DESPERATE! Trojan-keylogger.WIN32.fung virus...



BasketballOSU
01-11-2008, 05:34 PM
This thing is driving me absolutely insane. I have searched and tried all the steps suggested all over the internet that seem to work for other people, yet for some reason none of those steps seems applicable to my case with this virus.

It's the one that causes this popup every 15 minutes:

http://www.removeonline.com/images/warning22.jpg

I have merely exited out of this every time, haven't clicked on it or anything.

What would be the proper steps to go about removing this? Do you guys want a hijack this logfile?

Thanks!

gary67
01-11-2008, 05:38 PM
Yes, post a logfile and also run some of the malware/trojan scans. You might need to turn off System Restore while you're doing this too, as sometimes they can be there and come back on reboot.

BasketballOSU
01-11-2008, 05:39 PM
Tell you what I'll go ahead and hopefully save some time by going ahead and posting the logfile here:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:02 PM, on 10/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Sound Blaster Audigy 2\SB Performance Utility\CTPowUti.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webshots\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster Audigy 2\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Audigy 2\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTPerformanceUtility] C:\Program Files\Creative\Sound Blaster Audigy 2\SB Performance Utility\CTPowUti.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [wixpo] "C:\Documents and Settings\Grant\Application Data\Google\mupd1_2_645698.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202935117843
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

BasketballOSU
01-11-2008, 05:42 PM
Also I have already run Trojan Remover and Spybot S&D and Malwarebytes Anti-Malware something or other, which I found on other threads helping with this particular virus, but they didn't find anything.

wainuitech
01-11-2008, 06:07 PM
Hmmmmm, being a tough nut eh! Looked at the log, strangely can't see any real threat. You can remove the following:

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)

Disable system Restore - Right click My Computer/Properties/Restore Tab.

Download from my sig Spyware Terminator and SUPERAntiSpyware. Install and run.

In Spyware Terminator, on the Settings tab / Scan Settings / tick everything; on the Scan tab select Full Scan and do a full system scan.

Is Malwarebytes fully up to date, and did you do a full system scan? The short scans don't work that well sometimes.

Edited: After a better look, I think this is the bug:
O4 - HKCU\..\Run: [wixpo] "C:\Documents and Settings\Grant\Application Data\Google\mupd1_2_645698.exe"

Read this forum / instructions (http://www.removeonline.com/remove-trojan-keylogger-win32-fung-trojankeyloggerwin32fung-removal-instructions/) and run through the removal of the DLL files.
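
The triage wainuitech does by eye on the O4 lines of the log (an autorun entry under HKCU\..\Run whose target lives inside a user's Application Data folder and has a generated-looking file name) can be scripted. The block below is an added example written for this page; it is not code from the thread, from HijackThis, or from any of the posters. It parses the O4 entries of a HijackThis log and flags an entry when its target runs from a profile or temp directory, when its file name carries a long digit run, or when it is a bare file name that Windows resolves through the PATH search order. The sample lines are copied from the log posted in this thread; the heuristics, thresholds and every function name are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: O4 lines copied from the HijackThis log posted in this
# thread. "mupd1_2_645698.exe" is the entry the thread identifies as the bug.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [wixpo] "C:\Documents and Settings\Grant\Application Data\Google\mupd1_2_645698.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
"""

# "O4 - HKLM\..\Run: [Name] command"  (Run / RunOnce / RunServices keys)
RUN_KEY = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "O4 - Startup: Name.lnk = path"  (Startup-folder shortcuts)
STARTUP = re.compile(r'^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# First drive-letter path ending in an executable or DLL (handles quoted
# paths with spaces and "rundll32.exe C:\...\foo.dll,Entry" launchers).
DRIVE_PATH = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|scr|com|bat|cmd)\b', re.IGNORECASE)
# Locations a legitimate autorun rarely uses (assumption: heuristic, not a rule).
PROFILE_DIR = re.compile(
    r'\\(?:documents and settings\\[^\\]+|users\\[^\\]+|application data|local settings|appdata|temp)\\',
    re.IGNORECASE)
DIGIT_RUN = re.compile(r'\d{3,}')


@dataclass
class O4Entry:
    name: str
    location: str            # e.g. "HKCU\..\Run" or "Startup"
    command: str
    path: Optional[str]      # resolved target, or None for a bare file name
    reasons: List[str] = field(default_factory=list)


def extract_path(command: str) -> Optional[str]:
    """Return the first drive-letter path in the command, or None when the
    command is a bare name that Windows resolves through PATH."""
    m = DRIVE_PATH.search(command)
    return m.group(0) if m else None


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis O4 line; any other line yields None."""
    m = RUN_KEY.match(line)
    if m:
        location = f"{m['hive']}\\..\\{m['key']}"
        return O4Entry(m['name'], location, m['cmd'], extract_path(m['cmd']))
    m = STARTUP.match(line)
    if m:
        return O4Entry(m['name'], m['key'], m['cmd'], extract_path(m['cmd']))
    return None


def assess(entry: O4Entry) -> List[str]:
    """Heuristic reasons an autorun deserves a closer look (may be empty)."""
    reasons = []
    if entry.path is None:
        reasons.append("bare file name, resolved through the PATH search order")
        return reasons
    if PROFILE_DIR.search(entry.path):
        reasons.append("runs from a user-profile or temp directory, not Program Files/WINDOWS")
    file_name = entry.path.rsplit('\\', 1)[-1]
    if DIGIT_RUN.search(file_name):
        reasons.append("file name contains a long digit run (looks generated)")
    return reasons


def triage(log_text: str) -> List[O4Entry]:
    """All O4 entries in the log, each annotated with its reasons."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_o4(line.strip())
        if entry:
            entry.reasons = assess(entry)
            entries.append(entry)
    return entries


def suspicious(log_text: str) -> List[O4Entry]:
    """Only the entries that triggered at least one heuristic."""
    return [e for e in triage(log_text) if e.reasons]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"[{e.name}] {e.location} -> {e.path or e.command}")
        for r in e.reasons:
            print("   -", r)
```

On the sample it flags two entries: CTHelper, because a bare "CTHELPER.EXE" is found through PATH and is worth confirming, and wixpo, for both the Application Data location and the digit run. The location check matters more than the name: Speedy Gonzales notes later in the thread that this file changes its name, so a detection keyed on "mupd1_2_645698.exe" would miss the next copy, while one keyed on "executable autorunning from a profile directory" would not.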

wainuitech
01-11-2008, 07:17 PM
You may have to manually go in and remove the file

C:\Documents and Settings\Grant\Application Data\Google\mupd1_2_645698.exe

When you open the C: drive, up top select Tools / Folder Options / View tab and make sure "Show hidden files and folders" is selected, then navigate to the file. Before you do, you may also have to end the process: bring up Task Manager (Ctrl+Alt+Del), look for the mupd1 XXXXX running, select it and End Process, then delete the file.

BasketballOSU
01-11-2008, 07:41 PM
I went into the Application Data folder and tried to delete it, but it wouldn't delete.

So I pulled up task manager to end the process first, and that does not show up under the list of processes, either for my name or under "System"...

:confused::confused:

Speedy Gonzales
01-11-2008, 07:48 PM
Tick this as well

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

Then uninstall all versions of Java, then update it

If you've disabled System Restore now, just tick what Wainui posted previously and the above. If you've done this already, it's probably not running since it's been removed from startup.

Just go to C:\Documents and Settings\Grant\Application Data\Google\mupd1_2_645698.exe <-- and delete that file

wainuitech
01-11-2008, 07:55 PM
Three things to try:
1. Use HijackThis, tick and remove that entry, reboot, then try going back and see if the file will delete.
2. Restart the PC in Safe Mode (keep tapping F8), enter Safe Mode, navigate to the file and see if it will delete.
3. Lastly, try using "MoveOnBoot" (link to the file below). Download and install MoveOnBoot (http://www.softpedia.com/get/System/Boot-Manager-Disk/MoveOnBoot.shtml), select the file and reboot.

feersumendjinn
01-11-2008, 09:09 PM
Think you're looking at this all wrong: the warning box (supposedly put there by Windows Firewall) is a fake (note the bad spelling!), and the trojan mentioned is probably b*llsh*t, all designed to scare you into downloading a "fix", which will download even more malware.
The malware you already have is possibly disabling some of your attempts to remove it (maybe stopping access to the registry etc.).
I would definitely do all the above fixes, plus get/run SmitfraudFix, maybe ComboFix also. Is your McAfee antivirus fully updated (or is it the version you got with your Dell and it's expired :eek:)? As I see XP is still on SP2, and IE is still v6 (which is very unwise security-wise).
It may come to the point where you have to reinstall Windows (do you have a hidden restore partition on your C: drive? Usually accessed by pressing F10 (I think) when booting up).

Bangbug
02-11-2008, 05:08 PM
Oh hey, there was someone else with the same problem as me.
Did it all go well?
Did you listen closely to the sagely wisdom of Speedy and Wainui?
I've just gotten rid of mine and, thanks to the above mentioned, some other clutter. I might even be able to help now~! Wouldn't that be novel... <-- is that the right "novel"?
Good luck :)

jwil1
02-11-2008, 05:16 PM
Duplicate thread here (http://pressf1.pcworld.co.nz/showthread.php?t=94487)

Are both threads about the same problem Bangbug? If so, please keep to one thread. :)

Is the virus removed now? Nortons AV removed too?

Speedy Gonzales
02-11-2008, 05:31 PM
This isn't Bangbug's thread

Bangbug
02-11-2008, 05:31 PM
Duplicate thread here (http://pressf1.pcworld.co.nz/showthread.php?t=94487)

Are both threads about the same problem Bangbug? If so, please keep to one thread. :)

Is the virus removed now? Nortons AV removed too?

Yes, same problem apparently... that's what I was saying.
And yes... I will keep to one thread.
Had I seen this thread.

And if you would like to ask questions about my problem, please keep to one thread and ask there... lol :P Just kidding. Yup. Norton gone, virus gone and I'm in man love. If Wainui and Speedy are guys. If they're not... all the better. lol. ;)

jwil1
02-11-2008, 05:32 PM
This isn't Bangbug's thread

Whoops... :blush:

Sorry about that - is it a similar problem though?

Speedy Gonzales
02-11-2008, 05:38 PM
It looks like it was the same keylogger / trojan.

And the file in Documents and Settings likes changing names.

BasketballOSU
02-11-2008, 06:07 PM
Went through everything in the replies and it appears to be working. Pop-up free for an hour now and can't find the file anywhere....

Thanks again for all the help guys!