TechSpot

Can't Remove Virus

By ethan519
Dec 8, 2005
  1. Hi. My cousin lives in Russia and we talk almost every day online. Everything was fine on his computer until 1 week ago, when his roommate used the computer for 4 hours, without permission. Afterwards, the computer slowed to a crawl and my cousin was not able to open folders or programs.

    We bypassed his startup programs in msconfig. We then ran Adaware and Spybot. Adaware found the usual cookies and Spybot came up only with that DOExploit (which I think is simply a misread in Spybot).

    We ran Trendmicro Housecall and the first time, it found 10 viruses. It seemed to get it down to 2, but the computer was still not running well (very slow and closing windows).

    We ran it again in safe mode, and it found only 3, and said it removed 2. The one that consistently came up and was not removed was "Chophar.a".

    The other day, we ran Panda Activescan and also ran HJT. I am enclosing both logs in hopes that someone can help get this clean again. The reason why I am posting for my cousin is that his English is not great and he would never understand many of the fixes provided here.

    Thank you.
     
  2. Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,916   +9

    Well well, nice roommate.

    I'd suggest this approach: Download Process Explorer, then unplug the network cable from the computer if not done already.

    With Process Explorer, kill these:

    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\inet20003\winlogon.exe
    C:\WINDOWS\inet20003\mm.exe
    C:\WINDOWS\System32\rsvp.exe

    Don't kill the winlogon.exe made by Microsoft Corporation, with description "Windows NT Logon Application" !

    Then fix these with HJT:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

    F3 - REG:win.ini: run=C:\WINDOWS\inet20003\winlogon.exe

    O2 - BHO: VPN-OEM Extension - {11D003B5-B3B5-4BCC-A974-71148786E968} - C:\WINDOWS\System32\msexchdr.dll
    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

    O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\winlogon.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\winlogon.exe
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"

    O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

    O20 - AppInit_DLLs: C:\WINDOWS\System32\dbgwin.dll
    O21 - SSODL: SysTray.Exiv - {2963ECFC-4E5C-2f3b-B334-D67434FC72E0} - (no file)
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


    Then, edit c:\windows\system.ini, find the line that says this:

    Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"

    Delete the "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe" part (there are a lot of spaces before it, don't let that fool you).

    Uninstall VNC from "Add & Remove Programs".

    Add a password to the screensaver, change all passwords, disable unneeded users etc.
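As an added example (not from the thread and not part of HijackThis itself), here is a small Python triage script that applies the kind of checks the list above relies on to HJT lines quoted from this thread, plus one constructed benign ctfmon.exe entry to show what is not flagged. The flagging rules, the SYSTEM_NAMES set and the function name are my own assumptions.

```python
import re

# HijackThis log lines quoted from the thread above, plus one constructed
# benign ctfmon.exe entry (last line, not from the posted log) as a control.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\winlogon.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\winlogon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"
O20 - AppInit_DLLs: C:\WINDOWS\System32\dbgwin.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Core Windows binaries that legitimately live only under %SystemRoot%\System32 (assumed list).
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "svchost.exe"}
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|html?)', re.IGNORECASE)

def triage_hjt(log):
    """Return [(line, [reasons])] for log entries that deserve a closer look."""
    findings = []
    for line in log.strip().splitlines():
        reasons = []
        kind = line.split(" - ", 1)[0]  # R0, F3, O2, O4, O20, O23, ...
        if "(no file)" in line or "(file missing)" in line:
            reasons.append("orphaned entry: the referenced file no longer exists")
        if kind in ("R0", "R1") and re.search(r"=\s*[a-z]:\\.*\.html?$", line, re.I):
            reasons.append("browser start/default page redirected to a local HTML file")
        if kind == "F3":
            reasons.append("legacy win.ini/system.ini autostart (run=/load=) is in use")
        if kind == "O20":
            reasons.append("AppInit_DLLs loads this DLL into every process that uses user32")
        if kind == "O4" and re.search(r"\[(shell|userinit)\]", line, re.I):
            reasons.append("Run value named after a Winlogon key (Shell/Userinit)")
        for path in PATH_RE.findall(line):
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_NAMES and "\\system32\\" not in path.lower():
                reasons.append(f"{name} running from outside System32: {path}")
        if reasons:
            findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in triage_hjt(HJT_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Every quoted entry except the benign control line is flagged for at least one reason; such heuristics narrow the list to review and do not replace checking each file by hand.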
     
  3. ethan519

    ethan519 TS Rookie Topic Starter

    Thank you for answering. We did the things you suggested, though when we tried to kill the RSVP process, it came right back.

    We also could not find the msexchdr.dll line.

    Also, in the system.ini, there was nothing like you had mentioned, but there was a line there for "load" that had the inet20003\winlogon.exe, so we deleted that.

    We ran another Hijack log. How does this one look?

    As an aside... my cousin was getting a message before we did your suggested fixes. When he was not connected to the internet, a browser window would open and give a message about needing to work offline. It has not come back since we did what you said. I am thinking maybe that was one of the trojan dialers trying to access the internet.


    Thanks again-
    ethan
     
  4. Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,916   +9

    These need fixing:

    O2 - BHO: VPN-OEM Extension - {11D003B5-B3B5-4BCC-A974-71148786E968} - C:\WINDOWS\System32\msuieng.dll
    O21 - SSODL: XmLdrLocation - {0C887F38-5178-43DA-B9F0-B856141FCDA4} - C:\WINDOWS\System32\msuueng.dll

    Delete those files after fixing & rebooting.
     
  5. nguyentheloi

    nguyentheloi TS Rookie

    I also get this trojan: ibm00009.exe!!

    I used Norton Antivirus 2005 and it can recognize this virus, but then, when Windows XP starts up, there's a warning requiring the ibm00009.exe file?? I attached it here. So, how can I deal with this problem, so that Windows won't display this warning again? Please help me, thanks!
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Go and read this thread. Before posting your HijackThis log, please read this. Follow all the instructions exactly.

    Then, open a new thread in the security and the web forum.

    Post a fresh HJT log, only after doing the above.

    Regards, Howard :wave: :wave:
     
  7. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Before you delete xxx.dll files you need to UNregister them first, as follows:

    Click Start/Run and type in:
    REGSVR32 /U Drive:\Path\FILE.DLL
    (for example: REGSVR32 /U C:\Windows\pqymml.dll) and press Enter.
     