Hi Chandra - In response to a similar post in a different newsgroup,
'Retired' posted the following:
"The mvps hosts file contains the following entries:
# [Innovative Marketing][Adware.VirtuMonde]
[...]
127.0.0.1 download.winfixer.com
127.0.0.1 secure.winfixer.com
127.0.0.1 www.winfixer.com
Symantec has two security responses:
http://securityresponse.symantec.com/avcenter/venc/data/adware.virtumonde.html
http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.html
Good luck!
--
Sired, Squired, Hired, RETIRED."
The second of these referenced Symantec pages contains links to a dedicated
removal tool that you might want to try. If that doesn't work, you'll
probably need some help from one of the HiJackThis forums. The following is
in part from my Blog, Defending Your Machine, addy in my Signature below:
#########IMPORTANT#########
Before you try to remove spyware using any of the programs below, download
both a copy of LSPFIX here:
http://www.cexx.org/lspfix.htm
AND a copy of Winsockfix for W95, W98, and ME
http://www.tacktech.com/pub/winsockfix/WinsockFix.zip
Directions here:
http://www.tacktech.com/display.cfm?ttid=257
or here for Win2k/XP
http://files.webattack.com/localdl834/WinsockxpFix.exe
Info and download here:
http://www.spychecker.com/program/winsockxpfix.html
Directions here:
http://www.iup.edu/house/resnet/winfix.shtm
The process of removing certain malware may kill your internet connection.
If this should occur, these programs, LSPFIX and WINSOCKFIX, will enable you
to regain your connection.
NOTE: It is reported that in XP SP2, the Run command
netsh winsock reset
will fix this problem without the need for these programs. (You can also try
this if you're on XP SP1. There has also been one, as yet unconfirmed,
report that this also works there.) Also, one MS technician suggested the
following sequence:
netsh int reset all
ipconfig /flushdns
See also:
http://windowsxp.mvps.org/winsock.htm for additional XPSP2
info/approaches using the netsh command.
An alternative approach with necessary .reg files which will often work even
when the above doesn't is defined here, courtesy of Bob Cerelli:
http://www.onecomputerguy.com/ie_tips.htm#winsock_fix Recommended.
Remember - you need to do any downloads ahead of time BEFORE you do any
malware cleaning.
#########IMPORTANT#########
#########IMPORTANT#########
Show hidden files and run all of the following removal tools from Safe mode
or a "Clean Boot" when possible, logged on as an Administrator. BEFORE
running these tools, be sure to clear all Temp files and your Temporary
Internet Files (TIF)(including offline content.) Reboot and test if the
malware is fixed after using each tool.
HOW TO Enable Hidden Files
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339
Clean Boot - General Win2k/XP procedure, but see below for links for other
OS's (This for Win2k w/msconfig - you can obtain msconfig for Win2k here:
http://www.3feetunder.com/files/win2K_msconfig_setup.exe ):
1. Start | Run, enter msconfig.
2. On the General tab, click Selective Startup, and then clear the 'Process
System.ini File', 'Process Win.ini File', and 'Load Startup Items' check
boxes. Leave the 'boot.ini' boxes however they are currently set.
3. In the Services tab, check the "Hide All Microsoft Services" checkbox,
and then click the "Disable All" button. If you use a third party firewall
then re-check (enable) it. For example, if you use Zone Alarm, re-check the
True Vector Internet Monitor service (and you may also want to re-check
(enable) the zlclient on the Startup tab.) Equivalent services exist for
other third party firewalls. An alternative to this for XP users is to
enable at this time the XP native firewall (Internet Connection Firewall -
ICF). Be sure to turn it back off when you re-enable your non-MS services
and Startup tab programs and restore your normal msconfig configuration
after cleaning your machine.
4. Click OK and then reboot.
For additional information about how to clean boot your operating system,
click the following article links to view the articles in the Microsoft
Knowledge Base:
310353 How to Perform a Clean Boot in Windows XP
http://support.microsoft.com/kb/310353
281770 How to Perform Clean-Boot Troubleshooting for Windows 2000
http://support.microsoft.com/kb/281770/EN-US/
267288 How to Perform a Clean Boot in Windows Millennium Edition
http://support.microsoft.com/kb/267288/EN-US/
192926 How to Perform Clean-Boot Troubleshooting for Windows 98
http://support.microsoft.com/kb/192926/EN-US/
243039 How to Perform a Clean Boot in Windows 95
http://support.microsoft.com/kb/243039/EN-US/
#########IMPORTANT#########
* Sometimes the tools below will find files which they are unable to delete
because they are in use.
A program called Copylock, here:
http://noeld.com/programs.asp?cat=misc
can aid in the process of "replacing, moving, renaming or deleting one or many
files which are currently in use (e.g. system files like comctl32.dll, or
virus/trojan files.)"
Another is Killbox, here:
http://www.downloads.subratam.org/KillBox.zip
A third which is a bit different but often very useful is Delete Invalid
File, here:
http://www.purgeie.com/delinv.htm which handles invalid/UNC
file/folder name deleting, rather than the in use problem.
A fourth useful program is Unlocker, here:
http://ccollomb.free.fr/unlocker/ "Simply right click the folder or file
and select Unlocker. If the folder or file is locked, a window listing of
lockers will appear. Simply select the lockers and click Unlock and you are
done!" Works as advertised and is particularly helpful in identifying
malware components which are 'protecting' each other.
* Either run on-line at the first link or download (thus saving for future
use) and run the Microsoft Malicious Software Removal Tool, here:
http://www.microsoft.com/security/malwareremove/default.mspx and here:
http://www.microsoft.com/security/malwareremove/families.mspx
This tool addresses a number of the worst virus and worm families/variants
including a number of the Hacker Defender rootkits. It is updated on the
second Tuesday of the month and should be re-downloaded and re-run then each
time as well as when you suspect problems.
* Download and run a FRESH COPY of Stinger.exe, here:
http://download.nai.com/products/mcafee-avert/stinger.exe or from the link
on this page:
http://vil.nai.com/vil/stinger/ (McAfee has recently started
renaming Stinger to protect against certain malware, so the first link may
not work - if so, then download from the appropriate link on the second
page.)
* Download and run a FRESH COPY of the Damage Cleanup Engine / Template,
here:
http://www.trendmicro.com/ftp/products/tsc/tsc.zip Unzip to a
dedicated folder at root, for example, C:\tsc. Run with Show Hidden Files
enabled (as above) and from Safe mode or from a Clean Boot (as above).
* Boot to Safe mode with Network Support (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
or a Clean Boot as above.
Download sysclean.com , from Trend Micro, here:
http://www.trendmicro.com/download/dcs.asp along with the latest released
pattern file, here:
http://www.trendmicro.com/download/pattern.asp Be sure
to read the "How-to" info here:
http://www.trendmicro.com/ftp/products/tsc/readme.txt
You might also want to get Art's updater, SYS-UP.Zip, here for future
updating of these:
http://bilder.informationsarchiv.net/Nikitas_Tools/SYS-UP.ZIP (If you
download and use the updater from the beginning, it will automatically
handle downloading the other files.)
An alternative automatic updater which adds some capabilities to Art's
updater, such as restarting in Safe mode to run, etc., SYSCLEAN_FE , is
available here:
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe.
There's a brief description here:
http://www.ik-cs.com/more_information.htm.
I would recommend that you use Clean Boot with either updater, however.
NOTE: You can get a somewhat more current interim pattern file, the
Controlled Pattern Release, here and manually unzip it to your SysClean
folder:
http://www.trendmicro.com/download/pattern-cpr-disclaimer.asp Look
for the lptxxx.zip file after you agree to the terms. (Sorry, but the
Updaters won't go get this one for you. However, if you manually download
the CPR first and then use one of the updaters, SysClean will automatically
use these CPR definitions when it starts.)
Place them in a dedicated folder after appropriate unzipping.
Show hidden and system files (HowTo here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339)
If you're using WindowsME or WindowsXP, SysClean (and the other cleaning
tools below) may find infections within Restore Points which it will be
unable to clean. You may choose to disable Restore if you're on XP or ME
(directions here:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm) which will
eliminate ALL previous Restore Points, or alternatively, you can wait until
cleaning is completed and then use the procedure within the *********'s
below to delete all older, possibly infected Restore Points and save a new,
clean one. This approach is in the spirit of "keep what you've got" so that
you can recover to an at least operating albeit infected system if you
inadvertently delete something vital, and is the approach I recommend that
you take.
Read tscreadme.txt carefully, then do a complete scan of your system and
clean or delete anything it finds EXCEPT EMAIL DATABASES OR FILES. These
need special handling. See here:
http://www.ik-cs.com/virus-emaildatabase.htm
Reboot and re-run SysClean and continue this procedure until you get a clean
scan or nothing further can be cleaned/removed.
Now reboot to normal mode and re-run the scan again.
This scan may take a long time, as Sysclean is VERY extensive and thorough.
For example, one user reported that Sysclean found 69 hits that an
immediately prior Norton AV v. 11.0.2.4 run had missed.
Note that sometimes you need to make a judgement call about what the
programs below report as spyware. See here, for example:
http://www.imilly.com/alexa.htm They can also sometimes generate "false
positives" so look carefully before you delete things. There's a good list
of categorized "unknown, safe, optional, spyware/adware, virus" programs to
check against here:
http://www.pcpitstop.com/spycheck/SWList.asp There's an
online test of possible malware components available here:
http://virusscan.jotti.org/
* Download and run the free or trial version of A2 Personal, here:
http://www.emsisoft.com/en/ UPDATE, then run from a Clean Boot or Safe Mode
with Show Hidden Files enabled as above.
Then:
Download HijackThis, free, here:
http://209.133.47.200/~merijn/files/HijackThis.exe (Always download a new
fresh copy of HijackThis [and CWShredder also] - It's UPDATED frequently.)
You may also get it here if that link is blocked:
http://www.majorgeeks.com/downloadget.php?id=3155&file=3&evp=3304750663b552982a8baee6434cfc13
There's a good "How-to-Use" tutorial here:
http://computercops.biz/HijackThis.html
In Windows Explorer, click on Tools|Folder Options|View and check "Show
hidden files and folders" and uncheck "Hide protected operating system
files". (You may want to restore these when you're all finished with
HijackThis.)
Place HijackThis.exe or unzip HijackThis.zip into its own dedicated folder
at the root level such as C:\HijackThis (NOT in a Temp folder or on your
Desktop), reboot to Safe mode, start HT then press Scan. Click on SaveLog
when it's finished which will create hijackthis.log. Now click the Config
button, then Misc Tools and click on Generate StartupList.log which will
create Startuplist.txt
Then go to one of the following forums:
Spyware and Hijackware Removal Support, here:
http://forums.spywareinfo.com/
or Net-Integration here:
http://www.net-integration.net/cgi-...86d536d57b5f65b6e40c55365e;act=ST;f=27;t=6949
or Tom Coyote here:
http://forums.tomcoyote.org/index.php?act=idx
or Jim Eshelman's site here:
http://forum.aumha.org/
or Bleepingcomputer here:
http://www.bleepingcomputer.com/
or Computer Cops here:
http://www.computercops.biz/forums.html
Register if necessary, then sign in and READ THE DIRECTIONS at the beginning
of the particular site's HiJackThis forum, then copy and paste both files
into a message asking for assistance. Someone will answer with detailed
instructions for the removal of your parasite(s). Be sure you include at
the beginning of your post a description of "What specific
problem(s)/symptoms you're trying to solve" and "What steps you've already
taken."
*******
ONLY IF you've successfully eliminated the malware, you can now make a new,
clean Restore Point and delete any previously saved (possibly infected)
ones. The following suggested approach is courtesy of Gary Woodruff: For XP
you can run a Disk Cleanup cycle and then look in the More Options tab. The
System Restore option removes all but the latest Restore Point. If there
hasn't been one made since the system was cleaned you should manually create
one before dumping the old possibly infected ones. To create a new "Restore
Point":
Start Run then type %SystemRoot%\System32\restore\rstrui.exe
You'll find full directions here:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/xpsysrst.mspx
*******
* You might want to consider installing Eric Howes' IESpyAds, SpywareBlaster
and SpywareGuard here to help prevent this kind of thing from happening in
the future:
IESPYAD -
https://netfiles.uiuc.edu/ehowes/www/resource.htm "IE-SPYAD adds a
long list of sites and domains associated with known advertisers, marketers,
and crapware pushers to the Restricted sites zone of Internet Explorer. Once
you merge this list of sites and domains into the Registry, the web sites
for these companies will not be able to use cookies, ActiveX controls, Java
applets, or scripting to compromise your privacy or your PC while you surf
the Net. Nor will they be able to use your browser to push unwanted pop-ups,
cookies, or auto-installing programs on your PC." Read carefully. Tutorials
here:
http://www.bleepingcomputer.com/forums/tutorial53.html
http://www.javacoolsoftware.com/spywareblaster.html (Prevents malware Active
X installs, blocks spyware/tracking cookies, and restricts the actions of
potentially dangerous sites) (BTW, SpyWareBlaster is not memory resident ...
no CPU or memory load - but keep it UPDATED) The latest version as of this
writing will prevent installation or prevent the malware from running if it
is already installed, and, additionally, it provides information about and
fixit-links for a variety of parasites. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial49.html One additional
feature of SpywareBlaster is the ability to add your own supplemental Custom
Blocking CLSIDs. Some directions for manually adding these can be found
here:
http://www.wilderssecurity.com/showthread.php?t=13684 A good source
for a pre-compiled list of these as well as directions for adding them can
be found here at dak's site:
http://customblockinglist.cjb.net/ This list is
irregularly updated, so you should check on it ever-so-often or use the
ChangeDetection service, mentioned below.
IMPORTANT NOTE: A good additional source of preventive blocking for ActiveX
components is the Blocking List available here:
http://www.spywareguide.com/blockfile.php While smaller than the
SpywareBlaster list, it contains some different malware CLSIDs and appears
to be updated with new threats more frequently. Strongly Recommended as a
supplement to SpywareBlaster. Read all of the instructions in the Expert
package download carefully. You might want to consider using:
http://www.changedetection.com/monitor.html to monitor and notify you of
changes/updates to this list and/or to dak's Custom Blocking list (or other
programs, for that matter, including this Blog which is updated fairly
frequently).
http://www.javacoolsoftware.com/spywareguard.html (Monitors for attempts to
install malware) Keep it UPDATED. Tutorial here:
http://www.bleepingcomputer.com/forums/tutorial50.html
All three Very Highly Recommended
* IESPYAD and SpywareBlaster (and the other malware-ActiveX blocking lists)
are probably the best preventive tools currently available, especially if
supplemented by using the Immunize function in SpyBot S&D and a good HOSTS
file (see next).
* Next, install and keep updated a good HOSTS file. It can help you avoid
most adware/malware. See here:
http://www.mvps.org/winhelp2002/hosts.htm (Be
sure it's named/renamed HOSTS - all caps, no extension) Additional tutorials
here:
http://www.spywarewarrior.com/viewtopic.php?t=410 (overview) and here:
http://www.bleepingcomputer.com/forums/tutorial51.html (detailed)
* Lastly, with regards to cookies: The following overview of the approach I
recommend is courtesy of Mel's Spyware Tools: XML-Menu for IE6
(https://netfiles.uiuc.edu/ehowes/www/main.htm, click on IE6 Tools on
website)
"This package contains a full menu of custom Import XML files that can be
used to manipulate IE6's handling of cookies in the Internet and Trusted
zones (the Privacy tab controls only the Internet zone). The files are
divided into three sets: one "short list" of recommended files, and two
"advanced" lists containing a wide range of possible Privacy configurations.
The ReadMe covers the basics of using custom XML Import files and details
all the files that are available. A .REG file that can be used to restore
the default Privacy tab settings is included."
This is the technique that I use and, while I do very infrequently have to
override on some sites that don't have a Privacy Policy in place, I've found
it almost infallible in stopping bad cookies (I use 1-e, BTW). FWIW, MVP Eric
Howes' site, above, is one of the very best on the net with regard to
anything having to do with security. Very Highly Recommended.
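The HOSTS-file approach from the post, as an added example that is not part of the original post or of the mvps.org tools: a small Python parser for a HOSTS file in the layout quoted above ("# [Vendor][Threat]" headers, one or more names per 127.0.0.1 line) that reports which names are sunk and flags entries pointing anywhere other than a loopback address, which is how a tampered HOSTS file silently redirects real sites. The sample file, the 198.51.100.7 address and the .test hostname are constructed for this example.

```python
# Added example (not from the post): parse a HOSTS file in the mvps.org layout
# and audit it. The sample below is constructed in that layout, not the real file.
import collections
import ipaddress
import re

SAMPLE_HOSTS = """\
127.0.0.1  localhost
# [Innovative Marketing][Adware.VirtuMonde]
127.0.0.1 download.winfixer.com
127.0.0.1 secure.winfixer.com
127.0.0.1 www.winfixer.com   # trailing comment
# [Example Redirect]
198.51.100.7 www.example-bank.test
127.0.0.1 download.winfixer.com
"""

SINK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}  # addresses that black-hole a name
SECTION_RE = re.compile(r"^#\s*\[([^\]]*)\](?:\[([^\]]*)\])?")  # "# [Vendor][Threat]"


def parse_hosts(text):
    """Return (ip, hostname, section) per hostname; section is the last # [..] header."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            m = SECTION_RE.match(line)
            if m:
                section = "/".join(g for g in m.groups() if g)
            continue
        parts = line.split("#", 1)[0].split()  # drop trailing comment, split fields
        if len(parts) < 2:
            continue  # blank or malformed line
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address
        for host in parts[1:]:
            entries.append((parts[0], host.lower(), section))
    return entries


def blocked_domains(entries):
    """Names sunk to a loopback/unspecified address, excluding localhost itself."""
    return {h for ip, h, _ in entries if ip in SINK_ADDRS and h != "localhost"}


def is_blocked(entries, hostname):
    return hostname.lower() in blocked_domains(entries)


def audit(entries):
    """Flag names pointing to a non-sink address (a tampered HOSTS file redirects real sites) and duplicates."""
    redirects = [(ip, h) for ip, h, _ in entries if ip not in SINK_ADDRS]
    counts = collections.Counter(h for _, h, _ in entries)
    return {"redirects": redirects, "duplicates": sorted(h for h, n in counts.items() if n > 1)}
```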