Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Blackworm Virus Popups


  • Please log in to reply
5 replies to this topic

#1 WSULib

WSULib

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:18 PM

Posted 16 March 2006 - 11:52 AM

Please let us know how to remove the Blackworm Virus.

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:13:55 AM, on 3/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://library.wichita.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://library.wichita.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://libcat.wichita.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WTLHelper Object - {6D33B121-5C4C-4450-9D1F-7B67085CC199} - C:\WINNT\system32\gebca.dll
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Circulation.lnk = ?
O4 - Startup: Online Library Catalog.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: WordPerfect 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\wpwin9.exe
O4 - Global Startup: Novell Login.lnk = C:\WINNT\system32\loginw32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O20 - Winlogon Notify: gebca - C:\WINNT\system32\gebca.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:01:18 AM

Posted 16 March 2006 - 01:30 PM

Hello WSULib

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
David

#3 WSULib

WSULib
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:18 PM

Posted 16 March 2006 - 02:06 PM

Here are the results of the contents of the "vundofix.txt" and a new "HiJackThis" log, as you requested.

Vundo:


VundoFix V4.2.30
Scan started at 4:17:57 PM 3/10/2006

Listing files found while scanning....

C:\WINNT\system32\gebca.dll
C:\WINNT\system32\acbeg.ini
C:\WINNT\system32\acbeg.bak1

C:\WINNT\system32\acbeg.bak1
C:\WINNT\system32\acbeg.ini
C:\WINNT\system32\gebca.dll

VundoFix V4.2.33

Checking Java version...

Scan started at 12:49:10 PM 3/16/2006

Listing files found while scanning....

C:\WINNT\system32\gebca.dll
C:\WINNT\system32\acbeg.ini
C:\WINNT\system32\acbeg.bak1
C:\WINNT\system32\acbeg.bak2

C:\WINNT\system32\acbeg.bak1
C:\WINNT\system32\acbeg.bak2
C:\WINNT\system32\acbeg.ini
C:\WINNT\system32\gebca.dll
Attempting to delete C:\WINNT\system32\gebca.dll
C:\WINNT\system32\gebca.dll Has been deleted!

Attempting to delete C:\WINNT\system32\acbeg.ini
C:\WINNT\system32\acbeg.ini Has been deleted!

Attempting to delete C:\WINNT\system32\acbeg.bak1
C:\WINNT\system32\acbeg.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\acbeg.bak2
C:\WINNT\system32\acbeg.bak2 Has been deleted!

Performing Repairs to the registry.
Done!


HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:05:47 PM, on 3/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINNT\System32\NALNTSRV.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://library.wichita.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://library.wichita.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://libcat.wichita.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Circulation.lnk = ?
O4 - Startup: Online Library Catalog.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: WordPerfect 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\wpwin9.exe
O4 - Global Startup: Novell Login.lnk = C:\WINNT\system32\loginw32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\System32\NALNTSRV.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:01:18 AM

Posted 17 March 2006 - 04:02 AM

Hi WSULib

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or F-Prot - if you remove Mcafee please understand you will have to install a new firewall as the mcafee one will have been uninstalled also.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm


This entry is optional:
O4 - Startup: Online Library Catalog.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
<---opening internet explorer at start-up is a pretty pointless idea. It's not malware but it is an optional. Tick if you wish to remove it

* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

How is the system running - have these pop-ups stopped?
David

#5 WSULib

WSULib
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:18 PM

Posted 17 March 2006 - 10:23 AM

The system is running great and there is no longer anymore pop-ups.

I removed the suggested entries from your last reply. As for the 04 - Startup: for the Online Library Catalog, it will be left as is. The users of the PC want it left that way.

This particular virus had so many variations that I was having difficulty finding the solution to the one WE had. I returned to this website due to the success I experienced in the past. I found this website a year ago in a search for my issue at that time. I was able to find the solution from another user's request last year and once again later on for another.


Thank you so much for your help.

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:01:18 AM

Posted 17 March 2006 - 02:22 PM

Hi WSUlib :thumbsup:

I'm glad you have been able to fix this. The fact that your system got so infected in the first place shows me that you are lacking slightly in protection. Follow this list and your potential for being infected again will reduce dramatically.

Now that you are clean, lets reset your system restore points please follow these simple steps in order
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Clickthe System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer
  • Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Un-Check Turn off System Restore.
  • Click Apply, and then click OK.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs: hide
    Click here for more information on -> Computer Safety On line - Anti-Virus

    I would recommend Grisofts© AVG or AVAST©. As these are the more secure and better ones.
  • Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Click here for more information on -> Computer Safety On line - Software Firewalls
    I would recommend ZoneAlarm© as a firewall as it's easy to use. But for a more secure firewall, Sunbelts Kerio© is the one.
  • Visit Microsoft's Windows Update Site Frequently It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly
  • Install Spybot© - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here: Click here for more info -->Instructions for - Spybot S & D and Ad-aware
  • Install Lavasofts© Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here: Click here for more info -->Instructions for - Spybot S & D and Ad-aware
  • Install Javacools© SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here: Click here for more info -->Computer Safety on line - Anti-Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If you have any addition questions just ask...
David




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users