
Yes, I Am An Idiot (vundo, Etc)


  • This topic is locked
4 replies to this topic

#1 jrhalstead


  • Members
  • 8 posts

Posted 26 March 2007 - 06:46 PM

Short story, I was stupid. In the general area of being somewhere I shouldn't be. Here is the HJT log

Attached Files



#2 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 27 March 2007 - 09:03 AM

Hi,

Please do not attach your logs, but copy and paste them in your thread.

I see you are running TeaTimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, download ResetTeaTimer.bat.
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer.


* Download VirtumundoBegone and place it on your desktop.
  • Double-click VirtumundoBeGone.exe to start the tool.
  • Follow the instructions on the screen.
  • Don't worry if you get a blue screen with an error on it - this is normal.
After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {052435E8-FC7B-4132-ABFD-529371BBF547} - C:\WINDOWS\system32\pmkjh.dll
O2 - BHO: (no name) - {4F0388F6-7635-4CD6-8B10-82DF3379386D} - C:\WINDOWS\system32\fcccyxv.dll
O2 - BHO: (no name) - {75523EB1-EE17-45B0-B0BD-E6597D431421} - C:\WINDOWS\system32\awvvv.dll (file missing)
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\gjmlqgth.dll",setvm
O20 - Winlogon Notify: fcccyxv - C:\WINDOWS\SYSTEM32\fcccyxv.dll
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Post the contents of the log VBG.TXT, which is present on your desktop, together with a new HijackThis log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jrhalstead

  • Topic Starter

  • Members
  • 8 posts

Posted 27 March 2007 - 07:52 PM

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:47:35 PM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Xdrive\XDRIVE~1\XdrSmb.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe
C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 2 Beta 2\firefox.exe
C:\Documents and Settings\Hosoke\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [XdriveTray] "C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe" /trayicon
O4 - HKCU\..\Run: [XdriveTrayIcon] "C:\Program Files\Xdrive\Xdrive Desktop\XdriveTray.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &Xdrive - res://C:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} (QuickBooks Online Edition Utilities Class v9) - https://accounting.quickbooks.com/c1/v16.580/qboax9.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136138221296
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1530D335-2C8A-40E2-BBC3-7E4678C0ED04}: NameServer = 24.25.5.60,24.25.5.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{417DB9B6-9747-4068-8BE6-699ED3EAA0E0}: NameServer = 192.168.1.100,24.25.5.60,24.25.5.61
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\PROGRA~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\PROGRA~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Maya 7 PLE Documentation Server (mple7docserver) - Unknown owner - C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Xdrive Service - Xdrive LLC - C:\Program Files\Xdrive\Xdrive Desktop\XdriveService.exe

--
End of file - 11989 bytes



[03/27/2007, 20:10:30] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Hosoke\Desktop\VirtumundoBeGone.exe" )
[03/27/2007, 20:10:37] - Detected System Information:
[03/27/2007, 20:10:37] - Windows Version: 5.1.2600, Service Pack 2
[03/27/2007, 20:10:37] - Current Username: Hosoke (Admin)
[03/27/2007, 20:10:37] - Windows is in NORMAL mode.
[03/27/2007, 20:10:37] - Searching for Browser Helper Objects:
[03/27/2007, 20:10:37] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/27/2007, 20:10:37] - BHO 2: {052435E8-FC7B-4132-ABFD-529371BBF547} ()
[03/27/2007, 20:10:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:10:37] - Checking for HKLM\...\Winlogon\Notify\pmkjh
[03/27/2007, 20:10:37] - Found: HKLM\...\Winlogon\Notify\pmkjh - This is probably Virtumundo.
[03/27/2007, 20:10:37] - Assigning {052435E8-FC7B-4132-ABFD-529371BBF547} MSEvents Object
[03/27/2007, 20:10:37] - BHO list has been changed! Starting over...
[03/27/2007, 20:10:37] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/27/2007, 20:10:37] - BHO 2: {052435E8-FC7B-4132-ABFD-529371BBF547} (MSEvents Object)
[03/27/2007, 20:10:37] - ALERT: Found MSEvents Object!
[03/27/2007, 20:10:37] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/27/2007, 20:10:37] - BHO 4: {37E259FD-DE11-4660-8374-08E78B5E9F12} ()
[03/27/2007, 20:10:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:10:37] - Checking for HKLM\...\Winlogon\Notify\pmkjh
[03/27/2007, 20:10:37] - Found: HKLM\...\Winlogon\Notify\pmkjh - This is probably Virtumundo.
[03/27/2007, 20:10:37] - Assigning {37E259FD-DE11-4660-8374-08E78B5E9F12} MSEvents Object
[03/27/2007, 20:10:37] - BHO list has been changed! Starting over...
[03/27/2007, 20:10:37] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/27/2007, 20:10:37] - BHO 2: {052435E8-FC7B-4132-ABFD-529371BBF547} (MSEvents Object)
[03/27/2007, 20:10:37] - ALERT: Found MSEvents Object!
[03/27/2007, 20:10:37] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/27/2007, 20:10:37] - BHO 4: {37E259FD-DE11-4660-8374-08E78B5E9F12} (MSEvents Object)
[03/27/2007, 20:10:37] - ALERT: Found MSEvents Object!
[03/27/2007, 20:10:37] - BHO 5: {4F0388F6-7635-4CD6-8B10-82DF3379386D} ()
[03/27/2007, 20:10:37] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:10:37] - Checking for HKLM\...\Winlogon\Notify\fcccyxv
[03/27/2007, 20:10:37] - Found: HKLM\...\Winlogon\Notify\fcccyxv - This is probably Virtumundo.
[03/27/2007, 20:10:37] - Assigning {4F0388F6-7635-4CD6-8B10-82DF3379386D} MSEvents Object
[03/27/2007, 20:10:37] - BHO list has been changed! Starting over...
[03/27/2007, 20:10:37] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/27/2007, 20:10:37] - BHO 2: {052435E8-FC7B-4132-ABFD-529371BBF547} (MSEvents Object)
[03/27/2007, 20:10:37] - ALERT: Found MSEvents Object!
[03/27/2007, 20:10:38] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/27/2007, 20:10:38] - BHO 4: {37E259FD-DE11-4660-8374-08E78B5E9F12} (MSEvents Object)
[03/27/2007, 20:10:38] - ALERT: Found MSEvents Object!
[03/27/2007, 20:10:38] - BHO 5: {4F0388F6-7635-4CD6-8B10-82DF3379386D} (MSEvents Object)
[03/27/2007, 20:10:38] - ALERT: Found MSEvents Object!
[03/27/2007, 20:10:38] - BHO 6: {57E218E6-5A80-4f0c-AB25-83598F25D7E9} ()
[03/27/2007, 20:10:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:10:38] - Checking for HKLM\...\Winlogon\Notify\tnfsiplc
[03/27/2007, 20:10:38] - Key not found: HKLM\...\Winlogon\Notify\tnfsiplc, continuing.
[03/27/2007, 20:10:38] - BHO 7: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[03/27/2007, 20:10:38] - BHO 8: {75523EB1-EE17-45B0-B0BD-E6597D431421} ()
[03/27/2007, 20:10:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:10:38] - Checking for HKLM\...\Winlogon\Notify\awvvv
[03/27/2007, 20:10:38] - Key not found: HKLM\...\Winlogon\Notify\awvvv, continuing.
[03/27/2007, 20:10:38] - BHO 9: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/27/2007, 20:10:38] - BHO 10: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[03/27/2007, 20:10:38] - BHO 11: {B2131893-D43B-44C7-BE38-85B704F15307} ()
[03/27/2007, 20:10:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:10:38] - Checking for HKLM\...\Winlogon\Notify\pmkjh
[03/27/2007, 20:10:38] - Found: HKLM\...\Winlogon\Notify\pmkjh - This is probably Virtumundo.
[03/27/2007, 20:10:38] - Assigning {B2131893-D43B-44C7-BE38-85B704F15307} MSEvents Object
[03/27/2007, 20:10:38] - BHO list has been changed! Starting over...
[03/27/2007, 20:10:38] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/27/2007, 20:10:38] - BHO 2: {052435E8-FC7B-4132-ABFD-529371BBF547} (MSEvents Object)
[03/27/2007, 20:10:38] - ALERT: Found MSEvents Object!
[03/27/2007, 20:10:38] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/27/2007, 20:10:38] - BHO 4: {37E259FD-DE11-4660-8374-08E78B5E9F12} (MSEvents Object)
[03/27/2007, 20:10:38] - ALERT: Found MSEvents Object!
[03/27/2007, 20:10:38] - BHO 5: {4F0388F6-7635-4CD6-8B10-82DF3379386D} (MSEvents Object)
[03/27/2007, 20:10:38] - ALERT: Found MSEvents Object!
[03/27/2007, 20:10:38] - BHO 6: {57E218E6-5A80-4f0c-AB25-83598F25D7E9} ()
[03/27/2007, 20:10:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:10:38] - Checking for HKLM\...\Winlogon\Notify\tnfsiplc
[03/27/2007, 20:10:38] - Key not found: HKLM\...\Winlogon\Notify\tnfsiplc, continuing.
[03/27/2007, 20:10:38] - BHO 7: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[03/27/2007, 20:10:38] - BHO 8: {75523EB1-EE17-45B0-B0BD-E6597D431421} ()
[03/27/2007, 20:10:38] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:10:38] - Checking for HKLM\...\Winlogon\Notify\awvvv
[03/27/2007, 20:10:38] - Key not found: HKLM\...\Winlogon\Notify\awvvv, continuing.
[03/27/2007, 20:10:38] - BHO 9: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/27/2007, 20:10:38] - BHO 10: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[03/27/2007, 20:10:38] - BHO 11: {B2131893-D43B-44C7-BE38-85B704F15307} (MSEvents Object)
[03/27/2007, 20:10:38] - ALERT: Found MSEvents Object!
[03/27/2007, 20:10:38] - Finished Searching Browser Helper Objects
[03/27/2007, 20:10:38] - *** Detected MSEvents Object
[03/27/2007, 20:10:38] - Trying to remove MSEvents Object...
[03/27/2007, 20:10:39] - Terminating Process: IEXPLORE.EXE
[03/27/2007, 20:10:39] - Terminating Process: RUNDLL32.EXE
[03/27/2007, 20:10:39] - Disabling Automatic Shell Restart
[03/27/2007, 20:10:39] - Terminating Process: EXPLORER.EXE
[03/27/2007, 20:12:06] - Suspending the NT Session Manager System Service
[03/27/2007, 20:12:06] - Terminating Windows NT Logon/Logoff Manager
[03/27/2007, 20:17:08] - Re-enabling Automatic Shell Restart
[03/27/2007, 20:17:08] - File to disable: C:\WINDOWS\system32\pmkjh.dll
[03/27/2007, 20:17:08] - Renaming C:\WINDOWS\system32\pmkjh.dll -> C:\WINDOWS\system32\pmkjh.dll.vir
[03/27/2007, 20:17:09] - File successfully renamed!
[03/27/2007, 20:17:09] - Removing HKLM\...\Browser Helper Objects\{052435E8-FC7B-4132-ABFD-529371BBF547}
[03/27/2007, 20:17:09] - Removing HKCR\CLSID\{052435E8-FC7B-4132-ABFD-529371BBF547}
[03/27/2007, 20:17:09] - Adding Kill Bit for ActiveX for GUID: {052435E8-FC7B-4132-ABFD-529371BBF547}
[03/27/2007, 20:17:09] - Deleting ATLEvents/MSEvents Registry entries
[03/27/2007, 20:17:09] - Removing HKLM\...\Winlogon\Notify\pmkjh
[03/27/2007, 20:17:09] - Searching for Browser Helper Objects:
[03/27/2007, 20:17:09] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/27/2007, 20:17:09] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/27/2007, 20:17:09] - BHO 3: {37E259FD-DE11-4660-8374-08E78B5E9F12} (MSEvents Object)
[03/27/2007, 20:17:09] - ALERT: Found MSEvents Object!
[03/27/2007, 20:17:09] - BHO 4: {4F0388F6-7635-4CD6-8B10-82DF3379386D} (MSEvents Object)
[03/27/2007, 20:17:09] - ALERT: Found MSEvents Object!
[03/27/2007, 20:17:09] - BHO 5: {57E218E6-5A80-4f0c-AB25-83598F25D7E9} ()
[03/27/2007, 20:17:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:17:09] - Checking for HKLM\...\Winlogon\Notify\tnfsiplc
[03/27/2007, 20:17:09] - Key not found: HKLM\...\Winlogon\Notify\tnfsiplc, continuing.
[03/27/2007, 20:17:09] - BHO 6: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[03/27/2007, 20:17:09] - BHO 7: {75523EB1-EE17-45B0-B0BD-E6597D431421} ()
[03/27/2007, 20:17:09] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:17:09] - Checking for HKLM\...\Winlogon\Notify\awvvv
[03/27/2007, 20:17:09] - Key not found: HKLM\...\Winlogon\Notify\awvvv, continuing.
[03/27/2007, 20:17:09] - BHO 8: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/27/2007, 20:17:09] - BHO 9: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[03/27/2007, 20:17:09] - BHO 10: {B2131893-D43B-44C7-BE38-85B704F15307} (MSEvents Object)
[03/27/2007, 20:17:09] - ALERT: Found MSEvents Object!
[03/27/2007, 20:17:09] - Finished Searching Browser Helper Objects
[03/27/2007, 20:17:09] - *** Detected MSEvents Object
[03/27/2007, 20:17:09] - Trying to remove MSEvents Object...
[03/27/2007, 20:17:10] - Terminating Process: IEXPLORE.EXE
[03/27/2007, 20:17:11] - Terminating Process: RUNDLL32.EXE
[03/27/2007, 20:17:11] - Disabling Automatic Shell Restart
[03/27/2007, 20:17:11] - Terminating Process: EXPLORER.EXE
[03/27/2007, 20:17:11] - Suspending the NT Session Manager System Service
[03/27/2007, 20:17:11] - Terminating Windows NT Logon/Logoff Manager
[03/27/2007, 20:17:11] - Re-enabling Automatic Shell Restart
[03/27/2007, 20:17:11] - File to disable: C:\WINDOWS\system32\pmkjh.dll
[03/27/2007, 20:17:11] - Removing HKLM\...\Browser Helper Objects\{37E259FD-DE11-4660-8374-08E78B5E9F12}
[03/27/2007, 20:17:11] - Removing HKCR\CLSID\{37E259FD-DE11-4660-8374-08E78B5E9F12}
[03/27/2007, 20:17:11] - Adding Kill Bit for ActiveX for GUID: {37E259FD-DE11-4660-8374-08E78B5E9F12}
[03/27/2007, 20:17:11] - Deleting ATLEvents/MSEvents Registry entries
[03/27/2007, 20:17:11] - Removing HKLM\...\Winlogon\Notify\pmkjh
[03/27/2007, 20:17:11] - Searching for Browser Helper Objects:
[03/27/2007, 20:17:11] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/27/2007, 20:17:11] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/27/2007, 20:17:11] - BHO 3: {4F0388F6-7635-4CD6-8B10-82DF3379386D} (MSEvents Object)
[03/27/2007, 20:17:11] - ALERT: Found MSEvents Object!
[03/27/2007, 20:17:11] - BHO 4: {57E218E6-5A80-4f0c-AB25-83598F25D7E9} ()
[03/27/2007, 20:17:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:17:11] - Checking for HKLM\...\Winlogon\Notify\tnfsiplc
[03/27/2007, 20:17:11] - Key not found: HKLM\...\Winlogon\Notify\tnfsiplc, continuing.
[03/27/2007, 20:17:11] - BHO 5: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[03/27/2007, 20:17:11] - BHO 6: {75523EB1-EE17-45B0-B0BD-E6597D431421} ()
[03/27/2007, 20:17:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:17:11] - Checking for HKLM\...\Winlogon\Notify\awvvv
[03/27/2007, 20:17:11] - Key not found: HKLM\...\Winlogon\Notify\awvvv, continuing.
[03/27/2007, 20:17:11] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/27/2007, 20:17:11] - BHO 8: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[03/27/2007, 20:17:11] - BHO 9: {B2131893-D43B-44C7-BE38-85B704F15307} (MSEvents Object)
[03/27/2007, 20:17:11] - ALERT: Found MSEvents Object!
[03/27/2007, 20:17:11] - Finished Searching Browser Helper Objects
[03/27/2007, 20:17:11] - *** Detected MSEvents Object
[03/27/2007, 20:17:11] - Trying to remove MSEvents Object...
[03/27/2007, 20:17:12] - Terminating Process: IEXPLORE.EXE
[03/27/2007, 20:17:12] - Terminating Process: RUNDLL32.EXE
[03/27/2007, 20:17:12] - Disabling Automatic Shell Restart
[03/27/2007, 20:17:12] - Terminating Process: EXPLORER.EXE
[03/27/2007, 20:17:12] - Suspending the NT Session Manager System Service
[03/27/2007, 20:17:12] - Terminating Windows NT Logon/Logoff Manager
[03/27/2007, 20:17:12] - Re-enabling Automatic Shell Restart
[03/27/2007, 20:17:12] - File to disable: C:\WINDOWS\system32\fcccyxv.dll
[03/27/2007, 20:17:12] - Renaming C:\WINDOWS\system32\fcccyxv.dll -> C:\WINDOWS\system32\fcccyxv.dll.vir
[03/27/2007, 20:17:12] - File successfully renamed!
[03/27/2007, 20:17:12] - Removing HKLM\...\Browser Helper Objects\{4F0388F6-7635-4CD6-8B10-82DF3379386D}
[03/27/2007, 20:17:12] - Removing HKCR\CLSID\{4F0388F6-7635-4CD6-8B10-82DF3379386D}
[03/27/2007, 20:17:12] - Adding Kill Bit for ActiveX for GUID: {4F0388F6-7635-4CD6-8B10-82DF3379386D}
[03/27/2007, 20:17:12] - Deleting ATLEvents/MSEvents Registry entries
[03/27/2007, 20:17:12] - Removing HKLM\...\Winlogon\Notify\fcccyxv
[03/27/2007, 20:17:12] - Searching for Browser Helper Objects:
[03/27/2007, 20:17:12] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/27/2007, 20:17:12] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/27/2007, 20:17:12] - BHO 3: {57E218E6-5A80-4f0c-AB25-83598F25D7E9} ()
[03/27/2007, 20:17:12] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:17:12] - Checking for HKLM\...\Winlogon\Notify\tnfsiplc
[03/27/2007, 20:17:12] - Key not found: HKLM\...\Winlogon\Notify\tnfsiplc, continuing.
[03/27/2007, 20:17:13] - BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[03/27/2007, 20:17:13] - BHO 5: {75523EB1-EE17-45B0-B0BD-E6597D431421} ()
[03/27/2007, 20:17:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:17:13] - Checking for HKLM\...\Winlogon\Notify\awvvv
[03/27/2007, 20:17:13] - Key not found: HKLM\...\Winlogon\Notify\awvvv, continuing.
[03/27/2007, 20:17:13] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/27/2007, 20:17:13] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[03/27/2007, 20:17:13] - BHO 8: {B2131893-D43B-44C7-BE38-85B704F15307} (MSEvents Object)
[03/27/2007, 20:17:13] - ALERT: Found MSEvents Object!
[03/27/2007, 20:17:13] - Finished Searching Browser Helper Objects
[03/27/2007, 20:17:13] - *** Detected MSEvents Object
[03/27/2007, 20:17:13] - Trying to remove MSEvents Object...
[03/27/2007, 20:17:14] - Terminating Process: IEXPLORE.EXE
[03/27/2007, 20:17:14] - Terminating Process: RUNDLL32.EXE
[03/27/2007, 20:17:14] - Disabling Automatic Shell Restart
[03/27/2007, 20:17:14] - Terminating Process: EXPLORER.EXE
[03/27/2007, 20:17:14] - Suspending the NT Session Manager System Service
[03/27/2007, 20:17:14] - Terminating Windows NT Logon/Logoff Manager
[03/27/2007, 20:17:14] - Re-enabling Automatic Shell Restart
[03/27/2007, 20:17:14] - File to disable: C:\WINDOWS\system32\pmkjh.dll
[03/27/2007, 20:17:14] - Removing HKLM\...\Browser Helper Objects\{B2131893-D43B-44C7-BE38-85B704F15307}
[03/27/2007, 20:17:14] - Removing HKCR\CLSID\{B2131893-D43B-44C7-BE38-85B704F15307}
[03/27/2007, 20:17:14] - Adding Kill Bit for ActiveX for GUID: {B2131893-D43B-44C7-BE38-85B704F15307}
[03/27/2007, 20:17:14] - Deleting ATLEvents/MSEvents Registry entries
[03/27/2007, 20:17:14] - Removing HKLM\...\Winlogon\Notify\pmkjh
[03/27/2007, 20:17:14] - Searching for Browser Helper Objects:
[03/27/2007, 20:17:14] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/27/2007, 20:17:14] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/27/2007, 20:17:14] - BHO 3: {57E218E6-5A80-4f0c-AB25-83598F25D7E9} ()
[03/27/2007, 20:17:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:17:14] - Checking for HKLM\...\Winlogon\Notify\tnfsiplc
[03/27/2007, 20:17:14] - Key not found: HKLM\...\Winlogon\Notify\tnfsiplc, continuing.
[03/27/2007, 20:17:14] - BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[03/27/2007, 20:17:14] - BHO 5: {75523EB1-EE17-45B0-B0BD-E6597D431421} ()
[03/27/2007, 20:17:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/27/2007, 20:17:14] - Checking for HKLM\...\Winlogon\Notify\awvvv
[03/27/2007, 20:17:14] - Key not found: HKLM\...\Winlogon\Notify\awvvv, continuing.
[03/27/2007, 20:17:14] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/27/2007, 20:17:14] - BHO 7: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[03/27/2007, 20:17:14] - Finished Searching Browser Helper Objects
[03/27/2007, 20:17:14] - Finishing up...
[03/27/2007, 20:17:14] - A restart is needed.
[03/27/2007, 20:19:30] - Attempting to Restart via STOP error (Blue Screen!)
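The correlation that the VirtumundoBeGone log above shows (a BHO with no default name is checked against a Winlogon\Notify subkey of the same name as its DLL) and the O2/O20 pairs listed for fixing in reply #2, as an added Python example that is not part of this thread or of either tool. The sample log lines are constructed from entries quoted in this thread; the verdict strings and the `fix_list` helper are my own.

```python
"""Correlate HijackThis O2 (BHO) and O20 (Winlogon Notify) entries the way
the VirtumundoBeGone log shows it being done: a BHO with no default name whose
DLL file stem matches a Winlogon\\Notify subkey is reported as a probable
Vundo pair, and the two lines that belong together are collected for review."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed sample: entries quoted in this thread plus two benign lines
# (a named BHO and a legitimate rundll32 loader) so the heuristic has negatives.
SAMPLE_HJT = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {052435E8-FC7B-4132-ABFD-529371BBF547} - C:\WINDOWS\system32\pmkjh.dll
O2 - BHO: (no name) - {4F0388F6-7635-4CD6-8B10-82DF3379386D} - C:\WINDOWS\system32\fcccyxv.dll
O2 - BHO: (no name) - {75523EB1-EE17-45B0-B0BD-E6597D431421} - C:\WINDOWS\system32\awvvv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: fcccyxv - C:\WINDOWS\SYSTEM32\fcccyxv.dll
O20 - Winlogon Notify: pmkjh - C:\WINDOWS\system32\pmkjh.dll
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


@dataclass
class Bho:
    name: str
    clsid: str
    path: str
    file_missing: bool
    raw: str


@dataclass
class Finding:
    clsid: str
    dll: str
    notify_key: Optional[str]   # Winlogon\Notify subkey name, if one matched
    verdict: str
    fix_lines: List[str] = field(default_factory=list)


def parse(hjt_text: str) -> Tuple[List[Bho], Dict[str, str]]:
    """Return the O2 entries and a map of lower-cased Notify key -> raw O20 line."""
    bhos: List[Bho] = []
    notify: Dict[str, str] = {}
    for raw in hjt_text.strip().splitlines():
        raw = raw.strip()
        m = O2_RE.match(raw)
        if m:
            bhos.append(Bho(m["name"], m["clsid"].upper(), m["path"],
                            m["missing"] is not None, raw))
            continue
        m = O20_RE.match(raw)
        if m:
            notify[m["key"].lower()] = raw
    return bhos, notify


def correlate(hjt_text: str) -> List[Finding]:
    """Apply the nameless-BHO / Winlogon-Notify heuristic to every O2 entry."""
    bhos, notify = parse(hjt_text)
    findings: List[Finding] = []
    for b in bhos:
        if b.name != "(no name)":
            continue  # the heuristic only looks at BHOs without a default name
        stem = PureWindowsPath(b.path).stem.lower()  # pmkjh.dll -> pmkjh
        if stem in notify:
            findings.append(Finding(
                b.clsid, b.path, stem,
                "probably Virtumundo: BHO DLL is also registered as Winlogon Notify",
                [b.raw, notify[stem]]))
        elif b.file_missing:
            findings.append(Finding(
                b.clsid, b.path, None,
                "orphan: nameless BHO whose DLL is missing", [b.raw]))
        else:
            findings.append(Finding(
                b.clsid, b.path, None,
                "nameless BHO with no Winlogon reference; review manually"))
    return findings


def fix_list(hjt_text: str) -> List[str]:
    """HijackThis lines to tick, grouped per finding, without duplicates."""
    lines: List[str] = []
    for f in correlate(hjt_text):
        for line in f.fix_lines:
            if line not in lines:
                lines.append(line)
    return lines


if __name__ == "__main__":
    for f in correlate(SAMPLE_HJT):
        print(f"{f.clsid}  {f.dll}\n    {f.verdict}")
    print("\nLines to fix:")
    for line in fix_list(SAMPLE_HJT):
        print("  " + line)
```

The O4 rundll32 loader in the helper's list is outside this O2/O20 heuristic and has to be judged on its own.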

#4 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 28 March 2007 - 03:31 AM

Hi,

Your log looks clean again. How are things running now?

#5 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 April 2007 - 04:55 PM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



