#1
Junior Member
Good day & please help me out. Here is a copy of the logfile you request as a prerequisite. Thanks.
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:15:31, on 19/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ca/
O2 - BHO: (no name) - {3A649CCA-631D-4511-BEEA-FCF79EB0E19F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {A0FC5EE3-7584-4264-B372-295B126567FB} - (no file)
O2 - BHO: (no name) - {BB448A87-9502-4D04-AF34-B1A6976B5804} - C:\WINDOWS\system32\jkkIBUnn.dll
O2 - BHO: (no name) - {CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013} - C:\WINDOWS\system32\wvUlMeCs.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA7671] command /c del "C:\WINDOWS\system32\wvUlMeCs.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2395] cmd /c del "C:\WINDOWS\system32\wvUlMeCs.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA472] command /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7995] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Desktop Search.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupda...31/CTSUEng.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120447395039
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1120589756218
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5034/CTPID.cab
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O20 - Winlogon Notify: wvUlMeCs - C:\WINDOWS\SYSTEM32\wvUlMeCs.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file - 7550 bytes
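As an added example, not part of the thread, here is a small Python triage pass over HijackThis lines in the format of the log above. It flags the patterns a Vundo-style infection leaves in such a log: a BHO whose DLL is also registered as a Winlogon Notify handler, BHO entries pointing at (no file), O16 DPF entries with neither a name nor a source URL, and Run entries that start a system32 DLL through rundll32 by a bare export name. The sample lines are constructed and the regexes are my own, not HijackThis's.

```python
import re
from collections import defaultdict

# Constructed sample (not a real log): HijackThis 2.0.2 entries in the same format as the
# log posted above, one entry per line.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {3A649CCA-631D-4511-BEEA-FCF79EB0E19F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013} - C:\\WINDOWS\\system32\\wvUlMeCs.dll
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [d066545c] rundll32.exe "C:\\WINDOWS\\system32\\qfvumkmu.dll",b
O4 - Global Startup: Logitech SetPoint.lnk = C:\\Program Files\\Logitech\\SetPoint\\SetPoint.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: wvUlMeCs - C:\\WINDOWS\\SYSTEM32\\wvUlMeCs.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\\Program Files\\Ahead\\InCD\\InCDsrv.exe
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + GUID + r") - (?P<path>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>" + GUID + r")(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 loading a DLL that lives under system32, called by a bare export name after the comma
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\\system32\\[^",]+\.dll)"?,(?P<export>\S*)',
                       re.IGNORECASE)


def parse_entries(text):
    """Split a HijackThis log into (section code, line) pairs, skipping header and process list."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(O\d+|R\d+|F\d+|N\d+) - ", line)
        if m:
            entries.append((m.group(1), line))
    return entries


def triage(text):
    """Return {rule: [identifier, ...]} for the patterns that stand out in a Vundo-style log."""
    findings = defaultdict(list)
    bho_dlls = {}        # lowercase DLL basename -> CLSID of the BHO that loads it
    notify_dlls = set()  # lowercase DLL basenames registered as Winlogon Notify handlers
    for code, line in parse_entries(text):
        if code == "O2":
            m = BHO_RE.match(line)
            if not m:
                continue
            if m.group("path") == "(no file)":
                # Orphaned BHO registration: the CLSID is still there, the DLL is gone.
                findings["bho_no_file"].append(m.group("clsid"))
            else:
                bho_dlls[m.group("path").rsplit("\\", 1)[-1].lower()] = m.group("clsid")
        elif code == "O20":
            m = NOTIFY_RE.match(line)
            if m:
                notify_dlls.add(m.group("path").rsplit("\\", 1)[-1].lower())
        elif code == "O16":
            m = DPF_RE.match(line)
            if m and not m.group("name") and not m.group("url"):
                # Downloaded Program File with neither a friendly name nor a source URL.
                findings["dpf_no_name_no_url"].append(m.group("clsid"))
        elif code == "O4":
            m = RUN_RE.match(line)
            if m and RUNDLL_RE.match(m.group("cmd")):
                # Autorun that loads a system32 DLL through rundll32 by a one-letter-style export.
                findings["run_rundll32_system32_dll"].append(m.group("name"))
    # The hallmark seen in this thread: one DLL hooked into both IE (BHO) and winlogon (Notify).
    for dll in sorted(bho_dlls.keys() & notify_dlls):
        findings["bho_and_winlogon_notify"].append(dll)
    return dict(findings)


if __name__ == "__main__":
    for rule, items in sorted(triage(SAMPLE_LOG).items()):
        print(rule, "->", ", ".join(items))
```

Only entries that match one of the four rules are reported; everything else in the sample (SoundMan, the Global Startup shortcut, the Nero service) is parsed and passed over.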
#2
Security Expert
Please download show-vundo.vbs to your desktop.
#3
Junior Member
Here is the requested data. Please help.
Code:
=================================================
Relatório | BHOs, Winlogon Notify e AppInit_DLLs
=================================================

AppInit_DLLs
-------------------------------------------------
[Vazia]

-------------------------------------------------
Authentication Packages
-------------------------------------------------
[1] msv1_0
[2] C:\WINDOWS\system32\hgGaxyAs

-------------------------------------------------
Security Providers
-------------------------------------------------
msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

-------------------------------------------------
Explorer Execute Hooks
-------------------------------------------------
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="shell32.dll"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="C:\PROGRA~1\WIFD1F~1\MpShHook.dll"
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013}"="C:\WINDOWS\system32\wvUlMeCs.dll"

-------------------------------------------------
Browser Helper Objects
-------------------------------------------------
[HKLM\SOFTWARE\Classes\CLSID\{1410DD64-BA2C-4EAD-A069-A95C6AA5EE9C}\]
[Indefinido] | [Indefinido]
[Indefinido]

[HKLM\SOFTWARE\Classes\CLSID\{18798A15-1D35-4E1E-BA70-F298077059AB}\]
[Indefinido] | [Indefinido]
C:\WINDOWS\system32\jkkIBUnn.dll

[HKLM\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\]
Spybot-S&D IE Protection | [Indefinido]
C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKLM\SOFTWARE\Classes\CLSID\{586CC0C7-6BC2-4FCA-A115-C680BC55D170}\]
[Indefinido] | [Indefinido]
[Indefinido]

[HKLM\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\]
SSVHelper Class | [Indefinido]
C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

[HKLM\SOFTWARE\Classes\CLSID\{BFE6CA9C-19A4-4F27-ABF8-8696211DE190}\]
[Indefinido] | [Indefinido]
C:\WINDOWS\system32\hgGaxyAs.dll

[HKLM\SOFTWARE\Classes\CLSID\{C0C027D6-C2EC-48D7-BE35-29B351A50795}\]
[Indefinido] | [Indefinido]
[Indefinido]

[HKLM\SOFTWARE\Classes\CLSID\{CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013}\]
[Indefinido] | [Indefinido]
C:\WINDOWS\system32\wvUlMeCs.dll

-------------------------------------------------
Winlogon Notify
-------------------------------------------------
[Nova] AtiExtEvent : Ati2evxx.dll
[Padrão] cryptnet : cryptnet.dll
[Nova] dimsntfy : %SystemRoot%\System32\dimsntfy.dll
[Padrão] Schedule : wlnotify.dll
[Padrão] sclgntfy : sclgntfy.dll
[Nova] WgaLogon : WgaLogon.dll
[Padrão] wlballoon : wlnotify.dll
[Nova] wvUlMeCs : wvUlMeCs.dll

Esta NÃO É uma lista de arquivos maliciosos!
#4
Security Expert
Backup Your Registry with ERUNT
Note: to restore your registry, go to the folder and start ERDNT.exe

Copy the contents of the following codebox to a notepad window
Code:
REGEDIT4

; reset the LSA Authentication Packages list to the default msv1_0 only (hex(7) = REG_MULTI_SZ)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

; delete the ShellExecuteHooks value that loads wvUlMeCs.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013}"=-

Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.

Run HijackThis. Click on Do a system scan only. Place a checkmark next to these lines (if still present):

O2 - BHO: (no name) - {3A649CCA-631D-4511-BEEA-FCF79EB0E19F} - (no file)
O2 - BHO: (no name) - {A0FC5EE3-7584-4264-B372-295B126567FB} - (no file)
O2 - BHO: (no name) - {BB448A87-9502-4D04-AF34-B1A6976B5804} - C:\WINDOWS\system32\jkkIBUnn.dll
O2 - BHO: (no name) - {CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013} - C:\WINDOWS\system32\wvUlMeCs.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} -
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} -
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O20 - Winlogon Notify: wvUlMeCs - C:\WINDOWS\SYSTEM32\wvUlMeCs.dll

Then close all windows except HijackThis and click Fix Checked.

Run show-vundo.vbs again and post the log, along with a new HijackThis log.
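As an added example (my own code, not from the thread or from the ERUNT/HijackThis tools), this Python shows what the hex(7) value in the Fix.reg above encodes: a REG_MULTI_SZ list holding only msv1_0, which replaces the two-entry list the show-vundo report showed (msv1_0 plus the rogue hgGaxyAs package). The infected sample value is constructed from that report; REGEDIT4 files are ANSI, so each character is one byte.

```python
REG_HEADER = "REGEDIT4"
LSA_KEY = r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]"
DEFAULT_AUTH_PACKAGES = ["msv1_0"]   # the only package a stock Windows XP install lists here


def reg_multi_sz_hex(strings):
    """Encode a list of strings as the hex(7) (REG_MULTI_SZ) byte list a REGEDIT4 file uses.

    In the REGEDIT4 (ANSI) format every string is its single-byte characters followed by a
    NUL, and the whole list is terminated by one more NUL: "msv1_0" -> 6d,73,76,31,5f,30,00,00.
    """
    data = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def parse_multi_sz_hex(value):
    """Inverse of reg_multi_sz_hex: 'hex(7):6d,73,...' -> ['msv1_0']."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ value: " + value)
    data = bytes(int(h, 16) for h in value[len("hex(7):"):].split(","))
    return [part.decode("latin-1") for part in data.split(b"\x00") if part]


def unexpected_packages(current, baseline=DEFAULT_AUTH_PACKAGES):
    """Entries in the live value that are not in the baseline, i.e. what the fix removes."""
    return [p for p in current if p not in baseline]


def build_fix_reg(baseline=DEFAULT_AUTH_PACKAGES):
    """Produce the Authentication Packages part of a REGEDIT4 fix file for the given baseline."""
    return "\n".join([
        REG_HEADER,
        "",                      # regedit expects a blank line after the header
        LSA_KEY,
        '"Authentication Packages"=' + reg_multi_sz_hex(baseline),
        "",
    ])


# Constructed sample mirroring the show-vundo report: msv1_0 plus a rogue second package.
INFECTED_AUTH_PACKAGES = ["msv1_0", r"C:\WINDOWS\system32\hgGaxyAs"]

if __name__ == "__main__":
    print("rogue entries:", unexpected_packages(INFECTED_AUTH_PACKAGES))
    print(build_fix_reg())
```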
#5
Junior Member
Vundo-bho file:
Code:
=================================================
Relatório | BHOs, Winlogon Notify e AppInit_DLLs
=================================================

AppInit_DLLs
-------------------------------------------------
[Vazia]

-------------------------------------------------
Authentication Packages
-------------------------------------------------
[1] msv1_0
[2] C:\WINDOWS\system32\hgGaxyAs

-------------------------------------------------
Security Providers
-------------------------------------------------
msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

-------------------------------------------------
Explorer Execute Hooks
-------------------------------------------------
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="shell32.dll"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="C:\PROGRA~1\WIFD1F~1\MpShHook.dll"
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013}"="C:\WINDOWS\system32\wvUlMeCs.dll"

-------------------------------------------------
Browser Helper Objects
-------------------------------------------------
[HKLM\SOFTWARE\Classes\CLSID\{1410DD64-BA2C-4EAD-A069-A95C6AA5EE9C}\]
[Indefinido] | [Indefinido]
[Indefinido]

[HKLM\SOFTWARE\Classes\CLSID\{18798A15-1D35-4E1E-BA70-F298077059AB}\]
[Indefinido] | [Indefinido]
[Indefinido]

[HKLM\SOFTWARE\Classes\CLSID\{1d766ce3-2a33-4f05-844a-fd48491d14e8}\]
[Indefinido] | {8e41d194-84df-a448-50f4-33a23ec667d1}
C:\WINDOWS\system32\dbzlvp.dll

[HKLM\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\]
Spybot-S&D IE Protection | [Indefinido]
C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKLM\SOFTWARE\Classes\CLSID\{586CC0C7-6BC2-4FCA-A115-C680BC55D170}\]
[Indefinido] | [Indefinido]
[Indefinido]

[HKLM\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\]
SSVHelper Class | [Indefinido]
C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

[HKLM\SOFTWARE\Classes\CLSID\{903ACF82-258A-4772-8D72-556D8B75D66B}\]
[Indefinido] | [Indefinido]
C:\WINDOWS\system32\hgGaxyAs.dll

[HKLM\SOFTWARE\Classes\CLSID\{BFE6CA9C-19A4-4F27-ABF8-8696211DE190}\]
[Indefinido] | [Indefinido]
[Indefinido]

[HKLM\SOFTWARE\Classes\CLSID\{C0C027D6-C2EC-48D7-BE35-29B351A50795}\]
[Indefinido] | [Indefinido]
[Indefinido]

[HKLM\SOFTWARE\Classes\CLSID\{CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013}\]
[Indefinido] | [Indefinido]
C:\WINDOWS\system32\wvUlMeCs.dll

-------------------------------------------------
Winlogon Notify
-------------------------------------------------
[Nova] AtiExtEvent : Ati2evxx.dll
[Padrão] cryptnet : cryptnet.dll
[Nova] dimsntfy : %SystemRoot%\System32\dimsntfy.dll
[Padrão] Schedule : wlnotify.dll
[Padrão] sclgntfy : sclgntfy.dll
[Nova] WgaLogon : WgaLogon.dll
[Padrão] wlballoon : wlnotify.dll
[Nova] wvUlMeCs : wvUlMeCs.dll

Esta NÃO É uma lista de arquivos maliciosos!

HijackThis log:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:06:05, on 21/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Russ Darrach\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O2 - BHO: (no name) - {1410DD64-BA2C-4EAD-A069-A95C6AA5EE9C} - (no file)
O2 - BHO: (no name) - {18798A15-1D35-4E1E-BA70-F298077059AB} - (no file)
O2 - BHO: {8e41d194-84df-a448-50f4-33a23ec667d1} - {1d766ce3-2a33-4f05-844a-fd48491d14e8} - C:\WINDOWS\system32\dbzlvp.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {586CC0C7-6BC2-4FCA-A115-C680BC55D170} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {903ACF82-258A-4772-8D72-556D8B75D66B} - C:\WINDOWS\system32\hgGaxyAs.dll
O2 - BHO: (no name) - {BFE6CA9C-19A4-4F27-ABF8-8696211DE190} - (no file)
O2 - BHO: (no name) - {C0C027D6-C2EC-48D7-BE35-29B351A50795} - (no file)
O2 - BHO: (no name) - {CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013} - C:\WINDOWS\system32\wvUlMeCs.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [BMd35567c0] Rundll32.exe "C:\WINDOWS\system32\desgbdxq.dll",s
O4 - HKLM\..\Run: [d066545c] rundll32.exe "C:\WINDOWS\system32\qfvumkmu.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Desktop Search.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupda...31/CTSUEng.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120447395039
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1120589756218
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5034/CTPID.cab
O20 - Winlogon Notify: wvUlMeCs - C:\WINDOWS\SYSTEM32\wvUlMeCs.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file - 8398 bytes
#6
Security Expert
Please download Malwarebytes' Anti-Malware to your desktop.
#7
Junior Member
I have downloaded Malwarebytes' Anti-Malware software & ran it. It picked up 29 items & could not remove all without a restart. I restarted & reran; it picked up 4 more items. I was thinking that this wasn't going to work either. I rebooted again & reran once more - 0 items found. I then reconnected to the internet & found that there was an update. I have installed the update & am re-running Malwarebytes' Anti-Malware once again. It has passed the point of its scan where it previously picked up traces of malware. I have enclosed the three logfiles for your records. I will post the (hopefully) last logfile in the morning. Should a person run this Anti-Malware program once a week as a preventative with Spybot, Ad-Aware, Windows Defender & F-Prot Anti-virus? Thank you for your prompt & very helpful advice in removing this very stubborn and tricky Trojan.
Code:
Malwarebytes' Anti-Malware 1.22
Database version: 976
Windows 5.1.2600 Service Pack 3

6:58:17 AM 22/07/2008
mbam-log-7-22-2008 (06-58-17).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 123528
Time elapsed: 2 hour(s), 42 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\hgGaxyAs.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\wvUlMeCs.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\dbzlvp.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1d766ce3-2a33-4f05-844a-fd48491d14e8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1d766ce3-2a33-4f05-844a-fd48491d14e8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90b9b683-eaee-4f5c-b1e9-625c1fa88bb3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{90b9b683-eaee-4f5c-b1e9-625c1fa88bb3} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wvulmecs (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\DRam prosessor (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggaxyas -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\hggaxyas -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dbzlvp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hgGaxyAs.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\sAyxaGgh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sAyxaGgh.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\loasckhm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mhkcsaol.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qfvumkmu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\umkmuvfq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUlMeCs.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Russ Darrach\Desktop\backups\backup-20080721-185908-291.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\RegCleaner\Backups\JkkIBUnn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\WinRAR\Default.SFX (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F6D4FB3A-D8FB-43C9-A462-229603E48F6C}\RP509\A0121290.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F6D4FB3A-D8FB-43C9-A462-229603E48F6C}\RP509\A0121316.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F6D4FB3A-D8FB-43C9-A462-229603E48F6C}\RP511\A0122742.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F6D4FB3A-D8FB-43C9-A462-229603E48F6C}\RP514\A0123086.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F6D4FB3A-D8FB-43C9-A462-229603E48F6C}\RP518\A0126274.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ooidshuk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avpojlhd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMd35567c0.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMd35567c0.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Code:
Malwarebytes' Anti-Malware 1.22
Database version: 976
Windows 5.1.2600 Service Pack 3

6:52:01 PM 22/07/2008
mbam-log-7-22-2008 (18-52-01).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 123598
Time elapsed: 1 hour(s), 33 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hgGaxyAs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sAyxaGgh.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sAyxaGgh.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUlMeCs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Code:
Malwarebytes' Anti-Malware 1.22
Database version: 976
Windows 5.1.2600 Service Pack 3

9:07:23 PM 22/07/2008
mbam-log-7-22-2008 (21-07-23).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 123691
Time elapsed: 1 hour(s), 33 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
#8
Junior Member
Here is the scan with the updated Malwarebytes' Anti-Malware, as I had mentioned in the previous post. Is there anything else that I should do to ensure the computer is clean?
Code:
Malwarebytes' Anti-Malware 1.22
Database version: 980
Windows 5.1.2600 Service Pack 3

6:52:21 AM 23/07/2008
mbam-log-7-23-2008 (06-52-21).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 123822
Time elapsed: 1 hour(s), 32 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
#9 |
|
Security Expert
Join Date: Jul 2007
Posts: 698
It looks like it might be gone.
Post a new HijackThis log and we'll see if there is anything left.
#10
Junior Member
Join Date: Jul 2008
Posts: 8
Here is a copy of the latest HijackThis Log. I have noticed that I cannot update Windows. It states 'Could not start the Automatic Updates service on Local Computer. Error 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it'. As well, not all the items are being immunized in Spybot. I noticed in the HijackThis Log that O20 - Winlogon Notify: wvUlMeCs - C:\WINDOWS\ is still present. I will wait for your reply before I attempt to remove it via previous methods. Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:36:04, on 23/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Russ Darrach\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O2 - BHO: (no name) - {1410DD64-BA2C-4EAD-A069-A95C6AA5EE9C} - (no file)
O2 - BHO: (no name) - {18798A15-1D35-4E1E-BA70-F298077059AB} - (no file)
O2 - BHO: (no name) - {1d766ce3-2a33-4f05-844a-fd48491d14e8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {586CC0C7-6BC2-4FCA-A115-C680BC55D170} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {90B9B683-EAEE-4F5C-B1E9-625C1FA88BB3} - (no file)
O2 - BHO: (no name) - {BFE6CA9C-19A4-4F27-ABF8-8696211DE190} - (no file)
O2 - BHO: (no name) - {C0C027D6-C2EC-48D7-BE35-29B351A50795} - (no file)
O2 - BHO: (no name) - {CDA46C9C-A772-4F9C-B9F3-7C7A86EE0013} - (no file)
O2 - BHO: (no name) - {ECBA93A7-B0B2-44FB-A5CA-662A48B28A5B} - (no file)
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINREMOTE] "C:\Program Files\InterVideo\Common\Bin\WinRemote.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Desktop Search.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupda...31/CTSUEng.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} -
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120447395039
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1120589756218
O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/...dsolutions.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5034/CTPID.cab
O20 - Winlogon Notify: wvUlMeCs - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file - 8351 bytes