I've been infected with Trojan.Vundo. As many other people have said, Norton Antivirus is useless. I ran their scan and did everything they said to do, but no luck. I researched it on your site and installed VundoFix. I ran it in safe mode and it found the file but could not delete it... even after the reboot. I then tried VirtumundoBeGone. Didn't work either.
Now I have started to get popups in Internet Explorer and my system is extremely slow.
I do hope that you can help me because I am at my wit's end!!
Thanks in advance,
I have enclosed the HJT log as well as the VBG log.
Here they are:
VBG
[04/11/2007, 20:06:11] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Dira\Desktop\VirtumundoBeGone.exe" )
[04/11/2007, 20:06:15] - Detected System Information:
[04/11/2007, 20:06:15] - Windows Version: 5.1.2600, Service Pack 2
[04/11/2007, 20:06:15] - Current Username: Dira (Admin)
[04/11/2007, 20:06:15] - Windows is in SAFE mode.
[04/11/2007, 20:06:15] - Searching for Browser Helper Objects:
[04/11/2007, 20:06:15] - BHO 1: {00C6482D-C502-44C8-8409-FCE54AD9C208} (SnagIt Toolbar Loader)
[04/11/2007, 20:06:15] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/11/2007, 20:06:15] - BHO 3: {21CEBE6B-DFF5-45EF-956C-715C336D7540} ()
[04/11/2007, 20:06:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 20:06:15] - Checking for HKLM\...\Winlogon\Notify\mllmm
[04/11/2007, 20:06:15] - Found: HKLM\...\Winlogon\Notify\mllmm - This is probably Virtumundo.
[04/11/2007, 20:06:15] - Assigning {21CEBE6B-DFF5-45EF-956C-715C336D7540} MSEvents Object
[04/11/2007, 20:06:15] - BHO list has been changed! Starting over...
[04/11/2007, 20:06:15] - BHO 1: {00C6482D-C502-44C8-8409-FCE54AD9C208} (SnagIt Toolbar Loader)
[04/11/2007, 20:06:15] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/11/2007, 20:06:15] - BHO 3: {21CEBE6B-DFF5-45EF-956C-715C336D7540} (MSEvents Object)
[04/11/2007, 20:06:15] - ALERT: Found MSEvents Object!
[04/11/2007, 20:06:15] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/11/2007, 20:06:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 20:06:15] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/11/2007, 20:06:15] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/11/2007, 20:06:15] - BHO 5: {600A6BDC-C72B-4DE8-A117-995141471E39} ()
[04/11/2007, 20:06:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 20:06:15] - Checking for HKLM\...\Winlogon\Notify\fccdebx
[04/11/2007, 20:06:15] - Key not found: HKLM\...\Winlogon\Notify\fccdebx, continuing.
[04/11/2007, 20:06:15] - BHO 6: {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} ()
[04/11/2007, 20:06:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 20:06:15] - Checking for HKLM\...\Winlogon\Notify\jcqeewdy
[04/11/2007, 20:06:15] - Key not found: HKLM\...\Winlogon\Notify\jcqeewdy, continuing.
[04/11/2007, 20:06:15] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/11/2007, 20:06:15] - BHO 8: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[04/11/2007, 20:06:15] - BHO 9: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[04/11/2007, 20:06:15] - Finished Searching Browser Helper Objects
[04/11/2007, 20:06:15] - *** Detected MSEvents Object
[04/11/2007, 20:06:15] - Trying to remove MSEvents Object...
[04/11/2007, 20:06:16] - Terminating Process: IEXPLORE.EXE
[04/11/2007, 20:06:16] - Terminating Process: RUNDLL32.EXE
[04/11/2007, 20:06:16] - Disabling Automatic Shell Restart
[04/11/2007, 20:06:16] - Terminating Process: EXPLORER.EXE
[04/11/2007, 20:06:17] - Suspending the NT Session Manager System Service
[04/11/2007, 20:06:17] - Terminating Windows NT Logon/Logoff Manager
[04/11/2007, 20:06:17] - Re-enabling Automatic Shell Restart
[04/11/2007, 20:06:17] - File to disable: C:\WINDOWS\system32\mllmm.dll
[04/11/2007, 20:06:17] - Renaming C:\WINDOWS\system32\mllmm.dll -> C:\WINDOWS\system32\mllmm.dll.vir
[04/11/2007, 20:06:17] - File successfully renamed!
[04/11/2007, 20:06:17] - Removing HKLM\...\Browser Helper Objects\{21CEBE6B-DFF5-45EF-956C-715C336D7540}
[04/11/2007, 20:06:17] - Removing HKCR\CLSID\{21CEBE6B-DFF5-45EF-956C-715C336D7540}
[04/11/2007, 20:06:17] - Adding Kill Bit for ActiveX for GUID: {21CEBE6B-DFF5-45EF-956C-715C336D7540}
[04/11/2007, 20:06:17] - Deleting ATLEvents/MSEvents Registry entries
[04/11/2007, 20:06:17] - Removing HKLM\...\Winlogon\Notify\mllmm
[04/11/2007, 20:06:17] - Searching for Browser Helper Objects:
[04/11/2007, 20:06:17] - BHO 1: {00C6482D-C502-44C8-8409-FCE54AD9C208} (SnagIt Toolbar Loader)
[04/11/2007, 20:06:17] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/11/2007, 20:06:17] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/11/2007, 20:06:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 20:06:17] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/11/2007, 20:06:17] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/11/2007, 20:06:17] - BHO 4: {600A6BDC-C72B-4DE8-A117-995141471E39} ()
[04/11/2007, 20:06:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 20:06:17] - Checking for HKLM\...\Winlogon\Notify\fccdebx
[04/11/2007, 20:06:17] - Key not found: HKLM\...\Winlogon\Notify\fccdebx, continuing.
[04/11/2007, 20:06:17] - BHO 5: {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} ()
[04/11/2007, 20:06:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 20:06:17] - Checking for HKLM\...\Winlogon\Notify\jcqeewdy
[04/11/2007, 20:06:17] - Key not found: HKLM\...\Winlogon\Notify\jcqeewdy, continuing.
[04/11/2007, 20:06:17] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/11/2007, 20:06:17] - BHO 7: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[04/11/2007, 20:06:17] - BHO 8: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[04/11/2007, 20:06:17] - Finished Searching Browser Helper Objects
[04/11/2007, 20:06:17] - Finishing up...
[04/11/2007, 20:06:17] - A restart is needed.
[04/11/2007, 20:06:32] - Attempting to Restart via STOP error (Blue Screen!)
[04/11/2007, 20:08:11] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Dira\Desktop\VirtumundoBeGone.exe" )
[04/11/2007, 20:08:16] - Detected System Information:
[04/11/2007, 20:08:16] - Windows Version: 5.1.2600, Service Pack 2
[04/11/2007, 20:08:16] - Current Username: Dira (Admin)
[04/11/2007, 20:08:16] - Windows is in NORMAL mode.
[04/11/2007, 20:08:16] - Searching for Browser Helper Objects:
[04/11/2007, 20:08:16] - BHO 1: {00C6482D-C502-44C8-8409-FCE54AD9C208} (SnagIt Toolbar Loader)
[04/11/2007, 20:08:16] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/11/2007, 20:08:16] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/11/2007, 20:08:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 20:08:17] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/11/2007, 20:08:17] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/11/2007, 20:08:17] - BHO 4: {600A6BDC-C72B-4DE8-A117-995141471E39} ()
[04/11/2007, 20:08:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 20:08:17] - Checking for HKLM\...\Winlogon\Notify\fccdebx
[04/11/2007, 20:08:17] - Key not found: HKLM\...\Winlogon\Notify\fccdebx, continuing.
[04/11/2007, 20:08:17] - BHO 5: {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} ()
[04/11/2007, 20:08:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 20:08:17] - Checking for HKLM\...\Winlogon\Notify\jcqeewdy
[04/11/2007, 20:08:17] - Key not found: HKLM\...\Winlogon\Notify\jcqeewdy, continuing.
[04/11/2007, 20:08:17] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/11/2007, 20:08:17] - BHO 7: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[04/11/2007, 20:08:17] - BHO 8: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[04/11/2007, 20:08:17] - Finished Searching Browser Helper Objects
[04/11/2007, 20:08:17] - Finishing up...
[04/11/2007, 20:08:17] - Nothing found! Exiting...
[04/11/2007, 22:54:07] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Dira\Desktop\VirtumundoBeGone.exe" )
[04/11/2007, 22:54:09] - Detected System Information:
[04/11/2007, 22:54:10] - Windows Version: 5.1.2600, Service Pack 2
[04/11/2007, 22:54:10] - Current Username: Dira (Admin)
[04/11/2007, 22:54:10] - Windows is in NORMAL mode.
[04/11/2007, 22:54:10] - Searching for Browser Helper Objects:
[04/11/2007, 22:54:10] - BHO 1: {00C6482D-C502-44C8-8409-FCE54AD9C208} (SnagIt Toolbar Loader)
[04/11/2007, 22:54:10] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/11/2007, 22:54:10] - BHO 3: {0AAD203D-7709-49CA-BB65-4B1DAA9B83E7} ()
[04/11/2007, 22:54:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 22:54:10] - Checking for HKLM\...\Winlogon\Notify\ddabb
[04/11/2007, 22:54:10] - Key not found: HKLM\...\Winlogon\Notify\ddabb, continuing.
[04/11/2007, 22:54:10] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
[04/11/2007, 22:54:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 22:54:10] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[04/11/2007, 22:54:10] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[04/11/2007, 22:54:10] - BHO 5: {600A6BDC-C72B-4DE8-A117-995141471E39} ()
[04/11/2007, 22:54:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 22:54:10] - Checking for HKLM\...\Winlogon\Notify\fccdebx
[04/11/2007, 22:54:10] - Key not found: HKLM\...\Winlogon\Notify\fccdebx, continuing.
[04/11/2007, 22:54:10] - BHO 6: {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} ()
[04/11/2007, 22:54:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/11/2007, 22:54:10] - Checking for HKLM\...\Winlogon\Notify\jcqeewdy
[04/11/2007, 22:54:10] - Key not found: HKLM\...\Winlogon\Notify\jcqeewdy, continuing.
[04/11/2007, 22:54:10] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/11/2007, 22:54:10] - BHO 8: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[04/11/2007, 22:54:10] - BHO 9: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[04/11/2007, 22:54:10] - Finished Searching Browser Helper Objects
[04/11/2007, 22:54:10] - Finishing up...
[04/11/2007, 22:54:10] - Nothing found! Exiting...
Here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:38:20 PM, on 11/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Dira\Desktop\VundoFix.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /systrayIcon:on
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.h...SWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1168708220390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168793907562
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
Edited by mtl_grrl, 11 April 2007 - 08:56 PM.