Infected by Virtumundu & Other viruses

[Tejas]

Hi Friends,

Yesterday while browsing some site, suddenly i got a pop up message by spyware terminater which unknowingly i clicked as allow & then suddenly there were numerous pop ups but which i blocked as i found the names to be unknown, latter on it was (spyware terminator) was continuously showing as blocked c\windows/system32/bubefiya along with some other names in the ecd such as NEVOREFA & also the CPU usages shown is nearly 60% & above. I tried with the avast antivirus 7.5 version that i use, but was unable to detect & remove the infection.I am posting below the LOG file of Hijackthis for your review

Can you expert guys pls help me resolve this problem asap

Thanks in advance

Tejas.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:14:48 AM, on 1/18/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe

C:\WINDOWS\mHotkey.exe

C:\WINDOWS\CNYHKey.exe

C:\WINDOWS\StopHid.exe

C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\SPYWAR~1\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\TUProgSt.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Sify Broadband\BBClient.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Sify Broadband\BBImpSec.exe

C:\WINDOWS\system32\rundll32.exe

C:\Documents and Settings\Administrator\Desktop\Hijack This\HijackThis.exe

C:\Documents and Settings\Administrator\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O1 - Hosts: 203.27.235.25 www.payseal.icicibank.com

O1 - Hosts: 210.210.19.82 www.sifymall.com

O2 - BHO: (no name) - {08fc338b-a456-4705-83af-ee9c2e68af9e} - C:\WINDOWS\system32\potibubi.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [spywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [CNYHKey] CNYHKey.exe

O4 - HKLM\..\Run: [stopHid] StopHid.exe

O4 - HKLM\..\Run: [CreativeMouse ] C:\Program Files\Creative\Desktop Wireless\mouse_2k.exe

O4 - HKLM\..\Run: [jiwalizatu] Rundll32.exe "C:\WINDOWS\system32\wepanibe.dll",s

O4 - HKLM\..\Run: [CPM53526076] Rundll32.exe "c:\windows\system32\nevorefa.dll",a

O4 - HKCU\..\Run: [sifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [jiwalizatu] Rundll32.exe "C:\WINDOWS\system32\wepanibe.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{54D94671-C0B5-40D2-970E-E1795ADC0B65}: NameServer = 202.144.115.4,202.144.66.6

O17 - HKLM\System\CCS\Services\Tcpip\..\{D15589FE-A2CD-40AC-9E23-4625AD90B6FA}: NameServer = 202.144.115.4,202.144.66.6

O20 - AppInit_DLLs: C:\WINDOWS\system32\bubefiya.dll c:\windows\system32\nevorefa.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nevorefa.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nevorefa.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe

O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 6160 bytes

[AdvancedSetup]

Hello and Welcome to Malwarebytes.org

Please read and follow the instructions provided here: I'm infected - What do I do now?

Someone will be happy to assist you further with cleaning your system if required

During this scan and cleanup process you should not install any other software unless requested to do so.

Please don't post logs here in the General forum, thanks.