Free Malware Removal Forum

[milo607]

Thanks in advance...this has been driving me crazy. I've tried several scanners and it keeps coming back. I was able to get VundoFix to finally run in safe mode and here is the log:

VundoFix V6.5.6

Checking Java version...

Sun Java not detected
Scan started at 5:06:32 PM 7/21/2007

Listing files found while scanning....

C:\windows\system32\butoxarl.exe
C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\oveasjxw.ini
C:\windows\system32\rfyjptxt.dll
C:\WINDOWS\system32\tmutpjnk.dll
C:\windows\system32\txtpjyfr.ini
C:\windows\system32\vmwufrwv.exe
C:\windows\system32\wqodxuvj.exe
C:\WINDOWS\system32\wxjsaevo.dll
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.bak2
C:\WINDOWS\system32\yycdd.ini

Beginning removal...

VundoFix V6.5.6

Checking Java version...

Sun Java not detected
Scan started at 10:50:47 AM 7/22/2007

Listing files found while scanning....

C:\windows\system32\butoxarl.exe
C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\oveasjxw.ini
C:\windows\system32\rfyjptxt.dll
C:\WINDOWS\system32\tmutpjnk.dll
C:\windows\system32\txtpjyfr.ini
C:\windows\system32\vmwufrwv.exe
C:\windows\system32\wqodxuvj.exe
C:\WINDOWS\system32\wxjsaevo.dll
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.bak2
C:\WINDOWS\system32\yycdd.ini

Beginning removal...

Attempting to delete C:\windows\system32\butoxarl.exe
C:\windows\system32\butoxarl.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\oveasjxw.ini
C:\WINDOWS\system32\oveasjxw.ini Has been deleted!

Attempting to delete C:\windows\system32\rfyjptxt.dll
C:\windows\system32\rfyjptxt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmutpjnk.dll
C:\WINDOWS\system32\tmutpjnk.dll Has been deleted!

Attempting to delete C:\windows\system32\txtpjyfr.ini
C:\windows\system32\txtpjyfr.ini Has been deleted!

Attempting to delete C:\windows\system32\vmwufrwv.exe
C:\windows\system32\vmwufrwv.exe Has been deleted!

Attempting to delete C:\windows\system32\wqodxuvj.exe
C:\windows\system32\wqodxuvj.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wxjsaevo.dll
C:\WINDOWS\system32\wxjsaevo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yycdd.bak2
C:\WINDOWS\system32\yycdd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yycdd.ini
C:\WINDOWS\system32\yycdd.ini Has been deleted!

Performing Repairs to the registry.
Done!

But spybot still detected Virtumonde after this.... so here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:39:39 AM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\GRBakPro\GRSrv.exe
C:\WINDOWS\system32\Hummbird\inetd32.exe
C:\Program Files\GRBakPro\GRBakPro.exe
C:\Program Files\epoagent\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\oracle\ora9iclient\bin\omtsreco.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\epoagent\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Stickit\STICKIT.EXE
C:\Program Files\Stickit\STICKIT.EXE
C:\Program Files\Stickit\STICKIT.EXE
C:\Documents and Settings\mjmurray\Desktop\stuff\Programs\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cs.na.baesystems.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cs.na.baesystems.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B96C097C-09F0-47A7-B519-3954328AFC03} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\nnnnmnn.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\tb2logon.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\epoagent\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: StickIt Note Launcher.lnk = C:\Program Files\Stickit\StickIt Launcher.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: AboutTime.lnk = C:\Program Files\AboutTime\ABOUTTIM.EXE
O4 - Global Startup: PGPtray.exe.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cs.na.baesystems.com
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/ ... /et3_x.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se8300.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_01) - http://windch01.cs.na.baesystems.com/Wi ... 1a-win.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://baesystems.webex.com/client/v_m ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bluelnk.net
O17 - HKLM\Software\..\Telephony: DomainName = bluelnk.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bluelnk.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bluelnk.net,cs.na.baesystems.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bluelnk.net,cs.na.baesystems.com
O20 - AppInit_DLLs: PGPmapih.dll
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: nnnnmnn - nnnnmnn.dll (file missing)
O20 - Winlogon Notify: Timbuktu Pro - C:\Program Files\Timbuktu Pro\Hook32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GRBackPro (GRBackProGRSrv.exe) - Unknown owner - C:\Program Files\GRBakPro\GRSrv.exe" GRBackProGRSrv.exe (file missing)
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\system32\Hummbird\inetd32.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\epoagent\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - PJ Naughter - C:\Program Files\OCS Inventory Agent\ocsservice.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora9iclient\bin\omtsreco.exe
O23 - Service: Oracleora9iclientClientCache - Unknown owner - C:\oracle\ora9iclient\BIN\ONRSD.EXE
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Any suggestions????

Thanks,

Mike

[Navigator]

Hello Mike ...welcome to Malware Removal!

Spybot is probably seeing some remaining Vundo registry entries even though it appears that the Vundo files are missing (removed by VundoFix). We should be able to 'fix' this using HJT...we'll also check an AVG scan to see what it might find after cleaning out your temp files:

1. First download AVG anti-spyware (previously Ewido) from HERE and save that file to your desktop.
This is a 30 day trial of the program

• Once you have downloaded AVG anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
• Once the setup is complete you will need run AVG and update the definition files.
• On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
• Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
• Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
• Under "Reports"
  • Un-Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"

Close AVG anti-spyware, Do Not run a scan just yet, we will shortly.


2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Save it to your desktop, we will use it later.

3. Please re-open HiJackThis and choose scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {B96C097C-09F0-47A7-B519-3954328AFC03} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\nnnnmnn.dll (file missing)
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: nnnnmnn - nnnnmnn.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

4. Reboot into safe mode by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

5. Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

6. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:

• Lauch AVG-anti-spyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
• ewido will now begin the scanning process, be patient this may take a little time.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions"
• Next select the "Reports" icon at the top.
• Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
• Close AVG and reboot your system back into Normal Mode.

7. Post the results of the AVG report scan and a new HJT log for me to review...also let me know if Spybot still reports finding Vundo.

[NonSuch]

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.