168.4.100
O20 - AppInit_DLLs: MsgPlusLoader.dll gymxvk.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 4812 bytes


Regards

[evilfantasy]

Disable Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.

1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident
uncheck Resident TeaTimer and OK any prompt and Restart your computer.

Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O2 - BHO: (no name) - {D7D5FA32-995F-438E-B6BD-681A8F4E3CA1} - C:\WINDOWS\System32\jkkJaaBU.dll (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll gymxvk.dll

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

[Ube_Astard]

OK. Heres done and thanks again.



[recovering disk space -- attachment deleted by admin]

[evilfantasy]

Create An Uninstall List

• Start HijackThis
  
• Click on the Open the Misc Tools section
  
• Click on the Open Uninstall Manager button.
  
• Click on the Save list button and specify where you would like to save this file and click Save.
  • When you press Save button a notepad will open with the contents of that file.
• Copy and paste that list in your reply.

.
----------

Also how is the PC running now?

[Ube_Astard]

Acronis True Image Home
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Ares 2.0.9
ATI Display Driver
Bonjour
Camera RAW Plug-In for EPSON Creativity Suite
CX4300_5500_DX4400 manual
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESET Smart Security
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Java(TM) 6 Update 2
Java(TM) 6 Update 7
Messenger Plus! 3 & Sponsor
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.1)
Mozilla Thunderbird (2.0.0.16)
MP3 Player
MSXML 4.0 SP2 (KB936181)
Nero 8 Micro 8.3.6.0
neroxml
OpenOffice.org 2.3
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Spybot - Search & Destroy
Update for Windows XP (KB951072-v2)
Virgin Broadband advisor 1.5.10
Virgin Broadband PCguard
Windows XP Service Pack 3
WinRAR


There.
Puters running fine btw. I also installed SP3 overnight.
Thanks again