I don't know what happened, I went to this website and my computer got retarded with these popups. I tried ewido and Ad-Aware but they didn't get rid of it. Please help.

Logfile of HijackThis v1.99.1
Scan saved at 12:20:10 AM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JoEy ZuCcZ\Desktop\scan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.2:8080
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {3F877476-9C7C-4469-B647-FC9347520657} - C:\WINDOWS\system32\vtstu.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\cbirnecn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

Hello zucca08, your infection is called Virtumundo or Vundo.

Download VundoFix to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please post the contents of C:\vundofix.txt and a new HijackThis log.

Alright, here's the Vundo log..

VundoFix V6.2.0
Checking Java version...
Scan started at 12:43:11 AM 10/5/2006

Listing files found while scanning....
C:\WINDOWS\system32\vkbcmmqg.dll
C:\WINDOWS\system32\xvpjsbkw.dll
C:\WINDOWS\system32\uhnutdmm.exe
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\utstv.bak2

Beginning removal...
Attempting to delete C:\WINDOWS\system32\vkbcmmqg.dll
C:\WINDOWS\system32\vkbcmmqg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xvpjsbkw.dll
C:\WINDOWS\system32\xvpjsbkw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\uhnutdmm.exe
C:\WINDOWS\system32\uhnutdmm.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\vtstu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\utstv.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\utstv.bak2
C:\WINDOWS\system32\utstv.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

And here's the HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:50:03 AM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JoEy ZuCcZ\Desktop\scan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.2:8080
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {3F877476-9C7C-4469-B647-FC9347520657} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\cbirnecn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

Good. There's something else also. Go to Jotti's malware scan. Copy/Paste this file into "File to upload and scan":

[bold]C:\WINDOWS\system32\cbirnecn.dll[/bold]

Click Submit. Post the results in your next reply.

File: cbirnecn.dll
Status: INFECTED/MALWARE
MD5 7fe46253c90739ca4d52dddf288e06eb
Packers detected: -

Scanner results
AntiVir Found Heuristic/Crypted (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found W32/Vundo.gen1
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Show hidden files and folders: Control Panel > Folder Options > View tab > check "Show hidden files and folders".

Restart your computer in safe mode (press F8 upon boot, select "Safe Mode" from menu and press Enter).

Find and delete this file:
C:\WINDOWS\system32\[bold]cbirnecn.dll[/bold]

Restart in normal mode.

Open HijackThis. Click "Run a system scan only". Check these (if there):

[bold]O2 - BHO: (no name) - {3F877476-9C7C-4469-B647-FC9347520657} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\cbirnecn.dll[/bold]

Click "Fix checked". Close HijackThis.

Rename HijackThis.exe to scanme.exe
Run a new scan and post the log.

Any more popups?

I don't seem to be getting any more popups. Thank you so much.

Logfile of HijackThis v1.99.1
Scan saved at 2:36:53 PM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JoEy ZuCcZ\Desktop\scanme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.2:8080
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

Log is clean now. You're welcome.

I recommend you get a firewall to prevent future run-ins like this. Zone Labs offers theirs for free.
http://www.zonelabs.com/store/conte...m/freeDownload2.jsp?dc=12bms&ctry=&lang=en_gb

Here's a full list of free Windows security programs. Well worth a look.
http://forums.afterdawn.com/thread_view.cfm/292257

Good luck!
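
Added example, not part of the original thread: a small Python triage over HijackThis entry lines, run on lines copied from the first and last logs above, that builds a review list and then diffs the two scans to confirm what was removed. The heuristics (unnamed BHO under system32, one DLL registered under both O2 and O20, "(file missing)" targets) and the function names are assumptions chosen for illustration, not HijackThis behaviour.

```python
import re
from collections import defaultdict

# Constructed sample: entry lines copied from the first and last logs in this thread.
BEFORE = r"""O2 - BHO: (no name) - {3F877476-9C7C-4469-B647-FC9347520657} - C:\WINDOWS\system32\vtstu.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\cbirnecn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll""".splitlines()
AFTER = r"""O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll""".splitlines()

ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.+)$")
MISSING = " (file missing)"

def parse(lines):
    """Return (section, body, target); target is the lower-cased text after the last ' - '."""
    out = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.groups()
        target = body.rsplit(" - ", 1)[-1].lower().replace(MISSING, "")
        out.append((section, body, target))
    return out

def triage(lines):
    """Heuristic review list (target -> sorted reasons); a prompt for review, not a verdict."""
    reasons, sections = defaultdict(set), defaultdict(set)
    for section, body, target in parse(lines):
        sections[target].add(section)
        if section == "O2" and body.startswith("BHO: (no name)") and "\\system32\\" in target:
            reasons[target].add("unnamed BHO in system32")
        if body.endswith(MISSING):
            reasons[target].add("orphaned entry (file missing)")
    for target, secs in sections.items():
        if {"O2", "O20"} <= secs:
            reasons[target].add("same DLL is BHO and Winlogon Notify")
    return {t: sorted(r) for t, r in reasons.items()}

def removed(before, after):
    """Entries present in the first log but gone from the second (case-insensitive)."""
    kept = {(s, b.lower()) for s, b, _ in parse(after)}
    return [f"{s} - {b}" for s, b, _ in parse(before) if (s, b.lower()) not in kept]
```

On these lines, removed(BEFORE, AFTER) also returns the O4 MCUpdateExe Run entry, which is absent from the final log even though none of the posted steps targeted it.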