Trojan.FakeVir in WINDOWS\system32\vcehaeb.dll

Discussion in 'Malware Help (A Specialist Will Reply)' started by Thorman, Dec 8, 2006.

  1. Thorman

    Thorman Private E-2

    Trojan.FakeVir in WINDOWS\system32\vcehaeb.dll

    Hi,
    Please help me rid my computer of the Trojan.FakeVir infection which BD scan has identified, tried to disinfect then delete but has not been successful. Computer still infected. I have done all the READ & RUN ME FIRST instructions with all six logs copied.

    I'll try to attach the logs in two successive posts but if my experience yesterday is anything to go by, I may not succeed owing to the Major Geeks page freezing up after uploading the files, then it disappeared altogether. The next time I tried to upload the files I got an error message. Don't know whether I'm being paranoid about this but I just get the feeling that the virus infection is responsible for this.

    Many thanks for your help.
     

    Attached Files:

  2. Thorman

    Thorman Private E-2

    2nd part of post - with last three attachments.

    Forgot to add that the outcome of the infection is that I get a yellow triangle with an exclamation mark in the middle of it - alternating with what looks like a sea mine with detonator spikes around it. Sometimes the call-outs spring out from these icons with the message:

    'Critical System Errors
    System detected virus activities.
    They may cause critical system failure.
    Please use AntiSpyware Software to clean
    and protect your system from parasite programs. Click this baloon (spelt wrongly as shown)
    to get all available software'

    As I said, I'd be very grateful for any help in ridding my PC of this stuff.
    Thanks,
    Tom.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!



    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

    ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

    Now attach new logs from:
    • GetRunKey
    • ShowNew
    • HJT
    How are things working now?
     
  4. Thorman

    Thorman Private E-2

    Hi,

    Many thanks for your reply. I very much appreciate your help. I've done the 1st step and attached the rapport.txt log which I generated after running the Smitfraud program. I'll post this on to you and reboot in safe mode to follow Step 2 instructions. By the way, thanks for the tip about some antivirus programs detecting process.exe (contained in SmitfraudFix) as a 'risk tool'. I didn't have that problem though this time.
     

    Attached Files:

  5. Thorman

    Thorman Private E-2

    Step 2 now done with rapport.txt added, plus runkeys and showNew logs. One more post to follow to get the last log posted to you.
     

    Attached Files:

  6. Thorman

    Thorman Private E-2

    Last bit of information: HJT log attached.

    How are things working now? Well, the dreaded flashing icons have disappeared from my start up tray and I'm not getting weird ad pages and other stuff randomly appearing when I'm on the net. I'm so grateful to you guys. You're just the absolute best.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Next time (if there is a next time) you need to remember to rename hijackthis.exe to analyse.exe as requested. Some malware will not show up if it sees hijackthis.exe running.

    You are all clean. We just have to update Sun Java and then final cleanup.


    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • Go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
