Geeks to Go

Virtumonde Won't Go Away



#1 antonio770 (New Member, 3 posts)

I have a Dell Optiplex 755 running XP, and I cannot get the Virtumonde malware off of it. I also cannot change my settings to get Windows updates, because I believe the malware is stopping it by changing the Automatic Updates settings. It will only start up in safe mode. When it starts up in normal mode, it sometimes freezes at the welcome screen, and other times it makes it to the desktop but shuts down after about 30 seconds or less. In safe mode I have run Lavasoft's Ad-Aware and Spybot, and only Ad-Aware detects it; however, it says that it deletes it, but on a reboot it comes back up again. I have tried the Symantec removal tool, the FixVundo tool, and the VirtumundoBeGone tool. Nothing has removed it. The log for VirtumundoBeGone is as follows:


[12/15/2008, 15:07:58] - VirtumundoBeGone v1.5 ( "E:\VirtumundoBeGone.exe" )
[12/15/2008, 15:08:06] - Detected System Information:
[12/15/2008, 15:08:06] - Windows Version: 5.1.2600, Service Pack 3
[12/15/2008, 15:08:06] - Current Username: Administrator (Admin)
[12/15/2008, 15:08:06] - Windows is in SAFE mode with Networking.
[12/15/2008, 15:08:06] - Searching for Browser Helper Objects:
[12/15/2008, 15:08:06] - BHO 1: {053F9267-DC04-4294-A72C-58F732D338C0} (HP Print Clips)
[12/15/2008, 15:08:06] - BHO 2: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ()
[12/15/2008, 15:08:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/15/2008, 15:08:06] - Checking for HKLM\...\Winlogon\Notify\ljJBsQkH
[12/15/2008, 15:08:06] - Found: HKLM\...\Winlogon\Notify\ljJBsQkH - This is probably Virtumundo.
[12/15/2008, 15:08:06] - Assigning {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} MSEvents Object
[12/15/2008, 15:08:06] - BHO list has been changed! Starting over...
[12/15/2008, 15:08:06] - BHO 1: {053F9267-DC04-4294-A72C-58F732D338C0} (HP Print Clips)
[12/15/2008, 15:08:06] - BHO 2: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} (MSEvents Object)
[12/15/2008, 15:08:06] - ALERT: Found MSEvents Object!
[12/15/2008, 15:08:06] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/15/2008, 15:08:06] - BHO 4: {77AB59B4-55A3-4737-9FD5-B93C6430BF78} ()
[12/15/2008, 15:08:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/15/2008, 15:08:06] - Checking for HKLM\...\Winlogon\Notify\dnrqprna
[12/15/2008, 15:08:06] - Key not found: HKLM\...\Winlogon\Notify\dnrqprna, continuing.
[12/15/2008, 15:08:06] - BHO 5: {F9209B2E-9129-4CFD-B2A7-9DDCC9D75B2D} ()
[12/15/2008, 15:08:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/15/2008, 15:08:06] - Checking for HKLM\...\Winlogon\Notify\byXPjGWo
[12/15/2008, 15:08:06] - Key not found: HKLM\...\Winlogon\Notify\byXPjGWo, continuing.
[12/15/2008, 15:08:06] - Finished Searching Browser Helper Objects
[12/15/2008, 15:08:06] - *** Detected MSEvents Object
[12/15/2008, 15:08:06] - Trying to remove MSEvents Object...
[12/15/2008, 15:08:07] - Terminating Process: IEXPLORE.EXE
[12/15/2008, 15:08:07] - Terminating Process: RUNDLL32.EXE
[12/15/2008, 15:08:07] - Disabling Automatic Shell Restart
[12/15/2008, 15:08:07] - Terminating Process: EXPLORER.EXE
[12/15/2008, 15:08:08] - Suspending the NT Session Manager System Service
[12/15/2008, 15:08:08] - Terminating Windows NT Logon/Logoff Manager
[12/15/2008, 15:08:08] - Re-enabling Automatic Shell Restart
[12/15/2008, 15:08:08] - File to disable: C:\WINDOWS\system32\ljJBsQkH.dll
[12/15/2008, 15:08:08] - Renaming C:\WINDOWS\system32\ljJBsQkH.dll -> C:\WINDOWS\system32\ljJBsQkH.dll.vir
[12/15/2008, 15:08:08] - File successfully renamed!
[12/15/2008, 15:08:08] - Removing HKLM\...\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
[12/15/2008, 15:08:08] - Removing HKCR\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
[12/15/2008, 15:08:08] - Adding Kill Bit for ActiveX for GUID: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
[12/15/2008, 15:08:08] - Deleting ATLEvents/MSEvents Registry entries
[12/15/2008, 15:08:08] - Removing HKLM\...\Winlogon\Notify\ljJBsQkH
[12/15/2008, 15:08:08] - Searching for Browser Helper Objects:
[12/15/2008, 15:08:08] - BHO 1: {053F9267-DC04-4294-A72C-58F732D338C0} (HP Print Clips)
[12/15/2008, 15:08:08] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/15/2008, 15:08:08] - BHO 3: {77AB59B4-55A3-4737-9FD5-B93C6430BF78} ()
[12/15/2008, 15:08:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/15/2008, 15:08:08] - Checking for HKLM\...\Winlogon\Notify\dnrqprna
[12/15/2008, 15:08:08] - Key not found: HKLM\...\Winlogon\Notify\dnrqprna, continuing.
[12/15/2008, 15:08:08] - BHO 4: {F9209B2E-9129-4CFD-B2A7-9DDCC9D75B2D} ()
[12/15/2008, 15:08:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/15/2008, 15:08:08] - Checking for HKLM\...\Winlogon\Notify\byXPjGWo
[12/15/2008, 15:08:08] - Key not found: HKLM\...\Winlogon\Notify\byXPjGWo, continuing.
[12/15/2008, 15:08:08] - Finished Searching Browser Helper Objects
[12/15/2008, 15:08:08] - Finishing up...
[12/15/2008, 15:08:08] - A restart is needed.
[12/15/2008, 15:08:08] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[12/15/2008, 15:08:36] - Attempting to Restart via STOP error (Blue Screen!)

Edited by antonio770, 15 December 2008 - 03:47 PM.

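The VirtumundoBeGone log above is readable as a small algorithm: for every BHO whose CLSID has no default name, take the DLL's base name and look for a subkey of that name under HKLM\...\Winlogon\Notify; a match is declared "probably Virtumundo", and the tool then renames the DLL, deletes the BHO and CLSID keys, sets the ActiveX kill bit for the CLSID, and deletes the Notify entry. The Notify entry is the part that explains the poster's symptom: winlogon.exe loads Notify DLLs at logon, safe mode included, so a clean-up that leaves that key in place is unlikely to stick, and it is also why the tool has to terminate winlogon and force a STOP-error restart. The Python below models that check and clean-up over a hand-built registry snapshot. It is an added example, not VirtumundoBeGone's code. The CLSIDs, the default names and the ljJBsQkH, dnrqprna and byXPjGWo stems come from the log and ssv.dll from the HijackThis log further down; the dict layout, the HP DLL path, the stock Notify subkeys and the rule that the Notify name equals the DLL's base name are assumptions.

```python
"""Offline model of the check VirtumundoBeGone logs above and of its clean-up.
Added example, not the tool's code. Assumptions: the registry and file system
are plain Python structures built by hand from the posted log; the Winlogon
Notify name is derived from the BHO DLL's base name; the HP DLL path and the
stock Notify subkeys are hypothetical placeholders.
"""
from copy import deepcopy
from ntpath import basename, splitext

KILL_BIT = 0x400  # 'Compatibility Flags' bit that makes IE refuse to instantiate a CLSID

# Constructed snapshot. CLSIDs, default names and the three unnamed DLL stems come
# from the VirtumundoBeGone log; ssv.dll is in the HijackThis log; the HP path is invented.
REGISTRY = {
    "BHO": [  # HKLM\...\Explorer\Browser Helper Objects subkeys, in log order
        "{053F9267-DC04-4294-A72C-58F732D338C0}",
        "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}",
        "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}",
        "{77AB59B4-55A3-4737-9FD5-B93C6430BF78}",
        "{F9209B2E-9129-4CFD-B2A7-9DDCC9D75B2D}",
    ],
    "CLSID": {  # HKCR\CLSID\{clsid}: (default value, InprocServer32 default value)
        "{053F9267-DC04-4294-A72C-58F732D338C0}": ("HP Print Clips", r"C:\Program Files\HP\hpprintclips.dll"),
        "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}": ("", r"C:\WINDOWS\system32\ljJBsQkH.dll"),
        "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}": ("SSVHelper Class", r"C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll"),
        "{77AB59B4-55A3-4737-9FD5-B93C6430BF78}": ("", r"C:\WINDOWS\system32\dnrqprna.dll"),
        "{F9209B2E-9129-4CFD-B2A7-9DDCC9D75B2D}": ("", r"C:\WINDOWS\system32\byXPjGWo.dll"),
    },
    # HKLM\...\Winlogon\Notify subkeys; the first three stand in for stock XP entries
    "WinlogonNotify": {"crypt32chain", "ScCertProp", "Schedule", "ljJBsQkH"},
    # HKLM\...\Internet Explorer\ActiveX Compatibility\{clsid} -> Compatibility Flags
    "ActiveXCompat": {},
}
FILES = {r"C:\WINDOWS\system32\ljJBsQkH.dll", r"C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll"}


def find_vundo_bhos(reg):
    """Return (clsid, dll_path, notify_name) for every unnamed BHO whose DLL
    base name is also a Winlogon Notify subkey. Named BHOs are skipped, and an
    unnamed BHO with no Notify twin is left alone, as the log does for
    dnrqprna and byXPjGWo."""
    hits = []
    for clsid in reg["BHO"]:
        name, dll = reg["CLSID"].get(clsid, ("", ""))
        if name:
            continue
        stem = splitext(basename(dll))[0]
        if stem in reg["WinlogonNotify"]:
            hits.append((clsid, dll, stem))
    return hits


def disinfect(reg, files, hit):
    """Apply the five steps the log shows, in its order, to copies of the model."""
    clsid, dll, stem = hit
    reg, files = deepcopy(reg), set(files)
    files.remove(dll)
    files.add(dll + ".vir")                  # 1. rename: the file cannot be mapped at next boot
    reg["BHO"].remove(clsid)                 # 2. IE stops enumerating the BHO
    reg["CLSID"].pop(clsid)                  # 3. COM can no longer resolve the CLSID to a DLL
    reg["ActiveXCompat"][clsid] = KILL_BIT   # 4. a re-registered CLSID is still refused by IE
    reg["WinlogonNotify"].discard(stem)      # 5. winlogon.exe stops loading the DLL at logon
    return reg, files


if __name__ == "__main__":
    for hit in find_vundo_bhos(REGISTRY):
        print("This is probably Virtumundo:", *hit)
        reg_after, files_after = disinfect(REGISTRY, FILES, hit)
        print("remaining BHOs:", reg_after["BHO"])
```

The model reproduces the log's outcome: only the MSEvents CLSID is flagged, the two other unnamed CLSIDs pass because no Notify key carries their name, and after the clean-up a second pass finds nothing, which is the "Searching for Browser Helper Objects" rescan at the end of the log. On a live XP box the same lookups are `reg query` against the three keys named in the comments; the order matters because the kill bit and the Notify deletion are what keep the component from coming back if a copy of the DLL survives.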
#2 ourwilly (Trusted Helper, Retired Staff, 768 posts)

Hello antonio770,

Please click here to download HijackThis and save it onto your system.
Once installed, reopen it, select "Do a system scan and save a logfile", and post the results back to me.

#3 antonio770 (Topic Starter, New Member, 3 posts)

Here is the log, ourwilly...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:57:07, on 12/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6080716
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.threatfir...torial/?lang=en
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [58c91489] rundll32.exe "C:\WINDOWS\system32\nivionfo.dll",b
O4 - HKCU\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
O4 - HKCU\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1229296951296
O20 - AppInit_DLLs: lkvnli.dll ykvtjv.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

--
End of file - 4311 bytes

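Two lines in this HijackThis log are the ones a helper would act on: the O4 Run entry [58c91489], which launches rundll32.exe against C:\WINDOWS\system32\nivionfo.dll with a one-letter entry point, and the O20 AppInit_DLLs line listing lkvnli.dll and ykvtjv.dll, which Windows maps into every process that loads user32.dll. The Python below runs that triage over a constructed subset of the posted log. It is an added example, not HijackThis code and not anything from the thread; the allowlist of DLLs legitimately started through rundll32 and the choice of heuristics are assumptions made for illustration.

```python
"""Triage of HijackThis O4 (Run keys) and O20 (AppInit_DLLs) lines for the
Vundo-style persistence visible in the log above. Added example, not HijackThis
code. The sample is a constructed subset of the posted log; the rundll32
allowlist and the heuristics are assumptions made for illustration.
"""
import re
from pathlib import PureWindowsPath
from typing import List, NamedTuple

# Constructed sample: six lines copied from the posted log, benign ones included.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [58c91489] rundll32.exe "C:\WINDOWS\system32\nivionfo.dll",b
O4 - HKCU\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
O20 - AppInit_DLLs: lkvnli.dll ykvtjv.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S*)',
                       re.IGNORECASE)

# Assumed allowlist: system32 DLLs a stock XP box might legitimately start via a rundll32 Run entry.
KNOWN_RUNDLL_TARGETS = {"nvcpl.dll", "nvmctray.dll"}


class Finding(NamedTuple):
    line: str
    reasons: List[str]


def check_o4(name: str, cmd: str) -> List[str]:
    """Reasons to distrust one Run entry; an empty list means nothing stood out."""
    reasons = []
    if re.fullmatch(r"[0-9a-f]{8}", name):
        reasons.append("value name is 8 hex digits, a Vundo naming habit")
    m = RUNDLL_RE.search(cmd)
    if m:
        dll = PureWindowsPath(m.group("dll"))
        if dll.parent.name.lower() == "system32" and dll.name.lower() not in KNOWN_RUNDLL_TARGETS:
            reasons.append(f"rundll32 loads an unrecognised DLL from system32: {dll.name}")
        if len(m.group("export")) == 1:
            reasons.append(f"rundll32 entry point is a single letter: {m.group('export')!r}")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the O4/O20 lines worth acting on."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        m = O4_RE.match(line)
        if m:
            reasons = check_o4(m.group("name"), m.group("cmd"))
        else:
            m = O20_RE.match(line)
            if m and m.group("dlls").strip():
                # AppInit_DLLs are mapped into every process that loads user32.dll
                reasons = ["AppInit_DLLs is set: " + m.group("dlls").strip()]
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample, the avast!, KernelFaultCheck and RunOnce entries pass, the [58c91489] entry collects all three reasons, and the O20 line is reported on its own; an O4 entry of the NVIDIA form `RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup` would pass because of the allowlist, which is the kind of exception a helper keeps in their head when reading these logs.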
#4 ourwilly (Trusted Helper, Retired Staff, 768 posts)

Hello antonio770,

Please download MalwareBytes Anti-malware (MBAM) from one of the following links:
http://www.majorgeek...ware_d5756.html
http://www.besttechi.../mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

Reboot your system, then re-scan with HijackThis.

Please post the new HijackThis log and the MalwareBytes results.

#5 antonio770 (Topic Starter, New Member, 3 posts)

Thanks ourwilly, I am still trying to get this done. Been really busy. Will get back to you tonight.