BleepingComputer.com > Vundo Virus

BleepingComputer.com > Security > Am I infected? What do I do?

robertybob

Jul 7 2008, 06:46 PM

I'm infected with the virtumonde virus. I've tried the two generally recommended programs to deal with it (vundofix and virtumundobegone) but to no avail. I'm a real amateur in these matters. Can you help me please.
Here's what VBG log says:

[07/07/2008, 23:44:42] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Bob\Desktop\VirtumundoBeGone.exe" )
[07/07/2008, 23:44:49] - Detected System Information:
[07/07/2008, 23:44:49] - Windows Version: 5.1.2600, Service Pack 2
[07/07/2008, 23:44:49] - Current Username: Bob (Admin)
[07/07/2008, 23:44:49] - Windows is in SAFE mode with Networking.
[07/07/2008, 23:44:49] - Searching for Browser Helper Objects:
[07/07/2008, 23:44:49] - BHO 1: {06D3D88A-1406-4024-9D21-26EED59A20BC} ()
[07/07/2008, 23:44:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/07/2008, 23:44:49] - Checking for HKLM\...\Winlogon\Notify\efcYPjIy
[07/07/2008, 23:44:49] - Key not found: HKLM\...\Winlogon\Notify\efcYPjIy, continuing.
[07/07/2008, 23:44:49] - BHO 2: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[07/07/2008, 23:44:49] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/07/2008, 23:44:49] - BHO 4: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[07/07/2008, 23:44:49] - BHO 5: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
[07/07/2008, 23:44:49] - BHO 6: {C5F8EC28-8F68-4397-B050-0F644DFD0789} ()
[07/07/2008, 23:44:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/07/2008, 23:44:49] - Checking for HKLM\...\Winlogon\Notify\jkkJbcDU
[07/07/2008, 23:44:49] - Key not found: HKLM\...\Winlogon\Notify\jkkJbcDU, continuing.
[07/07/2008, 23:44:49] - BHO 7: {C6EA321D-EE5F-4ED5-B1FF-3A87F9D81ABF} ()
[07/07/2008, 23:44:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/07/2008, 23:44:49] - Checking for HKLM\...\Winlogon\Notify\byXnOhee
[07/07/2008, 23:44:49] - Found: HKLM\...\Winlogon\Notify\byXnOhee - This is probably Virtumundo.
[07/07/2008, 23:44:49] - Assigning {C6EA321D-EE5F-4ED5-B1FF-3A87F9D81ABF} MSEvents Object
[07/07/2008, 23:44:49] - BHO list has been changed! Starting over...
[07/07/2008, 23:44:49] - BHO 1: {06D3D88A-1406-4024-9D21-26EED59A20BC} ()
[07/07/2008, 23:44:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/07/2008, 23:44:50] - Checking for HKLM\...\Winlogon\Notify\efcYPjIy
[07/07/2008, 23:44:50] - Key not found: HKLM\...\Winlogon\Notify\efcYPjIy, continuing.
[07/07/2008, 23:44:50] - BHO 2: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[07/07/2008, 23:44:50] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/07/2008, 23:44:50] - BHO 4: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[07/07/2008, 23:44:50] - BHO 5: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
[07/07/2008, 23:44:50] - BHO 6: {C5F8EC28-8F68-4397-B050-0F644DFD0789} ()
[07/07/2008, 23:44:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/07/2008, 23:44:50] - Checking for HKLM\...\Winlogon\Notify\jkkJbcDU
[07/07/2008, 23:44:50] - Key not found: HKLM\...\Winlogon\Notify\jkkJbcDU, continuing.
[07/07/2008, 23:44:50] - BHO 7: {C6EA321D-EE5F-4ED5-B1FF-3A87F9D81ABF} (MSEvents Object)
[07/07/2008, 23:44:50] - ALERT: Found MSEvents Object!
[07/07/2008, 23:44:50] - BHO 8: {E6CCF330-8F00-47DC-A3FA-5CF2A7D49A48} ()
[07/07/2008, 23:44:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/07/2008, 23:44:50] - Checking for HKLM\...\Winlogon\Notify\urqRJcDs
[07/07/2008, 23:44:50] - Key not found: HKLM\...\Winlogon\Notify\urqRJcDs, continuing.
[07/07/2008, 23:44:50] - BHO 9: {e7eccff8-02b8-49be-9900-47f6bfebb21f} ()
[07/07/2008, 23:44:50] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/07/2008, 23:44:50] - Checking for HKLM\...\Winlogon\Notify\oyxojy
[07/07/2008, 23:44:50] - Key not found: HKLM\...\Winlogon\Notify\oyxojy, continuing.
[07/07/2008, 23:44:50] - Finished Searching Browser Helper Objects
[07/07/2008, 23:44:50] - *** Detected MSEvents Object
[07/07/2008, 23:44:50] - Trying to remove MSEvents Object...
[07/07/2008, 23:44:51] - Terminating Process: IEXPLORE.EXE
[07/07/2008, 23:44:51] - Terminating Process: RUNDLL32.EXE
[07/07/2008, 23:44:51] - Disabling Automatic Shell Restart
[07/07/2008, 23:44:51] - Terminating Process: EXPLORER.EXE
[07/07/2008, 23:44:52] - Suspending the NT Session Manager System Service
[07/07/2008, 23:44:52] - Terminating Windows NT Logon/Logoff Manager
[07/07/2008, 23:44:52] - Re-enabling Automatic Shell Restart
[07/07/2008, 23:44:52] - File to disable: C:\WINDOWS\system32\byXnOhee.dll
[07/07/2008, 23:44:52] - Renaming C:\WINDOWS\system32\byXnOhee.dll -> C:\WINDOWS\system32\byXnOhee.dll.vir
[07/07/2008, 23:44:52] - File successfully renamed!
[07/07/2008, 23:44:52] - Removing HKLM\...\Browser Helper Objects\{C6EA321D-EE5F-4ED5-B1FF-3A87F9D81ABF}
[07/07/2008, 23:44:52] - Removing HKCR\CLSID\{C6EA321D-EE5F-4ED5-B1FF-3A87F9D81ABF}
[07/07/2008, 23:44:52] - Adding Kill Bit for ActiveX for GUID: {C6EA321D-EE5F-4ED5-B1FF-3A87F9D81ABF}
[07/07/2008, 23:44:52] - Deleting ATLEvents/MSEvents Registry entries
[07/07/2008, 23:44:52] - Removing HKLM\...\Winlogon\Notify\byXnOhee
[07/07/2008, 23:44:52] - Searching for Browser Helper Objects:
[07/07/2008, 23:44:52] - BHO 1: {06D3D88A-1406-4024-9D21-26EED59A20BC} ()
[07/07/2008, 23:44:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/07/2008, 23:44:52] - Checking for HKLM\...\Winlogon\Notify\efcYPjIy
[07/07/2008, 23:44:52] - Key not found: HKLM\...\Winlogon\Notify\efcYPjIy, continuing.
[07/07/2008, 23:44:52] - BHO 2: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[07/07/2008, 23:44:52] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[07/07/2008, 23:44:52] - BHO 4: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[07/07/2008, 23:44:52] - BHO 5: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)
[07/07/2008, 23:44:52] - BHO 6: {C5F8EC28-8F68-4397-B050-0F644DFD0789} ()
[07/07/2008, 23:44:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/07/2008, 23:44:52] - Checking for HKLM\...\Winlogon\Notify\jkkJbcDU
[07/07/2008, 23:44:52] - Key not found: HKLM\...\Winlogon\Notify\jkkJbcDU, continuing.
[07/07/2008, 23:44:52] - BHO 7: {E6CCF330-8F00-47DC-A3FA-5CF2A7D49A48} ()
[07/07/2008, 23:44:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/07/2008, 23:44:52] - Checking for HKLM\...\Winlogon\Notify\urqRJcDs
[07/07/2008, 23:44:52] - Key not found: HKLM\...\Winlogon\Notify\urqRJcDs, continuing.
[07/07/2008, 23:44:52] - BHO 8: {e7eccff8-02b8-49be-9900-47f6bfebb21f} ()
[07/07/2008, 23:44:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/07/2008, 23:44:52] - Checking for HKLM\...\Winlogon\Notify\oyxojy
[07/07/2008, 23:44:52] - Key not found: HKLM\...\Winlogon\Notify\oyxojy, continuing.
[07/07/2008, 23:44:52] - Finished Searching Browser Helper Objects
[07/07/2008, 23:44:52] - Finishing up...
[07/07/2008, 23:44:52] - A restart is needed.
[07/07/2008, 23:45:01] - Attempting to Restart via STOP error (Blue Screen!)

Budapest

Jul 7 2008, 10:19 PM

Run a full system scan with SuperAntiSpyware in Safe Mode.

How to start Windows in Safe Mode

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.