Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Virtuemonde infection [CLOSED]

Started by jem22 , May 07 2008 05:33 PM

This topic is locked

#1
jem22

Posted 07 May 2008 - 05:33 PM

New Member

Member
3 posts

Hello, my computer's been infected with virtuemonde for some time and it's getting worse. I've tried lots of things but there's no way to get rid of it but it always keeps coming back. Spybot detects it and removes it, but not permanently. Is there a way to completely remove it? Also i get a warning from my Kaspersky antivirus about something called Troj.Moder.gen. It's trying to get into my computer all the time.
I'd appreciate lots any help with this. Thank you for your time.

Here's the Vundofix log:

Beginning removal...

VundoFix V7.0.3

Scan started at 2:03:08 07/05/2008

Listing files found while scanning....

No infected files were found.

Kaspersky log:

Web Anti-Virus : running
------------------------
Total scanned: 6831
Detected: 11
Start time: 06/05/2008 22:40:53
Duration: 11:05:22

Detected
--------
Status Object
------ ------
detected: Trojan program Trojan.Win32.Monder.gen URL: http://89.188.16.50/...99D01//PE_Patch
detected: Trojan program Trojan.Win32.Monder.gen URL: http://89.188.16.50/...90501//PE_Patch
detected: Trojan program Trojan.Win32.Monder.gen URL: http://89.188.16.50/...93601//PE_Patch
detected: Trojan program Trojan.Win32.Monder.gen URL: http://89.188.16.50/...98701//PE_Patch
detected: Trojan program Trojan.Win32.Monder.gen URL: http://89.188.16.50/...96E01//PE_Patch
detected: Trojan program Trojan.Win32.Monder.gen URL: http://89.188.16.50/...93F01//PE_Patch
detected: Trojan program Trojan.Win32.Monder.gen URL: http://89.188.16.50/...96701//PE_Patch
detected: Trojan program Trojan.Win32.Monder.gen URL: http://89.188.16.50/...95901//PE_Patch
detected: Trojan program Trojan.Win32.Monder.gen URL: http://89.188.16.50/...9BC01//PE_Patch
detected: Trojan program Trojan.Win32.Monder.gen URL: http://89.188.16.50/...97601//PE_Patch
detected: Trojan program Trojan.Win32.Monder.gen URL: http://89.188.16.50/...9AB01//PE_Patch

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:50, on 08/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\a-squared Free\a2service.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\KWorld Multimedia\DVB-T PLUS\DTVR\Scheduled.exe
C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\TuneUp Utilities 2007\MemOptimizer.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\KWorld Multimedia\DVB-T 100 Utilities\DVBTRCtl.EXE
C:\Archivos de programa\Last.fm\LastFMHelper.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\Windows Live\Messenger\usnsvc.exe
C:\Archivos de programa\Winamp\winamp.exe
C:\Archivos de programa\Last.fm\LastFM.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\ARCHIV~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Trend Micro\HijackThis\newname.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {0F5CCA45-50A4-4618-889F-28D76BB23E47} - C:\WINDOWS\system32\ddcYpqrQ.dll (file missing)
O2 - BHO: (no name) - {3D16888B-C09C-4E3E-81B3-4C05C21C3018} - C:\WINDOWS\system32\urqNFYol.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56AAD84D-B596-4206-99C0-4E66EA22F211} - C:\WINDOWS\system32\cbXNEWpn.dll (file missing)
O2 - BHO: (no name) - {5C060FE2-B3CA-47DD-B68E-BD1A6E297226} - C:\WINDOWS\system32\opnnnoMg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9D0F509F-49EF-46A9-ADB4-871396521A42} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DTVR Agent] C:\Archivos de programa\KWorld Multimedia\DVB-T PLUS\DTVR\Scheduled.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [7ce389e1] rundll32.exe "C:\WINDOWS\system32\gvgsedmt.dll",b
O4 - HKLM\..\Run: [BM7fd0ba7d] Rundll32.exe "C:\WINDOWS\system32\vfxuwsqy.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Archivos de programa\TuneUp Utilities 2007\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Archivos de programa\Last.fm\LastFMHelper.exe
O4 - Global Startup: Remote Control.lnk = C:\Archivos de programa\KWorld Multimedia\DVB-T 100 Utilities\DVBTRCtl.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O20 - AppInit_DLLs: C:\ARCHIV~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: opnnnoMg - C:\WINDOWS\SYSTEM32\opnnnoMg.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Archivos de programa\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Archivos de programa\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe

--
End of file - 7764 bytes

#2
Maiestas

Posted 07 May 2008 - 06:17 PM

eh...

Retired Staff
1,481 posts

Welcome to Geeks to Go,

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

Please download VundoFix.exe to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

#3
jem22

Posted 08 May 2008 - 05:07 AM

New Member

Topic Starter
Member
3 posts

Thanks for your reply. Here are the logs:

Vundofix log:

Beginning removal...

VundoFix V7.0.3

Scan started at 11:54:20 08/05/2008

Listing files found while scanning....

No infected files were found.

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:20, on 08/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\a-squared Free\a2service.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\KWorld Multimedia\DVB-T PLUS\DTVR\Scheduled.exe
C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe
C:\Archivos de programa\TuneUp Utilities 2007\MemOptimizer.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\KWorld Multimedia\DVB-T 100 Utilities\DVBTRCtl.EXE
C:\Archivos de programa\Last.fm\LastFMHelper.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\ESET\ESET Smart Security\ekrn.exe
C:\Archivos de programa\ESET\ESET Smart Security\egui.exe
C:\Archivos de programa\Trend Micro\HijackThis\newname.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {0ECFB294-2284-4A55-BB46-45312E83B258} - C:\WINDOWS\system32\pmnkHWpM.dll (file missing)
O2 - BHO: (no name) - {0F5CCA45-50A4-4618-889F-28D76BB23E47} - C:\WINDOWS\system32\ddcYpqrQ.dll (file missing)
O2 - BHO: (no name) - {3D16888B-C09C-4E3E-81B3-4C05C21C3018} - C:\WINDOWS\system32\urqNFYol.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56AAD84D-B596-4206-99C0-4E66EA22F211} - C:\WINDOWS\system32\cbXNEWpn.dll (file missing)
O2 - BHO: (no name) - {5C060FE2-B3CA-47DD-B68E-BD1A6E297226} - C:\WINDOWS\system32\opnnnoMg.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9D0F509F-49EF-46A9-ADB4-871396521A42} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Archivos de programa\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DTVR Agent] C:\Archivos de programa\KWorld Multimedia\DVB-T PLUS\DTVR\Scheduled.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Archivos de programa\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [7ce389e1] rundll32.exe "C:\WINDOWS\system32\gvgsedmt.dll",b
O4 - HKLM\..\Run: [BM7fd0ba7d] Rundll32.exe "C:\WINDOWS\system32\vfxuwsqy.dll",s
O4 - HKLM\..\Run: [egui] "C:\Archivos de programa\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Archivos de programa\TuneUp Utilities 2007\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Archivos de programa\Last.fm\LastFMHelper.exe
O4 - Global Startup: Remote Control.lnk = C:\Archivos de programa\KWorld Multimedia\DVB-T 100 Utilities\DVBTRCtl.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O20 - Winlogon Notify: opnnnoMg - C:\WINDOWS\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Archivos de programa\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Archivos de programa\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Archivos de programa\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Servicio del iPod (iPod Service) - Apple Inc. - C:\Archivos de programa\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe

--
End of file - 7092 bytes

#4
Maiestas

Posted 08 May 2008 - 07:48 AM

eh...

Retired Staff
1,481 posts

Re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {0ECFB294-2284-4A55-BB46-45312E83B258} - C:\WINDOWS\system32\pmnkHWpM.dll (file missing)
O2 - BHO: (no name) - {0F5CCA45-50A4-4618-889F-28D76BB23E47} - C:\WINDOWS\system32\ddcYpqrQ.dll (file missing)
O2 - BHO: (no name) - {3D16888B-C09C-4E3E-81B3-4C05C21C3018} - C:\WINDOWS\system32\urqNFYol.dll (file missing)

O2 - BHO: (no name) - {56AAD84D-B596-4206-99C0-4E66EA22F211} - C:\WINDOWS\system32\cbXNEWpn.dll (file missing)
O2 - BHO: (no name) - {5C060FE2-B3CA-47DD-B68E-BD1A6E297226} - C:\WINDOWS\system32\opnnnoMg.dll (file missing)

O2 - BHO: (no name) - {9D0F509F-49EF-46A9-ADB4-871396521A42} - (no file)

O4 - HKLM\..\Run: [7ce389e1] rundll32.exe "C:\WINDOWS\system32\gvgsedmt.dll",b
O4 - HKLM\..\Run: [BM7fd0ba7d] Rundll32.exe "C:\WINDOWS\system32\vfxuwsqy.dll",s

O20 - Winlogon Notify: opnnnoMg - C:\WINDOWS\

Now close all windows and browsers other than HiJackThis, then click Fix Checked.
Close hijackthis.

Then, please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
- Delete on Reboot
- then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\vfxuwsqy.dll
C:\WINDOWS\system32\gvgsedmt.dll
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Then please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next, download AVG Anti-Spyware from HERE and save that file to your desktop.

Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan along with a new hijackthis log.

#5
Maiestas

Posted 08 May 2008 - 07:52 AM

eh...

Retired Staff
1,481 posts

Also,

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

#6
jem22

Posted 08 May 2008 - 08:11 AM

New Member

Topic Starter
Member
3 posts

The link to AVG Anti-Spyware doesnt work, could you post it again, please? thank you for your help!

#7
Maiestas

Posted 08 May 2008 - 11:49 AM

eh...

Retired Staff
1,481 posts

Sorry about that. Forget the AVG scan, we'll use another one.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

#8
Maiestas

Posted 29 May 2008 - 07:08 PM

eh...

Retired Staff
1,481 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.