
Virtumundo - Spyware - and Bears, oh my

Q: Virtumundo - Spyware - and Bears, oh my

Alright, no bears. I visited a website sent from a friend whose account was hijacked. Help! As soon as I clicked it I killed my Wi-Fi connection, but it was too late.

Symptoms:
- Random browser popups (IE) pointing to an IP address with a 404.
- SpyBot reveals Virtumundo, among others, but can't remove it, even upon reboot.
- Malware Bytes reveals same issue, but can't seem to remove it, even upon reboot.
- After running above, I get RunDLL errors, where it claims that a dll is not a valid windows image. Incidentally, that dll was itemized by Spybot.
- Upon reboot, I tend to have to repeat the above.

What I've done:
- SpyBot, with latest updates
- Malware Bytes, with latest updates
- ComboFix - one run, with reboot.

See ComboFix log below:

ComboFix 09-05-31.06 - steven.landers 2009-06-01 14:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2883 [GMT -4:00]
Running from: c:\documents and settings\Steven.Landers\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\documents and settings\NetworkService\Application Data\qqlhgjmm
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\profiles.ini
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\cert8.db
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\key3.db
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\prefs.js
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\secmod.db
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\qqlhgjmm\Profiles\950ehnra.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\qqlhgjmm
c:\documents and settings\NetworkService\Local Settings\Application Data\qqlhgjmm\Profiles\950ehnra.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\qqlhgjmm\Profiles\950ehnra.default\XPC.mfl
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\profiles.ini
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\cert8.db
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\compatibility.ini
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\compreg.dat
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\cookies.sqlite
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\formhistory.sqlite
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\key3.db
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\localstore.rdf
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\permissions.sqlite
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\places.sqlite-journal
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\places.sqlite
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\pluginreg.dat
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\prefs.js
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\secmod.db
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\webappsstore.sqlite
c:\documents and settings\Steven.Landers\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\xpti.dat
c:\documents and settings\Steven.Landers\Local Settings\Application Data\qqlhgjmm
c:\documents and settings\Steven.Landers\Local Settings\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\urlclassifier3.sqlite
c:\documents and settings\Steven.Landers\Local Settings\Application Data\qqlhgjmm\Profiles\x7hvqpgv.default\XPC.mfl
c:\windows\9g2234wesdf3dfgjf23
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\fhtyuodp.sys
c:\windows\system32\drivers\jeduuvox.sys
c:\windows\system32\ixwfouba.dll
c:\windows\system32\prsgrc.dll
c:\windows\system32\yxzzhqy.dll
c:\windows\system32\zqrfzxz.dll
c:\windows\Tasks\At1.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FHTYUODP
-------\Legacy_VSAWFQHL
-------\Service_fhtyuodp
-------\Service_vsawfqhl

((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.
2009-06-01 13:33 . 2008-11-07 21:58 223232 ----a-w- c:\windows\system32\sqlite3.dll
2009-06-01 13:33 . 2008-11-06 20:04 20480 ----a-w- c:\windows\system32\SysRestore.dll
2009-06-01 13:33 . 2008-11-06 20:04 36864 ----a-w- c:\windows\system32\ascbalon.dll
2009-06-01 13:33 . 2009-04-02 19:55 217088 ----a-w- c:\windows\system32\ConTest.dll
2009-06-01 13:33 . 2008-11-07 21:58 86016 ----a-w- c:\windows\system32\SQLiteWrapper.dll
2009-05-24 15:42 . 2009-05-24 15:42 -------- d-----w- C:\tremor
2009-05-24 05:07 . 2009-05-30 17:43 -------- d-----w- C:\quarantine
2009-05-23 19:00 . 2009-05-23 19:00 -------- d-----w- C:\pics
2009-05-23 11:07 . 2009-05-23 11:07 2 ---h--w- c:\windows\sonce122730.dat
2009-05-22 19:33 . 2009-05-22 19:33 -------- d-----w- C:\Inetpub
2009-05-15 03:56 . 2009-05-15 03:56 -------- d-----w- C:\AOTS
2009-05-14 18:07 . 2009-05-14 18:07 -------- d-----w- c:\program files\Microsoft
2009-05-12 16:27 . 2009-05-12 16:27 -------- d-----w- c:\program files\remedy701
2009-05-12 16:27 . 2009-05-12 16:27 -------- d-----w- c:\program files\Business Objects
2009-05-12 16:27 . 2009-05-12 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\AOTS
2009-05-08 20:37 . 2009-05-08 20:38 -------- d-----w- C:\scwcd
2009-05-04 19:15 . 2009-05-04 19:15 -------- d-----w- C:\encrypter
2009-05-04 16:53 . 2009-05-04 16:41 42526 ----a-w- C:\dict_en_16.bin
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 18:14 . 2009-01-22 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-06-01 18:14 . 2009-01-23 14:26 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-06-01 16:20 . 2005-08-30 17:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-30 17:41 . 2007-10-16 19:56 130720 -c--a-w- c:\windows\system32\nvModes.dat
2009-05-29 02:21 . 2008-10-31 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-28 18:43 . 2005-08-30 19:23 -------- d-----w- c:\program files\Google
2009-05-27 20:42 . 2008-11-10 15:21 -------- d-----w- c:\program files\AT&T Global Network Client
2009-05-27 20:14 . 2008-03-11 16:52 -------- d-----w- c:\documents and settings\Steven.Landers\Application Data\FileZilla
2009-05-26 01:15 . 2008-07-29 19:30 -------- d-----w- c:\documents and settings\Steven.Landers\Application Data\OpenOffice.org2
2009-05-26 01:15 . 2008-11-01 17:53 -------- d-----w- c:\documents and settings\Steven.Landers\Application Data\StarOffice8
2009-05-26 01:14 . 2009-01-23 14:30 -------- d-----w- c:\documents and settings\Steven.Landers\Application Data\VMware
2009-05-25 22:35 . 2008-12-24 05:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-25 22:33 . 2009-01-06 05:37 2967799 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-23 12:01 . 2008-10-29 20:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-13 18:01 . 2009-04-24 16:11 -------- d-----w- c:\program files\StarWarsGalaxies
2009-05-12 16:35 . 2008-03-05 20:28 55944 ----a-w- c:\documents and settings\Steven.Landers\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 16:28 . 2008-11-11 14:10 -------- d--h--w- c:\program files\SELFHEAL
2009-05-12 16:27 . 2008-04-15 18:11 -------- d-----w- c:\program files\Common Files\Business Objects
2009-05-07 05:19 . 2008-12-19 17:02 -------- d-----w- c:\program files\AutoIt3
2009-05-06 19:43 . 2008-11-01 17:54 1 ----a-w- c:\documents and settings\Steven.Landers\Application Data\StarOffice8\user\uno_packages\cache\stamp.sys
2009-05-04 19:33 . 2007-12-13 14:11 -------- d-----w- c:\program files\eclipse
2009-04-24 16:11 . 2009-04-24 16:11 -------- d-----w- c:\program files\Sony
2009-04-22 17:04 . 2009-04-22 17:04 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-04-20 13:56 . 2008-10-30 14:13 -------- d-----w- c:\program files\Mozilla Firefox 1.5
2009-04-15 18:47 . 2009-04-15 18:47 -------- d-----w- c:\program files\Common Files\HP
2009-04-15 18:09 . 2009-04-15 18:09 -------- d-----w- c:\documents and settings\cleavon.edney\Application Data\Subversion
2009-04-15 18:08 . 2009-04-15 18:08 -------- d-----w- c:\documents and settings\cleavon.edney\Application Data\VMware
2009-04-10 07:03 . 2009-03-04 02:02 1392304 ----a-w- c:\windows\system32\AutoPartNt.exe
2009-04-09 21:05 . 2009-04-09 21:05 390664 ----a-w- c:\documents and settings\Steven.Landers\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-04-06 19:32 . 2008-12-24 05:13 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-24 05:13 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-10-31 20:35 . 2008-10-31 20:35 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-04-24 00:59 . 2008-04-24 00:59 44360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-04-24 00:59 . 2008-04-24 00:59 107928 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2007-06-21 22:38 . 2007-06-21 22:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 22:38 . 2007-06-21 22:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 22:38 . 2007-06-21 22:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 22:38 . 2007-06-21 22:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 22:39 . 2007-06-21 22:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 22:39 . 2007-06-21 22:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 22:39 . 2007-06-21 22:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 22:39 . 2007-06-21 22:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 22:40 . 2007-06-21 22:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 16:35 536576 ----a-w- c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHEALTH\HELPCTR\Binaries\msconfig.exe" [2008-04-14 169984]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-02 1392640]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-28 8429568]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2007-04-28 81920]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
c:\documents and settings\cleavon.edney\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
c:\documents and settings\sipman\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"GreyMSIAds"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2007-02-12 46080]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Global Network Client (Set auto-proxy).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Global Network Client (Set auto-proxy).lnk
backup=c:\windows\pss\AT&T Global Network Client (Set auto-proxy).lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AT&T Global Network Client Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AT&T Global Network Client Monitor.lnk
backup=c:\windows\pss\AT&T Global Network Client Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steven.Landers^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Steven.Landers\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steven.Landers^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Steven.Landers\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Steven.Landers^Start Menu^Programs^Startup^StarOffice 8.lnk]
path=c:\documents and settings\Steven.Landers\Start Menu\Programs\Startup\StarOffice 8.lnk
backup=c:\windows\pss\StarOffice 8.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\java.exe"=
"c:\\WTK2.5.2\\bin\\emulator.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Mercury Interactive\\QuickTest Professional\\bin\\AQTRmtAgent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\AT&T Global Network Client\NetClient.exe"= c:\program files\AT&T Global Network Client\NetClient.exe:10.0.0.0/255.0.0.0,32.70.1.0/255.255.255.0,130.1.0.0/255.255.0.0,130.2.0.0/255.254.0.0,135.0.0.0/255.0.0.0,192.20.0.0/255.255.0.0,192.128.0.0/255.255.0.0,192.151.83.0/255.255.255.0,192.205.0.0/255.255.0.0,192.206.169.0/255.255.255.0,204.159.0.0/255.255.0.0,206.121.250.0/255.255.255.0,206.121.253.0/255.255.255.0:Enabled:AT&T Global Network Client
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"135:TCP"= 135:TCP:DCOM
"8316:TCP"= 8316:TCP:@xpsp2res.dll,-22009

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-08-30 58464]
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [2007-12-27 64160]
R1 NEOFLTR_620_13525;Juniper Networks TDI Filter Driver (NEOFLTR_620_13525);c:\windows\system32\drivers\NEOFLTR_620_13525.sys [2008-08-28 64480]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-03-26 40928]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-03-26 27776]
R2 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [2008-11-10 19328]
R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [2008-01-18 24635]
R2 GDLicenseService;GDLicenseService;c:\program files\guidancer\licenseserver\GDLicenseService.exe [2009-01-28 153088]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2008-08-21 11107]
R3 ABVPN2K;AGN VPN Client Miniport Interface;c:\windows\system32\drivers\abvpn2k.sys [2008-11-10 164480]
R3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\drivers\avpnnic.sys [2003-04-04 13952]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-01 26624]
S1 Start1Driver;Start1Driver; [x]
S2 gupdate1c909f7658e26f0;Google Update Service (gupdate1c909f7658e26f0);c:\program files\Google\Update\GoogleUpdate.exe [2008-08-29 133104]
S2 Start2Driver;Start2Driver; [x]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-10-31 29744]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-06-07 80384]
S3 IRNVPN;Indus River Networks VPN Adapter;c:\windows\system32\DRIVERS\irndis.sys --> c:\windows\system32\DRIVERS\irndis.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-04-12 21:07]

2009-06-01 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-08-29 13:19]

2009-06-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-1383384898-1801674531-154959.job
- c:\documents and settings\Steven.Landers\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 13:19]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0590570D-4128-41F0-B9AB-2FFD303A5AEb} - c:\windows\system32\ixwfouba.dll
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ams.com\gemini
Trusted Zone: att.com\crmdev15a00.mt
Trusted Zone: landersland.net\www
Handler: qcom - {B8DBD265-42C3-43e6-B439-E968C71984C6} - c:\progra~1\COMMON~1\QUESTS~1\CODEXP~1\qcom.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} - hxxp://gemini.ams.com/projectserver/objects/pjclient.cab
DPF: {6030FA86-6D7D-44C0-8A24-A0E76FD95F23} - hxxp://crmdev15a00.mt.att.com:4780/ecrmsso/19237/applets/SiebelAx_iHelp.cab
DPF: {60CD4076-F4B6-4F8B-AF3E-61B200346DD9} - hxxp://crmdev15a00.mt.att.com:4780/ecrmsso/19237/applets/SiebelAx_HI_Client.cab
DPF: {973716A6-50C0-4A08-996A-3F8D0D67BF07} - hxxp://crmdev15a00.mt.att.com:4780/ecrmsso/19237/applets/SiebelAx_Test_Automation.cab
DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - hxxp://cnnp1qamerc1.turner.com/qcbin/Spider90.ocx
DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} - hxxp://gemini.ams.com/projectserver/objects/1033/pjcintl.cab
DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} - hxxp://quality-center.sbc.com/qcbin/Spider91.cab
FF - ProfilePath - c:\documents and settings\Steven.Landers\Application Data\Mozilla\Firefox\Profiles\fbg92nlb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\documents and settings\Steven.Landers\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppl3260.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nprjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 14:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{286D4131-3821-6CBF-08770360589374C2}\{48BEB065-0DEC-1314-6E019AD5B66531AE}\{E2D4EA90-E228-BF00-D20DE2AD05099BA2}*]
"S132G1JWDGAFB6YEZBFNA2R1DE1"=hex:01,00,01,00,00,00,00,00,77,ea,db,ea,e0,ab,aa, dc,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2E507E2F-8DE2-B600-388E74CEB17F3DFF}\{1B0F221A-E59F-0B42-732631A91276FA51}\{D15813DF-5A02-67D8-CCD20FCB931DE0AB}*]
"S132G1JWDGAFB6YEZBFNA2R1DE1"=hex:01,00,01,00,00,00,00,00,77,ea,db,ea,e0,ab,aa, dc,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{91FA78BC-641E-4329-C41B32C9E0F96EA6}\{25E342AA-73A9-1FC4-4AC5C50BDBE96017}\{04863130-DE8E-7A09-D0B765EBFF2273E8}*]
"KRDKUCCVFN25ONBVQO5A2KJGQH1"=hex:01,00,01,00,00,00,00,00,86,03,b8,af,b7,c1,db, b3,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{945169D7-C27E-315B-97A3E6913A1C7622}\{06C63AB7-5C18-FA8E-E5D32118C99A5B59}\{F7BD6AFF-A45B-6FB8-BB91AB79C0A3DA53}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,6e,e0,15, e0,a1,3b,ae,96,88,68,e4,41,69,30,6d,e3,0e,86,3f,44,ff,be,9b,0f,fb,df,84,dd,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DD7439DE-8878-D698-3C485D80ADEA187F}\{BE3DFA66-365B-5E4A-7917DE6528C06D4A}\{FEBDC4E7-2EEE-D959-80681B5DE578BC2D}*]
"S132G1JWDGAFB6YEZBFNA2R1DE1"=hex:01,00,01,00,00,00,00,00,77,ea,db,ea,e0,ab,aa, dc,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\NetGina.dll
c:\program files\AT&T Global Network Client\NetClient.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3192)
c:\program files\TortoiseSVN\bin\tortoisesvn.dll
c:\program files\TortoiseSVN\bin\intl3_svn.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\scardsvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\progra~1\AT&TGL~1\NetCfgSv.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\SigmaTel\C-Major Audio\WDM\stacsv.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\system32\vmnat.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-01 14:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-01 18:26
ComboFix2.txt 2008-12-24 07:32

Pre-Run: 253,327,163,392 bytes free
Post-Run: 257,298,198,528 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
399 --- E O F --- 2009-02-20 22:00

See anything? Let me know. I can run other things (Hijack this, etc...) upon request.

Thanks,
Steven
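An added example, not part of Steven's post and not ComboFix's own code: the log above reports deleted files, the Legacy_*/Service_* registrations it removed, the R*/S* service table and the orphaned BHO in separate places, and reading them together is what tells a responder whether a removed driver was a registered service, whether a registration survived without its file, and which autostart entries pointed at nothing. The Python below parses a constructed excerpt in ComboFix's layout (entries copied from this log, not the whole log) and performs that correlation; the section-header and row formats are inferred from the log as posted.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout ComboFix uses. The entries are copied from
# the log posted above; this is a subset, not the full log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\fhtyuodp.sys
c:\windows\system32\drivers\jeduuvox.sys
c:\windows\system32\ixwfouba.dll
c:\windows\system32\prsgrc.dll
c:\windows\Tasks\At1.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FHTYUODP
-------\Legacy_VSAWFQHL
-------\Service_fhtyuodp
-------\Service_vsawfqhl
.
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-03-26 40928]
S1 Start1Driver;Start1Driver; [x]
S2 Start2Driver;Start2Driver; [x]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0590570D-4128-41F0-B9AB-2FFD303A5AEb} - c:\windows\system32\ixwfouba.dll
"""

# Line shapes inferred from the posted log.
SECTION_RE = re.compile(r"^\(+ (.+?) \)+$")                   # (((( Name ))))
REG_SVC_RE = re.compile(r"^-+\\(Legacy|Service)_(\w+)$")       # -------\Service_x
SVC_ROW_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")    # R1 name;desc;image
ORPHAN_BHO_RE = re.compile(r"^BHO-\{[0-9A-Fa-f-]+\} - (.+)$")  # BHO-{clsid} - dll


def parse_combofix(text):
    """Collect the four pieces the correlation needs in one pass over the log."""
    deleted = []                       # paths under "Other Deletions" (lowercased)
    registrations = defaultdict(set)   # service stem -> {"Legacy", "Service"}
    missing_image = []                 # services whose image column is "[x]"
    orphan_bhos = []                   # DLL paths of removed BHO orphans
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Other Deletions" and line.lower().startswith("c:\\"):
            deleted.append(line.lower())
            continue
        m = REG_SVC_RE.match(line)
        if m:
            registrations[m.group(2).lower()].add(m.group(1))
            continue
        m = SVC_ROW_RE.match(line)
        if m:
            if m.group(4).strip() == "[x]":
                missing_image.append(m.group(2))
            continue
        m = ORPHAN_BHO_RE.match(line)
        if m:
            orphan_bhos.append(m.group(1).lower())
    return deleted, registrations, missing_image, orphan_bhos


def correlate(text):
    """Cross-reference deleted drivers, service registrations and orphans."""
    deleted, registrations, missing_image, orphan_bhos = parse_combofix(text)
    # A driver's service name is its file stem: fhtyuodp.sys <-> Service_fhtyuodp.
    driver_stems = {p.rsplit("\\", 1)[-1][:-4] for p in deleted if p.endswith(".sys")}
    return {
        "driver_with_service": sorted(s for s in driver_stems if s in registrations),
        "driver_without_service": sorted(s for s in driver_stems if s not in registrations),
        "service_without_file": sorted(s for s in registrations if s not in driver_stems),
        "missing_image": missing_image,
        "orphan_bho_deleted": [p for p in orphan_bhos if p in deleted],
        "orphan_bho_still_present": [p for p in orphan_bhos if p not in deleted],
    }


if __name__ == "__main__":
    for kind, items in correlate(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

Run stand-alone it prints the findings for the excerpt: fhtyuodp.sys is paired with its Service_ and Legacy_ entries, jeduuvox.sys had no registration at all, vsawfqhl is a registration with no file in the deletions list (the file was either already gone or never visible to the scan), Start1Driver and Start2Driver are services whose image path ComboFix printed as [x], and the orphaned BHO pointed at a DLL that appears in the deletions. None of these signals is a verdict on its own; the value is in seeing them side by side rather than scrolling between sections.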


A: Virtumundo - Spyware - and Bears, oh my

ComboFix logs should not be posted or discussed outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic in the Am I Infected forum: http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/

Explain the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results. If needed, we will direct you to our HJT Preparation Guide.

This topic is now closed.

The BC Staff


Hello,

Sorry about this but I have no clue how to fix my computer. I have some spyware/trojan on my computer. I've run the Vundo and VirtuMundoBeGone free removal tools that I found on this site. Also, I have Trend Micro Antivirus Software that is up to date, but it cannot remove the program(s). The pop-ups have stopped but it is still running a lot of programs that I have been turning off through Task Manager. They're not on the log, because I stopped them to run the HiJackThis tool. Some of the programs are:
ctfmon.exe
svchost.exe
spool32.exe
MDM.exe
and there is one that pops up right before another process would turn on and it starts with vic (I think something like that). I'm posting the log and also the VirtuMundoBeGone log. Thanks a lot for all of your help.
-JP

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:03 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\... Read more

A:Believe I Have A Virtumundo Trojan Or Other Spyware

Hello jpcan,

We will run ComboFix. You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

You need to disable your Trend Micro Antivirus and Spybot TeaTimer before running ComboFix, as they will prevent it from running.

To disable Spybot's TeaTimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts

Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT

Post the ComboFix log.


I'm running Windows XP, and yesterday my computer started running pretty slow, and my IE started crashing. If I have more than one browser window open at once, I get a windows message that says IE has experienced a problem and needs to be shutdown.

I ran Housecall, and it found TROJ.DLOADER.JU (which it said was non cleanable, but also said it deleted the entire file)... the file was c:\counter.cab*counter.exe*

I ran Adaware, and it comes back with 4 critical files, under VirtuMundo

I ran Spybot, and it finds ATLEvents.ATLEvents

I ran Norton, and it found
backup-20041119-155257-111.dll
catinfo.exe
ofnitac.dat
The backup one was deleted, but ofnitac.dat and catinfo.exe were both unable to be deleted.

I've almost torn out all my hair, and have resorted to banging my head onto my desk repeatedly, so any help you can offer would be greatly appreciated.

Thank you in advance!
Amber
 

A:Spyware/Virus problems (catinfo and virtumundo mostly)


Hi Friends,
Today while browsing some site, suddenly I got a pop-up message by Spyware Terminator which unknowingly I clicked as allow, and then suddenly there were numerous pop-ups, which I blocked as I found the names to be unknown. Later on it (Spyware Terminator) was continuously showing as blocked c\windows/system32/bubefiya along with some other names in the blocked list such as NEVOREFA.dll. All infections which are blocked are via the path C:\windows\system32\ THE INFECTION NAME, and also the CPU usage shown is nearly 60% and above. I tried with the Avast antivirus 7.5 version that I use, but was unable to detect and remove the infection.
Can you expert guys please help me resolve this problem ASAP.

Thanks in advance

Tejas

attached below is the log of DDS file

DDS (Ver_09-01-07.01) - NTFSx86
Run by Administrator at 14:45:43.84 on Sat 01/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.189 [GMT 5.5:30]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\... Read more

A:attacked by Virtumundo & a spyware named BUBEFIYA .DLL& nEVOREFA.DLL

You are currently receiving help here:http://www.malwarebytes.org/forums/index.p...amp;#entry48712You have also posted your log here:http://malwareremoval.com/forum/viewtopic....=11&t=38940While we appreciate that you very likely posted at multiple forums in order to ensure a response, that only serves to tie up the time of multiple helpers who could be using that time to help someone else who also has problems. Although there are many forums that handle HijackThis logs, there are not so many helpers; most of us help out at several forums. In addition, the results may not work out so well when you're following different instructions from different helpers. They may suggest different approaches for the same problem, all of which may be good; however, system conflicts may arise if different fixes for the same problem are applied simultaneously. In the future, for your sake as well as ours, please refrain from requesting help from multiple forums. Choose one, and stick with that one until they've resolved your problem.


My Spyware Doctor found a Virtumonde infection, so what I did is do a VundoFix scan and it said it found nothing. The next thing I did was run Virtumundo Be Gone and eventually found the infection (I ran the program in safe mode), and then I read the vgb.txt file that I produced. It said that it found Vundo and removed it. To verify this, I ran it again in normal mode and it said that it found nothing. The next thing I did again was run a Spyware Doctor scan, but to my surprise it prompted me again that I was infected with Vundo. I checked HJT and found no O2 and O20 dll files, which is a sign of the infection. After that I did nothing because I wanted to seek help with you guys. Thanks...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:48 PM, on 6/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software&... Read more

A:Virtumundo Infection Not Found By Vundofix And Vgb But Foundby Spyware Doctor

Hello Gian0819 and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Under Browsing History, click Delete.
Click Delete Files, Delete cookies and Delete history
Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu.
Click the Clear now button below. A new window will popup what to clear.
Select all and click the Clear button again.
Click OK to close the Options window

* Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

2. Please download Malwarebytes' Anti-Malware from Here or Here
Doubleclick mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is complete... Read more


Helping a friend with an infection of his desktop.  It has lots of viruses.  Attached is the logs from my most recent scans in Safe Mode.  Scans are coming up clean but I don't trust it.  What should I do next?
 
Automated Cleanup Engine
Starting Cleanup at 02/05/2015 - 21:19:25 GMT
 
Starting Routine> Removing c:\windows\apppatch\apppatch64\vcldr64.dll...#(PX5: E4B272B01063651C3B4804FD469D2C00ADF24910 - MD5: B6C1C50ADBE12000B62866D662A24230)...
Deleting File> c:\windows\apppatch\apppatch64\vcldr64.dll
Starting Routine> Removing c:\program files (x86)\cinemaplus-3.2cv24.04\utils.exe...#(PX5: B8B3A8A5EEE14F4D04211B2C27945E00FB44C658 - MD5: CC95BCFC967B1E5097038AD1B94AE09C)...
Deleting File> c:\program files (x86)\cinemaplus-3.2cv24.04\utils.exe
Starting Routine> Removing c:\users\shadowreaperx2\appdata\local\temp\nsi65e0.tmp...#(PX5: 7BDC821BE6ADC4FA1A5301EF10ECCF0015E16639 - MD5: 41FF7A7A605DB143C289655232FED377)...
Deleting File> c:\users\shadowreaperx2\appdata\local\temp\nsi65e0.tmp
Deleting File> C:\Users\ShadowReaperX2\AppData\Local\Temp\nsw9370.tmp
Deleting File> C:\Users\SHADOW~1\AppData\Local\Temp\nsg92C3.tmp
Deleting File> C:\Users\SHADOW~1\AppData\Local\Temp\nsg92C3.tmp
Starting Routine> Removing c:\users\shadowreaperx2\appdata\local\temp\nsr9610.tmp...#(PX5: 51158FEF2E7002E2652204E1AAC5D900FED317EC - MD5: E56E2D0E9996AFA45F6D0A72294604D8)...
Deleting File> c:\users\shadowreaperx2\appdata\local\temp\nsr96... Read more

A:Lions, viruses and bears...oh my!

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
List Restore Points
Click Go and post the result.

Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.
Double-click ... Read more


Hello all,

So I'll get right down to the pertinent details and try to be as clear and concise as I can.

This is the first computer I have attempted to build on my own without semi-professional help. I bought all the parts and assembled them, and through much toil, sweat, and troubleshooting, my creation came to life. (I got Windows 7 installed and booting.)

I have had what I believe to be several separate issues that I have resolved one at a time, until this last and glaring problem of random restarts. I will be playing a game, or doing some other task on the computer and the screen will black for an instant and then present me with multicolored scrambles and the audio will stutter on a loop of the last sound. (duration ~.3 sec) The computer will then reboot.

I do have auto restarts disabled, but it usually does not present a blue screen or create a minidump. I have gotten to a blue screen occasionally and gotten a dump out of it and they are attached. All I get out of the Event Viewer is Kernel Error 41 bugcheckcode 0.

Let me tell you what I have done:

Made sure all of my drivers were up to date. (using driver cleaners to make sure the old ones were out)
Up to date BIOS.
Disabled the AMD power save equivalent on the processor. (Cool&Quiet, I think) I had heard this could sometimes cause trouble.
Scanned for viruses and malware.
Ran the memory through 20 memtest extensive cycles, no errors.
Ran checkdisk several times, no problems.
Ran sfc ... Read more

A:Restarts and crashes and bears, oh my

I have no clue but if I had no guess I'd say it's your video card. Do you have any secondary sets of hardware to test with?



Baylor has suspended all football-related activities, saying it needs to evaluate recent positive tests for COVID-19 and perform contact tracing.
The Bears have a bye week, but their homecoming game is planned for Oct. 17 in Waco, Texas.
"We are taking all possible precautions and our focus remains playing the scheduled game with Oklahoma State at McLane Stadium," Baylor athletic director Mack B. Rhoades said.
Baylor previously had to postpone its game against Houston on Sept. 19 after Baylor did not meet the Big 12 Conference COVID-19 thresholds for playing. One of Baylor's position groups did not meet the thresholds for competition, sources said.
The Bears are 1-1 after a win over Kansas on Sept. 26 and a 27-21 loss to West Virginia on Oct. 3


I have gone through all the steps that a person was having. The only problem I am having now is getting rid of the red box and virus. I have tried running a few different programs including HijackThis, I ran trendmicro.com (HouseCall), I ran a number of different removal tools and finding tools such as virtumundob and Malwarebytes, Spybot Search and Destroy, but now I can't run any of the programs. The stage I am back to is the red circle with the white X in the sys tray. If someone can tell me a way to get rid of this annoying adware, spyware or whatever you like to call it I would be gratefully appreciative.

Thanks
pete

A:I Cant Get Rid Off Virtumundo

Please print out and follow the instructions for using "Vundofix". -- If using Windows Vista be sure to Run As Administrator.
Click the Scan for Vundo button.
Once it's done scanning, click the 'Fix Vundo' button.
After running VundoFix, a text file named vundofix.txt will automatically be saved to the root of the system drive, usually at C:\vundofix.txt.
Please copy & paste the contents of that text file into your next reply.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Please download and install SUPERAntiSpyware Free
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
Under the "Configuration and Preferences", click the Preferences... button.
Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate me... Read more


Hey, I have done the HijackThis log, which is included at the end of this. We have had to turn off the Windows firewall because it would not allow us to connect to the internet (long story). We do have Norton installed and updated. This Windows warning window popped up last night. When we did the scan for Norton it found four, but when I told it to delete and did another scan it was still there. We did the VundoFix; it did not find anything, but that window is still on my computer screen instead of the normal wallpaper. What have we gotten now? Thanks for any help.

O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\C... Read more

A:Is This Virtumundo Or Something Else?

Hello bailie28

Welcome to the Bleeping Computer Malware Removal Forum. Sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to. If you have not resolved your issue and still need assistance, post a new HJT log please as your system may have changed since your original post.

If you don't have the latest version of HijackThis you can install and run it from here; I need to see the entire HijackThis log.
Download Trend Micro's HijackThis to your desktop.
Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
Open HJT, Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit > Select All..... Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


Hello, Symantec Endpoint Protection keeps popping up with "Virtumundo activity detected". I scanned my computer with Symantec Endpoint Protection and it found nothing! I then scanned my computer with Spybot Search & Destroy, which found Virtumundo. I then had Spybot Search & Destroy fix the exploit; however, each time that I re-boot my computer and scan with Spybot Search & Destroy it finds Virtumundo again. This has happened six or seven times today.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17:24, on 07.06.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files... Read more

A:Virtumundo

Hello Zulu1959,

C:\Downloads\dss.exe
Please delete the dss.exe you have in your downloads folder. I need to have dss.exe installed on your desktop.

Please download Deckard's System Scanner (DSS) from one of the links below and save to your Desktop.
Primary Mirror
Secondary Mirror

DSS will do the following:
1. Create a new System Restore point in Windows XP and Vista.
2. Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
3. Check some important areas of your system and produce a report for an analyst to review.
4. Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

Note: You must be logged onto an account with administrator privileges when using Deckard's System Scanner.

1. Close all applications and windows.
2. Double-click on dss.exe to run it and follow the prompts.
3. If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
4. When the scan is complete, two text files will open in Notepad:
main.txt <-- Will be maximized
extra.txt <-- Will be minimized
5. If not, they both can be found in the C:\Deckard\System Scanner folder.
6. Please copy (<Control>+C) and paste (<Control>+V) the contents of main.txt and extra.txt in your next reply.

Note: When r... Read more


My AVG AS detects this "Adware.virtumonde" and restarts after the scan to delete it but it never gets rid of it. What should I do?

Logfile of HijackThis v1.99.1
Scan saved at 3:00:58 PM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital I... Read more

A:i got virtumundo

My computer is constantly getting infected with viruses and I think it may be causing my computer to crash very often. Any help with this would be VERY VERY much appreciated. I posted one of these the other day but I have since been infected with 3 other viruses...


Thanks!!

Logfile of HijackThis v1.99.1
Scan saved at 1:26:06 AM, on 4/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LClock\LClock.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware ... Read more


Logfile of HijackThis v1.99.1
Scan saved at 11:06:23 AM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\hpb2ksrv.exe
C:\WINDOWS\system32\hpbhksrv.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1136475886\ee\AOLSoftware.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\hpnra.exe
C:\WINDOWS\system32\hpstatus.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\common files\aol\1136475886\ee\aim6.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\HPBSPSVR.EXE
C:\WINDOWS\system32\HPBJDSNT.EXE
C:\Program Files\Outlook Express\msi... Read more

A:Virtumundo

Hi Welcome to TSG!!

I've moved your post to a thread of your own, please reply to this thread.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

 


Having problems deleting Virtumundo. Read previous post and tried running KillVundo.bat, but it could not find HijackThis. I could not run it manually because I could not run any programs in Safe Mode after running KillVundo.bat; neither my desktop items nor my StartUp Menu were available.

Logfile of HijackThis v1.99.1
Scan saved at 9:45:10 PM, on 10/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printe... Read more

A:Virtumundo


Hi, I have been bugged by the irritating pop up regarding Virtumundo for days. Tried all sorts of ways to remove it but to no avail. I have my HJT log below. Kindly help me please .... Thanks!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 00:27:03, on 27 Apr 2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32... Read more

A:I am hit by Virtumundo! Help pls...

Welcome to TSG

Can you please download this version of H/T

Click here to download HJTsetup.exe: http://www.thespykiller.co.uk/files/HJTSetup.exe
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

It will possibly show other issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 


Thanks for the help!

win xp nod32 spyware doctor

Logfile of HijackThis v1.99.1
Scan saved at 14:46:00, on 27/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Easy-Hide-IP\services\EasyHideIp.exe
C:\Program Files\Easy-Hide-IP\services\EasyHideIP-Server2\Easy-Hide-IPS2.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Easy-Hide-IP\services\EasyHideIP-Server1\EasyHideIP-Server1.exe
C:\Program Files\Easy-Hide-IP\services\EasyHideIP-Server2\EasyHideIP-Server2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\syste... Read more

A:help virtumundo

help me please

Deckard's System Scanner v20071014.68
Run by Admin on 2008-02-28 02:14:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-02-28 10:15:01 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-02-27 23:42:04 UTC - RP1 - Punto de control del sistema


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Admin.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-02-28 02:17:07
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.20627)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C... Read more


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:37 PM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Java\... Read more

A:virtumundo ?

Sorry, I really did not mean to bump/spam but I wanted to add extra details...
I have uploaded both text files, the info and log generated by the RSIT program that you guys have in the pinned topics... I also did an online scan with the Kaspersky anti virus online scan and it did not find any threats; my AVG didn't find any threats.... S S&D doesn't find anything but my browser still doesn't work properly. Safe mode doesn't work properly... it seems to reboot when I'm in safe mode... HELP PLEASE


Hi,
I recently removed a few viruses and a whole bunch of malware from a friend's computer. But now, every time I reboot the machine (XP Home), Ad-Aware keeps finding Virtumundo registry keys in HKEY_CLASSES_ROOT:
HKEY_CLASSES_ROOT:ATLEvents.ATLEvents.1\
HKEY_CLASSES_ROOT:ATLEvents.ATLEvents.1""
HKEY_CLASSES_ROOT:ATLEvents.ATLEvents\
HKEY_CLASSES_ROOT:ATLEvents.ATLEvents""
I've removed the keys with Ad-Aware as well as deleting them from the registry manually, but they keep appearing in the registry after rebooting. I've also used Spybot S&D with the same results. Any ideas??? Help, PLEASE!!!
 

A:Virtumundo


This started like three days ago: my Windows security alerts kept going off and saying that my automatic updates were turned off, and when I try to turn them back on it doesn't work. Also, when I browse on IE or Firefox, random spyware pages pop up and sometimes close the browser. Can someone help me with this problem please?


Here's my HijackThis log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:51 PM, on 10/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:... Read more

A:Help getting rid of virtumundo please.

Hello and welcome to TSF
Download RSIT by random/random and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

=========
Logs Required
log.txt
info.txt

If there is no response to this post within 72hrs, this thread will be closed.


Hi,

I just got an infected laptop from my sister. She claims her explorer isn't working properly, and there are slow downs and such things. She's running Vista 32bit

Now, I did a lot of scans and cleaning... All with the latest definitions of course

I did a NOD32 scan... Came out with some viruses, but is now clean

I then did Spybot search and destroy. It only found the virtumonde virus, which couldn't be deleted... I then used a program to delete the virtumonde virus, but the program says it isn't there. LOG

then I ran Malwarebytes - Antimalware
It also gave a lot of trash LOG
I ran it again LOG
And one last scan LOG
Finally clean!!!

I then ran Ad Aware
First time LOG
Second time LOG


I posted this on another forum, and they told me to run Combofix then post the log and post a hijackthis log..... I did that but got no more replies for over 3 days now, and it's pretty urgent since I'm going on holidays and my sister needs her laptop

Combofix LOG

I then finally ran Hijackthis
LOG


Upon PC startup I get this dll error, which is also malware if I read the net
Pic

So, what more do I have to do??

thx in advance, Hope this post is complete


I have had SO many problems with this virus. In all I have tried 12 different programs including: Panda, House Call, Bit Defender, Spy Bot, Ad-Aware, AVG anti-virus, Virtumondobegone, Vundo fix, Zone Alarm, Avira AntiVir, McAfee Stinger, and others that I am forgetting! After I did ALL of those repeatedly, I ran most of them in safe mode as well. I can't get rid of this completely. It keeps coming back and attacking it. Here is my hijack this log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:14 AM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03 ... Read more

A:Virtumundo!

Hello imabitdizzy,

Before we start, you need to realize that you are missing one important program on that computer: an antivirus. This is somewhat suicidal in today's digital world. You need to install an antivirus program as soon as you can and run a complete scan of the computer. I recommend you download the free Avast, AntiVir or AVG antivirus. Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

After you have installed the antivirus program and run a complete scan, then post a fresh Hijackthis log.


I have been battling a virtumundo attack for the past week. I am running with Windows XP. I have Trend Micro Pc-Cillin Internet Security 12 (have for over a year) with the appropriate firewalls, scanning, anti-virus. I have and routinely run Ad-Aware 2007. I periodically run Trend Micro Housecall, although it freezes mid-way now and won't complete. Since this began I have loaded and run Spybot S&D, VundoFix, Virtumundobegone. Prior to running all these scans I ensure that the System Restore is set to Off. I'll get hits for Win and Vundo on any and all... clean... reboot. After fixing in all softwares and rebooting the computer is fine for a while... clean scans and runs fine... and then... it's back, those hideous bogus security shields. Today I loaded and ran Stinger 3.8.0 9/10/07 and Symantec Adware.virtumonde Removal Tool 1.0.3. I now have six pieces of software telling me the computer is clean and virus free... and... I just don't know if I believe that. I've run Trend Micro's HJT. Am I still infected?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:58 AM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:... Read more

A:Virtumundo

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Using My Computer, navigate to where you have HijackThis saved. Right-click on the HijackThis.exe file. Select "Rename", call it fluffybunny and press enter. Use fluffybunny.exe from now on.

I see you have Viewpoint installed: Viewpoint Manager is considered to be foistware rather than malware, since it is installed without your approval but doesn't actually spy or do anything "bad". This will soon change, according to this article, which you may want to read: http://www.clickz.com/news/article.php/3561546

I recommend that you remove the Viewpoint products. If you do decide to get rid of it, please remove all references to Viewpoint from Add/Remove Programs. Then please scan again with HijackThis and post the new log in your reply.

Thanks,
Charles


Tried VirtumundoBegone to no avail.

Can't access Google search, gmail and various other sites. No pop-ups, but my browser is being plastered with ads and I fear it will only worsen. Misery, ack!

:| Help is appreciated and much love, praise and awesomenes will be bestowed on anyone who can get me out of this rut.

Log below.

Deckard's System Scanner v20071014.68
Run by Radish on 2008-06-20 21:45:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
77: 2008-06-20 12:46:04 UTC - RP263 - Deckard's System Scanner Restore Point
76: 2008-06-20 08:16:54 UTC - RP262 - Removed FOG Service
75: 2008-06-20 08:15:12 UTC - RP261 - Removed Skype? 3.5
74: 2008-06-19 14:17:10 UTC - RP260 - System Checkpoint
73: 2008-06-18 13:50:46 UTC - RP259 - System Checkpoint


-- First Restore Point --
1: 2008-06-17 11:30:43 UTC - RP187 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).
System Drive C: has 3.52 GiB (less than 15%) free.


-- HijackThis (run as Radish.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:15 PM, on 6/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Int... Read more

A:Virtumundo!

I see no evidence of an AntiVirus program on your system. Why is that? Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer.

Google cache link

We will address that during the course of this fix.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery mode if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return.

Once the Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Post the log from ComboFix when you've accomplished... Read more


Here's my HJT log:

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1151860565\ee\AOLSoftware.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\fpplock.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\{A8CECA43-02B8-1033-0427-040824010001}\Update.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\COMMON~1\qqzo\qqzom.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\COMMON~1\qqzo\qqzoa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet... Read more

A:I Think I've Got Virtumundo

Hello AlbinoNinjaPenguin, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues, this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,
htv8


Hi, when running an ad aware scan the last 4 times my virus scan picks up nnnll.dll adware-virtumundo, though it's unable to delete or clean. Here's my HJ log. Thanks for any help!

Logfile of HijackThis v1.99.1
Scan saved at 4:56:36 PM, on 4/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\HEWLET~1\ONE-TO~1\OneTouch.EXE
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\eFax Messenger 4.1\J2GTray.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32... Read more

A:Virtumundo?

Hi, I don't see any signs of Vundo, but just to be sure, let's run this tool.
====
Please download VundoFix.exe to your Desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
It will make a log in C:\vundofix.txt, I need you to post that later.
====
Update Ewido Anti-Malware - I see that you already have this so we'll just update it.
Launch Ewido.
The program will now open the main screen.
You will need to update ewido to the latest definition files
On the left hand side of the main screen click update.
Then click on the Start Update button.
The update will start and a progress bar will show the updates being installed.
After it has finished, close Ewido, we will use it later.
If you are having problems with the updater, you can use this link to manually update ewido: Ewido manual updates.
====
Download ATF Cleaner
Save it to your Desktop. We will use this later.
====
Boot into Safe Mode.
Please restart your computer and before the Windows logo appears, tap F8 repeatedly. A menu should appear, select Safe... Read more


Here we go again! Son playing on game sites has managed to pick up Virtumondo.
Running Sophos as our main antivirus software, backed up with spybot, adaware and Superantispyware. None of them can deal with it. Sophos says that it needs to be removed manually, but I'm not sure how.

Hijackthis scan results below; any / all help appreciated. Thanks.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:32:45, on 30/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.e... Read more

A:Virtumundo


Hi

I can't get rid of Virtumundo in WinXP SP2. Adaware found it once and said it was gone - installed and first ran the vx2cleaner. Ran Adaware again and it said everything was clean. Then ran Microsoft Anti-spyware which found it again and removed it. Rebooted, reran MS anti-spy and it was back again.

I got Vundofix which is supposed to run in safe mode, but its safe mode is corrupted - as soon as I do anything in safemode, the desktop goes black. When I run explorer.exe again in safe mode, if it starts at all, the same thing happens - as soon as I do anything the desktop disappears after the first action.

Here is a Hijack log I ran in normal Windows mode. Run from HJack in its own subdirectory:

Logfile of HijackThis v1.99.1
Scan saved at 9:19:29 PM, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC_PowerChute\mainserv.exe
C:\PROGRA~1\CpuUsage\CpuUsage.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\... Read more

A:Virtumundo

Welcome to TSG

Have you tried this?
If you cannot get into safe mode & get a black screen that says "safe mode" in all 4 corners and no desktop appears, then try this

It appears that the code in the Vundo trojan is so badly written that many users can't go into safe mode because "explorer.exe" is occupied trying to execute these codes and occupies 100% of the CPU capacity.

Try this procedure:

When you come to the point where the black screen appears and the text "safe mode" is displayed in the corners, open the taskmanager (Ctrl+Alt+Del) and find "explorer.exe". Click on it in the list and click "Terminate". This will probably take several minutes.
Once Explorer is terminated, navigating with the mouse will be easy, however you will have a desktop without icons.

Now, remember where you installed the "VundoFix". Open the taskmanager again, and click "File>Run" in the toolbar. Type in the filepath to the VundoFix in the scrollbar and hit enter.
The default location of the VundoFix is here :
C:\Documents and Settings\YOUR USERNAME\Desktop\VundoFix\KillVundo.bat . Replace "your username" with your actual one.
Then click "ok" and if everything work as planned, you will now be able to run the VundoFix and go on with the procedure I already posted.

Since you can't navigate via Explorer during this operation, it's important that you print those instructions, both the ones here and the e... Read more


So last night my computer was acting funny and I left my computer on for AVG 8.5 and spybot to scan my computer. I woke up: AVG found nothing, and spybot found mediaplox (I forgot or something) and Virtumundo? I removed both and powered down the computer and when I turned it back on I found nothing but this..... Spybot was running a scan upon start up, so I went to the main interface and released Virtumundo back. I don't know what happened to mediaplox, but when I canceled the Spybot scan, it was there as a threat.... I didn't release it. But anyways nothing happened after that, and then I restarted and everything was back to normal, my desktop was back.

A:Virtumundo?

Hello and welcome. Let's do these and see if there is more as I suspect.

If you have Spybot installed temporarily disable it. We need to disable Spybot S&D's "TeaTimer". TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running. In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
If prompted with a legal dialog, accept the warning.
Click and then on "Advanced Mode"
You may be presented with a warning dialog. If so, press Click on Click on Uncheck this checkbox:
Close/Exit Spybot Search and Destroy

Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
Please download ATF Cleaner by Atribune & save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, ple... Read more


Hi, I am having some serious CPU % usage issues.
I've tried a variety of fixes, but the next day it's always back up to 100% CPU.

I go into Safe Mode and run MS antiSpyware, AD-Aware. I run Norton AntiVirus and keep it up do date. I run a Registry Fix software to clean the registry.

Virtumundo always comes back the next day, but it seems there are other things there?
I downloaded HijackThis, and here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:11:50 PM, on 2/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireles... Read more

A:Virtumundo, I think?


Please help, McAfee is having trouble getting rid of adware. This is what McAfee is telling me:

10/3/2005 2:31:57 PM Delete failed (Clean failed) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\awvuv.dll Adware-Virtumundo
10/3/2005 2:45:49 PM Delete failed (Clean failed) NT AUTHORITY\SYSTEM C:\WINDOWS\system32\awvuv.dll Adware-Virtumundo
10/3/2005 2:46:02 PM No Action Taken (Delete failed) C:\WINDOWS\system32\awvuv.dll Adware-Virtumundo
10/3/2005 2:46:05 PM Delete failed (Move failed) C:\WINDOWS\system32\awvuv.dll Adware-Virtumundo
10/3/2005 2:46:07 PM Delete failed (Clean failed) C:\WINDOWS\system32\awvuv.dll Adware-Virtumundo
10/3/2005 2:46:08 PM Delete failed (Clean failed) C:\WINDOWS\system32\awvuv.dll Adware-Virtumundo


I have so far tried to run Ad Aware SE with the Vx2 Add on, CWShredder, SPYBOT SEARCH N DESTROY. So far, the minor files that these applications have picked up haven't resolved the primary issue. I also get a pop up box with an advertisement to some false website claiming to have a download to resolve the problem. Any help would be greatly appreciated. Thanks!!!

Logfile of HijackThis v1.99.1
Scan saved at 2:42:25 PM, on 10/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evx... Read more

A:Virtumundo

This webpage would not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp.exe - Install.

hjtrun.zip
From within hjtrun.zip, double-click on hjtrun.bat


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Restart your computer.
Hijackthis will open before the desktop loads, scan and fix the following entries:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\awvuv.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - Winlogon Notify: awvuv - C:\WINDOWS\system32\awvuv.dll

Then close HJT & windows will continue to load your Desktop.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tool... Read more

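The HJT fix above removes the same DLL from two places at once: an O2 (BHO) entry and an O20 (Winlogon Notify) entry. As an added example that is not part of the thread and not code from HijackThis, here is a small Python parser for HJT-style O2/O4/O20 lines that flags any DLL registered in both roles. The sample log is constructed here: the awvuv.dll and dumprep lines are the ones quoted in the answer, and the "ExampleVendor" entries are made-up benign contrast.

```python
import re
from collections import defaultdict

# Constructed HijackThis-style excerpt. The awvuv.dll O2/O20 lines and the
# O4 dumprep line are the entries quoted in the thread above; the
# "ExampleVendor" entries are invented here as benign contrast.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\awvuv.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleVendor\helper.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - Winlogon Notify: awvuv - C:\WINDOWS\system32\awvuv.dll
O20 - Winlogon Notify: ExampleNotify - C:\Program Files\ExampleVendor\notify.dll
"""

# One pattern per HJT section type this example understands.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_hjt(lines):
    """Turn HJT log lines into dicts; lines from other sections are skipped."""
    entries = []
    for raw in lines:
        line = raw.strip()
        for section, pattern in (("O2", O2_RE), ("O20", O20_RE), ("O4", O4_RE)):
            m = pattern.match(line)
            if m:
                entry = {"section": section, "raw": line}
                entry.update(m.groupdict())
                entries.append(entry)
                break
    return entries


def dll_basename(path):
    """Case-folded file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_dual_persistence(entries):
    """Return {dll: {"sections": [...], "lines": [...]}} for every DLL that is
    loaded both as a BHO (O2) and as a Winlogon Notify handler (O20), the
    pairing the HJT fix above removes for awvuv.dll."""
    by_dll = defaultdict(lambda: {"sections": set(), "lines": []})
    for e in entries:
        if "path" not in e:  # O4 entries carry a command line, not a DLL path
            continue
        dll = dll_basename(e["path"])
        by_dll[dll]["sections"].add(e["section"])
        by_dll[dll]["lines"].append(e["raw"])
    flagged = {}
    for dll, info in by_dll.items():
        if {"O2", "O20"} <= info["sections"]:
            flagged[dll] = {"sections": sorted(info["sections"]),
                            "lines": info["lines"]}
    return flagged


if __name__ == "__main__":
    found = find_dual_persistence(parse_hjt(SAMPLE_HJT_LOG.strip().splitlines()))
    for dll, info in found.items():
        print(f"{dll}: registered in {', '.join(info['sections'])}; entries to review:")
        for line in info["lines"]:
            print("  " + line)
```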

I've tried numerous antivirus and antispyware apps and nothing has worked. I've run all the apps I had before running this HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:46 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\NVIDIA Corpora... Read more

A:Virtumundo

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, jlhillman. My name is Richie and I'll be helping you to fix your problems.

Please download ComboFix and save it to your desktop:
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause the program to freeze/hang.
Also post a new HijackThis log please.


I have been unable to remove Virtumundo from my computer completely. I have gotten rid of a couple of component programs, but I can't find the last DLL file. McAfee is telling me it's there, but I can't find it. Here is my HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 3:09:28 PM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\MISSWA~1\LOCALS~1\Temp\UrtWebClient.exe0
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Do... Read more

A:virtumundo

Please download http://www.atribune.org/ccount/click.php?id=4 to your desktop.
Double-click VundoFix.exe to run it.
Place a check in the checkbox labeled Run VundoFix as a task.
You will receive a message stating that VundoFix will close and re-open in a minute or less.
When VundoFix reopens, click the OK button.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
===========
In Add/Remove Programs, remove MyWay Search.


I've been trying to get rid of it for a while.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:54:37 PM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by16fd.bay16.hotmail.msn.com...01&a=ce708773563b307a477da61053da4317&fti=yes
R1 - HKLM\Softw... Read more

A:Virtumundo help

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to extract the files
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning and a list of forums to seek help at.
It should look like this:
VundoFix V2.15 by Atri
By pressing enter you agree that you are using this at your own risk

At this point press enter one time.
Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter
At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\pmkjj.dll

Press Enter,
Next you will see:
Please type in the second filepath as instructed by the forum staff
Then Press Enter,
At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\jjkmp.*
If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.
The fix will run then HijackThis will open.
In HijackThis, please pla... Read more


Hello again. It's been a while, but I hate to inform you that I need help desperately. Somehow, don't ask me how, I managed to let a BHO get through, which then caused my laptop to slow down. I've installed ewido, which I ran a test on, used WinPFind and also VundoFix and VirtumundoBeGone, even bblbeta. I even checked on HijackThis and there are signs of it, but I can't do anything since I'm not sure what to delete precisely, even if I do know what shouldn't be there.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:25:34, on 24/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Gizmo Project\mDNSResponder.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Sunbelt Softwa... Read more

A:Virtumundo Problem

Hello,

Just some leftovers here...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {44105688-8ACE-4CE5-95B8-495050773B3E} - (no file)
O20 - Winlogon Notify: winwea32 - winwea32.dll (file missing)

* Click on Fix Checked when finished and exit HijackThis. Make sure your Internet Explorer is closed when you click Fix Checked!

* Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer.
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button.
Next to it, click the "Delete Files" button.
When prompted, place a check in "Delete all offline content", click OK.

* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

* Clean other Temporary files + Recycle bin:
Go to Start > Run and type: cleanmgr and click OK. Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Press OK to remove them.

Let me know in your next r... Read more


A rough week of battling this horrible virus! Thanks to the forums here I found some relief.

I already had Ad-Aware 2007 and Trend Micro Pc-Cillin Internet Security 12 on my computer.

This week I've loaded and repeatedly used...

HiJackThis
Vundofix
Virtumundobegone
Spybot S&D
FxVMonde
Stinger

(yup, no kidding... all of them)

I've run things in and out of safe mode.

I'd get relief for maybe a day at best... then the computer would slow down and BOOM... it's back.

Finally downloaded and used AVG 7.5

Now remember... ALL the other software was run... today. I even ran Trend Micro's Housecall. AVG found 28 infected DLLs. Yup, 28. Vaulted, and wiped them.

I'm really, really hoping this is it. I just wish I hadn't taken a week to find the AVG freeware. Would have made my life easier.

A:Vundo-virtumundo

Hi Mushrabbit,

I see that you have posted a HJT log.

Please do NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven&... Read more


Below is my logfile. McAfee keeps recognizing a PUP (Adware Virtumundo) C:\WINDOWS\system32\jkhhf.dll but cannot delete it. I know I will have to go into safe mode to fix this, but the only problem is my cpu will not let me use my mouse or keyboard once I have booted up into safe mode. Please help!!!

Logfile of HijackThis v1.99.1
Scan saved at 1:54:49 PM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program F... Read more

A:Adware Virtumundo

Hi ThriceIsRight and Welcome to the Bleeping Computer!

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to extract the files.
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this:
VundoFix V2.14 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....

At this point press enter one time.
Next you will see:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\jkhhf.dll
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
Next you will see:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.
At this point please type the following file path (make sure to enter it exactly as below!):
C:\WINDOWS\system32\fhhkj.*
This will be the vundo filename sp... Read more


I am having a problem getting rid of these two things. Spybot finds them, says they are gone, but they come back. Also the same with AVG and Lavasoft Ad-Aware. Tried SmitfraudFix; it comes back. There is a program that it installed called Spyware Guard 2008 that keeps popping up, and a fake Security Center icon in my system tray. Can someone help me get rid of this stuff?

Here is my dds log:


DDS (Version 1.0) - NTFSx86
Run by me at 10:09:20.35 on Mon 12/08/2008
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.117 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\winscenter.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo AIO Printer 942\dlbubmon.exe
C:\Program Files\Internet Explore... Read more

A:virtumundo and smitfraud

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Download & save ComboFix to your Desktop but don't run it yet
Open NOTEPAD and copy/paste the text in the quotebox below into it:


Code:
DDS::
BHO: {3bf9b0be-896a-45ee-af15-67631748af23} - c:\WINDOWS\system32\gfwwbf.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\WINDOWS\system32\ljJYSkhG.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\avgtoolbar.dll
IE: &Search - ?p=ZJ
Notify: ljJYSkhG - ljJYSkhG.dll
AppInit_DLLs: ,avgrsstx.dll gfwwbf.dll
SSODL: ieModule - {233337A0-E7C2-4558-9CCA-9BCBB724DED1} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ieModule.dll
SSODL: InternetConnection - {BEE26540-51D7-42EC-A0D1-CDB9D88701FF} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ylwaoysfnx.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\WINDOWS\system32\ljJYSkhG.dll
Save this as "CFScript"

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt.


Hi! Hope you can help...........

Computer behaving strangely a few days ago, so ran Panda2008. It picked up a trojan ope38.exe and, I hope, quarantined and deleted it. However, popups remain and Panda and Adaware2007 find no further problems. Spybot shows Virtumonde infection and points to iifda.dll in system32 and several registry entries. I have tried, but cannot delete them permanently with Spybot or otherwise. I presume something else is refreshing them.

I give below the "Hijack this" Log.........


Logfile of HijackThis v1.99.1
Scan saved at 16:30:40, on 16/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program ... Read more

A:Virtumundo and ope38.exe

I have realised I was using an old version of "Hijack This" for the above post.
Here is the log received from the new version.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:01:26, on 17/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\APVXDWIN.EXE
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
... Read more


Hello. I would really need some guidance (help). Some of my anti-spyware programs found Win32/Vundo.gen!D and other registry changes made (Virtumundo). Here's my log(s) from Deckard's System Scanner:

Deckard's System Scanner v20071014.68
Run by Datorn on 2008-04-15 20:15:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as Datorn.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:15:21, on 2008-04-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\APPS\SAXO\HIDSERV.EXE
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Packard Bell ... Read more

A:Virtumundo Problem

Hi

I don't see any problem ... You have 2 orphan registry keys ... most probably Vundo leftovers, that's all ...

Disconnect from the internet. Close ALL browser windows (including this one) - run HijackThis and tick to fix (check the box next to) the list below ... when all are ticked (checked) click the Fix Checked button at the bottom. :-

O2 - BHO: (no name) - {9B913993-5A06-47FB-8E9E-7F444261C6B1} - C:\WINDOWS\system32\geBtSIyV.dll (file missing)
O20 - Winlogon Notify: jkkKeccd - C:\WINDOWS\

All the scans you have run appear to have removed the malware ... if you have anything which could not be removed, or logs which show anything of concern, please post them ...

steam


I have had this virus for almost 2 weeks and I don't know where it came from. My computer is extremely slow, unwanted and explicit pop-ups, re-directs you to other websites, etc. Please let me know what kind of program I can use to remove this virus PERMANENTLY!! It would be greatly appreciated!!!

A:Virtumundo Virus?

Hello! Welcome to Bleepingcomputer!

Virtumundo is a nasty one. Well, let's first try something that may help a little. First download Ad-Aware and try to run a scan in safe mode.
http://www.download.com/Ad-Aware-2007-Free...dl&tag=top5
To start up in Safe Mode, first turn off or restart your computer. Then, before the Windows logo comes up, continuously press F8 until a screen with multiple options comes up. Select safe mode by using the directional arrows and press enter.
After that post back and tell me the results of the scan.

~ xXAlphaXx


C:/WINDOWS/Temp shows the following file: Perflib_Perfdata_610. It appears to be associated with Virtumundo. I have tried deleting and renaming it, but to no avail, as it "cannot be deleted as it is being used by another person or program". Have run the latest versions of the following antivirus/antimalware: Ad-Aware, Spybot, ESET Smart Security, SuperAntiSpyware in Full Scan Mode, to no avail. I am attaching the latest HijackThis scan. What should I do?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:24 AM, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sy... Read more

A:Possible Virtumundo infection

C:/WINDOWS/Temp now has the following two files in it: Perflib_Perfdata_5fc, Perflib_Perfdata_400. Can't get rid of them. Appreciate any help on this.


DDS (Version 1.1.0) - NTFSx86
Run by JettyServer at 18:54:58.31 on Thu 01/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2021.1168 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYSTEM~1\WScheduler.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1 ... Read more

A:virtumundo, trojans, not sure exactly!

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.
If ComboFix asks you to install Recovery Console, please do so. It will be in your best interest.
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply.
Note: DO NOT mouseclick ComboFix's window while it's running. That may cause it to stall.


Hi

Spybot has picked up several instances of Virtumundo and also "Microsoft security devices - disabled". It's causing all sorts of system problems; please can you help? I have downloaded, installed and run HijackThis and the log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:28:33, on 20/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files ... Read more

A:infected - virtumundo

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the ... Read more


My spyware (Spybot S/D) found this after my PC started acting all goofy. I would like to know how to remove it. I can find it in regedit in a few locations. I thought about just deleting those and rescanning to see if that would fix the problem, but thought I'd better check with the experts on here first. Please help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:32 PM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\ATT Internet Tools\blsloader.exe
C:\WINDOWS\V0330Mon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\L... Read more

A:Solved: Virtumundo.dll


Windows Defender found this infection, but I followed your instructions re running those two programs and they found nothing. Perhaps the HijackThis log will help. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:12 AM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\crypserv.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\PROGRA~1\ALWILS~1 ... Read more

A:Virtumundo Removal

I would like to take a look at this log for you and will get back to you as soon as I can.

Thank You.


Hello,

I was watching The Simpsons online and when I minimized the screen I saw my background had changed with the "Windows Warning Message". After a lot of snooping around I managed to change the background back. However, another problem still persists. I am able to search Google and go to certain sites via the address bar, although very limited it seems. However, when I try to click on sites through Google, I am redirected. I've been trying to find a solution and ran quite a few programs including Spybot, FixVundo, VirtumundoBeGone, VundoFix, and was about to try ComboFix. After reading about it though, I was reluctant to do it without some help. Please help.

Thank you
Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:47 AM, on 8/31/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\conime.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AVPersonal\AVG... Read more
