Losing The Battle With Virtumonde


#1 gator34

  • Members
  • 1 posts

Posted 03 April 2008 - 07:21 AM

Greetings and thank you for the forum opportunity. I am having trouble removing the virus on my computer after following the steps in the forum/topic 34773.

I have a list of several of the error file names:
C:\windows\inf\GETPLUSo.INF
C:\windows\system32\ynlijxuy.dll
BM731c66ff\system32\exe
rundll32.exe\system32

Here is a copy of the string after running directions in safe mode:

[04/03/2008, 7:48:48] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Ernie Trefzer\My Documents\VirtumundoBeGone.exe" )
[04/03/2008, 7:48:51] - Detected System Information:
[04/03/2008, 7:48:51] - Windows Version: 5.1.2600, Service Pack 2
[04/03/2008, 7:48:51] - Current Username: Ernie Trefzer (Admin)
[04/03/2008, 7:48:51] - Windows is in SAFE mode.
[04/03/2008, 7:48:51] - Searching for Browser Helper Objects:
[04/03/2008, 7:48:51] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[04/03/2008, 7:48:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:51] - No filename found. Continuing.
[04/03/2008, 7:48:51] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/03/2008, 7:48:51] - BHO 3: {16B435F6-B6CE-4F24-A568-944B27ED919C} (targettedbanner.biz browser enhancer)
[04/03/2008, 7:48:51] - BHO 4: {1a104895-cc1c-4895-a4a6-533f40bd281d} ()
[04/03/2008, 7:48:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:51] - No filename found. Continuing.
[04/03/2008, 7:48:51] - BHO 5: {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} ()
[04/03/2008, 7:48:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:51] - Checking for HKLM\...\Winlogon\Notify\fcccdab
[04/03/2008, 7:48:51] - Found: HKLM\...\Winlogon\Notify\fcccdab - This is probably Virtumundo.
[04/03/2008, 7:48:51] - Assigning {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} MSEvents Object
[04/03/2008, 7:48:51] - BHO list has been changed! Starting over...
[04/03/2008, 7:48:51] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[04/03/2008, 7:48:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:51] - No filename found. Continuing.
[04/03/2008, 7:48:51] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/03/2008, 7:48:51] - BHO 3: {16B435F6-B6CE-4F24-A568-944B27ED919C} (targettedbanner.biz browser enhancer)
[04/03/2008, 7:48:51] - BHO 4: {1a104895-cc1c-4895-a4a6-533f40bd281d} ()
[04/03/2008, 7:48:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:51] - No filename found. Continuing.
[04/03/2008, 7:48:51] - BHO 5: {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} (MSEvents Object)
[04/03/2008, 7:48:52] - ALERT: Found MSEvents Object!
[04/03/2008, 7:48:52] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/03/2008, 7:48:52] - BHO 7: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[04/03/2008, 7:48:52] - BHO 8: {62BCBFC5-465E-436C-B812-C567FBC02B1F} ()
[04/03/2008, 7:48:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:52] - No filename found. Continuing.
[04/03/2008, 7:48:52] - BHO 9: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/03/2008, 7:48:52] - BHO 10: {991970B4-6F15-404C-A19F-E91C49E2AD7A} ()
[04/03/2008, 7:48:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:52] - Checking for HKLM\...\Winlogon\Notify\pmkjg
[04/03/2008, 7:48:52] - Key not found: HKLM\...\Winlogon\Notify\pmkjg, continuing.
[04/03/2008, 7:48:52] - BHO 11: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[04/03/2008, 7:48:52] - BHO 12: {B5CECFAF-68E0-4847-81B1-4F23C2D69AF4} ()
[04/03/2008, 7:48:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:52] - No filename found. Continuing.
[04/03/2008, 7:48:52] - BHO 13: {C39EC5DC-BFF8-47D0-821E-79B03EFCBF19} ()
[04/03/2008, 7:48:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:52] - Checking for HKLM\...\Winlogon\Notify\jkkjj
[04/03/2008, 7:48:52] - Key not found: HKLM\...\Winlogon\Notify\jkkjj, continuing.
[04/03/2008, 7:48:52] - BHO 14: {E057BAB1-81B1-4B40-9B09-85F9C7B50322} ()
[04/03/2008, 7:48:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:52] - No filename found. Continuing.
[04/03/2008, 7:48:52] - BHO 15: {E750A13E-67B9-4371-B959-318C10014068} ()
[04/03/2008, 7:48:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:52] - No filename found. Continuing.
[04/03/2008, 7:48:52] - BHO 16: {F918B6D7-6A82-43F5-95EF-B47F50B45DE6} ()
[04/03/2008, 7:48:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:52] - No filename found. Continuing.
[04/03/2008, 7:48:52] - Finished Searching Browser Helper Objects
[04/03/2008, 7:48:52] - *** Detected MSEvents Object
[04/03/2008, 7:48:52] - Trying to remove MSEvents Object...
[04/03/2008, 7:48:53] - Terminating Process: IEXPLORE.EXE
[04/03/2008, 7:48:53] - Terminating Process: RUNDLL32.EXE
[04/03/2008, 7:48:53] - Disabling Automatic Shell Restart
[04/03/2008, 7:48:53] - Terminating Process: EXPLORER.EXE
[04/03/2008, 7:48:53] - Suspending the NT Session Manager System Service
[04/03/2008, 7:48:53] - Terminating Windows NT Logon/Logoff Manager
[04/03/2008, 7:48:53] - Re-enabling Automatic Shell Restart
[04/03/2008, 7:48:53] - File to disable: C:\WINDOWS\system32\fcccdab.dll
[04/03/2008, 7:48:53] - Renaming C:\WINDOWS\system32\fcccdab.dll -> C:\WINDOWS\system32\fcccdab.dll.vir
[04/03/2008, 7:48:54] - File successfully renamed!
[04/03/2008, 7:48:54] - Removing HKLM\...\Browser Helper Objects\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
[04/03/2008, 7:48:54] - Removing HKCR\CLSID\{3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
[04/03/2008, 7:48:54] - Adding Kill Bit for ActiveX for GUID: {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9}
[04/03/2008, 7:48:54] - Deleting ATLEvents/MSEvents Registry entries
[04/03/2008, 7:48:54] - Removing HKLM\...\Winlogon\Notify\fcccdab
[04/03/2008, 7:48:54] - Searching for Browser Helper Objects:
[04/03/2008, 7:48:54] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[04/03/2008, 7:48:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:54] - No filename found. Continuing.
[04/03/2008, 7:48:54] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/03/2008, 7:48:54] - BHO 3: {16B435F6-B6CE-4F24-A568-944B27ED919C} (targettedbanner.biz browser enhancer)
[04/03/2008, 7:48:54] - BHO 4: {1a104895-cc1c-4895-a4a6-533f40bd281d} ()
[04/03/2008, 7:48:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:54] - No filename found. Continuing.
[04/03/2008, 7:48:54] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/03/2008, 7:48:54] - BHO 6: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[04/03/2008, 7:48:54] - BHO 7: {62BCBFC5-465E-436C-B812-C567FBC02B1F} ()
[04/03/2008, 7:48:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:54] - No filename found. Continuing.
[04/03/2008, 7:48:54] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/03/2008, 7:48:54] - BHO 9: {991970B4-6F15-404C-A19F-E91C49E2AD7A} ()
[04/03/2008, 7:48:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:54] - Checking for HKLM\...\Winlogon\Notify\pmkjg
[04/03/2008, 7:48:54] - Key not found: HKLM\...\Winlogon\Notify\pmkjg, continuing.
[04/03/2008, 7:48:54] - BHO 10: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[04/03/2008, 7:48:54] - BHO 11: {B5CECFAF-68E0-4847-81B1-4F23C2D69AF4} ()
[04/03/2008, 7:48:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:54] - No filename found. Continuing.
[04/03/2008, 7:48:54] - BHO 12: {C39EC5DC-BFF8-47D0-821E-79B03EFCBF19} ()
[04/03/2008, 7:48:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:54] - Checking for HKLM\...\Winlogon\Notify\jkkjj
[04/03/2008, 7:48:54] - Key not found: HKLM\...\Winlogon\Notify\jkkjj, continuing.
[04/03/2008, 7:48:54] - BHO 13: {E057BAB1-81B1-4B40-9B09-85F9C7B50322} ()
[04/03/2008, 7:48:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:54] - No filename found. Continuing.
[04/03/2008, 7:48:54] - BHO 14: {E750A13E-67B9-4371-B959-318C10014068} ()
[04/03/2008, 7:48:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:54] - No filename found. Continuing.
[04/03/2008, 7:48:54] - BHO 15: {F918B6D7-6A82-43F5-95EF-B47F50B45DE6} ()
[04/03/2008, 7:48:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:54] - No filename found. Continuing.
[04/03/2008, 7:48:54] - Finished Searching Browser Helper Objects
[04/03/2008, 7:48:54] - Finishing up...
[04/03/2008, 7:48:54] - A restart is needed.
[04/03/2008, 7:48:54] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[04/03/2008, 7:49:08] - Attempting to Restart via STOP error (Blue Screen!)

[04/03/2008, 7:52:31] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Ernie Trefzer\My Documents\VirtumundoBeGone.exe" )
[04/03/2008, 7:52:41] - Detected System Information:
[04/03/2008, 7:52:41] - Windows Version: 5.1.2600, Service Pack 2
[04/03/2008, 7:52:41] - Current Username: Ernie Trefzer (Admin)
[04/03/2008, 7:52:41] - Windows is in SAFE mode.
[04/03/2008, 7:52:41] - Searching for Browser Helper Objects:
[04/03/2008, 7:52:41] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[04/03/2008, 7:52:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:52:41] - No filename found. Continuing.
[04/03/2008, 7:52:41] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/03/2008, 7:52:41] - BHO 3: {16B435F6-B6CE-4F24-A568-944B27ED919C} (targettedbanner.biz browser enhancer)
[04/03/2008, 7:52:41] - BHO 4: {1a104895-cc1c-4895-a4a6-533f40bd281d} ()
[04/03/2008, 7:52:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:52:41] - No filename found. Continuing.
[04/03/2008, 7:52:41] - BHO 5: {4D6D3F8F-733C-4DA4-BF2C-13374A83B6B3} ()
[04/03/2008, 7:52:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:52:41] - Checking for HKLM\...\Winlogon\Notify\pmkjg
[04/03/2008, 7:52:41] - Key not found: HKLM\...\Winlogon\Notify\pmkjg, continuing.
[04/03/2008, 7:52:41] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[04/03/2008, 7:52:41] - BHO 7: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[04/03/2008, 7:52:41] - BHO 8: {62BCBFC5-465E-436C-B812-C567FBC02B1F} ()
[04/03/2008, 7:52:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:52:41] - No filename found. Continuing.
[04/03/2008, 7:52:41] - BHO 9: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/03/2008, 7:52:41] - BHO 10: {AE7CD045-E861-484f-8273-0445EE161910} (AcroIEToolbarHelper Class)
[04/03/2008, 7:52:41] - BHO 11: {B5CECFAF-68E0-4847-81B1-4F23C2D69AF4} ()
[04/03/2008, 7:52:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:52:41] - No filename found. Continuing.
[04/03/2008, 7:52:41] - BHO 12: {C39EC5DC-BFF8-47D0-821E-79B03EFCBF19} ()
[04/03/2008, 7:52:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:52:41] - Checking for HKLM\...\Winlogon\Notify\jkkjj
[04/03/2008, 7:52:41] - Key not found: HKLM\...\Winlogon\Notify\jkkjj, continuing.
[04/03/2008, 7:52:41] - BHO 13: {E057BAB1-81B1-4B40-9B09-85F9C7B50322} ()
[04/03/2008, 7:52:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:52:41] - No filename found. Continuing.
[04/03/2008, 7:52:41] - BHO 14: {E750A13E-67B9-4371-B959-318C10014068} ()
[04/03/2008, 7:52:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:52:41] - No filename found. Continuing.
[04/03/2008, 7:52:41] - BHO 15: {F918B6D7-6A82-43F5-95EF-B47F50B45DE6} ()
[04/03/2008, 7:52:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:52:41] - No filename found. Continuing.
[04/03/2008, 7:52:41] - Finished Searching Browser Helper Objects
[04/03/2008, 7:52:41] - Finishing up...
[04/03/2008, 7:52:41] - Nothing found! Exiting...

I also ran a search via http:\\onecare.live.com\site\en-us with no luck or items found.

I am looking for what to do next. Any assistance would be appreciated as my computer is getting jammed on every use.
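An added example, not part of gator34's post and not code from the VirtumundoBeGone tool: a small Python triage parser for the log format quoted above. Given one or more runs of the tool's output it pulls out the BHO CLSIDs that never carry a default name, the Winlogon\Notify keys the tool attributed to Virtumundo, the files it renamed out of the way, and the final status of the last run, so a helper reading the thread can see at a glance what the tool did and whether anything was left to look at after the reboot. The sample log is constructed from a subset of the lines in the post, with the executable path replaced by a placeholder; the regular expressions are written against the line shapes visible in that log and nothing else.

```python
import re
from dataclasses import dataclass, field

# Line shape of the VirtumundoBeGone log quoted in the post: "[MM/DD/YYYY, H:MM:SS] - message"
LINE_RE = re.compile(r"^\[(?P<date>\d{2}/\d{2}/\d{4}), (?P<time>\d{1,2}:\d{2}:\d{2})\] - (?P<msg>.*)$")
BHO_RE = re.compile(r"^BHO (?P<idx>\d+): \{(?P<guid>[0-9A-Fa-f-]{36})\} \((?P<name>.*)\)$")
NOTIFY_FOUND_RE = re.compile(r"^Found: (?P<key>\S+) - This is probably Virtumundo\.$")
RENAME_RE = re.compile(r"^Renaming (?P<src>.+?) -> (?P<dst>.+)$")
FINAL_STATUS = ("Nothing found! Exiting...", "A restart is needed.")


@dataclass
class Triage:
    runs: int = 0                                       # tool invocations seen in the log
    safe_mode: bool = False                             # tool reported Windows in safe mode
    named_bhos: dict = field(default_factory=dict)      # CLSID -> default name
    unnamed_bhos: list = field(default_factory=list)    # CLSIDs never seen with a default name
    winlogon_hits: list = field(default_factory=list)   # Winlogon\Notify keys attributed to Virtumundo
    msevents_alert: bool = False                        # "ALERT: Found MSEvents Object!" seen
    disabled_files: list = field(default_factory=list)  # (original path, renamed path)
    final_status: str = ""                              # last status line of the last run


def parse_lines(text):
    """Yield (date, time, message) for every well-formed log line; blanks and junk are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("date"), m.group("time"), m.group("msg")


def triage_log(text):
    """Summarise one or more VirtumundoBeGone runs into a Triage record."""
    t = Triage()
    seen_unnamed = []
    for _date, _time, msg in parse_lines(text):
        if msg.startswith("VirtumundoBeGone v"):
            t.runs += 1
        elif msg == "Windows is in SAFE mode.":
            t.safe_mode = True
        elif (bho := BHO_RE.match(msg)):
            guid = bho.group("guid").upper()
            if bho.group("name"):
                t.named_bhos[guid] = bho.group("name")
            elif guid not in seen_unnamed:
                seen_unnamed.append(guid)
        elif (hit := NOTIFY_FOUND_RE.match(msg)):
            t.winlogon_hits.append(hit.group("key"))
        elif msg == "ALERT: Found MSEvents Object!":
            t.msevents_alert = True
        elif (ren := RENAME_RE.match(msg)):
            t.disabled_files.append((ren.group("src"), ren.group("dst")))
        elif msg in FINAL_STATUS:
            t.final_status = msg
    # A CLSID the tool later assigned a name to (e.g. "MSEvents Object") is no longer "unnamed".
    t.unnamed_bhos = [g for g in seen_unnamed if g not in t.named_bhos]
    return t


def report(t):
    """Human-readable lines a forum helper could paste back."""
    lines = [f"runs: {t.runs}, safe mode: {t.safe_mode}, final status: {t.final_status or 'unknown'}"]
    lines.append(f"MSEvents alert: {t.msevents_alert}")
    for key in t.winlogon_hits:
        lines.append(f"Winlogon\\Notify hit: {key}")
    for src, dst in t.disabled_files:
        lines.append(f"disabled: {src} -> {dst}")
    for guid in t.unnamed_bhos:
        lines.append(f"BHO with no default name, identify the DLL behind this CLSID before trusting it: {{{guid}}}")
    return lines


# Constructed sample: a subset of the lines quoted in the post; the executable path is a placeholder.
SAMPLE_LOG = r"""
[04/03/2008, 7:48:48] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\user\My Documents\VirtumundoBeGone.exe" )
[04/03/2008, 7:48:51] - Windows is in SAFE mode.
[04/03/2008, 7:48:51] - Searching for Browser Helper Objects:
[04/03/2008, 7:48:51] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[04/03/2008, 7:48:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:51] - No filename found. Continuing.
[04/03/2008, 7:48:51] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/03/2008, 7:48:51] - BHO 5: {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} ()
[04/03/2008, 7:48:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[04/03/2008, 7:48:51] - Checking for HKLM\...\Winlogon\Notify\fcccdab
[04/03/2008, 7:48:51] - Found: HKLM\...\Winlogon\Notify\fcccdab - This is probably Virtumundo.
[04/03/2008, 7:48:51] - Assigning {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} MSEvents Object
[04/03/2008, 7:48:51] - BHO 5: {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} (MSEvents Object)
[04/03/2008, 7:48:52] - ALERT: Found MSEvents Object!
[04/03/2008, 7:48:53] - Renaming C:\WINDOWS\system32\fcccdab.dll -> C:\WINDOWS\system32\fcccdab.dll.vir
[04/03/2008, 7:48:54] - A restart is needed.

[04/03/2008, 7:52:31] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\user\My Documents\VirtumundoBeGone.exe" )
[04/03/2008, 7:52:41] - Windows is in SAFE mode.
[04/03/2008, 7:52:41] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} ()
[04/03/2008, 7:52:41] - Nothing found! Exiting...
"""

if __name__ == "__main__":
    for line in report(triage_log(SAMPLE_LOG)):
        print(line)
```

On the full log in the post, the same parser would report one Winlogon\Notify hit (fcccdab), one renamed DLL, a final status of "Nothing found! Exiting..." for the second run, and a list of CLSIDs that never showed a default name; that last list is the part worth following up by hand, because an unnamed BHO is exactly what the tool could not classify on its own.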

#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,963 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 07 April 2008 - 10:38 PM

Hello gator34 and welcome to BC :thumbsup:

Sorry about the delayed response. We are all volunteers here and sometimes things slip past us.

In order to provide you with proper directions, we need a bit more information.

What is your operating system: Windows XP, Vista, etc.?

What security programs do you have installed? Please name them.

How is your computer operating? What is it doing if it is not operating properly?

Orange Blossom :flowers:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
