
Several Viruses


This topic is locked
8 replies to this topic

#1 MiNdWaRp

  • Members
  • 18 posts

Posted 26 November 2007 - 07:53 AM

Hi there!

It appears I've become infected with several viruses and I'm having a great deal of trouble getting them to go away. I've run several programs in an attempt to remove them, but they just won't stay off. I've made a short list of the ones that pop up in NOD32 and my other real-time protection programs:

Win32/BHO.G trojan
Win32/Adware.Ezula
Win32/Adware.Virtumonde
Win32/Adware.SecToolbar
Win32/TrojanDownloader.Tiny.ID
BHO - C:\WINDOWS\system32\mllmj.dll

Any help with removal of these problems would be much appreciated.


#2 buddy215

  • Moderator
  • 13,204 posts
  • Gender:Male
  • Location:West Tennessee

Posted 26 November 2007 - 09:37 AM

Install Super Antispyware free. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Use the vundofix tool in the link below.
http://vundofix.atribune.org/

How to Start Windows in Safe Mode:
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 MiNdWaRp

  • Topic Starter
  • Members
  • 18 posts

Posted 26 November 2007 - 11:53 AM

Thanks for the reply.

I did as you instructed and it didn't seem to do anything at all. The same popups all appear upon startup.

I also ensured my System Restore was off to prevent files from being locked on there.

#4 buddy215

  • Moderator
  • 13,204 posts
  • Gender:Male
  • Location:West Tennessee

Posted 26 November 2007 - 12:16 PM

Post a Hijack This Log in the Hijack This Forum by following the directions in the link below. DO NOT post a log in this forum. http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

#5 quietman7

  • Bleepin' Janitor
  • Global Moderator
  • 51,492 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 26 November 2007 - 12:17 PM

Please post the log created by Vundofix. It can be located at C:\vundofix.txt.
If you have the SAS log, you can post that too.

"I also ensured my System Restore was off to prevent files from being locked on there"

Disabling System Restore as the first step when attempting to clean or scan for malware is not advisable as you will lose all previously stored restore points. Unfortunately, some anti-virus vendors still recommend doing this before attempting malware removal and many folks follow that advice. This is really not a good practice when dealing with infected computer systems. Turning System Restore off and then turning it back on has some risk associated with it since that feature does not always work as intended. Further, there is always a possibility of something going wrong during the malware removal process and you end up with more problems. Without a restore point to fall back on, you are then stuck with a limited means of restoring your system such as a Repair Install or Reformat. Although System Restore is not 100% guaranteed to work all the time, it at least gives you another option.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 MiNdWaRp

  • Topic Starter
  • Members
  • 18 posts

Posted 27 November 2007 - 10:05 AM

Here's the VundoFix.txt:

VundoFix V6.5.11

Checking Java version...

Scan started at 7:31:02 AM 05/11/2007

Listing files found while scanning....

C:\WINDOWS\system32\psvpgjgt.dll

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\psvpgjgt.dll
C:\WINDOWS\system32\psvpgjgt.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Scan started at 7:38:02 AM 05/11/2007

Listing files found while scanning....


VundoFix V6.5.11

Checking Java version...

Scan started at 7:51:12 AM 05/11/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.11

Checking Java version...

Scan started at 11:43:45 AM 26/11/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Here's the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/26/2007 at 11:37 AM

Application Version : 3.9.1008

Core Rules Database Version : 3350
Trace Rules Database Version: 1349

Scan type	   : Complete Scan
Total Scan Time : 00:34:57

Memory items scanned	  : 181
Memory threats detected   : 1
Registry items scanned	: 3740
Registry threats detected : 13
File items scanned		: 20680
File threats detected	 : 10

Adware.Vundo Variant
	C:\WINDOWS\SYSTEM32\MLLMJ.DLL
	C:\WINDOWS\SYSTEM32\MLLMJ.DLL
	HKLM\Software\Classes\CLSID\{ABA83A0D-DBF0-44E3-BCF8-A5A278C70693}
	HKCR\CLSID\{ABA83A0D-DBF0-44E3-BCF8-A5A278C70693}
	HKCR\CLSID\{ABA83A0D-DBF0-44E3-BCF8-A5A278C70693}\InprocServer32
	HKCR\CLSID\{ABA83A0D-DBF0-44E3-BCF8-A5A278C70693}\InprocServer32#ThreadingModel
	HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABA83A0D-DBF0-44E3-BCF8-A5A278C70693}

Adware.Vundo-Variant/Small-A
	HKLM\Software\Classes\CLSID\{764892a4-a0c3-40ca-876b-bb45d5aad6af}
	HKCR\CLSID\{764892A4-A0C3-40CA-876B-BB45D5AAD6AF}
	HKCR\CLSID\{764892A4-A0C3-40CA-876B-BB45D5AAD6AF}\InprocServer32
	HKCR\CLSID\{764892A4-A0C3-40CA-876B-BB45D5AAD6AF}\InprocServer32#ThreadingModel
	C:\WINDOWS\SYSTEM32\GESMEXCO.DLL
	HKLM\Software\Classes\CLSID\{ba4bc8bd-404e-4fa8-8aa0-c5364686ee05}
	HKCR\CLSID\{BA4BC8BD-404E-4FA8-8AA0-C5364686EE05}
	HKCR\CLSID\{BA4BC8BD-404E-4FA8-8AA0-C5364686EE05}\InprocServer32
	HKCR\CLSID\{BA4BC8BD-404E-4FA8-8AA0-C5364686EE05}\InprocServer32#ThreadingModel
	C:\WINDOWS\SYSTEM32\BNVXBMRA.DLL
	C:\WINDOWS\SYSTEM32\XICTHRVH.DLL

Adware.Tracking Cookie
	C:\Documents and Settings\Administrator\Cookies\administrator@www.popundersupply[2].txt

Trojan.Downloader-Gen/HPBX
	C:\AEYRMMN.EXE

Adware.Vundo Variant/Rel
	C:\WINDOWS\SYSTEM32\JMLLM.BAK1
	C:\WINDOWS\SYSTEM32\JMLLM.BAK2
	C:\WINDOWS\SYSTEM32\JMLLM.INI

Trojan.XPDX-Rootkit
	C:\WINDOWS\SYSTEM32\XPDX.SYS
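The SAS log above is grouped by threat name, with each group listing the files and the registry keys the scanner attributed to it. The Vundo entries show the persistence mechanism behind the BHO reported in the first post: a COM class registered under HKCR\CLSID, loaded through its InprocServer32 DLL, and listed under Explorer's Browser Helper Objects key so Internet Explorer loads it on every start. The following is an added example, not code from SUPERAntiSpyware, BleepingComputer or the poster: a small Python parser for this log layout that separates file entries from registry entries, picks out the CLSIDs registered as Browser Helper Objects, and flags any .SYS component, since a detection there is kernel-mode code of the kind the rootkit warning later in the thread refers to. The function names are this example's own, and the sample log is a constructed excerpt that reuses the paths and CLSIDs from the posted log.

```python
"""Parser for the SUPERAntiSpyware (SAS) scan-log layout posted in this thread.

Added example for the thread; not code from SUPERAntiSpyware, BleepingComputer
or the poster.  Function names are this example's own.  SAMPLE_LOG is a
constructed excerpt that reuses the paths and CLSIDs from the posted log.
"""
import re
from collections import defaultdict

# Registry entries in the log start with a hive abbreviation; everything else is a file path.
HIVE_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU|HKCC)\\", re.IGNORECASE)
# COM class identifier in braces, the form used for BHO registration.
CLSID_RE = re.compile(r"\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}", re.IGNORECASE)
# Key under which Explorer / Internet Explorer loads Browser Helper Objects at startup.
BHO_KEY_FRAGMENT = "\\explorer\\browser helper objects\\"

# Constructed excerpt in the same layout as the posted log (tab-indented entries).
SAMPLE_LOG = "\n".join([
    "SUPERAntiSpyware Scan Log",
    "http://www.superantispyware.com",
    "",
    "Generated 11/26/2007 at 11:37 AM",
    "",
    "Memory threats detected   : 1",
    "File threats detected\t : 10",
    "",
    "Adware.Vundo Variant",
    "\tC:\\WINDOWS\\SYSTEM32\\MLLMJ.DLL",
    "\tC:\\WINDOWS\\SYSTEM32\\MLLMJ.DLL",
    "\tHKLM\\Software\\Classes\\CLSID\\{ABA83A0D-DBF0-44E3-BCF8-A5A278C70693}",
    "\tHKCR\\CLSID\\{ABA83A0D-DBF0-44E3-BCF8-A5A278C70693}\\InprocServer32",
    "\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{ABA83A0D-DBF0-44E3-BCF8-A5A278C70693}",
    "",
    "Adware.Vundo-Variant/Small-A",
    "\tHKLM\\Software\\Classes\\CLSID\\{764892a4-a0c3-40ca-876b-bb45d5aad6af}",
    "\tC:\\WINDOWS\\SYSTEM32\\GESMEXCO.DLL",
    "",
    "Trojan.XPDX-Rootkit",
    "\tC:\\WINDOWS\\SYSTEM32\\XPDX.SYS",
])


def parse_sas_log(text):
    """Return {threat_name: {"files": [...], "registry": [...]}}.

    A threat name is an unindented line followed by one or more indented
    entries.  Unindented lines with no entries (the scan metadata such as
    'File threats detected : 10') never acquire a group and so drop out."""
    groups = defaultdict(lambda: {"files": [], "registry": []})
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in "\t " and current is not None:
            entry = line.strip()
            kind = "registry" if HIVE_RE.match(entry) else "files"
            groups[current][kind].append(entry)
        else:
            current = line.strip()
    return {name: ent for name, ent in groups.items() if ent["files"] or ent["registry"]}


def bho_registrations(parsed):
    """Map each CLSID listed under the Browser Helper Objects key to the threat
    that owns it and the DLLs reported in the same detection group.

    The BHO key itself only names the CLSID; the DLL that CLSID loads is the
    InprocServer32 default value, which the log does not print, so the DLL
    association here is by detection group rather than by registry value."""
    out = {}
    for threat, entries in parsed.items():
        for key in entries["registry"]:
            if BHO_KEY_FRAGMENT not in key.lower():
                continue
            match = CLSID_RE.search(key)
            if match:
                out[match.group(0).upper()] = {
                    "threat": threat,
                    "dlls": sorted({f for f in entries["files"] if f.lower().endswith(".dll")}),
                }
    return out


def kernel_drivers(parsed):
    """Paths ending in .sys: a detection there is a kernel-mode component, which
    is what the rootkit warning later in the thread is about."""
    return sorted(f for ent in parsed.values() for f in ent["files"] if f.lower().endswith(".sys"))


if __name__ == "__main__":
    parsed = parse_sas_log(SAMPLE_LOG)
    for threat, ent in parsed.items():
        print(f"{threat}: {len(ent['files'])} file(s), {len(ent['registry'])} registry key(s)")
    for clsid, info in bho_registrations(parsed).items():
        print(f"BHO {clsid} <- {info['threat']}: {', '.join(info['dlls']) or 'no DLL in group'}")
    print("kernel-mode components:", kernel_drivers(parsed))
```

Run against the full posted log, the parser reports the Small-A group's two CLSIDs as plain COM registrations (no Browser Helper Objects key), the MLLMJ CLSID as the one actually wired into the browser, and XPDX.SYS as the only driver-level detection, which is the distinction a helper triaging such a log wants to see at a glance.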


#7 Budapest

  • Bleepin' Cynic
  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 27 November 2007 - 10:18 AM

Did you run the SuperAntiSpyware scan in Safe Mode? If not, please run it again in Safe Mode.

How to start Windows in Safe Mode
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#8 MiNdWaRp

  • Topic Starter
  • Members
  • 18 posts

Posted 27 November 2007 - 11:14 AM

Yes I did...

I made a post in the HijackThis forum as requested.
http://www.bleepingcomputer.com/forums/t/118539/infected-by-several-viruses-including-virtumonde/

Edited by MiNdWaRp, 27 November 2007 - 01:05 PM.


#9 quietman7

  • Bleepin' Janitor
  • Global Moderator
  • 51,492 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 27 November 2007 - 05:07 PM

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

IMPORTANT NOTE: One or more of the identified infections was a nasty rootkit. When someone comes to assist you, give them a link to this thread and advise that a rootkit was found on your system.

Rootkits are very dangerous because they use advanced techniques as a means of accessing a computer system that bypass security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use them as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect your computer from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.