Malware/Spyware/virus help - already done How to removal guide...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bmontana, Jan 27, 2005.

  1. bmontana

    bmontana Private E-2

    Specs:
    IBM R40 Notebook
    MS Win XPP w/Serv. pk 1
    Intel Pent M 1.3
    597MHz
    256MB RAM
    40GB Hard Drive

    Internet Providers:
    AOL
    Comcast Broadband


    Good evening,
    I am having problems with Malware and its apparent effects on my computer. I currently am running the latest McAfee AV (provided by AOL) with auto updates, as well as Zone Alarm (v 5.5 - free download version). I get random alerts with attempts to access my computer by .exe programs and .dll applications. Such examples include "xmlfont.exe, xmlanti.exe, dbdns.exe", etc. I have followed all suggested steps in the "How to: Spyware, Trojan and Virus Removal" guide, and I still have the following noticeable problems:
    a.) I cannot access the following websites via my IE browser (using my Comcast Broadband wireless connection)
    - google.com
    - 53.com (Fifth Third Bank)
    b.) I cannot access 53.com on either IE nor via my AOL web browser (although I can access google through the AOL browser)

c.) when I restart/turn off my computer, a warning message pops up saying " 'odbcras.exe - DLL INITIALIZATION FAILED' The application failed to initialize..."

I have run the Killbox program, and have a log file created. I know it says not to post unless asked, so let me know if you would like me to send it as an attachment.

    Thanks for your help!

    bmontana
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I believe you mean you have run HijackThis and created a log, not Killbox.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. bmontana

    bmontana Private E-2

    It will not let me run HiJackthis. I downloaded it to c:\Programfiles\hijackthis, and when I click the icon, a window pops up that says:

    "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

    I did just download the new AOL which has an updated version of McAfee Virus Protector, and a window showed up saying a Virus has been detected and cleaned. The file C:\docume~1\bryanm~1\locals~1\Temp\TemporaryDirectory1forhijackthis.zip\HijackThis.exe was infected by the W32/Generic.worm!p2p virus and has been deleted to complete the Clean process. It also will not let me Clean, Quarantine, or Delete the program. Says cannot find the file.

    Can you please advise?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Either uninstall the AOL Virus protector or get the current McAfee definitions. The older version had a bug which said HijackThis had a virus and it did not. Thus your HijackThis.zip never got downloaded. Or when you went to run Hijackthis.exe it was deleted by the virus scan.

    It has been a very long time (malware wise) since you ran the READ ME FIRST sticky steps. Since you waited so long to come back, you really should run them again. Make sure you update each program because they have changed.
     
    Last edited: Feb 18, 2005
  5. bmontana

    bmontana Private E-2

    Will do. Re-installing/running How to programs. Will post results...
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Did you get HJT 1.99.1 now?
     
  7. bmontana

    bmontana Private E-2

I am still in the process of doing all of the recommended steps in the How to section. I am having a problem though. When attempting to update Spybot, it fails on all updates, giving me this log for each of the updates that I attempt:

    2/17/2005 9:49:36 PM downloaded update Startup info
    2/17/2005 9:49:36 PM - URL: http://www.see-cure.de/updates/files/startup.zip
    2/17/2005 9:49:36 PM - Local file: C:\MajGeek Vir Programs\Spybot - Search & Destroy\Updates\startup.zip
    2/17/2005 9:49:36 PM - FILE REJECTED because of bad checksum

    I tried downloading the following updates:
    Advanced detection library
    Detection rules
    English help
    Immunization database
    Startup info

    All give the 'Info' result of "!!!bad checksum!"

    Any suggestions?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. bmontana

    bmontana Private E-2

    Got you. Eventually got updates for Spybot. Now I can't download updates for SpywareBlaster! It's saying "Error Connecting to Server...may be temp unavailable or a conflict w/your Firewall sw installed on your PC..."

    Think it's just the server being busy again?

    I am currently doing the Trend AV Scan. I will post reply once done. I will await your response on the SpywareBlaster updates.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It could be a similar issue. Or you could be blocking it with a firewall. Do you have a firewall? If so, do a temporary disable and try to update.

Note: you should not be online with browsers open during certain scans. Obviously you must for the online scanners but for everything else exit all apps before scanning. See the note in the READ ME about this.
     
  11. bmontana

    bmontana Private E-2

    Yes, I have ZoneAlarm's sw firewall. I tried enabling all of the required programs in the firewall....I will try disabling the fw before trying the updates.

    Also...I ran the Trend Scan and it found 1 Trojan Virus. Couldn't clean....deleted it.

The Symantec scan found 26 threats. I have the log saved in a wordpad document if you want. The first couple that it found were Trojan.Vundo threats. When I followed the recommended steps to remove, I downloaded and ran the FixVundo.exe program, and it found "no Trojan.Vundo" files on my computer. Odd. Any suggestions on that?

    I will disable ZoneAlarm, and try the updates.

    Thanks!
     
  12. bmontana

    bmontana Private E-2

    Tried SpywareBlaster updates again w/FW disabled, and still cannot access updates. Still says "Error connecting to server....error getting update info f/server, srvr may be temp. unavailable, or may be conflict w/FW sw installed on your computer...."
     
  13. bmontana

    bmontana Private E-2

    Ok, tried disabling firewall and Internet access, and FixVundo still found no Trojan.Vundo files on my computer. Even though my Symantec Log obviously shows I do have them. Think the Symantec AV quarantined them automatically? I have attached the Symantec log in this post as well.
     

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure these were fixed? It looks like they are still present from that log.
     
  15. bmontana

    bmontana Private E-2

    Not sure what you mean "are you sure these were fixed". No, the Trojan.Vundo files were not fixed, as I mentioned the FixVundo.exe program that Symantec tells you to use to remove the files it found "did not find any Trojan.Vundo files on your computer". Symantec's log clearly shows I have them, but FixVundo does not find them.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run their tool with all browsers exited and with your physical connection to the internet unplugged?

    Give that a try. If that does not work, follow my guidelines in message # 2 and post a HijackThis log.
     
  17. bmontana

    bmontana Private E-2

    Tried Symantec FixVundo.exe program with Internet connection off and all browsers exited. Still didn't find the Trojan.Vundo files that the Sym AV said it found.

    Here is my HiJack this log. Let me know what you suggest to do next.
     

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a bunch of Virtumundo problems and some others. I'm working on your log now.
     
    Last edited: Feb 23, 2005
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also, you have a broken LSP chain. Download LSPFix from(http://www.majorgeeks.com/download4180.html) and run it.

Check the "I know what I am doing" box. Click on connwsp.dll in the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

    Download Pocket KillBox and extract it to its own folder where you will be able to find it. Do not run it yet.

    Please print out these instructions (or save them locally) so that you can operate with All Browser Windows CLOSED. Do that now before going any further.

    Please follow the instructions carefully.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    First Step:

    Open Windows Explorer and navigate to C:\WINDOWS\PREFETCH
    And delete all files in this folder. Do not delete the Prefetch folder. Just the files in it.

    Second Step:

Run HijackThis and Check the Boxes for the Following (but do not click Fix yet):
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O1 - Hosts: rowsertoolbar.com
    O1 - Hosts: 127.0.0.
    O1 - Hosts: .browsertoolbar.com
    O1 - Hosts: 12
    O1 - Hosts: w2.browsertoolbar.com
    O1 - Hosts: w2.browsertoolbar.com
    O1 - Hosts: 12
    O1 - Hosts: 127.0
    O1 - Hosts: om
    O1 - Hosts: .com
    O1 - Hosts: ar.com
    O1 - Hosts: lbar.com
    O1 - Hosts: oolbar.com
    O1 - Hosts: rtoolbar.com
    O1 - Hosts: sertoolbar.com
    O1 - Hosts: 127.0.0.
    O1 - Hosts: owsertoolbar.com
    O1 - Hosts: 12
    O1 - Hosts: 127.0
    O1 - Hosts: 2.browsertoolbar.com
    O1 - Hosts: ww2.browsertoolbar.com
    O1 - Hosts: 127.0
    O1 - Hosts: .www2.browsertoolbar.com
    O1 - Hosts: w.www2.browsertoolbar.com
    O1 - Hosts: 127.0.
    O1 - Hosts: 1
    O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\daavaj.dat (file missing)
    O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\dadrah.dat
    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\bknur.dat (file missing)
    O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\sysnib.dat
    O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\smavaj.dat
    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat
    O4 - HKLM\..\Run: [runkb] C:\WINDOWS\runkb.exe
    O4 - HKLM\..\Run: [regkey] C:\WINDOWS\regkey.exe
    O4 - HKLM\..\Run: [*wad] C:\WINDOWS\Web\wad.exe
    O4 - HKLM\..\Run: [acciis] C:\WINDOWS\acciis.exe
    O4 - HKLM\..\Run: [*faxvga] C:\WINDOWS\system\faxvga.exe
    O4 - HKLM\..\Run: [*tcpreg] C:\WINDOWS\Driver Cache\tcpreg.exe
    O4 - HKLM\..\Run: [*abrwms] C:\WINDOWS\system\abrwms.exe
    O4 - HKLM\..\Run: [*xmlfont] C:\WINDOWS\xmlfont.exe
    O4 - HKLM\..\Run: [*dlllog] C:\WINDOWS\Fonts\dlllog.exe
    O4 - HKLM\..\Run: [*wmshard] C:\WINDOWS\wmshard.exe
    O4 - HKLM\..\Run: [*cabav] C:\WINDOWS\security\Database\cabav.exe
    O4 - HKLM\..\Run: [*antivga] C:\WINDOWS\inf\antivga.exe
    O4 - HKLM\..\Run: [*docwin] C:\WINDOWS\Web\printers\docwin.exe
    O4 - HKLM\..\RunOnce: [*urlmsvc] C:\WINDOWS\security\Database\urlmsvc.exe rerun
    O4 - Startup: DLHelperEXE.exe
    O20 - Winlogon Notify: urlmsvc - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat

    Click FIX and then Exit HijackThis.

    Third Step:

Now run Pocket Killbox. Select the option to Delete on Reboot.

    1) Now, Copy and Paste C:\WINDOWS\runkb.exe into the box
    2) Now, Click the Red X and Yes to the confirmation message.
    3) A message will ask if you want to reboot now – Click NO.
4) Repeat steps 1 to 3 for all of the below files, always saying no to the Reboot now prompt until you enter the last file in the list. On that one click YES and allow your machine to reboot, however make sure you Boot To Safe Mode. You may receive an error message after rebooting into Safe Mode that says Windows could not find the files you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    Okay here is the list to delete using step 1 to 3 above:
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\dadrah.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\javaad.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\runkb.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\sysnib.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\smavaj.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\cvsmlru.dat
    C:\WINDOWS\runkb.exe
    C:\WINDOWS\regkey.exe
    C:\WINDOWS\Web\wad.exe
    C:\WINDOWS\acciis.exe
    C:\WINDOWS\system\faxvga.exe
    C:\WINDOWS\Driver Cache\tcpreg.exe
    C:\WINDOWS\system\abrwms.exe
    C:\WINDOWS\xmlfont.exe
    C:\WINDOWS\Fonts\dlllog.exe
    C:\WINDOWS\wmshard.exe
    C:\WINDOWS\security\Database\cabav.exe
    C:\WINDOWS\inf\antivga.exe
    C:\WINDOWS\Web\printers\docwin.exe
    C:\Documents and Settings\BRYANM~1\Start Menu\Programs\Startup\DLHelperEXE.exe
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\cvsmlru.dat
    C:\WINDOWS\security\Database\urlmsvc.exe

    Fourth Step:


    While in Safe Mode (making sure that you are able to view hidden files), use Windows Explorer to navigate to and DELETE the following if they remain (we are doing a double check):
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\dadrah.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\javaad.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\runkb.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\sysnib.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\smavaj.dat
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\cvsmlru.dat
    C:\WINDOWS\runkb.exe
    C:\WINDOWS\regkey.exe
    C:\WINDOWS\Web\wad.exe
    C:\WINDOWS\acciis.exe
    C:\WINDOWS\system\faxvga.exe
    C:\WINDOWS\Driver Cache\tcpreg.exe
    C:\WINDOWS\system\abrwms.exe
    C:\WINDOWS\xmlfont.exe
    C:\WINDOWS\Fonts\dlllog.exe
    C:\WINDOWS\wmshard.exe
    C:\WINDOWS\security\Database\cabav.exe
    C:\WINDOWS\inf\antivga.exe
    C:\WINDOWS\Web\printers\docwin.exe
    C:\Documents and Settings\BRYANM~1\Start Menu\Programs\Startup\DLHelperEXE.exe
    C:\Documents and Settings\BRYANM~1\Local Settings\Temp\cvsmlru.dat
    C:\WINDOWS\security\Database\urlmsvc.exe


    Fifth Step: Searching for bad files


We are going to search your PC for a list of files beginning with a certain pattern (this is given further down). You first need to configure Windows XP's search options as follows:
Click Search and then Select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter bkinst
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders
    Then click the Search button.

    Repeat the search for each of the below filenames (I already got you started on the first one): and delete all files beginning with the below. The filename extensions may be .exe, .dat, .bak and/or .ini, delete all of them:
    bkinst
    acciis
    faxvga
    tcpreg
    abrwms
    xmlfont
    dlllog
    wmshard
    cabav
    antivga
    docwin
    cvsmlru
    urlmsvc


    Sixth Step:


    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

Then, as an added precaution, click Start > Run and type: cleanmgr and click OK.
    Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Reboot to Normal Windows and attach a fresh HJT log. How are things running? Tell me about any problems that you may have encountered with the above instructions.
     
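The HijackThis entries chaslang singles out above share a few traits: Run entries whose names start with "*", executables dropped into Windows subfolders where no legitimate startup program lives (Fonts, inf, Driver Cache, security\Database, Web\printers), BHO and Winlogon Notify entries loading .dat files from the user's Temp folder, and a RunOnce entry that re-arms itself with "rerun". The script below is an added example, not code from this thread or from HijackThis, that scores HJT log lines on those traits; the set of "odd" folders and the sample log lines are constructed here from the entries quoted in the thread.

```python
"""Triage HijackThis (HJT) log lines for the autorun patterns seen in this thread.

Added example (not part of the thread or of HijackThis). Heuristics only: a line
with no reasons is not proven clean, e.g. C:\\WINDOWS\\runkb.exe is not caught.
"""
import re

# Windows subfolders in which a legitimate startup .exe almost never lives.
# Assumption of this example, taken from the paths in the posted log.
ODD_EXE_DIRS = (
    r"c:\windows\fonts", r"c:\windows\inf", r"c:\windows\driver cache",
    r"c:\windows\security\database", r"c:\windows\web", r"c:\windows\system",
)
TEMP_RE = re.compile(r"\\locals~1\\temp\\|\\local settings\\temp\\", re.I)
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+)\s*-\s*(?P<body>.*)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<path>.*)$")
MISSING_RE = re.compile(r"\s*\(file missing\)\s*$", re.I)


def classify(line):
    """Return the reasons one HJT log line looks suspicious (empty list = none seen)."""
    reasons = []
    m = LINE_RE.match(line.strip())
    if not m:
        return reasons
    sec, body = m.group("sec"), m.group("body")
    if sec == "O4":
        mm = O4_RE.search(body)
        if mm:
            name = mm.group("name")
            path = mm.group("path").strip().lower()
            if name.startswith("*"):
                reasons.append("O4 entry name starts with '*'")
            if any(path.startswith(d + "\\") for d in ODD_EXE_DIRS):
                reasons.append("O4 target lives in an unusual Windows subfolder")
            if TEMP_RE.search(path):
                reasons.append("O4 target lives in a user Temp folder")
            if path.endswith(" rerun"):
                reasons.append("RunOnce entry re-arms itself with 'rerun'")
    elif sec in ("O2", "O20"):
        # BHO (O2) and Winlogon Notify (O20) handlers should be DLLs in Program
        # Files or System32, not .dat files sitting in a user's Temp folder.
        path = MISSING_RE.sub("", body).strip().lower()
        if TEMP_RE.search(path) and path.endswith(".dat"):
            reasons.append(sec + " loads a .dat from a user Temp folder")
    elif sec == "O1":
        reasons.append("O1 Hosts entry: hosts file has been altered")
    return reasons


def triage(log_text):
    """Map each suspicious line of an HJT log to its reasons, in log order."""
    findings = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


# Constructed sample: entries quoted in the thread plus one benign control line.
SAMPLE_LOG = "\n".join([
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm",
    r"O1 - Hosts: w2.browsertoolbar.com",
    r"O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\dadrah.dat",
    r"O4 - HKLM\..\Run: [*faxvga] C:\WINDOWS\system\faxvga.exe",
    r"O4 - HKLM\..\Run: [runkb] C:\WINDOWS\runkb.exe",
    r"O4 - HKLM\..\RunOnce: [*urlmsvc] C:\WINDOWS\security\Database\urlmsvc.exe rerun",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O20 - Winlogon Notify: urlmsvc - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat",
])

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    -", reason)
```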
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Reconsider using programs like the below! They could be the source of some of your problems!
    O9 - Extra button: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - C:\Program Files\Starluck Casino\bin\IEExtension_SL.dll
    O9 - Extra 'Tools' menuitem: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - C:\Program Files\Starluck Casino\bin\IEExtension_SL.dll
    O9 - Extra button: Carnival Casino - {776883A9-1EA8-4d8f-88B7-AA652FEF01A7} - C:\Casino\Carnival Casino\casino.exe
    O9 - Extra 'Tools' menuitem: Carnival Casino - {776883A9-1EA8-4d8f-88B7-AA652FEF01A7} - C:\Casino\Carnival Casino\casino.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
     
  21. bmontana

    bmontana Private E-2

Ok, recommended steps followed. Attached follow-up HJT log as well.

    The only major problem I encountered was that I was unable to delete URLMSVC.exe in step 4 and again in step 5.

    In step 4:
    C:\WINDOWS\security\Database\urlmsvc.exe
    -can't delete C:\WINDOWS\security\Database\urlmsvc.exe
    -"Access Denied. Make sure disk is not full or writeprotected and that file is not in use.

    In step 5:
    urlmsvc
    -once again...can't delete C:\WINDOWS\security\Database\urlmsvc.exe
    -"Access Denied. Make sure disk is not full or writeprotected and that file is not in use.

    Also in step 5, I only found xmlfont and urlmsvc in my search, none of the other search filenames.


    Also, should I uncheck "Turn off System Restore" and "Show Hidden Files" once we are done here?

    Let me know what to do next. Thanks again for your help!
     

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

We are not done yet so don't change anything. Why did you start using msconfig? Do not use it to control startups. Please run msconfig and set it back for Normal Startup. You still have Virtumundo problems due to the file you said you could not delete. You probably needed to kill the process that was running first using Task Manager.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please print out these instructions (or save them locally) so that you can operate with All Browser Windows CLOSED. Do not run a browser again until told to.

NEW IMPORTANT STEP: PHYSICALLY UNPLUG YOUR CABLE FROM THE INTERNET NOW!!! LEAVE IT UNPLUGGED UNTIL TOLD TO PLUG IN!!!

    Do that now before going any further.

    Please follow the instructions carefully.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    First Step:

    Open Windows Explorer and navigate to C:\WINDOWS\PREFETCH
    And delete all files in this folder. Do not delete the Prefetch folder. Just the files in it.

    Second Step:

    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKLM\..\Run: [*docwin] C:\WINDOWS\Web\printers\docwin.exe
    O4 - HKLM\..\RunOnce: [*urlmsvc] C:\WINDOWS\security\Database\urlmsvc.exe rerun
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O20 - Winlogon Notify: urlmsvc - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat

    Third Step:

I am going to use a different set of options with Killbox this time so make sure you read closely.
Now run Pocket Killbox. Select the option to Replace on Reboot.

    1) Now, Copy and Paste C:\Documents and Settings\BRYANM~1\Local Settings\Temp\cvsmlru.dat
    into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.
5) Repeat steps 1 to 4 for all of the below files, always saying no to the Reboot now prompt until you enter the last file in the list. On that one click YES and allow your machine to reboot, however make sure you Boot To Safe Mode. You may receive an error message after rebooting into Safe Mode that says Windows could not find the files you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    C:\WINDOWS\Web\printers\docwin.exe
    C:\WINDOWS\security\Database\urlmsvc.exe <--- make sure you reboot to safe mode after this one

    Fourth Step: You must be in safe mode here

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them (if found) by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\security\Database\urlmsvc.exe
    C:\WINDOWS\Web\printers\docwin.exe

    While in Safe Mode (making sure that you are able to view hidden files), use Windows Explorer to navigate to and DELETE the following if they remain (we are doing a double check):
    C:\WINDOWS\security\Database\urlmsvc.exe
    C:\WINDOWS\Web\printers\docwin.exe

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Fifth Step:
Then, as an added precaution, click Start > Run and type: cleanmgr and click OK.
    Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Sixth Step:
    Reboot to Normal Windows! Now still no browsers and still unplugged. Run the Symantec Trojan.Vundo Removal Tool you downloaded earlier. Do not run anything else while it is running.

    Then reboot again to normal mode and reconnect your cable.

    Get a new HJT log. Open a browser and post your log.
    How are things running? Tell me about any problems that you may have encountered with the above instructions.
     
  24. bmontana

    bmontana Private E-2

    New steps followed. Problems:

    Fourth Step:
    C:\WINDOWS\security\Database\urlmsvc.exe
    -Clicked "Kill Process", asks "are you sure you want to close the selected process? Any unsaved data will be lost"
    But the urlmsvc.exe file above still shows in the process manager

    C:\WINDOWS\security\Database\urlmsvc.exe
    -Still cannot delete file above. Same error message.

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
    -checked this as well, 'read only' was not checked


    Sixth Step:

    Tried running FixVundo.exe again, still says no Trojan.Vundo files found on your computer.


    New HJT log attached.
     

  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why am I seeing Notepad running in you HJT process list? Are you running it? Why?

    Did you run all of these steps with the cable from your dial-up, or cable modem, or DSL modem (I don't remember if we discussed how you connect) physically unplugged?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Repeat the steps from step 1 (ignoring anything that does not exist anymore) but this time make sure you are in Safe mode before starting Step 1 and stay in safe mode for all steps until you get to Step 6! Then return to normal boot mode. We need to get that process killed and file deleted. Something else must be locking us out.

    The below three lines still showed in your log:

    C:\WINDOWS\security\Database\urlmsvc.exe

    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat
    O4 - HKLM\..\RunOnce: [*urlmsvc] C:\WINDOWS\security\Database\urlmsvc.exe rerun
    O20 - Winlogon Notify: urlmsvc - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat
     
  27. bmontana

    bmontana Private E-2

Notepad was running because I had your instructions pasted in there. Apologies...I thought I had all programs shut down. Trying your other suggestions...
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


Any luck? Post a new HJT log when you come back.
     
  29. bmontana

    bmontana Private E-2

    Ah...how frustrating! Did all steps again, and I still could not remove any instances of 'cvsmlru.dat' or 'urlmsvc.exe'. Also, when I run the HijackThis "Open Misc. Tools", "open process manager" and look for 'urlmsvc', it finds it but when I delete it, it just pops back up w/a new "Running Process" number (I think incrementally, as the new running proc. number seems to keep getting higher).

    Attaching new HJT log. Please help!
     

  30. PhilliePhan

    PhilliePhan Guest

    Hi BMontana,

Look in this folder C:\WINDOWS\security\Database for all occurrences of urlmsvc and cvsmlru (.ini, .exe, .dat, .bak, etc...) and delete what you can.

    You should also run a search of your machine for urlmsvc and cvsmlru and see where else they may be hiding out (Prefetch folder, etc...) and try to remove them.


    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixmundo.reg


    REGEDIT4

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urlmsvc]




    Leave it for now.


    Next:
    Make sure you are completely disconnected from the Internet.

    Then, run CCleaner.


    Now:
    Click on the fixmundo.reg file you made and allow it to merge the registry entries into the registry.


    Then, scan with HJT and check the boxes for the following:

    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat
    O4 - HKLM\..\RunOnce: [*urlmsvc] C:\WINDOWS\security\Database\urlmsvc.exe rerun
    O20 - Winlogon Notify: urlmsvc - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat

    Make sure all browser windows are closed. Now, Click FIX and then while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\security\Database\urlmsvc.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) again run a search for urlmsvc and cvsmlru and delete what you find.

    Then, run CCleaner again and give us a fresh HJT log.

    Best Luck,

    PP :)
     
  31. bmontana

    bmontana Private E-2

Ok. Followed suggested steps, and here's what occurred:

Look in this folder C:\WINDOWS\security\Database for all occurrences of urlmsvc and cvsmlru (.ini, .exe, .dat, .bak, etc...) and delete what you can.

    wouldn't let me delete urlmsvc.exe in folder above
    cvsmlru found as cvsmlru.bak1, cvsmlru.bak2, and cvsmlru.ini. Deleted.

    You should also run a search of your machine for urlmsvc and cvsmlru and see where else they may be hiding out (Prefetch folder, etc...) and try to remove them.

    deleted urlmsvc in Prefetch, but wouldn't let me delete urlmsvc.exe in c:\windows\security\database


    While in Safe Mode (making sure that you are able to view hidden files) again run a search for urlmsvc and cvsmlru and delete what you find.

    still couldn't delete urlmsvc.exe (Access Denied)
    found cvsmlru.dat and cvsmlru.ini, wouldn't let me delete .dat from c:Documentsandsettings\bryanm....


    Attached new HJT log below.

    Thank you, and pls let me know what to try next!
     

  32. PhilliePhan

    PhilliePhan Guest

    Did you merge the fixmundo.reg and then continue with the delete on reboot instructions? You must follow those instructions carefully and completely and exactly in that order! This thing has backups all over your machine, so you first have to remove all that you are able and then run the reg merge and then the delete on reboot, in that order.

    Try deleting C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat on Reboot as well and see if that gets it.

    I know this is really frustrating - Hang in there and try the procedure again! :)

    PP
     
  33. bmontana

    bmontana Private E-2

I'm pretty certain I did it exactly as instructed. I will retry the steps again though and see if we can get it right! Probably won't get to it until tomorrow, so I will post the results then.

    Thanks!
     
  34. PhilliePhan

    PhilliePhan Guest

    Man, I've been fighting this thing for a long time and it takes a lot of tenacity! It has recently changed and become even more of a bear . . . Ton of backups, etc . . . . Well, you know ;)

    It may take a few trips through those instructions - Make sure to be disconnected from the net when you do them and to note every crevice and corner where you find it hiding.

    Good luck!

    PP :)
     
  35. bmontana

    bmontana Private E-2

Will do! I don't have a printer at home, so I am sending this to my work email to print out there. I want to make certain I'm doing everything EXACTLY as dictated. I will post a new reply tomorrow.

    Thank you!

    BM
     
  36. bmontana

    bmontana Private E-2

I have tried a few more times EXACTLY as directed, and still no luck. I want to make certain we are on the same page here, because it appears that the problem lies in 2 areas. 1.) (and I believe the main cause of the problem) is that I cannot delete urlmsvc.exe. I find it, but it will not let me delete it. The exact error msg. is 'ERROR DELETING FILE OR FOLDER' - 'cannot delete urlmsvc: Access is denied. Make sure the disk is not full or write protected and that the file is not currently in use'.
    *note that I have already tried right clicking the file, going to Properties, and making sure the file wasn't checked as "Read Only"

2.) Secondly, when I delete instances of cvsmlru (i.e. cvsmlru.ini - located in C:\WINDOWS\security\Database), it lets me delete it, and then in a few seconds it just pops back onto the screen (as if it replicates upon deletion). This was also apparent during the HijackThis "Open Misc. Tools", "open process manager" step of the process, as when I delete urlmsvc, it just reappears with a new running process number.

    Can you please address this issue before moving on with any new suggestions.

    Thanks again for all of your help!

    BMontana
     
    Last edited: Mar 16, 2005
  37. PhilliePhan

    PhilliePhan Guest

    OK! But, it is late here and I'm about to hit the sack. Try running the Symantec removal tool one more time (humor me ;) ) and I'll try to post some new instructions Wednesday evening. There will be some commands involved and I want to make sure I get the syntax right before posting them - That won't happen at this late hour!

    PP :)
     
  38. PhilliePhan

    PhilliePhan Guest

    Hi BMontana,

    I’ve reworked the removal steps a bit, so let’s try them this way. Do them after running the Symantec Tool as I suggested in previous post. Some of the steps are rehashed, but you still need to do them thoroughly - as I’m sure you know by now! ;)

    So, off we go again . . . . . .

    Look in this folder C:\WINDOWS\security\Database for all occurrences of urlmsvc and cvsmlru (.ini, .exe, .dat, .bak, etc...) and delete what you can.

    You should also run a search of your machine for urlmsvc and cvsmlru and see where else they may be hiding out (Prefetch folder, etc...) and try to remove them.


    NOW:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixmundo.reg


    REGEDIT4

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urlmsvc]

    Leave it for now.


    NEXT:
    Make sure you are completely disconnected from the Internet.

    Then, run CCleaner.


    NOW:
    DoubleClick on the fixmundo.reg file you made and follow the prompts to allow it to merge the registry entries into the registry.



    NOW:
    Please boot to Safe Mode.

    THEN:
    Open a command prompt by clicking Start, Run, and enter cmd and click OK.
    Please enter the following lines in the command prompt window and follow each with the enter key (at any prompts you get just answer yes! Make sure you enter the commands correctly, don't miss the spaces):

    cacls C:\WINDOWS\security\Database\urlmsvc.exe /g Everyone:f
    cd C:\WINDOWS\security\Database
    attrib -r -h -s urlmsvc.exe
    del urlmsvc.exe
    exit


    NEXT:
    Empty your Recycle Bin


    THEN:
    Scan with HijackThis and fix the following lines:
    O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat
    O4 - HKLM\..\RunOnce: [*urlmsvc] C:\WINDOWS\security\Database\urlmsvc.exe rerun
    O20 - Winlogon Notify: urlmsvc - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat


    FINALLY:
    Reboot to normal Windows and tell me how you fared. If you received any error messages along the way, let me know! Also, if the above was unsuccessful, give me a fresh HJT log.

    Best luck :)
    PP
     
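    The manual sequence in the post above (search for the two names, unlock and delete the files, remove the Winlogon Notify key, verify), collected into one batch file. This is an added example, not PhilliePhan's instructions: the file and key names are the ones quoted in this thread, the RunOnce path is the standard HKLM one behind the O4 line, and it assumes you run it from a command prompt in Safe Mode with the network disconnected.

    ```batch
    @echo off
    rem Added example, not part of the original post: automates the manual steps
    rem above for the two names that appear in this thread. Run from a command
    rem prompt in Safe Mode, disconnected from the net, so the process that
    rem re-creates the files is not running while they are deleted.
    setlocal

    set "DBDIR=C:\WINDOWS\security\Database"
    set "NOTIFY=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urlmsvc"
    set "RUNONCE=HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"

    rem 1. Search the whole drive for any extension of either name and report
    rem    each hit (the thread mentions the Prefetch folder and a Temp copy).
    for %%N in (urlmsvc cvsmlru) do (
      for /r C:\ %%F in (%%N.*) do (
        echo Found: %%F
        rem 2. Grant Full control with cacls (the piped "y" answers its
        rem    "Are you sure" prompt), clear read-only/hidden/system, delete.
        echo y| cacls "%%F" /g Everyone:F >nul
        attrib -r -h -s "%%F"
        del /f /q "%%F"
        if exist "%%F" (echo   STILL PRESENT: %%F) else (echo   deleted)
      )
    )

    rem 3. Same effect as merging fixmundo.reg (drops the Winlogon Notify key),
    rem    plus the RunOnce value shown in the O4 line, with no .reg file needed.
    reg delete "%NOTIFY%" /f >nul 2>&1
    reg delete "%RUNONCE%" /v "*urlmsvc" /f >nul 2>&1

    rem 4. Verify: reg query failing means the key is gone, which is the goal.
    reg query "%NOTIFY%" >nul 2>&1 && echo WARNING: Winlogon Notify key still present || echo Winlogon Notify key removed
    if exist "%DBDIR%\urlmsvc.exe" (echo WARNING: urlmsvc.exe still present) else (echo urlmsvc.exe gone)
    endlocal
    ```

    If a file is reported as STILL PRESENT, the process that holds it is still running; the same check after a reboot to normal Windows tells you whether the file came back, which is the sign the removal did not take.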
  39. bmontana

    bmontana Private E-2

    Finally....some progress! I followed the steps and am now finding no occurrences of urlmsvc or cvsmlru. I have posted a new HJT log. Please let me know how it looks. Also, please let me know if there are any "follow up" steps that I should do. For instance, can I delete the fixmundo.reg file from my desktop? Thank you for all of your help. You have been very helpful and I appreciate your persistence!

    bmontana
     
  40. PhilliePhan

    PhilliePhan Guest

    You're Welcome! Glad to be able to help :)

    You can go ahead and delete that file from Desktop.

    Also, fix this line with HijackThis:
    O20 - Winlogon Notify: urlmsvc - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat (file missing)
    I'm surprised it remained . . .

    You should now visit Windows Updates and get updated!
    Also, have a look at Chaslang's Recommendations!! if you have not done so already!

    Happy Computing :)
    PP
     
  41. bmontana

    bmontana Private E-2

    Will do. I will delete that file w/HJT as well.

    I have encountered a few more issues. When I go to restart/shut down the computer, I get 2 types of error messages.
    1.) 'Non-Responsive Program' for "AOLDIAL.exe" and "tfswctrl.exe" (and one other that I didn't write down and don't remember).
    2.) An error stating 'shellmon.exe' - "DLL initialization failed"

    Could you please advise on this as well?

    Thank you!

    bmontana
     
  42. PhilliePhan

    PhilliePhan Guest

    Do you get these all the time? Try rebooting and see if they come up again. If they do, please attach a fresh HJT log and we'll see what we can see!

    PP :)
     
  43. bmontana

    bmontana Private E-2

    I just rebooted and it didn't happen this time. I will let you know if it happens again. Anyways, odd thing with the HJT log. Perhaps I uploaded the wrong log, b/c when I check now the O20 - Winlogon Notify: urlmsvc.... is no longer there (see HJT log attached). So I guess I will just update and see what happens.

    Also, through all of these antispyware/removal/etc. programs that I have loaded I now am being prevented from viewing java files. When I contacted the site's support they told me (after downloading new java.sun.com/download drivers didn't work) that it was a firewall preventing the java program from working. When I go to the java screen, I see everything normal except the actual java, where there is just a box in the upper left-hand corner with a square, a circle, and a triangle (red, blue, and green) inside. I disabled my Zone Alarm firewall, but it looks like there are more firewalls, at least one of which is preventing the java program (and who knows what else) from running. Any advice on how to find all of the firewalls running on my computer and how to disable/remove them?

    Thanks again!

    bmontana
     
  44. PhilliePhan

    PhilliePhan Guest

    I was surprised to see that line there since running the registry merge should have removed it! Log looks clean now. I imagine those other errors were merely coincidental with all the work you have done. If they persist, you can let us know.

    For the Java, I am not sure. Could be a number of things, from Firewall to Security Settings. I suggest posting the question in the Software Forum - You might get a more knowledgeable response there.

    BTW, you shouldn't turn your Firewall off - There has to be another workaround! (I just don't know it off the top of my head;))
    Also, Windows XP has its own firewall and it should be turned OFF if you are running a better one like ZA. Go START > Control Panel > Network and Internet Connections > Windows Firewall and check settings to make sure it is off.

    PP :)
     
  45. bmontana

    bmontana Private E-2

    I will seek help on the java in the Software Forum (in fact I have already submitted a thread).

    As for the error messages, I got them again (when I had to restart the computer after I downloaded "Win XP Service Pack 2" from Microsoft Updates). This time I got:

    'Ending Program' Nonresponsive for 4 applications:
    1.) "tphkmgr"
    2.) "tfswctrl.exe"
    3.) "AOLDIAL.exe"
    4.) "asp.exe"

    Think this could have to do with a firewall error as well?

    Also, I have one icon on my desktop that says "desktop.ini" and it is much lighter in color than the rest of the icons...like it's been deleted but is still there (how's that for an amateur explanation!). Anyways, do you know what this is and how/why this got on my desktop?

    Thanks again!

    bmontana
     
  46. PhilliePhan

    PhilliePhan Guest

    I do not know. I doubt they are related to or contribute to firewall errors, but I am not sure. There could be a number of causes for these failing to run. . . .

    Now this I do know! You likely still have the viewing of hidden System files enabled and that is a file that is normally hidden! If you turn off the Viewing of Hidden Files, it ought to disappear.

    Hey! I got one!! ;)

    BTW: Note that, after installing SP2, it turns the Windows Firewall on by default! If you run another Firewall, be sure to disable the Windows Firewall.

    PP:)
     
  47. bmontana

    bmontana Private E-2

    nice! Well thanks for the view hidden files advice!

    As far as the error messages when I log off/restart, do you have any advice or recommendations?

    I definitely made certain to turn Windows' firewall off when I finished downloading SP2.

    Awaiting your response!

    bmontana
     