
HJT Log File: Multiple Infections: Win32/Virumonde

After the new window appears select the View tab.

Use the Microsoft Malicious Software Removal Tool, Microsoft Security Essentials, Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your

Please let me know.

2) This question is in regards to the instructions for disabling BitDefender given in the thread "How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs." I realize I just recently disabled the computer's internet connection to avoid having viruses transmitted to other computers in my house on the same network.

If blocker had been active then you wouldn't have been able to create DDS logs at all.

Please visit this webpage for download links, and instructions for running ComboFix tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure

Posted October 16, 2009
Hi,
Download DDS and save it to your desktop from here or here or here. Disable any script blocker, and then double click dds.scr to run

Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked.

Unfortunately, it is no longer responding, so I can't get the log. Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:43:16 PM, on 8/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet

Once that loading bar reached complete/full, my BitDefender Internet Security 2010 window opened (this is the same window that would normally open when I double-click the BitDefender Icon in my system

I'll take a look at the firewall etc stuff you recommended tomorrow. While I am examining them, install either of these two antivirus applications. You should now click on the Remove Selected button to remove all the listed malware. The download is NOT in safe mode, the removal is.

Shut down still didn't work.

I also installed comodo firewall. Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:59:59 PM, on 8/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\Winnt\System32\smss.exe
C:\Winnt\system32\csrss.exe
C:\Winnt\system32\winlogon.exe
C:\Winnt\system32\services.exe
C:\Winnt\system32\lsass.exe
C:\Winnt\system32\svchost.exe
C:\Winnt\system32\LEXBCES.EXE
C:\Winnt\system32\spoolsv.exe
C:\Winnt\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Comodo\Personal

III) If the BitDefender Internet Security 2010 window opening is okay to have happen, should I close it before I click "Yes" at the disclaimer screen - or just leave it

As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program. On the Scanner tab,

For more information, see 'The risks of obtaining and using pirated software'.

Click on whatever will open the System Restore box. I'd like to be 100% certain that everything has been removed.

Presumably this is an anti-competitive measure, as the list of targeted URLs contains a number of popular search engines and domain names associated with ad-servers, for example:
yahoo.com
search.ebay.com
web.ask.com
banners.pennyweb.com
ads2.revenue.net
www2.yesadvertising.com
images.trafficmp.com

If there is some abnormality detected on your computer HijackThis will save them into a logfile.

Hopefully you can still answer this question though.

Safe Mode should not disable the keyboard.

In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle

Should I do a full scan this evening and post the results?
Thanks, Lee

Malwarebytes' Anti-Malware 1.25
Database version: 1088
Windows 5.1.2600 Service Pack 2
15:45:20 27/08/2008
mbam-log-08-27-2008 (15-45-20).txt
Scan type: Quick Scan
Objects scanned: 41546
Time elapsed: 3 minute(s),

There were 3 oembios files. Several functions may not work.

Presence of the following registry entries:

Presence of the mutex 'SysUpdIsRunningMutex'.

CCleaner and Defrag once a month is probably good enough. Now if you need to use it you have it.

Even for an advanced computer user.

Do a File, Exit and answer 'Yes' to save changes. A caution - Do not run Combofix more than once.

Your log looks clean.

When viewing task manager, it says my CPU is running at 100% constantly and every time it hits 100% a new instance of Rundll32.exe appears within the processes. I've updated it, run a quick scan, it found 8 infections (oembios was one of them) which I've now removed.

After that my computer tower made two loud beeps (my tower, not my speakers).

Get the latest computer updates for all your installed software.

Doing so can result in system changes which may not show in the log you already posted.

leeollie, Posted August 28, 2008
Very much appreciated, Jean.

It will ask for confirmation to delete the file.

First, I want you to know that I have fully read through the "instructions for running ComboFix tool" AND the thread on "How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware

If I need to disable script blocker and run the program again please let me know.

Thankfully the new keyboard worked. Here's the HijackThis report and below is the SDFix report. Now I need a firewall and antivirus.

Accept any disclaimers to start the fix.

The Windows firewall in XP and Vista is not sufficient. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least.

I have copied and pasted the DDS.txt below and attached the Attach.txt at the top of this post (as the DDS program instructed).
Thanks again,
Tony

DDS.txt
DDS (Ver_09-10-13.01) - NTFSx86 Run by Anthony at

Please do not use these instructions on another computer system.

I had to use someone else's keyboard as I couldn't even type the Y.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

4. For example:

In some variants, several data files are also created in the same location, using the same name but with the following file extensions (as opposed to