K98king
2007-07-01, 17:56
Hello,
I read and believe I executed all the information in the BEFORE POSTING file.
Recently removed Norton AntiVirus & Internet Security 2005 as they were expired and Comcast offered a free McAfee suite. The Comcast site would not allow the download file to run. Their technical support said it was their server having an issue, to try later... that was over a week ago...
So my PC got sick...
Here is my issue: the following two files will not delete:
C:\Windows\System32\byxvtur.dll
C:\Windows\System32\khfde.dll
I know they are Virtumonde virus files.
SpyBot is updated, runs and finds it, but cannot remove and kill Virtumonde.
Downloaded the paid version of Spyware Doctor; it ran initially but did not delete it, and now it will not start at all. It just keeps looping, saying "Engine starting in...". Their technical support (?) has not been able to resolve the issue in 5 days now! I have currently removed it and just have the file on the desktop. I'm thinking refund.
Then I tried several items from your forum. VundoFix cannot delete the two DLLs and also comes up with an edthk.ini file. Cannot kill them on reboot either.
So I downloaded ComboFix; it cannot kill them either.
Here are two entries from the log that state deleted but still show up in HJT (see HJT log below):
C:\Program Files\Common Files\stem32~1\wuauboot.exe
C:\Program Files\Plus!\xuxeqoj.html
HijackThis v2 shows the following log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:02:11 AM, on 07/01/2001
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Kemper\Desktop\HiJackThis_v2.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\system32\byxvtur.dll
O2 - BHO: (no name) - {AC67670E-8FC2-420C-B5D4-6BAE3F13054C} - C:\WINDOWS\system32\khfde.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Kemper\Desktop\vundofix.exe"
O4 - HKCU\..\Run: [Dinhejbr] "C:\Documents and Settings\Kemper\My Documents\F?nts\w?auboot.exe"
O4 - HKCU\..\Run: [Mpcu] "C:\PROGRA~1\COMMON~1\STEM32~1\wuauboot.exe" -vt ndrv
O4 - HKUS\S-1-5-20\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: byxvtur - C:\WINDOWS\SYSTEM32\byxvtur.dll
O20 - Winlogon Notify: khfde - C:\WINDOWS\system32\khfde.dll
O20 - Winlogon Notify: wmvsnw - C:\WINDOWS\SYSTEM32\wmvsnw.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Plus!\xuxeqoj.html
--
End of file - 4019 bytes
I have tried to run Fix on the following files with no success:
O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\system32\byxvtur.dll
O2 - BHO: (no name) - {AC67670E-8FC2-420C-B5D4-6BAE3F13054C} - C:\WINDOWS\system32\khfde.dll
O20 - Winlogon Notify: byxvtur - C:\WINDOWS\SYSTEM32\byxvtur.dll
O20 - Winlogon Notify: khfde - C:\WINDOWS\system32\khfde.dll
O20 - Winlogon Notify: wmvsnw - C:\WINDOWS\SYSTEM32\wmvsnw.dll
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Plus!\xuxeqoj.html
Any additional information needed?
Please tell me what I am missing to rid myself of this plague before I have to replace the F8 key on my keyboard.........."If it bleeds, we can kill it"
Thanks in Advance.