ARTEMIS & VUNDO VIRUS


MANDA

FOR THE PAST 2 DAYS I HAVE BEEN HAVING MANY POP UPS FROM AN ANTIVIRUS PRO THAT HAS BEEN DOWNLOADED TO MY COMPUTER SOMEHOW. MY MCAFEE KEEPS PICKING UP THE VIRUS: ARTEMIS, VUNDO, AND GENERIC.DX. I DON'T KNOW WHAT TO DO BECAUSE IT WILL NOT REMOVE THEM. MALWAREBYTES .EXE HAS BEEN DELETED AND I'M UNABLE TO DOWNLOAD IT AGAIN. I'M ALSO GETTING POP UPS ON THE INTERNET TO DIFFERENT PORN SITES AND THINGS LIKE THAT. HERE IS MY HIJACKTHIS LOG. PLEASE HELP ME!!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:07:39 AM, on 11/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\DOCUME~1\Amanda\LOCALS~1\Temp\_A00FD899B5.exe

C:\DOCUME~1\Amanda\LOCALS~1\Temp\ejq9vdp.exe

C:\DOCUME~1\Amanda\LOCALS~1\Temp\mdm.exe

C:\Documents and Settings\Amanda\Local Settings\Application Data\bmsggq\emunsysguard.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\McAfee\MSC\mcshell.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [kscdaglx] C:\Documents and Settings\Amanda\Local Settings\Application Data\bmsggq\emunsysguard.exe

O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"

O4 - HKLM\..\Run: [fovuzevevo] Rundll32.exe "gukehere.dll",s

O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0

O4 - HKLM\..\Run: [fawiyumoz] Rundll32.exe "c:\windows\system32\guyubaha.dll",a

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0

O4 - HKCU\..\Run: [A00FD899B5.exe] C:\DOCUME~1\Amanda\LOCALS~1\Temp\_A00FD899B5.exe

O4 - HKCU\..\Run: [backUp Windows 2009] C:\DOCUME~1\Amanda\LOCALS~1\Temp\ejq9vdp.exe

O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\Amanda\LOCALS~1\Temp\mdm.exe

O4 - HKCU\..\Run: [kscdaglx] C:\Documents and Settings\Amanda\Local Settings\Application Data\bmsggq\emunsysguard.exe

O4 - HKCU\..\Run: [fontatmgfx] rundll32.exe "C:\Documents and Settings\Amanda\Local Settings\Application Data\fontatmgfx\fontatmgfx.dll", DllInit

O4 - S-1-5-18 Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'SYSTEM')

O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')

O4 - S-1-5-18 Startup: scandisk.dll (User 'SYSTEM')

O4 - .DEFAULT Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'Default user')

O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')

O4 - .DEFAULT Startup: scandisk.dll (User 'Default user')

O4 - Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O4 - Startup: scandisk.dll

O4 - Global Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab

O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E31D0C89-560C-40C7-8212-462ED91CF1ED}: NameServer = 77.74.48.113

O18 - Filter hijack: text/html - {6d9b3587-f751-4785-b21b-adb3418eedd5} - C:\WINDOWS\batmeter16.dll

O20 - AppInit_DLLs: c:\windows\system32\guyubaha.dll,jiyazami.dll

O20 - Winlogon Notify: __c003F1D - C:\WINDOWS\system32\__c003F1D.dat (file missing)

O20 - Winlogon Notify: __c0098C4 - C:\WINDOWS\system32\__c0098C4.dat (file missing)

O20 - Winlogon Notify: __c00A3FDB - C:\WINDOWS\system32\__c00A3FDB.dat (file missing)

O20 - Winlogon Notify: __c00CC4E9 - C:\WINDOWS\system32\__c00CC4E9.dat (file missing)

O21 - SSODL: gidumutuh - {6d8c948b-4f91-4b96-a369-21c93d315cd9} - c:\windows\system32\guyubaha.dll

O22 - SharedTaskScheduler: kjaf83hfriunf3sf9sfinoi\sufh\87sefhuhdd - {A45A4B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\mkw4se9xn4.dll (file missing)

O22 - SharedTaskScheduler: gahurihor - {6d8c948b-4f91-4b96-a369-21c93d315cd9} - c:\windows\system32\guyubaha.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 9637 bytes


  • Root Admin

Please stop posting with ALL CAPITAL LETTERS as that is considered rude and is difficult to read.

STEP 01

With all other applications closed (Taskbar empty), open HijackThis again and run "Do a system scan only", then place a check mark on the following items.


  • O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
  • O4 - HKLM\..\Run: [kscdaglx] C:\Documents and Settings\Amanda\Local Settings\Application Data\bmsggq\emunsysguard.exe
  • O4 - HKLM\..\Run: [fovuzevevo] Rundll32.exe "gukehere.dll",s
  • O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
  • O4 - HKLM\..\Run: [fawiyumoz] Rundll32.exe "c:\windows\system32\guyubaha.dll",a
  • O4 - HKCU\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\config\SYSTEM~1\ntuser.dll,_IWMPEvents@0
  • O4 - HKCU\..\Run: [A00FD899B5.exe] C:\DOCUME~1\Amanda\LOCALS~1\Temp\_A00FD899B5.exe
  • O4 - HKCU\..\Run: [backUp Windows 2009] C:\DOCUME~1\Amanda\LOCALS~1\Temp\ejq9vdp.exe
  • O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\Amanda\LOCALS~1\Temp\mdm.exe
  • O4 - HKCU\..\Run: [kscdaglx] C:\Documents and Settings\Amanda\Local Settings\Application Data\bmsggq\emunsysguard.exe
  • O4 - HKCU\..\Run: [fontatmgfx] rundll32.exe "C:\Documents and Settings\Amanda\Local Settings\Application Data\fontatmgfx\fontatmgfx.dll", DllInit
  • O4 - S-1-5-18 Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'SYSTEM')
  • O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
  • O4 - S-1-5-18 Startup: scandisk.dll (User 'SYSTEM')
  • O4 - .DEFAULT Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'Default user')
  • O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
  • O4 - .DEFAULT Startup: scandisk.dll (User 'Default user')
  • O4 - Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
  • O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
  • O4 - Startup: scandisk.dll
  • O4 - Global Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe
  • O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
  • O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
  • O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
  • O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{E31D0C89-560C-40C7-8212-462ED91CF1ED}: NameServer = 77.74.48.113
  • O18 - Filter hijack: text/html - {6d9b3587-f751-4785-b21b-adb3418eedd5} - C:\WINDOWS\batmeter16.dll
  • O20 - AppInit_DLLs: c:\windows\system32\guyubaha.dll,jiyazami.dll
  • O20 - Winlogon Notify: __c003F1D - C:\WINDOWS\system32\__c003F1D.dat (file missing)
  • O20 - Winlogon Notify: __c0098C4 - C:\WINDOWS\system32\__c0098C4.dat (file missing)
  • O20 - Winlogon Notify: __c00A3FDB - C:\WINDOWS\system32\__c00A3FDB.dat (file missing)
  • O20 - Winlogon Notify: __c00CC4E9 - C:\WINDOWS\system32\__c00CC4E9.dat (file missing)
  • O21 - SSODL: gidumutuh - {6d8c948b-4f91-4b96-a369-21c93d315cd9} - c:\windows\system32\guyubaha.dll
  • O22 - SharedTaskScheduler: kjaf83hfriunf3sf9sfinoi\sufh\87sefhuhdd - {A45A4B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\mkw4se9xn4.dll (file missing)
  • O22 - SharedTaskScheduler: gahurihor - {6d8c948b-4f91-4b96-a369-21c93d315cd9} - c:\windows\system32\guyubaha.dll

Then quit all browsers, including the one you're reading this in now.

Then click on "Fix checked" and then quit HJT.

STEP 02

Restart The Computer

STEP 03

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:
    [screenshot: CF_download_FF.gif]
    [screenshot: CF_download_rename.gif]
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because in some cases malware blocks EVERY process except those on its own whitelist, and that whitelist includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...
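As an added defender's aid, not part of the thread or of HijackThis: a small Python triage script that applies the same checks the Root Admin applied by eye above (autostarts running from Temp or Local Settings\Application Data, rundll32 loading a DLL at logon, the DisableRegedit policy, a static NameServer, AppInit_DLLs, and orphaned Winlogon Notify entries) to lines in HijackThis format. The sample lines are constructed from the entry types in this thread, and the rules are my own heuristics, so every hit is a "look closer", not a verdict.

```python
import ipaddress
import re

# Constructed sample in HijackThis format, modelled on entry types checked above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [backUp Windows 2009] C:\DOCUME~1\Amanda\LOCALS~1\Temp\ejq9vdp.exe
O4 - HKLM\..\Run: [fovuzevevo] Rundll32.exe "gukehere.dll",s
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E31D0C89-560C-40C7-8212-462ED91CF1ED}: NameServer = 77.74.48.113
O20 - AppInit_DLLs: c:\windows\system32\guyubaha.dll,jiyazami.dll
O20 - Winlogon Notify: __c003F1D - C:\WINDOWS\system32\__c003F1D.dat (file missing)
"""

# Heuristics (mine, not HijackThis's): per-user Temp and Local Settings\Application
# Data are writable without admin rights; rundll32 runs code from a DLL export.
USER_WRITABLE = re.compile(r"\\Temp\\|\\Local Settings\\Application Data\\", re.I)
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)

def classify(section, rest):
    """Return a reason string if an HJT entry deserves review, else None."""
    if section == "O4":
        cmd = rest.split("]", 1)[-1].strip()           # command after [name]
        if USER_WRITABLE.search(cmd):
            return "autostart runs from a user-writable profile directory"
        r = RUNDLL.match(cmd)
        if r and "\\" not in r.group(1):
            return f"rundll32 loads '{r.group(1)}' by bare name via the search path"
        if r:
            return f"rundll32 calls export {r.group(2)} in {r.group(1)}: verify the DLL"
    elif section == "O7" and re.search(r"DisableRegedit\s*=\s*1", rest, re.I):
        return "registry editor disabled by policy"
    elif section == "O17":
        m = re.search(r"NameServer\s*=\s*(\d+(?:\.\d+){3})", rest)
        if m and not ipaddress.ip_address(m.group(1)).is_private:
            return f"static DNS server {m.group(1)} set: confirm it belongs to your ISP"
    elif section == "O20":
        low = rest.lower()
        if low.startswith("appinit_dlls:") and rest.split(":", 1)[1].strip():
            return "AppInit_DLLs set: these DLLs load into every process using user32.dll"
        if low.startswith("winlogon notify:") and "(file missing)" in low:
            return "orphaned Winlogon Notify package: registered DLL is gone from disk"
    return None

def triage(log_text):
    # Returns [(section, reason, line)] for each HJT line that trips a rule.
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+) - (.*)$", line)
        if m:
            reason = classify(*m.groups())
            if reason:
                hits.append((m.group(1), reason, line))
    return hits
```

Run `triage()` over a saved HijackThis log and the benign iTunesHelper-style entries drop out while the seven suspicious entry types are listed with a reason each.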


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

