
Virtumundo... :'( [RESOLVED]


  • This topic is locked

#1 JonnyBlazed (Member, 11 posts)
I've already killed this thing once before. But I don't see it anywhere in the log this time, so I'm not sure what to use VundoFix to kill. Also, I'm curious how I got it again. What programs, sites, etc. can give you Virtumundo? Does Limewire do it?

Anyways, thanks in advance for the help! :tazz:

----------------

Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 12:36:37 PM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Munchkins\Desktop\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117785866083
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123893275578
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

#2 Armodeluxe (Retired Staff, 2,744 posts)
Hi JonnyBlazed,

Your log looks clean.. where did you get the Virtumondo detection? Can you post the log?

#3 JonnyBlazed (Topic Starter, 11 posts)
My Microsoft Anti-Spyware picked it up:

Spyware Scan Details
Start Date: 10/26/2005 2:00:20 AM
End Date: 10/26/2005 2:12:13 AM
Total Time: 11 mins 53 secs

Detected Threats

Virtumondo Adware more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.

Infected registry keys/values detected
HKEY_CLASSES_ROOT\MSEvents.MSEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1 MSEvents Object
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CLSID {52B1DFC7-AAFC-4362-B103-868B0683C697}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents\CurVer MSEvents.MSEvents.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents MSEvents Object
HKEY_CLASSES_ROOT\MSEvents.MSEvents\CLSID {52B1DFC7-AAFC-4362-B103-868B0683C697}
HKEY_CLASSES_ROOT\MSEvents.MSEvents\CurVer MSEvents.MSEvents.1
HKEY_CLASSES_ROOT\MSEvents.MSEvents MSEvents Object
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1\CLSID {52B1DFC7-AAFC-4362-B103-868B0683C697}
HKEY_CLASSES_ROOT\MSEvents.MSEvents.1 MSEvents Object
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1\CLSID {52B1DFC7-AAFC-4362-B103-868B0683C697}


Detected Spyware Cookies
No spyware cookies were found during this scan.



I've since cleaned it. But as Virtumundo does, it shows up every time I restart.

#4 Armodeluxe (Retired Staff, 2,744 posts)
Yes, looks like MSAS cleaned quite a few registry entries, all Vundo..

I've since cleaned it. But as Virtumundo does, it shows up every time I restart.


Can you be more specific about the message you're getting? Are you getting a message from MSAS?

Let's run a couple scans..

First, download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Please download Ewido Security Suite (do NOT run it yet!)
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed
  • After the updates are installed, exit Ewido
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

If Cleanup! asks if you want to reboot, click NO

Open Ewido
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
Reboot back to normal mode..

Go here to make an online scan:

http://www.pandasoft.../activescan.htm

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Then please post the Panda results and the Ewido log along with a new HijackThis log..

#5 JonnyBlazed (Topic Starter, 11 posts)
Hi,
Sorry... I never got an e-mail telling me someone responded.
Just happened to check it out today and noticed I got some more help. Thanks :tazz:

Here are the logs you asked for:

Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:35:51 PM, 11/12/2005
+ Report-Checksum: 6E86EF38

+ Scan result:

HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Error during cleaning
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Error during cleaning
HKU\S-1-5-21-1547161642-1935655697-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{031B6D43-CBC4-46A5-8E46-CF8B407C1A33} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1547161642-1935655697-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1547161642-1935655697-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-1547161642-1935655697-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> Spyware.VX2 : Cleaned with backup
C:\Documents and Settings\Munchkins\Desktop\Downloads\ultramon.exe -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End


-----------------------------------------------------------------------------------


ActiveScan


Incident Status Location

Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Munchkins\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-31f06068-7afe38c3.zip[InstallerApplet.class]
Adware:adware/portalscan No disinfected C:\WINDOWS\system32\winupdt.008

#6 Armodeluxe (Retired Staff, 2,744 posts)
I never got notified of your post either.. :tazz:

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.

Download VirtumundoBegone and save it to your desktop.

http://secured2k.hom...mundoBeGone.exe

Reboot your computer into Safe Mode

Delete this file:

C:\WINDOWS\system32\winupdt.008


Then double click VirtumundoBeGone.exe you just downloaded and follow the instructions.

Exit when it has finished.

Please post the log it creates into your next reply

#7 JonnyBlazed (Topic Starter, 11 posts)
I'm supremely confident I have an anomaly virus....

[11/22/2005, 16:48:40] - Starting Process...
[11/22/2005, 16:48:40] - Looking for Browser Helper Object [MSEvents Object]
[11/22/2005, 16:48:40] - 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - AcroIEHlprObj Class
[11/22/2005, 16:48:40] - 2: {53707962-6F74-2D53-2644-206D7942484F} -
[11/22/2005, 16:48:40] - WARNING: 2: {53707962-6F74-2D53-2644-206D7942484F} - BHO Name is blank.
[11/22/2005, 16:48:40] - Checking for WinLogon Notify reference. (File: C:\Program Files\Spybot - Search & Destroy\SDHelper.dll)
[11/22/2005, 16:48:40] - Couldn't find SDHelper in Winlogon Notify. Ignoring {53707962-6F74-2D53-2644-206D7942484F}.
[11/22/2005, 16:48:40] - 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper
[11/22/2005, 16:48:40] - Finished searching for [MSEvents Object]
[11/22/2005, 16:48:41] - Nothing found! Exiting.



[bleep] Virtumundo -_-
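
The VirtumundoBeGone log above walks the installed Browser Helper Objects, resolves each CLSID to a name and warns when the name is blank. The following PowerShell is an added example (not from the thread or from the VirtumundoBeGone tool) that reproduces that check on a current Windows box: it lists every BHO registered under HKLM, resolves its CLSID and InprocServer32 DLL, and flags the "MSEvents Object" name the scanners in this thread keyed on, blank names, and DLLs that no longer exist on disk. The registry paths are the standard BHO and CLSID locations; the 32-bit Wow6432Node view is not covered.

```powershell
# Added example, not part of the thread: enumerate Internet Explorer Browser
# Helper Objects the way VirtumundoBeGone's log walks them, and flag entries
# whose CLSID has a blank name or a missing DLL. Read-only; run as Administrator.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BhoReport {
    if (-not (Test-Path -LiteralPath $bhoRoot)) { return }
    foreach ($sub in Get-ChildItem -Path $bhoRoot) {
        $clsid  = $sub.PSChildName                        # e.g. {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        # The CLSID key's default value is the display name; InprocServer32's default value is the DLL.
        $name   = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
        $dll    = (Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

        $flag = ''
        if ($name -eq 'MSEvents Object') {
            $flag = 'VUNDO NAME'          # the BHO name MSAS, Ewido and VirtumundoBeGone reported in this thread
        } elseif ([string]::IsNullOrWhiteSpace($name)) {
            $flag = 'BLANK NAME'          # same condition VirtumundoBeGone warned on
        } elseif (-not $dll) {
            $flag = 'NO INPROCSERVER32'   # registered BHO with no server DLL at all
        } elseif (-not (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll.Trim('"'))))) {
            $flag = 'DLL MISSING'         # leftover registration, file already removed
        }

        [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll; Flag = $flag }
    }
}

Get-BhoReport | Format-Table -AutoSize
```

A blank name alone is not proof of infection: the log above shows Spybot's SDHelper registered with a blank name, so always look at the DLL path and its publisher before deleting anything.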

#8 Armodeluxe (Retired Staff, 2,744 posts)
Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • Just press Enter without typing anything
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • Again press Enter without typing anything.
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open. Close HijackThis.
  • Press enter to exit the program then manually reboot your computer.
Please post the vundofix.txt file from the vundofix folder into this topic.

#9 JonnyBlazed (Topic Starter, 11 posts)
Armo, I followed your steps, but it never opened HijackThis, nor did it make a vundofix.txt file.

#10 Armodeluxe (Retired Staff, 2,744 posts)
Well, we used all the tools available, but because all you've got is leftover registry entries and no files, I guess they are not working..

You can instruct MSAS and Ewido to ignore those entries, as they are harmless..

However if you want to get rid of them badly, make a new scan with MSAS and Ewido and post the results here and let's try to get rid of them with a regfix..

#11 JonnyBlazed (Topic Starter, 11 posts)
Well my real concern is how they keep coming back.

I've deleted these entries time and time again and they always return :\

#12 Armodeluxe (Retired Staff, 2,744 posts)
Maybe MSAS is just trying to delete them but cannot, just like Ewido..

Post the logs (from safe mode) and let's try a regfix..

#13 JonnyBlazed (Topic Starter, 11 posts)
Wow... I feel stupid.

Whatever entered those keys in my registry set them so I don't have permissions, so I couldn't manually delete them.

I got it, though; we'll see if they stay off for good... thanks for your help, Armo.
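
The root cause found above is a permissions problem: the MSEvents.MSEvents ProgID keys carried an ACL that blocked deletion, which is why MSAS reported them "Removed" on every scan and Ewido logged "Error during cleaning". The PowerShell below is an added example (not from the thread) that makes that condition visible and, with -Fix, repairs it: it prints the owner and any Deny entries on the keys named in the scan logs, then strips explicit Deny ACEs, grants Administrators FullControl and deletes the keys. The key paths are the HKLM ones from the MSAS and Ewido logs; HKEY_CLASSES_ROOT\MSEvents.MSEvents is the same data seen through the merged HKCR view, so removing the HKLM keys covers it.

```powershell
# Added example, not part of the thread: show who owns the leftover MSEvents.MSEvents
# ProgID keys and which Deny entries block deletion; with -Fix, strip explicit Deny
# ACEs, grant Administrators FullControl and delete the keys. Run from an elevated shell.
function Repair-LeftoverKey {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [switch] $Fix
    )
    $admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    foreach ($k in $Path) {
        if (-not (Test-Path -LiteralPath $k)) { Write-Host "$k : not present"; continue }
        $acl    = Get-Acl -LiteralPath $k
        $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        Write-Host "$k"
        Write-Host "  owner: $($acl.Owner)"
        foreach ($d in $denies) {
            Write-Host "  DENY $($d.IdentityReference) -> $($d.RegistryRights) (inherited: $($d.IsInherited))"
        }
        if (-not $Fix) { continue }
        # Inherited Deny ACEs cannot be removed on the child; only explicit ones are stripped here.
        foreach ($d in ($denies | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($d) }
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)
        # Set-Acl fails with "Access denied" when you are neither owner nor hold WRITE_DAC on the key;
        # in that case take ownership first (regedit > Permissions > Advanced > Owner) and rerun.
        Set-Acl -LiteralPath $k -AclObject $acl
        Remove-Item -LiteralPath $k -Recurse -Force
        Write-Host "  removed"
    }
}

# The ProgID keys that MSAS and Ewido kept reporting in this thread.
$vundoKeys = @(
    'HKLM:\SOFTWARE\Classes\MSEvents.MSEvents',
    'HKLM:\SOFTWARE\Classes\MSEvents.MSEvents.1'
)
Repair-LeftoverKey -Path $vundoKeys          # report only
# Repair-LeftoverKey -Path $vundoKeys -Fix   # reset permissions and delete
```

Check the report output first: a Deny ACE for Everyone or for Administrators on a ProgID key that no legitimate software claims is the signature of exactly the situation described in this post.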

#14 Armodeluxe (Retired Staff, 2,744 posts)
Ok, let me know..I'll keep the topic open for a while.. :tazz:

#15 JonnyBlazed (Topic Starter, 11 posts)
Nothing Armo!

I think it worked... Thanks for your help, really appreciate it. It was your suggestion for a regfix that made me think to check permissions on the entries :tazz: