I've tried and tried but I need help

About a week ago, my 14-year old daughter was surfing the web on my computer, and somehow downloaded some nasty spyware that I have not been able to get rid of. I really, really need help!

Not only do the same and other bad stuff come back, but there is an alert on my task bar about updates being downloaded and ready to install, but there is no indication of WHAT program these are updates to. When I shut down, I'm given the option to install upon reboot or just shut down without installing upon reboot. Since I don't know what the updates are, I click on the second option. I recently upgraded to SP2. In SP1, Windows updates always gave me the option to see what updates there were before choosing to install. This does not. (Could they be Windows updates that SP2 handles differently? Anyone know?)

Here's what I've done: after reading the material on this website ("Spyware, Trojan and Virus Removal" and "HJT Tutorial):

1. Disabled XP's System Restore. Engablec hidden files and folders and extensions.
2. Checked to see whether "Network Security Service" or "Workstation Netlogon Service" were running. They weren't.
3. Downloaded and installed many tools: (Adware SE, VX2 Cleaner Plug-In, CCleaner, Spybot, SpyBlaster, Mcafee Avert STinger; CWShredder, Kill2me; about:Buster; HSRemove)
4. Did scan at Trend Micro's Online Virus Scan. It found and removed 4 Trojan RVP.D files.
5. Tried an online scan at Symantec Security Check. It froze. (I was able to run it a few days later; clean)
6. Ran Stinger -- found and removed bugbear virus.
7. Rebooted in Safe mode. Ran CCleaner
8.Ran Adaware and Spybot. (They found and removed PeopleOnPage, OnePop and few other things. Spybot found DSOExploit but I read up on that, and I know it is just a glitch in the program. Spybot tells me that print32.dll is not a Windows Image -- I don't know what that means or what to do about that.) Immunized with Spybot. Ran Spyblaster
9. Ran CWShredder, Kill2me, About:Buster and HSRemove.

However, in the days that followed, there were these popup ads that kept appearing (although I have enabled IE's popup blocker as well as the one on the Google toolbar).

So each day, I've been running Adaware and Spybot, and also Norton Anti Virus. Sometimes I run them in Safemode, sometimes in normal mode. Occasionally Adaware freezes in Safemode, occasionally Norton freezes both in safe and normal mode. Adaware has detected (and removed -- but it keeps coming back SAHAgent; I found and followed Norton's instructions to remove SAHAgent, altering registry keys.)

But even though I clean it up, stuff comes back -- the old stuff (PeopleOnPage, for example) and sometimes new stuff. I haven't yet run HJT because I'm a little daunted by it. I'm not sure what I would do with the results. I've just run Adaware three times: the first time it removed most stuff but said make sure all windows are closed and try again; the second time, all windows closed, it still could not remove the remaining offending things, so gave me the option to reboot and have Adaware try to remove what was left; it did. I copied the first two adaware logs onto Word files. I've attached the first log, which is split into two files, because it was too large to upload as one file.

And I am very suspicious of some of what now appears in the startup list when I go in to msconfig. What's kvern16? vernn16? something appears but has no name? dbgbene.exe? etc.

I'm really stuck and frustrated, and feeling a bit out of my element (I'm a literature professor!) I've been googling for info, and this forum seems the strongest and most informed, so I'm hoping that I can get some help. Thanks, thanks, thanks. (Please, please, please!)

 

Hi LitProf,

Please follow these instructions to scan with HijackThis:
http://forums.majorgeeks.com/showthread.php?t=38752

Make sure your HJT is up-to-date and in its own folder C:\Program Files\HijackThis. Please save your log as a .txt file and attach it.

You should note that there is a new Cumulative Update for SP2 - That may be the cause of the messsage you are receiving. Perhaps you should visit Windows Updates and check.

Anyhoo, go ahead and attach a HJT log. I am going to be away from my computer for long stretches this weekend, but I'm sure somebody will take a look. Just wanted to get the ball rolling.

Best,

PP

***You'd never know it, but I have a BA in English. I made it fun, though. My focus area was Critical Theory concerning Literature and Film. I concentrated on the hard-boiled detective novel & Film Noir. Plus a little Hemingway as well. And, it appears I minored in babbling on. . . .

 

Thanks, PP.

I scanned with Hijack this, and am attaching the log.

I ran Adaware, which turned up nothing, which gave me (false) hope. I ran Seach & Destroy, which turned up OnePop (yet again). I saved those results as a .txt file, too, and am attaching (SD.txt).

And, yes, the update was the cumulative for SP2; thanks for the reassurance on that, PP. I guess I'm getting paranoid, since this intractable gunk has gotten onto my system!

Anyway, I'd be SO grateful for help!

LitProf

(P.S. PP -- it warms my heart when people say studying lit was fun. Theory, film noir and detective novels sounds fabulous (fun, but also not easy -- you are quite modest, PP)

 

Hi LitProf - Good Catch!

Do you know what this is?
C:\DOCUME~1\Sara\LOCALS~1\Temp\svcmm32.exe
O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Sara\LOCALS~1\Temp\svcmm32.exe" /startup
I suspect it is harmless.

These two look bad to me, but I couldn’t find any info on them:
C:\WINDOWS\system32\dbgbene.exe
C:\WINDOWS\system32\accut.exe

Please download this tool and run it in Safe Mode:
a-squared (a²) Free edition

Now, Reboot and run HijackThis. Check the boxes for the following if you find them:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: Invisible Class - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINDOWS\System32\kvern16.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Sara\LOCALS~1\Temp\svcmm32.exe" /startup

O4 - HKLM\..\Run: [p7oO33i] dbgbene.exe

O4 - HKCU\..\Run: [vernn16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\vernn16.dll

O4 - HKCU\..\Run: [kvern16.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\kvern16.dll

O4 - HKCU\..\Run: [Yw7ERTGqh] accut.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe

Make sure ALL browser windows are CLOSED before you click FIX.

Now, reboot to SAFE MODE and make sure you have enabled the Viewing of Hidden Files. Track down and DELETE the following (if they remain):

C:\WINDOWS\System32\vernn16.dll
C:\WINDOWS\System32\kvern16.dll
C:\WINDOWS\system32\dbgbene.exe
C:\WINDOWS\system32\accut.exe

Reboot to Normal Windows and attach a new log. Let me know if you ran into any problems with the above instructions.

I'll check back when I get a chance.

Best luck,
PP
***By the way, where do you Prof Lit?

 

Hi PP --

I have NO IDEA what C:\DOCUME~1\Sara\LOCALS~1\Temp\svcmm32.exe
is. Not only that, in my attempt to clean up whatever is lurking in my computer, I deleted everything in that temp file. And could not delete svcmm32.exe. I've tried to google it to see if I could find out something about it, but haven't turned up anything.

I also don't know what dbgbene.exe and accut.exe are. I found a file called ebay.txt and deleted it; one of the recurrent popups has been a French ebay popup, and I thought it might be related.

Anyway, I'll follow your suggestions and let you know what happens.

I LitProf in York U. in Toronto, and used to be at U of Delaware. Where's your English BA from?

 

We'll work on that after this first batch.

My English BA (not my only degree) is from The Ohio State University. Currently I am working on a screenplay loosely based on Ivan Turgenev's Fathers and Sons. I am about to begin pursuit of an M.Ed. so that I may teach in an inner city Urban Academy. . . And I'm babbling again

I am in this forum intermittently - I'll check back when I am able.

Best,
PP

 

OK. Here's what I did.

1. Ran a-squared in Safe Mode. No Malware found.
2. Ran HijackThis in Normal Mode. Found and checked and had HJT fix these:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: Invisible Class - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINDOWS\System32\kvern16.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [USB controller] "C:\DOCUME~1\Sara\LOCALS~1\Temp\svcmm32.exe" /startup

O4 - HKLM\..\Run: [p7oO33i] dbgbene.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp.com/awebui/jsp/...SWebManager.CAB

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

3. In Safe Mode, deleted (all in the C:\\WINDOWS\System32\ directory): vernn16.dll, dbgbene.exe, and accut.ext. Couldn't find kvern16.dll

4. Ran HJT in Normal mode, and attaching logfile.

PP -- Ohio State is a great place. Is this your first screenplay?

 

Hi LitProf,

Your HJT log is free of malware Are things running OK?

I assume you want the Discover items?
O2 - BHO: Discover deskshop Browser Helper Object
O9 - Extra button: Deskshop

Everything looks good! I don't see C:\DOCUME~1\Sara\LOCALS~1\Temp\svcmm32.exe Perhaps it is gone for good.

You should take a look at Chaslang's recommendations for safeguarding your computer: How to Protect yourself from malware!
It is a good idea to use Spyware Blaster and SpybotSD's Immunization feature. Remember to internet update them regularly!

Happy Computing

PP

***Is this your first screenplay? ~ It's the first one that doesn't stink!!!

 

Thanks so much for your help, PP. I will read that.

Hope that the computer is, indeed, malware free. (I still see kvern16 and vernn16 and accut.exe when I look at the startup list on msconfig...)

Anyway, good luck on the screenplay and on your MEd.

Much thanks,
LitProf

 

Please attach a new HJT log. Those should not be there. I wondered why the 04 entries were not in your list of "Fixed" items, but they did not show in your last log. They would have been in the list of running processes. Boot in normal Windows and please send me a log.

PP

 

Ok, PP. I'm attaching a new HJT log. I ran Adaware and it came up clean, but when I ran S&D it detected OnePop (aka InvisiblePop, aka veg32).

A thought: does it matter, for the purposes of malware removal, that on this computer there are several user accounts?

LitProf

 

Yes, it does. A cleanup needs to be done for each account.
Also, System Restore must be OFF - Otherwise it restores the malware! I am concerned about this Norton Ghost on your machine. I am not familiar with it, but it may be doing the same as System Restore. Is there any way to disable it without messing things up?

Hang on while I look at your log.

*** OK - I see that they are back in this log, but they were not in the last log. I may have to call in reinforcements, but we WILL beat this.
How many accounts are on your computer?

PP

 

Hi LitProf,
I've got a few ideas.
Try this for each user account:

Make sure any kind of System Restore is OFF and enable the viewing of hidden files.

Using Task Manager (ctrl-alt-del), end the following running processes:
vernn16
kvern16
accut.exe
Then, track down and DELETE these bad files. You may have to run a search of your machine to find them, but you should have no problem deleting them if the running process has been stopped.

C:\WINDOWS\System32\kvern16.dll

accut.exe

C:\WINDOWS\System32\vernn16.dll

If that doesn’t work, try using START > RUN > MSCONFIG > STARTUP Tab and uncheck the running processes of these malware so that they do not run at startup and then delete the offending files.

Please keep checking in on this thread. I am going to be tied up the next few days, but will check in when I can. I will also ask our resident genius, Chaslang, to take a look.

Hang in there

PP

 

Hi PP,
Thanks for being in this mess with me!

I don't think Norton Ghost is a problem, at least I've assumed that it is not, because when Symantec gives instructions for removing various viruses and trojans, it always instructs you to make sure that System Restore has been disabled. Given that Norton Systemworks contains both Anti-Virus and Ghost, I would imagine that if Ghost were a problem, Norton would tell you what to do about it. In any event, I've never actually used Ghost -- never launched it.

There are 3 user accounts on the computer. One I essentially reserve for admin stuff (installing programs, updates, etc.). One I use to do my work. I tend to leave that one with limited privileges, but often find that I am blocked from doing something, and then give it admin privileges. The third almost always has only limited privileges. I almost always run the anti-spyware from the admin account (which isn't called that because I've renamed, but still is the primary account).

Anyway, I'll try your suggestions and get back.

Hopefully,
LitProf

 

Following up on my last e-mail, I'd already unchecked vernn, kvern and accut on msconfig (and thankfully, they remained unchecked upon booting up again). And the respective .dll files are no longer in the System32 folder.

LitProf

 

Hi LitProf,

Go ahead and try my suggestions. You may want to poke around a bit on your own - You probably have a good idea of what to look for by now!
I am still awaiting Chaslang's advice. If need be, we can run separate HJT for each account and see if that does the trick.

I am popping in and out of the forum these days. It's a bit fortuitous that we seem to be on the same schedule Keep checking back. If I am gone for long streches, don't worry - I won't forget about you! We'll figure this one out!

Best,
PP

 

Thanks for looking at this, Chaslang. (And continued thanks to you, too, PP.)

Here's what happened when I followed your advice, Chaslang:

On all the texts input to the Run dialog box, no real results (ie "failed" or "can't find")

Under Task Manager, none of the listed processes show up.

HijackThis turned up clean, without any of the problematic lines.

In Safe mode, in Windows Explorer, the only one I could locate was "...\Temp\svcmm32.exe" which I was able to delete (I had some how been prevented from deleting that before.)

So this all looks good. I'm attaching the HJT log, since I wouldn't mind another pair of eyes checking it out.

That's all good news. Here is what puzzles me. When I look at the startup list under msconfig, I still see my old friends vernn16, kvern, and accut. I have unchecked them, and they remain unchecked through several bootups. But I don't know why they are stil there, or how to remove them. Any ideas on that?

More thanks than I can say,
LitProf

 

When I entered C:\Program Files\CxtPls\ace.dll in the Run dialogue box, the computer responded that it could not find it. But when I did find it in Windows Explorer in Safe Mode, and I deleted the directory.

 

I searched for and deleted all instances of kvern, vernn16 and accut in the registry. (And now they are no longer in the startup of msconfig, since some of the deletions were from Startup). (Should I do the same for dbgbene?)

And I think (I hope) that this solves it. No more popups, nothing showing up when I ran Ad-Aware and S&D.

Anything else I should check for?

I can't thank you enough!

LitProf

 

He's right, you know!

You should check out (or have your daughter do so ) Chas' recommendations for safeguarding your computer against Malware:
How to protect yourself from malware!

Best,
PP

 

We've already checked read those recommendations and implemented them!

Again, thanks/merci. (We do things in both languages in Canada!)

 

I forgot I already linked that - These threads tend to blur together after a bit!

Happy Computing
PP