mjs26
2007-06-15, 10:20
Hi, I have a really tough computer virus on my computer that I CANNOT get rid of. Here's the details I have:
*
Its a variant of virtumundo. However, of all the fixes that are supposed to work that I've read on other boards, I can't get rid of this one. All the spyware I've tried detects it, but is unable to delete it. To make matters worse, it's actually closing out windows that I open, such as firefox and HijackThis and other antispyware programs. Under command prompt/safe mode I was unable to remove the virus, but able to run the programs enough to get logs, which I will post below. My computer is basically useless at the moment. In normal and safe mode, antivirus programs wouldn't even stay open...they were closed out right away. The offending DLL's that the programs said were viruses (but unable to remove) were: ayvdsgjfvola.dll and xkwjfvdwhnns.dll.
*
Programs I have tried: AdAware, SpyBot, VirtumundoBeGone, FixVundo, DrWeb-CureIt, ZoneAlarm, SpySweeper, CWShredder- all in safe mode. They all notice something isn't right, but are all unable to physically remove the file. I even went in and deleted the registry logs, but on reboot they were right back there giving me pop up windows and basically rendering my computer useless. So, I have log files from a few programs posted below. I am hoping someone might have some idea to help out on this one..... any advice is most appreciated!
*
----For VirtumundoBeGone.......
[06/14/2007, 21:29:52] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[06/14/2007, 21:29:54] - Detected System Information:
[06/14/2007, 21:29:54] -* Windows Version: 5.1.2600, Service Pack 2
[06/14/2007, 21:29:54] -* Current Username: Owner (Admin)
[06/14/2007, 21:29:54] -* Windows is in SAFE mode.
[06/14/2007, 21:29:54] - Searching for Browser Helper Objects:
[06/14/2007, 21:29:54] -* BHO 1: {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} ()
[06/14/2007, 21:29:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/14/2007, 21:29:54] -* Checking for HKLM\...\Winlogon\Notify\dyahkufj
[06/14/2007, 21:29:54] -* Key not found: HKLM\...\Winlogon\Notify\dyahkufj, continuing.
[06/14/2007, 21:29:54] -* BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/14/2007, 21:29:54] - Finished Searching Browser Helper Objects
[06/14/2007, 21:29:54] - Finishing up...
[06/14/2007, 21:29:54] - Nothing found! Exiting...
*
----Logfile from FixVundo....
Symantec Trojan.Vundo Removal Tool 1.5.0
Trojan.Vundo has not been found on your computer.
*
----Logfile of HijackThis v1.99.1
Scan saved at 9:46:04 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
*
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\sadf\sadfasdfasdf.exe
*
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\gjfqunqo.dll",realset
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ayvdsgjfvola - C:\WINDOWS\system32\ayvdsgjfvola.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: xkwjfvdwhnns - C:\WINDOWS\system32\xkwjfvdwhnns.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: COM+ System Application Manage (COM+ System Manager) - Unknown owner - C:\Program Files\Common Files\System\Dllhost.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Mozy Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation* - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
*
Please, any help would be great...I'm stuck on this one and my computer is basically useless right now! If anyone needs additional logs from other programs, I can do that, but it will take me a day or so ( I have to download it on another computer, then move it over to my computer and hope I can install it ).
-Mike
*
Its a variant of virtumundo. However, of all the fixes that are supposed to work that I've read on other boards, I can't get rid of this one. All the spyware I've tried detects it, but is unable to delete it. To make matters worse, it's actually closing out windows that I open, such as firefox and HijackThis and other antispyware programs. Under command prompt/safe mode I was unable to remove the virus, but able to run the programs enough to get logs, which I will post below. My computer is basically useless at the moment. In normal and safe mode, antivirus programs wouldn't even stay open...they were closed out right away. The offending DLL's that the programs said were viruses (but unable to remove) were: ayvdsgjfvola.dll and xkwjfvdwhnns.dll.
*
Programs I have tried: AdAware, SpyBot, VirtumundoBeGone, FixVundo, DrWeb-CureIt, ZoneAlarm, SpySweeper, CWShredder- all in safe mode. They all notice something isn't right, but are all unable to physically remove the file. I even went in and deleted the registry logs, but on reboot they were right back there giving me pop up windows and basically rendering my computer useless. So, I have log files from a few programs posted below. I am hoping someone might have some idea to help out on this one..... any advice is most appreciated!
*
----For VirtumundoBeGone.......
[06/14/2007, 21:29:52] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
[06/14/2007, 21:29:54] - Detected System Information:
[06/14/2007, 21:29:54] -* Windows Version: 5.1.2600, Service Pack 2
[06/14/2007, 21:29:54] -* Current Username: Owner (Admin)
[06/14/2007, 21:29:54] -* Windows is in SAFE mode.
[06/14/2007, 21:29:54] - Searching for Browser Helper Objects:
[06/14/2007, 21:29:54] -* BHO 1: {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} ()
[06/14/2007, 21:29:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/14/2007, 21:29:54] -* Checking for HKLM\...\Winlogon\Notify\dyahkufj
[06/14/2007, 21:29:54] -* Key not found: HKLM\...\Winlogon\Notify\dyahkufj, continuing.
[06/14/2007, 21:29:54] -* BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/14/2007, 21:29:54] - Finished Searching Browser Helper Objects
[06/14/2007, 21:29:54] - Finishing up...
[06/14/2007, 21:29:54] - Nothing found! Exiting...
*
----Logfile from FixVundo....
Symantec Trojan.Vundo Removal Tool 1.5.0
Trojan.Vundo has not been found on your computer.
*
----Logfile of HijackThis v1.99.1
Scan saved at 9:46:04 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
*
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\sadf\sadfasdfasdf.exe
*
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\gjfqunqo.dll",realset
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ayvdsgjfvola - C:\WINDOWS\system32\ayvdsgjfvola.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: xkwjfvdwhnns - C:\WINDOWS\system32\xkwjfvdwhnns.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: COM+ System Application Manage (COM+ System Manager) - Unknown owner - C:\Program Files\Common Files\System\Dllhost.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Mozy Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation* - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
*
Please, any help would be great...I'm stuck on this one and my computer is basically useless right now! If anyone needs additional logs from other programs, I can do that, but it will take me a day or so ( I have to download it on another computer, then move it over to my computer and hope I can install it ).
-Mike