Winfixer Popups - Virtumonde Virus


#1 cubix

Posted 26 June 2006 - 04:56 PM

I was hoping you could help me... I ran Vundo Fix, which attempted to remove the Virtumonde virus from my laptop. However, I am still receiving those annoying Winfixer popups. I have run a Norton Antivirus and Ad-Aware scan and both say that my laptop is clean, but I do not understand why I am still receiving these popups. Please find below the results of my VirtumundoBeGone scan, which caused my computer to crash :thumbsup:. I have also included my HijackThis log. Is there anything in there that shouldn't be? Do these popups have anything to do with Windows Messenger? Many thanks in advance for your help.


[06/26/2006, 22:09:41] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\User\Desktop\VirtumundoBeGone.exe" )
[06/26/2006, 22:09:47] - Detected System Information:
[06/26/2006, 22:09:47] - Windows Version: 5.1.2600, Service Pack 2
[06/26/2006, 22:09:47] - Current Username: User (Admin)
[06/26/2006, 22:09:47] - Windows is in SAFE mode with Networking.
[06/26/2006, 22:09:47] - Searching for Browser Helper Objects:
[06/26/2006, 22:09:47] - BHO 1: {01fb8ed7-d7b5-4f80-bbd5-3f2bef3851a2} ()
[06/26/2006, 22:09:47] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/26/2006, 22:09:47] - Checking for HKLM\...\Winlogon\Notify\cdmduk
[06/26/2006, 22:09:47] - Found: HKLM\...\Winlogon\Notify\cdmduk - This is probably Virtumundo.
[06/26/2006, 22:09:47] - Assigning {01fb8ed7-d7b5-4f80-bbd5-3f2bef3851a2} MSEvents Object
[06/26/2006, 22:09:47] - BHO list has been changed! Starting over...
[06/26/2006, 22:09:47] - BHO 1: {01fb8ed7-d7b5-4f80-bbd5-3f2bef3851a2} (MSEvents Object)
[06/26/2006, 22:09:47] - ALERT: Found MSEvents Object!
[06/26/2006, 22:09:47] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[06/26/2006, 22:09:47] - BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[06/26/2006, 22:09:47] - BHO 4: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[06/26/2006, 22:09:47] - Finished Searching Browser Helper Objects
[06/26/2006, 22:09:47] - *** Detected MSEvents Object
[06/26/2006, 22:09:47] - Trying to remove MSEvents Object...
[06/26/2006, 22:09:48] - Terminating Process: IEXPLORE.EXE
[06/26/2006, 22:09:48] - Terminating Process: RUNDLL32.EXE
[06/26/2006, 22:09:48] - Disabling Automatic Shell Restart
[06/26/2006, 22:09:48] - Terminating Process: EXPLORER.EXE
[06/26/2006, 22:09:48] - Suspending the NT Session Manager System Service
[06/26/2006, 22:09:49] - Terminating Windows NT Logon/Logoff Manager
[06/26/2006, 22:09:49] - Re-enabling Automatic Shell Restart
[06/26/2006, 22:09:49] - File to disable: C:\WINDOWS\system32\cdmduk.dll
[06/26/2006, 22:09:49] - Renaming C:\WINDOWS\system32\cdmduk.dll -> C:\WINDOWS\system32\cdmduk.dll.vir
[06/26/2006, 22:09:49] - File successfully renamed!
[06/26/2006, 22:09:49] - Removing HKLM\...\Browser Helper Objects\{01fb8ed7-d7b5-4f80-bbd5-3f2bef3851a2}
[06/26/2006, 22:09:49] - Removing HKCR\CLSID\{01fb8ed7-d7b5-4f80-bbd5-3f2bef3851a2}
[06/26/2006, 22:09:49] - Adding Kill Bit for ActiveX for GUID: {01fb8ed7-d7b5-4f80-bbd5-3f2bef3851a2}
[06/26/2006, 22:09:49] - Deleting ATLEvents/MSEvents Registry entries
[06/26/2006, 22:09:49] - Removing HKLM\...\Winlogon\Notify\cdmduk
[06/26/2006, 22:09:49] - Searching for Browser Helper Objects:
[06/26/2006, 22:09:49] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[06/26/2006, 22:09:49] - BHO 2: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[06/26/2006, 22:09:49] - BHO 3: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[06/26/2006, 22:09:49] - Finished Searching Browser Helper Objects
[06/26/2006, 22:09:49] - Finishing up...
[06/26/2006, 22:09:49] - A restart is needed.
[06/26/2006, 22:09:49] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[06/26/2006, 22:09:57] - Attempting to Restart via STOP error (Blue Screen!)

Logfile of HijackThis v1.99.1
Scan saved at 22:27:02, on 26/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\lycos\Lyc_SysTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Holly\Local Settings\Temp\wz8d8b\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [lycosInside] C:\Program Files\lycos\Lyc_SysTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f009.mail.lycos.co.uk/app/uploader/FileUploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#2 Guest_Cretemonster_*


Posted 28 June 2006 - 04:32 AM

Hi cubix and Welcome to the Bleeping Computer!


Go to the HijackThis folder and right click HijackThis.exe

Select rename and rename it to look.exe

Double Click look.exe to launch HijackThis

Do a System Scan and Save a Logfile.


Post those results in the next reply.
