kylef
Gone
+1,352|6764|N. Ireland
Items downloaded today: Logitech SetPoint from official Logitech site
Items I don't normally run that were run today: ctfmon.exe - when I plug my iPod in it always appears so this time I decided to check what it did...all it did was view the iPod directory

I was happily browsing my computer and then Windows Defender popped up. With something not very nice. Trojan:Win32/VB to be precise. Of course, I removed it today. I also uninstalled SetPoint just in case. This is the first hint of a virus I have ever had in...at least two years. Curiously, I decided to check out Windows Defender and what it had to say for itself:

Category:
Trojan

Description:
This program has potentially unwanted behavior.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
file:
C:\Users\Kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ctfmon.exe

startup:
C:\Users\Kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\ctfmon.exe
I know that ctfmon.exe is a harmless application...has Windows been tricked into thinking it is a trojan? Or is it a Trojan? Currently running AVG as I write this.

Thanks

Update: AVG found something..:

https://i159.photobucket.com/albums/t143/leetkyle/avgdetection.png

Last edited by kylef (2008-05-07 12:22:10)
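An added example, not part of kylef's post: a PowerShell check for exactly the situation above, a file carrying a Windows binary's name sitting in a per-user Startup folder. It lists what is in both Startup folders with signature status, then compares the suspect against the genuine copy in System32 by hash and Authenticode signature. The two paths are the ones from the Defender report; `Get-StartupFolderItem` and `Test-ImpostorBinary` are names chosen here, not anything from Windows Defender or the thread.

```powershell
# Added example (not from the thread): check executables sitting in the Startup
# folders, and compare one suspect against the genuine Windows copy of the same
# binary. Paths below are taken from the Defender report in the post.
$Suspect = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\StartUp\ctfmon.exe"
$Genuine = "$env:SystemRoot\System32\ctfmon.exe"

# Anything that runs at logon from here deserves a look: Windows' own binaries never
# live in these folders, and most legitimate software uses a Run key or a service.
function Get-StartupFolderItem {
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Folder    = $folder
                Name      = $_.Name
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Modified  = $_.LastWriteTime
            }
        }
    }
}

function Test-ImpostorBinary {
    param(
        [Parameter(Mandatory)][string]$SuspectPath,
        [Parameter(Mandatory)][string]$GenuinePath
    )
    if (-not (Test-Path -LiteralPath $SuspectPath)) {
        return "Nothing at $SuspectPath (already removed?)"
    }
    $s = Get-Item -LiteralPath $SuspectPath

    # Content: identical bytes mean somebody copied the real file into Startup;
    # different bytes under the same name need explaining.
    $sameHash = (Get-FileHash -LiteralPath $SuspectPath -Algorithm SHA256).Hash -eq
                (Get-FileHash -LiteralPath $GenuinePath -Algorithm SHA256).Hash

    # Authenticode: Windows binaries carry a valid Microsoft signature. A plain copy
    # keeps it; a rebuilt, patched or renamed file does not.
    $sig = Get-AuthenticodeSignature -LiteralPath $SuspectPath
    $signedByMicrosoft = $sig.Status -eq 'Valid' -and
                         $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*'

    $verdict = if ($signedByMicrosoft -and $sameHash) {
        'genuine binary, but in the wrong place: find out what copied it here'
    } elseif ($signedByMicrosoft) {
        'validly signed by Microsoft, different build: check VersionInfo before trusting it'
    } else {
        'not a Microsoft-signed binary: treat as malware and submit the hash to your AV vendor'
    }

    [pscustomobject]@{
        Path              = $SuspectPath
        SizeBytes         = $s.Length
        SameHashAsGenuine = $sameHash
        SignatureStatus   = $sig.Status
        SignedByMicrosoft = $signedByMicrosoft
        CompanyName       = $s.VersionInfo.CompanyName
        OriginalFilename  = $s.VersionInfo.OriginalFilename
        Verdict           = $verdict
    }
}

Get-StartupFolderItem | Format-Table -AutoSize
Test-ImpostorBinary -SuspectPath $Suspect -GenuinePath $Genuine | Format-List
```

Run it before deleting the file: once Defender or AVG has quarantined the sample, the comparison is no longer possible and all you have left is the detection name.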

jamiet757
Member
+138|6893
Sometimes malicious software can install programs with similar names to commonly used ones, but they are infected with a virus or something.

Just because it showed up after you installed setpoint doesn't mean that is what gave you the virus, sometimes they don't show up right away, to prevent you from going back with system restore to before the virus was there.
kylef
Gone
+1,352|6764|N. Ireland
Yeah - I'm aware they can masquerade as common programs, although there surely must have been some sort of evidence as I haven't installed any new applications or anything like that in quite a while..
Freezer7Pro
I don't come here a lot anymore.
+1,447|6468|Winland

Scripts?
CrazeD
Member
+368|6943|Maine

Freezer7Pro wrote:

Also, antivirus is for idiots who can't see that XXX KEYGEN.COM XXX CRACKS CDKEYS XXX might be malicious.
Hmm, I guess you're an idiot Kyle, according to Freezer...

What makes you think you have to install an application to get a virus? You can get viruses from downloading infected files, accepting transfers over IM clients, emails, shady websites... You could have picked this up from anywhere.

Just do a scan in safe mode till it's gone. If you can't get rid of it that way you'll either have to try a different AV or research it, as there may be a specific utility to get rid of it.
steelie34
pub hero!
+603|6652|the land of bourbon
it looks like it used heuristic detection to identify that file, meaning the function of that dll could be viral, but may be legitimate if you have installed a new program recently.  but if you have no idea where the file virtualdns.dll came from, you should remove it.
ghettoperson
Member
+1,943|6920

Post a Hijack This log.
kylef
Gone
+1,352|6764|N. Ireland
Thanks for all the replies...I was due for a reformat but didn't want to do it until after my exams. Anyway, I'm not sure how this little bugger got in. I download cautiously and always scan after files I am hazy about. This is the first time Windows Defender has detected this file. As requested, here is a HijackThis log...I'm not sure if AVG got rid of 'em for good.

Logfile of HijackThis v1.99.1
Scan saved at 21:52:28, on 07/05/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\DisplayFusion\DisplayFusion.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Steam\Steam.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Kyle\Documents\Downloads\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\Windows\VirtualDNS.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [LogiSPSetupNeedReboot] rundll32.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [DisplayFusion] "C:\Program Files\DisplayFusion\DisplayFusion.exe"
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDC02279-7092-43E0-A6D5-7FA1F75BF75F}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
I appreciate any help, thanks

Update: I'm also running Ad-Aware here, will post what it finds once it is done (however that'll probably be another half an hour at least!)

Last edited by kylef (2008-05-07 13:57:30)

ghettoperson
Member
+1,943|6920

Check the box next to 'O2 - BHO: CVirtualDNSObj Object - {86C510E9-97EF-4749-914F-0280247BE3A6} - C:\Windows\VirtualDNS.dll (file missing)' and hit fix checked. Should sort you out.

This I believe is your problem
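An added example, not from ghettoperson's post or from HijackThis: the O2 line above is a Browser Helper Object registration whose DLL is gone from disk. The PowerShell below walks the Browser Helper Objects key the way an O2 line is produced, resolves each CLSID to the DLL behind it through HKCR\CLSID\{...}\InprocServer32, and flags registrations whose DLL is missing or unsigned. The second function removes one registration, which is the key whose presence makes the O2 line appear. The CLSID in the usage line is the one from the log; `Get-BrowserHelperObject` and `Remove-BrowserHelperObject` are names chosen here.

```powershell
# Added example (not from the thread or HijackThis): enumerate Browser Helper
# Objects, resolve each CLSID to the DLL that implements it, and flag registrations
# whose DLL is missing or unsigned. Run from an elevated prompt to remove anything.
function Get-BrowserHelperObject {
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        # 32-bit IE on 64-bit Windows registers here instead
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    ) | Where-Object { Test-Path -Path $_ }

    foreach ($root in $bhoRoots) {
        foreach ($entry in Get-ChildItem -Path $root) {
            $clsid = $entry.PSChildName            # e.g. {86C510E9-97EF-4749-914F-0280247BE3A6}
            $name  = $null
            $dll   = $null

            # The BHO key only names the CLSID; the DLL lives under HKCR\CLSID\{...}\InprocServer32.
            $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            if (Test-Path -Path $clsKey) {
                $name = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
                $srv  = Get-ItemProperty -Path "$clsKey\InprocServer32" -ErrorAction SilentlyContinue
                if ($srv -and $srv.'(default)') {
                    $dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)'.Trim('"'))
                }
            }

            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'n/a' }

            [pscustomobject]@{
                CLSID      = $clsid
                Name       = $name
                Dll        = $dll
                FileExists = $exists
                Signature  = $sig
                # A registration pointing at a file that is gone, an unsigned DLL, or a nameless
                # object is what the log above shows for VirtualDNS.dll and the "(no name)" entry.
                Suspicious = (-not $exists) -or ($sig -ne 'Valid') -or [string]::IsNullOrEmpty($name)
            }
        }
    }
}

# Remove one BHO registration; this is the key whose presence produces an O2 line.
# The CLSID key itself is left alone: delete it only once you know nothing else uses it.
function Remove-BrowserHelperObject {
    param([Parameter(Mandatory)][string]$Clsid, [switch]$WhatIf)
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $key = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
        if (Test-Path -Path $key) { Remove-Item -Path $key -Recurse -WhatIf:$WhatIf }
    }
}

Get-BrowserHelperObject | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
# Dry run against the entry from the log; drop -WhatIf once you have confirmed it is the one.
Remove-BrowserHelperObject -Clsid '{86C510E9-97EF-4749-914F-0280247BE3A6}' -WhatIf
```

A "(file missing)" BHO is inert on its own, since there is nothing for Internet Explorer to load, but it is evidence that something installed a DLL under C:\Windows and that only the file, not the registration, was cleaned up. Look for whatever else ran with the same timestamps before calling the machine clean.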
kylef
Gone
+1,352|6764|N. Ireland
Done - whatever that did it appears to have done it successfully as it no longer shows up in a new log. I appreciate your help. 18 New Critical Objects found, however it's probably just 2 or 3 cookies. Had a bit of a scare with "Trojan" heh.
ghettoperson
Member
+1,943|6920

Heh, it's all good. Always use protection kids!
ReTox
Member
+100|6770|State of RETOXification
The naming of virus files to be the same as Windows files is easily defeated but only if you know how.  In the task manager under the processes tab look for the suspect file and if it says the owner is SYSTEM it is very likely to be legit.  The ones you see with an owner the same as your logon name are possibly malicious and worth scanning/investigating aggressively.
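An added example, not part of ReTox's post: the owner shown in Task Manager is what Win32_Process.GetOwner returns, and the PowerShell below reports it for every running instance of a given image name alongside the two signals a practitioner should weigh at least as heavily, where the image file actually lives and whether it carries a valid signature. Many legitimate per-user processes (the real ctfmon.exe among them) run under the logged-on account, so owner alone does not settle it. `Get-ProcessProvenance` is a name chosen here.

```powershell
# Added example (not from the thread): for every running process with a given image
# name, show who owns it, where the image really lives, and whether it is signed.
# Win32_Process.GetOwner is the same information as Task Manager's "User Name" column.
function Get-ProcessProvenance {
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'ctfmon.exe'

    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$Name'"
    foreach ($p in $procs) {
        # GetOwner fails with a non-zero ReturnValue for processes you cannot open
        # (most SYSTEM processes when not elevated); User is then null.
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $path  = $p.ExecutablePath

        $sig = if ($path -and (Test-Path -LiteralPath $path)) {
                   Get-AuthenticodeSignature -LiteralPath $path
               } else { $null }

        # A Windows binary runs from under %SystemRoot%; the same name running from
        # AppData, Temp or a Startup folder is the masquerade the post describes.
        $underWindows = [bool]($path -and
            $path.StartsWith("$env:SystemRoot\", [System.StringComparison]::OrdinalIgnoreCase))

        [pscustomobject]@{
            PID          = $p.ProcessId
            Owner        = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '(not readable)' }
            Path         = $path
            UnderWindows = $underWindows
            Signature    = if ($sig) { $sig.Status } else { 'n/a' }
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            CommandLine  = $p.CommandLine
        }
    }
}

Get-ProcessProvenance -Name 'ctfmon.exe' | Format-List
```

Two instances of the same name, one under %SystemRoot%\System32 and one elsewhere, is the pattern to look for; the second one is the one to quarantine.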
GC_PaNzerFIN
Work and study @ Technical Uni
+528|6685|Finland

ghettoperson wrote:

Heh, it's all good. Always use protection kids!
heh...
kylef
Gone
+1,352|6764|N. Ireland
Thanks Retox...I'd karma you but I appear to have run out! Thanks a lot, though - just took a look and everything seems normal...a few which I didn't know but Google solved that.

lol Ghetto ;) Anyway - all of those objects found via Ad-Aware were just a cookie (TAC rating 3) and a non-threatening MRU list. All good :) I'll run AVG while I'm out in the morning just to be sure ;) Thanks a lot.

Freezer - no scripts...at least none that I know of :P

Last edited by kylef (2008-05-07 14:18:56)

.Sup
be nice
+2,646|6724|The Twilight Zone
I'll karma him for you kyle
https://www.shrani.si/f/3H/7h/45GTw71U/untitled-1.png
r2zoo
Knowledge is power, guard it well
+126|6867|Michigan, USA
Not sure what the huge "scare" was about, viruses aren't that huge a deal.  Although it's all settled I'd like to point out the fact that various virus scanners and the such can detect regular programs as malicious.  McAfee wouldn't let me install BF2 off the disk, as it kept telling me there were trojans and the such on the disk, when that was not true.
kylef
Gone
+1,352|6764|N. Ireland

r2zoo wrote:

Not sure what the huge "scare" was about, viruses aren't that huge a deal.  Although it's all settled I'd like to point out the fact that various virus scanners and the such can detect regular programs as malicious.  McAfee wouldn't let me install BF2 off the disk, as it kept telling me there were trojans and the such on the disk, when that was not true.
Yeah, I have a few applications which I know are safe yet AV said otherwise. Although that is only a few exceptions to the rule, I guess - heh.

Thanks .Sup!
Brasso
member
+1,549|6901

.Sup wrote:

I'll karma him for you kyle
me too, he deserves it
jamiet757
Member
+138|6893

r2zoo wrote:

Not sure what the huge "scare" was about, viruses aren't that huge a deal.  Although it's all settled I'd like to point out the fact that various virus scanners and the such can detect regular programs as malicious.  McAfee wouldn't let me install BF2 off the disk, as it kept telling me there were trojans and the such on the disk, when that was not true.
Some viruses can be a very huge deal. A lot of times it isn't the case, you just run your AV program and it is gone, but I have had a few in my time that I could not get rid of no matter what I did, so I had to reformat. That is scary. So what do you mean they aren't a huge deal?
S.Lythberg
Mastermind
+429|6717|Chicago, IL
watch those scanners, Norton and Avast! have both tried to delete BF2 localization files.

I'd keep an eye on your task manager to see if anything odd opens up.
CrazeD
Member
+368|6943|Maine

S.Lythberg wrote:

watch those scanners, Norton and Avast! have both tried to delete BF2 localization files.

I'd keep an eye on your task manager to see if anything odd opens up.
Orly? Avast doesn't care about my BF2 localization files.

However, it has sounded alarm to several other things that aren't viruses. That's okay though, I'd rather have a cautious scanner than one that doesn't work.
FatherTed
xD
+3,936|6771|so randum
https://www.keepcondom.com/images/products/trojan-her-pleasure-warm1.jpg
ghettoperson
Member
+1,943|6920

Kyle only uses Durex, he has to be safe.
Peter
Super Awesome Member
+494|6673|dm_maidenhead

kylef wrote:

Items downloaded today: Logitech SetPoint from official Logitech site, over 10GB of bukkake videos
Items I don't normally run that were run today: ctfmon.exe - when I plug my iPod in it always appears so this time I decided to check what it did...all it did was view the iPod directory

I was happily browsing my computer and then Windows Defender popped up. With something not very nice. Trojan:Win32/VB to be precise. Of course, I removed it today. I also un-installed SetPoint just in case. This is the first hint of a virus I have ever had in...at least two years. Curiously, I decided to check out Windows Defender and what it had to say for itself:

...
Fixed
kylef
Gone
+1,352|6764|N. Ireland
Yep, most of the machines here only sell Durex so I guess I'm stuck - huh?

Anyway, ran another AV scan today and everything came up absolutely clear. Big thanks to you all!
