help removing ?ttrib.exe virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by DknyGirl, May 2, 2005.

  1. DknyGirl

    DknyGirl Private E-2

    Can anyone help me remove this virus? I followed the steps exactly on the Major Geeks READ ME FIRST BEFORE ASKING FOR SUPPORT. I found quite a few things but not that particular virus. :(
    I'm not a computer expert but I'm pretty good navigating around. I can't figure this one out though.
    Thanks!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What program are you using that detects these files? It is normally in c:\windows\system32 and you must be careful not to confuse it with the valid attrib.exe file. Your file ( ?ttrib.exe ) will be much larger in size.

    If you have completed all of the READ ME FIRST, follow the steps below.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. DknyGirl

    DknyGirl Private E-2

    Yes, I did do every step on the READ ME FIRST but I still get a message from McAfee saying that you have a virus....c:\windows\system32\?ttrib.exe.
    My system 32\attrib.exe is still there, I did not delete that. I'm attaching the log file as you requested. Thanks for your help!!!
     

  4. DknyGirl

    DknyGirl Private E-2

    I need to make an amendment to my last post....McAfee is not saying you have a virus, it says: c:\windows\system32\?ttrib.exe is requesting outbound access to the internet. I click block all access but it keeps appearing. 3 times in a row actually, every time it appears. Sorry for the earlier misinformation.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a bunch more problems than the ?ttrib.exe problem. Let's see if we can get them all in one shot.

    First you must disable SpybotSD TeaTimer, because it could get in our way while trying to remove these problems.
    To disable TeaTimer, run Spybot and click Mode and select Advanced Mode. Then click Tools and select Resident. Now in the right window pane, uncheck TeaTimer.

    Also while this is open, in the left column now select IE Tweaks and then in the right pane make sure all the Miscellaneous locks are unchecked. Now quit Spybot!

    Download LSP - Fix

    Now run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the xfire_lsp_10650.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move xfire_lsp_10650.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If the file is already in the Remove section, just click finish.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\?ttrib.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: (no name) - {DC9CA73B-1EAA-1954-FA89-161332873AB1} - C:\WINDOWS\system32\vvamotu.dll
    O4 - HKLM\..\Run: [COQRYd] C:\documents and settings\owner\local settings\temp\COQRYd.exe
    O4 - HKLM\..\Run: [khdmllu] C:\WINDOWS\gsdkfksya.exe"
    O4 - HKLM\..\Run: [Z] C:\documents and settings\owner\local settings\temp\Z.exe
    O4 - HKLM\..\Run: [d8w] C:\documents and settings\owner\local settings\temp\d8w.exe
    O4 - HKLM\..\Run: [wZee] C:\documents and settings\owner\local settings\temp\wZee.exe
    O4 - HKLM\..\Run: [IfN30] C:\documents and settings\owner\local settings\temp\IfN30.exe
    O4 - HKLM\..\Run: [LgzS] C:\documents and settings\owner\local settings\temp\LgzS.exe
    O4 - HKLM\..\Run: [v7ER38h] psnxprxy.exe
    O4 - HKLM\..\Run: [4AEWbO] C:\documents and settings\owner\local settings\temp\4AEWbO.exe
    O4 - HKLM\..\Run: [qthmwhtf] c:\windows\system32\qthmwhtf.exe
    O4 - HKCU\..\Run: [Foylqko] C:\WINDOWS\system32\?ttrib.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\vvamotu.dll
    C:\documents and settings\owner\local settings\temp\COQRYd.exe
    C:\WINDOWS\gsdkfksya.exe
    C:\documents and settings\owner\local settings\temp\Z.exe
    C:\documents and settings\owner\local settings\temp\d8w.exe
    C:\documents and settings\owner\local settings\temp\wZee.exe
    C:\documents and settings\owner\local settings\temp\IfN30.exe
    C:\documents and settings\owner\local settings\temp\LgzS.exe
    c:\windows\system32\psnxprxy.exe
    C:\documents and settings\owner\local settings\temp\4AEWbO.exe
    c:\windows\system32\qthmwhtf.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
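The triage chaslang does by eye in the two posts above (post 2: tell ?ttrib.exe apart from the real attrib.exe; post 5: pick the malicious O4 Run lines out of the HijackThis log) can be automated. What follows is an added example written for this page, not a tool from the thread or from MajorGeeks. It parses HijackThis-style O4 Run lines and flags the same signals used above: a program launched from a temp folder, a bare filename that Windows resolves through the PATH search, a filename containing a character outside ASCII (which ANSI-only tools such as the McAfee prompt render as "?"), a name that collapses onto a known Windows binary once lookalike characters are mapped back, and a random-looking name. Which character really hid behind the "?" in the thread is unknown, so the sample uses a Cyrillic "а" (U+0430) as an assumption; the other sample lines are copied from the log excerpt in post 5 plus two constructed benign entries for contrast. The size comparison chaslang mentions is not automated here because the thread gives no baseline size.

```python
"""Triage HijackThis O4 Run lines for the signals used in the thread above.

Added example, not code from the original page.  Only O4 lines are parsed.
"""
import re
import unicodedata

# O4 - HKLM\..\Run: [entry name] <command>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Illustrative, not exhaustive: Windows binaries malware likes to impersonate.
KNOWN_SYSTEM_BINARIES = {"attrib.exe", "svchost.exe", "lsass.exe", "explorer.exe"}

# Small confusables table (Cyrillic / Greek / dotless-i lookalikes of Latin letters).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
    "\u0131": "i",
}

SAMPLE_LINES = [
    # copied from the thread's log excerpt
    r"O4 - HKLM\..\Run: [COQRYd] C:\documents and settings\owner\local settings\temp\COQRYd.exe",
    r'O4 - HKLM\..\Run: [khdmllu] C:\WINDOWS\gsdkfksya.exe"',
    r"O4 - HKLM\..\Run: [v7ER38h] psnxprxy.exe",
    r"O4 - HKLM\..\Run: [qthmwhtf] c:\windows\system32\qthmwhtf.exe",
    # constructed: the thread's "?ttrib.exe" with Cyrillic а (U+0430) assumed as the hidden character
    "O4 - HKCU\\..\\Run: [Foylqko] C:\\WINDOWS\\system32\\\u0430ttrib.exe",
    # constructed: benign-looking entries for contrast
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
]


def skeleton(name: str) -> str:
    """Reduce a filename to an ASCII skeleton so lookalikes land on the real name:
    casefold, NFKD-decompose, drop combining marks, map known confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", name.casefold()):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def longest_consonant_run(stem: str) -> int:
    """Length of the longest run of consonant letters; generated names such as
    gsdkfksya tend to have long runs.  A heuristic, not proof."""
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def triage_o4(line: str):
    """Return a dict describing one O4 line and its findings, or None if not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    # HJT prints the command as-is; strip surrounding (and stray trailing) quotes.
    path = m.group("cmd").strip().strip('"')
    filename = path.rsplit("\\", 1)[-1]
    low = filename.lower()
    sk = skeleton(filename)
    findings = []
    if "\\" not in path:
        findings.append("bare filename resolved via PATH search")
    if "\\temp\\" in path.lower():
        findings.append("launches from a temp folder")
    if any(ord(c) > 127 for c in filename):
        findings.append("non-ASCII character in filename (ANSI tools show it as '?')")
    if sk in KNOWN_SYSTEM_BINARIES and sk != low:
        findings.append(f"lookalike of {sk}")
    if longest_consonant_run(sk.rsplit(".", 1)[0]) >= 5:
        findings.append("random-looking name (long consonant run)")
    return {"hive": m.group("hive"), "entry": m.group("name"), "path": path, "findings": findings}


def triage_log(text: str) -> list:
    """Triage every O4 Run line in a log; non-O4 lines are ignored."""
    return [r for r in (triage_o4(l) for l in text.splitlines()) if r is not None]


if __name__ == "__main__":
    for r in triage_log("\n".join(SAMPLE_LINES)):
        flag = "SUSPECT" if r["findings"] else "ok     "
        print(f'{flag} {r["hive"]} [{r["entry"]}] {r["path"]}')
        for f in r["findings"]:
            print("        -", f)
```

Note what the heuristics do and do not catch: COQRYd.exe is flagged only because it runs from the temp folder, and SOUNDMAN.EXE is flagged only for being a bare filename, which is also how some legitimate vendor entries look. The output is a worklist for the kind of judgement chaslang applies, not a verdict, and the files themselves should still be checked (size, location, whether they are still running) before anything is deleted.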
  6. DknyGirl

    DknyGirl Private E-2

    Hey, Thanks for the quick reply! I've done all you've said EXCEPT you told me to:

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\vvamotu.dll
    C:\documents and settings\owner\local settings\temp\COQRYd.exe
    C:\WINDOWS\gsdkfksya.exe
    C:\documents and settings\owner\local settings\temp\Z.exe
    C:\documents and settings\owner\local settings\temp\d8w.exe
    C:\documents and settings\owner\local settings\temp\wZee.exe
    C:\documents and settings\owner\local settings\temp\IfN30.exe
    C:\documents and settings\owner\local settings\temp\LgzS.exe
    c:\windows\system32\psnxprxy.exe
    C:\documents and settings\owner\local settings\temp\4AEWbO.exe
    c:\windows\system32\qthmwhtf.exe

    Well, I couldn't find any of those files. I had checked off all the things previously suggested in: tools, folder options, view. I still completed the steps you suggested after...running ccleaner, deleting files in Prefetch and running hijacker again. I'm attaching my new log.

    Please check and see if anything looks suspicious when you get a chance. I love doing all this stuff...just wish I knew what it all meant. I hate doing without knowing why. :rolleyes: :rolleyes:

    Thanks again for your time and reply!!
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is now clean! Is everything working okay?

    Those files were not found because HijackThis was able to remove them when I had you fix the items using HijackThis. It can sometimes do this. I had you attempt to delete the files manually because we never know when HJT will be able to remove the files itself. So it is sort of a double check to be safe.

    The steps I had you perform are simple to explain....they are all malware related files. They are not what we describe as "good" or "valid" Windows programs.

    You have a couple of other items that can be fixed, but the choice is yours. These are not true malware problems. They are a mild problem that some people hate more than other people.

    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

    See the below links for a little info on those lines:
    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453078189
    http://www.iamnotageek.com/a/backweb-137903.exe.php
     
  8. DknyGirl

    DknyGirl Private E-2

    Hi! So far so good, although I must say my computer was acting okay, it was just the McAfee pop up that really clued me in that something was wrong.

    I knew what you were asking me to delete were harmful files, I just wish I was better educated on what is harmful. For instance, the PowerReg Scheduler.exe, I've always seen that but thought it was a good program that comes with windows.

    Since I have your ear, so to speak, maybe you can advise me on a couple of other items. For a while now, McAfee is saying: C:\WINDOWS\system32\log.dll is infected by the BackDoor-CFB virus and cannot be cleaned. Again, my computer hasn't really caused me any problems and the message only comes up when I run scans. Is there a way for me to get rid of it? Additionally, Spyware Doctor is picking up All-In-One SPY in the same log.dll file. It cannot delete it but it says it has quarantined it. Spybot came back clean. AdAware came back clean too.

    Also, should I enable TeaTimer again? You told me to disable in the beginning.

    And lastly, any recommendations on what I should always have running to help avoid these issues?

    Thanks so much for all your help!!!!!!!!!!!!!!! :D
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If Spyware Doctor has really quarantined log.dll, why is McAfee still reporting it in the system32 folder?
    You should try to delete that file in safe mode. You may need to unregister the DLL first.

    I would recommend you read thru the below link. You could have some additional items related to this on your PC.

    http://www.sarc.com/avcenter/venc/data/pf/spyware.allinone.html

    Let me know what you find.

    As far as my recommendations, they are in the below link. You definitely need to get a real firewall installed and disable the one in Win XP SP2 because it is not good enough.

    How to Protect yourself from malware!
     