0

Hi I am new here, having trouble getting rid of a virus, can anyone help me??? There is 2 viruses that keep showing up here they are:

Win32/Vundo
Win32/Chisyne!generic

I have tried everything to get rid of them! I delete them and within 5 minutes they are back! Here is my hijack this log, hope to hear from someone soon

Logfile of HijackThis v1.99.1
Scan saved at 12:01:34 PM, on 9/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\atapi32.exe
C:\WINDOWS\services.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\The Franks\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ms055853420805] C:\WINDOWS\ms055853420805.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PopUpWasher] C:\PROGRA~1\Webroot\POP-UP~1\PopUpWasher.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?dd2221eedf1c40acab8c936451bd2599
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?dd2221eedf1c40acab8c936451bd2599
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159320570234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159320546421
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Atapi Driver - Unknown owner - C:\WINDOWS\atapi32.exe
O23 - Service: Microsoft Windows Spool Service (Windows Spool Service) - Unknown owner - C:\WINDOWS\services.exe

4
Contributors
3
Replies
4
Views
11 Years
Discussion Span
Last Post by DMR
0

Hi Lisa !! You have a tough time getting rid of the two virus that you mentioned I can understand. I have a solution for you. Have you ever tried the AVG 7.5 Network Edition ? It's available on Grisoft.com and hard to believe though, it has a license No as well !! You can paste the No and can have a fully functional Antivirus installed on your machine.And as far as I know, it will help you get rid of the two virus also. Have a nice time Lisa . Bye and don't direct the questions to my email A/c. Lets answer them on the forum, right ??

0

...sorry, it's late, and i wanna sleep, but these 3 look sus. Google em for fixes.

R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)

O20 - AppInit_DLLs: interceptor.dll
- actually, this last is definitely a nasty.

0

There is 2 viruses that keep showing up here they are:

Win32/Vundo
Win32/Chisyne!generic

Not surprising- the Chisyne! family of infections is known to download and install Vundo as well. :(

There is one thing we need to take care of before we continue:

C:\Documents and Settings\The Franks\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

The log entry above indicates that you are running the HijackThis.exe program from within the downloaded HijackThis.zip download package. You are also running HJT from within a Temp/Temporary downloads folder.
One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!

Please do the following:

* Create a folder for HJT outside of any Temp/Temporary folders. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

* Right-click on the HijackThis.zip folder and choose the "Extract all..." option from the resulting drop-down menu. This will start Windows' Folder Extraction Wizard. Click the "Next" button to start the wizard.

* In the next window, click on the "Browse" button. In the destination selection box, navigate to the new folder you created for HJT, hilight it, and click "OK".

* Click "Next", and then click "Finished"; a window dispaying the newly-extracted hijackthis.exe file should open.

* Double-click on the hijackthis.exe file to verify that the program works. If it does, just close hijackthis for now.

-----------------------------------------------------------------------------------

Next, let's do some initial disinfecting, and also get a better look at exactly what malicious files are on your system (the infections you have use randomly-generated file names):

You will need to close/quit all web browser programs and disconnect from the Internet for some of the following, so you should print out these instructions or save them into a text file with Notepad.

* Download the following utility and save it to your desktop or another convenient folder:

ewido Anti-spyware (30-day trial version)

* Install and Configure ewido:

  • Close all other Applications and then run the ewido installer
  • Select language click Ok
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait Ewido will open main screen automatically.
  • Wait again a few minutes and Ewido Should Auto update itself. If it doesn't, click update at the top of the screen.
  • It is very important to get the updates
  • When updating has finished, close Ewido.

* Reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Log in to the Administrator account.

Once booted in to Safe Mode:


* Open ewido

  • Click on scanner at the top of the Ewido sceen
  • Click on Settings
  • Under How to Act click on Recommended Action choose Delete.
  • Under How to scan, all boxes should be selected
  • Under Possibly unwanted software, all boxes should be selected
  • On right side under Reports: click on Automatically generate report after every scan.
  • Under What to scan, select scan every file
  • Clickon the Scan Tab
  • Click on Complete system scan
  • Let the program scan the machine It can take a while give it time.
  • When scan has finished At bottom of screen click Apply all Actions
  • Click Save report
  • Click Save Report as
  • Click desktop
  • Click Save
  • Exit ewido

* Empty your Recycle Bin and reboot normally.

* Run HijackThis again and post the new log.

* Open the ewido report you saved and post the entire contents of that log as well.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.