Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan:Win32/Vundo.gen!D


  • Please log in to reply

#1
twicedamc

twicedamc

    New Member

  • Member
  • Pip
  • 1 posts
Just started to pop up day before yesterday. I am running Windows Live One Care, and I keep having the program "Clean" this up each time I see the message. I'm sure it has taken hold in my Registry, so it keeps on coming back.

I have run VundoFix.exe, and it found nothing.

I then ran VirtumundoBeGone.exe
Here is my log for this :


[03/13/2008, 19:15:43] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\My Documents\Downloads\VirtumundoBeGone.exe" )
[03/13/2008, 19:15:48] - Detected System Information:
[03/13/2008, 19:15:48] - Windows Version: 5.1.2600, Service Pack 2
[03/13/2008, 19:15:48] - Current Username: Owner (Admin)
[03/13/2008, 19:15:48] - Windows is in NORMAL mode.
[03/13/2008, 19:15:48] - Searching for Browser Helper Objects:
[03/13/2008, 19:15:48] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/13/2008, 19:15:48] - BHO 2: {67568304-1FAC-4811-8FBE-A3E6F3475659} ()
[03/13/2008, 19:15:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/13/2008, 19:15:48] - Checking for HKLM\...\Winlogon\Notify\pmkhf
[03/13/2008, 19:15:48] - Key not found: HKLM\...\Winlogon\Notify\pmkhf, continuing.
[03/13/2008, 19:15:48] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/13/2008, 19:15:48] - BHO 4: {E9383002-FC55-4330-B9C9-67E03BC5C840} ()
[03/13/2008, 19:15:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/13/2008, 19:15:48] - Checking for HKLM\...\Winlogon\Notify\vtuvuvu
[03/13/2008, 19:15:48] - Found: HKLM\...\Winlogon\Notify\vtuvuvu - This is probably Virtumundo.
[03/13/2008, 19:15:48] - Assigning {E9383002-FC55-4330-B9C9-67E03BC5C840} MSEvents Object
[03/13/2008, 19:15:48] - BHO list has been changed! Starting over...
[03/13/2008, 19:15:48] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/13/2008, 19:15:48] - BHO 2: {67568304-1FAC-4811-8FBE-A3E6F3475659} ()
[03/13/2008, 19:15:48] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/13/2008, 19:15:48] - Checking for HKLM\...\Winlogon\Notify\pmkhf
[03/13/2008, 19:15:48] - Key not found: HKLM\...\Winlogon\Notify\pmkhf, continuing.
[03/13/2008, 19:15:48] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/13/2008, 19:15:48] - BHO 4: {E9383002-FC55-4330-B9C9-67E03BC5C840} (MSEvents Object)
[03/13/2008, 19:15:48] - ALERT: Found MSEvents Object!
[03/13/2008, 19:15:48] - Finished Searching Browser Helper Objects
[03/13/2008, 19:15:48] - *** Detected MSEvents Object
[03/13/2008, 19:15:48] - Trying to remove MSEvents Object...
[03/13/2008, 19:15:49] - Terminating Process: IEXPLORE.EXE
[03/13/2008, 19:15:49] - Terminating Process: RUNDLL32.EXE
[03/13/2008, 19:15:49] - Disabling Automatic Shell Restart
[03/13/2008, 19:15:49] - Terminating Process: EXPLORER.EXE
[03/13/2008, 19:15:50] - Suspending the NT Session Manager System Service
[03/13/2008, 19:15:50] - Terminating Windows NT Logon/Logoff Manager
[03/13/2008, 19:15:50] - Re-enabling Automatic Shell Restart
[03/13/2008, 19:15:50] - File to disable: C:\WINDOWS\system32\vtuvuvu.dll
[03/13/2008, 19:15:50] - Renaming C:\WINDOWS\system32\vtuvuvu.dll -> C:\WINDOWS\system32\vtuvuvu.dll.vir
[03/13/2008, 19:15:50] - File successfully renamed!
[03/13/2008, 19:15:50] - Removing HKLM\...\Browser Helper Objects\{E9383002-FC55-4330-B9C9-67E03BC5C840}
[03/13/2008, 19:15:50] - Removing HKCR\CLSID\{E9383002-FC55-4330-B9C9-67E03BC5C840}
[03/13/2008, 19:15:50] - Adding Kill Bit for ActiveX for GUID: {E9383002-FC55-4330-B9C9-67E03BC5C840}
[03/13/2008, 19:15:50] - Deleting ATLEvents/MSEvents Registry entries
[03/13/2008, 19:15:50] - Removing HKLM\...\Winlogon\Notify\vtuvuvu
[03/13/2008, 19:15:50] - Searching for Browser Helper Objects:
[03/13/2008, 19:15:50] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/13/2008, 19:15:50] - BHO 2: {67568304-1FAC-4811-8FBE-A3E6F3475659} ()
[03/13/2008, 19:15:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/13/2008, 19:15:50] - Checking for HKLM\...\Winlogon\Notify\pmkhf
[03/13/2008, 19:15:50] - Key not found: HKLM\...\Winlogon\Notify\pmkhf, continuing.
[03/13/2008, 19:15:50] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/13/2008, 19:15:51] - Finished Searching Browser Helper Objects
[03/13/2008, 19:15:51] - Finishing up...
[03/13/2008, 19:15:51] - A restart is needed.
[03/13/2008, 19:15:51] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[03/13/2008, 19:16:02] - Attempting to Restart via STOP error (Blue Screen!)



Here is my most recent HTJ log, ran after the above was ran :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:27 AM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare

Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare

Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare

Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP

Pro.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = http://qwest.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page

= http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = http://qwest.live.com
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search

Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page

= http://qwest.live.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window

Title = Windows Internet Explorer provided by Qwest
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67568304-1FAC-4811-8FBE-A3E6F3475659} -

C:\WINDOWS\system32\pmkhf.dll (file missing)
O2 - BHO: SSVHelper Class -

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft

Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program

Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare

Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media

Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program

Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program

Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program

Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live -

{B2176FD5-67D1-402F-8E9D-E8A5F42B1076} - http://qwest.live.com

(file missing) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://www.update.mi.../v6/V5Controls/

en/x86/client/wuweb_site.cab?1186960664091
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

(MUWebControl Class) -

http://www.update.mi.../v6/V5Controls/

en/x86/client/muweb_site.cab?1186960656685
O23 - Service: LightScribeService Direct Disc Labeling Service

(LightScribeService) - Hewlett-Packard Company - C:\Program

Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 4570 bytes



Any help is appreciated!

Thanks,
Jay
  • 0

Advertisements


#2
admin

admin

    Founder Geek

  • Administrator
  • 24,540 posts
Only replying because this has become a popular topic. The OneCare team has acknowledged this as a false positive.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP