
Malware/Spyware/virus help - already done How to removal guide...

Discussion in 'Malware Removal' started by bmontana, Jan 27, 2005.

  1. bmontana

    bmontana Private E-2

    Specs:
    IBM R40 Notebook
    MS Win XPP w/Serv. pk 1
    Intel Pent M 1.3
    597MHz
    256MB RAM
    40GB Hard Drive

    Internet Providers:
    AOL
    Comcast Broadband


    Good evening,
    I am having problems with Malware and its apparent effects on my computer. I currently am running the latest McAfee AV (provided by AOL) with auto updates, as well as Zone Alarm (v 5.5 - free download version). I get random alerts with attempts to access my computer by .exe programs and .dll applications. Such examples include "xmlfont.exe, xmlanti.exe, dbdns.exe", etc. I have followed all suggested steps in the "How to: Spyware, Trojan and Virus Removal" guide, and I still have the following noticeable problems:
    a.) I cannot access the following websites via my IE browser (using my Comcast Broadband wireless connection)
    - google.com
    - 53.com (Fifth Third Bank)
    b.) I cannot access 53.com on either IE or my AOL web browser (although I can access google through the AOL browser)

    c.) when I restart/turn off my computer, a warning message pops up saying " 'odbcras.exe - DLL INITIALIZATION FAILED' The application failed to initialize..."

    I have run the Killbox program, and have a log file created. I know it says not to post unless asked, so let me know if you would like me to send it as an attachment.

    Thanks for your help!

    bmontana
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I believe you mean you have run HijackThis and created a log, not Killbox.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. bmontana

    bmontana Private E-2

    It will not let me run HijackThis. I downloaded it to c:\Programfiles\hijackthis, and when I click the icon, a window pops up that says:

    "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

    I did just download the new AOL which has an updated version of McAfee Virus Protector, and a window showed up saying a Virus has been detected and cleaned. The file C:\docume~1\bryanm~1\locals~1\Temp\TemporaryDirectory1forhijackthis.zip\HijackThis.exe was infected by the W32/Generic.worm!p2p virus and has been deleted to complete the Clean process. It also will not let me Clean, Quarantine, or Delete the program. Says cannot find the file.

    Can you please advise?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Either uninstall the AOL Virus protector or get the current McAfee definitions. The older version had a bug which said HijackThis had a virus and it did not. Thus your HijackThis.zip download never got downloaded. Or when you went to run Hijackthis.exe it was deleted by the virus scan.

    It has been a very long time (malware wise) since you ran the READ ME FIRST sticky steps. Since you waited so long to come back, you really should run them again. Make sure you update each program because they have changed.
     
    Last edited: Feb 18, 2005
  5. bmontana

    bmontana Private E-2

    Will do. Re-installing/running How to programs. Will post results...
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Did you get HJT 1.99.1 now?
     
  7. bmontana

    bmontana Private E-2

    I am still in the process of doing all of the recommended steps in the How to section. I am having a problem though. When attempting to update Spybot, it fails on all updates, giving me this log for each of the updates that I attempt:

    2/17/2005 9:49:36 PM downloaded update Startup info
    2/17/2005 9:49:36 PM - URL: http://www.see-cure.de/updates/files/startup.zip
    2/17/2005 9:49:36 PM - Local file: C:\MajGeek Vir Programs\Spybot - Search & Destroy\Updates\startup.zip
    2/17/2005 9:49:36 PM - FILE REJECTED because of bad checksum

    I tried downloading the following updates:
    Advanced detection library
    Detection rules
    English help
    Immunization database
    Startup info

    All give the 'Info' result of "!!!bad checksum!"

    Any suggestions?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. bmontana

    bmontana Private E-2

    Got you. Eventually got updates for Spybot. Now I can't download updates for SpywareBlaster! It's saying "Error Connecting to Server...may be temp unavailable or a conflict w/your Firewall sw installed on your PC..."

    Think it's just the server being busy again?

    I am currently doing the Trend AV Scan. I will post reply once done. I will await your response on the SpywareBlaster updates.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It could be a similar issue. Or you could be blocking it with a firewall. Do you have a firewall? If so, do a temporary disable and try to update.

    Note: you should not be online with browsers open during certain scans. Obviously you must for the online scanners, but for everything else exit all apps before scanning. See the note in the READ ME about this.
     
  11. bmontana

    bmontana Private E-2

    Yes, I have ZoneAlarm's sw firewall. I tried enabling all of the required programs in the firewall....I will try disabling the fw before trying the updates.

    Also...I ran the Trend Scan and it found 1 Trojan Virus. Couldn't clean....deleted it.

    The Symantec scan found 26 threats. I have the log saved in a wordpad document if you want. The first couple that it found were Trojan.Vundo threats. When I followed the recommended steps to remove them, I dwnld'ed and ran the FixVundo.exe program, and it found "no Trojan.Vundo" files on my computer. Odd. Any suggestions on that?

    I will disable ZoneAlarm, and try the updates.

    Thanks!
     
  12. bmontana

    bmontana Private E-2

    Tried SpywareBlaster updates again w/FW disabled, and still cannot access updates. Still says "Error connecting to server....error getting update info f/server, srvr may be temp. unavailable, or may be conflict w/FW sw installed on your computer...."
     
  13. bmontana

    bmontana Private E-2

    Ok, tried disabling firewall and Internet access, and FixVundo still found no Trojan.Vundo files on my computer. Even though my Symantec Log obviously shows I do have them. Think the Symantec AV quarantined them automatically? I have attached the Symantec log in this post as well.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure these were fixed? It looks like they are still present from that log.
     
  15. bmontana

    bmontana Private E-2

    Not sure what you mean "are you sure these were fixed". No, the Trojan.Vundo files were not fixed, as I mentioned the FixVundo.exe program that Symantec tells you to use to remove the files it found "did not find any Trojan.Vundo files on your computer". Symantec's log clearly shows I have them, but FixVundo does not find them.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run their tool with all browsers exited and with your physical connection to the internet unplugged?

    Give that a try. If that does not work, follow my guidelines in message # 2 and post a HijackThis log.
     
  17. bmontana

    bmontana Private E-2

    Tried Symantec FixVundo.exe program with Internet connection off and all browsers exited. Still didn't find the Trojan.Vundo files that the Sym AV said it found.

    Here is my HijackThis log. Let me know what you suggest to do next.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a bunch of Virtumundo problems and some others. I'm working on your log now.
     
    Last edited: Feb 23, 2005
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also, you have a broken LSP chain. Download LSPFix from (http://www.majorgeeks.com/download4180.html) and run it.

    Check the "I know what I am doing" box. Click on connwsp.dll in the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

    Download Pocket KillBox and extract it to its own folder where you will be able to find it. Do not run it yet.

    Please print out these instructions (or save them locally) so that you can operate with All Browser Windows CLOSED. Do that now before going any further.

    Please follow the instructions carefully.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    First Step:

    Open Windows Explorer and navigate to C:\WINDOWS\PREFETCH
    And delete all files in this folder. Do not delete the Prefetch folder. Just the files in it.

    Second Step:

    Run HijackThis and check the boxes for the following (but do not click Fix yet):
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O1 - Hosts: rowsertoolbar.com
    O1 - Hosts: 127.0.0.
    O1 - Hosts: .browsertoolbar.com
    O1 - Hosts: 12
    O1 - Hosts: w2.browsertoolbar.com
    O1 - Hosts: w2.browsertoolbar.com
    O1 - Hosts: 12
    O1 - Hosts: 127.0
    O1 - Hosts: om
    O1 - Hosts: .com
    O1 - Hosts: ar.com
    O1 - Hosts: lbar.com
    O1 - Hosts: oolbar.com
    O1 - Hosts: rtoolbar.com
    O1 - Hosts: sertoolbar.com
    O1 - Hosts: 127.0.0.
    O1 - Hosts: owsertoolbar.com
    O1 - Hosts: 12
    O1 - Hosts: 127.0
    O1 - Hosts: 2.browsertoolbar.com
    O1 - Hosts: ww2.browsertoolbar.com
    O1 - Hosts: 127.0
    O1 - Hosts: .www2.browsertoolbar.com
    O1 - Hosts: w.www2.browsertoolbar.com
    O1 - Hosts: 127.0.
    O1 - Hosts: 1
    O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\daavaj.dat (file missing)
    O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\dadrah.dat
    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\bknur.dat (file missing)
    O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\sysnib.dat
    O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\smavaj.dat
    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat
    O4 - HKLM\..\Run: [runkb] C:\WINDOWS\runkb.exe
    O4 - HKLM\..\Run: [regkey] C:\WINDOWS\regkey.exe
    O4 - HKLM\..\Run: [*wad] C:\WINDOWS\Web\wad.exe
    O4 - HKLM\..\Run: [acciis] C:\WINDOWS\acciis.exe
    O4 - HKLM\..\Run: [*faxvga] C:\WINDOWS\system\faxvga.exe
    O4 - HKLM\..\Run: [*tcpreg] C:\WINDOWS\Driver Cache\tcpreg.exe
    O4 - HKLM\..\Run: [*abrwms] C:\WINDOWS\system\abrwms.exe
    O4 - HKLM\..\Run: [*xmlfont] C:\WINDOWS\xmlfont.exe
    O4 - HKLM\..\Run: [*dlllog] C:\WINDOWS\Fonts\dlllog.exe
    O4 - HKLM\..\Run: [*wmshard] C:\WINDOWS\wmshard.exe
    O4 - HKLM\..\Run: [*cabav] C:\WINDOWS\security\Database\cabav.exe
    O4 - HKLM\..\Run: [*antivga] C:\WINDOWS\inf\antivga.exe
    O4 - HKLM\..\Run: [*docwin] C:\WINDOWS\Web\printers\docwin.exe
    O4 - HKLM\..\RunOnce: [*urlmsvc] C:\WINDOWS\security\Database\urlmsvc.exe rerun
    O4 - Startup: DLHelperEXE.exe
    O20 - Winlogon Notify: urlmsvc - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat

    Click FIX and then Exit HijackThis.

    Third Step:

    Now run Pocket Killbox. Select the option to Delete on Reboot.

    1) Now, Copy and Paste C:\WINDOWS\runkb.exe into the box
    2) Now, Click the Red X and Yes to the confirmation message.
    3) A message will ask if you want to reboot now – Click NO.
    4) Repeat steps 1 to 3 for all of the below files, always saying no to the Reboot now prompt until you enter the last file in the list. On that one click YES and allow your machine to reboot, however make sure you Boot To Safe Mode. You may receive an error message after rebooting into Safe Mode that says Windows could not find the files you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    Okay here is the list to delete using step 1 to 3 above:
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\dadrah.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\javaad.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\runkb.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\sysnib.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\smavaj.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\cvsmlru.dat
    C:\WINDOWS\runkb.exe
    C:\WINDOWS\regkey.exe
    C:\WINDOWS\Web\wad.exe
    C:\WINDOWS\acciis.exe
    C:\WINDOWS\system\faxvga.exe
    C:\WINDOWS\Driver Cache\tcpreg.exe
    C:\WINDOWS\system\abrwms.exe
    C:\WINDOWS\xmlfont.exe
    C:\WINDOWS\Fonts\dlllog.exe
    C:\WINDOWS\wmshard.exe
    C:\WINDOWS\security\Database\cabav.exe
    C:\WINDOWS\inf\antivga.exe
    C:\WINDOWS\Web\printers\docwin.exe
    C:\Documents and Settings\BRYANM~1\Start Menu\Programs\Startup\DLHelperEXE.exe
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\cvsmlru.dat
    C:\WINDOWS\security\Database\urlmsvc.exe

    Fourth Step:


    While in Safe Mode (making sure that you are able to view hidden files), use Windows Explorer to navigate to and DELETE the following if they remain (we are doing a double check):
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\dadrah.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\javaad.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\runkb.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\sysnib.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\smavaj.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\cvsmlru.dat
    C:\WINDOWS\runkb.exe
    C:\WINDOWS\regkey.exe
    C:\WINDOWS\Web\wad.exe
    C:\WINDOWS\acciis.exe
    C:\WINDOWS\system\faxvga.exe
    C:\WINDOWS\Driver Cache\tcpreg.exe
    C:\WINDOWS\system\abrwms.exe
    C:\WINDOWS\xmlfont.exe
    C:\WINDOWS\Fonts\dlllog.exe
    C:\WINDOWS\wmshard.exe
    C:\WINDOWS\security\Database\cabav.exe
    C:\WINDOWS\inf\antivga.exe
    C:\WINDOWS\Web\printers\docwin.exe
    C:\Documents and Settings\BRYANM~1\Start Menu\Programs\Startup\DLHelperEXE.exe
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\cvsmlru.dat
    C:\WINDOWS\security\Database\urlmsvc.exe


    Fifth Step: Searching for bad files


    We are going to search your PC for a list of files beginning with a certain pattern (this is given further down). You first need to configure Windows XP's search options as follows:
    Click Search and then select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter bkinst
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.

    Repeat the search for each of the below filenames (I already got you started on the first one) and delete all files beginning with the below. The filename extensions may be .exe, .dat, .bak and/or .ini; delete all of them:
    bkinst
    acciis
    faxvga
    tcpreg
    abrwms
    xmlfont
    dlllog
    wmshard
    cabav
    antivga
    docwin
    cvsmlru
    urlmsvc


    Sixth Step:


    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, click Start > Run and type: cleanmgr and click OK.
    Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Reboot to Normal Windows and attach a fresh HJT log. How are things running? Tell me about any problems that you may have encountered with the above instructions.
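    As an added example (not code from this thread, from HijackThis or from the poster's log), the script below parses log lines in the HijackThis format shown above and flags the traits the cleanup list relies on: hosts-file overrides, code loaded from a user Temp directory or from a .dat file, registrations pointing at missing files, and Run value names prefixed with '*'. The sample log and the benign "ExampleUpdater" entry are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the HijackThis entries quoted in this
# thread, plus one benign Run entry; it is not the poster's full log.
SAMPLE_LOG = r"""
O1 - Hosts: w2.browsertoolbar.com
O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\daavaj.dat (file missing)
O4 - HKLM\..\Run: [*xmlfont] C:\WINDOWS\xmlfont.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O20 - Winlogon Notify: urlmsvc - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|dat|ini|bak)\b", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")

@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)

def parse_entry(line: str) -> Optional[Entry]:
    """Split one 'Oxx - ...' line into its section code, body and first file path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    p = PATH_RE.search(m.group("body"))
    return Entry(m.group("section"), m.group("body"), p.group(0) if p else None)

def triage(e: Entry) -> Entry:
    """Attach flags for the traits the cleanup list in this thread was built on."""
    low = (e.path or "").lower()
    if e.section == "O1":
        e.flags.append("hosts override: name resolution redirected locally")
    if "\\temp\\" in low:
        e.flags.append("loaded from a user Temp directory")
    if low.endswith(".dat") and e.section in ("O2", "O20"):
        e.flags.append("code loaded from a .dat file")
    if "(file missing)" in e.body:
        e.flags.append("registration points at a missing file")
    n = RUN_NAME_RE.search(e.body) if e.section == "O4" else None
    if n and n.group("name").startswith("*"):
        e.flags.append("Run value name prefixed with '*'")
    return e

def suspicious_entries(log_text: str) -> List[Entry]:
    """Parse a whole log and keep only the entries that picked up at least one flag."""
    entries = [triage(e) for e in map(parse_entry, log_text.splitlines()) if e]
    return [e for e in entries if e.flags]
```

Running `suspicious_entries(SAMPLE_LOG)` keeps the O1, O2, starred O4 and O20 entries and drops the benign Run entry, which is the same split the manual fix list above makes.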
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Reconsider using programs like the below! They could be the source of some of your problems!
    O9 - Extra button: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - C:\Program Files\Starluck Casino\bin\IEExtension_SL.dll
    O9 - Extra 'Tools' menuitem: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - C:\Program Files\Starluck Casino\bin\IEExtension_SL.dll
    O9 - Extra button: Carnival Casino - {776883A9-1EA8-4d8f-88B7-AA652FEF01A7} - C:\Casino\Carnival Casino\casino.exe
    O9 - Extra 'Tools' menuitem: Carnival Casino - {776883A9-1EA8-4d8f-88B7-AA652FEF01A7} - C:\Casino\Carnival Casino\casino.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
     
