ooberman Posted July 24, 2007
Just recently I have been getting pop-ups for winantivirus pro; these only seem to happen when I'm browsing tip.it forums. I'm just wondering if anyone has experienced this also, or is it just a coincidence.
oober
Brandon_7 Posted July 24, 2007
Scan your computer for adware, spyware, etc. If nothing comes up, you might want to try getting a pop-up blocker. If you're using Firefox, Adblock Plus should work great.
weezcake Posted July 25, 2007
Ouch, winantivirus. Nasty little thing.. http://wiki.castlecops.com/Malware_Removal:_Virtumundo
It's a bit long to read, but please do. It's a nasty thing to fix :)
==================================
Retired tip.it moderator. Teaching and inspiring.
TheWilch Posted July 25, 2007
:? This is coming up on my computer too. I tried adaware and AVG but it doesn't work; I'm going to read the article and see what else I can do.
ooberman (Author) Posted July 26, 2007
Thanks for the replies. I know how to remove it; I'm just wondering if anyone has experienced it while browsing these forums.
oober
Mercifull Posted July 26, 2007
Time for the admins to check they aren't foisting malware again?
Mercifull <3 Suzi
"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex
01/04/01 - 02/03/12
TheWilch Posted July 27, 2007
Well, I have it and it's seriously making my computer unstable and I can't play RuneScape or YouTube videos. Extreme lagginess, shutdowns, starting up with a weird blue display and sudden popups with things beginning to download :ohnoes: I NEED HELP PLEASE. I went through the entire wiki article but my skills are basic on the computer; like I posted before, all I have is adaware and the free AVG and they're not working.
weezcake Posted July 27, 2007
> Well, I have it and it's seriously making my computer unstable and I can't play RuneScape or YouTube videos. Extreme lagginess, shutdowns, starting up with a weird blue display and sudden popups with things beginning to download :ohnoes: I NEED HELP PLEASE. I went through the entire wiki article but my skills are basic on the computer; like I posted before, all I have is adaware and the free AVG and they're not working.

Alright, I'll try to walk you through this slowly.

1. Download HijackThis (you'll see the download links near the top). It's a program that scans your computer and checks what's running on it. Scan (with a system log). You will find something similar to:

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnkk.dll
O20 - Winlogon Notify: pmnkk - C:\WINDOWS\system32\pmnkk.dll

(winantivirus likes making .dll files with five random letters)

2. Download and run the Virtumundo (winantivirus) fix. http://www.atribune.org/ccount/click.php?id=4 (This will clean it up, blank out your desktop temporarily, and ask you to restart.) Restart the computer.

3. Verify that your computer is clean. Run HijackThis (system scan only) and check to see if the files are still there. If they have been removed, you will see:

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnkk.dll (file missing)
O20 - Winlogon Notify: pmnkk - C:\WINDOWS\system32\pmnkk.dll (file missing)

If this doesn't work, then please reply and I'll go through the extra removal steps.
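The triage weezcake describes in steps 1 and 3 (spot a BHO and a Winlogon Notify entry pointing at the same random-named DLL in system32, then re-scan and confirm HijackThis now reports the file missing) can be scripted. The Python below is an added example for this thread, not code from the original post, from HijackThis or from the Virtumundo fix. The two log excerpts inside it are constructed for the example: the O2, O20 and MemoryManager lines copy the ones quoted in this thread, with the forum's "[Caution: Executable File]" censor written back as .exe, and the surrounding AVG/msjava lines are filler. The 5-to-8-letter rule in looks_random is an assumption that generalises the post's "five random letters" remark to cover the seven- and eight-letter names that show up in the logs posted later in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample logs in HijackThis format (not a real scan). The O2, O20 and
# MemoryManager lines reproduce the ones quoted in this thread, written with
# ".exe" where the forum censor shows "[Caution: Executable File]".
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnkk.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\sfruhadm.dll",forkonce
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: pmnkk - C:\WINDOWS\system32\pmnkk.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# The same machine after the fix tool ran: the BHO/Notify entries are still
# registered but their DLL is gone, and the rundll32 Run entry was deleted.
AFTER_LOG = r"""
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\pmnkk.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: pmnkk - C:\WINDOWS\system32\pmnkk.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

LINE_RE = re.compile(r"^(O\d+|R\d+|F\d+)\s+-\s+(.*)$")   # "O2 - ..." item lines only
DLL_RE = re.compile(r'[A-Za-z]:\\[^\s"]+?\.dll', re.IGNORECASE)  # first space-free *.dll path
MISSING = " (file missing)"
SUSPECT_SECTIONS = {"O2", "O20"}   # BHO and Winlogon Notify: the pair the post points at


@dataclass
class Entry:
    section: str            # HijackThis item type, e.g. "O2", "O4", "O20"
    text: str               # the line with the "(file missing)" marker stripped
    dll: Optional[str]      # first *.dll path in the line, if any
    file_missing: bool      # HijackThis reported the referenced file as gone


def parse_hjt(log: str) -> list:
    """Parse the item lines of a HijackThis log; header and process lines are skipped."""
    entries = []
    for raw in log.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        missing = raw.endswith(MISSING)
        text = raw[:-len(MISSING)] if missing else raw
        dm = DLL_RE.search(text)
        entries.append(Entry(m.group(1), text, dm.group(0) if dm else None, missing))
    return entries


def looks_random(dll_path: str) -> bool:
    """The post's rule of thumb: the dropped DLL sits in system32 and its name is a
    short run of random letters. Assumed generalisation: 5 to 8 lowercase letters,
    no digits. Loose on purpose; legitimate short names will trip it too."""
    folder, _, name = dll_path.rpartition("\\")
    stem = name[:-4]   # drop ".dll"
    return (folder.lower().endswith("\\system32")
            and 5 <= len(stem) <= 8 and stem.isalpha() and stem.islower())


def triage(log: str) -> list:
    """Step 1: list entries matching the pattern, plus any DLL seen as both O2 and O20."""
    findings = []
    sections_by_dll = {}
    for e in parse_hjt(log):
        if e.dll is None:
            continue
        sections_by_dll.setdefault(e.dll.lower(), set()).add(e.section)
        via_rundll = e.section == "O4" and "rundll32" in e.text.lower()
        if (e.section in SUSPECT_SECTIONS or via_rundll) and looks_random(e.dll):
            state = "file missing" if e.file_missing else "file present"
            findings.append(f"{e.section}: random-looking DLL {e.dll} ({state})")
    for dll, sections in sections_by_dll.items():
        if SUSPECT_SECTIONS <= sections:
            findings.append(f"PAIR: {dll} is loaded both as a BHO (O2) and via Winlogon Notify (O20)")
    return findings


def verify_cleanup(before: str, after: str) -> dict:
    """Step 3: diff the pre- and post-fix logs. An entry counts as neutralised when
    its line disappeared or HijackThis now marks the file missing; anything the
    heuristic still flags with the file present is reported as still active."""
    before_e = {e.text: e for e in parse_hjt(before)}
    after_e = {e.text: e for e in parse_hjt(after)}
    removed = sorted(t for t in before_e if t not in after_e)
    neutralised = sorted(t for t, e in after_e.items()
                         if e.file_missing and (t not in before_e or not before_e[t].file_missing))
    still_active = [f for f in triage(after) if f.endswith("(file present)")]
    return {"removed": removed, "neutralised": neutralised, "still_active": still_active}


if __name__ == "__main__":
    for finding in triage(BEFORE_LOG):
        print(finding)
    print(verify_cleanup(BEFORE_LOG, AFTER_LOG))
```

Run it as a script to print the findings for the "before" log followed by the comparison. A single hit from looks_random is only something to look at; the O2/O20 pairing on one DLL is the stronger signal, and verify_cleanup deliberately treats an entry as dealt with only once the DLL itself is gone, which is exactly what step 3 asks you to check for.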
TheWilch Posted July 27, 2007
C:\WINDOWS\system32\LEXBCES[Caution: Executable File]
C:\WINDOWS\system32\LEXPPS[Caution: Executable File]
C:\WINDOWS\system32\spoolsv[Caution: Executable File]
C:\WINDOWS\Explorer[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr[Caution: Executable File]
C:\WINDOWS\system32\hkcmd[Caution: Executable File]
C:\Program Files\Dell AIO Printer A920\dlbkbmgr[Caution: Executable File]
C:\Program Files\Dell AIO Printer A920\dlbkbmon[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc[Caution: Executable File]
C:\Program Files\BroadJump\Client Foundation\CFD[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgemc[Caution: Executable File]
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon[Caution: Executable File]
C:\Program Files\Executive Software\Diskeeper\DkService[Caution: Executable File]
C:\WINDOWS\System32\svchost[Caution: Executable File]
C:\WINDOWS\system32\fxssvc[Caution: Executable File]
C:\WINDOWS\SYSTEM32\osk[Caution: Executable File]
C:\WINDOWS\SYSTEM32\MSSWCHX[Caution: Executable File]
C:\Program Files\Windows Media Player\wmplayer[Caution: Executable File]
C:\Program Files\Mozilla Firefox\firefox[Caution: Executable File]
C:\Program Files\Trend Micro\HijackThis\HijackThis[Caution: Executable File]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray[Caution: Executable File]
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd[Caution: Executable File]
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr[Caution: Executable File]"
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1[Caution: Executable File]
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD[Caution: Executable File]
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw[Caution: Executable File]" -c
O4 - HKLM\..\Run: [salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon[Caution: Executable File]"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc[Caution: Executable File] /STARTUP
O4 - HKLM\..\Run: [MemoryManager] rundll32[Caution: Executable File] "C:\WINDOWS\system32\sfruhadm.dll",forkonce
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: Executable File]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: Executable File]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/share ... insctl.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h ... mDlBrg.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/share ... cgdmgr.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr[Caution: Executable File]
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc[Caution: Executable File]
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc[Caution: Executable File]
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService[Caution: Executable File]
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES[Caution: Executable File]
--
End of file - 4564 bytes

That's what came up after I ran HijackThis. Going to run Virtumundo now.

After running Virtumundo it showed 6 different infected files, so I highlighted 1 and selected fix vundo. Then it rebooted; I scanned it again and it says no files are infected. After running HijackThis I get the same logfile as I did before.
weezcake Posted July 28, 2007
Try this tool.. I used this one when I fixed up my friend's computer. I believe it's better than the first one I mentioned. http://secured2k.home.comcast.net/tools/VirtumundoBeGone.ex3
Replace the 3 in the URL with an e. The censor is blocking it. Try running that and see what happens. And send me another log after the scan, please.
TheWilch Posted July 29, 2007
[07/28/2007, 21:39:28] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Evelyn Vereker\My Documents\VirtumundoBeGone[Caution: Executable File]" )
[07/28/2007, 21:39:35] - Detected System Information:
[07/28/2007, 21:39:35] - Windows Version: 5.1.2600, Service Pack 2
[07/28/2007, 21:39:35] - Current Username: Evelyn Vereker (Admin)
[07/28/2007, 21:39:35] - Windows is in NORMAL mode.
[07/28/2007, 21:39:36] - Searching for Browser Helper Objects:
[07/28/2007, 21:39:36] - BHO 1: {DCD53738-C4F9-414A-A03C-C7405A4AC844} ()
[07/28/2007, 21:39:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[07/28/2007, 21:39:36] - Checking for HKLM\...\Winlogon\Notify\vtutqrq
[07/28/2007, 21:39:36] - Found: HKLM\...\Winlogon\Notify\vtutqrq - This is probably Virtumundo.
[07/28/2007, 21:39:36] - Assigning {DCD53738-C4F9-414A-A03C-C7405A4AC844} MSEvents Object
[07/28/2007, 21:39:36] - BHO list has been changed! Starting over...
[07/28/2007, 21:39:36] - BHO 1: {DCD53738-C4F9-414A-A03C-C7405A4AC844} (MSEvents Object)
[07/28/2007, 21:39:36] - ALERT: Found MSEvents Object!
[07/28/2007, 21:39:36] - Finished Searching Browser Helper Objects
[07/28/2007, 21:39:36] - *** Detected MSEvents Object
[07/28/2007, 21:39:36] - Trying to remove MSEvents Object...
[07/28/2007, 21:39:37] - Terminating Process: IEXPLORE[Caution: Executable File]
[07/28/2007, 21:39:37] - Terminating Process: RUNDLL32[Caution: Executable File]
[07/28/2007, 21:39:38] - Disabling Automatic Shell Restart
[07/28/2007, 21:39:38] - Terminating Process: EXPLORER[Caution: Executable File]
[07/28/2007, 21:39:38] - Suspending the NT Session Manager System Service
[07/28/2007, 21:39:38] - Terminating Windows NT Logon/Logoff Manager
[07/28/2007, 21:39:40] - Re-enabling Automatic Shell Restart
[07/28/2007, 21:39:40] - File to disable: C:\WINDOWS\system32\vtutqrq.dll
[07/28/2007, 21:39:40] - Removing HKLM\...\Browser Helper Objects\{DCD53738-C4F9-414A-A03C-C7405A4AC844}
[07/28/2007, 21:39:40] - Removing HKCR\CLSID\{DCD53738-C4F9-414A-A03C-C7405A4AC844}
[07/28/2007, 21:39:40] - Adding Kill Bit for ActiveX for GUID: {DCD53738-C4F9-414A-A03C-C7405A4AC844}
[07/28/2007, 21:39:41] - Deleting ATLEvents/MSEvents Registry entries
[07/28/2007, 21:39:41] - Removing HKLM\...\Winlogon\Notify\vtutqrq
[07/28/2007, 21:39:41] - Searching for Browser Helper Objects:
[07/28/2007, 21:39:41] - Finished Searching Browser Helper Objects
[07/28/2007, 21:39:41] - Finishing up...
[07/28/2007, 21:39:41] - A restart is needed.
[07/28/2007, 21:39:41] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[07/28/2007, 21:40:14] - Attempting to Restart via STOP error (Blue Screen!)

I tried that tool but I'm not sure if it scanned, because my computer crashed and came up with a blue screen with white letters I've never seen before. After I restarted it I had a text.doc on my desktop.
weezcake Posted July 29, 2007
It looks like it removed it, but crashed on the restart. Give me a copy of the HijackThis log, and we can check :)
Jaziek Posted July 29, 2007
Just to bring this to an admin's attention... I have noticed an increase in the amount of malware advertisements on the board lately.. winantivirus, pcturbopro, pcsecuritypro ..and the like. All of them minimize my current window, open a small second window with some text in, and when that is closed it loads a new page over TIF. It really only happens on tip.it.
TheWilch Posted July 29, 2007
Here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:33:55 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss[Caution: Executable File]
C:\WINDOWS\system32\winlogon[Caution: Executable File]
C:\WINDOWS\system32\services[Caution: Executable File]
C:\WINDOWS\system32\lsass[Caution: Executable File]
C:\WINDOWS\system32\svchost[Caution: Executable File]
C:\WINDOWS\System32\svchost[Caution: Executable File]
C:\WINDOWS\system32\svchost[Caution: Executable File]
C:\WINDOWS\system32\LEXBCES[Caution: Executable File]
C:\WINDOWS\system32\spoolsv[Caution: Executable File]
C:\WINDOWS\system32\LEXPPS[Caution: Executable File]
C:\WINDOWS\Explorer[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc[Caution: Executable File]
C:\PROGRA~1\Grisoft\AVG7\avgemc[Caution: Executable File]
C:\WINDOWS\system32\hkcmd[Caution: Executable File]
C:\Program Files\Dell AIO Printer A920\dlbkbmgr[Caution: Executable File]
C:\Program Files\Dell AIO Printer A920\dlbkbmon[Caution: Executable File]
C:\Program Files\BroadJump\Client Foundation\CFD[Caution: Executable File]
C:\Program Files\Executive Software\Diskeeper\DkService[Caution: Executable File]
C:\WINDOWS\System32\svchost[Caution: Executable File]
C:\WINDOWS\SYSTEM32\osk[Caution: Executable File]
C:\WINDOWS\SYSTEM32\MSSWCHX[Caution: Executable File]
C:\Program Files\Mozilla Firefox\firefox[Caution: Executable File]
C:\Program Files\Trend Micro\HijackThis\HijackThis[Caution: Executable File]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray[Caution: Executable File]
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd[Caution: Executable File]
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr[Caution: Executable File]"
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1[Caution: Executable File]
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD[Caution: Executable File]
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc[Caution: Executable File] /STARTUP
O4 - HKLM\..\Run: [MemoryManager] rundll32[Caution: Executable File] "C:\WINDOWS\system32\sfruhadm.dll",forkonce
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw[Caution: Executable File] /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: Executable File]
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: Executable File]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/share ... insctl.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h ... mDlBrg.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/share ... cgdmgr.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr[Caution: Executable File]
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc[Caution: Executable File]
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc[Caution: Executable File]
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService[Caution: Executable File]
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES[Caution: Executable File]
--
End of file - 4114 bytes

I'm not sure if it's gone, but I've had a significant reduction in lag. My system is fully stable and it's also stopped popups from coming up. You're the man, weez.
ooberman (Author) Posted July 30, 2007
> All of them minimize my current window, open a small second window with some text in, and when that is closed it loads a new page over TIF. It really only happens on tip.it.

That is exactly what happens to me. Out of curiosity I browsed the forums for a while on a new laptop and the same happened within about half an hour. Now this either means there is malware within the site (not sure exactly how that works) or it is the security setup I am using, which happens to be the same on both computers.
oober
TheWilch Posted July 31, 2007
AVG is now warning me that I have a trojan downloader :?
Jaziek Posted July 31, 2007
> AVG is now warning me that I have a trojan downloader :?

Unrelated to this case, I think.
weezcake Posted July 31, 2007
wilcher, scan with AVG and such? It should be able to clean out the trojan by itself, hopefully.. And Jaziek, PM an admin with info about the malware ads and explain the situation. I haven't seen one of these bad ads yet :/
TheWilch Posted August 1, 2007
> > AVG is now warning me that I have a trojan downloader :?
>
> Unrelated to this case, I think.

^ :| But weez, thanks; I'm 99% certain the winantivirus is gone.