
help me fix adware Virtumonde please

Discussion in 'Virus & Other Malware Removal' started by ptranced, Feb 21, 2008.

Thread Status:
Not open for further replies.
  1. ptranced

    ptranced Thread Starter

    Joined:
    Feb 21, 2008
    Messages:
    1
    hi guys ..
    I tried to remove it with Spybot - Search & Destroy and NOD32 ... but nothing ..
    both programs detect it and delete it .. but nothing .. Virtumonde is still in my PC ..
    help me .. 10x !

    I tried with VundoFix and found nothing !

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:45:31 PM, on 2/21/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Users\pmtranced\AppData\Local\Yahoo!\Messenger for Vista\Yahoo.Messenger.YmApp.exe
    C:\Program Files\Winamp\winamp.exe
    E:\Games\GG Platform\GGclient.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [5e86890f] rundll32.exe "C:\Windows\system32\ygccimkq.dll",b
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
    O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1C49565E-3196-4D54-AC4C-0DFFDAD678FA}: NameServer = 193.19.192.2,193.231.242.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1C49565E-3196-4D54-AC4C-0DFFDAD678FA}: NameServer = 193.19.192.2,193.231.242.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1C49565E-3196-4D54-AC4C-0DFFDAD678FA}: NameServer = 193.19.192.2,193.231.242.2
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

    --
    End of file - 3984 bytes

    I'M RUNNING WINDOWS VISTA HOME PREMIUM

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/21/2008 at 06:12 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3407
    Trace Rules Database Version: 1399

    Scan type : Complete Scan
    Total Scan Time : 00:58:13

    Memory items scanned : 486
    Memory threats detected : 1
    Registry items scanned : 6089
    Registry threats detected : 17
    File items scanned : 63070
    File threats detected : 18

    Adware.Vundo Variant/Resident
    C:\WINDOWS\SYSTEM32\KHHFF.DLL
    C:\WINDOWS\SYSTEM32\KHHFF.DLL

    Adware.Vundo-Variant/Small-A
    HKLM\Software\Classes\CLSID\{49cd93ef-9002-420c-ae60-88ed7a774b01}
    HKCR\CLSID\{49CD93EF-9002-420C-AE60-88ED7A774B01}
    HKCR\CLSID\{49CD93EF-9002-420C-AE60-88ED7A774B01}\InprocServer32
    HKCR\CLSID\{49CD93EF-9002-420C-AE60-88ED7A774B01}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\BSREPYEY.DLL
    HKLM\Software\Classes\CLSID\{62b18af4-13d9-48e9-9436-f69587302681}
    HKCR\CLSID\{62B18AF4-13D9-48E9-9436-F69587302681}
    HKCR\CLSID\{62B18AF4-13D9-48E9-9436-F69587302681}\InprocServer32
    HKCR\CLSID\{62B18AF4-13D9-48E9-9436-F69587302681}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\KEFIQPSK.DLL
    C:\WINDOWS\SYSTEM32\YGCCIMKQ.DLL
    C:\WINDOWS\SYSTEM32\YKIRISPT.DLL

    Adware.Vundo-Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C4C87DF-7025-4E77-B44F-EFCC0A592F21}
    HKCR\CLSID\{9C4C87DF-7025-4E77-B44F-EFCC0A592F21}
    HKCR\CLSID\{9C4C87DF-7025-4E77-B44F-EFCC0A592F21}\InprocServer32
    HKCR\CLSID\{9C4C87DF-7025-4E77-B44F-EFCC0A592F21}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF14ABBB-25BA-44C4-92AB-49029D59D466}
    HKCR\CLSID\{EF14ABBB-25BA-44C4-92AB-49029D59D466}
    HKCR\CLSID\{EF14ABBB-25BA-44C4-92AB-49029D59D466}\InprocServer32
    HKCR\CLSID\{EF14ABBB-25BA-44C4-92AB-49029D59D466}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\YAYVS.DLL

    Adware.Vundo Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{07C7156E-D651-4ACC-9AD3-498C916E9651}

    Adware.Tracking Cookie
    C:\Users\pmtranced\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
    C:\Users\pmtranced\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
    C:\Users\pmtranced\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
    C:\Users\pmtranced\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
    C:\Users\pmtranced\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][3].txt
    C:\Users\pmtranced\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
    C:\Users\pmtranced\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
    C:\Users\pmtranced\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
    C:\Users\pmtranced\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
    C:\Users\pmtranced\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
    C:\Users\pmtranced\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt

    Malware.SpywareNuker
    C:\WINDOWS\SYSTEM32\DRIVERS\PSHOOK11.SYS

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:29:04 PM, on 2/21/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16609)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\pmtranced\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {03EF7F44-929E-47CB-A05D-2A3D81B0613D} - (no file)
    O2 - BHO: (no name) - {1DC890DD-8EE8-43A2-8122-9E4A8748BEA0} - (no file)
    O2 - BHO: (no name) - {837382F0-7A44-4F20-A8BC-927A787BAB96} - C:\Windows\system32\khhff.dll (file missing)
    O2 - BHO: (no name) - {9C4C87DF-7025-4E77-B44F-EFCC0A592F21} - C:\Windows\system32\khhff.dll (file missing)
    O2 - BHO: (no name) - {BB97BDBE-D665-4D23-9F17-7170778A1290} - (no file)
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [5e86890f] rundll32.exe "C:\Windows\system32\ygccimkq.dll",b
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe (file missing)
    O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1C49565E-3196-4D54-AC4C-0DFFDAD678FA}: NameServer = 193.19.192.2,193.231.242.2
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1C49565E-3196-4D54-AC4C-0DFFDAD678FA}: NameServer = 193.19.192.2,193.231.242.2
    O17 - HKLM\System\CS2\Services\Tcpip\..\{1C49565E-3196-4D54-AC4C-0DFFDAD678FA}: NameServer = 193.19.192.2,193.231.242.2
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: runkgjcj - C:\Windows\
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
    O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

    --
    End of file - 4103 bytes
Short URL to this thread: https://techguy.org/685565