Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Virtumonde Removal Need Help

  • Please log in to reply
2 replies to this topic

#1 mtijjm


  • Members
  • 2 posts
  • Local time:02:04 AM

Posted 06 August 2007 - 06:46 AM

here is the hjt log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:52 AM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\?ssembly\wucrtupd.exe

O2 - BHO: (no name) - {01892ED4-D397-45F3-8613-B10232FF6954} - \
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15F12912-DE8D-457E-90C0-C40389A2D72D} - \
O2 - BHO: (no name) - {168cf242-6cd7-4526-a9f9-1637b0ab13cb} - C:\WINDOWS\system32\glgglns.dll
O2 - BHO: (no name) - {28AF159E-3B69-475B-8B2E-1F39453E6F9F} - \
O2 - BHO: (no name) - {4781E99A-2130-453E-84F0-8C0C4B61D2EA} - \
O2 - BHO: (no name) - {488883C3-320F-46A8-7879-4FB60C48F0B8} - C:\WINDOWS\system32\ssidsx.dll
O2 - BHO: (no name) - {4CDF82C2-320C-48F8-2D79-4FB60C48F1BE} - C:\WINDOWS\system32\xixafx.dll
O2 - BHO: (no name) - {53136DCE-B7EC-4482-8645-5C5A3E02CB37} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\JJM\Desktop\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67142B60-D294-4977-AA5F-582205F7A45C} - \
O2 - BHO: (no name) - {70789ee5-bd07-4e0a-a84f-052fe9906a10} - C:\WINDOWS\system32\licide.dll
O2 - BHO: (no name) - {7D7156DE-0860-4A67-AD92-8F0D771FC934} - \
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: (no name) - {8BB84647-912E-4B30-947A-09F74821FC2B} - \
O2 - BHO: (no name) - {99B2D268-D751-424C-BA10-9E25B6F17152} - \
O2 - BHO: (no name) - {B0B30D9B-9BF2-4C12-A0CE-419C3C66AE5D} - \
O2 - BHO: (no name) - {B0F1E599-6986-4ED5-8177-D075A6F26177} - \
O2 - BHO: (no name) - {B5028E4F-46EA-40EE-AF13-9601A7630173} - C:\Program Files\Online Services\hokeso83122.dll
O2 - BHO: (no name) - {B855DDDA-BD1F-43BC-8B6C-028C40D95132} - \
O2 - BHO: (no name) - {C11EBBE2-355C-4B57-A586-485D78B6EDE7} - \
O2 - BHO: (no name) - {C24DDB81-410A-4B90-BCAC-1C2C5666F807} - \
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp9F.tmp.dll
O2 - BHO: (no name) - {CB501D9A-2A9C-4271-96D7-9F26C3A3561D} - \
O2 - BHO: (no name) - {E1F93F4F-EF25-4B5E-AA17-CBD842D8A7AB} - \
O2 - BHO: (no name) - {E4C305C0-5ACE-4AFF-BC76-31CE6A1F391A} - \
O2 - BHO: 0 - {E4F62376-97FB-4508-A19C-3649F204818B} - C:\Program Files\MSN\lavumafe292.dll
O2 - BHO: (no name) - {FD35C6DD-D423-4148-902C-0D7900D3B803} - \
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [wyssxqsA] C:\WINDOWS\wyssxqsA.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\jkkllk.dll",forkonce
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Eoas] "C:\WINDOWS\ICROSO~2\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [ccleaner] "C:\SPYWARE ELIMINATORS\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [Uutc] "C:\WINDOWS\system32\DOBE~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Rftkvbw] "C:\Program Files\?ssembly\wucrtupd.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nLite] %systemroot%\inf\nlite.cmd (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nLite] %systemroot%\inf\nlite.cmd (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141507647015
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O20 - AppInit_DLLs: c:\windows\system32\sstqrqq.dll
O20 - Winlogon Notify: licide - C:\WINDOWS\SYSTEM32\licide.dll
O20 - Winlogon Notify: Lvdlnr - C:\WINDOWS\SYSTEM32\Lvdlnr.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

End of file - 5730 bytes

BC AdBot (Login to Remove)


#2 RichieUK


    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • Local time:07:04 AM

Posted 06 August 2007 - 01:49 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum mtijjm :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens,click the "Scan for Vundo" button.
Once it's done scanning,click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed,it will prompt that it will reboot your computer,click "OK".
Post the contents of C:\vundofix.txt into your next reply.

It is possible that VundoFix encountered a file it could not remove.
In this case,VundoFix will run on reboot,simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


Download Combofix and save to your desktop:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log.
Posted Image
Posted Image

#3 mtijjm

  • Topic Starter

  • Members
  • 2 posts
  • Local time:02:04 AM

Posted 10 August 2007 - 01:22 PM

when i run vundo fix it says none found but when i run spybot it finds virtumonde so its on my computer in a system 32 file

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users