A Slow System? Now Easily Cleaner It!

How to Remove Vundo Variant, NewJuan, WinFixer, Virtumonde

Lots of people have been infected by the Vundo family of Trojans, which brings up popups that usually advertise rogue antispyware programs. Users are normally targeted with false positives and warnings of infection; an example of this could be popups alerting users that they are infected with a Blackworm virus.

Nowadays, the Vundo variant, NewJuan/VM, Virtumonde and WinFixer are all the same scam described above.

Symptoms in a HijackThis log:

Below is an example of a Vundo infection, though there are many different random filenames.

O2 - BHO: (no name) - {AB6BFAD6-3AAC-46E9-98E6-BD56DE7ED97c} - C:\WINDOWS\system32\wluaivlv.dll
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\ssqpmkk.dll
O2 - BHO: (no name) - {EF9A7BD4-4B5D-4481-9A58-06B5030B4B56} - C:\WINDOWS\system32\vtsqp.dll

O20 - Winlogon Notify: ssqpmkk - C:\WINDOWS\SYSTEM32\ssqpmkk.dll
O20 - Winlogon Notify: vtsqp - C:\WINDOWS\system32\vtsqp.dll
O20 - Winlogon Notify: vturr - C:\WINDOWS\system32\vturr.dll

More random DLL files created by the Vundo variant or Virtumonde:
jkkjj.dll
vtsqp.dll
ssqpq.dll
Virtumonde.dll
AWVVU.DLL
DDCCC.DLL

How to Remove the Vundo Variant, Virtumonde, NewJuan?

An easy way is to use specialised tools such as Vundo Fix or VirtumundoBegone.

Simply download one, scan for Vundo, then get rid of the Vundo variant.

If the infection is still present and you can't remove the Vundo variant, it may be that you have a new variant that the tools cannot yet remove, or you have a stubborn infection.

Now let me help you remove the Vundo variant manually!

1. Download SREng:
http://www.kztechs.com/sreng/sreng2.zip

2. Extract it to the Desktop
Double-click SREng.exe to run it

3. Select: Smart Scan
Then, click the [Scan] button
When finished, click on the [Save Reports] button

4. Save the log to the Desktop, and send me an email with the log as an attachment. mailto:egomoo#gmail.com

I would be glad to help you remove it.

How to Get rid of Cpmsky

Recently lots of people have been infected by the spyware called cpmsky or cpmsky.biz.
The requests for help sound similar to these:

How can I remove cpmsky.biz from my pc and what is it?
HELP! RUNDLL ERROR windows system32 cpmsky.dll always appear upon pc start up?
I have been hit by cpmsky. Can you help me fix it?
How to get rid of cpmsky.dll?

The common feature of computers with the cpmsky spyware, as seen in their HijackThis logs:

O2 - BHO: cpmsky browser optimizer - {b9c57b8d-cf96-63cf-2299-33cfc675999d} - C:\WINDOWS\system32\{5b00464b-3760-e7c5-c29f-24599b358526}.dll
O4 - HKLM\..\Run: [{eb74667a-959f-eb38-45e2-9c77928cd111}] C:\WINDOWS\System32\Rundll32.exe “C:\WINDOWS\system32\{5b00464b-3760-e7c5-c29f-24599b358526}.dll” DllInit

O2 - BHO: cpmsky browser optimizer - {c778c5b3-faea-0b98-9c5b-94fead140c0a} - C:\WINDOWS\system32\{103503c1-b5dc-c646-cf0a-d8236937decc}.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [{f511bb53-c3b2-07eb-c9d4-dff16797a703}] C:\WINDOWS\System32\Rundll32.exe “C:\WINDOWS\system32\{103503c1-b5dc-c646-cf0a-d8236937decc}.dll” DllInit

O2 - BHO: cpmsky browser optimizer - {0a00e8ae-330a-ff4e-ea83-ef87ac32b286} - C:\Windows\system32\{de6a4f84-c2aa-8541-0173-d79c83c7315d}.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [{805ba053-d864-d9ea-8de4-4d01cf66f379}] C:\Windows\System32\Rundll32.exe “C:\Windows\system32\{de6a4f84-c2aa-8541-0173-d79c83c7315d}.dll” DllInit

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe “C:\WINDOWS\system32\{2e078b9e-52cf-da35-0006-e039d4be5175}.dll” DllInit
O2 - BHO: cpmsky browser optimizer - {b9c57b8d-cf96-63cf-2299-33cfc675999d} - C:\WINDOWS\system32\{5b00464b-3760-e7c5-c29f-24599b358526}.dll

You may find entries like those above in your own log.

The key malware files are:
1. C:\WINDOWS\system32\{5b00464b-3760-e7c5-c29f-24599b358526}.dll
(it is a randomly named DLL in your system folder)
2. ALCMTR.EXE

Both of them autostart at system startup, so you only need to remove their entries like this:

1.) Reboot into Safe Mode by pressing F8 during boot.
2.) Download and run HijackThis, looking for and deleting an entry along the lines of:

O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe “C:\WINDOWS\system32\cpmsky.dll” DllStart
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O2 - BHO: cpmsky browser optimizer - {0a00e8ae-330a-ff4e-ea83-ef87ac32b286} - C:\Windows\system32\{de6a4f84-c2aa-8541-0173-d79c83c7315d}.dll
O4 - HKLM\..\Run: [{eb74667a-959f-eb38-45e2-9c77928cd111}] C:\WINDOWS\System32\Rundll32.exe “C:\WINDOWS\system32\{5b00464b-3760-e7c5-c29f-24599b358526}.dll” DllInit

3.) Browse to C:\Windows\System32 and delete the file cpmsky.dll (if found).
4.) Click on Fix Checked when finished and exit HijackThis. Reboot back into Normal Mode and verify the problem is resolved.

For a further scan to remove other spyware, I recommend The Official Spyware Remover!

If you feel your computer is slow, you can clean the registry using RegistrySmart.

ntos.exe wsnpoem\video.dll wsnpoem\audio.dll removal

C:\windows\system32\wsnpoem\video.dll
C:\windows\system32\wsnpoem\audio.dll
C:\windows\system32\wsnpoem

Logfile of Trend Micro HijackThis v2.0.2
….
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User ‘SYSTEM’)
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User ‘Default user’)
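
The autostart patterns in the three logs on this page (unnamed BHOs and Winlogon Notify DLLs for Vundo, GUID-named DLLs started through Rundll32 for cpmsky, an extra UserInit entry for ntos.exe) can be picked out of a saved HijackThis log with a short script. This is an added example, not part of the original post or of HijackThis; the rule names and function names are hypothetical, and the matches are heuristics for manual review rather than verdicts.

```python
import re

# Constructed sample: entries copied from the three logs on this page, plus one
# benign ctfmon entry added here for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {CA2CFBDE-0F94-491B-9286-00C60C553954} - C:\WINDOWS\system32\ssqpmkk.dll
O20 - Winlogon Notify: ssqpmkk - C:\WINDOWS\SYSTEM32\ssqpmkk.dll
O4 - HKLM\..\Run: [{eb74667a-959f-eb38-45e2-9c77928cd111}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{5b00464b-3760-e7c5-c29f-24599b358526}.dll" DllInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
"""

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"

# Heuristics for manual review, not verdicts; rule names are hypothetical.
RULES = [
    # Vundo pattern: unnamed BHO loading a DLL straight from system32.
    ("bho-noname-system32", re.compile(r"^O2 - BHO: \(no name\) - .*\\system32\\[^\\]+\.dll$", re.I)),
    # cpmsky pattern: BHO whose DLL file name is itself a GUID.
    ("bho-guid-dll", re.compile(r"^O2 - BHO: .*\\" + GUID + r"\.dll$", re.I)),
    # Vundo pattern: Winlogon Notify package pointing at a system32 DLL.
    ("winlogon-notify-dll", re.compile(r"^O20 - Winlogon Notify: .*\\system32\\[^\\]+\.dll$", re.I)),
    # cpmsky pattern: Run key starting a GUID-named DLL through Rundll32.
    ("run-rundll32-guid-dll", re.compile(r"^O4 - .*Run: .*rundll32\.exe.*\\" + GUID + r"\.dll", re.I)),
]

USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)


def userinit_extras(line):
    """Return UserInit entries other than userinit.exe (the ntos.exe pattern)."""
    m = USERINIT.match(line)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def triage(log_text):
    """Return (rule, detail) pairs for every line that matches a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        findings += [(name, line) for name, rx in RULES if rx.search(line)]
        findings += [("userinit-extra", e) for e in userinit_extras(line)]
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

The rules accept either straight or typographic quotes around the DLL path, so lines pasted from a web page match as well as lines from the raw log file.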

