Hey, Ive tried everything to get rid of virtumonde bu spybot s&d keeps bringing it up please help. Here is hijack this log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:38 AM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - C:\Program Files\Zune\ZuneNss.exe (file missing)

--
End of file - 1596 bytes

Hello mazumashi :)

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Please open this folder C:\Program Files\Trend Micro\HijackThis and once its open, right click on the HJT icon and rename it to Scanner.exe. Then post a new log, do it this way please as your current log does not look complete.


Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread.

Ty ken :) Here is that new log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56:53 PM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - C:\Program Files\Zune\ZuneNss.exe (file missing)

--
End of file - 1721 bytes

mazumashi,

There is something very odd about your log, its like bits and pieces are missing.

As far as this log, I see no Vundo infection present. By renaming HJT, if Vundo was present it would have showed up.


Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O18 - Filter hijack: text/html - (no CLSID) - (no file)


Lets try a different version of HJT and see what comes up. Rename it also to Scanner.exe

Hijackthis 1.99.1 (http://www.thespykiller.co.uk/files/HJTsetup.exe)
Its important that Hijackthis is installed in its own permanent folder for backup purposes.


Go to where you currently have HJT installed and delete the whole folder.
Use the link above to download HJT 1.99.1 setup to your desktop
Double Click on the Setup icon and by defaut it will unzip to C:\Program Files\Hijackthis

Thank you for your patience. This is what came up.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:57 PM, on 7/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\Notepad.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
O23 - Service: Zune Network Sharing Service (ZuneNetworkSvc) - Unknown owner - C:\Program Files\Zune\ZuneNss.exe (file missing)

--
End of file - 2200 bytes

Very strange. Ever since i fixed that one thing you told me to. Nothing is picking up signs on vundo anymore. Ty:eek:

Hello Again,

You still ran the Trendmicro version of HJT instead of the one I linked you too, but I think it really doesn't make any difference.

You should only have one firewall installed and I believe Windows One Care as most other Anti Virus programs will turn the windows firewall off by default.


You can read these links for Spybot, that may give you information related to the Windows Security Center. Always make sure Spybot is up to date before you run any scans.

You can post in one of these forums if you like to gain more info about Spybot and all the features it has.
http://forums.spybot.info/forumdisplay.php?f=3


These links are related to the Windows Security Center that will explain more about the Firewall Issue.

http://forums.spybot.info/showthread.php?t=250
http://www.safer-networking.org/en/faq/46.html

Here are some additional links to help keep you safe on the internet.

How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Glad things are better, if you feel you still have problems by all means post back.


Ken :)