
Virtumonde Infection



#1 Bradega

Bradega

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:40 PM

Posted 09 November 2006 - 11:23 AM

This infection started out with spyheal, which I thought I removed thanks to online guides, but there are still files on my computer (vtstq.dll, and I'm pretty sure a file called byxyxvw.dll has got something to do with it too) which I just can't seem to remove. I've tried following the instructions of guides on here and other sites, and they all want me to use either VundoFix or virtumondebegone. Now, this would all be fine and dandy, if it wasn't for those programs not working for me. They just kill all other processes, and then nothing happens (I can't open up Task Manager or anything after that)! So... I need all the help I can get. Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 16:35:57, on 2006-11-09
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\CACHEM~1\CachemanXP.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\VIAudioi\SBADeck\ADeck.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\HijackThis\Monkey.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.actuality.fr.tc
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
O1 - Hosts: 65.54.239.80 dp.msnmessenger.skadns.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {A2C170AE-C6FD-4BD5-8049-7E1F1BC90663} - C:\WINDOWS\System32\vtstq.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - blank (file missing)
O2 - BHO: MSEvents Object - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\System32\byxyxvw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AudioDeck] "C:\Program\VIAudioi\SBADeck\ADeck.exe" 1
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - (no file)
O20 - Winlogon Notify: byxyxvw - C:\WINDOWS\SYSTEM32\byxyxvw.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\System32\vtstq.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\Program\CACHEM~1\CachemanXP.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program\SiSoftware\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program\SiSoftware\RpcSandraSrv.exe


#2 Koc

Koc

  • Members
  • 366 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:In a very Dark Place
  • Local time:10:40 PM

Posted 09 November 2006 - 12:26 PM

Hello Bradega, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues; this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks

#3 Koc

Koc

  • Members
  • 366 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:In a very Dark Place
  • Local time:10:40 PM

Posted 09 November 2006 - 01:59 PM

Hello!

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

Please run HijackThis and place a check next to these entries:

O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {A2C170AE-C6FD-4BD5-8049-7E1F1BC90663} - C:\WINDOWS\System32\vtstq.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - blank (file missing)
O2 - BHO: MSEvents Object - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\System32\byxyxvw.dll
O20 - Winlogon Notify: byxyxvw - C:\WINDOWS\SYSTEM32\byxyxvw.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\System32\vtstq.dll


Please close all windows and browsers except Hijackthis and click "Fix Checked"

Reboot

Find and delete these Files/folders:
C:\WINDOWS\SYSTEM32\byxyxvw.dll
C:\WINDOWS\System32\vtstq.dll

Reboot and post a new Hijackthis log and a log with Vundofix.txt :thumbsup:
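Added here as an example, not part of the thread or of HijackThis/VundoFix themselves: a small Python triage helper that parses the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log and flags the pattern Koc is fixing above, a System32 DLL registered both as a BHO and as a Winlogon Notify package, together with the reversed-name .ini companion that the VundoFix output in this thread shows beside each such DLL (vtstq.dll / qtstv.ini, gebyv.dll / vybeg.ini). The sample lines are copied from the first log in this thread; the extra benign O20 line, the finding labels and the heuristic itself are constructed for this example.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample input: the O2 (BHO) and O20 (Winlogon Notify) lines quoted in
# the first HijackThis log of this thread, plus one constructed benign O20 line.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {A2C170AE-C6FD-4BD5-8049-7E1F1BC90663} - C:\WINDOWS\System32\vtstq.dll
O2 - BHO: MSEvents Object - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\System32\byxyxvw.dll
O20 - Winlogon Notify: byxyxvw - C:\WINDOWS\SYSTEM32\byxyxvw.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\System32\vtstq.dll
O20 - Winlogon Notify: example - C:\Program\Example\example.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<rest>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str    # "vundo-pair", "orphan" or "unnamed-bho" (labels chosen for this example)
    stem: str    # DLL file name without extension, lower-cased
    detail: str


def dll_stem(path):
    """C:\\WINDOWS\\System32\\vtstq.dll -> 'vtstq' (Windows path rules on any host OS)."""
    return ntpath.splitext(ntpath.basename(path.strip()))[0].lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Parse O2/O20 lines and return the entries worth a second look, in log order."""
    bhos, notifies = [], []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            rest = m.group("rest")
            missing = rest.endswith("(file missing)")
            bhos.append((m.group("name"), rest.replace("(file missing)", "").strip(), missing))
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append((m.group("key").lower(), m.group("path")))

    present_bho_stems = {dll_stem(p) for _, p, missing in bhos if not missing}
    findings = []
    # Strongest signal in this thread's logs: a System32 DLL whose Winlogon Notify key
    # equals its file name AND which is also loaded as a BHO. The VundoFix output above
    # shows each such DLL paired with a reversed-name .ini (vtstq.dll / qtstv.ini).
    for key, path in notifies:
        stem = dll_stem(path)
        if in_system32(path) and key == stem and stem in present_bho_stems:
            findings.append(Finding("vundo-pair", stem,
                                    f"BHO + Winlogon Notify; look for {stem[::-1]}.ini"))
    for name, path, missing in bhos:
        stem = dll_stem(path)
        if missing:
            findings.append(Finding("orphan", stem, "file missing: dead entry, fix with HijackThis"))
        elif name == "(no name)" and in_system32(path) and all(f.stem != stem for f in findings):
            findings.append(Finding("unnamed-bho", stem, "unnamed BHO in System32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:12} {f.stem:10} {f.detail}")
```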

#4 Bradega

Bradega
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:40 PM

Posted 09 November 2006 - 02:33 PM

Logfile of HijackThis v1.99.1
Scan saved at 20:25:35, on 2006-11-09
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\CACHEM~1\CachemanXP.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\DAEMON Tools\daemon.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\VIAudioi\SBADeck\ADeck.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program\HijackThis\Monkey.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.actuality.fr.tc
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
O1 - Hosts: 65.54.239.80 dp.msnmessenger.skadns.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\byxyxvw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AudioDeck] "C:\Program\VIAudioi\SBADeck\ADeck.exe" 1
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - (no file)
O20 - Winlogon Notify: byxyxvw - C:\WINDOWS\SYSTEM32\byxyxvw.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\Program\CACHEM~1\CachemanXP.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program\SiSoftware\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program\SiSoftware\RpcSandraSrv.exe


VundoFix V6.2.8

Checking Java version...

Sun Java not detected
Scan started at 20:01:01 2006-11-09

Listing files found while scanning....

C:\WINDOWS\System32\vtstq.dll
C:\WINDOWS\System32\vtstq.dll
C:\WINDOWS\System32\vtstq.dll
C:\WINDOWS\System32\vtstq.dll
C:\WINDOWS\System32\vtstq.dll
C:\WINDOWS\System32\vtstq.dll
C:\WINDOWS\System32\qtstv.ini
C:\WINDOWS\System32\qtstv.bak1
C:\WINDOWS\System32\qtstv.ini
C:\WINDOWS\System32\qtstv.bak1
C:\WINDOWS\System32\qtstv.ini
C:\WINDOWS\System32\qtstv.bak1
C:\WINDOWS\System32\qtstv.ini
C:\WINDOWS\System32\qtstv.bak1
C:\WINDOWS\System32\qtstv.ini
C:\WINDOWS\System32\qtstv.bak1
C:\WINDOWS\System32\qtstv.ini
C:\WINDOWS\System32\qtstv.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\System32\vtstq.dll
C:\WINDOWS\System32\vtstq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\vtstq.dll
C:\WINDOWS\System32\vtstq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\vtstq.dll
C:\WINDOWS\System32\vtstq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\vtstq.dll
C:\WINDOWS\System32\vtstq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\vtstq.dll
C:\WINDOWS\System32\vtstq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\vtstq.dll
C:\WINDOWS\System32\vtstq.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\qtstv.ini
C:\WINDOWS\System32\qtstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\qtstv.bak1
C:\WINDOWS\System32\qtstv.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\vtstq.dll
C:\WINDOWS\System32\vtstq.dll Has been deleted!

Performing Repairs to the registry.
Done!

P.S. After the reboot, when I was supposed to delete the dll files manually, I couldn't find them. I even did a search on the Windows folder just to be sure.

#5 Koc

Koc

  • Members
  • 366 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:In a very Dark Place
  • Local time:10:40 PM

Posted 10 November 2006 - 07:49 AM

Hey again!

Reboot into safe mode (Press F8 right after memory count)

In safe mode:
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.

Please run HijackThis and place a check next to these entries:

O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINDOWS\system32\byxyxvw.dll
O20 - Winlogon Notify: byxyxvw - C:\WINDOWS\SYSTEM32\byxyxvw.dll


Please close all windows and browsers except Hijackthis and click "Fix Checked"

Reboot

Reboot and post a new Hijackthis log and a log with Vundofix.txt :thumbsup:

#6 Bradega

Bradega
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:40 PM

Posted 10 November 2006 - 02:28 PM

Sorry for the late reply, I had some trouble, namely my keyboard not working, and every time I opened an Explorer window, the explorer.exe process would quit and I was greeted by an empty desktop. These new steps seem to have fixed this though! :thumbsup:

VundoFix V6.2.8

Checking Java version...

Sun Java not detected
Scan started at 15:40:15 2006-11-10

Listing files found while scanning....

C:\WINDOWS\System32\gebyv.dll
C:\WINDOWS\System32\gebyv.dll
C:\WINDOWS\System32\vybeg.ini
C:\WINDOWS\System32\vybeg.bak1
C:\WINDOWS\System32\vybeg.ini
C:\WINDOWS\System32\vybeg.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\System32\gebyv.dll
C:\WINDOWS\System32\gebyv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\gebyv.dll
C:\WINDOWS\System32\gebyv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\vybeg.ini
C:\WINDOWS\System32\vybeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\vybeg.bak1
C:\WINDOWS\System32\vybeg.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\gebyv.dll
C:\WINDOWS\System32\gebyv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\gebyv.dll
C:\WINDOWS\System32\gebyv.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\vybeg.ini
C:\WINDOWS\System32\vybeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.8

Checking Java version...

Sun Java not detected
Scan started at 15:55:33 2006-11-10

Listing files found while scanning....

No infected files were found.


Logfile of HijackThis v1.99.1
Scan saved at 20:18:28, on 2006-11-10
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\DAEMON Tools\daemon.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\VIAudioi\SBADeck\ADeck.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program\Opera\Opera.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\HijackThis\Monkey.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.actuality.fr.tc
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
O1 - Hosts: 65.54.239.80 dp.msnmessenger.skadns.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Tweak UI] "RUNDLL32.EXE" TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AudioDeck] "C:\Program\VIAudioi\SBADeck\ADeck.exe" 1
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_07\bin\ssv.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CachemanXP (CachemanXPService) - Unknown owner - C:\Program\CACHEM~1\CachemanXP.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program\SiSoftware\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program\SiSoftware\RpcSandraSrv.exe

Edited by Bradega, 10 November 2006 - 02:28 PM.


#7 Koc

Koc

  • Members
  • 366 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:In a very Dark Place
  • Local time:10:40 PM

Posted 13 November 2006 - 02:43 PM

  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • In case it says that nothing has been found, right-click the list box (white box) in the main VundoFix window.
  • Select Add More Files? from the menu that comes up. This will open a new VundoFix window.
  • In the window, copy and paste the following into the first field: C:\WINDOWS\System32\gebyv.dll
  • Copy and paste the following into the second field: C:\WINDOWS\System32\gebyv.dll
  • Click the Add Files button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on, and fix the following line with HijackThis:
    O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - (no file)
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.


