dll messages after spybot clears Virtumonde?



Wildhunt
2008-08-16, 10:04
I am on my laptop as my main PC is being scanned by Spybot (again)

I have two questions:

When Spybot is running it suggests I should reboot and scan again when it gets to the Virtumonde infection. If I say yes, it continues with the scan; if I say no, it continues with the scan. Is this part of the infection? Advice?

Also, when Spybot finishes and removes/fixes the Virtumonde infection I immediately get both Spybot and WinPatrol asking me to choose whether to allow BM178fd987.dll or qoMeEwvt.dll. I am now so confused that I am wondering if I SHOULD allow these? I have been saying no and they are supposedly on my black list. I am losing my mind here....

TIA,
Sally

Wildhunt
2008-08-16, 10:16
OH noooooooo

Spybot kicked in as the PC was loading. It has now finished scanning and removed 3 Virtumonde entries, but the computer is not continuing to load. I don't want to touch ANYTHING without help.

What do I do?

This is horrible,
Sally

drragostea
2008-08-17, 04:26
When Spybot is running it suggests I should reboot and scan again when it gets to the Virtumonde infection. If I say yes, it continues with the scan; if I say no, it continues with the scan. Is this part of the infection? Advice?

Hello Sally. If you chose 'Yes', then Spybot-SD will schedule a scan during the next reboot. If you chose 'No' then Spybot will just continue the scan as it is, no scan during bootup. I don't think Spybot gave you a confirmation about the next bootup.

If the Virtumonde trojan is successfully removed, then its files are removed along with it (randomly generated names in most cases). If TeaTimer is asking you about the file (for example, 'BM178fd987.dll' was removed or deleted), you can Allow it.

Have you ticked 'Remember my Decision'? Also what are the 'files' listed under for both TeaTimer and WinPatrol (BHO, Startup, Homepage, etc.)?

Wildhunt
2008-08-17, 18:48
Thanks for the explanations - it all helps!

I'll explain what is happening today. Last night I deleted some obvious files in winpatrol - I selected delete on start up.

Spybot is now picking up 2 Virtumonde (it was three, so something has changed!) and advises contacting support.

These are the two:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowserHelperObjects\FA1EDBD4-8003-4BBC-A1F1-E93A0FAC31BB

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FA1EDBD4-8003-4BBC-A1F1-E93A0FAC31BB}

The end is the same in both examples.

Spybot "fixes" the problem and I see two DOS Command windows appear briefly. At which point, I restart and do it all again!

I don't use Explorer although it is on my machine. I use Firefox with no scripts, but I don't want to do anything on the PC until I have dealt with this problem. I know exactly how I got it - a downloaded Pokemon DS game! It looked weird so I scanned it with both Norton and Spybot before opening it..... Next time I will go with my gut.

What do I do next?
Thanks in advance,
Sally
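The two registry entries quoted above are how a Browser Helper Object is wired into Internet Explorer: the first key just names a CLSID, and the DLL that CLSID points to lives under the matching CLSID key's InprocServer32 value. The script below is an added example, not code from the original thread or from Spybot; it enumerates every registered BHO, resolves each CLSID to its DLL, and reports whether the DLL is still on disk and whether it carries a valid Authenticode signature. It assumes an elevated PowerShell session on the affected Windows PC and uses the standard key name "Browser Helper Objects" (with spaces); the Wow6432Node path is included for 32-bit IE on 64-bit Windows and is simply skipped where it does not exist.

```powershell
# Added example (not from the original thread): list every Browser Helper Object
# registered for Internet Explorer, resolve its CLSID to the DLL that would be
# loaded, and report whether that DLL still exists on disk and whether it carries
# a valid Authenticode signature. Run in an elevated PowerShell on the affected PC.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # Only present on 64-bit Windows; harmlessly skipped elsewhere.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoReport {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            # The BHO key only holds the CLSID (braces included in the subkey name).
            $clsid = $sub.PSChildName
            # The DLL path is the default value of HKCR\CLSID\{...}\InprocServer32.
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path -Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
            }
            $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
            $exists   = if ($expanded) { Test-Path -LiteralPath $expanded } else { $false }
            # A missing DLL means a dangling registration (what the "deleted" TeaTimer
            # prompts in the thread refer to); an unsigned DLL with a random name under
            # system32 is the one to treat as suspect.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $expanded).Status } else { 'n/a' }
            [PSCustomObject]@{
                RegistryKey = $key
                CLSID       = $clsid
                DLL         = $expanded
                OnDisk      = $exists
                Signature   = $sig
            }
        }
    }
}

Get-BhoReport | Format-Table -AutoSize
```

Reading the output: a row whose CLSID matches one of the keys Spybot flagged but whose DLL is already gone from disk is a leftover registration that Spybot or a manual registry edit can clear without touching any file. A row whose DLL exists, is unsigned, and has a randomly generated name in C:\WINDOWS\system32 is the file the BHO actually loads, and the reason the infection reappears after every fix is usually that the DLL is reloaded (or re-dropped) before the deletion scheduled for the next boot runs.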

drragostea
2008-08-17, 18:58
Okay. Were those entries detected by Spybot-SD itself (program scanning) or TeaTimer? If it was TeaTimer saying:
--The entries were added I would suggest you 'Deny' it.
--If the entries you gave were deleted/removed then I would suggest you 'Allow' it for the time being.

Virtumonde seems hard to remove. If this continues, your best bet may be to visit the Malware Forums :sad:. I remember I've successfully removed Virtumonde on a relative's Windows XP. It just took some dozens of scans and fixes (you don't have the time to do that :laugh:).

The problem here might be the "Poke'mon" game you downloaded. Was it from an unknown source like 'torrents'?

If Virtumonde is still detected even after scan on reboot, make a trip to the Malware Forums.
--
Consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum and having someone take a look at your system.

If you decide to have an experienced malware removal specialist assist you, please follow the procedure in this link to run scans and produce a HijackThis log: "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288).
--
Better safe than sorry.

Safe surfing.

Wildhunt
2008-08-17, 20:09
Sorry.... forgot to mention

Should I allow this:


Spybot S & D has detected an important registry entry that has been changed
Category System Start Up User Entry
Change Value deleted
Entry - SpybotDeleting B3415
old data: command/C del "C:\WINDOWS\system32\spyicroy.dll_old

If I allow - should I check remember decision?

Cheers,
Sally

Wildhunt
2008-08-17, 20:14
Sorry again - I missed your reply as I was on the infected PC copying the data I just posted!

I think I will take a trip to the Malware forum - I am truly out of my depth here.

I don't have Hijack This - is it safe to download it to the infected PC?

TIA,
Sally

drragostea
2008-08-17, 20:26
For the TeaTimer prompt, yes, you can safely Allow it. Why? Because the Spybot-SD value for the attempt to remove Virtumonde was successful, so Spybot does not need to start up again; unless the fix was unsuccessful or was halted, in which case you might receive the same prompt.

HijackThis will produce a log which you will submit along with your thread in the Malware Forums.

If you can access the Internet on the infected PC, then do so if it is possible. So then you can produce the log and access the forum at the same time.

Also, if you plan to back up your data (just a quick tip), after backing it up and transferring it to an uninfected PC, run a scan on the data with an anti-virus program.

:santa:

Wildhunt
2008-08-18, 12:37
I can't use Google on my infected PC - it times out so I can't link to download HijackThis.

Can you post a link that I can enter in the URL and try to get it that way?

Norton just blocked an attack on the PC. Scary stuff!

TIA,
Sally

spybotsandra
2008-08-18, 18:55
Hello,

You can get Hijackthis (http://fileforum.betanews.com/sendfile/1071179190/1/HiJackThis_v2.exe) here.

Best regards
Sandra
Team Spybot

drragostea
2008-08-18, 21:53
Just a recap:
http://forums.spybot.info/showpost.php?p=224651&postcount=2
--
But it seems that you started a thread already, so it's fine.

Just be extra careful of what you download. :sad:. Norton may be scary and complex, but so are torrents, just even more malicious and gargantuan.

tashi
2008-08-19, 09:09
Wildhunt's malware forum thread: http://forums.spybot.info/showthread.php?p=224753