Tech Support Forum, Resolved HJT Threads
#1
Registered User
Join Date: Jul 2005
Posts: 22
OS: win xp
Trojan.Vundo C:\windows\system32\vtstr.dll
Hey,
I got this Trojan about a week ago. Its name is in my title along with the location. The Norton alert stays up and will not go away. Also my cpu runs extremely slow. Here is my log
Quote:
thanks, Nick
#2
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP
Hello Uffan104 and welcome to TSF.

I would recommend that you subscribe to this thread so you are notified of any replies via email. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

You have a couple of different things going on here. We will attack Vundo first, then work on cleaning out the rest.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Downloads (make sure to save these in a permanent location)
VundoFix.exe
Double-click VundoFix.exe to extract the files.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Tools
Open the VundoFix folder and double-click on KillVundo.bat.

Please run a new scan with HijackThis and post the log here. Please make sure to post the header of the log as it provides critical information needed to fix your system. Also please do not post logs in quote or code boxes. Thank you.
#3
Registered User
Join Date: Jul 2005
Posts: 22
OS: win xp
Confused
Hey,
Before I start doing what you have suggested, I'm confused about this: "Please run a new scan with Hijackthis and post the log here. Please make sure to post the header of the log as it provides critical information needed to fix your system. Also please do not post logs in quote or code boxes. Thank You" I don't know what that is. Could you please explain? Sorry about being such a newbie.
Thanks, Nick
#4
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP
The "header" of the log is the portion at the top. It looks similar to this:

Logfile of HijackThis v1.99.1
Scan saved at 12:55:56 PM, on 10/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

If this is not what you are asking, please clarify the question.
#5
Registered User
Join Date: Jul 2005
Posts: 22
OS: win xp
Next Step
Thanks for helping me get rid of Vundo. My computer works so much faster now. Here is the new log .... I know I probably still have a lot of crap on my cpu.
Quote:
Nick
#6
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Viewing Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads (make sure to save these in a permanent location)
Cleanup! (Alternate Link) - Install it. You will use this later. *NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.
Ewido Security Suite
If you are having problems with the updater, you can use this link to manually update Ewido. When you have finished updating, EXIT Ewido.

HijackThis!
Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):
O4 - HKCU\..\Run: [gousRkY8h] ntvscax.exe
O4 - HKCU\..\Run: [vtukrn] C:\WINDOWS\System32\vtukrn.exe
Please remember to close all other windows, including browsers, then click Fix checked.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

File and Folder Deletions
Delete the following files (indicated in RED) and folders (indicated in BLUE) if they still exist:
C:\WINDOWS\System32\vtukrn.exe
ntvscax.exe <<< Do a search and delete this file

Tools
Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows: click Options, move the slider button down to Custom CleanUp! and check the following:
Click OK, then press the CleanUp! button to start the program. If prompted to reboot, click No.
Run Ewido with its updated definitions (it's important that all windows must be closed).
** This scan may take over an hour; after choosing the action for the first item you do not need to stay at the PC.

Reboot your system in Normal Mode.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

In your next post please include:
#7
Registered User
Join Date: Jul 2005
Posts: 22
OS: win xp
Back To step one
I am really frustrated right now. It looked like things were getting better and then I got some stuff from AIM that a friend sent me and I wasn't paying attention, or my lil sister got it from a website for myspace. Now every time I start my computer a different virus comes up. But my comp is still running pretty good, except for the pop ups and the desktop icons that come up, such as Free xbox and such. And also I couldn't find those files to delete. Maybe I messed up on the hidden files thing. But when I tried to do the search I couldn't get it to search in hidden files. Here is my current hijack log
Quote:
thanks, Nick
#8
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP
You definitely did take a step in the wrong direction there. I totally understand your frustration, but I want you to understand that this isn't anything that we can't deal with. As long as you are willing to follow the instructions posted for you by the staff we are willing to help you. Even if you already did some of the things I am about to ask you to do, now that you have acquired some new malware, I would ask that you do them again.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Viewing Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads (make sure to save these in a permanent location)
Download and unzip BFU.zip from http://www.merijn.org/files/bfu.zip
Run the program and click the Web button.
Use this URL to copy into the address bar of the Download script window: http://downloads.subratam.org/BFUscripts/igetnetfreepod.BFU
Execute the script by clicking the Execute button.
If you have any questions about the use of BFU please read here: http://metallica.geekstogo.com/BFUinstructions.html

Services
Click Start -> Run, type SERVICES.MSC and then click on the OK button.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

HijackThis!
Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\System32\bho.dll (file missing)
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsd96.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\System32\irasvouk.dll (file missing)
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsu6.dll (file missing)
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
Please remember to close all other windows, including browsers, then click Fix checked.

File and Folder Deletions
Delete the following files (indicated in RED) and folders (indicated in BLUE) if they still exist:
C:\Program Files\CMSystem
C:\Program Files\Freeprod Toolbar
C:\Program Files\Common Files\Windows\mc-110-12-0000121.exe
C:\WINDOWS\IA\command.exe
C:\WINDOWS\System32\irasyncd.exe

Tools
Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows: click Options, move the slider button down to Custom CleanUp! and check the following:
Click OK, then press the CleanUp! button to start the program. If prompted to reboot, click No.
Run Ewido with its updated definitions (it's important that all windows must be closed).
** This scan may take over an hour; after choosing the action for the first item you do not need to stay at the PC.

Reboot your system in Normal Mode.

Open HijackThis, click Config, then click Misc Tools. Click "Open Uninstall Manager", then click "Save List" (generates uninstall_list.txt). Click Save, then copy and paste the results in your next post.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

In your next post please include:
#9
Registered User
Join Date: Jul 2005
Posts: 22
OS: win xp
Here You Go
Hey, I did everything you asked. I could not find these files though in the hijack log to delete:
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
Here is my hijack log
Quote:
I also still have this error message when I start my cpu:
Error Loading C:\WINDOWS\msbk32.dll
The specified module could not be found.
I am not sure what that is.
thanks, Nick
#10
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP
The error is because we have removed a malware file that is still trying to run at startup; the message should not show up any more when you have completed this fix.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Viewing Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads (make sure to save these in a permanent location)
KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

HijackThis!
Open HijackThis and click on Scan. Check the following entries (make sure you do not miss any):
R3 - URLSearchHook: (no name) - {23211FA9-0DF1-203A-0A16-BF5E623975F4} - C:\WINDOWS\uulatagi.dll (file missing)
O2 - BHO: (no name) - {DDE6EF2C-8F28-CAED-D0AE-F09604C0EB00} - C:\WINDOWS\uulatagi.dll (file missing)
O3 - Toolbar: Search - {B4866866-246E-1035-966C-D299680846CB} - C:\WINDOWS\uulatagi.dll (file missing)
O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\System32\aupdate.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\msbk32.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [irassync] C:\WINDOWS\System32\irasyncd.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000121.exe
Please remember to close all other windows, including browsers, then click Fix checked.

Launch KillBox.exe and select the following options:
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations' prompt.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Click Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Command <<< Unless you know what this program is

File and Folder Deletions
Delete the following files (indicated in RED) and folders (indicated in BLUE) if they still exist:
C:\PROGRAM FILES\AdDestroyer
C:\PROGRAM FILES\VBouncer
C:\Program Files\BullsEye Network
C:\Program Files\NaviSearch
C:\PROGRAM FILES\COMMON FILES\InetGet
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs

Reboot your system in Normal Mode.

Online Scans
Please open IE and go to Kaspersky WebScanner. Next click on Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

In your next post please include:
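The replies above work from the HijackThis log: they ask for its header, then pick entries out by section code (R3 search hooks, O2 BHOs, O3 toolbars, O4 Run keys, O23 services) and, in post #10, explain the "Error Loading C:\WINDOWS\msbk32.dll" message from post #9 as an O4 Run entry that rundll32 still executes after the DLL itself was deleted. The following is an added example, not code from this thread or from HijackThis: it parses lines in that log format, flags the structural clues the analyst acted on (entries marked "(file missing)" or "(no file)", Run values that name a bare filename with no path, which is why post #6 says to search the disk for ntvscax.exe) and maps a boot-time error back to the Run entry behind it. SAMPLE_LOG is constructed from entries quoted in this thread with a typical Windows XP header line; Entry, parse_log, triage and explain_startup_error are this example's own names.

```python
"""Parse HijackThis (HJT) log lines and triage the entries fixed in the replies above.
Added example, not code from TechSupportForum or HijackThis; SAMPLE_LOG is constructed
from entries quoted in this thread (the three header lines are a typical XP header)."""
import re
from typing import List, NamedTuple, Optional, Tuple

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:55:56 PM, on 10/3/05
Platform: Windows XP SP2 (WinNT 5.01.2600)
R3 - URLSearchHook: (no name) - {23211FA9-0DF1-203A-0A16-BF5E623975F4} - C:\WINDOWS\uulatagi.dll (file missing)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsd96.dll
O2 - BHO: ts - {4006DCA3-433D-4FC8-AC36-42DA7797DCB7} - C:\WINDOWS\System32\bho.dll (file missing)
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\msbk32.dll,DllRun
O4 - HKCU\..\Run: [vtukrn] C:\WINDOWS\System32\vtukrn.exe
O4 - HKCU\..\Run: [gousRkY8h] ntvscax.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
"""

class Entry(NamedTuple):
    kind: str             # HJT section code: R3, O2, O3, O4, O23, ...
    hive: Optional[str]   # O4 only: HKLM or HKCU
    name: str             # display name, or the Run value name for O4
    clsid: Optional[str]  # COM CLSID for search-hook / BHO / toolbar entries
    path: Optional[str]   # file the entry loads, when HJT showed one
    file_missing: bool    # HJT printed "(file missing)" or "(no file)"
    raw: str
LINE_RE = re.compile(r"^(?P<kind>[FNOR]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
MISSING_RE = re.compile(r"\s*\((?:file missing|no file)\)$")

def _command_target(cmd: str) -> str:
    """Reduce a Run-key command line to the file that is really loaded."""
    cmd = cmd.strip()
    first = cmd.split(None, 1)[0] if cmd else ""
    if first.lower() in ("rundll32.exe", "rundll32"):
        # rundll32 is only the loader: the DLL before the comma is the payload
        return cmd[len(first):].strip().split(",", 1)[0].strip().strip('"')
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return first

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    kind, body = m.group("kind"), m.group("body")
    missing = MISSING_RE.search(body) is not None
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0) if clsid_m else None
    if kind == "O4":
        rm = RUN_RE.match(body)
        if rm is None:  # O4 forms this example does not model (Startup folder etc.)
            return Entry(kind, None, body, clsid, None, missing, line.strip())
        return Entry(kind, rm.group("hive"), rm.group("name"), clsid,
                     _command_target(rm.group("cmd")), missing, line.strip())
    parts = [p.strip() for p in body.split(" - ")]
    name = parts[0].split(":", 1)[1].strip() if ":" in parts[0] else parts[0]
    last = MISSING_RE.sub("", parts[-1]).strip()
    return Entry(kind, None, name, clsid, last if DRIVE_RE.match(last) else None,
                 missing, line.strip())

def parse_log(text: str) -> Tuple[List[str], List[Entry]]:
    """Split a log into its header lines (what the analyst asked for) and its entries."""
    header: List[str] = []
    entries: List[Entry] = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(e)
        elif not entries and line.strip():
            header.append(line.strip())
    return header, entries

def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Flag structural clues only; judging names and CLSIDs is still the analyst's job."""
    findings: List[Tuple[Entry, str]] = []
    for e in entries:
        if e.file_missing:
            findings.append((e, "orphaned: points at a file that no longer exists"))
        elif e.kind == "O4" and e.path and not DRIVE_RE.match(e.path):
            findings.append((e, "bare filename: located by PATH search; search the disk for it"))
    return findings

def explain_startup_error(entries: List[Entry], error_path: str) -> Optional[Entry]:
    """Map a boot-time 'Error Loading <file>' message to the Run entry behind it."""
    want = error_path.lower()
    for e in entries:
        if e.kind == "O4" and e.path and e.path.lower() == want:
            return e
    return None

if __name__ == "__main__":
    hdr, ents = parse_log(SAMPLE_LOG)
    for ent, why in triage(ents):
        print(f"{ent.kind:<4}{ent.name:<30}{why}")
    print(explain_startup_error(ents, r"C:\WINDOWS\msbk32.dll"))
```

Running it lists the orphaned R3/O2 entries and the pathless ntvscax.exe value, then prints the cfgmgr52 entry: the Run value survives after the DLL is deleted, so rundll32 is launched at every boot and fails with "The specified module could not be found" until that O4 line is fixed in HijackThis.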
#11
Registered User
Join Date: Jul 2005
Posts: 22
OS: win xp
Here You Go
Hey, here is what you wanted me to do next.
Kaspersky Log
Quote:
Hijack Log
Quote:
Nick
#12
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Please follow Symantec's Guide to clean out your Norton quarantine.

Launch KillBox.exe and select the following options:
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations' prompt.

Online Scans
Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
I then need you to repeat the same procedure above again using the TrendMicro tool. I need the log from the second scan/clean, NOT the first, as this will contain what's left in the system.

How is your system now? Are there any remaining problems?
#13
Registered User
Join Date: Jul 2005
Posts: 22
OS: win xp
Next step
Hey,
Here is the Antispyware log
Quote:
I didn't know how to copy and paste the TrendMicro second log, but all it had was profiling cookie 1 count, atuda count 1, and go.com 1 count. I cleaned them out. My comp is running much better. What programs should I download to protect my comp from future malware and viruses?
thanks, Nick
#14
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP
Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Disabling the Viewing of Hidden and System Files

Setting a new Restore Point
Go to Start >> Run, type control sysdm.cpl,,4 and press Enter.

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at the Microsoft Update site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Avast! Home Edition (Antivirus & Firewall)

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap, there are many pieces of malware that are caught by one of these and not the other, therefore it is recommended you use both to complement each other. Spybot also contains two other useful pieces. The first is "Immunize"; this helps protect your computer against known exploits. The second is "TeaTimer"; with this feature enabled you will receive notifications of all changes to the registry, such as programs adding themselves to start-up and your default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources; run it once and you're all set.

Spyware Guard is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone, and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less susceptible than others to malware or don't contain malware where similar programs do.
Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Desktop Weather - A free taskbar weather program that is malware free and resource light.
Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
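The MVPS HOSTS file recommended above works by listing advertising and malware hostnames against an address that leads nowhere, so the browser never makes the connection. The following is an added example, not the MVPS project's code or part of the original thread: it parses a HOSTS file in that layout and reports whether a given name is blocked, silently redirected to a real address, or untouched. The redirect check is the caveat a practitioner wants, since a hosts entry that points a name at a routable address is a hijack rather than a block and is exactly what some malware writes to keep security-vendor sites unreachable. SAMPLE_HOSTS and every hostname in it are constructed placeholders (the .test TLD and 203.0.113.7 are reserved for documentation), and the example assumes the resolver takes the first matching line.

```python
"""Resolve hostnames against a HOSTS file to see what a block list like MVPS stops.
Added example, not MVPS code or part of the original thread.  SAMPLE_HOSTS is
constructed; its names are placeholders in the reserved .test TLD."""
import ipaddress
from typing import List, Tuple

SAMPLE_HOSTS = """\
# constructed sample in the layout an MVPS-style HOSTS file uses
127.0.0.1       localhost
0.0.0.0 ads.example-adnet.test
0.0.0.0 counter.example-tracker.test  www.example-tracker.test   # two names, one line
0.0.0.0\tpopups.example-affiliate.test
# the next entry is a redirection, not a block: malware writes lines like this to
# steer a security vendor's hostname at a host it controls (TEST-NET address here)
203.0.113.7     liveupdate.example-vendor.test
"""

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs in file order; comments and blanks are skipped."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and whole-line comments
        if not line:
            continue
        fields = line.split()                 # spaces or tabs both separate fields
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # malformed address: the resolver ignores it
        for host in fields[1:]:               # one address may carry several names
            pairs.append((addr, host.lower()))
    return pairs

def is_sinkhole(addr: str) -> bool:
    """A block entry maps the name to nowhere: 0.0.0.0, a loopback address, ::1 or ::."""
    ip = ipaddress.ip_address(addr)
    return ip.is_unspecified or ip.is_loopback

def classify(pairs: List[Tuple[str, str]], hostname: str) -> str:
    """Assumes the resolver uses the first line whose name matches."""
    for addr, host in pairs:
        if host == hostname.lower():
            return "blocked" if is_sinkhole(addr) else f"redirected to {addr}"
    return "not listed"

def suspicious_redirects(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Entries that send a name to a routable address; the localhost line is expected."""
    return [(a, h) for a, h in pairs if not is_sinkhole(a) and h != "localhost"]

if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-adnet.test", "liveupdate.example-vendor.test", "www.example.test"):
        print(f"{name:<34}{classify(entries, name)}")
    print("redirects to review:", suspicious_redirects(entries))
```

On a real machine the file to feed parse_hosts is %SystemRoot%\System32\drivers\etc\hosts; an unexpected entry in suspicious_redirects is worth treating as an indicator rather than a blocking rule.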