More virtumondo help


Hahn

I have gone to the page that is supposed to have the removal help for virtumondo, but it does not seem to be working for me. First of all, I don't seem to have all of the lines listed there to remove. Although MS AntiSpy says I have virtumondo, I don't have a line with an O20 - Winlogon that matches the line O2 - BHO: MSEvents Object, and I have no lines with anything that says repair, or any lines for that matter that start with O20 or Winlogon Notify:. So how can I get rid of this thing? And just as a sidebar, if MS AntiSpy can find it, why can't it get rid of it? Here is my HijackThis log; maybe someone can tell me what I'm missing.


Logfile of HijackThis v1.99.0
Scan saved at 2:31:34 PM, on 10/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\TOMHAH~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\gebca.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_dvd/downloads/iaieplay.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

AndyManchesta

Hi there. You do have the Vundo infection (Virtumonde), but it's not added itself to the Winlogon/Notify key, which would have shown as an O20 entry in HijackThis. We could use VundoFix, but I'm not sure it's required here with it just being entered as a BHO entry.

Let's try it this way first

Download Killbox

http://www.downloads.subratam.org/KillBox.zip

Unzip it to the desktop but do NOT run it yet.

Download HijackThis again, but this time save it to the desktop or the C: drive, as it's in your temp folders at the moment and we will be clearing them later. (You could move it from temp, but it may be easier to download it again.)

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Copy this to Notepad so you can view it in Safe Mode.

Then please reboot into Safe Mode by restarting your computer and
pressing F8 as your computer is booting up. Then select the Safe Mode
option.

Once in Safe Mode, please run Killbox.

Click "Delete on Reboot".
Paste the following into the top "Full Path of File to Delete" box.

C:\WINDOWS\system32\gebca.dll

It should then show written in Blue below.

Click "Unregister .dll Before Deleting"

Click the red circle with a white X "Delete File" button
Click "Yes" at the Delete on Reboot prompt.
Click "No" at the Pending Operations prompt.


In Safe Mode, run HijackThis again and check these entries:

R3 - Default URLSearchHook is missing

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\gebca.dll

With the above checked and all other browser windows closed press
"Fix Checked"

Run MS Antispy on a full system scan and remove anything found

Next clear Temp files

Go to the Start menu, choose Run and type

cleanmgr

press Enter, place checks next to Temporary Files, then press OK.


Reboot back to Normal Mode

Run a Virus scan here

http://www.pandasoftware.com/activescan/

After the scan finishes, save the logfile in case you need more help with this.


Let us know if you have any problems

Regards

Andy
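As an added example (not from either poster in this thread), here is a small Python script that reads HijackThis-style log lines and applies the two checks the reply above makes by eye: an O2 BHO whose DLL sits directly in system32 rather than in a product directory (the gebca.dll case), and the O20 Winlogon Notify hook that the reply says the infection did not add here. The regexes, the triage rules and the O20 sample line are my assumptions; the R1, R3 and O2 sample lines are copied from the posted log.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis 1.99 format. The R1, R3 and O2 lines are
# taken from the log posted in this thread; the O20 line is hypothetical, of
# the form the reply says the infection would have produced had it also
# hooked Winlogon.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\gebca.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O20 - Winlogon Notify: gebca - C:\WINDOWS\system32\gebca.dll
"""

# Entry shapes for the two load points this thread turns on (my reading of the format).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
# A DLL sitting directly in system32, not in a product subdirectory such as system32\dla\.
BARE_SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$")
URLSEARCHHOOK_MISSING = "R3 - Default URLSearchHook is missing"


def parse_load_points(log_text):
    """Map each DLL path (lower-cased) to the load points that reference it,
    as (entry kind, display name, CLSID or '') tuples."""
    load_points = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            load_points[m["path"].lower()].append(("O2 BHO", m["name"], m["clsid"]))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            load_points[m["path"].lower()].append(("O20 Winlogon Notify", m["name"], ""))
    return dict(load_points)


def find_suspect_dlls(log_text):
    """Triage heuristics (assumptions, not a signature database): flag a DLL that
    is a BHO loaded straight out of system32, that is registered at more than one
    load point, or that hooks Winlogon at all."""
    findings = []
    for path, points in parse_load_points(log_text).items():
        kinds = {kind for kind, _, _ in points}
        reasons = []
        if "O2 BHO" in kinds and BARE_SYSTEM32_RE.match(path):
            reasons.append("BHO loaded straight from system32 rather than a product directory")
        if len(points) > 1:
            reasons.append("same DLL registered at %d load points" % len(points))
        if "O20 Winlogon Notify" in kinds:
            reasons.append("registered as a Winlogon Notify package, so it also runs inside winlogon.exe")
        if reasons:
            findings.append({"path": path, "load_points": points, "reasons": reasons})
    return findings


def urlsearchhook_missing(log_text):
    """True when the log carries the R3 line the reply asks to be fixed."""
    return any(line.strip() == URLSEARCHHOOK_MISSING for line in log_text.splitlines())


def report(log_text):
    """Human-readable summary of what the checks found."""
    lines = []
    for f in find_suspect_dlls(log_text):
        lines.append(f["path"])
        for kind, name, clsid in f["load_points"]:
            lines.append("  load point: %s %r %s" % (kind, name, clsid))
        for reason in f["reasons"]:
            lines.append("  why: " + reason)
    if urlsearchhook_missing(log_text):
        lines.append("R3 URLSearchHook missing: fix in HijackThis as the reply describes")
    return "\n".join(lines) or "nothing flagged"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the sample above only gebca.dll is flagged, for all three reasons, while the DriveLetterAccess DLL in system32\dla\ passes the bare-system32 test. These are triage rules for reading a posted log, not a malware signature: a legitimate BHO can live in system32, so a hit means "look this DLL up", which is what the reply does, not "delete it".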
 
