Virtumonde

#1 LaurelV (Member)
I have gone to your "go here" page before posting this message and, having spent most of the day trying everything that was suggested, I am in dire need of assistance. I have downloaded ewido and it is stopping Virtumonde from redirecting me for now, but I can't get rid of it. Following is the log that I just saved after running HijackThis. Any assistance that you can provide would be so much appreciated. Ewido keeps saying that a trojan was found in c:\windows\web.cbin.dll but I can't delete that file.

Logfile of HijackThis v1.99.1
Scan saved at 7:42:51 PM, on 9/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\cbin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Zero Knowledge\TELUS Security service\IndexCleanerR.exe"
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Zero Knowledge\TELUS Security service\IndexCleanerR.exe"
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: cbin - C:\WINDOWS\Web\cbin.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

#2 g2i2r4 (retired HiJack Helper)
Welcome LaurelV to Geeks to Go!

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\Web\cbin.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\Web\nibc.*
    This is the Vundo filename spelt backwards. For example, if the Vundo DLL was vundo.dll you would enter odnuv.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    • O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\cbin.dll
    • O20 - Winlogon Notify: cbin - C:\WINDOWS\Web\cbin.dll
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
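The fix above rests on two things the helper read out of the log: the same DLL, C:\WINDOWS\Web\cbin.dll, is registered both as a Browser Helper Object (O2) and as a Winlogon Notify package (O20), which is why it survives a reboot and cannot be deleted from a normal session, and Vundo keeps a companion file whose name is the DLL's base name reversed (hence the second VundoFix path, nibc.*). The Python below is an added example for this thread, not code from HijackThis, VundoFix or the forum: it parses a few log lines copied from the first post and applies those two heuristics. Which directories count as the expected home of a Winlogon Notify DLL is the editor's assumption, not something the thread states.

```python
"""Triage a HijackThis log for the Vundo/Virtumonde loading pattern.

Added example for this thread; not code from HijackThis, VundoFix or the
forum. The heuristics (pairing O2 with O20, and which directories are
expected for a Winlogon Notify DLL) are the editor's assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\cbin.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O20 - Winlogon Notify: cbin - C:\WINDOWS\Web\cbin.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

# Where a legitimate Winlogon Notify DLL normally lives (assumption).
EXPECTED_NOTIFY_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}


def parse_entries(log_text):
    """Return (section, module_path) for O2 (BHO) and O20 (Winlogon Notify) lines.

    In both sections HijackThis puts the module path in the last
    ' - ' separated field, so that is all we need to split on.
    """
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group(1) not in ("O2", "O20"):
            continue
        path = m.group(2).rsplit(" - ", 1)[-1].strip().strip('"')
        entries.append((m.group(1), path))
    return entries


def find_vundo_indicators(entries):
    """Group entries by module path and flag the Vundo-style combination."""
    by_path = defaultdict(set)   # lowercase path -> sections it appears in
    shown_as = {}                # lowercase path -> path as printed in the log
    for section, path in entries:
        key = path.lower()
        by_path[key].add(section)
        shown_as.setdefault(key, path)

    findings = []
    for key, sections in by_path.items():
        reasons = []
        if {"O2", "O20"} <= sections:
            reasons.append("same DLL loaded as a BHO (O2) and a Winlogon Notify package (O20)")
        if "O20" in sections and str(PureWindowsPath(key).parent) not in EXPECTED_NOTIFY_DIRS:
            reasons.append("Winlogon Notify DLL outside System32")
        if reasons:
            findings.append((shown_as[key], reasons))
    return findings


def companion_pattern(dll_path):
    """VundoFix's second path: the DLL's base name reversed, any extension."""
    p = PureWindowsPath(dll_path)
    return str(p.with_name(p.stem[::-1] + ".*"))


if __name__ == "__main__":
    for path, reasons in find_vundo_indicators(parse_entries(SAMPLE_LOG)):
        print(path)
        for reason in reasons:
            print("  -", reason)
        print("  companion file pattern:", companion_pattern(path))
```

Run against the sample it reports only cbin.dll, with both reasons, and prints C:\WINDOWS\Web\nibc.* as the second VundoFix path; the Acrobat BHO, which is only an O2 entry, is not flagged. Because the check keys on the O2/O20 overlap rather than on a file name, it would also catch a Vundo variant that had picked a different random DLL name.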

#3 LaurelV (Topic Starter)
Oh my god, I think it's gone!!

I followed your instructions completely, but when I ran CleanUp and went into options it wouldn't let me check "Delete Prefetch Files". It was there but it was light grey and wasn't an option. I haven't run ActiveScan, but not for lack of trying; there seems to be an error on the scan page when it comes up. I will keep trying and post the results as soon as I can get them.

You have no idea how much your assistance means. I will definitely be making a donation to this site, you guys/girls are amazing! Thank you sooooooooo much!


Logfile of HijackThis v1.99.1
Scan saved at 8:31:16 AM, on 9/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Zero Knowledge\TELUS Security service\IndexCleanerR.exe"
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Zero Knowledge\TELUS Security service\IndexCleanerR.exe"
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Vundofix.txt file, following:


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 112 'smss.exe'
Threads [108][116][120][128][124][132]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 276 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 136 'winlogon.exe'
Killing PID 136 'winlogon.exe'
Error 0x5 : Access is denied.

File Deleted sucessfully.
Files Deleted sucessfully.

#4 g2i2r4 (retired HiJack Helper)
A donation is always welcome :)

Panda moved the active scan to another page.

Panda online scan

Please run it to be sure we remove all malware. Then post me the report to check.

The HijackThis log looks clean already, well done.

#5 LaurelV (Topic Starter)
Thank you for the redirect, got it to run without incident. Seems to have found a few things! I have a router on my computer and was told that I didn't need a firewall; would you agree with that? I'm thinking that ZoneAlarm would be a good thing. Any suggestions on how to get rid of this bargainbuddy? Again, your help is appreciated.


Incident Status Location

Spyware:spyware/bargainbuddy No disinfected Windows Registry
Virus:Trj/Mitglieder.EK Disinfected Personal Folders\Deleted Items\The_reporting_of_taxes.rar[Taxes.exe]
Virus:Trj/Mitglieder.EK Disinfected Personal Folders\Sent Items\Weird email \The_reporting_of_taxes.rar[Taxes.exe]
Virus:Trj/Pakes.AV Disinfected C:\Program Files\Hijackthis\backups\backup-20050907-162819-725.dll
Virus:Trj/Pakes.AV Disinfected C:\Program Files\Hijackthis\backups\backup-20050907-163216-296.dll

#6 g2i2r4 (retired HiJack Helper)
Download and run this tool.

Run Spybot S&D 1.4 and remove all items found.
Reboot.
Run AdAware SE 1.06 and remove all items found.
Reboot.

It should be gone now.

------

As for your firewall question.
A router can have a firewall built in. But that will only protect you from the outside in (incoming traffic).
A firewall will control incoming and outgoing traffic. If a program wants to access the internet, a firewall will ask you at the first attempt if you want to allow this.
That way most malware can only phone home if you let it.
ZoneAlarm is a good and free program.

#7 LaurelV (Topic Starter)
Hello and sorry for the delay in posting back after all of your assistance, have been away from the computer.

I have run the Symantec virus scan and it says that I have W32.HLLW.Raleka, but when I try to remove it, it says that it isn't there. I have run Spybot and Adaware and neither finds anything.

Thanks again for your help!

#8 g2i2r4 (retired HiJack Helper)
Please visit Microsoft to obtain a patch for this infection.

***

To use RootKit Revealer please make sure you are logged in as an Administrator to the computer.
  • Please download and unzip Rootkit Revealer to your desktop.
  • Please leave the defaults set as they are to:
    • * Hide NTFS Metadata Files: this option is on by default
      * Scan Registry: this option is on by default.
  • Launch rootkit revealer on the system and press the Scan button.
    RootkitRevealer scans the system, reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time, so please disconnect from the internet and leave the PC to be scanned until it is finished.
  • The log can be very large please edit out the items in the following folders in the log : C:\RECYCLER\NPROTECT and C:\System Volume Information, if in the log, before posting it.
  • Please post the balance of the log here in this thread using Add Reply (please double check that it has all been posted as it may be too long for one post)
Can you also tell me where Symantec found the virus (full path, like c:\folder\file)

#9 LaurelV (Topic Starter)
Good Morning

Have downloaded and installed the batch from Microsoft.

Here is the RootkitRevealer report:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VideoUpgradeDisplaySettings\Driver0 9/11/2005 6:12 PM 3 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VideoUpgradeDisplaySettings\Service0 9/11/2005 6:12 PM 7 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VideoUpgradeDisplaySettings\Service1 9/11/2005 6:12 PM 5 bytes Data mismatch between Windows API and raw hive data.

Symantec Security says that this file is infected:

C:\WINDOWS\SYSTEM32\down.com is infected with W32.HLLW.Raleka

#10 g2i2r4 (retired HiJack Helper)
Please follow these steps:
  • Go to Start>Run, type CMD and then press the Enter key.
  • At the command prompt, type the following:
    NET STOP "Remote_Procedure_Call"
  • Press the Enter key. A message should indicate that the service has been stopped successfully.
***

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\SYSTEM32\DOWN.COM
C:\WINDOWS\SYSTEM32\NTROOTKIT.REG
C:\WINDOWS\SYSTEM32\SVCHOST.CMD
C:\WINDOWS\SYSTEM32\SVCHOST.INI

For these files, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Please go to the TrendMicro website HERE
  • Click Check my PC now
  • On the next page it will verify that Trendmicro scan can be run.
  • There should be 4 green checkmarks, if any of them stay a red X please let me know which one(s)
  • Read the agreement, then click continue with Next Step
  • Wait for the scanner to load, if you get a security warning about the Trend-Micro applet, click YES
  • It will install "Core-Packages", then please run a full system scan - let me know how many infected items it found and if any of them couldn't be cleaned/deleted and the name/location

Edited by g2i2r4, 13 September 2005 - 02:38 PM.


#11 LaurelV (Topic Starter)
Went into DOS as instructed and received the following message:

The specified service does not exist as an installed service.

Then went to KillBox and did as instructed and restarted my computer.

Then went to Trend Micro and scanned the computer and it didn't find anything.

But when I search for C:\WINDOWS\SYSTEM32\DOWN.COM I can still find that file. Is it safe to delete it or should I just leave it?

Can't find any of the others that you listed so they must be gone! :)

Thanks!

#12 g2i2r4 (retired HiJack Helper)
There's a good one and a bad one.

What does Symantec think now?

#13 LaurelV (Topic Starter)
Symantec says "0" infections were found!!!

You're amazing, thank you so much for all of the time and effort that you have put into helping me with this, I really appreciate it!

#14 g2i2r4 (retired HiJack Helper)
You're welcome. You did great.

Is the computer running ok?
If so, shall I post you some tips for the future and close this topic?

#15 LaurelV (Topic Starter)
Well thank you, but I sure couldn't have done it without you!!!

Everything on the computer seems to be running fine except for my Outlook. When I click it to open it up I get a message that says:

The server containing the Global Address List is no longer available. You can reconnect to a different server by restarting Outlook or retry the operation when the server is reachable.

So I click okay and then get a window that says:

The action could not be completed.

Then another window that says:

Microsoft Exchange server, and it asks for the name of the server.

This is where I don't have a clue!!! I don't know if this is something that happened with the malware or if it is something that I did, but it is frustrating as heck.

Any tips would be much appreciated.