Malware/Spyware/virus help - already done How to removal guide...

[bmontana]

Specs:
IBM R40 Notebook
MS Win XPP w/Serv. pk 1
Intel Pent M 1.3
597MHz
256MB RAM
40GB Hard Drive

Internet Providers:
AOL
Comcast Broadband


Good evening,
I am having problems with Malware and its apparent effects on my computer. I currently am running the latest McAfee AV (provided by AOL) with auto updates, as well as Zone Alarm (v 5.5 - free download version). I get random alerts with attempts to access my computer by .exe programs and .dll applications. Such examples include "xmlfont.exe, xmlanti.exe, dbdns.exe", etc. I have followed all suggested steps in the "How to: Spyware, Trojan and Virus Removal" guide, and I still have the following noticeable problems:
a.) I cannot access the following websites via my IE browser (using my Comcast Broadband wireless connection)
- google.com
- 53.com (Fifth Third Bank)
b.) I cannot access 53.com on either IE nor via my AOL web browser (although I can access google through the AOL browser)

c.) when I restart/turn off my computer, a warning message pops up saying " 'odbcras.exe - DLL INTIIALIZATION FAILED' The application failed to inizitialize..."

I have run the Killbox program, and have a log file created. I know it says not to post unless asked, so let me know if you would like me to send as attatchment.

Thanks for your help!

bmontana

[chaslang]

Quote:

Originally Posted by bmontana

I have run the Killbox program, and have a log file created. I know it says not to post unless asked, so let me know if you would like me to send as attatchment.

I believe you mean you have run HijackThis and created a log, not Killbox.

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

[bmontana]

It will not let me run HiJackthis. I downloaded it to c:\Programfiles\hijackthis, and when I click the icon, a window pops up that says:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I did just download the new AOL which has an updated version of McAfee Virus Protector, and a window showed up saying a Virus has been detected and cleaned. The file C:\docume~1\bryanm~1\locals~1\Temp\TemporaryDirectory1forhijackthis.zip\HijackThis.exe was infected by the W32/Generic.worm!p2p virus and has been deleted to complete the Clean process. It also will not let me Clean, Quarantine, or Delete the program. Says cannot find the file.

Can you please advise?

[chaslang]

Quote:

Originally Posted by bmontana

It will not let me run HiJackthis. I downloaded it to c:\Programfiles\hijackthis, and when I click the icon, a window pops up that says:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I did just download the new AOL which has an updated version of McAfee Virus Protector, and a window showed up saying a Virus has been detected and cleaned. The file C:\docume~1\bryanm~1\locals~1\Temp\TemporaryDirectory1forhijackthis.zip\HijackThis.exe was infected by the W32/Generic.worm!p2p virus and has been deleted to complete the Clean process. It also will not let me Clean, Quarantine, or Delete the program. Says cannot find the file.

Can you please advise?

Either uninstall the AOL Virus protector or get the current McAfee definitions. The older version had a bug which said HijackThis had a virus and it did not. Thus your HijackThis.zip download never got downloaded. Or when you went to run Hijackthis.exe it was deleted by the virus scan.

It has been a very long time (malware wise) since you ran the READ ME FIRST sticky steps. Since you waited so long to come back, you really should run them again. Make sure you update each program because they have changed.

[bmontana]

Will do. Re-installing/running How to programs. Will post results...

[chaslang]

Quote:

Originally Posted by bmontana

Will do. Re-installing/running How to programs. Will post results...

Okay! Did you get HJT 1.99.1 now?

[bmontana]

I am still in the process of doing all of the reccomended steps in the How to section. I am having a problem though. When attempting to update Spybot, it fails on all updates, giving me this log for each of the updates that I attempt:

2/17/2005 9:49:36 PM downloaded update Startup info
2/17/2005 9:49:36 PM - URL: http://www.see-cure.de/updates/files/startup.zip
2/17/2005 9:49:36 PM - Local file: C:\MajGeek Vir Programs\Spybot - Search & Destroy\Updates\startup.zip
2/17/2005 9:49:36 PM - FILE REJECTED because of bad checksum

I tried downloading the following updates:
Advanced detection library
Detection rules
English help
Immunization database
Startup info

All give the 'Info' result of "!!!bad checksum!"

Any suggestions?

[chaslang]

The server is just busy. Either keep trying, change the server, or get it from MGs: Spybot Search and Destroy Detection Update

[bmontana]

Got you. Eventually got updates for Spybot. Now I can't download updates for SpywareBlaster! It's saying "Error Connecting to Server...may be temp unavailable or a conflict w/your Firewall sw installed on your PC..."

Think it's just the server being busy again?

I am currently doing the Trend AV Scan. I will post reply once done. I will await your response on the SpywareBlaster updates.

[chaslang]

Quote:

Originally Posted by bmontana

Got you. Eventually got updates for Spybot. Now I can't download updates for SpywareBlaster! It's saying "Error Connecting to Server...may be temp unavailable or a conflict w/your Firewall sw installed on your PC..."

Think it's just the server being busy again?
.

It could be a similar issue. Or you could be blocking it with a firewall. Do you have a firewall? If so, do a temporary disable and try to update.

Note: you should not be online with browsers open during certain scans. Obviously you must for the online scanners but for eveything else exit all apps before scanning. See the note in the READ ME about this.

[bmontana]

Yes, I have ZoneAlarm's sw firewall. I tried enabling all of the required programs in the firewall....I will try disabling the fw before trying the updates.

Also...I ran the Trend Scan and it found 1 Trojan Virus. Couldn't clean....deleted it.

The Symantec scan found 26 threats. I have the log saved in a wordpad document if you want. The first couple that it found were Trojan.Vundo threats. When I followed the reccomended steps to remove, I dwnld'ed and ran the FixVundo.exe program, and it found "no Trojan.Vundo" files on my computer. Odd. Any suggestions on that?

I will disable ZoneAlarm, and try the updates.

Thanks!

[bmontana]

Tried SpywareBlaster updates again w/FW disabled, and still cannot access updates. Still says "Error connecting to server....error getting update info f/server, srvr may be temp. unavailable, or may be conflict w/FW sw installed on your computer...."

[bmontana]

Ok, tried disabling firewall and Internet access, and FixVundo still found no Trojan.Vundo files on my computer. Even though my Symantec Log obviously shows I do have them. Think the Symantec AV quarantined them automatically? I have attached the Symantec log in this post as well.

[chaslang]

Quote:

Originally Posted by bmontana

Ok, tried disabling firewall and Internet access, and FixVundo still found no Trojan.Vundo files on my computer. Even though my Symantec Log obviously shows I do have them. Think the Symantec AV quarantined them automatically? I have attached the Symantec log in this post as well.

Are you sure these were fixed? It looks like they are still present from that log.

[bmontana]

Not sure what you mean "are you sure these were fixed". No, the Trojan.Vundo files were not fixed, as I mentioned the FixVundo.exe program that Symantec tells you to use to remove the files it found "did not find any Trojan.Vundo files on your computer". Symantec's log clearly shows I have them, but FixVundo does not find them.

[chaslang]

Did you run their tool with all browsers exited and with your physical connection to the internet unplugged?

Give that a try. If that does not work, follow my guidelines in message # 2 and post a HijackThis log.

[bmontana]

Tried Symantec FixVundo.exe program with Internet connection off and all browsers exited. Still didn't find the Trojan.Vundo files that the Sym AV said it found.

Here is my HiJack this log. Let me know what you suggest to do next.

[chaslang]

You have a bunch of Virtumundo problems and some others. I'm working on your log now.

[chaslang]

Also, you have a broken LSP chain. Download LSPFix from(http://www.majorgeeks.com/download4180.html) and run it.

Check the "I know what I am doing" box Click on connwsp.dll on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

Download Pocket KillBox and extract it to its own folder where you will be able to find it. Do not run it yet.

Please print out these instructions (or save them locally) so that you can operate with All Browser Windows CLOSED. Do that now before going any further.

Please follow the instructions carefully.

Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

First Step:

Open Windows Explorer and navigate to C:\WINDOWS\PREFETCH
And delete all files in this folder. Do not delete the Prefetch folder. Just the files in it.

Second Step:

Run HijackThis and Check the Boxes for the Following (put do not click Fix yet):
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O1 - Hosts: rowsertoolbar.com
O1 - Hosts: 127.0.0.
O1 - Hosts: .browsertoolbar.com
O1 - Hosts: 12
O1 - Hosts: w2.browsertoolbar.com
O1 - Hosts: w2.browsertoolbar.com
O1 - Hosts: 12
O1 - Hosts: 127.0
O1 - Hosts: om
O1 - Hosts: .com
O1 - Hosts: ar.com
O1 - Hosts: lbar.com
O1 - Hosts: oolbar.com
O1 - Hosts: rtoolbar.com
O1 - Hosts: sertoolbar.com
O1 - Hosts: 127.0.0.
O1 - Hosts: owsertoolbar.com
O1 - Hosts: 12
O1 - Hosts: 127.0
O1 - Hosts: 2.browsertoolbar.com
O1 - Hosts: ww2.browsertoolbar.com
O1 - Hosts: 127.0
O1 - Hosts: .www2.browsertoolbar.com
O1 - Hosts: w.www2.browsertoolbar.com
O1 - Hosts: 127.0.
O1 - Hosts: 1
O2 - BHO: CATLEvents Object - {13589181-4F0D-4553-B9F8-B4B72172C139} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\daavaj.dat (file missing)
O2 - BHO: CATLEvents Object - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\dadrah.dat
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\bknur.dat (file missing)
O2 - BHO: CATLEvents Object - {98BC949B-3D81-4750-836F-4BC57BD032EE} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\sysnib.dat
O2 - BHO: CATLEvents Object - {D487068E-9B04-4FE5-8A83-08344F800BF5} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\smavaj.dat
O2 - BHO: CATLEvents Object - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat
O4 - HKLM\..\Run: [runkb] C:\WINDOWS\runkb.exe
O4 - HKLM\..\Run: [regkey] C:\WINDOWS\regkey.exe
O4 - HKLM\..\Run: [*wad] C:\WINDOWS\Web\wad.exe
O4 - HKLM\..\Run: [acciis] C:\WINDOWS\acciis.exe
O4 - HKLM\..\Run: [*faxvga] C:\WINDOWS\system\faxvga.exe
O4 - HKLM\..\Run: [*tcpreg] C:\WINDOWS\Driver Cache\tcpreg.exe
O4 - HKLM\..\Run: [*abrwms] C:\WINDOWS\system\abrwms.exe
O4 - HKLM\..\Run: [*xmlfont] C:\WINDOWS\xmlfont.exe
O4 - HKLM\..\Run: [*dlllog] C:\WINDOWS\Fonts\dlllog.exe
O4 - HKLM\..\Run: [*wmshard] C:\WINDOWS\wmshard.exe
O4 - HKLM\..\Run: [*cabav] C:\WINDOWS\security\Database\cabav.exe
O4 - HKLM\..\Run: [*antivga] C:\WINDOWS\inf\antivga.exe
O4 - HKLM\..\Run: [*docwin] C:\WINDOWS\Web\printers\docwin.exe
O4 - HKLM\..\RunOnce: [*urlmsvc] C:\WINDOWS\security\Database\urlmsvc.exe rerun
O4 - Startup: DLHelperEXE.exe
O20 - Winlogon Notify: urlmsvc - C:\DOCUME~1\BRYANM~1\LOCALS~1\Temp\cvsmlru.dat

Click FIX and then Exit HijackThis.

Third Step:

Now run Run Pocket Killbox. Select the option to Delete on Reboot.

1) Now, Copy and Paste C:\WINDOWS\runkb.exe into the box
2) Now, Click the Red X and Yes to the confirmation message.
3) A message will ask if you want to reboot now – Click NO.
4) Repeat steps 1 to 3 for all of the below files always saying no to the Reboot now prompt until you enter the last file in the list. On that one say click YES and allow your machine to reboot however make sure you Boot To Safe Mode. You may receive an error messages after rebooting into Safe Mode that says Windows could not find the files you told it to delete. Just click okay and DO NOT REBOOT AGAIN.

Okay here is the list to delete using step 1 to 3 above:
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\dadrah.dat
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\javaad.dat
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\runkb.dat
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\sysnib.dat
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\smavaj.dat
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\cvsmlru.dat
C:\WINDOWS\runkb.exe
C:\WINDOWS\regkey.exe
C:\WINDOWS\Web\wad.exe
C:\WINDOWS\acciis.exe
C:\WINDOWS\system\faxvga.exe
C:\WINDOWS\Driver Cache\tcpreg.exe
C:\WINDOWS\system\abrwms.exe
C:\WINDOWS\xmlfont.exe
C:\WINDOWS\Fonts\dlllog.exe
C:\WINDOWS\wmshard.exe
C:\WINDOWS\security\Database\cabav.exe
C:\WINDOWS\inf\antivga.exe
C:\WINDOWS\Web\printers\docwin.exe
C:\Documents and Settings\BRYANM~1\Start Menu\Programs\Startup\DLHelperEXE.exe
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\cvsmlru.dat
C:\WINDOWS\security\Database\urlmsvc.exe

Fourth Step:


While in Safe Mode (making sure that you are able to view hidden files), use Windows Explorer to navigate to and DELETE the following if they remain (we are doing a double check):
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\dadrah.dat
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\javaad.dat
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\runkb.dat
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\sysnib.dat
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\smavaj.dat
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\cvsmlru.dat
C:\WINDOWS\runkb.exe
C:\WINDOWS\regkey.exe
C:\WINDOWS\Web\wad.exe
C:\WINDOWS\acciis.exe
C:\WINDOWS\system\faxvga.exe
C:\WINDOWS\Driver Cache\tcpreg.exe
C:\WINDOWS\system\abrwms.exe
C:\WINDOWS\xmlfont.exe
C:\WINDOWS\Fonts\dlllog.exe
C:\WINDOWS\wmshard.exe
C:\WINDOWS\security\Database\cabav.exe
C:\WINDOWS\inf\antivga.exe
C:\WINDOWS\Web\printers\docwin.exe
C:\Documents and Settings\BRYANM~1\Start Menu\Programs\Startup\DLHelperEXE.exe
C:\Documents and Settings\BRYANM~1\Local Settings\Temp\cvsmlru.dat
C:\WINDOWS\security\Database\urlmsvc.exe


Fifth Step: Searching for bad files


We are going to be search you PC for a list of files beginning with a certain pattern (this is given further down). You first need to configure Windows XP's search options as follows:
Click Search and the Select "All files and folders"
Enter the filename in the "All or part of the file name:" box, so enter bkinst
Now select "More advanced options"
Make sure the following check boxes are checked:
- Search system folders
- Search hidden files and folders
- Search subfolders
Then click the Search button.

Repeat the search for each of the below filenames (I already got you started on the first one): and delete all files beginning with the below. The filename extensions may be .exe, .dat, .bak and/or .ini, delete all of them:
bkinst
acciis
faxvga
tcpreg
abrwms
xmlfont
dlllog
wmshard
cabav
antivga
docwin
cvsmlru
urlmsvc


Sixth Step:


Run CCleaner and Spybot S&D and have Spybot fix what it finds.

Then, as an added precaution, clcik Start > Run and type: cleanmgr and click OK.
Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.

Reboot to Normal Windows and attach a fresh HJT log. How are things running? Tell me about any problems that you may have encountered with the above instructions.

[chaslang]

Reconsider using programs like the below! They could be the source of some of your problems!
O9 - Extra button: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - C:\Program Files\Starluck Casino\bin\IEExtension_SL.dll
O9 - Extra 'Tools' menuitem: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - C:\Program Files\Starluck Casino\bin\IEExtension_SL.dll
O9 - Extra button: Carnival Casino - {776883A9-1EA8-4d8f-88B7-AA652FEF01A7} - C:\Casino\Carnival Casino\casino.exe
O9 - Extra 'Tools' menuitem: Carnival Casino - {776883A9-1EA8-4d8f-88B7-AA652FEF01A7} - C:\Casino\Carnival Casino\casino.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll