
infected with virtumonde


This topic is locked.
2 replies to this topic

#1 docmkii (Members, 7 posts)

Posted 17 October 2008 - 03:26 AM

I followed all the instructions in the "Before You Post" area, then downloaded the two apps, and this is what I got.

Please help us improve HijackThis by reporting this error

Click 'Yes' to submit

Error Details:

An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=win.ini, sSection=windows, sValue=load)
Error #5 - Invalid procedure call or argument

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.11
HijackThis version: 2.0.2

I also got this.

[10/16/2008, 23:18:32] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Stephanie Smelcer\Desktop\PC Tools for scanning and protection\VirtumundoBeGone.exe" )
[10/16/2008, 23:18:39] - Detected System Information:
[10/16/2008, 23:18:39] - Windows Version: 5.1.2600, Service Pack 3
[10/16/2008, 23:18:39] - Current Username: Stephanie Smelcer (Admin)
[10/16/2008, 23:18:39] - Windows is in SAFE mode with Networking.
[10/16/2008, 23:18:39] - Searching for Browser Helper Objects:
[10/16/2008, 23:18:39] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} ()
[10/16/2008, 23:18:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/16/2008, 23:18:39] - No filename found. Continuing.
[10/16/2008, 23:18:39] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[10/16/2008, 23:18:39] - BHO 3: {54A8264B-AFFB-4614-95FE-0234817EA282} ()
[10/16/2008, 23:18:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/16/2008, 23:18:39] - Checking for HKLM\...\Winlogon\Notify\nnnnOGxY
[10/16/2008, 23:18:39] - Found: HKLM\...\Winlogon\Notify\nnnnOGxY - This is probably Virtumundo.
[10/16/2008, 23:18:39] - Assigning {54A8264B-AFFB-4614-95FE-0234817EA282} MSEvents Object
[10/16/2008, 23:18:39] - BHO list has been changed! Starting over...
[10/16/2008, 23:18:39] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} ()
[10/16/2008, 23:18:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/16/2008, 23:18:39] - No filename found. Continuing.
[10/16/2008, 23:18:39] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[10/16/2008, 23:18:39] - BHO 3: {54A8264B-AFFB-4614-95FE-0234817EA282} (MSEvents Object)
[10/16/2008, 23:18:40] - ALERT: Found MSEvents Object!
[10/16/2008, 23:18:40] - BHO 4: {5C8BA5A9-7487-4508-A4F3-A7DAD9A7024D} ()
[10/16/2008, 23:18:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/16/2008, 23:18:40] - Checking for HKLM\...\Winlogon\Notify\pmnmjGwt
[10/16/2008, 23:18:40] - Key not found: HKLM\...\Winlogon\Notify\pmnmjGwt, continuing.
[10/16/2008, 23:18:40] - BHO 5: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[10/16/2008, 23:18:40] - BHO 6: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[10/16/2008, 23:18:40] - BHO 7: {DD476786-9C30-4F4B-97C3-B20AB1654A61} ()
[10/16/2008, 23:18:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/16/2008, 23:18:40] - Checking for HKLM\...\Winlogon\Notify\nnnoMDUO
[10/16/2008, 23:18:40] - Key not found: HKLM\...\Winlogon\Notify\nnnoMDUO, continuing.
[10/16/2008, 23:18:40] - Finished Searching Browser Helper Objects
[10/16/2008, 23:18:40] - *** Detected MSEvents Object
[10/16/2008, 23:18:40] - Trying to remove MSEvents Object...
[10/16/2008, 23:18:41] - Terminating Process: IEXPLORE.EXE
[10/16/2008, 23:18:42] - Terminating Process: RUNDLL32.EXE
[10/16/2008, 23:18:42] - Disabling Automatic Shell Restart
[10/16/2008, 23:18:42] - Terminating Process: EXPLORER.EXE
[10/16/2008, 23:18:42] - Suspending the NT Session Manager System Service
[10/16/2008, 23:18:43] - Terminating Windows NT Logon/Logoff Manager
[10/16/2008, 23:18:43] - Re-enabling Automatic Shell Restart
[10/16/2008, 23:18:43] - File to disable: C:\WINDOWS\system32\nnnnOGxY.dll
[10/16/2008, 23:18:43] - Renaming C:\WINDOWS\system32\nnnnOGxY.dll -> C:\WINDOWS\system32\nnnnOGxY.dll.vir
[10/16/2008, 23:18:43] - File successfully renamed!
[10/16/2008, 23:18:43] - Removing HKLM\...\Browser Helper Objects\{54A8264B-AFFB-4614-95FE-0234817EA282}
[10/16/2008, 23:18:43] - Removing HKCR\CLSID\{54A8264B-AFFB-4614-95FE-0234817EA282}
[10/16/2008, 23:18:44] - Adding Kill Bit for ActiveX for GUID: {54A8264B-AFFB-4614-95FE-0234817EA282}
[10/16/2008, 23:18:44] - Deleting ATLEvents/MSEvents Registry entries
[10/16/2008, 23:18:44] - Removing HKLM\...\Winlogon\Notify\nnnnOGxY
[10/16/2008, 23:18:44] - Searching for Browser Helper Objects:
[10/16/2008, 23:18:44] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} ()
[10/16/2008, 23:18:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/16/2008, 23:18:44] - No filename found. Continuing.
[10/16/2008, 23:18:44] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[10/16/2008, 23:18:44] - BHO 3: {5C8BA5A9-7487-4508-A4F3-A7DAD9A7024D} ()
[10/16/2008, 23:18:44] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/16/2008, 23:18:44] - Checking for HKLM\...\Winlogon\Notify\pmnmjGwt
[10/16/2008, 23:18:44] - Key not found: HKLM\...\Winlogon\Notify\pmnmjGwt, continuing.
[10/16/2008, 23:18:44] - BHO 4: {9ECB9560-04F9-4bbc-943D-298DDF1699E1} (CNisExtBho Class)
[10/16/2008, 23:18:45] - BHO 5: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[10/16/2008, 23:18:45] - BHO 6: {DD476786-9C30-4F4B-97C3-B20AB1654A61} ()
[10/16/2008, 23:18:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/16/2008, 23:18:45] - Checking for HKLM\...\Winlogon\Notify\nnnoMDUO
[10/16/2008, 23:18:45] - Key not found: HKLM\...\Winlogon\Notify\nnnoMDUO, continuing.
[10/16/2008, 23:18:45] - Finished Searching Browser Helper Objects
[10/16/2008, 23:18:45] - Finishing up...
[10/16/2008, 23:18:45] - A restart is needed.
[10/16/2008, 23:18:45] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[10/16/2008, 23:18:59] - Attempting to Restart via STOP error (Blue Screen!)

I have Spybot Search & Destroy, and when I scan I still have the Virtumonde virus/trojan. Please help me.
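What the VirtumundoBeGone log above is actually doing, reconstructed as an added example that is not part of the original post and is not VirtumundoBeGone's own code: walk the Browser Helper Objects list, look up each CLSID's default name under HKCR\CLSID, and for any BHO with no name take the basename of its DLL and check whether a Winlogon\Notify subkey of the same name exists (Virtumundo registered the same randomly named DLL in both places, which is why the tool reports "probably Virtumundo" only when the pair lines up). Assumptions: that the "filename" the log looks for comes from the CLSID's InprocServer32 value (inferred from "No filename found", not stated in the log); the DLL path for {5C8BA5A9-...} is invented, since the log only shows its Notify name; the registry here is an in-memory snapshot built from the CLSIDs and names in the log, so the script runs anywhere, and on a live XP machine the three snapshot methods would be backed by the winreg module instead.

```python
"""
Virtumundo BHO / Winlogon-Notify correlation, modelled on the VirtumundoBeGone log.
Added illustration only: the registry is a constructed snapshot, not the live hive.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ntpath

BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKCR\CLSID"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
KILLBIT_KEY = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"


@dataclass
class RegistrySnapshot:
    """Stand-in for the registry: full key path -> default value (None if unset).
    On a real machine the same three methods can be implemented with winreg."""
    keys: Dict[str, Optional[str]]

    def exists(self, path: str) -> bool:
        return path in self.keys

    def default(self, path: str) -> Optional[str]:
        return self.keys.get(path)

    def subkeys(self, parent: str) -> List[str]:
        prefix = parent + "\\"
        return sorted({k[len(prefix):].split("\\")[0] for k in self.keys if k.startswith(prefix)})


@dataclass
class Finding:
    clsid: str
    name: str
    dll: Optional[str]
    notify_key: Optional[str]
    verdict: str


def inspect_bho(reg: RegistrySnapshot, clsid: str) -> Finding:
    """Classify one BHO the way the log does: named, unnamed but unpaired, or suspect."""
    name = reg.default(f"{CLSID_KEY}\\{clsid}") or ""
    dll = reg.default(f"{CLSID_KEY}\\{clsid}\\InprocServer32")  # assumed source of the "filename"
    if name:
        return Finding(clsid, name, dll, None, "named")
    if not dll:
        # Mirrors "No filename found. Continuing." in the log.
        return Finding(clsid, name, None, None, "unnamed, no InprocServer32 path")
    base = ntpath.splitext(ntpath.basename(dll))[0]
    notify = f"{NOTIFY_KEY}\\{base}"
    if reg.exists(notify):
        # Same random name registered as a BHO and as a Winlogon notification
        # package: the pairing the log reports as "probably Virtumundo".
        return Finding(clsid, name, dll, notify, "probably Virtumundo")
    return Finding(clsid, name, dll, None, "unnamed, no Winlogon Notify entry")


def scan(reg: RegistrySnapshot) -> List[Finding]:
    return [inspect_bho(reg, c) for c in reg.subkeys(BHO_KEY)]


def remediation_plan(f: Finding) -> List[str]:
    """Registry and file actions in the order the log performs them (empty if not suspect)."""
    if f.verdict != "probably Virtumundo":
        return []
    return [
        f"rename {f.dll} -> {f.dll}.vir",                                # neutralise, keep for analysis
        f"delete {BHO_KEY}\\{f.clsid}",                                   # stop IE loading it as a BHO
        f"delete {CLSID_KEY}\\{f.clsid}",                                 # remove the COM registration
        f"set {KILLBIT_KEY}\\{f.clsid} 'Compatibility Flags'=0x400",      # ActiveX kill bit
        f"delete {f.notify_key}",                                         # stop winlogon loading it
    ]


def build_sample_snapshot() -> RegistrySnapshot:
    """Constructed snapshot using the CLSIDs and names from the posted log.
    The DLL path for {5C8BA5A9-...} is assumed; the log only shows its Notify name."""
    keys: Dict[str, Optional[str]] = {}

    def bho(clsid: str, name: Optional[str] = None, dll: Optional[str] = None) -> None:
        keys[f"{BHO_KEY}\\{clsid}"] = None
        keys[f"{CLSID_KEY}\\{clsid}"] = name
        if dll:
            keys[f"{CLSID_KEY}\\{clsid}\\InprocServer32"] = dll

    bho("{02478D38-C3F9-4EFB-9B51-7695ECA05670}")                      # no name, no DLL path
    bho("{53707962-6F74-2D53-2644-206D7942484F}", "Spybot-S&D IE Protection")
    bho("{54A8264B-AFFB-4614-95FE-0234817EA282}", None, r"C:\WINDOWS\system32\nnnnOGxY.dll")
    bho("{5C8BA5A9-7487-4508-A4F3-A7DAD9A7024D}", None, r"C:\WINDOWS\system32\pmnmjGwt.dll")
    keys[f"{NOTIFY_KEY}\\nnnnOGxY"] = None   # present in the log; no pmnmjGwt entry
    return RegistrySnapshot(keys)


if __name__ == "__main__":
    for finding in scan(build_sample_snapshot()):
        print(f"{finding.clsid} -> {finding.verdict}")
        for step in remediation_plan(finding):
            print("   ", step)
```

The point worth taking from the heuristic is that a nameless BHO on its own is not evidence (two of the unnamed CLSIDs in the log are left alone); it is the reuse of one DLL name as both a BHO and a Winlogon notification package that identifies the infection. Renaming the DLL rather than deleting it, and setting the kill bit on the CLSID, are what keep Internet Explorer from loading the same component again if the registry entries get recreated before the reboot.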

#2 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 17 October 2008 - 05:43 AM

Hello docmkii

Welcome to BleepingComputer :thumbsup:
========================
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 11 November 2008 - 07:46 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.