
Thread: Please HELP - Think I Deleted Files Incorrectly

  1. #11
    Junior Member
    Join Date
    Jan 2009
    Posts
    10

    I have scanned twice more and twice removed Virtumonde.prx (3 entries) in the register keys.

    I am restarting now to see if that makes a difference... any ideas?

  2. #12
    Junior Member
    Join Date
    Jan 2009
    Posts
    10

    I am using the IE on the infected computer and getting lots of pop-ups.

    I went into the Advanced Mode of SpyBot and found this list:

    1/17/2009 3:07:14 PM Allowed (based on user decision) value "CPM83b0daff" (new data: "") deleted in System Startup global entry!
    1/17/2009 3:07:35 PM Denied (based on user decision) value "SpybotDeletingA9724" (new data: "command /c del "c:\windows\system32\nuyajuku.dll_old"") added in System Startup global entry!
    1/17/2009 3:07:47 PM Denied (based on user decision) value "SpybotDeletingC6770" (new data: "cmd /c del "c:\windows\system32\nuyajuku.dll_old"") added in System Startup global entry!
    1/17/2009 3:07:51 PM Denied (based on user decision) value "SpybotDeletingA1703" (new data: "command /c del "C:\WINDOWS\system32\kumeweva.dll_old"") added in System Startup global entry!
    1/17/2009 3:10:13 PM Denied (based on user decision) value "SpybotDeletingC9617" (new data: "cmd /c del "C:\WINDOWS\system32\kumeweva.dll_old"") added in System Startup global entry!
    1/17/2009 3:10:28 PM Denied (based on user decision) value "SpybotDeletingA6581" (new data: "command /c del "C:\WINDOWS\system32\venaroyu.dll_old"") added in System Startup global entry!
    1/17/2009 3:10:37 PM Denied (based on user decision) value "SpybotDeletingC489" (new data: "cmd /c del "C:\WINDOWS\system32\venaroyu.dll_old"") added in System Startup global entry!
    1/17/2009 3:10:42 PM Denied (based on user decision) value "SpybotDeletingB6407" (new data: "command /c del "c:\windows\system32\nuyajuku.dll_old"") added in System Startup user entry!
    1/17/2009 3:10:44 PM Denied (based on user decision) value "SpybotDeletingD535" (new data: "cmd /c del "c:\windows\system32\nuyajuku.dll_old"") added in System Startup user entry!
    1/17/2009 3:10:48 PM Denied (based on user decision) value "SpybotDeletingB3736" (new data: "command /c del "C:\WINDOWS\system32\kumeweva.dll_old"") added in System Startup user entry!
    1/18/2009 2:38:34 PM Allowed (based on user decision) value "SpybotDeletingD834" (new data: "") deleted in System Startup user entry!
    1/18/2009 2:38:38 PM Allowed (based on user decision) value "SpybotDeletingB2760" (new data: "") deleted in System Startup user entry!
    1/18/2009 2:38:42 PM Allowed (based on user decision) value "SpybotDeletingD6911" (new data: "") deleted in System Startup user entry!
    1/18/2009 4:05:01 PM Allowed (based on user whitelist) value "CPM83b0daff" (new data: "") deleted in System Startup global entry!
    1/18/2009 4:05:10 PM Allowed (based on user decision) value "peyomaluhu" (new data: "") deleted in System Startup global entry!
    1/18/2009 4:05:14 PM Allowed (based on user decision) value "peyomaluhu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kumeweva.dll",s") added in System Startup global entry!
    1/18/2009 5:23:03 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "") deleted in System Startup global entry!
    1/18/2009 5:23:07 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kumeweva.dll",s") added in System Startup global entry!
    1/18/2009 6:15:13 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "") deleted in System Startup global entry!
    1/18/2009 6:15:16 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kumeweva.dll",s") added in System Startup global entry!

    The peyomaluhu is what keeps showing up over and over, and I keep getting a message when I restart saying the kumeweva.dll could not be found.

    I found instructions on another site on how to disable the TeaTimer... but I did not continue and run the .bat file... I just unchecked the TeaTimer in the Advanced Mode...

    Help please!
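An added example, not part of the original posts: one way to read a TeaTimer log like the one in post #12 is to group entries by startup value and count how often an allowed "added" directly follows an allowed "deleted", and how many of those re-adds were approved by the whitelist instead of by a prompt. The sample lines are copied from that post; the function names are this example's own, and the line format is assumed to be exactly what the post shows.

```python
import re
from collections import defaultdict

# Sample lines copied from the TeaTimer log quoted in post #12.
SAMPLE_LOG = r'''
1/17/2009 3:07:35 PM Denied (based on user decision) value "SpybotDeletingA9724" (new data: "command /c del "c:\windows\system32\nuyajuku.dll_old"") added in System Startup global entry!
1/18/2009 4:05:10 PM Allowed (based on user decision) value "peyomaluhu" (new data: "") deleted in System Startup global entry!
1/18/2009 4:05:14 PM Allowed (based on user decision) value "peyomaluhu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kumeweva.dll",s") added in System Startup global entry!
1/18/2009 5:23:03 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "") deleted in System Startup global entry!
1/18/2009 5:23:07 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kumeweva.dll",s") added in System Startup global entry!
1/18/2009 6:15:13 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "") deleted in System Startup global entry!
1/18/2009 6:15:16 PM Allowed (based on user whitelist) value "peyomaluhu" (new data: "Rundll32.exe "C:\WINDOWS\system32\kumeweva.dll",s") added in System Startup global entry!
'''

# The data field can contain nested double quotes, so it is matched greedily
# up to the last '")' that is followed by the action word.
LINE_RE = re.compile(
    r'^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<verdict>Allowed|Denied) '
    r'\(based on user (?P<basis>decision|whitelist)\) value "(?P<name>[^"]+)" '
    r'\(new data: "(?P<data>.*)"\) (?P<action>added|deleted) '
    r'in System Startup (?P<scope>global|user) entry!$'
)

def parse(log_text):
    """Return one dict per log line that matches the assumed format."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := LINE_RE.match(line.strip()))]

def respawning_values(events, min_cycles=2):
    """Startup values re-added (and allowed) right after a deletion, min_cycles times or more."""
    state = defaultdict(lambda: {"cycles": 0, "whitelisted": 0, "data": set(), "last": None})
    for e in events:
        s = state[(e["scope"], e["name"])]
        if e["verdict"] != "Allowed":
            continue  # a denied change never took effect, so it does not alter state
        if e["action"] == "added" and s["last"] == "deleted":
            s["cycles"] += 1
            s["whitelisted"] += e["basis"] == "whitelist"  # approved without a prompt
            s["data"].add(e["data"])
        s["last"] = e["action"]
    return {k: v for k, v in state.items() if v["cycles"] >= min_cycles}
```

A value that cycles like this with a non-zero `whitelisted` count means the resident guard is approving the re-creation automatically, which fits the helper's advice in the next post to start from a fresh install and leave TeaTimer off during cleanup.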

  3. #13
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Does the .dll error still occur?
    Also, if you remove Spybot-Search&Destroy, it should (I'm pretty sure) remove the settings too; if not, it'll just leave behind a folder with some configuration files.

    To skip the technical stuff in fixing that .dll error, you might as well uninstall Spybot and install a fresh copy from here:
    http://www.safer-networking.org/en/mirrors/index.html
    Doing so should remove your settings for TeaTimer too (they seem to be in a bit of a jumble), because the Virtumonde entry seems to persistently reappear.

    What you'll have to do is start your own thread in the Malware Removal Forums to remove Virtumonde. A specialist will assist you to remove it (because Virtumonde is going to be persistent).
    Follow the directions below and attach the required logs (just HJT will do fine) and install a fresh copy of Spybot-Search&Destroy (this time, I would really suggest you do not install TeaTimer, because you'll have to disable it when your helper assists you to prevent TeaTimer from interfering with the fixes).

    Good luck (instructions below).
    ---
    Consider posting in the Malware Removal forum and having someone take a look at your system.

    If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log:
    After you have completed the required scans and produced the requested logs, start your own thread in the Malware Removal forum, making sure to post the HijackThis log produced from the above instructions.
    ___
