Virtumonde Virus - explorer.exe crashes repeatedly



rpm5099
31-05-2008, 08:43 AM
Ok, I've tried to remove it with Spybot Search and Destroy, and I keep getting the same result when I restart, but it is recognizing the virtumonde.dll. I'm trying Ad-Aware because it claims it has a Virtumonde removal tool built into it, but so far it hasn't worked. I need to restart and try it in safe mode. I seem to have removed all of the malware except for the Virtumonde, which crashes HijackThis as soon as I get the log, so I don't know if it's complete. The explorer.exe crashing does not happen in safe mode. Here's the log that I was able to generate:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:52:24, on 5/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F81C2365-6A74-4247-BD57-D0FC684D3ABE}: NameServer = 192.168.100.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5198 bytes

Speedy Gonzales
31-05-2008, 09:05 AM
Run HJT again, tick these, then tick Fix checked.

Close browsers

O4 - HKLM\..\Run: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry

Did you use Nlite or something??

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

Uninstall all versions of Sun Java, yours is out of date. Link is in my sig.

Try Trojan Remover in my sig below. Install it, update it, then click on scan.

Then select all options under utilities.

Then open my computer / right mouse on c then scan with trojan remover.

See what it picks up

rpm5099
31-05-2008, 09:13 AM
Ok, I'm finishing a scan with Malwarebytes Anti-Malware that I picked up from another post on here. I'll run the HJT and remove those you just said, and complete the trojan removal program. I'll post the log from that as soon as it's complete.

rpm5099
31-05-2008, 09:14 AM
Oh, and yes, I had to use nLite to slipstream my RAID drivers because Windows setup kept hanging during the driver signing confirmation.

rpm5099
31-05-2008, 09:15 AM
Do I need to be in safe mode for these scans, btw? Can I use safe mode with networking to allow the scanning software to update itself? Thanks

Speedy Gonzales
31-05-2008, 09:19 AM
No, you should be able to tick these in normal windows

Although, if My Computer crashes in normal Windows, you'll have to scan with Trojan Remover in safe mode with networking.

Umm leave the entries under where I asked about Nlite then.

Not too sure if these can be ticked or not.

I've never had to slipstream SATA drivers. So, I've never seen those entries before in startup.

rpm5099
31-05-2008, 09:37 AM
The nLite entries are just for the initial Windows install and I'm pretty sure they aren't necessary, so I went ahead and got rid of them. Explorer.exe crashes regularly, so I'm running Trojan Remover in safe mode, but it's still restarting even in safe mode. I'll post again in a minute as soon as this trojan scan is complete.

Also, the one key you had me remove, is that related to the virtumonde virus? Thanks.

Speedy Gonzales
31-05-2008, 09:41 AM
Also, the one key you had me remove, is that related to the virtumonde virus? Thanks.

I have no idea what that entry did or does.

I've never seen that entry before either

Oops, if you've got anything made by creative, that 1st entry may belong to it

rpm5099
31-05-2008, 10:01 AM
This TR scan is taking forever; in the meantime, here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.14
Database version: 800

4:36:15 PM 5/30/2008
mbam-log-5-30-2008 (16-36-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 173194
Time elapsed: 29 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\mlJApQkj.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\rqRLfDUl.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljapqkj (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d0889446-e659-4d97-9f2e-ec809a906fe4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d0889446-e659-4d97-9f2e-ec809a906fe4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrlfdul -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mlJApQkj.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\rqRLfDUl.dll (Trojan.Vundo) -> Delete on reboot.

Speedy Gonzales
31-05-2008, 10:04 AM
Looks like that removed it; all you have to do is reboot.

rpm5099
31-05-2008, 10:06 AM
no, rebooted and still not removed. explorer still has continual restarts.

Speedy Gonzales
31-05-2008, 10:09 AM
Are we talking about my computer or internet explorer crashing?

They're different things.

rpm5099
31-05-2008, 10:14 AM
explorer.exe - entire desktop and taskbar. crashes, restarts itself, crashes again until it eventually stops restarting.

Speedy Gonzales
31-05-2008, 10:21 AM
Try clicking on the More Info, or Info link, whatever it's called, in the window that comes up when it crashes. Bottom right, I think.

Instead of closing it

That'll at least tell us what's crashing it.

Or go to control panel / admin tools / event viewer. Go to application / system (probably the 1st 1)

Find the entry / time it crashed. Dbl click on it. Click on the icon under the down arrow paste it here

rpm5099
31-05-2008, 11:39 AM
Well, I think Trojan Remover took care of it, but here are the logs just in case:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:49:30, on 5/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\jmy1.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\jmy1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - C:\WINDOWS\system32\mlJApQkj.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {2F585198-0585-426D-A821-CB8C1FA5E99F} - C:\WINDOWS\system32\mlJBqRKC.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {602F0220-1AF3-4869-8749-01DCC10AFB60} - C:\WINDOWS\system32\rqRLfDUl.dll (file missing)
O2 - BHO: (no name) - {65A24242-5104-493F-9449-8F5D7608C801} - C:\WINDOWS\system32\awtqqoMD.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {E32419F2-A132-4BBE-8392-B2761E396CD8} - C:\WINDOWS\system32\mlJDsRJc.dll (file missing)
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F81C2365-6A74-4247-BD57-D0FC684D3ABE}: NameServer = 192.168.100.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mlJApQkj - mlJApQkj.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5975 bytes
***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
5/30/2008 5:48:36 PM: Trojan Remover has been restarted
C:\WINDOWS\system32\mlJApQkj.dll - file ownership assigned to MAINTHEBRUCE\Robbie
C:\WINDOWS\system32\mlJApQkj.dll - RAW erasure required
C:\WINDOWS\system32\mlJApQkj.dll has been renamed to C:\WINDOWS\system32\mlJApQkj.dll.vir
5/30/2008 5:48:36 PM: Trojan Remover closed
************************************************************


***** TROJAN REMOVER HAS RESTARTED THE SYSTEM *****
5/30/2008 5:46:37 PM: Trojan Remover has been restarted
C:\WINDOWS\system32\mlJApQkj.dll - file ownership assigned to MAINTHEBRUCE\Robbie
--------------------------------------------------
The system must be restarted one more time to complete the file operations.
Trojan Remover is restarting the system.
--------------------------------------------------
5/30/2008 5:47:12 PM: Trojan Remover closed
************************************************************


***** DRIVE/DIRECTORY SCAN *****
Trojan Remover Ver 6.6.9.2533. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 4:46:53 PM 30 May 2008
Using Database v7012
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Robbie\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
PC appears to be in SAFE MODE with Network Support.

**************************************************

Carrying out scan on C:\
(including subdirectories)
Archive files will be EXCLUDED.
------------------------------
C:\Documents and Settings\Robbie\Local Settings\Temporary Internet Files\Content.IE5\A2TL4VVQ\css4[1] appears to contain: Adware.VrtuMonde
C:\Documents and Settings\Robbie\Local Settings\Temporary Internet Files\Content.IE5\A2TL4VVQ\css4[1] - file renamed to: C:\Documents and Settings\Robbie\Local Settings\Temporary Internet Files\Content.IE5\A2TL4VVQ\css4[1].vir
C:\WINDOWS\system32\mlJApQkj.dll appears to contain: Adware.VirtuMonde
C:\WINDOWS\system32\mlJApQkj.dll - file ownership assigned to: MAINTHEBRUCE\Robbie
C:\WINDOWS\system32\mlJApQkj.dll - file backed up to C:\WINDOWS\system32\mlJApQkj.dll.vir
C:\WINDOWS\system32\mlJApQkj.dll - file has been neutralised
C:\WINDOWS\system32\mlJApQkj.dll - file ownership assigned to: MAINTHEBRUCE\Robbie
Previously renamed file C:\WINDOWS\system32\mlJApQkj.dll.vir has been deleted
C:\WINDOWS\system32\mlJApQkj.dll - file ownership assigned to: MAINTHEBRUCE\Robbie
C:\WINDOWS\system32\mlJApQkj.dll - file backed up to C:\WINDOWS\system32\mlJApQkj.dll.vir
C:\WINDOWS\system32\mlJApQkj.dll - file has been neutralised
C:\WINDOWS\system32\mlJApQkj.dll - marked for renaming when the PC is restarted
C:\WINDOWS\system32\mlJBqRKC.dll appears to contain: Adware.VirtuMonde (Heuristic Detection)
C:\WINDOWS\system32\mlJBqRKC.dll - file renamed to: C:\WINDOWS\system32\mlJBqRKC.dll.vir
C:\WINDOWS\system32\CKRqBJlm.ini - HIDDEN and SYSTEM file attributes removed
C:\WINDOWS\system32\CKRqBJlm.ini, associated with Adware.VirtuMonde, has been deleted
C:\WINDOWS\system32\CKRqBJlm.ini2 - HIDDEN and SYSTEM file attributes removed
C:\WINDOWS\system32\CKRqBJlm.ini2, associated with Adware.VirtuMonde, has been deleted
C:\WINDOWS\system32\rqRLfDUl.dll appears to contain: Adware.VirtuMonde (Heuristic Detection)
C:\WINDOWS\system32\rqRLfDUl.dll - file renamed to: C:\WINDOWS\system32\rqRLfDUl.dll.vir
C:\WINDOWS\system32\lUDfLRqr.ini - HIDDEN and SYSTEM file attributes removed
C:\WINDOWS\system32\lUDfLRqr.ini, associated with Adware.VirtuMonde, has been deleted
C:\WINDOWS\system32\lUDfLRqr.ini2 - HIDDEN and SYSTEM file attributes removed
C:\WINDOWS\system32\lUDfLRqr.ini2, associated with Adware.VirtuMonde, has been deleted
------------------------------
71072 files scanned
4 Malware file(s) detected
Scan completed at: 5:43:48 PM 30 May 2008
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
5/30/2008 5:44:10 PM: restart commenced
************************************************************


***** WINDOWS EXPLORER POLICIES RESET *****
Trojan Remover Ver 6.6.9.2533. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 4:46:34 PM 30 May 2008
Using Database v7012
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Robbie\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
PC appears to be in SAFE MODE with Network Support.

**************************************************

Checking for HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- this key has been removed
----------
Checking for HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
- no action required on this key as it does not exist
Checking for HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
- no action required: value either does not exist or is set to False
Checking for HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103}
- no action required: value either does not exist or is set to False
----------
Checking for HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
- no action required on this key as it does not exist
----------
Checking Values in:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: DisallowRun - value does not exist, no action required
Value: NoActiveDesktopChanges - value does not exist, no action required
Value: NoActiveDesktop - not set, no action required
Value: NoFileMenu - value does not exist, no action required
Value: NoClose - value does not exist, no action required
Value: NoDesktop - value does not exist, no action required
Value: NoDrives - value does not exist, no action required
Value: NoFind - value does not exist, no action required
Value: NoFolderOptions - value does not exist, no action required
Value: NoRun - value does not exist, no action required
Value: NoFavoritesMenu - value does not exist, no action required
Value: NoRecentDocsMenu - value does not exist, no action required
Value: NoSetFolders - value does not exist, no action required
Value: NoControlPanel - value does not exist, no action required
Value: NoNetHood - value does not exist, no action required
Value: NoToolbarCustomize - value has been removed
----------
Checking Values in:
HKCU\Control Panel\Desktop
----------
Checking HKCU ActiveDesktop Policies:
----------
Checking HKCU Add/Remove Programs Policies:
----------
Checking for HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
- no action required on this key as it does not exist
----------
Checking Values in:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: DisallowRun - value does not exist, no action required
Value: NoActiveDesktopChanges - value does not exist, no action required
Value: NoActiveDesktop - not set, no action required
Value: NoFileMenu - value does not exist, no action required
Value: NoClose - value does not exist, no action required
Value: NoDesktop - value does not exist, no action required
Value: NoDrives - value does not exist, no action required
Value: NoFind - value does not exist, no action required
Value: NoFolderOptions - value does not exist, no action required
Value: NoRun - value does not exist, no action required
Value: NoFavoritesMenu - value does not exist, no action required
Value: NoRecentDocsMenu - value does not exist, no action required
Value: NoSetFolders - value does not exist, no action required
Value: NoControlPanel - value does not exist, no action required
Value: NoNetHood - value does not exist, no action required
Value: NoToolbarCustomize - value has been removed
----------
Checking HKLM ActiveDesktop Policies:
----------
Checking HKLM Add/Remove Programs Policies:
----------
************************************************************


***** LAYERED SERVICE PROVIDER CHECKS *****
Trojan Remover Ver 6.6.9.2533. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 4:46:30 PM 30 May 2008
Using Database v7012
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Robbie\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
PC appears to be in SAFE MODE with Network Support.

**************************************************

No errors were located in the Layered Service Provider Registry entries.
No action was taken.
************************************************************


***** WINDOWS UPDATE POLICIES RESET *****
Trojan Remover Ver 6.6.9.2533. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 4:46:23 PM 30 May 2008
Using Database v7012
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Robbie\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
PC appears to be in SAFE MODE with Network Support.

**************************************************

No invalid Windows Update Policies found to reset.
************************************************************


***** WINDOWS HOSTS FILE RESET *****
Trojan Remover Ver 6.6.9.2533. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 4:46:19 PM 30 May 2008
Using Database v7012
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Robbie\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
PC appears to be in SAFE MODE with Network Support.

**************************************************

C:\WINDOWS\system32\DRIVERS\ETC\HOSTS has been copied to C:\WINDOWS\system32\DRIVERS\ETC\HOSTS.TRB
The default HOSTS file was successfully reset.
************************************************************


***** INTERNET EXPLORER HOME/START/SEARCH PAGE AND POLICY RESTRICTIONS RESET ****
Trojan Remover Ver 6.6.9.2533. For information, email support@simplysup1.com
[Unregistered version]
Scan started at: 4:46:13 PM 30 May 2008
Using Database v7012
Operating System: Windows XP SP3 [Windows XP Professional Service Pack 3 (Build 2600)]
File System: NTFS
Data directory: C:\Documents and Settings\Robbie\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Robbie\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges


**************************************************
PC appears to be in SAFE MODE with Network Support.

**************************************************

Existing Home/Start/Search Page settings are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page":
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
These settings will now be reset to their defaults:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoToolbarCustomize" policy reset to default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoBandCustomize" policy reset to default
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\"www" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\"ftp" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\"gopher" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\"home" has been reset
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\"mosaic" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoToolbarCustomize" policy reset to default
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoBandCustomize" policy reset to default
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Local Page" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Show_FullURL" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Show_ToolBar" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Show_URLToolBar" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Show_StatusBar" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Show_URLinStatusBar" has been reset
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Window_Placement" has been reset
--------------------
************************************************************

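An added triage example for the logs in this thread (this script is mine, not part of the thread and not any of the tools' own code): it reads HijackThis lines and scores each load point on the signals the logs above exhibit, namely an unnamed O2 BHO, an O20 Winlogon Notify hook, a "(file missing)" module, an 8-letter mixed-case DLL name in system32, and the same name at more than one load point. The sample lines are constructed from the second HJT log, the reversed-name .ini pairing comes from the Trojan Remover log, and the scoring threshold is an assumption of mine, not any tool's rule.

```python
"""Score HijackThis log lines for the Vundo/Virtumonde persistence pattern seen in this thread."""
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2.0.2 format, copied from the second log in this thread
# (two Vundo BHOs, a Winlogon Notify hook for the same DLL, and four legitimate entries).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - C:\WINDOWS\system32\mlJApQkj.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {602F0220-1AF3-4869-8749-01DCC10AFB60} - C:\WINDOWS\system32\rqRLfDUl.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: mlJApQkj - mlJApQkj.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# "O2 - BHO: ..." -> the section code and the rest of the line
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# a module reference with or without its directory: "C:\WINDOWS\system32\mlJApQkj.dll" or "mlJApQkj.dll"
MODULE_RE = re.compile(r"(?:[A-Za-z]:\\[^\s,]*\\)?(?P<stem>[A-Za-z0-9_-]+)\.(?:dll|exe)\b", re.IGNORECASE)

SCORE_THRESHOLD = 2  # assumption: two independent signals are enough to list an entry for review


@dataclass
class Finding:
    section: str
    stem: str
    score: int
    reasons: list = field(default_factory=list)


def random_looking(stem: str) -> bool:
    """Eight letters with at least three upper/lower case switches: the naming pattern of the
    Vundo DLLs in this thread (mlJApQkj, rqRLfDUl, mlJBqRKC). A heuristic, so it misses some
    variants (awtqqoMD has a single switch) and must be combined with other signals."""
    if len(stem) != 8 or not stem.isalpha():
        return False
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return switches >= 3


def triage(log_text: str, threshold: int = SCORE_THRESHOLD) -> list:
    """Return the load points whose number of suspicious signals reaches the threshold."""
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        section, body = line.group("section"), line.group("body")
        modules = list(MODULE_RE.finditer(body))
        if not modules:
            continue
        stem = modules[-1].group("stem")  # the last module on the line is the one being loaded
        reasons = []
        if section == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("unnamed BHO")
        if section == "O20":
            reasons.append("Winlogon Notify hook")  # load point Malwarebytes also flagged above
        if "(file missing)" in body:
            reasons.append("file missing")
        if random_looking(stem):
            reasons.append("random-looking 8-letter name")
        if "\\system32\\" in body.lower():
            reasons.append("lives in system32")
        if len(reasons) >= threshold:
            findings.append(Finding(section, stem, len(reasons), reasons))
    return findings


def corroborate(findings: list) -> dict:
    """Map each flagged DLL name to the sections it appears in when there is more than one;
    in this thread mlJApQkj.dll was both an O2 BHO and the O20 Winlogon Notify handler."""
    sections = {}
    for f in findings:
        sections.setdefault(f.stem, set()).add(f.section)
    return {stem: sorted(secs) for stem, secs in sections.items() if len(secs) > 1}


def sidecar_names(stem: str) -> list:
    """Trojan Remover's log above pairs each Vundo DLL with hidden .ini/.ini2 files named with
    the DLL stem reversed (mlJBqRKC.dll <-> CKRqBJlm.ini); these are the companions to look for."""
    reversed_stem = stem[::-1]
    return [reversed_stem + ".ini", reversed_stem + ".ini2"]


if __name__ == "__main__":
    found = triage(SAMPLE_HJT_LOG)
    for f in found:
        print(f"{f.section:<4} {f.stem:<12} score={f.score}  ({', '.join(f.reasons)})")
    for stem, secs in corroborate(found).items():
        print(f"{stem}.dll is registered at {len(secs)} load points ({', '.join(secs)}); "
              f"check for {' and '.join(sidecar_names(stem))}")
```
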
rpm5099
31-05-2008, 11:42 AM
btw, there was no error reporting triggered by explorer.exe crashing; the shell would just disappear and come back continually. That has stopped, so it may be fixed. What do you guys think?

Pancake
31-05-2008, 11:44 AM
It's being run from the registry. This is a new season design Vundo...


Ok. We need to download ComboFix.exe. This will give a better view of the files running and also hidden on your computer, and also those in the registry.

Please visit this webpage for download links, and instructions for running ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.