Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: virumonde on my system

  1. #1
    Junior Member
    Join Date
    Oct 2008
    Location
    Hawaii
    Posts
    6

    Default virumonde on my system

    I had a bunch of pop ups after visiting what I though a good site. After trying several things I downloaded and installed the current Spybot and ran it.

    It found the virumonde trojan and cleaned it but the trojan came back. It wanted to reboot to continue and after Spybot's 4th reboot request I wonder what's going on.

    Looking at other posts here it seems like this trojan needs special handling to get rid of it so if you can help me please post what information you need from me.

    my system works but when I start firefox the popups start and a scan by spybot finds virumonde again.

    I'm posting this from another computer using IE.

    thanks!

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi dpainter

    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Doubleclick on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
    • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Oct 2008
    Location
    Hawaii
    Posts
    6

    Default

    hi Shaba,

    After my post I got another problem. For several days I had no problem booting to safe or normal mode but yesterday I can't.

    I got

    Stop C000021a {fatal system error} The Windows Logon Process system process terminated unexpectedly with a status of 0x0000000 (0x00000000, 0x00000000)

    The system has been shut down.

    I know sometimes damaged files can be replaced and this error got around but it's no longer worth it to keep trying to fix. I'm going to boot linux & reformat the hard disc then reinstall the OS. That's the easy part, the hard part is reinstalling and getting all my application configuration back.

    Thanks for your help, I really appreciate it and didn't realize spybot had evolved to have such a great support system. I *will* have spybot on my newly formatted disc.

    mahalo (thanks)
    Dennis

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Sorry to hear that.

    Please post HijackThis log after reformatting.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #5
    Junior Member
    Join Date
    Oct 2008
    Location
    Hawaii
    Posts
    6

    Default

    Reformatted the ntfs partition & reinstalled windows.

    Here is the hjt file after above, (I hope it's clean):

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:35:23 PM, on 10/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    --
    End of file - 1162 bytes

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Yes it is clean but there is no antivirus installed:

    Looking over your log, it seems you don't have any evidence of an anti-virus software.

    Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

    1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Free support.
    2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
    3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

    You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

    Post back a fresh HijackThis log after installing antivirus, please.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Junior Member
    Join Date
    Oct 2008
    Location
    Hawaii
    Posts
    6

    Default

    When I ran HJT the computer was not connected to the internet. I have symantec av and it will be installed before connecting to the internet so I should be clean at that point. I will also be downloading the latest virus defs and putting them on the affected computer before connecting.

    It now looks like I will have to contect dell about the xp reinstall as I think their disks I have did not install all the drivers it needs.

    I am posting here from a desktop system so that is how I am posting but not from the affected computer. This computer, the one I am posting on shows clean by symantec and spybot but now got a strange issue that every time I start ms word the installer runs "... configure scansoft paperport 11" but paperport has been on this computer over a year. I can't see how that's virus issue.

    Anyway once I get the dell laptop, the affected computer, all working I will run HJT and post here.

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    "This computer, the one I am posting on shows clean by symantec and spybot but now got a strange issue that every time I start ms word the installer runs "... configure scansoft paperport 11" but paperport has been on this computer over a year. I can't see how that's virus issue."

    No, it is not virus issue.

    It could be due to windows installer leftovers.

    This could help, remove
    scansoft paperport 11 related entries.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Junior Member
    Join Date
    Oct 2008
    Location
    Hawaii
    Posts
    6

    Default

    Busy reloading apps but here is the HJT right after installing the av soft. I also d/l the latest av defs file on another, protected, machine and updated before going live on the internet.

    I don't know about symantic but have to run it for the company I vpn into. It seems ok for protection.

    I did learn a lot more about scripting problems and now have the noscript add-on for firefox. lots of good info at their website.

    Thanks for the link on the windows installer problem!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:52:00 AM, on 10/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec AntiVirus\VPTray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 3354 bytes

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Java needs to be updated, otherwise looks good to me:

    Please download JavaRa and unzip it to your desktop.

    ***Please close any instances of Internet Explorer before continuing!***

    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.


    Then download and install Java Runtime Environment (JRE) 6 Update 10.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •