PC Help Forum » Security & Safety » [Fixed] Hijackthis! Logs » I have a popup virus. Please help
  #1  
Old 01-17-2008
Bronze Member
 
Join Date: Jan 2008
Posts: 4
PC Experience: Some Experience
dholstine
I have a popup virus. Please help

Here is my log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:33 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\TEMP\DA5601.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\windows
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by COE
F3 - REG:win.ini: load=C:\WINDOWS\system32\byvuv.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [02e224b4] rundll32.exe "C:\WINDOWS\system32\fftuaiaf.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-527237240-1708537768-682003330-202960\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-527237240-1708537768-682003330-325593\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-527237240-1708537768-682003330-3859\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe (User '?')
O4 - HKUS\S-1-5-21-527237240-1708537768-682003330-42617\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-527237240-1708537768-682003330-43151\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-527237240-1708537768-682003330-5117\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-527237240-1708537768-682003330-6053\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - S-1-5-21-527237240-1708537768-682003330-12582 Startup: iam_verify.lnk = C:\WINDOWS\system32\iam_verify.exe (User '?')
O4 - S-1-5-21-527237240-1708537768-682003330-155857 Startup: iam_verify.lnk = C:\WINDOWS\system32\iam_verify.exe (User '?')
O4 - S-1-5-21-527237240-1708537768-682003330-202960 Startup: iam_verify.lnk = C:\WINDOWS\system32\iam_verify.exe (User '?')
O4 - S-1-5-21-527237240-1708537768-682003330-325593 Startup: iam_verify.lnk = C:\WINDOWS\system32\iam_verify.exe (User '?')
O4 - S-1-5-21-527237240-1708537768-682003330-3859 Startup: iam_verify.lnk = C:\WINDOWS\system32\iam_verify.exe (User '?')
O4 - S-1-5-21-527237240-1708537768-682003330-42617 Startup: iam_verify.lnk = C:\WINDOWS\system32\iam_verify.exe (User '?')
O4 - S-1-5-21-527237240-1708537768-682003330-43151 Startup: iam_verify.lnk = C:\WINDOWS\system32\iam_verify.exe (User '?')
O4 - S-1-5-21-527237240-1708537768-682003330-5117 Startup: iam_verify.lnk = C:\WINDOWS\system32\iam_verify.exe (User '?')
O4 - S-1-5-21-527237240-1708537768-682003330-6053 Startup: iam_verify.lnk = C:\WINDOWS\system32\iam_verify.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\AdobeReader7\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 10721 bytes


  #2  
Old 01-17-2008
Senior Security Analyst
 
Join Date: Dec 2006
Location: In a van, down by the river
Posts: 545
PC Experience: Experienced
dahli
Re: I have a popup virus. Please help

Hello and welcome to PCHF,

Could you please go here and submit the following files:

C:\WINDOWS\system32\iam_verify.exe
C:\WINDOWS\system32\fftuaiaf.dll
C:\WINDOWS\system32\byvuv.exe

Post the logs for each that it creates.

Thanks.


__________________
Steve
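As an added illustration (not code from the thread, from dahli, or from HijackThis itself), here is a small Python triage script that applies the same reading of the log that the reply above did: the win.ini load= entry, the random-named rundll32 Run value, the extension-less service image and the process running from TEMP are flagged for action, while the per-user Startup shortcut into system32 is marked only for submission to a scanner. The sample log is a constructed excerpt of the log above and the severity rules are my own heuristics, not part of HijackThis.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: an excerpt shaped like the HijackThis log above
# (not the full log), with benign entries left in for contrast.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\DA5601.EXE
C:\WINDOWS\system32\windows
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\byvuv.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [02e224b4] rundll32.exe "C:\WINDOWS\system32\fftuaiaf.dll",b
O4 - S-1-5-21-527237240-1708537768-682003330-12582 Startup: iam_verify.lnk = C:\WINDOWS\system32\iam_verify.exe (User '?')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Finding:
    severity: str  # "high": act on it; "review": verify or submit for scanning
    line: str
    reason: str


# HijackThis entry lines start with a section code such as R1, F3, O4, O23.
ENTRY = re.compile(r"^(?:R\d|F\d|O\d+) - ")
HAS_EXT = re.compile(r"\.[A-Za-z0-9]{1,4}$")
TEMP_DIR = re.compile(r"\\WINDOWS\\TEMP\\", re.IGNORECASE)
SYSTEM32 = re.compile(r"^C:\\WINDOWS\\system32\\", re.IGNORECASE)
DLL_IN_SYS32 = re.compile(r"\\WINDOWS\\system32\\[^\\\"]+\.dll", re.IGNORECASE)
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
F3_LOAD = re.compile(r"^F3 - REG:win\.ini: load=(.+)$")
O4_RUN = re.compile(r"^O4 - .*Run: \[([^\]]*)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - .*Startup: (.+?)\.lnk = (.+?)(?: \(User .*\))?$")
O23_SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def check_process(path: str) -> Optional[Finding]:
    """Heuristics for one line of the 'Running processes:' section."""
    if TEMP_DIR.search(path):
        return Finding("high", path, "process image lives in the Windows TEMP directory")
    if not HAS_EXT.search(path):
        return Finding("high", path, "process image path has no file extension")
    return None


def check_entry(line: str) -> Optional[Finding]:
    """Heuristics for an R/F/O entry line."""
    if F3_LOAD.match(line):
        return Finding("high", line, "win.ini load= autostart is almost never used legitimately")
    m = O4_RUN.match(line)
    if m:
        name, command = m.group(1), m.group(2)
        if HEX_NAME.match(name):
            return Finding("high", line, "Run value named with 8 random hex digits")
        if "rundll32" in command.lower() and DLL_IN_SYS32.search(command):
            return Finding("high", line, "rundll32 loading a DLL straight from system32 (Vundo loader pattern)")
        return None
    m = O4_STARTUP.match(line)
    if m and SYSTEM32.match(m.group(2)):
        return Finding("review", line, "Startup shortcut targets an executable in system32; submit it for scanning")
    m = O23_SERVICE.match(line)
    if m and m.group(2) == "Unknown owner":
        if not HAS_EXT.search(m.group(3)):
            return Finding("high", line, "service with unknown owner whose image has no file extension")
        return Finding("review", line, "service owner unknown; confirm the binary belongs to installed software")
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and collect findings in log order."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if ENTRY.match(line):
            in_processes = False  # first entry line ends the process list
            f = check_entry(line)
        elif in_processes:
            f = check_process(line)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample above the script flags five entries as "high" and two for review; the review tier matches what happened in the thread, where iam_verify.exe was submitted and came back clean.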
  #3  
Old 01-17-2008
Bronze Member
 
Join Date: Jan 2008
Posts: 4
PC Experience: Some Experience
dholstine
Re: I have a popup virus. Please help

File iam_verify.exe received on 01.17.2008 04:51:34 (CET)

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2008.1.17.10 | 2008.01.16 | -
AntiVir | 7.6.0.48 | 2008.01.16 | -
Authentium | 4.93.8 | 2008.01.16 | -
Avast | 4.7.1098.0 | 2008.01.16 | -
AVG | 7.5.0.516 | 2008.01.16 | -
BitDefender | 7.2 | 2008.01.17 | -
CAT-QuickHeal | 9.00 | 2008.01.16 | -
ClamAV | 0.91.2 | 2008.01.17 | -
DrWeb | 4.44.0.09170 | 2008.01.16 | -
eSafe | 7.0.15.0 | 2008.01.16 | -
eTrust-Vet | 31.3.5464 | 2008.01.17 | -
Ewido | 4.0 | 2008.01.16 | -
FileAdvisor | 1 | 2008.01.17 | -
Fortinet | 3.14.0.0 | 2008.01.17 | -
F-Prot | 4.4.2.54 | 2008.01.16 | -
F-Secure | 6.70.13260.0 | 2008.01.17 | -
Ikarus | T3.1.1.20 | 2008.01.17 | -
Kaspersky | 7.0.0.125 | 2008.01.17 | -
McAfee | 5209 | 2008.01.16 | -
Microsoft | 1.3109 | 2008.01.17 | -
NOD32v2 | 2799 | 2008.01.16 | -
Norman | 5.80.02 | 2008.01.16 | -
Panda | 9.0.0.4 | 2008.01.17 | -
Prevx1 | V2 | 2008.01.17 | -
Rising | 20.27.22.00 | 2008.01.16 | -
Sophos | 4.24.0 | 2008.01.17 | -
Sunbelt | 2.2.907.0 | 2008.01.17 | -
Symantec | 10 | 2008.01.17 | -
TheHacker | 6.2.9.188 | 2008.01.16 | -
VBA32 | 3.12.2.5 | 2008.01.15 | -
VirusBuster | 4.3.26:9 | 2008.01.16 | -
Webwasher-Gateway | 6.6.2 | 2008.01.16 | -

Additional information
File size: 32768 bytes
MD5: de4ba5effafa4c928f01bbc49aeb4f77
SHA1: ab32aa7f7b20d1e44b30e23279d07759288b3af7
PEiD: -


File fftuaiaf.dll received on 01.17.2008 04:58:17 (CET)

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2008.1.17.10 | 2008.01.16 | -
AntiVir | 7.6.0.48 | 2008.01.16 | TR/Dldr.ConHook.Gen
Authentium | 4.93.8 | 2008.01.16 | -
Avast | 4.7.1098.0 | 2008.01.16 | -
AVG | 7.5.0.516 | 2008.01.16 | Lop
BitDefender | 7.2 | 2008.01.17 | -
CAT-QuickHeal | 9.00 | 2008.01.16 | -
ClamAV | 0.91.2 | 2008.01.17 | -
DrWeb | 4.44.0.09170 | 2008.01.16 | -
eSafe | 7.0.15.0 | 2008.01.16 | -
eTrust-Vet | 31.3.5464 | 2008.01.17 | -
Ewido | 4.0 | 2008.01.16 | -
FileAdvisor | 1 | 2008.01.17 | -
Fortinet | 3.14.0.0 | 2008.01.17 | -
F-Prot | 4.4.2.54 | 2008.01.16 | W32/Virtumonde.G.gen!Eldorado
F-Secure | 6.70.13260.0 | 2008.01.17 | -
Ikarus | T3.1.1.20 | 2008.01.17 | -
Kaspersky | 7.0.0.125 | 2008.01.17 | -
McAfee | 5209 | 2008.01.16 | -
Microsoft | 1.3109 | 2008.01.17 | Trojan:Win32/Vundo.gen!A
NOD32v2 | 2800 | 2008.01.17 | -
Norman | 5.80.02 | 2008.01.16 | -
Panda | 9.0.0.4 | 2008.01.17 | Suspicious file
Prevx1 | V2 | 2008.01.17 | Trojan.Vundo
Rising | 20.27.22.00 | 2008.01.16 | -
Sophos | 4.24.0 | 2008.01.17 | Troj/Virtum-Gen
Sunbelt | 2.2.907.0 | 2008.01.17 | -
Symantec | 10 | 2008.01.17 | -
TheHacker | 6.2.9.188 | 2008.01.16 | -
VBA32 | 3.12.2.5 | 2008.01.15 | -
VirusBuster | 4.3.26:9 | 2008.01.16 | Adware.Vundo.V.Gen
Webwasher-Gateway | 6.6.2 | 2008.01.16 | Trojan.Dldr.ConHook.Gen

Additional information
File size: 86592 bytes
MD5: 3bda5b89484218cf40ee2b62ed2678e8
SHA1: b9cd44b6f6638de3c4d1a1ae9be9caa1ee3516ea
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=E2C884F04018328752D201C0BE033B00DDA20A09 (43079132.DLL - Prevx)


File byvuv.dll received on 01.17.2008 05:08:08 (CET)

Antivirus | Version | Last Update | Result
AhnLab-V3 | 2008.1.17.10 | 2008.01.16 | -
AntiVir | 7.6.0.48 | 2008.01.16 | -
Authentium | 4.93.8 | 2008.01.16 | -
Avast | 4.7.1098.0 | 2008.01.16 | Win32:TratBHO
AVG | 7.5.0.516 | 2008.01.16 | Generic9.AQNB
BitDefender | 7.2 | 2008.01.17 | Trojan.Vundo.DVD
CAT-QuickHeal | 9.00 | 2008.01.16 | -
ClamAV | 0.91.2 | 2008.01.17 | -
DrWeb | 4.44.0.09170 | 2008.01.16 | -
eSafe | 7.0.15.0 | 2008.01.16 | -
eTrust-Vet | 31.3.5464 | 2008.01.17 | -
Ewido | 4.0 | 2008.01.16 | -
FileAdvisor | 1 | 2008.01.17 | -
Fortinet | 3.14.0.0 | 2008.01.17 | -
F-Prot | 4.4.2.54 | 2008.01.16 | W32/Virtumonde.G.gen!Eldorado
F-Secure | 6.70.13260.0 | 2008.01.17 | Vundo.AL
Ikarus | T3.1.1.20 | 2008.01.17 | -
Kaspersky | 7.0.0.125 | 2008.01.17 | -
McAfee | 5209 | 2008.01.16 | -
Microsoft | 1.3109 | 2008.01.17 | Trojan:Win32/Vundo.gen!A
NOD32v2 | 2800 | 2008.01.17 | -
Norman | 5.80.02 | 2008.01.16 | Vundo.AL
Panda | 9.0.0.4 | 2008.01.17 | -
Prevx1 | V2 | 2008.01.17 | Trojan.Vundo
Rising | 20.27.22.00 | 2008.01.16 | -
Sophos | 4.24.0 | 2008.01.17 | W32/VirtInf-B
Sunbelt | 2.2.907.0 | 2008.01.17 | -
Symantec | 10 | 2008.01.17 | Trojan.Vundo
TheHacker | 6.2.9.188 | 2008.01.16 | -
VBA32 | 3.12.2.5 | 2008.01.15 | -
VirusBuster | 4.3.26:9 | 2008.01.16 | Adware.Vundo.V.Gen
Webwasher-Gateway | 6.6.2 | 2008.01.16 | Win32.Malware.gen (suspicious)

Additional information
File size: 330752 bytes
MD5: 6d2ec7cb0066c316918cfcb86b4556d3
SHA1: c072013bb6c329b0e00fa5633f03dd46a7017fa4
PEiD: -
Prevx info: 95006955.DLL - Prevx


  #4  
Old 01-17-2008
Senior Security Analyst
 
Join Date: Dec 2006
Location: In a van, down by the river
Posts: 545
PC Experience: Experienced
dahli
Re: I have a popup virus. Please help

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.


__________________
Steve
  #5  
Old 01-17-2008
Bronze Member
 
Join Date: Jan 2008
Posts: 4
PC Experience: Some Experience
dholstine
Re: I have a popup virus. Please help

VundoFix V6.7.7
Checking Java version...
Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Scan started at 11:18:53 PM 1/16/2008
Listing files found while scanning....
C:\windows\system32\bboudnna.dll
C:\windows\system32\bboudnna.dllbox
Beginning removal...
Attempting to delete C:\windows\system32\bboudnna.dll
C:\windows\system32\bboudnna.dll Has been deleted!
Attempting to delete C:\windows\system32\bboudnna.dllbox
C:\windows\system32\bboudnna.dllbox Has been deleted!
Performing Repairs to the registry.
Done!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:25 AM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\windows\coe\tools\biweeklyrestart.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\DDEE5C.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdobeReader7\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weyer.com/roots
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.weyer.com/sutton/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.weyer.com/roots
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by COE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = isaus.corp.weyer.pri:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.pri;*.weyer.com;*.wii.com;*.corpqa.weyerqa.pri;127.0.0.1;im.weyerhaeuser.com;conf.weyerhaeuser.com;mail.weyerhaeuser.com
F3 - REG:win.ini: load=C:\WINDOWS\system32\byvuv.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [02e224b4] rundll32.exe "C:\WINDOWS\system32\fftuaiaf.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\AdobeReader7\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.weyer.com/sutton/
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.weyer.pri
O17 - HKLM\Software\..\Telephony: DomainName = corp.weyer.pri
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.weyer.pri
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.weyer.pri
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BiWeekly Restart (BiWeeklyRestart) - EDS - c:\windows\coe\tools\biweeklyrestart.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - https://mail.weyerhaeuser.com/exchan...6.JPG?attach=1
--
End of file - 8587 bytes


  #6  
Old 01-19-2008
Senior Security Analyst
 
Join Date: Dec 2006
Location: In a van, down by the river
Posts: 545
PC Experience: Experienced
dahli
Re: I have a popup virus. Please help

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.


1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
This can take a while, so please be patient.
If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Do NOT run ComboFix more than once.
Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.
Do not run Combofix more than once.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


__________________
Steve
  #7  
Old 01-20-2008
Bronze Member
 
Join Date: Jan 2008
Posts: 4
PC Experience: Some Experience
dholstine
Re: I have a popup virus. Please help

Thanks so much for all your help. It is fixed.



Powered by vBulletin
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
All Graphics & Content Copyright © 2004-2008 - PC Help Forum.com