Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93105 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Svchost Using Lots Of Cpu


  • This topic is locked This topic is locked
8 replies to this topic

#1 Leeg10

Leeg10

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 09 May 2007 - 01:59 PM

Hi,
my machine is running lsow and when I check Taks Manager I see the SVCHOST file is using up to 99% of my CPU. I read about this being a pretty common virus but I can't find any definitive cure. I'm running Trend Micro PC Cillin and is often finds deletes .dll files saying they are infected. I've Adaware and Spybot and the machine rus fine for a short while after using them but once I reboot, it happens again.
There is obviously something which is reinventing itself but I cannot find it at all! I have switched of system restore to make sure it can't imbed itself in there, I can only imagine is written itself in to the regitry but I have no idea where, please see log below.
Thanks

Logfile of HijackThis v1.99.1
Scan saved at 20:58:59, on 09/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AS00_WN311B] C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe -hide
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSconfig] ssms.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\yabxwkuc.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Adult Messenger.lnk = C:\Program Files\Exo Adult\ExoAdult.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxuk101AXGB
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147035527953
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalci...m/video/kdx.cab
O16 - DPF: {D84C4D49-A63A-4432-B319-718ECA705773} - https://securera.edw...=5400,0,41115,1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: SVCLOAD - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe
O23 - Service: SVCMGR - Unknown owner - c:\windows\system32\dllcache\sys32\winlogon.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 09 May 2007 - 04:11 PM

Hello and Welcome to the forum.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Open the HijackThis Folder. Find the file HijackThis.exe, Right Click on the file and Select Rename. Rename Hijackthis.exe to Spyware.exe.

Post a new HijackThis Log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 Leeg10

Leeg10

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 13 May 2007 - 09:31 AM

Hi, I followed the steps you mentioned and have pasted my latest Hijackthis log below.

Since my first post I have noticed more things going on, on my machine.
winlogon.exe is fluctuating between 00% and 54% so it seems it has affected this as well as my svchost.exe file
My Trend Micro PC Cillin Internet Security comes up with 10 pages all the same saying...
Infected File: C:\WINDOWS\system32\wvutqrp.dll
Virus name: TROJ VUNDO.ATT Scan result: Unable to clean or delete the infected file

I also have Microsoft Windows Defender, this comes up with a warning saying Adware:Win32/Virtumode.gen, Alert level: Severe. The path of this file is C:\WINDOWS\SYSTEM32\MLJGD.DLL I am unable to remove this as when I try deleting the file it says it is in use even if I'm not running anything.

My machine is currently unusable, I only switch it on to try to sort this problem out, at the moment I am using someone elses laptop to get to this site.
Your assistance in removing this carp** from my machine would be hugely appreciated.

Thanks in advance

Lee

Logfile of HijackThis v1.99.1
Scan saved at 16:04:04, on 13/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\Spyware.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\wvutqro.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A4C7A32C-5585-45E2-9908-35734F2150F9} - C:\WINDOWS\system32\mljgd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\ycfhexqi.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AS00_WN311B] C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe -hide
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSconfig] ssms.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\ncivkfec.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxuk101AXGB
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147035527953
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalci...m/video/kdx.cab
O16 - DPF: {D84C4D49-A63A-4432-B319-718ECA705773} - https://securera.edw...=5400,0,41115,1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mljgd - C:\WINDOWS\system32\mljgd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvutqro - C:\WINDOWS\SYSTEM32\wvutqro.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 13 May 2007 - 03:26 PM

* Download VirtumundoBegone, place it on your desktop.

Doubleclick VirtumundoBeGone.exe to start the tool.
Follow the instructions on the screen.
Don't worry if you'll get a Blue screen with an error in it - this is normal.
After reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\wvutqro.dll
O2 - BHO: (no name) - {A4C7A32C-5585-45E2-9908-35734F2150F9} - C:\WINDOWS\system32\mljgd.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\ycfhexqi.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSconfig] ssms.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\ncivkfec.dll",realset
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxuk101AXGB
O20 - Winlogon Notify: mljgd - C:\WINDOWS\system32\mljgd.dll
O20 - Winlogon Notify: wvutqro - C:\WINDOWS\SYSTEM32\wvutqro.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete these files if listed:
C:\WINDOWS\system32\wvutqro.dll
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\ycfhexqi.dll
C:\WINDOWS\system32\ncivkfec.dll


Empty Recycle Bin

Reboot

Post the contents of the log VBG.TXT which present on your desktop together with a new HijackThis log in your next reply.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 Leeg10

Leeg10

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 14 May 2007 - 02:52 PM

Ok, followed the steps you mentioned, the machine is considerably faster now.
My latest log is below for VBG and my Hijackthis log.

VBG LOG

[05/14/2007, 21:27:45] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Lee\Desktop\VirtumundoBeGone.exe" )
[05/14/2007, 21:27:53] - Detected System Information:
[05/14/2007, 21:27:53] - Windows Version: 5.1.2600, Service Pack 2
[05/14/2007, 21:27:53] - Current Username: Lee (Admin)
[05/14/2007, 21:27:53] - Windows is in NORMAL mode.
[05/14/2007, 21:27:53] - Searching for Browser Helper Objects:
[05/14/2007, 21:27:53] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/14/2007, 21:27:53] - BHO 2: {182B90A3-F372-438A-800C-6814B4DE417B} ()
[05/14/2007, 21:27:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/14/2007, 21:27:53] - Checking for HKLM\...\Winlogon\Notify\wvutqro
[05/14/2007, 21:27:53] - Found: HKLM\...\Winlogon\Notify\wvutqro - This is probably Virtumundo.
[05/14/2007, 21:27:53] - Assigning {182B90A3-F372-438A-800C-6814B4DE417B} MSEvents Object
[05/14/2007, 21:27:53] - BHO list has been changed! Starting over...
[05/14/2007, 21:27:53] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/14/2007, 21:27:53] - BHO 2: {182B90A3-F372-438A-800C-6814B4DE417B} (MSEvents Object)
[05/14/2007, 21:27:53] - ALERT: Found MSEvents Object!
[05/14/2007, 21:27:53] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/14/2007, 21:27:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/14/2007, 21:27:53] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/14/2007, 21:27:53] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/14/2007, 21:27:53] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/14/2007, 21:27:53] - BHO 5: {9394EDE7-C8B5-483E-8773-474BF36AF6E4} (ST)
[05/14/2007, 21:27:53] - BHO 6: {A4C7A32C-5585-45E2-9908-35734F2150F9} ()
[05/14/2007, 21:27:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/14/2007, 21:27:53] - Checking for HKLM\...\Winlogon\Notify\mljgd
[05/14/2007, 21:27:53] - Key not found: HKLM\...\Winlogon\Notify\mljgd, continuing.
[05/14/2007, 21:27:53] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/14/2007, 21:27:53] - BHO 8: {D651AFF4-9590-424d-BD1E-8E33E090DFB3} ()
[05/14/2007, 21:27:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/14/2007, 21:27:53] - Checking for HKLM\...\Winlogon\Notify\ycfhexqi
[05/14/2007, 21:27:53] - Key not found: HKLM\...\Winlogon\Notify\ycfhexqi, continuing.
[05/14/2007, 21:27:53] - Finished Searching Browser Helper Objects
[05/14/2007, 21:27:53] - *** Detected MSEvents Object
[05/14/2007, 21:27:53] - Trying to remove MSEvents Object...
[05/14/2007, 21:27:54] - Terminating Process: IEXPLORE.EXE
[05/14/2007, 21:28:00] - Terminating Process: RUNDLL32.EXE
[05/14/2007, 21:28:05] - Disabling Automatic Shell Restart
[05/14/2007, 21:28:05] - Terminating Process: EXPLORER.EXE
[05/14/2007, 21:28:07] - Suspending the NT Session Manager System Service
[05/14/2007, 21:28:13] - Terminating Windows NT Logon/Logoff Manager
[05/14/2007, 21:28:22] - Re-enabling Automatic Shell Restart
[05/14/2007, 21:28:22] - File to disable: C:\WINDOWS\system32\wvutqro.dll
[05/14/2007, 21:28:22] - Renaming C:\WINDOWS\system32\wvutqro.dll -> C:\WINDOWS\system32\wvutqro.dll.vir
[05/14/2007, 21:28:22] - File successfully renamed!
[05/14/2007, 21:28:22] - Removing HKLM\...\Browser Helper Objects\{182B90A3-F372-438A-800C-6814B4DE417B}
[05/14/2007, 21:28:22] - Removing HKCR\CLSID\{182B90A3-F372-438A-800C-6814B4DE417B}
[05/14/2007, 21:28:22] - Adding Kill Bit for ActiveX for GUID: {182B90A3-F372-438A-800C-6814B4DE417B}
[05/14/2007, 21:28:22] - Deleting ATLEvents/MSEvents Registry entries
[05/14/2007, 21:28:22] - Removing HKLM\...\Winlogon\Notify\wvutqro
[05/14/2007, 21:28:22] - Searching for Browser Helper Objects:
[05/14/2007, 21:28:22] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/14/2007, 21:28:22] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[05/14/2007, 21:28:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/14/2007, 21:28:22] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[05/14/2007, 21:28:22] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[05/14/2007, 21:28:22] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/14/2007, 21:28:22] - BHO 4: {9394EDE7-C8B5-483E-8773-474BF36AF6E4} (ST)
[05/14/2007, 21:28:22] - BHO 5: {A4C7A32C-5585-45E2-9908-35734F2150F9} ()
[05/14/2007, 21:28:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/14/2007, 21:28:22] - Checking for HKLM\...\Winlogon\Notify\mljgd
[05/14/2007, 21:28:22] - Key not found: HKLM\...\Winlogon\Notify\mljgd, continuing.
[05/14/2007, 21:28:22] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/14/2007, 21:28:22] - BHO 7: {D651AFF4-9590-424d-BD1E-8E33E090DFB3} ()
[05/14/2007, 21:28:22] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/14/2007, 21:28:22] - Checking for HKLM\...\Winlogon\Notify\ycfhexqi
[05/14/2007, 21:28:22] - Key not found: HKLM\...\Winlogon\Notify\ycfhexqi, continuing.
[05/14/2007, 21:28:22] - Finished Searching Browser Helper Objects
[05/14/2007, 21:28:22] - Finishing up...
[05/14/2007, 21:28:22] - A restart is needed.
[05/14/2007, 21:28:45] - Attempting to Restart via STOP error (Blue Screen!)

Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 21:46:04, on 14/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\Spyware.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AS00_WN311B] C:\Program Files\NETGEAR\WN311B\Utility\WN311B.exe -hide
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147035527953
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - http://cdn.digitalci...m/video/kdx.cab
O16 - DPF: {D84C4D49-A63A-4432-B319-718ECA705773} - https://securera.edw...=5400,0,41115,1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 14 May 2007 - 02:56 PM

You can remove any programs I had you install. Use Add/Remove Programs to remove if listed there otherwise just delete them and empty recycle bin.

Log looks good :D


You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.



If you dont have any programs like these, I would recommend that you get them.
Spywareblaster,
Spywareguard.


Also get a FREE FIREWALL and FREE ANTI VIRUS if you need one.

Only run one Anti-Virus and Firewall program.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Do not use Ad-aware if you have McAfee's VirusScan and AntiSpyware


Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 Leeg10

Leeg10

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 15 May 2007 - 01:58 PM

Brilliant, you're a genius! Thanks so much mate, machine is working perfectly. I have Trend Micro Pc-Cillin as my internet security, Ad-aware, Spybot and Microsoft Windows Defender, I think the virus got through as I relaxed my firewall for a few days a couple of weeks back, I won't be doing that again! I notice you're from Missouri, I'm from the UK abd work for a company called Edward Jones who are based in St Louis but I work in the London office. I was just in St Louis a couple of weeks ago and will be back in September/October, I owe you some beers!! All the best mate Thanks again.

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 15 May 2007 - 06:34 PM

Edward Jones is a major St. Louis company. I hope you enjoyed your stay here :wavey: Great job :thumbup: You're more then welcome. Glad we were able to help Peace be with you :wavey:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 15 May 2007 - 06:35 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users