goombawaho
MIS
OK. Let me say that I don't have and can't get a HijackThis log for this computer (already formatted). I've seen this one quite a few times, and I can never get rid of it with VundoFix or VirtumondeBeGone.
Here's what I have to confirm it's Virtumonde that's bothering this computer. Any advice as to the best product or method to get rid of this thing? Multiple computers I've serviced have had this one, and I've never been able to cure it yet using Spybot, AutoRuns, Process Explorer, McAfee, or the two products listed above.
Spybot Results:
Virtumonde: [SBI $47E741CD] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\PE_C_SOFTWARE\Microsoft\aoprndtws
Smitfraud-C.CoreService: [SBI $9C656B9A] Data (File, nothing done)
C:\WINDOWS\system32\\drivers\core.cache.dsk
Virtumonde.dll: [SBI $A65264B2] Library (File, nothing done)
C:\WINDOWS\system32\\efcBSiGv.dll
Virtumonde.dll: [SBI $960C7A04] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\PE_C_SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B82AE142-99E4-4BDB-B57E-794673B4C5D2}
Virtumonde.dll: [SBI $960C7A04] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\PE_C_SOFTWARE\Classes\CLSID\{B82AE142-99E4-4BDB-B57E-794673B4C5D2}
McAfee command line virus scanner from BartPE boot disk:
C:\Documents and Settings\owner\Local Settings\Temp\snapsnet.exe ... Found the Generic MultiDropper.d trojan !!!
The file has been deleted.
C:\Program Files\winvi\wupda.exe ... Found the Generic Dialer trojan !!!
The file has been deleted.
C:\WINDOWS\system32\bkEur01\bkEur011065.exe ... Found the Generic Downloader.s trojan !!!
The file has been deleted.
Autoruns output showing the registry entries that keep coming back:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
mlJdcDsT c:\windows\system32\mljdcdst.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{8857EB64-A466-40B0-BD47-344DE08597D3} c:\windows\system32\tuvundus.dll
{F9DF827A-8FA7-48A3-B268-CA4DB563EA40} c:\windows\system32\mljdcdst.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
mljdcdst.dll c:\windows\system32\mljdcdst.dll
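As an added example (not code from goombawaho's post), the following Python script parses Autoruns-style entries like the block above and flags any DLL that is registered in more than one of the autostart locations this infection uses (Winlogon\Notify, Browser Helper Objects, ShellExecuteHooks). The sample input is constructed from the entries quoted in the post, and the watched-location list is an assumption drawn from what the post shows.

```python
import re
from collections import defaultdict

# Constructed sample: the Autoruns entries quoted in the post above.
AUTORUNS_OUTPUT = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
mlJdcDsT c:\windows\system32\mljdcdst.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
{8857EB64-A466-40B0-BD47-344DE08597D3} c:\windows\system32\tuvundus.dll
{F9DF827A-8FA7-48A3-B268-CA4DB563EA40} c:\windows\system32\mljdcdst.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
mljdcdst.dll c:\windows\system32\mljdcdst.dll
"""

# Assumed list of autostart locations to watch (lower-cased key suffixes),
# taken from the locations that appear in the post.
WATCHED_LOCATIONS = (
    r"winlogon\notify",
    r"explorer\browser helper objects",
    r"explorer\shellexecutehooks",
)

def parse_autoruns(text):
    """Return {image_path: set(location_keys)} from Autoruns-style text.

    A line starting with HKLM\ or HKCU\ is a location header; each following
    '<name or CLSID> <image path>' line belongs to that location.
    """
    entries = defaultdict(set)
    location = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^(HKLM|HKCU)\\", line, re.IGNORECASE):
            location = line.lower()
            continue
        parts = line.split(None, 1)
        if location is None or len(parts) != 2:
            continue
        entries[parts[1].strip().lower()].add(location)
    return entries

def suspicious_dlls(entries):
    """Image paths hooked into two or more watched locations at once."""
    hits = {}
    for dll, locs in entries.items():
        watched = {l for l in locs if any(l.endswith(w) for w in WATCHED_LOCATIONS)}
        if len(watched) >= 2:
            hits[dll] = sorted(watched)
    return hits
```

Running `suspicious_dlls(parse_autoruns(AUTORUNS_OUTPUT))` on the sample singles out mljdcdst.dll (three locations) while tuvundus.dll, seen only as a BHO, is left for manual review; the same parser can be pointed at a saved Autoruns text export from a suspect machine.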