
Virtumonde issue



#1 bigspoiltbrat (New Member, 1 post)
G'day I ran a particular file the other day and didn't realise how hard to kill Virtumonde could be. Need your assistance please, I've tried everything with regular reboots.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:01 AM, on 7/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Logitech\Video\LogiTray.exe
C:\Logitech\G-series Software\LGDCore.exe
C:\Logitech\G-series Software\LCDMon.exe
C:\Logitech\G-series Software\Applets\LCDClock.exe
C:\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Logitech\G-series Software\CLDemo\stIRC.exe
C:\Logitech\G-series Software\G15 Task Manager\G15Task.exe
C:\Program Files\Google\Google Talk\googletalk.exe
D:\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\AVG\avgcc.exe
D:\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
E:\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
d:\AVG\avgamsvr.exe
D:\Adobe\Acrobat\Distillr\Acrotray.exe
d:\AVG\avgupsvc.exe
d:\AVG\avgemc.exe
E:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
D:\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
G:\Valve\Steam\Steam.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Nokia\Nokia PC Suite 6\PCSuite.exe
D:\Nokia\Nokia PC Suite 6\PCSync2.exe
D:\Spyware Doctor\pctsAuxs.exe
D:\Spyware Doctor\pctsSvc.exe
D:\BlueSoleil\BlueSoleil.exe
G:\Hamachi\hamachi.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclIVTBTSrv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
D:\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\ICQToolbar\toolbaru.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\ICQToolbar\toolbaru.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [UnlockerAssistant] "D:\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] d:\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "D:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] E:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Adobe\Acrobat\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Codecs\K-Lite Codec Pack\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKLM\..\Run: [a027dceb] rundll32.exe "C:\WINDOWS\system32\euhxfmvf.dll",b
O4 - HKLM\..\Run: [ISTray] "D:\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [BMa314ef77] Rundll32.exe "C:\WINDOWS\system32\hsycklbl.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [Steam] "G:\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] "D:\AnyDVD\AnyDVD.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "D:\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [Nokia.PCSync] "D:\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] d:\AVG\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: hamachi.lnk = G:\Hamachi\hamachi.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: BlueSoleil.lnk = D:\BlueSoleil\BlueSoleil.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users.WINDOWS\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Copy to Semagic - D:\Semagic\copy.htm
O8 - Extra context menu item: Semagic - D:\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC06B866-753F-417C-B62A-7D95ACFC303C}: NameServer = 203.0.178.191
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\AVG\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - d:\AVG\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11476 bytes



And also VirtumundoBeGone seems to have done its thing correctly:

[06/07/2008, 10:09:42] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Avatar\Desktop\VirtumundoBeGone.exe" )
[06/07/2008, 10:09:49] - Detected System Information:
[06/07/2008, 10:09:49] - Windows Version: 5.1.2600, Service Pack 2
[06/07/2008, 10:09:49] - Current Username: Avatar (Admin)
[06/07/2008, 10:09:49] - Windows is in NORMAL mode.
[06/07/2008, 10:09:49] - Searching for Browser Helper Objects:
[06/07/2008, 10:09:49] - BHO 1: {056A1653-77DC-4359-A6AB-040ABF33F915} ()
[06/07/2008, 10:09:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:09:49] - Checking for HKLM\...\Winlogon\Notify\ssqQgDTn
[06/07/2008, 10:09:49] - Key not found: HKLM\...\Winlogon\Notify\ssqQgDTn, continuing.
[06/07/2008, 10:09:49] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[06/07/2008, 10:09:49] - BHO 3: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[06/07/2008, 10:09:49] - BHO 4: {25FC8D21-38F6-4D27-BE11-C91898DCDF5A} ()
[06/07/2008, 10:09:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:09:49] - Checking for HKLM\...\Winlogon\Notify\vtUkhifd
[06/07/2008, 10:09:49] - Key not found: HKLM\...\Winlogon\Notify\vtUkhifd, continuing.
[06/07/2008, 10:09:49] - BHO 5: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[06/07/2008, 10:09:49] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/07/2008, 10:09:49] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/07/2008, 10:09:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:09:49] - No filename found. Continuing.
[06/07/2008, 10:09:49] - BHO 8: {81EA3F36-357A-435A-8741-52C27CCC9F21} ()
[06/07/2008, 10:09:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:09:49] - Checking for HKLM\...\Winlogon\Notify\fccaWMef
[06/07/2008, 10:09:49] - Found: HKLM\...\Winlogon\Notify\fccaWMef - This is probably Virtumundo.
[06/07/2008, 10:09:49] - Assigning {81EA3F36-357A-435A-8741-52C27CCC9F21} MSEvents Object
[06/07/2008, 10:09:49] - BHO list has been changed! Starting over...
[06/07/2008, 10:09:49] - BHO 1: {056A1653-77DC-4359-A6AB-040ABF33F915} ()
[06/07/2008, 10:09:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:09:49] - Checking for HKLM\...\Winlogon\Notify\ssqQgDTn
[06/07/2008, 10:09:49] - Key not found: HKLM\...\Winlogon\Notify\ssqQgDTn, continuing.
[06/07/2008, 10:09:49] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[06/07/2008, 10:09:49] - BHO 3: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[06/07/2008, 10:09:49] - BHO 4: {25FC8D21-38F6-4D27-BE11-C91898DCDF5A} ()
[06/07/2008, 10:09:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:09:49] - Checking for HKLM\...\Winlogon\Notify\vtUkhifd
[06/07/2008, 10:09:49] - Key not found: HKLM\...\Winlogon\Notify\vtUkhifd, continuing.
[06/07/2008, 10:09:49] - BHO 5: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[06/07/2008, 10:09:49] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/07/2008, 10:09:49] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/07/2008, 10:09:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:09:49] - No filename found. Continuing.
[06/07/2008, 10:09:49] - BHO 8: {81EA3F36-357A-435A-8741-52C27CCC9F21} (MSEvents Object)
[06/07/2008, 10:09:49] - ALERT: Found MSEvents Object!
[06/07/2008, 10:09:49] - BHO 9: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/07/2008, 10:09:49] - BHO 10: {9764238B-D7BF-4BC1-AD46-4C77344B5EC6} ()
[06/07/2008, 10:09:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:09:49] - Checking for HKLM\...\Winlogon\Notify\mlJBSlLd
[06/07/2008, 10:09:49] - Key not found: HKLM\...\Winlogon\Notify\mlJBSlLd, continuing.
[06/07/2008, 10:09:49] - BHO 11: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[06/07/2008, 10:09:49] - Finished Searching Browser Helper Objects
[06/07/2008, 10:09:49] - *** Detected MSEvents Object
[06/07/2008, 10:09:49] - Trying to remove MSEvents Object...
[06/07/2008, 10:09:50] - Terminating Process: IEXPLORE.EXE
[06/07/2008, 10:09:51] - Terminating Process: RUNDLL32.EXE
[06/07/2008, 10:09:52] - Disabling Automatic Shell Restart
[06/07/2008, 10:09:52] - Terminating Process: EXPLORER.EXE
[06/07/2008, 10:09:52] - Suspending the NT Session Manager System Service
[06/07/2008, 10:09:52] - Terminating Windows NT Logon/Logoff Manager

[06/07/2008, 10:11:42] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Avatar\Desktop\VirtumundoBeGone.exe" )
[06/07/2008, 10:11:44] - Detected System Information:
[06/07/2008, 10:11:44] - Windows Version: 5.1.2600, Service Pack 2
[06/07/2008, 10:11:44] - Current Username: Avatar (Admin)
[06/07/2008, 10:11:44] - Windows is in NORMAL mode.
[06/07/2008, 10:11:44] - Searching for Browser Helper Objects:
[06/07/2008, 10:11:44] - BHO 1: {056A1653-77DC-4359-A6AB-040ABF33F915} ()
[06/07/2008, 10:11:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:11:44] - Checking for HKLM\...\Winlogon\Notify\ssqQgDTn
[06/07/2008, 10:11:44] - Key not found: HKLM\...\Winlogon\Notify\ssqQgDTn, continuing.
[06/07/2008, 10:11:44] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[06/07/2008, 10:11:44] - BHO 3: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[06/07/2008, 10:11:44] - BHO 4: {25FC8D21-38F6-4D27-BE11-C91898DCDF5A} ()
[06/07/2008, 10:11:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:11:44] - Checking for HKLM\...\Winlogon\Notify\vtUkhifd
[06/07/2008, 10:11:44] - Key not found: HKLM\...\Winlogon\Notify\vtUkhifd, continuing.
[06/07/2008, 10:11:44] - BHO 5: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[06/07/2008, 10:11:44] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/07/2008, 10:11:44] - BHO 7: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/07/2008, 10:11:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:11:44] - No filename found. Continuing.
[06/07/2008, 10:11:44] - BHO 8: {81EA3F36-357A-435A-8741-52C27CCC9F21} (MSEvents Object)
[06/07/2008, 10:11:44] - ALERT: Found MSEvents Object!
[06/07/2008, 10:11:44] - BHO 9: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/07/2008, 10:11:44] - BHO 10: {9764238B-D7BF-4BC1-AD46-4C77344B5EC6} ()
[06/07/2008, 10:11:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:11:44] - Checking for HKLM\...\Winlogon\Notify\mlJBSlLd
[06/07/2008, 10:11:44] - Key not found: HKLM\...\Winlogon\Notify\mlJBSlLd, continuing.
[06/07/2008, 10:11:44] - BHO 11: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[06/07/2008, 10:11:44] - Finished Searching Browser Helper Objects
[06/07/2008, 10:11:44] - *** Detected MSEvents Object
[06/07/2008, 10:11:44] - Trying to remove MSEvents Object...
[06/07/2008, 10:11:45] - Terminating Process: IEXPLORE.EXE
[06/07/2008, 10:11:45] - Terminating Process: RUNDLL32.EXE
[06/07/2008, 10:11:45] - Disabling Automatic Shell Restart
[06/07/2008, 10:11:45] - Terminating Process: EXPLORER.EXE
[06/07/2008, 10:11:46] - Suspending the NT Session Manager System Service
[06/07/2008, 10:11:46] - Terminating Windows NT Logon/Logoff Manager

[06/07/2008, 10:18:45] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Avatar\Desktop\VirtumundoBeGone.exe" )
[06/07/2008, 10:18:48] - Detected System Information:
[06/07/2008, 10:18:48] - Windows Version: 5.1.2600, Service Pack 2
[06/07/2008, 10:18:48] - Current Username: Avatar (Admin)
[06/07/2008, 10:18:49] - Windows is in NORMAL mode.
[06/07/2008, 10:18:49] - Searching for Browser Helper Objects:
[06/07/2008, 10:18:49] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[06/07/2008, 10:18:49] - BHO 2: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[06/07/2008, 10:18:49] - BHO 3: {25FC8D21-38F6-4D27-BE11-C91898DCDF5A} ()
[06/07/2008, 10:18:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:18:50] - Checking for HKLM\...\Winlogon\Notify\vtUkhifd
[06/07/2008, 10:18:50] - Key not found: HKLM\...\Winlogon\Notify\vtUkhifd, continuing.
[06/07/2008, 10:18:50] - BHO 4: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[06/07/2008, 10:18:50] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/07/2008, 10:18:50] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/07/2008, 10:18:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:18:50] - No filename found. Continuing.
[06/07/2008, 10:18:51] - BHO 7: {81EA3F36-357A-435A-8741-52C27CCC9F21} (MSEvents Object)
[06/07/2008, 10:18:51] - ALERT: Found MSEvents Object!
[06/07/2008, 10:18:51] - BHO 8: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/07/2008, 10:18:51] - BHO 9: {9764238B-D7BF-4BC1-AD46-4C77344B5EC6} ()
[06/07/2008, 10:18:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:18:51] - Checking for HKLM\...\Winlogon\Notify\mlJBSlLd
[06/07/2008, 10:18:51] - Key not found: HKLM\...\Winlogon\Notify\mlJBSlLd, continuing.
[06/07/2008, 10:18:51] - BHO 10: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[06/07/2008, 10:18:51] - BHO 11: {B57A4E51-9BA3-489D-98BC-496B4FDB0C2C} ()
[06/07/2008, 10:18:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:18:51] - Checking for HKLM\...\Winlogon\Notify\ssqQgDTn
[06/07/2008, 10:18:51] - Key not found: HKLM\...\Winlogon\Notify\ssqQgDTn, continuing.
[06/07/2008, 10:18:51] - Finished Searching Browser Helper Objects
[06/07/2008, 10:18:51] - *** Detected MSEvents Object
[06/07/2008, 10:18:51] - Trying to remove MSEvents Object...
[06/07/2008, 10:18:53] - Terminating Process: IEXPLORE.EXE
[06/07/2008, 10:18:57] - Terminating Process: RUNDLL32.EXE
[06/07/2008, 10:19:00] - Disabling Automatic Shell Restart
[06/07/2008, 10:19:00] - Terminating Process: EXPLORER.EXE
[06/07/2008, 10:19:00] - Suspending the NT Session Manager System Service
[06/07/2008, 10:19:02] - Terminating Windows NT Logon/Logoff Manager
[06/07/2008, 10:24:04] - Re-enabling Automatic Shell Restart
[06/07/2008, 10:24:04] - File to disable: C:\WINDOWS\system32\fccaWMef.dll
[06/07/2008, 10:24:04] - Renaming C:\WINDOWS\system32\fccaWMef.dll -> C:\WINDOWS\system32\fccaWMef.dll.vir
[06/07/2008, 10:24:04] - File successfully renamed!
[06/07/2008, 10:24:04] - Removing HKLM\...\Browser Helper Objects\{81EA3F36-357A-435A-8741-52C27CCC9F21}
[06/07/2008, 10:24:04] - Removing HKCR\CLSID\{81EA3F36-357A-435A-8741-52C27CCC9F21}
[06/07/2008, 10:24:04] - Adding Kill Bit for ActiveX for GUID: {81EA3F36-357A-435A-8741-52C27CCC9F21}
[06/07/2008, 10:24:04] - Deleting ATLEvents/MSEvents Registry entries
[06/07/2008, 10:24:04] - Removing HKLM\...\Winlogon\Notify\fccaWMef
[06/07/2008, 10:24:04] - Searching for Browser Helper Objects:
[06/07/2008, 10:24:04] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[06/07/2008, 10:24:04] - BHO 2: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[06/07/2008, 10:24:04] - BHO 3: {25FC8D21-38F6-4D27-BE11-C91898DCDF5A} ()
[06/07/2008, 10:24:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:24:04] - Checking for HKLM\...\Winlogon\Notify\vtUkhifd
[06/07/2008, 10:24:04] - Key not found: HKLM\...\Winlogon\Notify\vtUkhifd, continuing.
[06/07/2008, 10:24:04] - BHO 4: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[06/07/2008, 10:24:04] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/07/2008, 10:24:04] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/07/2008, 10:24:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:24:04] - No filename found. Continuing.
[06/07/2008, 10:24:04] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/07/2008, 10:24:04] - BHO 8: {9764238B-D7BF-4BC1-AD46-4C77344B5EC6} ()
[06/07/2008, 10:24:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:24:04] - Checking for HKLM\...\Winlogon\Notify\mlJBSlLd
[06/07/2008, 10:24:04] - Key not found: HKLM\...\Winlogon\Notify\mlJBSlLd, continuing.
[06/07/2008, 10:24:04] - BHO 9: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[06/07/2008, 10:24:04] - BHO 10: {B57A4E51-9BA3-489D-98BC-496B4FDB0C2C} ()
[06/07/2008, 10:24:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:24:04] - Checking for HKLM\...\Winlogon\Notify\ssqQgDTn
[06/07/2008, 10:24:04] - Key not found: HKLM\...\Winlogon\Notify\ssqQgDTn, continuing.
[06/07/2008, 10:24:04] - Finished Searching Browser Helper Objects
[06/07/2008, 10:24:04] - Finishing up...
[06/07/2008, 10:24:04] - A restart is needed.
[06/07/2008, 10:32:01] - Attempting to Restart via STOP error (Blue Screen!)

[06/07/2008, 10:36:32] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Avatar\Desktop\VirtumundoBeGone.exe" )
[06/07/2008, 10:36:34] - Detected System Information:
[06/07/2008, 10:36:34] - Windows Version: 5.1.2600, Service Pack 2
[06/07/2008, 10:36:34] - Current Username: Avatar (Admin)
[06/07/2008, 10:36:34] - Windows is in NORMAL mode.
[06/07/2008, 10:36:34] - Searching for Browser Helper Objects:
[06/07/2008, 10:36:34] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[06/07/2008, 10:36:34] - BHO 2: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} (Winamp Toolbar BHO)
[06/07/2008, 10:36:34] - BHO 3: {25FC8D21-38F6-4D27-BE11-C91898DCDF5A} ()
[06/07/2008, 10:36:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:36:34] - Checking for HKLM\...\Winlogon\Notify\vtUkhifd
[06/07/2008, 10:36:34] - Key not found: HKLM\...\Winlogon\Notify\vtUkhifd, continuing.
[06/07/2008, 10:36:34] - BHO 4: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[06/07/2008, 10:36:34] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/07/2008, 10:36:34] - BHO 6: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/07/2008, 10:36:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:36:34] - No filename found. Continuing.
[06/07/2008, 10:36:34] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/07/2008, 10:36:34] - BHO 8: {9764238B-D7BF-4BC1-AD46-4C77344B5EC6} ()
[06/07/2008, 10:36:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:36:34] - Checking for HKLM\...\Winlogon\Notify\mlJBSlLd
[06/07/2008, 10:36:34] - Key not found: HKLM\...\Winlogon\Notify\mlJBSlLd, continuing.
[06/07/2008, 10:36:34] - BHO 9: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[06/07/2008, 10:36:34] - BHO 10: {EBC11423-4E50-4AC4-A893-5C80FC94EAB9} ()
[06/07/2008, 10:36:34] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/07/2008, 10:36:34] - Checking for HKLM\...\Winlogon\Notify\ssqQgDTn
[06/07/2008, 10:36:34] - Key not found: HKLM\...\Winlogon\Notify\ssqQgDTn, continuing.
[06/07/2008, 10:36:34] - Finished Searching Browser Helper Objects
[06/07/2008, 10:36:34] - Finishing up...
[06/07/2008, 10:36:34] - Nothing found! Exiting...


And Vundofix never found anything. I still can't access most sites and I still frequently have ads. Strangely, Firefox seems to be frequently dying on me while IE seems to be largely okay (minus the frequent ads that come up instead of my desired webpage).
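As an added example (not code from this thread, from HijackThis or from any of the tools named here), the script below does the kind of triage a helper performs on the O4 lines of the log above. It parses each `O4 - ...\..\Run:` entry and raises a flag for three patterns visible in that log: a Run value whose name is an eight-character hex string, `rundll32` loading a DLL from `system32` whose name is eight letters with almost no vowels and whose entry point is a single letter (the `euhxfmvf.dll,b` and `hsycklbl.dll,s` entries), and an "update" executable living in the legacy `WINDOWS\system` folder instead of `system32`. The thresholds and the flag wording are my own heuristics, not anything HijackThis itself reports.

```python
"""Triage HijackThis O4 (Run-key autostart) lines for Vundo-style entries.

Added example for this thread; the heuristics below are the author's own
reading of the log, not output or logic from HijackThis or VirtumundoBeGone.
"""
import re
from dataclasses import dataclass, field

# A subset of the O4 lines from the HijackThis log posted above.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [Windows Updates] c:\windows\system\Update.exe',
    r'O4 - HKLM\..\Run: [a027dceb] rundll32.exe "C:\WINDOWS\system32\euhxfmvf.dll",b',
    r'O4 - HKLM\..\Run: [BMa314ef77] Rundll32.exe "C:\WINDOWS\system32\hsycklbl.dll",s',
    r'O4 - HKCU\..\Run: [Windows Updates] c:\windows\system\Update.exe',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]

# "O4 - <hive>\..\Run: [<value name>] <command line>"; hive may be HKLM, HKCU
# or HKUS\<SID>. Startup-folder O4 lines ("O4 - Startup: ...") do not match.
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32[.exe] "<dll path>",<export>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)',
                       re.IGNORECASE)
HEX_NAME_RE = re.compile(r'[0-9a-f]{8}')          # eight lowercase hex chars in the value name
RANDOM_STEM_RE = re.compile(r'^[A-Za-z]{8}$')     # eight letters, no digits or separators
LEGACY_SYSTEM_RE = re.compile(r'\\windows\\system\\', re.IGNORECASE)  # not system32


@dataclass
class O4Entry:
    hive: str
    name: str
    cmd: str
    flags: list = field(default_factory=list)


def parse_o4(line):
    """Return an O4Entry for a Run-key line, or None for any other line."""
    m = O4_RE.match(line)
    if not m:
        return None
    return O4Entry(m['hive'], m['name'], m['cmd'].strip())


def looks_random(stem):
    """Heuristic: eight letters with at most two vowels (euhxfmvf, hsycklbl)."""
    return bool(RANDOM_STEM_RE.match(stem)) and sum(c in 'aeiou' for c in stem.lower()) <= 2


def triage(entry):
    """Attach human-readable flags to an entry; an empty list means nothing suspicious."""
    if HEX_NAME_RE.search(entry.name):
        entry.flags.append('random hex value name')
    rd = RUNDLL_RE.match(entry.cmd)
    if rd:
        dll = rd['dll']
        stem = dll.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        # The one-letter export is the decisive part; a random-looking stem alone
        # would also match some legitimate DLL names.
        if '\\system32\\' in dll.lower() and looks_random(stem) and len(rd['export']) == 1:
            entry.flags.append('rundll32 loads random-named system32 DLL with one-letter export')
    if LEGACY_SYSTEM_RE.search(entry.cmd):
        entry.flags.append('executable in legacy WINDOWS\\system folder')
    return entry


def triage_lines(lines):
    """Parse and triage every O4 Run-key line, preserving log order."""
    return [triage(e) for e in map(parse_o4, lines) if e is not None]


def suspicious(lines):
    """Value names of entries that raised at least one flag."""
    return [e.name for e in triage_lines(lines) if e.flags]


if __name__ == '__main__':
    for e in triage_lines(SAMPLE_O4_LINES):
        status = '; '.join(e.flags) if e.flags else 'ok'
        print(f'{e.hive:<6} [{e.name}] {e.cmd}\n       -> {status}')
```

Run it against a full HijackThis log by feeding every line through `triage_lines`; non-O4 lines are ignored. Entries that trip the `rundll32` flag are the ones the VirtumundoBeGone log above handles by renaming the DLL and removing its BHO and `Winlogon\Notify` registration, which is why the two random-named DLLs in the O4 section are worth pointing out to a helper even after that tool reports "Nothing found".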
#2 OldTimer (Global Moderator, 3,273 posts)
Hello bigspoiltbrat and welcome to G2G. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use the Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or another location where you can find it again.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT