
Can't Remove Vundo Trajon Here Is My Hijack Log


This topic is locked
21 replies to this topic

#1 jerrel

Posted 16 June 2007 - 01:31 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:25:53 PM, on 6/16/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2462.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\scardsvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\mysql\bin\mysqld.exe
C:\PROGRA~1\NowSMS\MMSCNT.EXE
C:\PROGRA~1\NowSMS\SMSGWNT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\PROGRA~1\NowSMS\SMSGWS.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\CodeSegment\SMS Studio Server\SMSStudio.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRA~1\NowSMS\MMSC.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.1.159.19:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SMS Studio Server] "C:\Program Files\CodeSegment\SMS Studio Server\SMSStudio.exe" /h
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\ZendStudioClient-5.1.0\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\ZendStudioClient-5.1.0\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: (no name) - {233A9694-667E-11d1-9DFB-006097D5040A} - (no file)
O9 - Extra button: Contacts - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - C:\Program Files\Internet Explorer\iecont.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147719734390
O17 - HKLM\System\CCS\Services\Tcpip\..\{6561A3ED-0EE5-4EF4-B76A-A179AA619271}: NameServer = 200.1.156.11,200.1.157.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{6561A3ED-0EE5-4EF4-B76A-A179AA619271}: NameServer = 200.1.156.11,200.1.157.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{6561A3ED-0EE5-4EF4-B76A-A179AA619271}: NameServer = 200.1.156.11,200.1.157.11
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld.exe
O23 - Service: NowMMSC - Unknown owner - C:\PROGRA~1\NowSMS\MMSCNT.EXE
O23 - Service: NowSMS - Unknown owner - C:\PROGRA~1\NowSMS\SMSGWNT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)

#2 SifuMike (malware expert)

Posted 17 June 2007 - 12:56 AM

Hello jerrel,

I received a Vundo virus through MSN and can't seem to remove it.

Why do you think you have a Vundo infection? Did your antivirus program warn you?


I need you to rename Hijackthis because I believe that you may have the Vundo infection that can hide some entries in your log.
  • Please go to the folder where you saved Hijackthis.exe:
    C:\Program Files\HijackThis\HijackThis.exe
  • Right-click on it, then select Rename.
  • Name it something like: AnalyzeThis.exe (or whatever you want)
  • Then double-click AnalyzeThis.exe to scan and then post the new logfile.
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt.

Edited by SifuMike, 17 June 2007 - 01:02 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jerrel (Topic Starter)

Posted 17 June 2007 - 05:32 AM

Hi SifuMike,

It's McAfee that warned me about the virus.
If my Messenger is closed, the virus sleeps, but as soon as I start it up the PC goes crazy.
Internet Explorer windows start popping up, MSN chat windows start popping up.

I did run VundoFix, but it can't seem to find the virus on my PC.
I also ran VirtumundoBeGone.exe in safe mode, no results.

Here is my new HijackThis log. I renamed HijackThis.exe to me.exe.

Logfile of HijackThis v1.99.1
Scan saved at 7:27:16 AM, on 6/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2462.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\scardsvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\mysql\bin\mysqld.exe
C:\PROGRA~1\NowSMS\MMSCNT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\CodeSegment\SMS Studio Server\SMSStudio.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Radmin\radmin.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\PROGRA~1\NowSMS\SMSGWNT.EXE
C:\PROGRA~1\NowSMS\SMSGWS.EXE
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINNT\System32\mdm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\me.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.1.159.19:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [SMS Studio Server] "C:\Program Files\CodeSegment\SMS Studio Server\SMSStudio.exe" /h
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\ZendStudioClient-5.1.0\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\ZendStudioClient-5.1.0\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: (no name) - {233A9694-667E-11d1-9DFB-006097D5040A} - (no file)
O9 - Extra button: Contacts - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - C:\Program Files\Internet Explorer\iecont.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147719734390
O17 - HKLM\System\CCS\Services\Tcpip\..\{6561A3ED-0EE5-4EF4-B76A-A179AA619271}: NameServer = 200.1.156.11,200.1.157.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{6561A3ED-0EE5-4EF4-B76A-A179AA619271}: NameServer = 200.1.156.11,200.1.157.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{6561A3ED-0EE5-4EF4-B76A-A179AA619271}: NameServer = 200.1.156.11,200.1.157.11
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld.exe
O23 - Service: NowMMSC - Unknown owner - C:\PROGRA~1\NowSMS\MMSCNT.EXE
O23 - Service: NowSMS - Unknown owner - C:\PROGRA~1\NowSMS\SMSGWNT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)

#4 SifuMike (malware expert)

Posted 17 June 2007 - 10:05 PM

It's McAfee that warned me about the virus.
If my Messenger is closed, the virus sleeps, but as soon as I start it up the PC goes crazy.


What does McAfee say about the virus? Is it blocking or removing it?
Does it give a location?
What does the popup say?
Is this a Messenger popup (not to be confused with MSN Messenger)?

BTW, you are using an ancient version of IE, so you need to upgrade to IE7. It is far more secure than IE6.

Your hijackthis log does not show any malware, so we will have to dig deeper.

You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.

************************

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton AntiVirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
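To make the kind of log triage done in this thread repeatable, here is an added Python example (not code from the thread, from BleepingComputer or from HijackThis itself). It parses the HijackThis 1.99.1 log format into the running-process list and the `Rx`/`Oxx` entries, then flags what an analyst checks first: IE proxy settings, custom DNS name servers, entries that point at no file, and O23 services with an unknown owner or a binary reported missing, cross-checked against the process list. The sample log is a short excerpt constructed from the entries posted above.

```python
"""Parse a HijackThis v1.99.1 log and flag entries worth checking first.

Added example for this thread; the triage rules are conservative and
only point at entries to verify, they do not declare anything malicious.
"""
import re

# Constructed excerpt of the log posted in this thread (not a full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:25:53 PM, on 6/16/2007

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINNT\system32\r_server.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.1.159.19:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: (no name) - {233A9694-667E-11d1-9DFB-006097D5040A} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6561A3ED-0EE5-4EF4-B76A-A179AA619271}: NameServer = 200.1.156.11,200.1.157.11
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
"""

# "R1 - ...", "O23 - ..." and similar entry lines.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# First Windows path ending in .exe inside an entry body.
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def parse_log(text):
    """Return (processes, entries): the running-process paths and a list
    of (section, body) tuples. Header lines are ignored."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False  # blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["section"], m["body"]))
    return processes, entries


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(parsed):
    """Return (section, reason, body) triples for entries to verify."""
    processes, entries = parsed
    running = {basename(p) for p in processes}
    findings = []
    for section, body in entries:
        reasons = []
        if section == "R1" and "ProxyServer" in body:
            reasons.append("IE proxy server configured")
        if section == "O17":
            reasons.append("custom DNS NameServer set")
        if "(no file)" in body:
            reasons.append("entry points at no file")
        if section == "O23":
            if "Unknown owner" in body:
                reasons.append("service with unknown owner")
            if "(file missing)" in body:
                m = EXE_RE.search(body)
                # HijackThis 1.99.1 is known to label quoted service paths that
                # carry arguments as missing; a matching running process is
                # strong evidence the binary is actually present.
                if m and basename(m.group(1)) in running:
                    reasons.append("reported missing but a matching process is running")
                else:
                    reasons.append("service binary reported missing")
        for reason in reasons:
            findings.append((section, reason, body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_log(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```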

#5 jerrel (Topic Starter)

Posted 18 June 2007 - 10:02 AM

Hi SifuMike,

I use Windows 2000 Server; I don't think Internet Explorer 7 runs on this OS. Have to check.

What does McAfee say about the virus? Is it blocking or removing it?
It removes a couple of the files, but then again it can't remove a few.
After a while, it seems that the files previously deleted are born again.

Does it give a location?
Yes, you can see the location in the first few lines of the BitDefender log: the Temporary Internet Files folder.

What does the popup say?
These popups are just MSN Messenger windows that go crazy.
For every friend in my list a chat window opens.

Is this a Messenger popup (not to be confused with MSN Messenger)?
Yes, it's MSN Messenger I'm talking about.

See below my BitDefender log
****************************
BitDefender Online Scanner

Scan report generated at: Mon, Jun 18, 2007 - 11:39:36
Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 00:59:51
Files: 264625
Folders: 5817
Boot Sectors: 2
Archives: 3740
Packed Files: 18125

Results
Identified Viruses: 4
Infected Files: 6
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 6

Engines Info
Virus Definitions: 514082
Engine build: AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ET3K0F3N\im[1].mp3 - Infected with: Win32.Worm.MSN.Agent.A
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ET3K0F3N\im[1].mp3 - Disinfection failed
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ET3K0F3N\im[1].mp3 - Deleted
C:\Documents and Settings\Administrator\Desktop\psetup.exe - Infected with: Win32.Worm.MSN.Agent.A
C:\Documents and Settings\Administrator\Desktop\psetup.exe - Disinfection failed
C:\Documents and Settings\Administrator\Desktop\psetup.exe - Deleted
C:\Program Files\eMule\Incoming\PayPunch Enterprise 5.3.56.zip=>PayPunch Enterprise 5.3.56.exe - Infected with: Win32.Bagle.HV@mm
C:\Program Files\eMule\Incoming\PayPunch Enterprise 5.3.56.zip=>PayPunch Enterprise 5.3.56.exe - Deleted
C:\Program Files\eMule\Incoming\PayPunch Enterprise 5.3.56.zip - Updated
C:\Program Files\eMule\Incoming\Back2Life 2.4.zip=>Back2Life 2.4.exe - Infected with: Win32.Bagle.HM@mm
C:\Program Files\eMule\Incoming\Back2Life 2.4.zip=>Back2Life 2.4.exe - Deleted
C:\Program Files\eMule\Incoming\Back2Life 2.4.zip - Updated
C:\Program Files\MP3 Stream Creator\Patch.exe - Infected with: Backdoor.Pcclient.GV
C:\Program Files\MP3 Stream Creator\Patch.exe - Disinfection failed
C:\Program Files\MP3 Stream Creator\Patch.exe - Deleted
C:\psetup.exe - Infected with: Win32.Worm.MSN.Agent.A
C:\psetup.exe - Disinfection failed
C:\psetup.exe - Deleted
***************************************************


See below my ComboFix log
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

ComboFix 07-06-17 - C:\Documents and Settings\Administrator\Desktop\virus\ComboFix.exe
"Administrator" - 06/18/2007 11:48:51 - Service Pack 4


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


f:\autorun.inf


((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))


2007-06-18 11:48 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-18 10:05 <DIR> d-------- C:\WINNT\BDOSCAN8
2007-06-18 08:47 256 ---hs---- C:\SYSJR22.SYS
2007-06-18 08:46 29,184 --a------ C:\WINNT\system32\jesterrun.dll
2007-06-18 08:46 <DIR> d-------- C:\Program Files\FlashJester
2007-06-16 14:56 <DIR> d-------- C:\VundoFix Backups
2007-06-16 14:30 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-15 10:51 203,264 --a------ C:\WINNT\system32\monitor_and_mode.scr
2007-06-15 10:51 <DIR> d-------- C:\WINNT\system32\monitor_and_mode dir
2007-06-15 08:22 <DIR> d-------- C:\Program Files\ScreenTime
2007-06-15 08:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-14 10:10 5,040 --a------ C:\WINNT\system32\R5CoInst.dll
2007-06-14 10:10 23,312 --a------ C:\WINNT\system32\_shfoldr.dll
2007-06-14 10:10 22,815 --a------ C:\WINNT\system32\drivers\eps2kt1.sys
2007-06-14 10:10 13,441 --a------ C:\WINNT\system32\drivers\smccard.sys
2007-06-14 10:10 <DIR> d-------- C:\Program Files\Software Installation Information
2007-06-14 10:10 <DIR> d-------- C:\Program Files\backupdrivers
2007-06-14 10:08 <DIR> d-------- C:\Program Files\ODEON
2007-06-14 10:06 406,528 --a------ C:\WINNT\system32\FTD2XXUN.exe
2007-06-14 10:06 25,596 --a------ C:\WINNT\system32\drivers\FTD2XX.sys
2007-06-13 15:47 <DIR> d-------- C:\Program Files\Anim-FX
2007-06-13 15:44 1,505,115 --a------ C:\Anim-FX v3.5.exe
2007-06-09 12:46 <DIR> d-------- C:\Program Files\GlobFX Technologies
2007-06-05 15:47 <DIR> d-------- C:\Program Files\Motion-Twin
2007-05-26 00:18 <DIR> d-------- C:\chatroom
2007-05-19 10:50 <DIR> dr------- C:\exercise_files
2007-05-14 14:26 <DIR> d-------- C:\Program Files\Avanquest update
2007-05-14 14:24 24,192 --a------ C:\DOCUME~1\ADMINI~1\usbsermptxp.sys
2007-05-14 14:24 22,768 --a------ C:\WINNT\system32\drivers\usbsermpt.sys
2007-05-14 14:24 22,768 --a------ C:\DOCUME~1\ADMINI~1\usbsermpt.sys
2007-05-14 14:24 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2007-05-14 14:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 13:48:48 32,768 ----a-w C:\WINNT\system32\RYDLL32.DLL
2007-06-18 13:48:46 5,632 ----a-w C:\WINNT\ust_pro_2.exe
2007-06-18 13:48:46 102,400 ----a-w C:\WINNT\nhds3een.dll
2007-06-18 13:48:42 348,160 ----a-w C:\WINNT\msvcr71.dll
2007-06-18 13:48:18 86,016 ----a-w C:\WINNT\nddrety2.dll
2007-06-18 13:48:18 5,632 ----a-w C:\WINNT\ustpro2.exe
2007-06-18 13:48:18 5,632 ----a-w C:\WINNT\ustpro_2.exe
2007-06-18 13:48:16 5,632 ----a-w C:\WINNT\ustpro.exe
2007-06-18 13:48:16 5,632 ----a-w C:\WINNT\ust_pro.exe
2007-06-18 13:48:14 9,728 ----a-w C:\WINNT\ust.exe
2007-06-18 13:48:12 5,172 ----a-w C:\WINNT\ovrdata.dat
2007-06-18 13:48:12 10,103 ----a-w C:\WINNT\flsdata.dat
2007-06-18 13:48:10 94,208 ----a-w C:\WINNT\nddoverw.dll
2007-06-18 13:48:10 94,208 ----a-w C:\WINNT\nddmopr2.dll
2007-06-18 13:48:10 81,920 ----a-w C:\WINNT\nddretyr.dll
2007-06-18 13:48:10 113,152 ----a-w C:\WINNT\nddloper.dll
2007-06-18 13:48:10 110,592 ----a-w C:\WINNT\YS6016Pdll.dll
2007-06-18 13:48:08 974,848 ----a-w C:\WINNT\mfc70.dll
2007-06-18 13:48:08 929,844 ----a-w C:\WINNT\Mfc42d.dll
2007-06-18 13:48:08 798,773 ----a-w C:\WINNT\Mfco42d.dll
2007-06-18 13:48:08 385,100 ----a-w C:\WINNT\Msvcrtd.dll
2007-06-18 13:48:08 344,064 ----a-w C:\WINNT\msvcr70.dll
2007-06-18 13:48:08 259 ----a-w C:\WINNT\axbind.reg
2007-06-18 13:48:08 25,600 ----a-w C:\WINNT\Borlndmm.dll
2007-06-18 13:48:08 1,497,088 ----a-w C:\WINNT\Cc3250mt.dll
2007-04-27 15:39:18 2,828 --sha-w C:\WINNT\system32\KGyGaAvL.sys
2007-04-25 21:52:36 -------- d-----w C:\Program Files\Virtual sMs Handset
2007-04-13 11:42:32 9,926,656 ----a-w C:\WINNT\ustm.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [09/23/05 08:12p]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/05 06:18p]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [08/10/05 12:49p]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/05 06:29p]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/06 12:05p]
"NWEReboot"="" []
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/11/05 10:02p]
"nwiz"="nwiz.exe" [06/01/06 05:22p C:\WINNT\system32\nwiz.exe]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [12/13/05 08:49a]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [08/11/05 04:30p]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/11/05 04:30p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [06/16/07 12:02p]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [11/30/05 04:56p]
"SMS Studio Server"="C:\Program Files\CodeSegment\SMS Studio Server\SMSStudio.exe" [01/01/07 02:00a]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages FPNWCLNT RASSFM KDCSVC scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv Tapisrv
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN


Contents of the 'Scheduled Tasks' folder
2007-06-18 03:05:08 C:\WINNT\tasks\Viamailer.job
2007-06-01 03:00:10 C:\WINNT\tasks\Chatmailer.job
2007-06-18 14:00:02 C:\WINNT\tasks\Ti8.job
2007-06-18 14:50:02 C:\WINNT\tasks\B104mailer.job
2007-06-18 02:55:04 C:\WINNT\tasks\Perceelmailer.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 11:50:12
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 06/18/2007 11:51:09

--- E O F ---
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Appreciate your help

Jerrel

Edited by jerrel, 18 June 2007 - 10:06 AM.


#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:47 AM

Posted 18 June 2007 - 10:36 AM

Hi Jerrel,

I use Windows 2000 Server; I don't think Iexplorer 7 runs on this OS. Have to check.

I just checked, and Windows 2000 Server does not support IE7.


Are you still getting msn messenger pops about the virus?


You have some suspicious files we need to check.

You will need to configure Windows to show Hidden files.

Go to the following site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the following file:

C:\WINNT\system32\jesterrun.dll


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the following files:

C:\WINNT\system32\R5CoInst.dll
C:\WINNT\system32\_shfoldr.dll



Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.

*******************


Download MsnCleaner_eng.zip
Unzip it to your desktop, but don't use it yet.
  • Now reboot into Safe Mode. (It MUST be run in Safe Mode to work.)
    Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.
  • Double-click MsnCleaner_eng.exe to run it.
  • Click the Analyze button.
  • A report will be created after you finish the scan.
  • If it finds an infection, click the Deleted button.
  • Now, please reboot back to normal mode.
  • Please post the contents of C:\MsnCleaner.txt in a reply to this post.

Edited by SifuMike, 18 June 2007 - 10:40 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 jerrel

Posted 18 June 2007 - 02:13 PM

SifuMike,

Here is the info you asked for.

********************* Scan from BitDefender on three files ****************************
STATUS: SCANNING
File "jesterrun.dll" received on 06.18.2007 at 18:08:04 (CET) is being scanned by VirusTotal in this moment. Results will be shown as they're generated.

Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.18.2007 no virus found
AntiVir 7.4.0.32 06.18.2007 no virus found
Authentium 4.93.8 06.16.2007 no virus found
Avast 4.7.997.0 06.18.2007 no virus found
AVG 7.5.0.467 06.17.2007 no virus found
BitDefender 7.2 06.18.2007 no virus found
CAT-QuickHeal 9.00 06.18.2007 no virus found


Aditional Information
File size: 29184 bytes
MD5: bc79e5d91d4925bacd535921976ea8f8
SHA1: 327903e98d4db053106fd962ae987d7f535d6cbc
packers: UPX



STATUS: SCANNING
File "R5CoInst.dll" received on 06.18.2007 at 18:19:27 (CET) is being scanned by VirusTotal in this moment. Results will be shown as they're generated.

Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.18.2007 no virus found


Aditional Information
File size: 5040 bytes
MD5: e85bb84852aa11f76251b260597f6900
SHA1: c1ab5ba10d73d74f03794f4344f19c4e37527033



STATUS: FINISHED
Complete scanning result of "_shfoldr.dll", received in VirusTotal at 06.18.2007, 19:06:41 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.16.0 06.18.2007 no virus found
AntiVir 7.4.0.32 06.18.2007 no virus found
Authentium 4.93.8 06.16.2007 no virus found
Avast 4.7.997.0 06.18.2007 no virus found
AVG 7.5.0.467 06.17.2007 no virus found
BitDefender 7.2 06.18.2007 no virus found
CAT-QuickHeal 9.00 06.18.2007 no virus found
ClamAV devel-20070416 06.18.2007 no virus found
DrWeb 4.33 06.18.2007 no virus found
eSafe 7.0.15.0 06.17.2007 no virus found
eTrust-Vet 30.7.3726 06.18.2007 no virus found
Ewido 4.0 06.18.2007 no virus found
FileAdvisor 1 06.18.2007 No threat detected
Fortinet 2.85.0.0 06.18.2007 no virus found
F-Prot 4.3.2.48 06.15.2007 no virus found
F-Secure 6.70.13030.0 06.18.2007 no virus found
Ikarus T3.1.1.8 06.18.2007 no virus found
Kaspersky 4.0.2.24 06.18.2007 no virus found
McAfee

**************************************************************************

XXXXXXXXXXX MSN cleaner log in safemode XXXXXXXXXXXXXXXXXXX
- Logfile MsnCleaner 1.0.9
- Created Logfile: 6/18/2007 on 4:05:17 PM
- Operative System: WINDOWS 2000
- Boot mode: Safe mode with network support
_________________________________________

Detected files: 0
Deleted files: 0
Undeleted Files: 0

<<<<<<< No file found >>>>>>>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

#8 SifuMike

Posted 18 June 2007 - 02:23 PM

Those files look OK. :thumbsup:

Are you still getting popups?

Edited by SifuMike, 18 June 2007 - 03:30 PM.


#9 jerrel

Posted 18 June 2007 - 03:05 PM

Yes, I still get popups, and McAfee still alerts me about this virus, which can't be deleted.
What is my next step, Guru? (o:

#10 SifuMike

Posted 18 June 2007 - 03:29 PM

Hi jerrel,

Please tell me exactly what McAfee is telling you, and the location of the virus.

If you could copy and paste the exact message from McAfee, that would be a help. :thumbsup:

Edited by SifuMike, 18 June 2007 - 03:32 PM.


#11 jerrel

Posted 18 June 2007 - 07:06 PM

Hi SifuMike,

I have to say that I do see a decrease in the virus activity, because the virus now does start up MSN Messenger by itself, and it also tries to sign it in, but it doesn't open a chat window for every buddy on my list.
I hope this is not just for the moment, but a result of all the work we've done till now.
I attached a file with a screenshot of my desktop, showing the McAfee alert, and MSN Messenger that was started by the virus.
The message is in Dutch, but what it says is that the file ra[1].mp3 in the Temporary Internet folder is infected with the Vundo virus.
Also, if I continue, it pops up again and says that the file C:/art.mp3 has the same virus.

The funny thing is that when I try to find these files with the VirusTotal website, it can't seem to find them. This while all hidden and system files are visible.

Please advise.


Edited by jerrel, 18 June 2007 - 07:29 PM.


#12 jerrel

Posted 18 June 2007 - 11:24 PM

It's me again.
I'm sorry to say, but the virus is still active.
It just opened like a trillion Iexplorer windows, with all of my buddies' emails already filled in the To box of the Hotmail window.
We have to destroy this beast.
I can beat us like this.
I think it's time to pull out your magic wand.

#13 SifuMike

Posted 18 June 2007 - 11:41 PM

Hi Jerrel,

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\

Since it is in the IE temp folder, run CCleaner to clean the temp files. :thumbsup:

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial
*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

Let me know if that fixes it. :flowers:


Please download MsnVirRem.exe to your desktop from here
First close any other programs you have running as this will require a reboot
Double click MsnVirRem.exe to run it
Once open, click the button labelled "Search and Destroy"
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "Reboot" Button.
After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue.
A Message should popup from MsnVirRem if not, double click the program again and it will finish
Please Post the contents of C:\msnvirrem.log.

Edited by SifuMike, 19 June 2007 - 01:12 AM.


#14 jerrel

Posted 19 June 2007 - 06:18 AM

Good morning,
I will execute the above steps, but what about the infected file on the C drive?
How do we get rid of that one?

#15 jerrel

Posted 19 June 2007 - 07:07 AM

Hi, I followed the above steps, and still the little beast isn't gone.
If I start up MSN Messenger, the virus seems to copy itself back to the Temporary Internet folder.
And all hell breaks loose.


