[Resolved] W32.Trats!inf virus removal


  • This topic is locked
67 replies to this topic

#1 wcosgroj (Authentic Member, 49 posts)

Posted 20 February 2008 - 10:53 AM

I have picked up the above referenced virus and have tried the Symantec, which does not work. I have read the success of others in their removal efforts on this site. Can I follow the advice given to others for removal, or is the process different for each machine and OS? I am running Windows XP Prof. I am not tech savvy. In fact, not even sure I'm in the right place on this site. Thanks.



#2 Trevuren (Teacher Emeritus, 8,632 posts, Interests: Woodworking)

Posted 20 February 2008 - 02:30 PM

Hello wcosgroj and welcome to the What the Tech Forums

My name is Trevuren and I will be helping you with your problem.


Download HijackThis from Here.
  • Choose the default location of C:\Program Files\Trend Micro\HijackThis as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
  • Click the Install button.
  • Accept the license agreement.
  • Click Do a system scan and save a log file. A Notepad file will open.
  • Select all the text by hitting the [Ctrl+A] keys, then copy your selection to the clipboard by pressing the [Ctrl+C] keys.
  • Paste the log into this thread by hitting the [Ctrl+V] keys, using 'Add Reply'.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER
Microsoft MVP Consumer Security 2008 - 2009
Proud graduate of TC/WTT Classroom

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

#3 wcosgroj

Posted 20 February 2008 - 03:39 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:30 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ig
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [winNT updatc] wupgrd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [300c136d] rundll32.exe "C:\WINDOWS\system32\wcvlxhhb.dll",b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BM333f20f1] Rundll32.exe "C:\WINDOWS\system32\fxmpfxhq.dll",s
O4 - HKLM\..\RunServices: [winNT updatc] wupgrd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (14.0)) - http://www.daviencro...ls/LTOCX14N.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115175111734
O16 - DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} (Pegasus PrintPRO Control v2.0) - http://www.daviencro...ls/prntpro2.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7205 bytes

#4 Trevuren

Posted 20 February 2008 - 03:56 PM

Your system may be infected with a Vundo trojan file infector. This infection renames executable files that run at startup and replaces them with infected copies. If this is the case we will try to reverse the process. Be advised that there is a possibility that you may have to reinstall certain programs where a legitimate replacement file can not be found.


Please download ComboFix by sUBs from HERE or HERE directly to your Desktop.

Note: If you already have a current version of ComboFix on your machine, please DELETE it from your desktop before downloading the newest version.

Go to Start -> Run -> copy/paste the following single line command in the runbox & click OK

"%userprofile%\desktop\combofix.exe" /killall

  • ComboFix will automatically start. Any monitoring programs will be shut down, like your antivirus and antispyware programs for example.
  • ComboFix may restart your computer, this is normal.
  • When finished, it will produce a log, ComboFix.txt.
  • Please post ComboFix.txt in your next reply along with a new HijackThis log.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
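The entries a helper picks out of the log above are the ones that do not look like anything a vendor installs: a value whose command is a bare filename with no path (wupgrd.exe), rundll32 loaders pointing at DLLs with random eight-letter names in system32 and a one-letter export, and a value sitting in the RunServices key. The Python script below is an added example, not part of this thread and not code from HijackThis or ComboFix; it parses a constructed subset of the O4 lines posted above and applies exactly those heuristics. The "random name" patterns it tests for are assumptions drawn from this one log, not a general signature, and a hit only means "verify the file on disk", which is why the helper warns against clicking Fix Checked on everything.

```python
"""Triage HijackThis O4 autostart entries for the patterns seen in the log above.

Heuristics only: a hit means "look closer", not "infected". Most autostart
entries on any machine are legitimate.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: a subset of the O4 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [winNT updatc] wupgrd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [300c136d] rundll32.exe "C:\WINDOWS\system32\wcvlxhhb.dll",b
O4 - HKLM\..\Run: [BM333f20f1] Rundll32.exe "C:\WINDOWS\system32\fxmpfxhq.dll",s
O4 - HKLM\..\RunServices: [winNT updatc] wupgrd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
""".strip().splitlines()

# Shape of a registry O4 line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Shape of a rundll32 argument: "<dll path>",<export>
RUNDLL_ARG_RE = re.compile(r'^"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)')
# Hosts that are normally referenced without a path; exempt from the bare-filename rule.
KNOWN_HOSTS = {"rundll32.exe"}


@dataclass
class Entry:
    hive: str
    key: str
    name: str
    exe: str   # first token of the command, surrounding quotes stripped
    args: str
    raw: str


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(line: str) -> Optional[Entry]:
    m = O4_RE.match(line.strip())
    if not m:
        return None  # Startup-folder lines ("Global Startup: x.lnk = ...") have a different shape
    exe, args = split_command(m.group("cmd"))
    return Entry(m.group("hive"), m.group("key"), m.group("name"), exe, args, line.strip())


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_random_name(stem: str) -> bool:
    """Assumed pattern taken from this log only: 8 lowercase letters with at most
    one vowel (wcvlxhhb, fxmpfxhq) or an 8-10 digit hex blob (300c136d, BM333f20f1)."""
    if re.fullmatch(r'[a-z]{8}', stem) and sum(c in "aeiou" for c in stem) <= 1:
        return True
    return re.fullmatch(r'(BM)?[0-9a-f]{8,10}', stem) is not None


def triage_entry(e: Entry) -> Finding:
    f = Finding(e)
    exe_name = basename(e.exe).lower()
    if "\\" not in e.exe and ":" not in e.exe and exe_name not in KNOWN_HOSTS:
        f.reasons.append(f"bare filename '{e.exe}': no directory given, so which file runs "
                         "depends on the loader's search order; verify the one on disk")
    if e.key.lower() == "runservices":
        f.reasons.append("RunServices is a Windows 9x/Me autostart key that Windows XP does not "
                         "process; legitimate XP software rarely writes it")
    if exe_name == "rundll32.exe":
        m = RUNDLL_ARG_RE.match(e.args)
        if m:
            dll = basename(m.group("dll"))
            if is_random_name(dll.rsplit(".", 1)[0]) and len(m.group("export")) <= 2:
                f.reasons.append(f"rundll32 loads random-named {dll} via short export "
                                 f"'{m.group('export')}'")
    if is_random_name(e.name):
        f.reasons.append(f"random-looking value name '{e.name}'")
    return f


def triage(lines) -> List[Finding]:
    """Return only the entries that tripped at least one heuristic."""
    findings = []
    for line in lines:
        e = parse_o4(line)
        if e is not None:
            f = triage_entry(e)
            if f.reasons:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.entry.raw)
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, the script flags both winNT updatc values, the two rundll32 loaders (for the DLL name and the value name) and Logitech's KHALMNPR.EXE. That last one is legitimate Logitech software caught by the bare-filename rule, which is the point: the output is a list of things to check against the file on disk, not a list of things to delete.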

#5 wcosgroj

Posted 21 February 2008 - 08:11 AM

Trevuren, I ran combofix last night and have a problem. It did what you said...ran, turned computer off, turned computer back on, then it did nothing. After about 30 minutes, I tried to log in from the usual "select profile to log in screen" and it acted like it was going to boot up, then said it was closing down, then went back to the "select profile..." screen. I finally shut it off and went to bed. I tried again this morning and it did the same thing. I tried to start in safe mode, and when I got to the log in screen, it did the same thing, except asked for a password, which it has never done before. I hit enter, and it said it was logging off, then came right back to the log in screen. I shut it down, restarted in normal mode, and just left it running and then came to work. I won't be able to get back to it till late afternoon. What next? Wcosgroj

#6 Trevuren

Posted 21 February 2008 - 10:04 AM

A. Please DELETE the version of ComboFix.exe that is on your desktop as well as the following folder: C:\ComboFix.

B. Download Combofix from the link below. You must rename it before saving it. Save it to your desktop. I suggest that you rename it to Combo-Fix.exe. The tool will suggest that name as default any way. This is a special version of the tool.

Link

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection again afterwards.
2. Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Notes:
  • Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


#7 wcosgroj

Posted 21 February 2008 - 12:55 PM

Perhaps I did not make myself clear this morning...I was posting from a different machine. I cannot log in on the infected machine after trying to run ComboFix last night. I can't take the actions you outlined last night since I can't log in. I am on a different computer now...not the infected one. Can you give instructions to get me to be able to log in on the infected one? I tried safe mode but that didn't work either. Help. Thanks, wcosgroj

#8 Trevuren

Posted 21 February 2008 - 05:12 PM

Do you have your original Windows Installation CD?

What was displayed in CF's window before it rebooted? Surely there was something displayed. Did you notice any error messages?

"I tried to start in safe mode"

Were there any options available to you?

Edited by Trevuren, 21 February 2008 - 10:42 PM.


#9 wcosgroj

Posted 22 February 2008 - 07:47 AM

I do have the Windows OS CD. I did not notice what ComboFix was doing when it was running...I was busy doing other things and did not keep my eyes glued to the screen. I noticed a large blue "dos" type box open and lots of data flowing/scrolling through it. It eventually stopped, went away, the computer signed off, then came back on. Like I said, after about 30 minutes of it doing nothing, with just the welcome screen showing, I tried to log in. It starts the log in sequence then immediately says "logging off". I am sending this from another computer. Am I to do something with the CD you asked about? Thanks for your patience...like I said, I'm not very tech savvy, and I have long periods away from the infected computer. wcosgroj

Later... In safe mode, I get the standard choices, but none that I was brave enough to try enabled me to log in.

Edited by wcosgroj, 22 February 2008 - 08:29 AM.


#10 Trevuren

Posted 22 February 2008 - 11:36 AM

Please list all the options that the system is offering while in Safe Mode. This is very important information. Please be patient as we will probably have to walk you through some very delicate steps. The object of this exercise, if we can carry it off, will be to not only get your system to boot up normally for you again but also to figure out what damage the infection did to your system that caused this problem. I am in contact with one of the top specialists in the field and feel assured that we are doing our very best to help you regain control of your system.

Regards, Trevuren

#11 wcosgroj

Posted 22 February 2008 - 11:43 AM

I will be going back to that location (home) for lunch...will email you soon with the listed choices in safe mode. wcosgroj

#12 Trevuren

Posted 22 February 2008 - 11:44 AM

Please also include "all" the options that you did actually try whilst in Safe Mode. Thanks, Trevuren

#13 wcosgroj

Posted 22 February 2008 - 12:41 PM

OK, here's what the safe mode screen looks like:

Windows Advanced Options Menu: Please select......
  • Safe Mode
  • Safe Mode w/Networking
  • Safe Mode w/Command Prompt
  • Enable Boot Log
  • Enable VGA Mode
  • Last Known Good Config....
  • Directory Services Restore Mode
  • Debugging Mode
  • Disable Auto Restart on System Failure
  • Start Windows Normally
  • Reboot
  • Return to OS Choices Menu

The ones I've tried are "Safe Mode", "Last Known Good Config..." and "Reboot". When I hit "Safe Mode", the next screen says: "Please select OS to start" and the only choice is "Microsoft Windows XP Professional". When I click that, I go to the MS welcome screen with the two family profiles offered for choice. When I hit mine, it acts like it is starting the log in, then goes to "logging off". Hope this makes sense. I must leave this working computer for an hour or so...I'll look for a reply when I get back. Thanks, wcosgroj

#14 wcosgroj

Posted 22 February 2008 - 12:45 PM

Oh, when I hit "Last Known Good Config..." it took me to the log in screen and the failed log in process was the same. The "Reboot" entry also took me to the log in screen with the same result. wcosgroj

#15 Trevuren

Posted 22 February 2008 - 12:57 PM

The outlook for saving your system does not look too rosy. The trats infection did a real number on it. I am now trying to see if anything at all can be salvaged.