
Virtumonde.dll- I Can't Get Rid Of It.



#1 quinnteq

quinnteq

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Location:Buffalo New York
  • Local time:07:21 PM

Posted 23 March 2008 - 09:34 AM

OK, for a few days I have been getting strange errors like my Control Panel options not working (Windows tells me that the parameter is incorrect and gives me the path to rundll32.exe), and I have noticed that there are two entries of rundll32.exe running in the background when I don't have anything open. I thought that was kind of strange, so I ran Spybot S&D and it found virtumonde.dll. When I try to clean out the entries it won't... It tells me "Out of Memory" and "Failed to load C:\program files\spybot - search_destroy\DelZip179.exe".

I have no clue how to get rid of it now... I have used Iolo System Mechanic 7 to remove the strange startup entries, but I still keep getting strange errors when I use my Control Panel options, and even when I kill the rundll32.exe processes, they come back after a few minutes or whenever I restart.


#2 dmndmn

Posted 23 March 2008 - 09:49 AM

You might want to tell the moderators about your OS build version and stuff like that. And I think it is better that you get SUPERAntiSpyware from the net. It is free; download that, scan and post the log here. Hope this helps, mate. Good luck.

#3 don77

Posted 23 March 2008 - 10:17 AM

Hello and welcome quinnteq

Have a look Here and post the vundofix.txt back here please.

Also

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#4 quinnteq

Posted 23 March 2008 - 12:22 PM

OK, I scanned, rebooted and here's the log.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/23/2008 at 01:13 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 00:19:27

Memory items scanned : 538
Memory threats detected : 1
Registry items scanned : 3879
Registry threats detected : 13
File items scanned : 16430
File threats detected : 21

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\MLJJH.DLL
C:\WINDOWS\SYSTEM32\MLJJH.DLL

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{1D01B647-6CE4-447F-B36B-E30401F61916}
HKCR\CLSID\{1D01B647-6CE4-447F-B36B-E30401F61916}
HKCR\CLSID\{1D01B647-6CE4-447F-B36B-E30401F61916}\InprocServer32
HKCR\CLSID\{1D01B647-6CE4-447F-B36B-E30401F61916}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1D01B647-6CE4-447F-B36B-E30401F61916}

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{2427C92A-A888-4939-9406-0470C692A5BA}
HKCR\CLSID\{2427C92A-A888-4939-9406-0470C692A5BA}
HKCR\CLSID\{2427C92A-A888-4939-9406-0470C692A5BA}\InprocServer32
HKCR\CLSID\{2427C92A-A888-4939-9406-0470C692A5BA}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSQO.DLL
HKLM\Software\Classes\CLSID\{4E7B8867-6762-4870-ADAB-4F3425E2A78D}
HKCR\CLSID\{4E7B8867-6762-4870-ADAB-4F3425E2A78D}
HKCR\CLSID\{4E7B8867-6762-4870-ADAB-4F3425E2A78D}\InprocServer32
HKCR\CLSID\{4E7B8867-6762-4870-ADAB-4F3425E2A78D}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSQQ.DLL

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP29\A0002469.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010817.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010849.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010850.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010851.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010854.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010856.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010858.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010859.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010862.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0012293.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0012294.DLL

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010863.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0012290.DLL

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\HJJLM.INI
C:\WINDOWS\SYSTEM32\OQSTV.INI
C:\WINDOWS\SYSTEM32\OQSTV.INI2
C:\WINDOWS\SYSTEM32\QQSTV.INI

#5 don77

Posted 23 March 2008 - 12:30 PM

Were you able to run VundoFix?

I would like to see the log from that please; you will be looking for
C:\vundofix.txt

#6 quinnteq

Posted 23 March 2008 - 02:26 PM

VundoFix kept hanging during the scan, so I tried the other program, "VirtumundoBeGone". Here is the log from that program.


[03/23/2008, 15:20:27] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Quinton\Desktop\VirtumundoBeGone.exe" )
[03/23/2008, 15:20:38] - Detected System Information:
[03/23/2008, 15:20:38] - Windows Version: 5.1.2600, Service Pack 2
[03/23/2008, 15:20:38] - Current Username: Quinton (Admin)
[03/23/2008, 15:20:38] - Windows is in SAFE mode.
[03/23/2008, 15:20:38] - Searching for Browser Helper Objects:
[03/23/2008, 15:20:38] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/23/2008, 15:20:38] - BHO 2: {0948C1C8-E565-4DCA-807D-FE8269CDDC4C} ()
[03/23/2008, 15:20:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/23/2008, 15:20:38] - Checking for HKLM\...\Winlogon\Notify\jkkji
[03/23/2008, 15:20:38] - Key not found: HKLM\...\Winlogon\Notify\jkkji, continuing.
[03/23/2008, 15:20:38] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/23/2008, 15:20:38] - BHO 4: {9D94B6D5-A31F-4B5D-856A-A04291CD8E77} ()
[03/23/2008, 15:20:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/23/2008, 15:20:38] - Checking for HKLM\...\Winlogon\Notify\mljjh
[03/23/2008, 15:20:38] - Key not found: HKLM\...\Winlogon\Notify\mljjh, continuing.
[03/23/2008, 15:20:38] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[03/23/2008, 15:20:38] - BHO 6: {E9383002-FC55-4330-B9C9-67E03BC5C840} ()
[03/23/2008, 15:20:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/23/2008, 15:20:38] - Checking for HKLM\...\Winlogon\Notify\tuvuuro
[03/23/2008, 15:20:38] - Found: HKLM\...\Winlogon\Notify\tuvuuro - This is probably Virtumundo.
[03/23/2008, 15:20:38] - Assigning {E9383002-FC55-4330-B9C9-67E03BC5C840} MSEvents Object
[03/23/2008, 15:20:38] - BHO list has been changed! Starting over...
[03/23/2008, 15:20:38] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/23/2008, 15:20:38] - BHO 2: {0948C1C8-E565-4DCA-807D-FE8269CDDC4C} ()
[03/23/2008, 15:20:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/23/2008, 15:20:38] - Checking for HKLM\...\Winlogon\Notify\jkkji
[03/23/2008, 15:20:38] - Key not found: HKLM\...\Winlogon\Notify\jkkji, continuing.
[03/23/2008, 15:20:38] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/23/2008, 15:20:38] - BHO 4: {9D94B6D5-A31F-4B5D-856A-A04291CD8E77} ()
[03/23/2008, 15:20:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/23/2008, 15:20:38] - Checking for HKLM\...\Winlogon\Notify\mljjh
[03/23/2008, 15:20:38] - Key not found: HKLM\...\Winlogon\Notify\mljjh, continuing.
[03/23/2008, 15:20:38] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[03/23/2008, 15:20:38] - BHO 6: {E9383002-FC55-4330-B9C9-67E03BC5C840} (MSEvents Object)
[03/23/2008, 15:20:38] - ALERT: Found MSEvents Object!
[03/23/2008, 15:20:38] - Finished Searching Browser Helper Objects
[03/23/2008, 15:20:38] - *** Detected MSEvents Object
[03/23/2008, 15:20:38] - Trying to remove MSEvents Object...
[03/23/2008, 15:20:39] - Terminating Process: IEXPLORE.EXE
[03/23/2008, 15:20:40] - Terminating Process: RUNDLL32.EXE
[03/23/2008, 15:20:40] - Disabling Automatic Shell Restart
[03/23/2008, 15:20:40] - Terminating Process: EXPLORER.EXE
[03/23/2008, 15:20:40] - Suspending the NT Session Manager System Service
[03/23/2008, 15:20:40] - Terminating Windows NT Logon/Logoff Manager
[03/23/2008, 15:20:40] - Re-enabling Automatic Shell Restart
[03/23/2008, 15:20:40] - File to disable: C:\WINDOWS\system32\tuvuuro.dll
[03/23/2008, 15:20:40] - Renaming C:\WINDOWS\system32\tuvuuro.dll -> C:\WINDOWS\system32\tuvuuro.dll.vir
[03/23/2008, 15:20:40] - File successfully renamed!
[03/23/2008, 15:20:40] - Removing HKLM\...\Browser Helper Objects\{E9383002-FC55-4330-B9C9-67E03BC5C840}
[03/23/2008, 15:20:40] - Removing HKCR\CLSID\{E9383002-FC55-4330-B9C9-67E03BC5C840}
[03/23/2008, 15:20:40] - Adding Kill Bit for ActiveX for GUID: {E9383002-FC55-4330-B9C9-67E03BC5C840}
[03/23/2008, 15:20:40] - Deleting ATLEvents/MSEvents Registry entries
[03/23/2008, 15:20:40] - Removing HKLM\...\Winlogon\Notify\tuvuuro
[03/23/2008, 15:20:40] - Searching for Browser Helper Objects:
[03/23/2008, 15:20:40] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/23/2008, 15:20:40] - BHO 2: {0948C1C8-E565-4DCA-807D-FE8269CDDC4C} ()
[03/23/2008, 15:20:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/23/2008, 15:20:40] - Checking for HKLM\...\Winlogon\Notify\jkkji
[03/23/2008, 15:20:40] - Key not found: HKLM\...\Winlogon\Notify\jkkji, continuing.
[03/23/2008, 15:20:40] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/23/2008, 15:20:40] - BHO 4: {9D94B6D5-A31F-4B5D-856A-A04291CD8E77} ()
[03/23/2008, 15:20:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/23/2008, 15:20:40] - Checking for HKLM\...\Winlogon\Notify\mljjh
[03/23/2008, 15:20:40] - Key not found: HKLM\...\Winlogon\Notify\mljjh, continuing.
[03/23/2008, 15:20:40] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[03/23/2008, 15:20:40] - Finished Searching Browser Helper Objects
[03/23/2008, 15:20:40] - Finishing up...
[03/23/2008, 15:20:40] - A restart is needed.
[03/23/2008, 15:20:40] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[03/23/2008, 15:20:48] - Attempting to Restart via STOP error (Blue Screen!)


Thank you for your help so far
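The VirtumundoBeGone log above shows the correlation the tool used to pick the Vundo BHO out of the legitimate ones: a BHO whose CLSID key has no default name is suspect, and if a Winlogon\Notify subkey named after its InprocServer32 DLL exists, the tool calls it Virtumundo. The SUPERAntiSpyware log in post #4 shows a second trait of the same family: each DLL is paired with an .ini whose name is the DLL stem reversed (MLJJH.DLL with HJJLM.INI, VTSQO.DLL with OQSTV.INI). The Python below is an added example, not code from the thread or from either tool. It runs those two checks over a constructed registry snapshot and a constructed system32 listing, so it runs offline; the REGISTRY and SYSTEM32 tables are assumptions assembled from the CLSIDs and file names in the logs, not a dump of the poster's machine, and on a live Windows box the same lookups would be done with winreg instead.

```python
import ntpath
from dataclasses import dataclass, field

BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed registry snapshot (assumption, not a dump from the thread's machine).
# Each entry maps a key path to its values; "" is the key's default value.
REGISTRY = {
    BHO_KEY + r"\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}": {},
    BHO_KEY + r"\{E9383002-FC55-4330-B9C9-67E03BC5C840}": {},
    BHO_KEY + r"\{9D94B6D5-A31F-4B5D-856A-A04291CD8E77}": {},
    r"HKCR\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}": {"": "Adobe PDF Reader Link Helper"},
    r"HKCR\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\InprocServer32":
        {"": r"C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll"},
    # Two BHOs with no default name, like BHO 4 and BHO 6 in the log above.
    r"HKCR\CLSID\{E9383002-FC55-4330-B9C9-67E03BC5C840}": {},
    r"HKCR\CLSID\{E9383002-FC55-4330-B9C9-67E03BC5C840}\InprocServer32":
        {"": r"C:\WINDOWS\system32\tuvuuro.dll", "ThreadingModel": "Apartment"},
    r"HKCR\CLSID\{9D94B6D5-A31F-4B5D-856A-A04291CD8E77}": {},
    r"HKCR\CLSID\{9D94B6D5-A31F-4B5D-856A-A04291CD8E77}\InprocServer32":
        {"": r"C:\WINDOWS\system32\mljjh.dll", "ThreadingModel": "Apartment"},
    NOTIFY_KEY + r"\tuvuuro": {"DLLName": "tuvuuro.dll"},      # the hit from the log
    NOTIFY_KEY + r"\crypt32chain": {"DLLName": "crypt32.dll"}, # a legitimate entry
}

# Constructed listing of C:\WINDOWS\system32 (lower-cased file names).
SYSTEM32 = {"kernel32.dll", "crypt32.dll", "tuvuuro.dll", "mljjh.dll", "hjjlm.ini"}


def subkeys(registry, key):
    """Immediate subkey names of `key` in the snapshot (case-insensitive)."""
    prefix = key.lower() + "\\"
    return sorted({k[len(prefix):].split("\\")[0] for k in registry if k.lower().startswith(prefix)})


def value(registry, key, name=""):
    """Read one value from the snapshot; None when the key or value is absent."""
    for k, vals in registry.items():
        if k.lower() == key.lower():
            return vals.get(name)
    return None


def reversed_ini_name(dll_name):
    """Vundo stored settings in an .ini whose stem is the DLL stem reversed
    (mljjh.dll -> hjjlm.ini), as the SUPERAntiSpyware log shows."""
    return ntpath.splitext(dll_name)[0][::-1] + ".ini"


@dataclass
class Finding:
    clsid: str
    name: str
    dll: str
    indicators: list = field(default_factory=list)

    @property
    def verdict(self):
        # A missing name alone is only a warning; a Winlogon\Notify hook or a
        # reversed-name .ini next to the DLL is what the tool treated as Vundo.
        if any(i.startswith(("Winlogon", "reversed")) for i in self.indicators):
            return "probable Vundo"
        return "warning" if self.indicators else "ok"


def assess_bhos(registry=REGISTRY, system32=SYSTEM32):
    """Apply the BHO -> CLSID name -> Winlogon\\Notify -> reversed .ini checks."""
    findings = {}
    notify_names = {s.lower() for s in subkeys(registry, NOTIFY_KEY)}
    for clsid in subkeys(registry, BHO_KEY):
        clsid_key = r"HKCR\CLSID" + "\\" + clsid
        name = value(registry, clsid_key) or ""
        dll = value(registry, clsid_key + r"\InprocServer32") or ""
        f = Finding(clsid, name, dll)
        if not name:
            f.indicators.append("no default name on CLSID key")
        base = ntpath.basename(dll).lower()          # ntpath handles backslashes anywhere
        stem = ntpath.splitext(base)[0]
        if stem and stem in notify_names:
            f.indicators.append(f"Winlogon\\Notify\\{stem} present")
        if base and reversed_ini_name(base) in system32:
            f.indicators.append(f"reversed-name ini {reversed_ini_name(base)} present")
        findings[clsid] = f
    return findings


if __name__ == "__main__":
    for clsid, f in assess_bhos().items():
        print(f"{f.verdict:15} {clsid} {f.name or '(no name)'} {f.dll}")
        for i in f.indicators:
            print("   -", i)
```

Run stand-alone it prints one line per BHO with its verdict and the indicators behind it; the Adobe helper comes out "ok", the tuvuuro BHO is flagged through the Winlogon\Notify hook and the mljjh BHO through its reversed-name .ini.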

#7 quinnteq

Posted 23 March 2008 - 03:45 PM

I ran SUPERAntiSpyware again, and this is the resulting log... I can't seem to get these few entries out of my system.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/23/2008 at 04:30 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 00:29:08

Memory items scanned : 521
Memory threats detected : 1
Registry items scanned : 3879
Registry threats detected : 10
File items scanned : 16453
File threats detected : 3

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\JKKJI.DLL
C:\WINDOWS\SYSTEM32\JKKJI.DLL

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{9D94B6D5-A31F-4B5D-856A-A04291CD8E77}
HKCR\CLSID\{9D94B6D5-A31F-4B5D-856A-A04291CD8E77}
HKCR\CLSID\{9D94B6D5-A31F-4B5D-856A-A04291CD8E77}\InprocServer32
HKCR\CLSID\{9D94B6D5-A31F-4B5D-856A-A04291CD8E77}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLJJH.DLL
HKLM\Software\Classes\CLSID\{9FD1C533-CB36-49D2-B289-57017B621BE9}
HKCR\CLSID\{9FD1C533-CB36-49D2-B289-57017B621BE9}
HKCR\CLSID\{9FD1C533-CB36-49D2-B289-57017B621BE9}\InprocServer32
HKCR\CLSID\{9FD1C533-CB36-49D2-B289-57017B621BE9}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D94B6D5-A31F-4B5D-856A-A04291CD8E77}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9FD1C533-CB36-49D2-B289-57017B621BE9}

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP34\A0013401.DLL

#8 don77

Posted 23 March 2008 - 08:20 PM

Could you run SUPERAntiSpyware in SAFE MODE please?
After you're back into normal mode, post the log back here for me please.

#9 quinnteq

Posted 23 March 2008 - 09:00 PM

OK, so I finally got VundoFix to complete the scan while I was out... I suppose I didn't wait long enough... there's no progress bar, I just figured it froze. Anyway, here's the log.


VundoFix V7.0.3

Scan started at 1:33:08 PM 3/23/2008

Listing files found while scanning....


VundoFix V7.0.3

Scan started at 3:12:27 PM 3/23/2008

Listing files found while scanning....


Beginning removal...

VundoFix V7.0.3

Scan started at 7:24:53 PM 3/23/2008

Listing files found while scanning....

C:\Program Files\PowerISO\PWRISOSH.DLL

Beginning removal...

Attempting to delete C:\Program Files\PowerISO\PWRISOSH.DLL
C:\Program Files\PowerISO\PWRISOSH.DLL Has been deleted!

Performing Repairs to the registry.
Done!


I'll wait for your reply to see if I need to do anything else. Thank you so much for your support! Really, I thank you!

#10 don77

Posted 23 March 2008 - 09:24 PM

Yes, please run SUPERAntiSpyware in safe mode.

#11 quinnteq

Posted 23 March 2008 - 11:29 PM

I ran it one last time, and it detected nothing.

Here's the log anyhow...

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/24/2008 at 00:20 AM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 01:06:53

Memory items scanned : 166
Memory threats detected : 0
Registry items scanned : 3873
Registry threats detected : 0
File items scanned : 16445
File threats detected : 0


I hope that's all...

#12 don77

Posted 24 March 2008 - 05:58 AM

Excellent :thumbsup:

Let's run one more to be sure nothing else is hiding.
Please do an online scan with Kaspersky WebScanner

Click on Accept Button

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#13 quinnteq

Posted 24 March 2008 - 05:41 PM

Monday, March 24, 2008 6:41:05 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/03/2008
Kaspersky Anti-Virus database records: 659498
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 78766
Number of viruses found 4
Number of infected objects 22
Number of suspicious objects 0
Duration of the scan process 00:48:12

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Quinton\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Quinton\Local Settings\Application Data\ATI\ACE\Log\MOM-0.log Object is locked skipped
C:\Documents and Settings\Quinton\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Quinton\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Quinton\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Quinton\Local Settings\Temp\fb_316.lck Object is locked skipped
C:\Documents and Settings\Quinton\Local Settings\Temp\Perflib_Perfdata_13c.dat Object is locked skipped
C:\Documents and Settings\Quinton\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Quinton\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Quinton\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Flock\flock\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\SmitfraudFix\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\SmitfraudFix\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\SmitfraudFix\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\RECYCLER\S-1-5-21-515967899-484763869-839522115-1004\Dc10.535u\Fixed Patch\keygen.exe/data0000.cab/is151740.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-515967899-484763869-839522115-1004\Dc10.535u\Fixed Patch\keygen.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-515967899-484763869-839522115-1004\Dc10.535u\Fixed Patch\keygen.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP30\A0002595.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP30\A0002595.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP30\A0004622.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010853.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010855.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010860.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010861.dll Infected: not-a-virus:AdWare.Win32.Agent.asj skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0012292.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP34\A0013386.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP34\A0013493.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP34\A0013493.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP34\A0013493.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP35\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\pmnkihe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\tuvuuro.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6d4.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

#14 don77

Posted 24 March 2008 - 10:35 PM

Nearly there, just one more Vundo file hanging in there. The rest of what Kaspersky is finding is quarantined items, an infected restore point which we will clean out when we are done, and SmitfraudFix is throwing up some false positives, but we will get all that sorted.

Please download VundoFix.exe to your desktop if you don't already have it.
  • Open a new notepad window
  • Paste the list of files from the quote box below into the notepad window.

    C:\WINDOWS\system32\pmnkihe.dll

  • Save this as vundofix.vft and Save as type "all files".
  • Double-click VundoFix.exe to run it.
  • Drag vundofix.vft onto the listbox (white box) of VundoFix.
  • Click the "Remove Vundo" button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
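don77's reading of the Kaspersky report in the reply above, that only pmnkihe.dll is still live while the rest is restore-point copies, the .vir file VirtumundoBeGone renamed in post #6, a keygen sitting in the Recycle Bin, locked system files that were merely skipped, and SmitfraudFix's own Reboot.exe, is a triage that can be written down. The Python below is an added example, not code from the thread or from Kaspersky. It parses the report's line format (path, then "Object is locked", "Infected: <name>" or "<container>: infected - N", then the action), folds archive members into the on-disk file that contains them, and sorts each file into a category. SAMPLE_LOG is a constructed excerpt of the lines posted above, and the category rules are my assumptions drawn from the reply, not Kaspersky's own classification.

```python
import re
from collections import Counter

# Constructed excerpt of the Kaspersky Online Scanner report posted above
# (a subset of its lines, used here as sample input).
SAMPLE_LOG = r"""
C:\Documents and Settings\Quinton\NTUSER.DAT Object is locked skipped
C:\Program Files\SmitfraudFix\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\SmitfraudFix\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\SmitfraudFix\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\RECYCLER\S-1-5-21-515967899-484763869-839522115-1004\Dc10.535u\Fixed Patch\keygen.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-515967899-484763869-839522115-1004\Dc10.535u\Fixed Patch\keygen.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{ACD11A7F-D01C-464F-BD0F-5B960FF70222}\RP33\A0010853.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\pmnkihe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\tuvuuro.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
"""

# One report line: <path> then one of three status forms, then the action taken.
# The path is matched lazily because it contains spaces.
LINE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<container>\S+): infected - (?P<count>\d+)"
    r") (?P<action>\S+)$"
)


def classify(path, names):
    """Category for one on-disk file, given every detection name reported for
    it or for anything packed inside it. Rules are assumptions taken from the
    reply above, not Kaspersky's own classification."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"      # cleared by purging System Restore
    if p.startswith("c:\\recycler\\"):
        return "recycle_bin"        # cleared by emptying the Recycle Bin
    if p.endswith(".vir"):
        return "quarantined"        # VirtumundoBeGone's rename; delete it
    if names and all(n.startswith("not-a-virus:RiskTool") for n in names):
        return "tool_fp"            # a cleanup tool's own helper binary
    return "live"                   # still on disk and loadable: needs removal


def triage(log_text=SAMPLE_LOG):
    """Map each on-disk path to (category, sorted detection names). Archive
    members ("file.exe/inner/member") are folded into the file that contains
    them, so the result counts files to act on rather than nested hits."""
    names_by_file, locked, order = {}, set(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                # blank or header line
        outer = m["path"].split("/")[0]
        if outer not in names_by_file:
            names_by_file[outer] = set()
            order.append(outer)
        if m["locked"]:
            locked.add(outer)
        elif m["name"]:
            names_by_file[outer].add(m["name"])
        # "<container>: infected - N" lines only summarise members already seen
    return {
        f: ("locked", []) if f in locked
        else (classify(f, names_by_file[f]), sorted(names_by_file[f]))
        for f in order
    }


def live_files(log_text=SAMPLE_LOG):
    """The files that still need a removal step."""
    return [f for f, (cat, _) in triage(log_text).items() if cat == "live"]


def summary(log_text=SAMPLE_LOG):
    return Counter(cat for cat, _ in triage(log_text).values())


if __name__ == "__main__":
    for path, (cat, names) in triage().items():
        print(f"{cat:13} {path}  {', '.join(names)}")
    print(dict(summary()))
    print("still live:", live_files())
```

Only the "live" category calls for a removal tool; "locked" entries are files the scanner could not open and say nothing about infection, and the other categories are cleared by the housekeeping steps the reply lists (purging System Restore, emptying the Recycle Bin, deleting the renamed .vir file).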

#15 quinnteq

Posted 25 March 2008 - 08:02 PM

OK, done... here's the old log, with the new stuff at the bottom. I figured I'd copy it all in case I missed something.



VundoFix V7.0.3

Scan started at 1:33:08 PM 3/23/2008

Listing files found while scanning....


VundoFix V7.0.3

Scan started at 3:12:27 PM 3/23/2008

Listing files found while scanning....


Beginning removal...

VundoFix V7.0.3

Scan started at 7:24:53 PM 3/23/2008

Listing files found while scanning....

C:\Program Files\PowerISO\PWRISOSH.DLL

Beginning removal...

Attempting to delete C:\Program Files\PowerISO\PWRISOSH.DLL
C:\Program Files\PowerISO\PWRISOSH.DLL Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmnkihe.dll
C:\WINDOWS\system32\pmnkihe.dll Has been deleted!

Performing Repairs to the registry.
Done!



