w32.bacalid. - vcab.dll invection Help needed

Discussion in 'Malware Help (A Specialist Will Reply)' started by meltvn, Jan 9, 2008.

  1. meltvn

    meltvn Private E-2

    Hello.

    On Monday I got a client's computer that was suspected to be infected with a virus. As the client took it to someone else first to try and fix the problem, they ended up installing AVG with Symantec (not a good combo). In any case, when I got the PC I tried to get to the bottom of the problem to find the type of virus infection, resulting in infecting my own computer after I used my memory stick to transfer a tool to the client PC and then inserted it into my PC.
    As it may be, the closest I could get to obtaining information about the virus is a description: VCAB.dll. Generic2.OEH. W32.bacalid.
    Doing a search on the internet I concluded that removing the virus would be as easy as just running a virus scan with the latest definitions or the removal tool (Symantec, Stinger). :major
    Problem: the client computer's Explorer does not even allow running programs, as they get terminated. Opening things like Control Panel gets terminated.
    My computer experiences the same, but not in such a big way. I managed to run the AV, anti-spy, registry cleaner, and removal tool, but to no avail.. :(

    I noticed that there are some processes running that are suspect. When terminated they just return. :confused
    Process examples: hole.zip, untitled.doc; I cannot remember the other one.
    Sometimes the AVG scan detects the virus and moves it to the vault, but the computer is still corrupt and the virus just returns. The VCAB.dll file in the Local Settings Temp directory just returns, and cannot be deleted manually??

    Well, I am stuck here and am in desperate need of help. As time goes on cleaning my PC it seems to get worse; the client's PC is even worse, as I cannot even run Add/Remove Programs to uninstall Symantec AV (outdated subscription).
    No other viruses or threats are detected on my PC; maybe some other virus is also hiding??

    Please help....... :cry
    System Restore is disabled. I did run all the scanners as suggested; I even ran HijackThis and told it to delete/fix all the threats.... Most probably I should not have done that...
    I cannot run any system activity on the computer as it terminates, and on the client's PC almost everything terminates.

    Regards
    Melt
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. meltvn

    meltvn Private E-2

    Hi Tim

    I have followed your guidelines, and scanned the computer.
    The Bacalid virus just keeps on returning.
    I cannot open any Windows system programs like Control Panel, Windows Properties etc. They just terminate after a while.
    The virus gets picked up by AVG and quarantined; I delete it but it just comes back.
    All internet sites say that this virus is easy to remove roflmao ???

    What I found is that on my memory stick, all folders were duplicated with a .exe extension. The original folders are then hidden; the only way to access them is to unhide them in the folder options.
    They also do not get fixed by the antivirus when scanned???

    The programs you gave me might have terminated prematurely, as I got a message of a fatal program error.
    Application failed to initialize properly. (processdll.exe error??)
     

    Attached Files:
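An added example, not part of this thread or of the MajorGeeks tools, that scans a removable drive for the pattern meltvn describes above: a NAME.exe sitting beside a folder called NAME (hidden on an infected stick). The folder and file names it builds are constructed for the demo; on a real stick you would point find_folder_mimics at the drive letter instead.

```python
import os
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows file attribute bit; os.stat exposes it only on Windows


def is_hidden(path):
    """True when the Windows 'hidden' attribute is set; always False on other platforms."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def find_folder_mimics(root):
    """Walk root and return (exe_path, folder_path, folder_hidden) for every
    NAME.exe that sits beside a directory called NAME: the folder the user
    expects to double-click has been shadowed by a program of the same name."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs = {d.lower(): d for d in dirnames}  # case-insensitive match, as on FAT/NTFS
        for fname in filenames:
            base, ext = os.path.splitext(fname)
            if ext.lower() == ".exe" and base.lower() in dirs:
                folder = os.path.join(dirpath, dirs[base.lower()])
                hits.append((os.path.join(dirpath, fname), folder, is_hidden(folder)))
    return hits


def mimic_names(root):
    """Just the shadowing executables' file names, sorted, for quick reporting."""
    return sorted(os.path.basename(exe) for exe, _, _ in find_folder_mimics(root))


def build_sample_stick():
    """Construct a throwaway tree imitating the infected stick: two real folders,
    each shadowed by a same-named .exe, plus a folder and an installer that are fine."""
    root = tempfile.mkdtemp(prefix="stick_")
    for name in ("Photos", "Invoices"):
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "note.txt"), "w") as fh:
            fh.write("original user file\n")
        with open(os.path.join(root, name + ".exe"), "wb") as fh:
            fh.write(b"MZ placeholder, not a real executable\n")  # constructed stand-in
    os.makedirs(os.path.join(root, "Tools"))
    with open(os.path.join(root, "setup.exe"), "wb") as fh:
        fh.write(b"MZ placeholder\n")  # an .exe with no same-named folder is left alone
    return root


if __name__ == "__main__":
    for exe, folder, hidden in find_folder_mimics(build_sample_stick()):
        print(f"{exe} shadows {folder} (hidden={hidden})")
```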

  4. abri

    abri MajorGeek

    Hi meltvn!
    I like your humor. It has the dark elements of masochism to it. lol



    1) Go to add/remove programs and uninstall the below:

    - Java 2 Runtime Environment, SE v1.4.2

    2) Next we want to kill a service:
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Core LC
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT (it will now be called analyse.exe and you will find it inside the MGTools folder of your root drive), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Symantec Core LC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now run HJT/analyse.exe (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, "C:\WINDOWS\system32\M5VBVM60.EXE StartUp"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Secure64] C:\WINDOWS\system32\dllcache\Regedit32.com StartUp
    O4 - HKCU\..\Run: [Secure32] C:\WINDOWS\system32\dllcache\Shell32.com StartUp
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    After you click fix, just close hijackthis.


    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    5) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
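An added example, not part of this thread or of HijackThis/MGTools, that applies the reasoning behind the lines abri asks to be fixed to HijackThis-style log text: an extra program appended to the Winlogon UserInit value, Run-key items launched from system32\dllcache or with .com/.bat extensions, and the AUT0EXEC (digit zero for letter O) lookalike. The sample log is constructed from the entries quoted in this thread plus one benign item; the heuristics and their names are this example's own.

```python
import re

# Constructed HijackThis-style sample: the entries quoted in this thread plus one benign item.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, "C:\WINDOWS\system32\M5VBVM60.EXE StartUp"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Secure64] C:\WINDOWS\system32\dllcache\Regedit32.com StartUp
O4 - HKCU\..\Run: [Secure32] C:\WINDOWS\system32\dllcache\Shell32.com StartUp
O4 - HKLM\..\Run: [Blank AntiViri] C:\AUT0EXEC.BAT StartUp
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"  # the only program a clean UserInit names
KNOWN_NAMES = {"autoexec.bat"}  # real names imitated above with a digit zero in place of an O
SCRIPT_EXTS = (".com", ".bat", ".pif", ".scr")  # rare for legitimate Run-key entries
ENTRY_RE = re.compile(r"^(?P<kind>F2|O4) - (?P<rest>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")

def check_userinit(value):
    """Flag every comma-separated UserInit entry other than the expected userinit.exe."""
    parts = [p.strip().strip('"') for p in value.split(",") if p.strip()]
    return [f"extra UserInit program: {p}" for p in parts if p.lower() != EXPECTED_USERINIT]

def check_run_command(cmd):
    """Flag a Run-key command by where it lives, what it is, and what name it imitates."""
    path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else (cmd.split() or [""])[0]
    name = path.rsplit("\\", 1)[-1].lower()
    findings = []
    if "\\dllcache\\" in path.lower():
        findings.append("launched from system32\\dllcache (a WFP cache, not a program folder)")
    if name.endswith(SCRIPT_EXTS):
        findings.append(f"script-style startup program: {name}")
    if "0" in name and name.replace("0", "o") in KNOWN_NAMES:
        findings.append(f"name imitates {name.replace('0', 'o')} with a digit zero")
    return findings

def analyze(log_text):
    """Return [(line, findings)] for each F2/O4 line that raises at least one finding."""
    results = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        if m["kind"] == "F2" and "UserInit=" in m["rest"]:
            findings = check_userinit(m["rest"].split("UserInit=", 1)[1])
        else:
            run = RUN_RE.search(m["rest"])
            findings = check_run_command(run["cmd"]) if run else []
        if findings:
            results.append((line.strip(), findings))
    return results

for flagged_line, reasons in analyze(SAMPLE_LOG):
    print(flagged_line, "\n   -> " + "\n   -> ".join(reasons))
```

Run against the sample it reports the four malicious entries and stays silent on the QuickTime item; the O23 service line is outside its scope.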
     
  5. meltvn

    meltvn Private E-2

    Hi Abri

    Thanks for the reply.
    Is there a way to uninstall Java from the command prompt or within the program folder, as I am unable to use Add and Remove Programs? It terminates as soon as I open it. :rolleyes

    Thanks
    Melt
     
  6. abri

    abri MajorGeek

    Just leave it for now. Did you continue with the rest of the instructions? If you can't do one thing, continue on with the next. The old Javas are vulnerabilities. We routinely try to get rid of them and will come back to that.

    abri
     
  7. meltvn

    meltvn Private E-2

    Hello Abri

    I have done all as directed.
    Your GetLogs.bat program fails to execute :mad
    I am attaching the Avenger log and the MGtools log, I think.

    The PC is still infected with the Generic2.OEH (w32.Bacalid) virus. :banghead
     

    Attached Files:

    Last edited: Jan 13, 2008
  8. meltvn

    meltvn Private E-2

    It seems like the MGtools log does not want to go
    Melt
     
  9. meltvn

    meltvn Private E-2

    I think it is because it is the same one I sent the first time. The sizes are exactly the same??

    Regards
    Melt
     
  10. meltvn

    meltvn Private E-2

    Hi Tim

    I have done as you told, but had to delete the two files and directories manually as the Avenger tool did not run. It said it was corrupt, possibly by a virus infection.
    Folders to delete:

    C:\WINDOWS\system32\dllchache

    Files to delete:

    C:\WINDOWS\system32\M5VBVM60.EXE

    What I also noticed is that Windows automatically hides the system32 folder; it also resets the show hidden attributes in Explorer no matter if I set them. Just on the following window I open, it is reset.

    Have just rebooted and got a message for the first time..
    Windows File Protection, scanning Windows ....??? The window changed and is looking for the Windows CD.
    Will come back with the result later, have to go.

    Regards
    Melt
     
    Last edited: Jan 13, 2008
  11. abri

    abri MajorGeek

    Hi meltvn!
    I must have a word with you. Avenger did run and it deleted those items I asked you to have it delete. Check the log in post #7.
    Secondly, you did already run the GetLogs.bat because you already produced the logs when you first installed MGTools.exe. Therefore, that does work.

    Now.
    Since everything is working, I would like for you to continue. First I would like for you to fix an item I missed the first time around in HijackThis and then I will give you a link to a removal tool for the specific virus you have.

    First, go to the MGTools folder under C and open it. Look for analyse.exe (which is HijackThis renamed) and double click on it. Click on Do a System Scan Only. In the list it creates, look for the entry O4 - HKLM\..\Run: [Blank AntiViri] C:\AUT0EXEC.BAT StartUp. Put a checkmark next to this item and then close all your browsers and then hit Fix. After you finish, just close HijackThis.

    Next, please go to C:\AUT0EXEC.BAT and delete this.

    After you finish those two steps, please see the McAfee Stinger tool which you'll find about halfway down this page: http://vil.nai.com/vil/Content/v_140566.htm

    Let me know how you are getting on.
    abri
     
  12. meltvn

    meltvn Private E-2

    Hello Again Abri

    Thanks for your support. I think you must be biting your teeth by now when you hear from me?

    I have done as told, the computer seemed to be fine for a short while and then the virus just reappeared?

    And this is only the one computer??

    The tool ended up clean; I don't know if it was because AVG detected the virus before the scan finished.

    I am all in your hands now...... :eek:

    I still found folders on the computer that appeared with an .exe extension, and the original folders hidden with the original files inside..

    Regards
    Melt
     
  13. meltvn

    meltvn Private E-2

    Everything about the virus returned..
    I am unable to go to directories in Internet Explorer on the second level. All Windows system programs terminate; well, all is back to hell....
    Is there no manual way to remove the virus? Symantec always used to have a manual virus removal section, but it seems not to anymore. Well, for this one there is none I could find??

    Regards
    Melt
     
  14. abri

    abri MajorGeek

  15. meltvn

    meltvn Private E-2

    Hi Abri

    No it did not help.
    Still infected :(

    I am out of suggestions

    Attached is my latest Hijack logfile

    Regards
    Melt
     

    Attached Files:

  16. abri

    abri MajorGeek

    Hi meltvn!

    Sorry the removal tools from McAfee and Symantec didn't work.
    In your HijackThis log there are two entries which need to be fixed. In order to help you, I need the whole set of logs, but first do the following:

    1) Please run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, "C:\WINDOWS\system32\M5VBVM60.EXE StartUp"
    O4 - HKLM\..\Run: [Blank AntiViri] C:\AUT0EXEC.BAT StartUp

    After you click fix, just close hijackthis.


    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Now run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates.

    abri
     
  17. meltvn

    meltvn Private E-2

  18. meltvn

    meltvn Private E-2

    Hi Abri

    Here is your log file

    Hope we can get on top of this virus now; I still have a second PC to fix with the same virus. :major

    Regards
    Melt
     

    Attached Files:

  19. meltvn

    meltvn Private E-2

    hello abri

    The good news is that Avira AntiVir contained the virus, amazing :celebrate

    I could manually remove the dllcache file and the autoexec. The virus does not reappear after two complete scans. :D

    The :crap processes are all gone, and everything seems to be holding up.
    If you could now help me fix the registry changes, it would be much appreciated. :)

    The link I sent you two posts down should have more meaning to you than to me.

    I am sending you the latest HJT file, as I can still see the instances that the program was supposed to fix..

    regards
    melt
     

    Attached Files:

  20. abri

    abri MajorGeek

    Hi meltvn,

    I'm glad you are making progress! Please go to add/remove programs and uninstall AVG. Leave Avira. If Avira fixed the trojan you mentioned, then it also seems to have removed all the associated files, because they do not appear in your original logs. Since then you haven't posted anything except hijackthis so it's not possible to check if they appeared later.

    The two files which I asked you to fix in HijackThis are still there. Sometimes antivirus or anti malware programs prevent items from being fixed. Please turn off the computer and unplug it from the internet. Boot back up and try fixing these two items again after disabling any antivirus, anti-spyware and your firewall. If this does not work (you can check the log for these two items) then please repeat the procedure in Safe Mode (gotten to by hitting the F8 key during the boot sequence until the menu appears where Safe Mode is one of the choices.)

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, "C:\WINDOWS\system32\M5VBVM60.EXE StartUp"
    O4 - HKLM\..\Run: [Blank AntiViri] C:\AUT0EXEC.BAT StartUp

    After you click fix, just close hijackthis.

    After you finish, re-enable all protection software and then re-connect to the internet.

    Then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates. GetLogs.bat is located in the MGTools folder under C:\ The logs themselves can be found directly under C:\ with the name MGlogs.zip.

    Let me know how things are running now?

    abri
     
  21. meltvn

    meltvn Private E-2

    Hello again abri

    Have done all that was asked. Attached find the logfile.
    I hope this pc is done now.

    kind regards
    melt
     

    Attached Files:

  22. abri

    abri MajorGeek

    Hi meltvn!
    That all looks better! If you are not having further malware problems, there are two things left to do.

    1) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    Unfortunately, from the time you started this thread to now, Java updated.

    2) Go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 3

    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment

    Finally, I would like for you to do our final cleanup procedures which will remove the tools and logs we put on your computer:
     
  23. meltvn

    meltvn Private E-2

    Hi Abri

    The Notebook computer is already back to the owner.

    Thanks for your help, it was highly appreciated.

    The only computer left is my own one. The virus has been removed, but there is still some registry and program start-up issues.

    If you don't mind, I would like to send a log file to you. I just need to follow the steps for creating the files indicated on this forum.

    I will send it off to you most probably on Friday.

    Again thanks for your help. :wave
    Regards
    Melt
     
  24. abri

    abri MajorGeek

    Hi meltvn!
    Thanks. Your second computer may be having software rather than malware problems. Please start a new thread for that computer. It's better for us that way. After we look at the logs, we can tell you better if you will get more help here or in the Software Forum.
    abri
     
