Thread: Virtumonde and winlogon

  1. #1
    Junior Member
    Join Date: Dec 2008
    Posts: 1

    Virtumonde and winlogon

    I have a friend's laptop that needed help. It was a mess. I finally was able to install and run Spybot S&D. Following instructions, it got rid of all but two problems (Virtumonde). I ran an anti-virus program (Avira), which got rid of several problems, and now I can only log on in safe mode.

    Normally, I would just wipe the disk and reload XP, but my friend has software she paid for and no longer has the disks.

    Thanks in advance.

    Here's the hijackthis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:41:09 PM, on 12/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5000] command /c del "C:\Program Files\ASpyC\ASpyC.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD4484] cmd /c del "C:\Program Files\ASpyC\ASpyC.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8591] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD6017] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7398] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD1022] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB611] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2722] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB2977] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9002] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4097] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD707] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9072] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD3201] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB2056] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2861] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5266] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD1887] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB2040] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD809] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5351] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7856] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7756] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5857] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5981] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2066] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7341] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5731] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7207] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8983] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB705] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD9350] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB498] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD379] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3331] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD1285] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB4076] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2276] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB810] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD4275] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB8110] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD6474] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB2325] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD5416] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9800] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2820] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB3899] command /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7444] cmd /c del "C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB7665] command /c del "c:\resycled\boot.com"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD6783] cmd /c del "c:\resycled\boot.com"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB1129] command /c del "C:\WINDOWS\system32\kdfgt.exe"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD422] cmd /c del "C:\WINDOWS\system32\kdfgt.exe"
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E0D81775-BD8E-4854-8E4D-0A37CBBCA850}: NameServer = 208.67.220.220,208.67.222.222
    O20 - AppInit_DLLs: fkvryc.dll
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 11435 bytes
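
The HijackThis log above can be triaged mechanically; the parser below is an added example and not part of the original thread or of HijackThis itself. It picks out the entries a helper reads first (non-default IE start/search URLs, Spybot deletions still queued in RunOnce, an unrecognised Winsock LSP file, a populated AppInit_DLLs value); the sample lines are copied from the posted log, while the triage rules and the allowlist of default Microsoft hosts are my assumptions.

```python
import re

# Constructed sample in the shape of the HijackThis log posted above
# (a handful of its lines, including the ones worth a second look).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\RunOnce: [SpybotDeletingD422] cmd /c del "C:\WINDOWS\system32\kdfgt.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: fkvryc.dll
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"=\s*(?P<url>\S+)$")
DEL_RE = re.compile(r'\[SpybotDeleting\w+\]\s+(?:cmd|command) /c del "(?P<path>[^"]+)"')
# Assumed allowlist: hosts Windows XP / IE7 itself uses for default start and search pages.
DEFAULT_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

def parse(log):
    """Yield (code, body) for every HijackThis item line, skipping headers and process lists."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")

def triage(log):
    """Return the entries a helper would look at first, as (code, reason, value) tuples."""
    findings = []
    for code, body in parse(log):
        if code in ("R0", "R1", "R3") and (m := URL_RE.search(body)):
            host = re.sub(r"^https?://", "", m.group("url")).split("/")[0]
            if host not in DEFAULT_HOSTS:
                findings.append((code, "non-default IE start/search URL", host))
        elif code == "O4" and (m := DEL_RE.search(body)):
            # Spybot queued these deletions for the next logon; confirm they actually ran.
            findings.append((code, "pending Spybot deletion", m.group("path")))
        elif code == "O10":
            findings.append((code, "unrecognised Winsock LSP entry", body.split(":", 1)[-1].strip()))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that links user32.dll;
            # on a clean XP machine this value is normally empty.
            findings.append((code, "AppInit_DLLs set", body.split(":", 1)[1].strip()))
    return findings

if __name__ == "__main__":
    for code, reason, value in triage(SAMPLE_LOG):
        print(f"{code:4} {reason:34} {value}")
```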

  2. #2
    Emeritus-Security Expert
    Join Date: Nov 2005
    Location: Florida's SpaceCoast
    Posts: 15,208

    Hello NastyHabits

    Welcome to Safer Networking.

    Please read Before You Post
    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your personal data before starting any clean up procedure.

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply along with a New Hijackthis log.

    Now try booting into normal Windows and post the Malwarebytes log and new HJT log please.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
