Fail to delete the virus "Virtumode.I".

Guest

Recently Windows defender keeps alerting me with the virus "Virtumode.I"
detected! From the log file, it seems that the file
C:\Windows\System32\awtqp.dll is infected.

Every time, after I attempt to repair or delete the infected file with
Windows Defender, Windows Defender reminds me to reboot my system. However,
the virus alert still pops up after reboot. I also used Norton to scan the
file "awtqp.dll"; however, no virus was found.

Can anyone help me to clean the virus?

Thanks in advance,

Tom
 
Guest

Hello Tom,

You can run in safe mode with networking, fwiw.
http://www.ewido.net/en

This is an AndyManchesta at (e-mail address removed)
or Ron Kinner at (e-mail address removed) case because I cannot find any good advice
within any forum without using HijackThis and being carefully guided.
Get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
http://computercops.biz/HijackThis.html

Save it to C:\hjt (new folder) then Open it and select Scan and Save Log.
Note where you saved the log then send it to him as an attachment. Put
Hijack in the subject so he'll know it's not spam.

Alternatively you can post it on the Dell Forum at:

http://forums.us.dell.com/supportforums/board?board.id=si_hijack

Put Ron in the subject so he will see it. You do not need to have a Dell to
post but you will need to register.

Ron Kinner at (e-mail address removed)
Microsoft MVP 2004 & 2005

AndyManchesta at (e-mail address removed)

Feel free to mention that I sent you.

For the benefit of the community reading this post, please rate the post.

I hope this post is helpful.

Let us know how it works out.

Еиçеl
 
Guest

Maybe I'm missing something. I don't understand why WD should have to run in
safe mode to delete a "dll". Another post in this forum indicated that WD
could not delete some identified dlls, yet other anti-malware products could
(and did not require safe mode). Granted, I have read some manual removal
procedures posted on the Internet and there are occasions where they ask to
run in safe mode. However, on a cursory level, it appears that WD has some
kind of shortcoming in its removal procedures. Additionally, if WD truly
requires safe mode to complete its task, WD should say so explicitly.
 
Guest

Tom, this might be wide, but have you checked your restore? I ran into a
problem like that and then I deleted all the restore points and then rebooted
and that took care of it. Take it for what it is worth.
Bill
 
Larry Gardner

Check this:

1. Open Regedit
2. Check for key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}

If that is present, check to see if you have any of the following files:

C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\mljge.dll

There are many examples on Google on how to remove, but first, have you
tried running Microsoft MRT application (Malicious Removal Technician)?
Try Start Menu | Run and enter mrt and click OK.
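
The registry and file checks from the post above, written as a read-only PowerShell script. This is an added example, not part of the original post or of any tool named in the thread; the function names are hypothetical, and the CLSID and DLL names are the ones quoted in this thread.

```powershell
# Added example: read-only inventory of Browser Helper Objects (BHOs).
# The CLSID and DLL names are the ones quoted in this thread; nothing is modified.
$threadClsid = '{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}'
$threadDlls  = @('awtqp.dll', 'mljge.dll')
$bhoRoot     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BhoInventory {            # hypothetical helper name
    if (-not (Test-Path -LiteralPath $bhoRoot)) { return }
    foreach ($key in Get-ChildItem -LiteralPath $bhoRoot) {
        $clsid  = $key.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $inproc) {
            # The key's default value is the DLL the browser loads for this BHO.
            $dll = (Get-Item -LiteralPath $inproc).GetValue('')
        }
        $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $sig = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        [pscustomobject]@{
            Clsid         = $clsid
            Dll           = $dll
            OnDisk        = $onDisk
            Signature     = $sig
            NamedInThread = ($clsid -eq $threadClsid) -or
                            ($dll -and ($threadDlls -contains (Split-Path -Leaf $dll)))
        }
    }
}

function Get-ThreadDllStatus {         # hypothetical helper name
    foreach ($name in $threadDlls) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (Test-Path -LiteralPath $path) {
            # -Force also returns files marked hidden or system.
            Get-Item -LiteralPath $path -Force |
                Select-Object FullName, Length, CreationTime, LastWriteTime
        } else {
            [pscustomobject]@{ FullName = $path; Length = $null
                               CreationTime = $null; LastWriteTime = $null }
        }
    }
}

Get-BhoInventory    | Format-Table -AutoSize
Get-ThreadDllStatus | Format-Table -AutoSize
```

A BHO entry whose DLL is unsigned and sits in System32 under a random-looking name deserves a closer look even when its CLSID differs from the one quoted here. Comparing `CreationTime` across a reboot shows whether a file was recreated.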
 
Guest

Bill, thanks for the reply. Sorry, what do you mean by "restore"? How can I check it?

Tom
 
Larry Gardner

Bill is mentioning that the offending file may be in a System Restore restore
point. I've run into this, but Defender told me that the file was in System
Information/_restore....

If the file was in the restore point, and you deleted it from the system area,
then did a restore for that restore point, it would put it all back.

Your problem is telling you that you have a Virus in C:\Windows\System32\...
, not from a restore point.
 
Guest

Larry, thanks for help. I didn't find
\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}, but I do find
C:\WINDOWS\system32\awtqp.dll. I also tried to scan \system32 using MRT,
however no infected files found. Any further suggestion?

Tom
 
Larry Gardner

Don't know what happened to previous posts in this forum. It's like
something deleted all past posts.

This is what I'd try:

1. Reboot system in Safe Mode Command prompt
2. CD C:\windows\system32
3. MOVE awtqp.dll awtqp.old
4. Reboot system in normal mode
5. Check to see if anyone put the awtqp.dll back in c:\windows\system32
6. Rerun Windows Defender Scan (make sure you have the most up-to-date
Windows Defender Beta 2 - I just found out they updated recently - in the
last 3 months).
 
Bill Sanderson MVP

You'll probably find that you need to reset the group and re-download all
messages. There was an event of some (bad) sort at the server end
yesterday.

--
 
Larry Gardner

I've done that multiple times ... and all I get is 27 messages, 16 unread.
They are done ... I've reset the list, resubscribe, ....

They are gone...........
 
Bill Sanderson MVP

There's a setting to only download 300 messages at a time somewhere--that's
what I'd turn off, I think. I've got every group with messages going back
to December 2005 at this point--so I think things are stable and the
messages are all there.

--
 
Dave M

Hi Larry;

Try again... Mine is back to 10K posts in the General Group as of right
now.
Right click the newsgroup > Select properties > Local file > Reset
A sync should bring all back if you have All messages selected in your
Synchronization Settings ... hope you have Broadband!
 
Randy Knobloch

Tom said:
Larry, thanks for help. I didn't find
\{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}, but I do find
C:\WINDOWS\system32\awtqp.dll. I also tried to scan \system32 using MRT,
however no infected files found. Any further suggestion?

My best information is that the above CLSID,
*{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}*, is
(http://castlecops.com/tk19581-MSEvents_Object.html)
a Vundo.B variant.
Follow the instructions detailed in the below URL, if you cannot or wish not
to implement these complex tools, seek help at same Forum.
Please mention my "screen name" Siljaline...
http://www.bleepingcomputer.com/forums/topic18610.html

Good luck!

Randy

--
siljaline

MS - MVP Windows (IE/OE) & Windows Security, AH-VSOP

Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address is invalid that we may all benefit.
 
Guest

Randy

Many thanks for help. I did try Norton to scan the virus, however, Norton
failed to detect it.

Tom
 
Guest

Larry, many thanks. I am going to try your solution. BTW, I found that Norton
failed to detect the virus. Do you know what the virus usually damages?
Actually the thing really bothering me is Windows Defender, which keeps
alerting me with messages like "virus found, removing the virus and
restarting your system" :)

Tom
 
Randy Knobloch

Tom said:
Randy

Many thanks for help. I did try Norton to scan the virus, however, Norton
failed to detect it.

I'm assuming that you did not follow my instructions/recommendations?
Which were:
<quote>
Follow the instructions detailed in the below URL, if you cannot or wish not
to implement these complex tools, seek help at same Forum.
Please mention my "screen name" Siljaline...
http://www.bleepingcomputer.com/forums/topic18610.html
</quote>

Randy

--
siljaline

MS - MVP Windows (IE/OE) & Windows Security, AH-VSOP

Security Tools Updates
http://aumha.net/viewforum.php?f=31

Reply to group, as return address is invalid that we may all benefit.
 
