
Think I Am Infected With Virtumonde


9 replies to this topic

#1 Salina

Salina

  • Members
  • 35 posts

Posted 05 June 2008 - 09:07 PM

I think that I am infected with Virtumonde. I used Spybot Search and Destroy to try and clean it off. My computer was getting stuck, so I used Control-Alt-Delete and closed things that were being run by me and not the system or network. But I think I messed things up, because now I do not have a bottom toolbar and I have to use the Windows Task Manager to open programs. I would appreciate it if someone could help me to recover my bottom bar and to clean my computer of any infections.
Thank you. I would be thankful for any help.


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,538 posts
  • Gender:Male
  • Location:NJ USA

Posted 05 June 2008 - 11:45 PM

Hi and welcome. Please tell us your operating system.

Then use the instructions in our self help tutorial.
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo

The 2 possible scanlogs are located at
VundoFix: scan report is saved at C:\vundofix.txt

VirtumundoBeGone
When finished it will create a log named VBG.TXT on your desktop.

Please post the contents of C:\vundofix.txt and VBG.TXT in your next reply.

#3 Salina

Salina
  • Topic Starter

  • Members
  • 35 posts

Posted 06 June 2008 - 07:00 PM

I have a Dell M1210 and Windows XP Home Edition.


VBG


[06/06/2008, 19:22:11] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Salina\Desktop\VirtumundoBeGone.exe" )
[06/06/2008, 19:22:17] - Detected System Information:
[06/06/2008, 19:22:17] - Windows Version: 5.1.2600, Service Pack 2
[06/06/2008, 19:22:17] - Current Username: Salina (Admin)
[06/06/2008, 19:22:17] - Windows is in SAFE mode.
[06/06/2008, 19:22:17] - Searching for Browser Helper Objects:
[06/06/2008, 19:22:17] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[06/06/2008, 19:22:17] - BHO 2: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} ()
[06/06/2008, 19:22:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/06/2008, 19:22:17] - Checking for HKLM\...\Winlogon\Notify\NppBho
[06/06/2008, 19:22:17] - Key not found: HKLM\...\Winlogon\Notify\NppBho, continuing.
[06/06/2008, 19:22:17] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[06/06/2008, 19:22:17] - BHO 4: {539E522B-D1B9-4B30-B979-A5ACFAC53DC5} ()
[06/06/2008, 19:22:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/06/2008, 19:22:17] - No filename found. Continuing.
[06/06/2008, 19:22:17] - BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[06/06/2008, 19:22:17] - BHO 6: {7344CB51-2C35-49A9-AF21-90C49E8311D5} ()
[06/06/2008, 19:22:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/06/2008, 19:22:17] - Checking for HKLM\...\Winlogon\Notify\ssqoOFyy
[06/06/2008, 19:22:17] - Key not found: HKLM\...\Winlogon\Notify\ssqoOFyy, continuing.
[06/06/2008, 19:22:17] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/06/2008, 19:22:17] - BHO 8: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[06/06/2008, 19:22:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/06/2008, 19:22:17] - No filename found. Continuing.
[06/06/2008, 19:22:17] - BHO 9: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/06/2008, 19:22:17] - BHO 10: {A35D567D-7BBC-4EA3-9917-279D2A403A68} ()
[06/06/2008, 19:22:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/06/2008, 19:22:17] - Checking for HKLM\...\Winlogon\Notify\qoMccbBt
[06/06/2008, 19:22:17] - Key not found: HKLM\...\Winlogon\Notify\qoMccbBt, continuing.
[06/06/2008, 19:22:17] - BHO 11: {A7327C09-B521-4EDB-8509-7D2660C9EC98} (Viewpoint Toolbar BHO)
[06/06/2008, 19:22:17] - BHO 12: {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} (TwcToolbarBhoApp Class)
[06/06/2008, 19:22:17] - BHO 13: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/06/2008, 19:22:17] - BHO 14: {B3B32460-6ED1-4217-8648-7ECC7393C43B} ()
[06/06/2008, 19:22:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/06/2008, 19:22:17] - No filename found. Continuing.
[06/06/2008, 19:22:17] - BHO 15: {CA6319C0-31B7-401E-A518-A07C3DB8F777} (CBrowserHelperObject Object)
[06/06/2008, 19:22:17] - BHO 16: {E23136A1-1AC4-4D1B-926F-5D537CFFF359} ()
[06/06/2008, 19:22:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/06/2008, 19:22:17] - No filename found. Continuing.
[06/06/2008, 19:22:17] - Finished Searching Browser Helper Objects
[06/06/2008, 19:22:17] - Finishing up...
[06/06/2008, 19:22:17] - Nothing found! Exiting...


VundoFix


VundoFix V7.0.5

Scan started at 6:31:59 PM 6/6/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

#4 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 06 June 2008 - 07:10 PM

Would you try turning off TeaTimer if it's running and doing a scan with MBAM, please? Let it fix anything it finds and post the log, please.

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062
Chewy

No. Try not. Do... or do not. There is no try.

#5 Salina

Salina
  • Topic Starter

  • Members
  • 35 posts

Posted 06 June 2008 - 08:15 PM

Malwarebytes' Anti-Malware 1.14
Database version: 800

9:05:27 PM 6/6/2008
mbam-log-6-6-2008 (21-05-27).txt

Scan type: Quick Scan
Objects scanned: 38229
Time elapsed: 7 minute(s), 10 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe (Adware.Hotbar) -> Failed to unload process.

Memory Modules Infected:
C:\Program Files\The Weather Channel FW\Framework\wxfw.dll (Adware.Hotbar) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj (Worm.OnlineG) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DW4 (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe (Adware.Hotbar) -> Delete on reboot.
C:\Program Files\The Weather Channel FW\Framework\wxfw.dll (Adware.Hotbar) -> Delete on reboot.

#6 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 06 June 2008 - 08:27 PM

How's the computer running?

Your database and version are out of date.

Always let MBAM update before a scan.

They are up to 1.15 and 836.

#7 Salina

Salina
  • Topic Starter

  • Members
  • 35 posts

Posted 07 June 2008 - 01:45 PM

It would not let me update, so I used the link under where I downloaded it, because it said to use that link to update if you could not through the program. I guess it was not the most recent update. Now when I start my computer or try to open the program it says "the database you are using is not supported by this version of Malwarebytes' Anti-Malware. Download the latest version of the program". Where can I do that?

My computer seems to be working fine now. Thank you.

#8 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 07 June 2008 - 04:43 PM

TeaTimer can interfere with program updates; are you using it?

Otherwise you could uninstall MBAM, reboot, and then reinstall:

http://www.malwarebytes.org/mbam.php

Edited by DaChew, 07 June 2008 - 04:44 PM.


#9 Salina

Salina
  • Topic Starter

  • Members
  • 35 posts

Posted 07 June 2008 - 07:33 PM

OK, I have the most updated version now.
Should I not be using TeaTimer?
Should I get rid of Spybot Search and Destroy?
When I use MBAM, do I always need to use Safe Mode?

#10 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 07 June 2008 - 09:41 PM

TeaTimer is powerful protection, but it stops good programs the same as bad ones.

If you are installing a good program or trying to fix something, it's best turned off.

If you go into Advanced mode in Spybot > Tools > Resident, it can be turned off for a while.

Right-clicking and choosing Unload removes it from the system tray, but it comes back at reboot; if your fix involves a reboot, then TeaTimer can interfere.

I use Spybot myself for its other features; I do not use TeaTimer.

MBAM was intended to be run in normal mode, when it's strongest.
