Request solution to clean infected computer including: wvuvsrq.dll and iiiii.dll

AricCougar, if you did not purposely install the above listed files please use these instructions. If any of those files were installed by you, please do NOT run these instructions and let me know which file so I can update the script.
------------------------------------------------------------------------------------------------------

Avenger by Swandog

  • Download Avenger by Swandog and unzip it to your Desktop.

    Note: This program must be run from an account with Administrator privileges.

  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and Paste it into the Input script here: box.
Code:
Files to delete:
C:\WINNT\system32\zip.exe
C:\WINNT\system32\sed.exe
C:\WINNT\system32\grep.exe
C:\WINNT\system32\fdsv.exe

Folders to delete:
C:\Program Files\Webteh
C:\Program Files\foobar2000

  • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
  • Attach the log back here please. (it can also be found at C:\avenger.txt)
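The warning at the top of this post (tell the helper if you installed any of the listed files yourself) is the step people skip. The following is an added example, not part of the thread or of Avenger: a pre-flight check that parses the script above and lists the targets the user should confirm before pressing Execute. It flags command-line utilities such as zip.exe, sed.exe and grep.exe, which people do copy into system32 by hand, and Program Files folders that belong to ordinary software (foobar2000 is an audio player; Webteh is the maker of BS.Player). The tool and application lists are assumptions chosen for the illustration; the script text is the one posted above.

```python
"""Pre-flight review of an Avenger script before running it.

Added example, not part of the thread or of Avenger. The tool and
application lists below are assumptions chosen to illustrate the check.
"""
import ntpath
from collections import defaultdict

# The script posted in the thread above, verbatim.
AVENGER_SCRIPT = r"""
Files to delete:
C:\WINNT\system32\zip.exe
C:\WINNT\system32\sed.exe
C:\WINNT\system32\grep.exe
C:\WINNT\system32\fdsv.exe

Folders to delete:
C:\Program Files\Webteh
C:\Program Files\foobar2000
"""

# Command-line utilities that people copy into system32 by hand (assumed list).
HAND_INSTALLED_TOOLS = {"zip.exe", "unzip.exe", "sed.exe", "grep.exe", "awk.exe",
                        "gzip.exe", "tar.exe", "wget.exe", "curl.exe"}

# Program Files folder names that belong to ordinary desktop software (assumed list).
KNOWN_APP_FOLDERS = {"foobar2000": "foobar2000 audio player",
                     "webteh": "Webteh, maker of BS.Player"}


def parse_avenger_script(text):
    """Split an Avenger script into {section: [path, ...]}.

    Section headers look like 'Files to delete:' or 'Folders to delete:';
    the word before 'to delete:' (lower-cased) becomes the key, so other
    '... to delete:' sections are accepted as well.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().endswith("to delete:"):
            current = line[: -len("to delete:")].strip().lower()
            continue
        if current is None:
            raise ValueError(f"path appears before any section header: {line!r}")
        sections[current].append(line)
    return dict(sections)


def review_targets(sections):
    """Return (path, reason) pairs the user must confirm before executing."""
    warnings = []
    for path in sections.get("files", []):
        base = ntpath.basename(path).lower()
        in_system32 = "\\system32\\" in path.lower()
        if in_system32 and base in HAND_INSTALLED_TOOLS:
            warnings.append((path, f"{base} is a tool people install by hand; "
                                   "confirm you did not put it there"))
    for path in sections.get("folders", []):
        base = ntpath.basename(path.rstrip("\\")).lower()
        if base in KNOWN_APP_FOLDERS:
            warnings.append((path, f"folder belongs to {KNOWN_APP_FOLDERS[base]}; "
                                   "confirm it is not software you installed"))
    return warnings


if __name__ == "__main__":
    plan = parse_avenger_script(AVENGER_SCRIPT)
    for section, paths in plan.items():
        print(f"{section}: {len(paths)} target(s)")
    for path, reason in review_targets(plan):
        print(f"CONFIRM  {path}\n         {reason}")
```

Run it on the script before pasting the script into Avenger; every CONFIRM line is a question for the user, not a verdict, because the same four system32 binaries are malware droppings on one machine and a hand-installed toolchain on another.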
 
Finished.

(Moderator edit: There is no need to quote a post directly above yours when replying.)

Okay, just finished. Here is the log. Attached.
 

Okay

Okay, the moderator has a good point. I'll remember that.

On the main topic, since Avenger appears to have shown no problems, I'll go ahead and run the other programs and submit logs here Monday evening, if I haven't heard from anyone by then with alternate instructions.
 
Hmm, I believe fresh ComboFix and HJT logs from normal mode should be good enough. Hopefully your system is clean now. Are you experiencing any malware related problems?
 
Logs Provided

I have been having many problems with speed issues (but not able to identify any rogue processes), slow Internet, but have checked settings and monitored throughput, and my Windows Update features always freeze and do not function.

However, after running these final logs, it seems that Windows Update may be behaving for the first time in a long while. I'll post the fresh logs here now, and then go try to obtain the March updates for Windows 2000 and Office 2003 that should be there.

Additionally, I have found some websites to fail when downloading, and some PHP won't work. In these cases, it doesn't give errors, but rather sends me back to the home page of the domain, without delay.

EDIT: Okay, there is a new issue: apparently there is no attach files link or button available to me. So I will try to post this, and then log out and back in to see if that fixes it to get the logs here.
 
Reboot brings back Attachment button in Firefox.

After a reboot, the button [Manage Attachments] now shows up... so I have uploaded them.

One other ailment of my computer is that on every reboot, as the desktop shows up, programs won't open for a long time, because svchost.exe is taking well over 100MB RAM and 99% CPU for 20 minutes before releasing my computer to me. So that continues to be disturbing. But perhaps you will find something in the logs. Or perhaps this Windows Update failure is somehow related to the svchost.exe process, since things never complete. But no errors ever show. It's rather elusive.

I wonder if a Windows 2000 original install disk repair function would fix things without losing my data. I'd probably have to find all my software disks and codes to reinstall, and I may lose other settings in that case... probably would be a headache. If it's going to come to that, perhaps a complete wipe and fresh install is wiser. But that always scares me a bit because of the time it takes, and the problems I've had with the floppy drive loading RAID drivers, etc. But I suppose it's an idea on the table.

Any thoughts anyone? Thanks.
 
Apparently these bad files are still there:

C:\WINNT\system32\sssru.ini
C:\WINNT\system32\yxxyb.ini
C:\WINNT\system32\1E37.tmp
C:\Program Files\Viewpoint\Common\ViewpointService.exe

Also this entry in HJT looks pretty suspicious; I would fix it.
O1 - Hosts: 169.254.140.213 HP000D9D198CD5

I would fix these too.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

("Viewpoint Manager Service" needs to be disabled in services.msc first before fixing the O23 entry)

I doubt your svchost.exe problem is related to the above though. It is more likely due to a buggy update. Try updating your windows again.

Regards,
momok
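The three HijackThis line types momok picks out above (O1 hosts-file mappings, O6 Internet Explorer policy restrictions, O23 services) are the ones worth a systematic first pass. The following is an added example, not from the thread or from HijackThis: a small triage script that parses those lines and ranks them the way the post does, including the point that a 169.254.x.x address is link-local and usually a LAN device rather than a hijack, and that an O23 service has to be stopped and disabled in services.msc before the log line is fixed. The first O1 line, the O6 line and the Viewpoint O23 line are the entries from this thread; the other two log lines, the sensitive-domain list and the suspect-directory list are constructed for the example.

```python
"""Triage of HijackThis (HJT) O1, O6 and O23 log lines.

Added example, not from the thread or from HijackThis. The sensitive-host
and suspect-directory lists are assumptions chosen for the illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# First O1, the O6 and the first O23 line are the entries discussed above;
# the other two lines are constructed for this example.
SAMPLE_LOG = r"""
O1 - Hosts: 169.254.140.213 HP000D9D198CD5
O1 - Hosts: 203.0.113.7 windowsupdate.microsoft.com
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Example Helper (exhelper) - Unknown owner - C:\Documents and Settings\User\Local Settings\Temp\exhelper.exe
"""

# Domains whose hosts-file redirection almost always means tampering (assumed list).
SENSITIVE_HOST_FRAGMENTS = ("microsoft.com", "windowsupdate", "symantec", "mcafee",
                            "kaspersky", "trendmicro", "avast", "sophos")
# Directories a legitimate service binary has no business living in (assumed list).
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\documents and settings\\", "\\recycler\\")

O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O6_RE = re.compile(r"^O6 - (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


@dataclass
class Finding:
    section: str
    severity: str  # "high", "verify" or "info"
    detail: str


def triage_o1(ip_text, hostname):
    """Rank one hosts-file mapping by what the address and name imply."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return Finding("O1", "high", f"unparseable address {ip_text!r} for {hostname}")
    if any(frag in hostname.lower() for frag in SENSITIVE_HOST_FRAGMENTS):
        return Finding("O1", "high", f"{hostname} -> {ip}: update/AV domain redirected, fix it")
    if ip.is_link_local:  # 169.254.0.0/16, auto-assigned on a LAN without DHCP
        return Finding("O1", "info", f"{hostname} -> {ip}: link-local, usually a LAN device "
                                    "such as a printer; confirm against the device's own config")
    if ip.is_loopback:
        return Finding("O1", "verify", f"{hostname} sinkholed to {ip}; fine only if you added it")
    return Finding("O1", "verify", f"{hostname} -> {ip}: confirm this mapping is yours")


def triage_o23(name, publisher, path):
    """Rank a service entry; any fix must stop/disable it in services.msc first."""
    lowered = path.lower()
    if any(d in lowered for d in SUSPECT_DIRS):
        return Finding("O23", "high", f"service '{name}' runs from a temp/profile path: {path}")
    if publisher.lower() == "unknown owner":
        return Finding("O23", "high", f"service '{name}' has no publisher information: {path}")
    return Finding("O23", "verify", f"service '{name}' ({publisher}) at {path}: identify it, "
                                   "stop and disable it in services.msc before fixing the line")


def triage_log(text):
    """Parse the lines we understand and return findings in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O1_RE.match(line):
            findings.append(triage_o1(m.group(1), m.group(2)))
        elif m := O6_RE.match(line):
            findings.append(Finding("O6", "verify", f"{m.group(1)}: Internet Explorer policy "
                                                   "restrictions; fix unless an administrator set them"))
        elif m := O23_RE.match(line):
            findings.append(triage_o23(*m.groups()))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "verify": 1, "info": 2}
    for f in sorted(triage_log(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:>6}] {f.section}: {f.detail}")
```

The ranking is deliberately conservative: the link-local printer mapping comes out as "info" rather than "fix", which is exactly what the user later confirms by checking the printer's configuration, while a hosts entry that points an update or anti-virus domain anywhere at all is treated as hostile regardless of the address.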
 
Why not just get rid of viewpoint?

Go to Start > Run and copy/paste or type: taskmgr
  • Under the Processes tab find the following tasks or processes:
    ViewpointService.exe
    ViewMgr.exe
  • Highlight and click "End Process".
  • Exit Task Manager.
Click on Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab".
  • Scroll down the list and find the service called "Viewpoint Manager Service"
  • When you find the service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close any open windows.
Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder
 
Alright, I'll get started on those then. But first can I ask... does anyone even know what Viewpoint is, what it does, or what it installed with? Thanks for all the help.
 
This is my saved response

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect.

Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components:
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.



    How to prevent it from being recreated every time you run the AOL software:
    • Open AOL
    • Go to Help on the toolbar
    • Select About AOL
    • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.
 
Oh well, I don't think I need that then. It was apparently forced on me. I never installed it. And I don't really want the auto-update going on anyway. So I'll just delete it now, and return when I have followed all the instructions above, in a few minutes. Thanks!
 
Manually Deleted

momok said:
Apparently these bad files are still there:

C:\WINNT\system32\sssru.ini
C:\WINNT\system32\yxxyb.ini
C:\WINNT\system32\1E37.tmp
C:\Program Files\Viewpoint\Common\ViewpointService.exe

Also this entry in HJT looks pretty suspicious; I would fix it.
O1 - Hosts: 169.254.140.213 HP000D9D198CD5

I would fix these too.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

("Viewpoint Manager Service" needs to be disabled in services.msc first before fixing the O23 entry)

I doubt your svchost.exe problem is related to the above though. It is more likely due to a buggy update. Try updating your windows again.

Regards,
momok

Alright, the deletion process was a little more troublesome than the instructions; for instance, there was no Expand tab for services.msc, but maybe it's not used in W2k. The 2 processes would not die, so I used a program from RunScanner.net to kill them first. Then the Add/Remove window wouldn't show up no matter how many times I clicked it. After a reboot, Add/Remove finished the job. Of course only 1 of the 2 directories was there to manually delete. I suppose the other got wiped during uninstall. Viewpoint is now successfully deleted.

On other notes, I couldn't figure out how to get rid of those files, so I changed folder options to show all, and manually deleted the 2 suspect .ini files. I was able to find and remove the .tmp file path from memsweep2 in the registry (I just exported the whole section and deleted it manually in regedit). I believe it was from an old program that I uninstalled a long time ago. Oh, and the 1E37.tmp was not found at all as a file anywhere on the computer, including winnt\system32, so it was probably just in the registry. And then the Explorer Restrictions got fixed by HijackThis just fine. Finally, the IP address 169.x.x.x I verified is required for my HP 4-in-1 network printer to communicate with my computer, so unless you think it's dangerous beyond that, I left it for now. I did verify the HP printer's config to ensure that was accurate.

After that I took the KB numbers from the Microsoft updates that won't install (5 of them), and I manually downloaded each. I installed all 5. However, Windows Update still freezes when downloading at 0%, and even after half an hour, doesn't do anything. IE becomes frozen and must be killed via process manager every time. The automatic updates little globe keeps showing up on reboot by the clock, still holding the Outlook 2003 update. (However, I don't use Outlook.) So the updates problem remains.

NEW logs attached. Let's see if I got this right.
 
Hi,

Firstly, let me commend you on the great job. Well done. For the O1 entry I guess that's pretty safe since you've verified it.

I'd also like to verify the contents of these 2 folders and if you created them.
C:\Program Files\Unlocker
C:\Program Files\IrfanView

Apart from that, it seems your logs are pretty much clean. I'm not quite sure what could be the cause of your update problems; but it looks like a question destined for the Windows OS section of techspot.
 
Thank you.

momok said:
Hi,

Firstly, let me commend you on the great job. Well done. For the O1 entry I guess that's pretty safe since you've verified it.

I'd also like to verify the contents of these 2 folders and if you created them.
C:\Program Files\Unlocker
C:\Program Files\IrfanView

Apart from that, it seems your logs are pretty much clean. I'm not quite sure what could be the cause of your update problems; but it looks like a question destined for the Windows OS section of techspot.

Thank you, momok. You guys make it easy... just follow instructions. This is a great site. I'm glad I found it. Lots of talent and skill and generally friendly people.

Yes, the O1 is absolutely verified. And Unlocker I installed recently because it's free and one of the best programs to delete files that the system says are in use. (Can be dangerous if someone doesn't know what they are doing, but I've found it helpful.) I hadn't had it installed, but recently a version came out, and I added it, thinking it may come in handy during this cleaning process.

IrfanView is a photo viewer. It's not necessary for anyone. But my old version of ACDSee was getting so bloated, last week I wanted to try out the freeware alternative to it that had rave reviews online. I've used it in past years and it was marginal compared to ACDSee, but smaller. A new upgraded version came out, so I just added it recently to see if it really was better than before. It's fast with a small footprint, but lacks on features, so I may remove it and buy the new ACDSee. I'll have to check reviews first.

So those 2 are verified. And perhaps my blurbs above might serve as some use to someone who finds these in someone's logs in the future. Feel free to ask on any others as well. I try to be very aware of every process and listing in my Add/Remove Programs window. However, I still have lots to learn.

Thank you for helping with the cleaning process. It sounds like I need to jump over to the Windows OS with the Windows Update Issue.

But it's probably good to note that the proxy.php issue remains and stumps me. Anytime I try to download from a link that has proxy.php in it, it doesn't get the file but rather sends me back to the main homepage of that site. It does it with FF and IE both, so reinstalling both doesn't seem like the answer. I'm going to uninstall the Firefox add-on called Download Statusbar (which is the only thing that could be construed as a download manager), reboot, and test it again. If that doesn't work, I'll grab an old computer from the garage and connect it to the DSL to see if it's more like my IP address has been blacklisted by some site which ties into the proxy.php script used for such downloads. That ought to tell me a lot. If it's really just with this computer, then perhaps a Windows repair, or a wipe and reinstall, would fix it. But I sure don't look forward to all that, losing settings, reinstalling apps, etc. So those are my plans right now, unless someone else has something to suggest.
 
BD: This seems like a very strange problem. I suggest using Avenger to remove the bad files and then Deckard's scanner as a proxy for a fresh log.
 
New Info!

The issue of proxy.php related download links is FIXED!!

Apparently my Outpost Firewall had Referrers set to BLOCK, so I changed it to Allow and it all works now. So FF and IE are back in action. :)

Also my Add/Remove window freezing when I attempt to open it... I fixed that too by going to the Run command and doing: regsvr32 mshtml.dll, and it worked! So that is done.

Now if I could just figure out how to get .NET Framework 2.0 to install, and my Windows Update (automatic and web-based) to stop freezing and act normally... then I'd be all set! I guess those 2 issues can be handled at another forum. But if anyone wants to hear the details on either of these, I can easily type it out, and show error message screen captures.
 