Major Popups Lately

Not 100% on topic but make sure you update your Flash as there is a new 0day exploit and I see you visit Facebook (which I'm sure would be in the top 10 for sites to be exploited). Oh and you had something flash running in your hijack this log. :)
 
Never heard of a 0day exploit before, I will see if I can update my flash.

*EDIT

I have the latest version, so should be fine, otherwise can't do much.
 
O2 - BHO: (no name) - {129FA2A1-408C-4824-83A4-5001581FD01E} - C:\Windows\system32\geBUOIXr.dll
O2 - BHO: (no name) - {6714DE85-4886-460F-9539-79A999BF7E5C} - C:\Windows\system32\rqRLfcyw.dll (file missing)
...

O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\geBUOIXr.dll,#1
O4 - HKLM\..\Run: [a6472761] rundll32.exe "C:\Windows\system32\rphklrrm.dll",b
O4 - HKLM\..\Run: [BMa57414fd] Rundll32.exe "C:\Windows\system32\xmuswwaq.dll",s
...


Those are most likely what's causing the problems. I'd suggest getting rid of them.
Looks like a nice little trojan installed atm.
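The triage done by eye in the post above, written out as an added example (not part of the original thread, and not HijackThis code). The three signals it checks are assumptions chosen to match what the quoted lines show: a BHO with no name, a BHO whose file is missing, and a Run entry that loads a system32 DLL through rundll32 by ordinal or one-letter export. The `ExampleTray` line is constructed for contrast.

```python
import re

# Log lines quoted in the thread, plus one constructed benign entry (ExampleTray).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {129FA2A1-408C-4824-83A4-5001581FD01E} - C:\Windows\system32\geBUOIXr.dll
O2 - BHO: (no name) - {6714DE85-4886-460F-9539-79A999BF7E5C} - C:\Windows\system32\rqRLfcyw.dll (file missing)
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\geBUOIXr.dll,#1
O4 - HKLM\..\Run: [a6472761] rundll32.exe "C:\Windows\system32\rphklrrm.dll",b
O4 - HKLM\..\Run: [BMa57414fd] Rundll32.exe "C:\Windows\system32\xmuswwaq.dll",s
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /startup
"""

BHO = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - '
                 r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
RUN = re.compile(r'^O4 - (?P<key>\S+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$')
RUNDLL = re.compile(r'(?i)^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)$')


def triage(log_text):
    """Return {dll_path_lowercase: set of reasons} for entries worth a closer look."""
    findings = {}

    def flag(path, reason):
        findings.setdefault(path.lower(), set()).add(reason)

    for line in log_text.splitlines():
        line = line.strip()
        m = BHO.match(line)
        if m:
            if m["name"] == "(no name)":
                flag(m["path"], "BHO without a name")
            if m["missing"]:
                flag(m["path"], "BHO registered but file missing")
            continue
        m = RUN.match(line)
        if m:
            r = RUNDLL.match(m["cmd"])
            # Only rundll32 autoruns that point at a DLL under system32 are flagged.
            if r and "\\system32\\" in r["dll"].lower():
                flag(r["dll"], "autorun loads system32 DLL via rundll32")
                if r["export"].startswith("#") or len(r["export"]) == 1:
                    flag(r["dll"], "ordinal or one-letter export")
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(path, "->", "; ".join(sorted(reasons)))
```

A DLL that shows up under both O2 and O4, as `geBUOIXr.dll` does here, collects reasons from both entries, which is what makes it stand out; flagged paths are leads for a scanner or manual check, not a verdict.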
 
I was just about to say that after removing those things from Spybot and Nod32 I am still having the issue. So I ran Hijackthis again and removed those items unknownsoul, and while removing them it asked me to close Firefox so that is a good sign.

I will see if it continues.

*EDIT Sorry, I just got this thing, that popped up and minimized my browser. Also right when that happened NOD32 picked this up, which has been there before and I have removed, so it came back?
 
also, go to this site.

housecall.trendmicro.com

it'll scan your computer from the internet, and picks up stuff the others won't. Once you find out what trojan you have, go to norton and download the individual removal tool.

Hope that helps!
 
I have not tried anything under Safemode yet, after changing my ram and loading windows NOD32 found 2 more things, so obviously there is something really wrong when there shouldn't be. I take care lol.

I will be running those things under Safemode now.
 
Ran Spybot and Hijackthis from Safe Mode.

Removed all the files stated above and related ones from Hijackthis, though each time I do it seems that my cookies and passwords and all that are reset, have to reenter them.

Spybot found a bunch more, along with Virtumonde and Virtumonde.dll once again. Removed them all, and just for the hell of it I wanted to see, I ran it again right away after and guess what, Virtumonde.dll was still there.

Why and how is it coming back?
 
Delete your restore files and turn off pagefile before cleaning the stuff out. Windows supports malware squirrelling away backups in both places.

Though I thought VISTA was better than that. You are running VISTA right?

As for how it got in there, shrug. An email, thumb drive, mp3, video, anything can be a carrier these days. Even commercial distros have been infected, including clean, off the shelf thumb drives have been found with factory installed virii.

I'm amazed I don't get more than I do get. Fingers crossed for jinxing myself.
 
yes system restore is a pain in the arse in these cases, glad I don't run it :)
 
I don't understand how I got it, I keep better care and take measures that most people shouldn't even have to or do. There has not been any new keys or cd's or anything that I added, so it is weird.

I am running Vista, I followed one of those links and downloaded the ComboFix tool, ran it and restarted and so far it seems to be good (hoping I didn't jinx it). If it does continue then I will try to clear my restore files and all that good stuff lol
 
Quite possible I guess, just not likely.

Anyways, so far so good. Back to way it should be.
 
seeing as tens of thousands have been hit by hacks and a lot more have been getting hit by an sql injection exploit you can't rule anything out
 
Running Spybot again within normal Windows...

Found Virtumonde once again, I don't understand, isn't Spybot and NOD32 and all these programs made to get rid of this crap?

Tried doing the manual remove of the files and dll and registry stuff, though I can't find any of them. WTF!!!!!!!!!!!

*also, tried downloading the vudofix whatnot program, it can't find anything infected, this is pissing me off.
 
disable system restore, and set windows to show hidden folders and hidden system files, by turning off system restore it should delete all files from its folder and by turning on show hidden folders and system files it should allow all programs to see files the trojan may have hidden
 
I'll tell you one solution that makes things much easier.

I dual-boot almost all my own computers. On the older ones I have two XP installations; on my newer one I have one Vista and one XP. Normally when something like that happens where the antivirus can't get rid of something when running that Windows installation, a reboot into the other Windows and scanning from there will take care of it. Of course, I shut down Windows therefore turn the computer off before booting into the other installation.

I know you probably don't have this option, just thought I'd mention it for the future.

Also, the times when I've had to run Acronis True Image to restore a Windows partition, it restores faster from another Windows partition than by booting the Linux version from the Acronis Secure Zone or the emergency CD. It's also faster than booting BartPE although I do that when absolutely necessary. That's largely due to my older computer's VIA 8237-based SATA RAID, and apparently Linux support for it. From the Linux version, it would take 30+ minutes. From Windows it takes 10 minutes. I don't have this problem with nVidia nForce chips RAID. Acronis True Image doesn't support my ATI RAID though.

Sorry for getting off topic. :)
 
stick xp disc in - choose recovery mode, cd c:\windows\system32 - del bleh.dll or bleh.exe, that's one sure fire way to remove files, under x64 (xp or vista) you will have to go to syswow64, but normally if you disable system restore and run spybot and hijackthis from safe mode it should remove most things, also clean any and all temp files/folders - including IE hidden temp internet folders, even if you don't use IE, has on the systems I have had to clean up :)
 