PLEASE HELP! About to lose it - Aurora remnant? VCMnet11.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rschryver1, May 18, 2005.

  1. rschryver1

    rschryver1 Private E-2

    I hope someone can help me with this. I've been working on it most of the day and am at my wits' end. I'm trying to get rid of what I think are the last remnants of the Aurora spyware that I inadvertently dloaded yesterday. I've used MS Antispyware, Lavasoft's Ad-Aware and Spybot a number of times as well as dloading the supposed clean up utility from mypctuneup.com. These programs were successful in getting rid of most everything that was creating the non-stop popup issue but there is still one file that I can't prevent from loading regardless of what I do. Because of this file, the endless popup problem (rapid fire pop ups until I disable the internet connection) continues. The name of this file is VCMnet11.exe. It shows up in HJS as the following:

    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe

    I've tried using HJS to identify and delete the instance of the file from the Registry as well as from the C:\Windows directory. It doesn't show up in Safemode. Every time I reboot though, the file comes back. Any ideas how to get rid of this headache?

    Thanks,
    Rob
     
  2. rschryver1

    rschryver1 Private E-2

    I guess I should say thanks even though no one responded to my posts. I ended up using bits and pieces of other posted approaches that had been successful. After quite a few changes to the sequence these steps were performed, the problem was solved. In case anyone cares, here's what worked:
    1. Turn off System Restore
    2. Reboot (Very important to do this FIRST before deleting/fixing anything)
    3. Launch HJS, find, check off and fix reference to VCMnet11.exe
    4. Reboot in Safemode
    5. Goto C:\Windows directory, find and delete VCMnet11.exe
    6. Reboot in normal mode
    7. Turn on System Restore
    8. Rapidly drink 4-6 beers in celebration
     
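The O4 line quoted in the first post and the fix steps above amount to a simple check: a Run key value whose command points at an executable sitting directly in C:\WINDOWS, with the full path used as the value name. The following is an added example, not code from this thread or from HijackThis, that parses O4 lines from a HijackThis log and flags entries with those two traits; the log excerpt is constructed, and the entries other than the VCMnet11.exe line are made up for contrast.

```python
import re
from pathlib import PureWindowsPath

# Constructed HijackThis log excerpt. The first O4 line is the one quoted in
# the thread; the remaining lines are invented (two benign-looking vendor
# entries and one invented entry in the Windows root) for contrast.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [C:\\WINDOWS\\VCMnet11.exe] C:\\WINDOWS\\VCMnet11.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - HKLM\\..\\Run: [svcmon11] C:\\WINDOWS\\svcmon11.exe
O1 - Hosts: 127.0.0.1 localhost
"""

# HijackThis registry-autorun lines: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[\w\\]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_o4(line):
    """Return the fields of an O4 registry entry, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def exe_path(cmd):
    """Extract the executable path from a Run-key command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)  # unquoted: up to the first .exe
    return m.group(1) if m else cmd.split()[0]

def suspicious_reasons(entry, windir="C:\\WINDOWS"):
    """Heuristics drawn from the thread's entry; a hit is a lead, not a verdict."""
    reasons = []
    path = PureWindowsPath(exe_path(entry["cmd"]))
    if str(path.parent).lower() == windir.lower():
        reasons.append("executable sits directly in the Windows directory")
    if entry["name"].strip().lower() == str(path).lower():
        reasons.append("value name is the full path rather than a product name")
    return reasons

def flag_o4_entries(log_text, windir="C:\\WINDOWS"):
    """Map each flagged executable path to the list of reasons it was flagged."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            reasons = suspicious_reasons(entry, windir)
            if reasons:
                flagged[exe_path(entry["cmd"])] = reasons
    return flagged

if __name__ == "__main__":
    for path, reasons in flag_o4_entries(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

Running it against a real log after the reboot in step 6 tells you whether the Run value is back before the popups do.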
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Glad to see you got it worked out. The steps you followed are our standard operating procedures to fix most problems.
     
  4. rschryver1

    rschryver1 Private E-2

    OK - just when I thought it was safe to assume I'd fixed the problem, lo and behold VCMnet11.exe has shown up yet again. It was gone all through yesterday evening but at 10AM this morning it has shown up again. I did not dload or accept any plug-ins so my assumption is that it actually was never gone....just well hidden. So, with that, does anyone have any inputs? This thing just won't go away.

    Thanks,
    Rob
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This one may prove to be troublesome. Please follow the steps below.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps below:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    - Also Generate a StartupList log using HijackThis.
    Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". Click Yes to the Do you want to continue prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.
     
  6. rschryver1

    rschryver1 Private E-2

    Hello again - I've waited a few days to post this in order to better ensure this thing is actually gone this time but I think we finally have it licked.

    Below is a list of the steps I performed from the Introduction thread and the results of those steps. Perhaps this will be useful to others who run into this malicious infection. In my case, the Online Symantec Security Check and Bitdefender appear to be the utilities that found the root causes of the issue. To reiterate what chaslang repeatedly reminds everyone - FOLLOW EVERY STEP! DON'T SKIP ANYTHING.

    Getting Prepared
    1. Disabled System Restore and rebooted

    2. I don't have the about:blank or home search hijack issue but I went into services.msc anyway just to see if any of the listed services were present. None of them were.

    3. Went into Windows Explorer and ensured all hidden files would be visible per your steps

    4. Dloaded all the suggested utilities and installed/placed them in a folder under the c:\windows directory


    Scanning and Cleaning Steps
    1. Conducted the following scans while in Safe Mode:
    a. Trend Micro's Free Online Virus Scan - nothing found

    b. Online Symantec Security Check - a number of things were found. What is strange is my Symantec Antivirus Client did not detect these items. I double checked to ensure I had the most recent updates dloaded then ran a full scan and not a single one of these showed up. I located and deleted these files while in Safe Mode.
    C:\WINDOWS\system32\nsa12A.dll is infected with Adware.BigTrafficNet
    C:\WINDOWS\Downloaded Program Files\ysbactivex.dll is infected with Adware.Istbar
    C:\Program Files\Network ICE\BlackICE\evd021.enc is infected with Adware.BargainBuddy
    C:\Program Files\Network ICE\BlackICE\evd022.enc is infected with Adware.BargainBuddy
    C:\Program Files\MicrosoftAntiSpyware\Quarantine\7D7A68FD-7F85-480B-9A06901C6F\4208D37A-9BCC-44A5-85AE-99865A is infected with Adware.Bookedspace
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll is infected with Adware.Minibug

    c. CCleaner – found and deleted a buttload of unnecessary files. Not sure if any were responsible for my current mess, but this is a good tool to use even under normal circumstances.

    d. Adaware (with the VX2 plug in) and Spybot – ran a full system scan with Ad-Aware as well as the VX2 add-on utility. No critical objects were found. Then ran Spybot – nothing found here either. Activated the Immunize feature.

    e. Ran the following in the order listed
    1. CWShredder – ran with the fix option selected. System was clean
    2. Kill2Me – found and removed the Look2Me infection (actually the message was kind of confusing and said it removed it only if it was present so not sure if I actually had it or not)

    NOTE: Rebooted into normal mode before performing the next steps. Upon rebooting, my Symantec Antivirus program popped a warning message indicating that it had blocked the file VCMnet11.exe from loading. However, when I went into the C:\Windows directory, the file was there. I deleted it manually.

    3. Bitdefender – a number of intruders were found and some of them were deleted automatically while in Normal boot mode. Some still remained though so I rebooted into Safe Mode and successfully deleted the 2 files (uwnecwebc.exe, WxBug.EXE).

    4. RavAntivirus – nothing found

    5. TrojanScan – a few malware oriented cookies were found – ran CCleaner again to get rid of them

    6. a-squared (a²) Free edition – nothing found

    7. avast! Virus Cleaner Tool - no virus body found

    8. ADS SPY - Alternate Data Streams Spy from Merijn – no suspicious ADS streams found

    Finally, I ran CCleaner one more time, rebooted into normal mode and ran HJS to see if there was anything out of order there. I rebooted a number of times and surfed around, checked email, used AIM, etc to see if things were going to pop back up while connected to the web.

    It appears for now that things are OK. I can’t find any remnant of the VCMnet11.exe file. Hopefully that's the end of the story.

    Thanks again for your help with this issue.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Let me know if it comes back. I have seen people have problems with this file coming back many times.
     
