TechSpot

KillVBS.vbs and Continuous install updates before turn off laptop

By fmirna
Apr 17, 2008
  1. Hi there!

    I have 2 issues that i'm dealing with right now...

    1) a dialogue box that keeps on popping up everytime i start my laptop that says something like - cannot find script file "c:/windows/system32/killvbs.vbs". i have found a previous thread in regards to the same issue so i have followed the sets of steps in the "Viruses/Spyware/Malware, preliminary removal instructions" and attached are the 3 logs of HJT, Combofix, and AVG Antispyware. appreciate it if you could please check the logs and provide further instructions. at the moment, the killvbs popup window has stopped showing but i would like to make sure that everything is clean...

    2) everytime i want to turn off my laptop, the "Install important updates before turn off" notification keeps on popping up. i've installed the updates several times but everyday is the same... it keeps on saying i should install updates. is this real? so far i have been turning off my laptop without installing the updates anymore because im not so sure these updates are real... but even after doing those steps above for removing malware/virus/spyware, the update notification is still there. could you please advise?

    thanks in advance! please let me know if you need anything else =)
     
  2. kritius

    kritius TS Guru Posts: 2,087

    Ill look over the logs now and post back later, what thread did you find about the KillVBS problem and has it still stayed away?
     
  3. fmirna

    fmirna TS Rookie Topic Starter

    Hi Kritius

    Thanks for the reply. I've turned on my laptop and the KillVBS.vbs popup window has gone. So do you think I can safely assume that there's nothing wrong anymore? The Install Updates before Turn Off is still there though...

    Could you please explain what you mean by "what thread"?

    cheers
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    What happens when you go to Windows Update using Internet Explorer, and you complete all the updates.? Does that message then disappear ? Also do all updates complete successfully ? from doing Windows Update
     
  5. kritius

    kritius TS Guru Posts: 2,087

    HJT log is clean, just a couple of things to tidy up

    COMBOFIX-Script

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      Folder::
      C:\VundoFix Backups
      C:\Program Files\Symantec
      C:\Program Files\Common Files\Symantec Shared
      C:\Documents and Settings\All Users\Application Data\Symantec
      
      
          
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

      [​IMG]
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    get an Uninstall List from HijackThis:
    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Attach it in your next post.
     
  6. fmirna

    fmirna TS Rookie Topic Starter

    hmm... ive dragged the CFScript.txt to the Combofix.exe but nothing really happened.... only a status bar but the Combofix application didnt open. is it meant to open Combofix automatically after i dragged it and run the scan? nothing happened so i opened Combofix by double clicking it and run a scan and it created the log attached (log.txt).

    looking at the log briefly, nothing seems to be different from the first Combofix log i attached on my first message (Combofix.txt). am i doing something wrong? ive continued the steps and attached is the HJT result.

    thank youuu
     
  7. kritius

    kritius TS Guru Posts: 2,087

    ok,

    Go to add/remove programs and unistall

    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    LiveUpdate 2.7 (Symantec Corporation)
    Symantec KB-DocID:2003093015493306
    ZoneAlarm Spy Blocker


    Since recently, Zonealarm decided to include a "ZoneAlarm Spy Blocker toolbar" as well which is an optional during install.

    However, this Toolbar now uses the AskJeeves/Ask.com searchengine.

    More info: here.

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\VundoFix Backups
      C:\Program Files\Symantec
      C:\Program Files\Common Files\Symantec Shared
      C:\Documents and Settings\All Users\Application Data\Symantec
          
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
     
  8. fmirna

    fmirna TS Rookie Topic Starter

     
  9. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Using Add or Remove Programs,uninstall "Msxml 4.0 Parser (0.06mb)"

    Do the automatic update thingo after that
     
  10. fmirna

    fmirna TS Rookie Topic Starter

    Kritius,

    I couldn't find the Symantec KB-DocID:2003093015493306 on the add/remove programs. But i've removed all the others on the list.

    Please see below for contents of the OTMoveIT2 log:

    C:\VundoFix Backups moved successfully.
    File/Folder C:\Program Files\Symantec not found.
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\TextHub moved successfully.
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\incoming moved successfully.
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub moved successfully.
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\20061101.019 moved successfully.
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\20061031.020 moved successfully.
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\20061030.018 moved successfully.
    C:\Program Files\Common Files\Symantec Shared\VirusDefs moved successfully.
    C:\Program Files\Common Files\Symantec Shared\SymSetup moved successfully.
    C:\Program Files\Common Files\Symantec Shared\SPManifests moved successfully.
    C:\Program Files\Common Files\Symantec Shared\Security Console moved successfully.
    C:\Program Files\Common Files\Symantec Shared\EENGINE moved successfully.
    Folder move failed. C:\Program Files\Common Files\Symantec Shared\CCPD-LC scheduled to be moved on reboot.
    Folder move failed. C:\Program Files\Common Files\Symantec Shared scheduled to be moved on reboot.
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus moved successfully.
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate moved successfully.
    C:\Documents and Settings\All Users\Application Data\Symantec\ErrLogs moved successfully.
    C:\Documents and Settings\All Users\Application Data\Symantec moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04202008_092855

    Files moved on Reboot...
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC moved successfully.
    C:\Program Files\Common Files\Symantec Shared moved successfully.
     
  11. fmirna

    fmirna TS Rookie Topic Starter

    Kimsland, i cant find the Msxml 4.0 Parser (0.06mb)... i can only find the following:

    MSXML 4.0 SP2 (KB925672) - 2.56MB
    MSXML 4.0 SP2 (KB927978) - 2.56MB
    MSXML 4.0 SP2 (KB936181) - 2.62MB
    MSXML 6.0 Parser (KB933579) - 1.31MB

    I havent done anything to them yet.
     
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    If it were me, I'd remove them all !

    You could find out which is which, and even use the Windows installer cleanup utility to locate KB933579 (if exists) and remove it, from using that tool.

    But why? When you could remove them all, and just go to auto-update again.

    Please try one of those options (all remove, or utility)
     
  13. fmirna

    fmirna TS Rookie Topic Starter

    Thanks Kimsland! i removed all four of those and did once auto update and reboot twice, just to make sure, and in both cases the "install updates before turn off" notification is gone! Yeay! Much appreciated! :)
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    I have to get one right a day!
    Thanks for the update :)
     
  15. fmirna

    fmirna TS Rookie Topic Starter

    haha, im sure with ur rank of TechSpot Guru, ull get more than one right a day for sure! :D
     
  16. kritius

    kritius TS Guru Posts: 2,087

    I would like you to do an online scan so that we can what else may be in your system,
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

      [​IMG]
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)

      [​IMG]
    • Include the report in your next post.
     
  17. fmirna

    fmirna TS Rookie Topic Starter

    Please see attached for the result for Kaspersky online scan result... seems like it's not clean yet :(
     
  18. kritius

    kritius TS Guru Posts: 2,087

    Actually it looks quite good,

    Please open the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\Documents and Settings\FranSiSkA\My Documents\Downloads\Cucusoft Ultimate DVD to PSP iPOD PSP ZUNE iPhone Apple TV Video Movie Converter suite\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro.exe
          
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Delete the SmitfraudFix, VundoFix and Virtmnudobegone by dragging them to the recycle bin and then emptying it.

    open the OTMoveIt2 by OldTimer again.

    • Double-click OTMoveIt2.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.

    Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

    • Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

      You can find instructions on how to enable and re-enable system restore here:

      Windows XP System Restore Guide

      or

      Windows Vista System Restore Guide

    Re-enable system restore with instructions from tutorial above

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.

    • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

      This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

      Instructions for Spybot S & D

    • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety

    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
    • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Also, please read this great article by Tony Klein So How Did I Get Infected In First Place
     
  19. fmirna

    fmirna TS Rookie Topic Starter

    i just realised i forgot to post the result of the OTMoveIt2 from the first step when the laptop reboot after the CleanUp! button, but it did mention that the "File/Folder C:\Documents and Settings\FranSiSkA\My Documents\Downloads\Cucusoft Ultimate DVD to PSP iPOD PSP ZUNE iPhone Apple TV Video Movie Converter suite\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro.exe moved succesfully".. ill continue other steps now
     
  20. fmirna

    fmirna TS Rookie Topic Starter

    ive finally completed all the steps and ur recommendations to reduce the risk of getting infected again... except for the "MVPS Hosts file" part, ive to take time and read it again someday. ill keep my antivirus and all other protections i have updated regularly :)

    Thank You sooo soo much, Kritius, for being such a wonderful samaritan! Really i appreciate your help and kind attention very very much! The past few weeks have been stressful indeed so thank you thank you thank youuu! :)
     
  21. kritius

    kritius TS Guru Posts: 2,087

    No problem any time,

    if a moderator reads this the thread can be closed
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.