resilient malware
#16
Posted 06 May 2006 - 12:09 AM
The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Join the ClassRoom and learn how.
Download Hijack This! My Website: UnSpyMe!
#17
Posted 06 May 2006 - 12:10 AM
#18
Posted 06 May 2006 - 12:40 AM
This is getting pretty involved.
Keep reading....
This is the only other way I know to kill this.
I've used this on a few hundred infections before FixVundo came along.
FOLLOW THE INSTRUCTIONS TO THE LETTER!!!
Step 1:
Please download Process Explorer by Sysinternals from:
Process Explorer
Also download/unzip KillBox by Option^Explicit from:
Killbox.zip
Step 2:
Download this file and save it where you can find it:
FixVundo Registry File
Copy/paste the text in the Quote box below into Notepad, and save it where you can find it as "killme.txt"
C:\WINDOWS\SYSTEM32\srutv.ini
C:\WINDOWS\SYSTEM32\vturs.dll
C:\WINDOWS\SYSTEM32\vtutu.dll
Step 3:
Print out the following instructions as you will not have Internet Access for the rest of this fix.
Reboot in "safe" mode.
The rest of this fix must be done in safe mode.
Unzip Process Explorer and double click on procexp.exe
In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen click on each instance of:
vturs.dll
once and then click the kill button.
After you have killed all of:
vturs.dll
under winlogon click OK.
If you see any of the files listed below, kill them as well.
Files to look for:
--------------------------
srutv.ini
vtutu.dll
BE SURE TO KILL ONLY THESE FILES!!!
Probably not all of them will be present. That is OK.
Next double-click on explorer.exe, select the Threads tab, and again click once on each instance of:
vturs.dll
then click the kill button.
If you see any of the files listed below kill them as well.
Files to look for:
--------------------------
srutv.ini
vtutu.dll
BE SURE TO KILL ONLY THESE FILES!!!
Probably not all of them will be present. That is OK.
Once you have done that click OK again.
If you see wrsssdk.exe in there, follow the same procedure for it as well.
Next run Hijack This! and place a check beside each of the following (if they are present):
O2 - BHO: (no name) - {B1117698-41FF-4257-9608-B54A4985E6FB} - C:\WINDOWS\system32\vturs.dll
O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll
Now click Fix checked and close HijackThis!
Now double-click on the vundo.reg file that you saved earlier and allow it to merge with the registry.
Step 4:
Find and open the "killme.txt" file with Notepad.
Then copy all the file names in "killme.txt" to the clipboard by highlighting them and pressing <Ctrl>C (hold the <Ctrl> key down, then press C).
Close "killme.txt".
Double click on Killbox.exe and then check the Delete on reboot button.
In Killbox, click File (in the upper left of Killbox), and choose "Paste from Clipboard".
Click the red dot with the white X in it, in the upper right of Killbox, then click "Yes", and "Yes" again.
After the reboot, "copy/paste" a new Hijack This! log file into this thread.
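The procedure in the post above has three moving parts: find which processes have the Vundo DLL mapped (the Process Explorer step), remove its two persistence hooks (the HijackThis O2 BHO and O20 Winlogon Notify lines), and delete the files at reboot because they cannot be deleted while winlogon.exe holds them (the KillBox "Delete on reboot" step). The script below is an added example, not the helper's or any tool's own code, that does the same checks from an elevated PowerShell session. It assumes the file names from killme.txt and the BHO CLSID from the O2 line above; the Winlogon Notify key is an XP-era mechanism that does not exist on Vista and later, so that check simply returns nothing on newer systems. Run it from a PowerShell of the same bitness as the OS or module enumeration of winlogon.exe fails.

```powershell
# Added example (not from the original thread). Triage for the Vundo-style
# persistence described above: loaded modules, registry hooks, delete-on-reboot.
# Run elevated. File names are from killme.txt; the CLSID is the O2 line in the post.
$SuspectFiles = @(
    'C:\WINDOWS\SYSTEM32\srutv.ini',
    'C:\WINDOWS\SYSTEM32\vturs.dll',
    'C:\WINDOWS\SYSTEM32\vtutu.dll'
)
$SuspectNames = $SuspectFiles | ForEach-Object { [IO.Path]::GetFileName($_) }
$SuspectClsid = '{B1117698-41FF-4257-9608-B54A4985E6FB}'

function Find-LoadedSuspects {
    # Process Explorer step: which suspect DLLs are mapped into winlogon.exe or
    # explorer.exe. A hit inside winlogon is the Winlogon Notify hook at work.
    foreach ($p in Get-Process -Name winlogon, explorer -ErrorAction SilentlyContinue) {
        foreach ($m in $p.Modules) {
            if ($SuspectNames -contains $m.ModuleName) {
                [pscustomobject]@{ Process = $p.ProcessName; Pid = $p.Id; Module = $m.FileName }
            }
        }
    }
}

function Find-RegistryPersistence {
    # O20: HKLM\...\Winlogon\Notify\<name> with a DLLName value (XP-era; absent on
    # Vista+, in which case Get-ChildItem returns nothing).
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    Get-ChildItem $notify -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DLLName
        if ($dll -and ($SuspectNames -contains [IO.Path]::GetFileName($dll))) {
            [pscustomobject]@{ Kind = 'WinlogonNotify'; Key = $_.PSChildName; Dll = $dll }
        }
    }
    # O2: BHO CLSIDs under Browser Helper Objects, resolved through HKCR\CLSID\...\InprocServer32.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem $bho -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll   = (Get-ItemProperty $srv -ErrorAction SilentlyContinue).'(default)'
        if ($clsid -eq $SuspectClsid -or ($dll -and ($SuspectNames -contains [IO.Path]::GetFileName($dll)))) {
            [pscustomobject]@{ Kind = 'BHO'; Key = $clsid; Dll = $dll }
        }
    }
}

function Register-DeleteOnReboot {
    param([string[]]$Paths)
    # What KillBox "Delete on reboot" does: MoveFileEx with a null destination and
    # MOVEFILE_DELAY_UNTIL_REBOOT (0x4). The session manager removes the file at the
    # next boot, before winlogon.exe or explorer.exe can map it again.
    $sig = '[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
            public static extern bool MoveFileEx(string src, string dst, int flags);'
    $k32 = Add-Type -MemberDefinition $sig -Name Kernel32 -Namespace VundoFix -PassThru
    foreach ($f in $Paths) {
        if (Test-Path -LiteralPath $f) {
            $ok = $k32::MoveFileEx($f, $null, 4)
            if ($ok) { "$f scheduled for deletion at reboot" }
            else     { "$f failed, Win32 error " + [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
        }
    }
}

Find-LoadedSuspects      | Format-Table -AutoSize
Find-RegistryPersistence | Format-Table -AutoSize
# Register-DeleteOnReboot -Paths $SuspectFiles   # only after the registry hooks above are removed
```

Order matters the same way it does in the post: remove the Notify subkey and the BHO key first (HijackThis "Fix checked" does exactly that), then schedule the deletion, otherwise the hooks re-create the files from a second copy on the next logon before the pending delete runs. The scheduled entries land in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, which is worth checking in a post-cleanup HijackThis log as well.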
#19
Posted 06 May 2006 - 01:21 AM
Logfile of HijackThis v1.99.1
Scan saved at 3:20:01 AM, on 5/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Your Name\Desktop\procexp.exe
C:\Documents and Settings\Your Name\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe (file missing)
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - C:\Program Files\CoralEurobetPoker\coraleurobetpoker.exe (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125533870578
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125533864625
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
#20
Posted 06 May 2006 - 07:13 AM
Send out an A.P.B..... VUNDO IS DEAD!!!!
Find and delete these files as well:
C:\WINDOWS\SYSTEM32\srutv.ini
C:\WINDOWS\SYSTEM32\vtutu.dll
Be sure to show hidden files when looking for these files.
The rest of the log looks good!!!
M68
Post Infection Items To Ponder
#21
Posted 06 May 2006 - 09:05 AM
#22
Posted 08 May 2006 - 05:03 PM
If you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.
If this is not your thread please start a New Topic.