KillVBS.vbs and Continuous install updates before turn off laptop

Status
Not open for further replies.

fmirna

Hi there!

I have 2 issues that I'm dealing with right now...

1) a dialogue box that keeps on popping up every time I start my laptop that says something like - cannot find script file "c:/windows/system32/killvbs.vbs". I have found a previous thread in regards to the same issue so I have followed the sets of steps in the "Viruses/Spyware/Malware, preliminary removal instructions" and attached are the 3 logs of HJT, Combofix, and AVG Antispyware. Appreciate it if you could please check the logs and provide further instructions. At the moment, the killvbs popup window has stopped showing but I would like to make sure that everything is clean...

2) every time I want to turn off my laptop, the "Install important updates before turn off" notification keeps on popping up. I've installed the updates several times but every day is the same... it keeps on saying I should install updates. Is this real? So far I have been turning off my laptop without installing the updates anymore because I'm not so sure these updates are real... but even after doing those steps above for removing malware/virus/spyware, the update notification is still there. Could you please advise?

thanks in advance! please let me know if you need anything else =)
 
I'll look over the logs now and post back later. What thread did you find about the KillVBS problem, and has it still stayed away?
 
Hi Kritius

Thanks for the reply. I've turned on my laptop and the KillVBS.vbs popup window has gone. So do you think I can safely assume that there's nothing wrong anymore? The Install Updates before Turn Off is still there though...

Could you please explain what you mean by "what thread"?

cheers
 
fmirna said:
I have found a previous thread in regards to the same issue so ...

kritius said:
I'll look over the logs now and post back later

fmirna said:
The Install Updates before Turn Off is still there though...

What happens when you go to Windows Update using Internet Explorer and complete all the updates? Does that message then disappear? Also, do all updates complete successfully from doing Windows Update?
 
HJT log is clean, just a couple of things to tidy up

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    Folder::
    C:\VundoFix Backups
    C:\Program Files\Symantec
    C:\Program Files\Common Files\Symantec Shared
    C:\Documents and Settings\All Users\Application Data\Symantec
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    CFScript.gif

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Get an Uninstall List from HijackThis:
  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Attach it in your next post.
 
hmm... I've dragged the CFScript.txt to the Combofix.exe but nothing really happened.... only a status bar but the Combofix application didn't open. Is it meant to open Combofix automatically after I dragged it and run the scan? Nothing happened so I opened Combofix by double clicking it and ran a scan and it created the log attached (log.txt).

Looking at the log briefly, nothing seems to be different from the first Combofix log I attached on my first message (Combofix.txt). Am I doing something wrong? I've continued the steps and attached is the HJT result.

thank youuu
 
ok,

Go to Add/Remove Programs and uninstall

Java(TM) 6 Update 2
Java(TM) 6 Update 3
LiveUpdate 2.7 (Symantec Corporation)
Symantec KB-DocID:2003093015493306
ZoneAlarm Spy Blocker


Recently, ZoneAlarm decided to include a "ZoneAlarm Spy Blocker toolbar" as well, which is optional during install.

However, this toolbar now uses the AskJeeves/Ask.com search engine.

More info: here.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\VundoFix Backups
    C:\Program Files\Symantec
    C:\Program Files\Common Files\Symantec Shared
    C:\Documents and Settings\All Users\Application Data\Symantec
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
 
kimsland said:
What happens when you go to Windows Update using Internet Explorer and complete all the updates? Does that message then disappear? Also, do all updates complete successfully from doing Windows Update?

Kimsland, thanks for the link. I've managed to install the following successfully:
>> Office 2003 Service Pack 3 (SP3)
>> Cumulative Security Update for Internet Explorer 7 for Windows XP (KB947864)
>> Security Update for Microsoft XML Core Services 6.0 and Microsoft XML Core Services 6.0 Service Pack 1 (KB933579)

However, this one below keeps on saying it has been successfully installed but the automatic update keeps on popping up, and the "Install important updates before turn off" notification also still pops up.... I've installed this one here more than 10 times already and in the Microsoft Update website when I go to the "Review Update History", each and every one of them has a green tick next to it, which means "Succeeded"
>> Security Update for Microsoft XML Core Services 4.0 Service Pack 2 (KB936181)

What else could I do? :(

cheers
 
Using Add or Remove Programs, uninstall "Msxml 4.0 Parser (0.06mb)"

Do the automatic update thingo after that
 
Kritius,

I couldn't find the Symantec KB-DocID:2003093015493306 on the add/remove programs. But I've removed all the others on the list.

Please see below for contents of the OTMoveIT2 log:

C:\VundoFix Backups moved successfully.
File/Folder C:\Program Files\Symantec not found.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\TextHub moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\incoming moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20061101.019 moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20061031.020 moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20061030.018 moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs moved successfully.
C:\Program Files\Common Files\Symantec Shared\SymSetup moved successfully.
C:\Program Files\Common Files\Symantec Shared\SPManifests moved successfully.
C:\Program Files\Common Files\Symantec Shared\Security Console moved successfully.
C:\Program Files\Common Files\Symantec Shared\EENGINE moved successfully.
Folder move failed. C:\Program Files\Common Files\Symantec Shared\CCPD-LC scheduled to be moved on reboot.
Folder move failed. C:\Program Files\Common Files\Symantec Shared scheduled to be moved on reboot.
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus moved successfully.
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate moved successfully.
C:\Documents and Settings\All Users\Application Data\Symantec\ErrLogs moved successfully.
C:\Documents and Settings\All Users\Application Data\Symantec moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04202008_092855

Files moved on Reboot...
C:\Program Files\Common Files\Symantec Shared\CCPD-LC moved successfully.
C:\Program Files\Common Files\Symantec Shared moved successfully.
 
Kimsland, I can't find the Msxml 4.0 Parser (0.06mb)... I can only find the following:

MSXML 4.0 SP2 (KB925672) - 2.56MB
MSXML 4.0 SP2 (KB927978) - 2.56MB
MSXML 4.0 SP2 (KB936181) - 2.62MB
MSXML 6.0 Parser (KB933579) - 1.31MB

I haven't done anything to them yet.
 
If it were me, I'd remove them all !

You could find out which is which, and even use the Windows Installer CleanUp Utility to locate KB933579 (if it exists) and remove it using that tool.

But why? When you could remove them all, and just go to auto-update again.

Please try one of those options (all remove, or utility)
 
Thanks Kimsland! I removed all four of those and did auto update once and rebooted twice, just to make sure, and in both cases the "install updates before turn off" notification is gone! Yeay! Much appreciated! :)
 
I would like you to do an online scan so that we can see what else may be in your system.
Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    o Extended (If available, otherwise use standard)
    o Scan Options:
    o Scan Archives
    o Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    Kas-SaveReport-1.gif

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file
  • In the Save as type prompt, select Text file (see below)

    Kas-Savetxt.gif

  • Include the report in your next post.
 
Please see attached for the result for Kaspersky online scan result... seems like it's not clean yet :(
 
Actually it looks quite good,

Please open the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Documents and Settings\FranSiSkA\My Documents\Downloads\Cucusoft Ultimate DVD to PSP iPOD PSP ZUNE iPhone Apple TV Video Movie Converter suite\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro.exe
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Delete the SmitfraudFix, VundoFix and VirtumundoBeGone by dragging them to the recycle bin and then emptying it.

Open the OTMoveIt2 by OldTimer again.

  • Double-click OTMoveIt2.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

  • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

    or

    Windows Vista System Restore Guide

Re-enable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here:

    Instructions for Spybot S & D

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place
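
The six Custom Level changes listed in the post above are stored as DWORD values under the Internet zone's registry key. As an added example (not part of the original thread), this read-only PowerShell audit compares those values with the post's recommendations; the action IDs are Microsoft's URL action codes for the named settings, while the function names and the `$sample` values are constructed for illustration.

```powershell
# Added example: audit the Internet zone (zone 3) values behind the six
# Custom Level settings listed in the post. Nothing is written to the registry.
# Stored policy values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action ID (registry value name) -> setting label and recommended value
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';   Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls'; Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';      Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME'; Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains'; Want = 1 }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Hypothetical helper: read the six values from a zone key into a hashtable.
function Get-ZoneValues {
    param([string]$Path)
    $values = @{}
    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($id in $Recommended.Keys) {
            if ($null -ne $key.$id) { $values[$id] = $key.$id }
        }
    }
    $values
}

# Hypothetical helper: compare a hashtable of values with the recommendations.
function Test-ZoneSettings {
    param([hashtable]$Actual)
    foreach ($id in $Recommended.Keys) {
        $want = $Recommended[$id].Want
        $have = if ($Actual.ContainsKey($id)) { $Actual[$id] } else { $null }
        $shown = if ($null -eq $have) { 'not set' }
                 elseif ($Label.ContainsKey([int]$have)) { $Label[[int]$have] }
                 else { '0x{0:X}' -f $have }
        [pscustomobject]@{
            Action  = $id
            Setting = $Recommended[$id].Name
            Current = $shown
            Wanted  = $Label[$want]
            OK      = ($have -eq $want)
        }
    }
}

# Constructed sample: three settings weaker than recommended, one missing.
$sample = @{ '1001' = 0; '1004' = 3; '1201' = 1; '1800' = 1; '1804' = 0 }
Test-ZoneSettings -Actual $sample | Format-Table -AutoSize

# Live check of the current user's Internet zone.
Test-ZoneSettings -Actual (Get-ZoneValues -Path $ZonePath) | Format-Table -AutoSize
```

Rows with `OK` set to `False` are the ones to change through the Custom Level dialog; values enforced by Group Policy are stored under a separate Policies key and are not read here.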
 
I just realised I forgot to post the result of the OTMoveIt2 from the first step when the laptop reboot after the CleanUp! button, but it did mention that the "File/Folder C:\Documents and Settings\FranSiSkA\My Documents\Downloads\Cucusoft Ultimate DVD to PSP iPOD PSP ZUNE iPhone Apple TV Video Movie Converter suite\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro.exe moved successfully".. I'll continue other steps now
 
I've finally completed all the steps and your recommendations to reduce the risk of getting infected again... except for the "MVPS Hosts file" part, I've to take time and read it again someday. I'll keep my antivirus and all other protections I have updated regularly :)

Thank You sooo soo much, Kritius, for being such a wonderful samaritan! Really i appreciate your help and kind attention very very much! The past few weeks have been stressful indeed so thank you thank you thank youuu! :)
 