
Thread: Infected with Virtumonde

  1. #11
    Junior Member
    Join Date
    Nov 2007
    Posts
    16

    I had used VundoFix.exe and FxVMonde.exe while trying to remove this myself. Neither removed it, as S&D is still detecting it when I scan.

    So here is the VundoFix log, the results from the first scan are there, also. Today it said that it didn't detect anything.


    VundoFix V6.6.1

    Checking Java version...

    Scan started at 9:01:48 AM 11/14/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\dgjlm.bak1
    C:\WINDOWS\system32\dgjlm.bak2
    C:\WINDOWS\system32\dgjlm.ini
    C:\WINDOWS\system32\dgjlm.ini2
    C:\WINDOWS\system32\dgjlm.tmp
    C:\windows\SYSTEM32\jbnubuql.dll
    C:\WINDOWS\system32\mljgd.dll
    C:\windows\SYSTEM32\ufpjhjeh.dll
    C:\WINDOWS\system32\xxyvsss.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\dgjlm.bak1
    C:\WINDOWS\system32\dgjlm.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\dgjlm.bak2
    C:\WINDOWS\system32\dgjlm.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\dgjlm.ini
    C:\WINDOWS\system32\dgjlm.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\dgjlm.ini2
    C:\WINDOWS\system32\dgjlm.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\dgjlm.tmp
    C:\WINDOWS\system32\dgjlm.tmp Has been deleted!

    Attempting to delete C:\windows\SYSTEM32\jbnubuql.dll
    C:\windows\SYSTEM32\jbnubuql.dll Has been deleted!

    Attempting to delete C:\windows\SYSTEM32\ufpjhjeh.dll
    C:\windows\SYSTEM32\ufpjhjeh.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.6.1

    Checking Java version...

    Scan started at 9:16:03 AM 11/14/2007

    Listing files found while scanning....


    VundoFix V6.6.1

    Checking Java version...

    Scan started at 9:20:16 AM 11/14/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\mljgd.dll

    VundoFix V6.6.1

    Checking Java version...

    Scan started at 9:43:17 AM 11/14/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.6.2

    Checking Java version...

    Scan started at 1:50:56 PM 11/19/2007

    Listing files found while scanning....

    No infected files were found.

  2. #12
    Junior Member
    Join Date
    Nov 2007
    Posts
    16

    I cannot post a new Hijackthis log. It is still not saving the log files. I tried uninstalling it and deleting the .exe file manually, then reinstalling, but it is still doing the same thing.

  3. #13
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Ok we'll continue

    Please remove any old versions of VundoFix.

    Please download VundoFix.exe to your desktop
    • Open a new notepad window
    • Paste the list of files from the quote box below into the notepad window.
      C:\WINDOWS\SYSTEM32\ilovqdov.dll
      C:\WINDOWS\SYSTEM32\pirtvbpe.dll
      C:\WINDOWS\SYSTEM32\astavpis.dll
      C:\WINDOWS\SYSTEM32\joiljwpj.dll
      C:\WINDOWS\SYSTEM32\elyoqnri.dll
      C:\WINDOWS\SYSTEM32\rohhicav.dll
      C:\WINDOWS\SYSTEM32\ktckqvok.dll
      C:\WINDOWS\SYSTEM32\injpapnb.dll
      C:\WINDOWS\SYSTEM32\rqcgtxor.dll
      C:\WINDOWS\SYSTEM32\foxvrsch.dll
      C:\WINDOWS\SYSTEM32\ejjkrfef.dll
      C:\WINDOWS\SYSTEM32\kfcqscqn.dll
      C:\WINDOWS\SYSTEM32\dpgnkbmp.dll
      C:\WINDOWS\SYSTEM32\lgalcdrs.dll
      C:\WINDOWS\SYSTEM32\udheqyim.dll
      C:\WINDOWS\SYSTEM32\pstshqpu.dll
      C:\WINDOWS\SYSTEM32\qicifnqc.dll
      C:\WINDOWS\SYSTEM32\qlqmlajv.dll
      C:\WINDOWS\SYSTEM32\yljovueq.dll
      C:\WINDOWS\SYSTEM32\glildbgh.dll
      C:\WINDOWS\SYSTEM32\agewokpr.dll
      C:\WINDOWS\SYSTEM32\jofkonww.dll
      C:\WINDOWS\SYSTEM32\jlkkj.bak1
      C:\WINDOWS\SYSTEM32\jlkkj.bak2
      C:\WINDOWS\SYSTEM32\jlkkj.ini2
      C:\WINDOWS\System32\ogytiis.dll
      C:\WINDOWS\system32\ilovqdov.dll
      C:\WINDOWS\System32\jkklj.dll
      C:\WINDOWS\system32\pirtvbpe.dll
      C:\Documents and Settings\scale2\Start Menu\Programs\Startup\TA_Start.lnk
      C:\WINDOWS\pss\TA_Start.lnkStartup
      C:\WINDOWS\system32\dwgehlpp.dll
      C:\WINDOWS\cfg32.exe
      C:\WINDOWS\system32\owinkndt.exe
      C:\WINDOWS\system32\nvxbiufd.dll
      C:\WINDOWS\system32\abxnppdv.dll
      C:\WINDOWS\System32\Oplmsb01.exe
      C:\WINDOWS\system32\sodvujgd.dll
      C:\WINDOWS\pyzssagA.exe
    • Save this as vundofix.vft and Save as type "all files".
    • Double-click VundoFix.exe to run it.
    • Drag vundofix.vft onto the listbox (white box) of VundoFix.
    • Click the "Remove Vundo" button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting

    Backup Your Registry with ERUNT:
    • Download erunt.zip to your Desktop from here:
      http://aumha.org/downloads/erunt.zip
    • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
    • Inside the new folder, double-click ERUNT.exe to start the program
    • OK all the prompts to back up your registry to the default location.
    Note: to restore your registry, go to the backup folder and start ERDNT.exe


    Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3cbc28b6-9131-4f6f-be73-891643e159bc}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8339f5f5-14ec-473f-a2f9-dba3294a9701}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92AC9027-B90A-46E9-B67A-FF60396AAE49}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "b40c341c"=-

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfgddb]

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyvsss]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^scale2^Start Menu^Programs^Startup^TA_Start.lnk]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b40c341c]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageMonitor]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pyzssagA]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

    Make sure there are NO blank lines before REGEDIT4
    Make sure there IS one blank line at the end of the file.

    Save the document to your desktop as Fix.reg and filetype: All Files
    Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

    Restart the computer.

    Please post the contents of C:\vundofix.txt and a new HiJackThis log (if working now) in a reply to this thread.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  4. #14
    Junior Member
    Join Date
    Nov 2007
    Posts
    16

    Hijackthis is still not saving log file. From vundofix:

    Beginning removal...

    Attempting to delete C:\WINDOWS\pss\TA_Start.lnkStartup
    C:\WINDOWS\pss\TA_Start.lnkStartup Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\agewokpr.dll
    C:\WINDOWS\SYSTEM32\agewokpr.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\astavpis.dll
    C:\WINDOWS\SYSTEM32\astavpis.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\dpgnkbmp.dll
    C:\WINDOWS\SYSTEM32\dpgnkbmp.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\ejjkrfef.dll
    C:\WINDOWS\SYSTEM32\ejjkrfef.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\foxvrsch.dll
    C:\WINDOWS\SYSTEM32\foxvrsch.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\glildbgh.dll
    C:\WINDOWS\SYSTEM32\glildbgh.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ilovqdov.dll
    C:\WINDOWS\system32\ilovqdov.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\injpapnb.dll
    C:\WINDOWS\SYSTEM32\injpapnb.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\jlkkj.bak1
    C:\WINDOWS\SYSTEM32\jlkkj.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\jlkkj.bak2
    C:\WINDOWS\SYSTEM32\jlkkj.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\jlkkj.ini2
    C:\WINDOWS\SYSTEM32\jlkkj.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\kfcqscqn.dll
    C:\WINDOWS\SYSTEM32\kfcqscqn.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\ktckqvok.dll
    C:\WINDOWS\SYSTEM32\ktckqvok.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\lgalcdrs.dll
    C:\WINDOWS\SYSTEM32\lgalcdrs.dll Has been deleted!

    Attempting to delete C:\WINDOWS\System32\Oplmsb01.exe
    C:\WINDOWS\System32\Oplmsb01.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pirtvbpe.dll
    C:\WINDOWS\system32\pirtvbpe.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\rohhicav.dll
    C:\WINDOWS\SYSTEM32\rohhicav.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\rqcgtxor.dll
    C:\WINDOWS\SYSTEM32\rqcgtxor.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\udheqyim.dll
    C:\WINDOWS\SYSTEM32\udheqyim.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\yljovueq.dll
    C:\WINDOWS\SYSTEM32\yljovueq.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

  5. #15
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Okay let's try with an older version of HijackThis...

    Please post a HijackThis log to here:
    • Click here to download HijackThis.exe
    • Save HijackThis.exe to your desktop.
    • Create a new folder named HijackThis on your desktop. Move Hijackthis.exe into that folder.
    • Run HijackThis.exe
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  6. #16
    Junior Member
    Join Date
    Nov 2007
    Posts
    16

    It is doing the same thing. I downloaded the version you linked, moved it into the new folder on the desktop which I named hijackthis, then opened the program. I clicked on "do a system scan and save a log file" and got the message "Cannot find the C:\Program Files\Trend Micro\Hijackthis\Hijackthis.log file. Do you want to create a new file?" If I select yes it creates a new text document named hijackthis, but the document is blank and the file size is 0 KB. If I select no, it deletes this blank file and nothing is there. Then, I tried to run hijackthis by selecting "do a system scan only" and then after scanning, selecting "save log." This brings up the Save logfile window, I click save and I again get "Cannot find the C:\Program Files\Trend Micro\Hijackthis\Hijackthis.log file. Do you want to create a new file?" and the same thing happens.

  7. #17
    Junior Member
    Join Date
    Nov 2007
    Posts
    16

    Another thing...as I have been trying to run hijackthis and save a log file, Norton Antivirus keeps popping up saying that it's blocking Bloodhound.Exploit.6.

  8. #18
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Hi again

    Ok that wasn't old enough, sorry.

    Please try this version instead -> HijackThis 1.99.1

    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  9. #19
    Junior Member
    Join Date
    Nov 2007
    Posts
    16

    Logfile of HijackThis v1.99.1
    Scan saved at 1:01:12 PM, on 11/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WasteWORKS\wwwin.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\scale2\Desktop\HIJACKTHIS\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O2 - BHO: (no name) - {3cbc28b6-9131-4f6f-be73-891643e159bc} - C:\WINDOWS\System32\ogytiis.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Sonic\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: {1079a492-3abd-9f2a-f374-ce415f5f9338} - {8339f5f5-14ec-473f-a2f9-dba3294a9701} - C:\WINDOWS\system32\ilovqdov.dll (file missing)
    O2 - BHO: (no name) - {92AC9027-B90A-46E9-B67A-FF60396AAE49} - C:\WINDOWS\System32\jkklj.dll (file missing)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://download.windowsupdate.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1182528679234
    O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

  10. #20
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Ok good

    Only a few leftovers. How is the computer running?

    Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    O2 - BHO: (no name) - {3cbc28b6-9131-4f6f-be73-891643e159bc} - C:\WINDOWS\System32\ogytiis.dll (file missing)
    O2 - BHO: {1079a492-3abd-9f2a-f374-ce415f5f9338} - {8339f5f5-14ec-473f-a2f9-dba3294a9701} - C:\WINDOWS\system32\ilovqdov.dll (file missing)
    O2 - BHO: (no name) - {92AC9027-B90A-46E9-B67A-FF60396AAE49} - C:\WINDOWS\System32\jkklj.dll (file missing)

    Restart the computer and run a new scan with HijackThis. The entries you just fixed should be gone. Let me know if they're not.

    You can now remove the tools we used.

    =============

    Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:


    Stay clean and be safe
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
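
Added example, not part of the original thread: posts #19 and #20 find the leftovers by reading the O2 (Browser Helper Object) lines marked "(file missing)" in the HijackThis log. The Python code below performs the same triage on a few lines copied from that log and cross-checks each path against a subset of the removal list from post #13; the function names and the verdict labels ("present", "leftover", "review") are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample: a few lines copied from the HijackThis v1.99.1 log in post #19.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {3cbc28b6-9131-4f6f-be73-891643e159bc} - C:\WINDOWS\System32\ogytiis.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Sonic\SPYBOT~1\SDHelper.dll
O2 - BHO: {1079a492-3abd-9f2a-f374-ce415f5f9338} - {8339f5f5-14ec-473f-a2f9-dba3294a9701} - C:\WINDOWS\system32\ilovqdov.dll (file missing)
O2 - BHO: (no name) - {92AC9027-B90A-46E9-B67A-FF60396AAE49} - C:\WINDOWS\System32\jkklj.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Subset of the removal list from post #13, with the casing as posted there.
REMOVED_FILES = [
    r"C:\WINDOWS\SYSTEM32\ilovqdov.dll",
    r"C:\WINDOWS\System32\ogytiis.dll",
    r"C:\WINDOWS\System32\jkklj.dll",
]

# O2 line layout: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]".
# The name may itself be a GUID in braces, so the CLSID is the last GUID before the path.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


class Bho(NamedTuple):
    name: str
    clsid: str
    path: str
    file_missing: bool


def parse_bhos(log_text):
    """Return every O2 (Browser Helper Object) entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            entries.append(Bho(m["name"], m["clsid"].upper(), m["path"],
                               m["missing"] is not None))
    return entries


def triage(log_text, removed_files):
    """Map each BHO CLSID to a verdict: present, leftover, or review."""
    removed = {p.lower() for p in removed_files}  # Windows paths are case-insensitive
    verdicts = {}
    for bho in parse_bhos(log_text):
        if not bho.file_missing:
            verdicts[bho.clsid] = "present"    # DLL still on disk, judge it separately
        elif bho.path.lower() in removed:
            verdicts[bho.clsid] = "leftover"   # registry entry outlived a file we removed
        else:
            verdicts[bho.clsid] = "review"     # missing, but not something we removed
    return verdicts


if __name__ == "__main__":
    for clsid, verdict in triage(SAMPLE_LOG, REMOVED_FILES).items():
        print(verdict, clsid)
```

The three CLSIDs reported as "leftover" are the same three BHO entries that post #20 asks to have fixed.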
