VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 5:06:32 PM 7/21/2007
Listing files found while scanning....
C:\windows\system32\butoxarl.exe
C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\oveasjxw.ini
C:\windows\system32\rfyjptxt.dll
C:\WINDOWS\system32\tmutpjnk.dll
C:\windows\system32\txtpjyfr.ini
C:\windows\system32\vmwufrwv.exe
C:\windows\system32\wqodxuvj.exe
C:\WINDOWS\system32\wxjsaevo.dll
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.bak2
C:\WINDOWS\system32\yycdd.ini
Beginning removal...

VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 10:50:47 AM 7/22/2007
Listing files found while scanning....
C:\windows\system32\butoxarl.exe
C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\oveasjxw.ini
C:\windows\system32\rfyjptxt.dll
C:\WINDOWS\system32\tmutpjnk.dll
C:\windows\system32\txtpjyfr.ini
C:\windows\system32\vmwufrwv.exe
C:\windows\system32\wqodxuvj.exe
C:\WINDOWS\system32\wxjsaevo.dll
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.bak2
C:\WINDOWS\system32\yycdd.ini
Beginning removal...
Attempting to delete C:\windows\system32\butoxarl.exe
C:\windows\system32\butoxarl.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\oveasjxw.ini
C:\WINDOWS\system32\oveasjxw.ini Has been deleted!
Attempting to delete C:\windows\system32\rfyjptxt.dll
C:\windows\system32\rfyjptxt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tmutpjnk.dll
C:\WINDOWS\system32\tmutpjnk.dll Has been deleted!
Attempting to delete C:\windows\system32\txtpjyfr.ini
C:\windows\system32\txtpjyfr.ini Has been deleted!
Attempting to delete C:\windows\system32\vmwufrwv.exe
C:\windows\system32\vmwufrwv.exe Has been deleted!
Attempting to delete C:\windows\system32\wqodxuvj.exe
C:\windows\system32\wqodxuvj.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\wxjsaevo.dll
C:\WINDOWS\system32\wxjsaevo.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\yycdd.bak2
C:\WINDOWS\system32\yycdd.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\yycdd.ini
C:\WINDOWS\system32\yycdd.ini Has been deleted!
Performing Repairs to the registry.
Done!

But Spybot still detected Virtumonde after this... so here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:39:39 AM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\GRBakPro\GRSrv.exe
C:\WINDOWS\system32\Hummbird\inetd32.exe
C:\Program Files\GRBakPro\GRBakPro.exe
C:\Program Files\epoagent\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\oracle\ora9iclient\bin\omtsreco.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\epoagent\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Stickit\STICKIT.EXE
C:\Program Files\Stickit\STICKIT.EXE
C:\Program Files\Stickit\STICKIT.EXE
C:\Documents and Settings\mjmurray\Desktop\stuff\Programs\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cs.na.baesystems.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cs.na.baesystems.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B96C097C-09F0-47A7-B519-3954328AFC03} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINDOWS\system32\nnnnmnn.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\tb2logon.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\epoagent\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Startup: StickIt Note Launcher.lnk = C:\Program Files\Stickit\StickIt Launcher.exe
O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
O4 - Global Startup: AboutTime.lnk = C:\Program Files\AboutTime\ABOUTTIM.EXE
O4 - Global Startup: PGPtray.exe.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\pgplsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cs.na.baesystems.com
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/games/ ... /et3_x.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se8300.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.3.1_01) - http://windch01.cs.na.baesystems.com/Wi ... 1a-win.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://baesystems.webex.com/client/v_m ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bluelnk.net
O17 - HKLM\Software\..\Telephony: DomainName = bluelnk.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bluelnk.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bluelnk.net,cs.na.baesystems.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bluelnk.net,cs.na.baesystems.com
O20 - AppInit_DLLs: PGPmapih.dll
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll (file missing)
O20 - Winlogon Notify: nnnnmnn - nnnnmnn.dll (file missing)
O20 - Winlogon Notify: Timbuktu Pro - C:\Program Files\Timbuktu Pro\Hook32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GRBackPro (GRBackProGRSrv.exe) - Unknown owner - C:\Program Files\GRBakPro\GRSrv.exe" GRBackProGRSrv.exe (file missing)
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\system32\Hummbird\inetd32.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\epoagent\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: OCS INVENTORY SERVICE (OCS INVENTORY) - PJ Naughter - C:\Program Files\OCS Inventory Agent\ocsservice.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora9iclient\bin\omtsreco.exe
O23 - Service: Oracleora9iclientClientCache - Unknown owner - C:\oracle\ora9iclient\BIN\ONRSD.EXE
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Any suggestions????
Thanks,
Mike