Ms Juan And Vundo

Ms Juan And Vundo


4 replies to this topic

#1 davemendoza

davemendoza

  • Members
  • 4 posts
  • Local time:04:46 AM

Posted 25 August 2008 - 01:35 AM

Hi guys,
Having issues with pop-up ads in IE 7, Spy Shredder prompts, Antivirus 2008 and a generally slow-running PC. I've run Ad-Aware, Spybot and SpyNoMore with no effective end to the problem, although the recurring issue is Virtumonde/Vundo/MS Juan.
Have looked up other posts, namely here, and followed Thunder's advice in points 1 and 2. Could you please look at my HijackThis and Malwarebytes logs and offer any more advice on how to remove this stuff for good, please?
Thanks
DM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:08 PM, on 25/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {01E5D31B-54CA-4483-A82A-3758CB975638} - (no file)
O2 - BHO: (no name) - {42D78F0C-C076-4EA1-8432-66AC026D55BA} - (no file)
O2 - BHO: (no name) - {43C7E917-2946-4B2E-9FC6-1FC35127B931} - (no file)
O2 - BHO: (no name) - {48F13C14-F82D-4B17-A5EA-A59A2F1704C7} - (no file)
O2 - BHO: (no name) - {78FCC154-D884-44D3-B95E-E4870E81585E} - (no file)
O2 - BHO: (no name) - {896cadcf-2aea-404f-9c43-e5ee3fc9fa76} - (no file)
O2 - BHO: (no name) - {AC09FD28-C562-48DB-A667-594EE8C38E0F} - (no file)
O2 - BHO: (no name) - {d7010272-28e1-41c7-8103-0ed9e0a0c09e} - (no file)
O2 - BHO: (no name) - {ede93fe5-dae6-47a0-a455-910df365e9ce} - (no file)
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Svchost2] c:\Windows\Temp\SecurityHackers2.exe
O4 - HKLM\..\Run: [DelayedLoad] C:\DOCUME~1\Dave\LOCALS~1\Temp\atmadm2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [50e0b4d6] rundll32.exe "C:\WINDOWS\system32\tnfoguuw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcherLive] "C:\Program Files\Weather Watcher Live\ww.exe"
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm265YYAU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://cvserver/connectcomputer/nshelp.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = centennialvineyards.local
O17 - HKLM\Software\..\Telephony: DomainName = centennialvineyards.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = centennialvineyards.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = centennialvineyards.local
O20 - AppInit_DLLs: brgpqe.dll xcggsm.dll bemize.dll lintqo.dll rhqeco.dll phdjnx.dll mxfdzn.dll hdrrme.dll
O20 - Winlogon Notify: byXRlLBT - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8171 bytes

Malwarebytes' Anti-Malware 1.25
Database version: 1086
Windows 5.1.2600 Service Pack 2


3:04:27 PM 25/08/2008
mbam-log-08-25-2008 (15-04-21).txt

Scan type: Quick Scan
Objects scanned: 69903
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 9
Registry Keys Infected: 25
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 75

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bsbxmdlt.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\pmnliHWM.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\bemize.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\lintqo.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rhqeco.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\phdjnx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mxfdzn.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pmdwvuev.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hdrrme.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ab30cb4b-dc8e-4711-9867-fbf214f3f551} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ab30cb4b-dc8e-4711-9867-fbf214f3f551} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{e0c66222-143f-4b94-8e17-a45461a98cd2} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ad3b755c-ebd2-48fa-81b7-02298fb9d3b9} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{70f3c7e4-58ad-4524-bb65-7a0f9b499fe7} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{9eb941d3-6968-4186-82eb-e9929cf8974f} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{82bf4e4c-3da6-479d-b7a5-7bdba233fe72} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{16a55896-4620-4b9e-9003-0f3eb040a2e7} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{570d4e66-1599-4755-a9f9-fc837741c298} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2fcf643c-bde2-42e2-ab02-1242ed7c9493} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\USLst (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\USS (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_is1 (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uss_{826f15bf-1a4c-4290-bfd1-794af7a2cb8f}_is1 (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uss_{ec572088-91c7-4293-93f9-93d40b0e0b36}_is1 (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\50e0b4d6 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uss (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\pmnlihwm -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmnlihwm -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\pmnliHWM.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\MWHilnmp.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\MWHilnmp.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\alolmvgw.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\wgvmlola.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\bedrqitn.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ntiqrdeb.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\bsbxmdlt.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\tldmxbsb.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\elauaupd.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\dpuauale.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\jfoqysvm.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mvsyqofj.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mvimnlky.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\yklnmivm.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\pqedlrjj.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\jjrldeqp.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\qlgwfoeg.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\geofwglq.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\rbrhtqay.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\yaqthrbr.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vehmfehs.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\shefmhev.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\wgjccqpm.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mpqccjgw.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\wypvrawi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\iwarvpyw.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\bemize.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\lintqo.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rhqeco.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\phdjnx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mxfdzn.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pmdwvuev.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hdrrme.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\bfpjid.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\byXRlLBT.dll.vir (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\chtwxjts.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\dzkrkd.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\fnvdqbrh.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\gsdxbcqf.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hgoxusdp.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\hikuep.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\iihcsa.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ivphfiqv.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\klaioo.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\leoondxv.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\llwnnx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ltrfdv.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\nwropx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ogmccgsm.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ohpvgz.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pelklg.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qoploiae.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rdabghcs.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rxrbvqwx.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\sbioldoi.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\sfwgjqin.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\sgacgkll.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\tdbwfraa.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\thudlivq.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\tyleymor.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wglumutj.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wtgqdd.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\xwguylrk.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ydiiamjl.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\zfqdcz.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\zhqlom.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\iaeewvhw.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wptxoz.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\gibhskmh.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\gkpmmyjr.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\govyym.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\END (Trojan.FakeAlert) -> No action taken.

Then the new Malwarebytes log after reboot and rescan...

Malwarebytes' Anti-Malware 1.25
Database version: 1086
Windows 5.1.2600 Service Pack 2


4:12:23 PM 25/08/2008
mbam-log-08-25-2008 (16-12-23).txt

Scan type: Quick Scan
Objects scanned: 70059
Time elapsed: 12 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\50e0b4d6 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uss (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#2 davemendoza

davemendoza
  • Topic Starter

  • Members
  • 4 posts
  • Local time:04:46 AM

Posted 25 August 2008 - 11:33 PM

Hello to everyone,

One of our PCs has been infected with Virtumonde and I need to bring in the heavy guns. If anyone can help, it'd be much appreciated.

Here goes...

Symptoms are a very slow running speed, low virtual memory warnings, pop-up ads in IE7, occasional Spy Shredder sales pitches, and occasional Antivirus 2008 sales pitches.
Virtumonde and Vundo were picked up by SpyNoMore and removed; then, after reboot, more pop-up ads in IE7.

My PC is connected to a work server, but because we are a small business we don't have an administrator as such; I've been lumped with the job. I've got a little experience and know-how, but would love any advice from experts.

I've had a look at other posts and have now downloaded HijackThis and cleared IE temporary files. Here's the log:

Please help!
Thanks
CC

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:48 PM, on 26/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {01E5D31B-54CA-4483-A82A-3758CB975638} - (no file)
O2 - BHO: (no name) - {42D78F0C-C076-4EA1-8432-66AC026D55BA} - (no file)
O2 - BHO: (no name) - {43C7E917-2946-4B2E-9FC6-1FC35127B931} - (no file)
O2 - BHO: (no name) - {48F13C14-F82D-4B17-A5EA-A59A2F1704C7} - (no file)
O2 - BHO: (no name) - {78FCC154-D884-44D3-B95E-E4870E81585E} - (no file)
O2 - BHO: (no name) - {896cadcf-2aea-404f-9c43-e5ee3fc9fa76} - (no file)
O2 - BHO: (no name) - {AC09FD28-C562-48DB-A667-594EE8C38E0F} - (no file)
O2 - BHO: (no name) - {d7010272-28e1-41c7-8103-0ed9e0a0c09e} - (no file)
O2 - BHO: (no name) - {ede93fe5-dae6-47a0-a455-910df365e9ce} - (no file)
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Svchost2] c:\Windows\Temp\SecurityHackers2.exe
O4 - HKLM\..\Run: [DelayedLoad] C:\DOCUME~1\Dave\LOCALS~1\Temp\atmadm2.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKLM\..\Run: [50e0b4d6] rundll32.exe "C:\WINDOWS\system32\tnfoguuw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherWatcherLive] "C:\Program Files\Weather Watcher Live\ww.exe"
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = C:\Program Files\Common Files\Sonic Shared\CineTray.exe
O8 - Extra context menu item: &Search - ?p=ZUxdm265YYAU
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://cvserver/connectcomputer/nshelp.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = centennialvineyards.local
O17 - HKLM\Software\..\Telephony: DomainName = centennialvineyards.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = centennialvineyards.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = centennialvineyards.local
O20 - AppInit_DLLs: brgpqe.dll xcggsm.dll bemize.dll lintqo.dll rhqeco.dll phdjnx.dll mxfdzn.dll hdrrme.dll
O20 - Winlogon Notify: byXRlLBT - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8312 bytes

Edited by Orange Blossom, 26 August 2008 - 04:57 PM.
Merged topics. ~ OB


#3 dark messenger

dark messenger

  • Members
  • 1,741 posts
  • Gender:Male
  • Location:Auckland NZ
  • Local time:06:46 AM

Posted 04 September 2008 - 04:59 PM

Hello :thumbsup:

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
DM

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:02:46 PM

Posted 16 September 2008 - 08:41 AM

Hello davemendoza :thumbsup: ,

Dark Messenger is having Internet problems and asked if someone would take over the logs he is working. I will be taking over this one if it is OK with you.

Since there has not been any activity lately can you please advise me whether or not you still need assistance?


Thanks,



thewall
If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#5 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:02:46 PM

Posted 18 September 2008 - 08:32 AM

Hello again, :thumbsup:


Checking to see if you are still in need of assistance?