
Virus Alert! Message In Clock.


18 replies to this topic

#1 Julescariad


Posted 27 May 2008 - 01:47 PM

My computer has been infected with some pop-up message trojans or viruses. It has at least two visible problems: one is that the system clock now displays both the time and a message "VIRUS ALERT!" right after the time. The other problem is that various pop ups from both reputable and non reputable companies keep invading my IE. Last night a VIRUS ALERT! sign appeared on a message someone sent me on messenger, I have run AVG, ADAWARE, C Cleaner and SPYBOT in the safe mode but to no avail. The VIRUS ALERT! sign seems to be getting more virulent and invading more of my computer. Should I run a Hijack Log? Has anyone any idea! I really would be grateful.



#2 garmanma


Posted 27 May 2008 - 02:00 PM

Moving to Am I Infected
Mark

#3 ruby1


Posted 27 May 2008 - 02:01 PM

:thumbsup:
suggest you first take a system restore point NOW then
try running these two scanners and see what they find ?


Superantispyware; guide on how to install and run


If you have not already got a Downloads folder , I suggest you create a new folder in My Documents, and name it Downloads ;

Installing superantispyware

Superantispyware is found here


http://www.superantispyware.com/index.html

Download to the Downloads folder the free exe to superantispyware from here


http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

you install superantispyware by clicking on the icon in the downloads folder ;
it will launch the installation process;
follow the instructions and I suggest you ask for a default installation ;
ensure it creates a desktop icon for you ;
once the program has been installed it should ask you if you wish to update the program ; say YES

if it does not ask you , you need TO fully update the definitions by opening the program and find the ‘check for updates ‘tab in the bottom left of the menus you see; click on it and it will do the update for you ;
I suggest you ask it to check for updates again once the first update is complete just to be sure


please then reboot your computer ; it is preferable to run the scan in your computers safe mode;

please open this program from the desktop icon
please run the scan while you are OFF line and do not have the computer doing any other work while the scan runs

go to the preferences tab on the right
on the General tab I suggest you disable the scan on start up

on the Hijack protection tab I suggest you tick BOTH items; this enables the program to give you a Hijack home page alert if your home page gets changed ; if you DO get a home page hijack, when you boot up the computer superantispyware will open and tell you the home page has changed and will ask you if this is a legitimate change;

in statistics/logs- go to the bottom and you will see two boxes asking about keeping a log of scanning results and saving empty logs?

Tick both of them

Then go back to the main screen and see the tab that says scan your computer? Do you see that ?

Click on it

A screen will open ;on the left hand side ensure your FIXED drive ( most probably the C drive) is ticked;
Also tick in there any other section that is used and attached .
On the right hand side you see three scanning options?; please click the Complete scan option

OK; you are now set to scan

Please then click on the ‘next’ tab and let the scan run please run the scan while you are OFF line and do not have the computer doing any other work while the scan runs

From my experience running this program the complete full scan CAN take many hours to run depending on how much is on your computer so be patient and let it run; maybe go for a cuppa or watch a favourite program while this one runs

Once the scan IS complete you will be presented with a box telling you what the scan has found ( if anything); if harmful objects have been found click on the OK button ; on the next screen all the harmful objects should have a check mark beside them, ; click ‘next’


A notification should appear that

‘quarantine and removal is complete’

click ‘ok’
and then the Finish button to get returned to the main menu


If you have run the scan in computers safe mode you will need to reboot to computer normal mode

If you have run in computer’s normal mode I suggest you reboot to enable the ‘fix’ the program has performed to consolidate

You then need to retrieve the scan result

Open the program and return to the statistics /logs section ; locate the most recent log ; left mouse click on it to highlight it and click the ‘view log’ tab

The log should appear in maybe note pad ; you need to copy and paste that log for examination
Once you have posted the log please close the superantispyware program

...................................................................

and
Malwarebytes
you need to be ON line to start this process and please run the scan in computer's NORMAL mode
your exe is
http://www.besttechie.net/tools/mbam-setup.exe


alternate download link 1

http://malwarebytes.gt500.org/mbam-setup.exe


alternate download link 2

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html




suggest; download the exe to your downloads folder so you know where to find it;

create from that folder a shortcut to your desktop

Double-click on the exe to install the application.
The installation is relatively straight forward; just follow the prompts and do not make any changes to default settings.

When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
The Program will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, you may manually download them from
here
http://www.malwarebytes.org/mbam/database/mbam-rules.exe

On the main interface you will see different tabs at the top of the program?

Select each to see what they ask of you and what they each represent;
When you are ready to scan you will be asked to select the drives you wish to scan? The program should recognise ALL your drives ; if it does not I suggest you select all drives

You will be asked to select either a quick scan or a full computer scan my recommendation is to do a full scan so your search does not miss anything

Click the start button and let the scan run; it will show you how it is progressing, what section it is on and the elapsed time I ran a full trial scan on my relatively empty XP for a ‘sampling ‘ ;your scan may take about an hour or so to run


When the scan is complete a message box will say "The scan completed successfully. Click on 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
On the Main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Ensure everything is checked,

click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log should be saved automatically and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit the program .


Note: please be aware ;

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


let us know the results from both scans? see if we can keep you OUT of the HJT log section

#4 Julescariad


Posted 27 May 2008 - 03:02 PM

Kay, done the first one, and here is the log; about to do the second one now!
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/27/2008 at 08:55 PM

Application Version : 4.1.1046

Core Rules Database Version : 3468
Trace Rules Database Version: 1459

Scan type : Complete Scan
Total Scan Time : 00:21:00

Memory items scanned : 189
Memory threats detected : 2
Registry items scanned : 6854
Registry threats detected : 12
File items scanned : 18418
File threats detected : 67

Trojan.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\KHFEXOPO.DLL
C:\WINDOWS\SYSTEM32\KHFEXOPO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}
HKCR\CLSID\{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}
HKCR\CLSID\{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}\InprocServer32
HKCR\CLSID\{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB55C337-34C0-4F49-AC9F-908ADF09C735}
HKCR\CLSID\{CB55C337-34C0-4F49-AC9F-908ADF09C735}
HKCR\CLSID\{CB55C337-34C0-4F49-AC9F-908ADF09C735}\InprocServer32
HKCR\CLSID\{CB55C337-34C0-4F49-AC9F-908ADF09C735}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\khfEXopo
C:\WINDOWS\SYSTEM32\HCJLSCHL.DLL

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\WVUOLBXW.DLL
C:\WINDOWS\SYSTEM32\WVUOLBXW.DLL

Adware.Tracking Cookie

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP

#5 boopme


Posted 27 May 2008 - 03:22 PM

That was a good scan. Now run this, post the log and tell us how the PC is operating after.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#6 Julescariad


Posted 27 May 2008 - 04:01 PM

OK, here's the second log report from Malwarebytes, the VIRUS ALERT! sign is still next to my clock! Thanks so much for your help.
Malwarebytes' Anti-Malware 1.12
Database version: 791

Scan type: Full Scan (C:\|)
Objects scanned: 120210
Time elapsed: 37 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vltdfabw (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vregfwlx (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.

#7 boopme


Posted 27 May 2008 - 04:10 PM

Ok then let's run these.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post log and let us know how the PC is running now.

#8 Julescariad


Posted 27 May 2008 - 04:10 PM

I have rebooted and all the old problems are still there, it still says VIRUS ALERT! next to my clock in 'MY Computer' properties 'automatic updates' and I am still getting the pop ups when I am in IE. I have tried going in through Firefox and I have my privacy settings set up to their highest but it is still getting through. It's pesky!! Julescariad.

#9 Julescariad


Posted 27 May 2008 - 05:19 PM

OK, here's a weird thing, after I ran ATF cleaner in safe mode, on the left of my clock was a little yellow bug, when I rebooted in normal the yellow bug was gone but it STILL says VIRUS ALERT! here is the log for the super scan although it didn't find anything and I did a full scan, all the same problems do still seem to be there though, confusing! OOOh, it also says VIRUS ALERT! on the General properties on MY Computer and if I click into the date and time properties it says VIRUS ALERT! under the Internet Time tab, it seems to be sneaking in in all sorts of places. Another place is in 'My Photos' under each photos properties it says VIRUS ALERT!, in my Music, the same thing, always in the details box in the bottom left corner, it's all over the spot.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/27/2008 at 08:55 PM

Application Version : 4.1.1046

Core Rules Database Version : 3468
Trace Rules Database Version: 1459

Scan type : Complete Scan
Total Scan Time : 00:21:00

Memory items scanned : 189
Memory threats detected : 2
Registry items scanned : 6854
Registry threats detected : 12
File items scanned : 18418
File threats detected : 67

Trojan.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\KHFEXOPO.DLL
C:\WINDOWS\SYSTEM32\KHFEXOPO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}
HKCR\CLSID\{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}
HKCR\CLSID\{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}\InprocServer32
HKCR\CLSID\{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB55C337-34C0-4F49-AC9F-908ADF09C735}
HKCR\CLSID\{CB55C337-34C0-4F49-AC9F-908ADF09C735}
HKCR\CLSID\{CB55C337-34C0-4F49-AC9F-908ADF09C735}\InprocServer32
HKCR\CLSID\{CB55C337-34C0-4F49-AC9F-908ADF09C735}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{4A3F62A9-AFEB-4543-AE4D-DC2442444E64}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\khfEXopo
C:\WINDOWS\SYSTEM32\HCJLSCHL.DLL

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\WVUOLBXW.DLL
C:\WINDOWS\SYSTEM32\WVUOLBXW.DLL

Adware.Tracking Cookie

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP

Edited by Julescariad, 27 May 2008 - 05:53 PM.


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 May 2008 - 08:24 PM

Actually the 2 scans found about 10 Vundo infections. Trojan.Vundo is a component of an adware program that downloads and displays pop-up advertisements. It is known to be installed by visiting a Web site link contained in a spammed email.

I think we can get this using SDFix tool. SDFix will remove the known Trojans and Worms found on your computer.
How to use SDFix
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#11 DaveM2008

DaveM2008

  • Members
  • 2 posts

Posted 27 May 2008 - 09:58 PM

If I am correct I also had the same issue. I finally searched the registry for VIRUS ALERT! and I found the text was appended to the sTimeFormat key. This key is located in My Computer\HKEY_CURRENT_USER\Control Panel\International. Hope this is what you are looking for.

#12 Rob.B

Rob.B

  • Members
  • 1 posts

Posted 27 May 2008 - 10:47 PM

Been hovering around the internet to get some insight on this virus and see what people have come up with. I've been on these forums a lot but never signed up; I figured now would be a good time.

Anyway, I've seen this virus pop up in the last 2 days on a large number of machines. I work with a large group of techs, so we see a lot of volume.

As for the "virus alert" text, it's just a simple edit of the time format. You can do it via the registry too, as DaveM2008 pointed out, or you can do the following:

Go to Control Panel> Regional and Language Options> Regional Options tab> Hit the "Customize" button on the right> Go to Time Tab

Here you will see your current settings; just fix your format and you're good to go.


I've also noticed this virus edits start menu display and other icon display, which can be restored using tweakui. If you have any issues with this, let me know.

Hopefully this helps.
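
The sTimeFormat change described by DaveM2008 and Rob.B above can also be checked with a short script. This is an added example, not part of any post in the thread: it reads the value on Windows and flags any literal text in the format picture. The function names and the sample strings are assumptions constructed for illustration, since the thread does not show the exact tampered value.

```python
import re
import sys

# Windows time-format pictures are built from these specifiers plus separators;
# any other text (quoted with '...' or bare) is rendered literally in the clock.
SPECIFIERS = {"h", "hh", "H", "HH", "m", "mm", "s", "ss", "t", "tt"}
SEPARATORS = set(":. -/")
TOKEN = re.compile(r"'(?:[^']|'')*'|[A-Za-z]+|.", re.S)

# Constructed samples: the exact tampered string is not shown in the thread.
CONSTRUCTED_SAMPLES = [
    "h:mm:ss tt",
    "h:mm:ss tt VIRUS ALERT!",
    "HH:mm:ss 'VIRUS ALERT!'",
]

def audit_time_format(picture):
    """Return (flagged, cleaned): literal fragments found, and the picture without them."""
    flagged, kept = [], []
    for tok in TOKEN.findall(picture):
        if tok in SPECIFIERS or tok in SEPARATORS:
            kept.append(tok)
        elif len(tok) > 1 and tok[0] == "'" and tok[-1] == "'":
            flagged.append(tok[1:-1].replace("''", "'"))  # quoted literal
        else:
            flagged.append(tok)  # bare word or stray punctuation
    return flagged, "".join(kept).strip()

def read_current_user_time_format():
    """Read sTimeFormat under HKEY_CURRENT_USER, Control Panel, International (read-only)."""
    import winreg  # standard library, Windows only
    path = r"Control Panel\International"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        value, _value_type = winreg.QueryValueEx(key, "sTimeFormat")
    return value

if __name__ == "__main__":
    on_windows = sys.platform == "win32"
    pictures = [read_current_user_time_format()] if on_windows else CONSTRUCTED_SAMPLES
    for picture in pictures:
        flagged, cleaned = audit_time_format(picture)
        if flagged:
            # Literal text is a prompt for review, not proof of infection.
            print(f"REVIEW {picture!r}: literal text {flagged}, specifiers only: {cleaned!r}")
        else:
            print(f"OK     {picture!r}")
```

The script only reads the registry; the corrected format is still applied through the Regional and Language Options dialog described above.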

#13 Julescariad

Julescariad
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Female
  • Location:Cardiff

Posted 28 May 2008 - 03:34 AM

That worked!! Wow! Thanks so much. One last thing: I now have AVG, Antivirus 2008 pro, AdAware, Spybot search and destroy, Malware bytes anti malware, CC cleaner and Super anti spyware installed. Which of these should I keep and which need to be removed? You are all clever, clever people. Jules.

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 May 2008 - 10:10 PM

Remove this Antivirus 2008 pro; I don't believe it is safe.

Now, if all is well, you should set a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#15 z23

z23

  • Members
  • 3 posts

Posted 30 May 2008 - 04:28 AM

I had the same problem with the virus alert in the clock, but I can't change my background etc. or access my hard drive through My Computer or settings through start up.

It says it has been stopped by the administrator.

:s

Anyone have any ideas?

I'm using XP.

Edited by z23, 30 May 2008 - 04:36 AM.




