Can't Remove Virus

Status
Not open for further replies.
Hi. My cousin lives in Russia and we talk almost every day online. Everything was fine on his computer until 1 week ago, when his roommate used the computer for 4 hours, without permission. Afterwards, the computer slowed to a crawl and my cousin was not able to open folders or programs.

We bypassed his startup programs in msconfig. We then ran Adaware and Spybot. Adaware found the usual cookies and Spybot came up only with that DOExploit (which I think is simply a misread in Spybot).

We ran Trend Micro Housecall and the first time, it found 10 viruses. It seemed to get it down to 2, but the computer was still not running well (very slow and closing windows).

We ran it again in safe mode, and it found only 3, and said it removed 2. The one that consistently came up and was not removed was "Chophar.a".

The other day, we ran Panda ActiveScan and also ran HJT. I am enclosing both logs in hopes that someone can help get this clean again. The reason why I am posting for my cousin is that his English is not great and he would never understand many of the fixes provided here.

Thank you.
 
Well well, nice roommate.

I'd suggest this approach: Download Process Explorer, then unplug the network cable from the computer if not done already.

With Process Explorer, kill these:

C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\inet20003\winlogon.exe
C:\WINDOWS\inet20003\mm.exe
C:\WINDOWS\System32\rsvp.exe

Don't kill the winlogon.exe made by Microsoft Corporation, with description "Windows NT Logon Application"!

Then fix these with HJT:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

F3 - REG:win.ini: run=C:\WINDOWS\inet20003\winlogon.exe

O2 - BHO: VPN-OEM Extension - {11D003B5-B3B5-4BCC-A974-71148786E968} - C:\WINDOWS\System32\msexchdr.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\winlogon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\winlogon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"

O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

O20 - AppInit_DLLs: C:\WINDOWS\System32\dbgwin.dll
O21 - SSODL: SysTray.Exiv - {2963ECFC-4E5C-2f3b-B334-D67434FC72E0} - (no file)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Then, edit c:\windows\system.ini and find the line that says this:

Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"

Delete the "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe" part (there are a lot of spaces before it, don't let that fool you).

Uninstall VNC from "Add & Remove Programs".

Add password to screensaver, change all passwords, disable unneeded users etc.
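The HijackThis entries listed in the reply above fall into a few recognisable patterns: a well-known system binary name (winlogon.exe) running from a folder it never lives in, executables dropped in the drive root, a populated AppInit_DLLs value, browser start pages pointed at a local HTML file, and orphaned entries whose file is already gone. The Python script below is an added example, not code from this thread or from HijackThis itself; it parses lines in HJT log format and applies those location heuristics to a constructed sample built from the lines quoted above (plus one made-up benign "ExampleUpdater" entry for contrast). The allow-list of expected folders and the heuristics are assumptions chosen for illustration, not a complete rule set.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis (HJT) log style. The entries are modelled on the
# lines quoted in this thread; the "ExampleUpdater" entry is a made-up benign one
# added for contrast and does not refer to any real product.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\winlogon.exe
O2 - BHO: VPN-OEM Extension - {11D003B5-B3B5-4BCC-A974-71148786E968} - C:\WINDOWS\System32\msexchdr.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\winlogon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\ExampleVendor\updater.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\dbgwin.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# "O4 - <rest>", "R0 - <rest>", "F3 - <rest>" ...
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A drive-letter path ending in .exe/.dll/.htm(l), followed by a quote, whitespace or end of line.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|html?))(?=$|["\s])', re.IGNORECASE)

# Where a few well-known Windows binaries are expected to live. Deliberately tiny
# allow-list for the example (assumption), not a complete one.
EXPECTED_HOME = {"winlogon.exe": "c:\\windows\\system32"}
STANDARD_WINDOWS_DIRS = {"c:\\windows\\system32", "c:\\windows\\system"}


@dataclass
class Finding:
    reason: str
    line: str


def split_path(path):
    """Return (folder, filename), both lower-cased, for a backslash path."""
    folder, _, name = path.rpartition("\\")
    return folder.lower(), name.lower()


def triage(log_text):
    """Apply location-based heuristics to each HJT line and return the findings."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding("orphaned entry: the referenced file is gone", line))
        pm = PATH_RE.search(body)
        if not pm:
            continue
        folder, name = split_path(pm.group(1))
        if section == "O20":
            findings.append(Finding("AppInit_DLLs populated: DLL loaded into every process that uses user32", line))
        if section in ("R0", "R1") and name.endswith((".htm", ".html")):
            findings.append(Finding("browser start/default page points at a local file", line))
        if name in EXPECTED_HOME and folder != EXPECTED_HOME[name]:
            findings.append(Finding(f"{name} outside its expected folder {EXPECTED_HOME[name]}", line))
        elif re.fullmatch(r"[a-z]:", folder) and name.endswith((".exe", ".dll")):
            findings.append(Finding("executable sitting in the drive root", line))
        elif folder.startswith("c:\\windows\\") and folder not in STANDARD_WINDOWS_DIRS:
            findings.append(Finding("file under a non-standard Windows subfolder", line))
    return findings


def flagged_lines(log_text):
    """Just the raw lines that triage() flagged, in log order, without duplicates."""
    seen, out = set(), []
    for f in triage(log_text):
        if f.line not in seen:
            seen.add(f.line)
            out.append(f.line)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}]\n    {f.line}")
```

Run as a script it prints each flagged line with its reason. Note what it does not catch: the `[Shell]` Run entry pointing at ibm00009.exe sits under Program Files, so no location rule fires on it. That is the usual limit of this kind of heuristic, and why a reviewer still reads the whole log instead of trusting any rule.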
 
Thank you for answering. We did the things you suggested, though when we tried to kill the RSVP process, it came right back.

We also could not find the msexchdr.dll line.

Also, in the system.ini, there was nothing like you had mentioned, but there was a line there for "load" that had the inet20003\winlogon.exe, so we deleted that.

We ran another Hijack log. How does this one look?

As an aside... my cousin was getting a message before we did your suggested fixes. When he was not connected to the internet, a browser window would open and give a message about needing to work offline. It has not come back since we did what you said. I am thinking maybe that was one of the trojan dialers trying to access the internet.


Thanks again-
ethan
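The system.ini Shell= edit from the earlier reply, together with the load= line found in this one, is a check that can be scripted: parse the [boot] and [windows] sections, tokenise each value so that a quoted path containing spaces stays one token, and report anything beyond explorer.exe on Shell= or anything at all on load= and run=. The Python script below is an added example and not code from this thread; the ini excerpts are constructed from the paths quoted in the thread, and the long run of spaces the earlier reply warns about is kept in the sample on purpose so the tokeniser has to cope with it. The set of expected values is an assumption for a clean Windows XP-era system.

```python
import re

# Constructed excerpts of system.ini and win.ini in the state this thread describes:
# Shell= carries a second executable after a long run of spaces, and load= points at
# the fake winlogon.exe. The paths are the ones quoted in the thread; other keys are filler.
SAMPLE_SYSTEM_INI = (
    "[boot]\n"
    "Shell=explorer.exe                                        "
    '"C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\ibm00009.exe"\n'
    "[drivers]\n"
    "wave=mmdrv.dll\n"
)
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=C:\\WINDOWS\\inet20003\\winlogon.exe\n"
    "run=\n"
)

# What these legacy boot keys should hold on a clean system (assumed for the example):
# Shell= is explorer.exe alone, load= and run= are empty. Matching is case-insensitive.
EXPECTED = {
    ("boot", "shell"): {"explorer.exe"},
    ("windows", "load"): set(),
    ("windows", "run"): set(),
}
# A quoted string (which may contain spaces) or a run of non-whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_ini(text):
    """Yield (section, key, value) triples; comments and blank lines are skipped."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section is not None:
            yield section, key.strip().lower(), value


def unexpected_tokens(value, expected):
    """Tokens in an ini value that are not in the expected set, with surrounding quotes removed."""
    return [t.strip('"') for t in TOKEN_RE.findall(value) if t.strip('"').lower() not in expected]


def check_boot_keys(*ini_texts):
    """Report every Shell=/load=/run= value that carries something it should not."""
    findings = []
    for text in ini_texts:
        for section, key, value in parse_ini(text):
            expected = EXPECTED.get((section, key))
            if expected is None:
                continue
            extras = unexpected_tokens(value, expected)
            if extras:
                findings.append((f"{section}/{key}", extras))
    return findings


def cleaned_value(value, expected):
    """The value with the unexpected tokens removed, i.e. what the line should be set back to."""
    return " ".join(t for t in TOKEN_RE.findall(value) if t.strip('"').lower() in expected)


if __name__ == "__main__":
    for where, extras in check_boot_keys(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI):
        print(f"{where}: unexpected {extras}")
```

On the sample this reports the ibm00009.exe path hanging off Shell= and the inet20003\winlogon.exe path on load=, and cleaned_value() gives back the plain `explorer.exe` that the earlier reply says the Shell= line should be reduced to. Tokenising on quotes rather than on spaces is what keeps a path under Program Files from being split into pieces.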
 
These need fixing:

O2 - BHO: VPN-OEM Extension - {11D003B5-B3B5-4BCC-A974-71148786E968} - C:\WINDOWS\System32\msuieng.dll
O21 - SSODL: XmLdrLocation - {0C887F38-5178-43DA-B9F0-B856141FCDA4} - C:\WINDOWS\System32\msuueng.dll

Delete those files after fixing & rebooting.
 
I also get this trojan: ibm00009.exe!!

I used Norton Antivirus 2005 and it can recognize this virus, but then, when Windows XP starts up, there's a warning requiring the ibm00009.exe file?? I attached it here. So, how can I deal with this problem, so that Windows won't display this warning again? Please help me, thanks!
 
Hello and welcome to Techspot.

nguyentheloi said:
I used Norton Antivirus 2005 and it can recognize this virus, but then, when Windows XP starts up, there's a warning requiring the ibm00009.exe file?? I attached it here. So, how can I deal with this problem, so that Windows won't display this warning again? Please help me, thanks!

Go and read this thread. Before posting your HijackThis log, please read this. Follow all the instructions exactly.

Then, open a new thread in the security and the web forum.

Post a fresh HJT log, only after doing the above.

Regards Howard :wave: :wave:
 
Before you delete xxx.dll files you need to unregister them first, as follows:

Click Start/Run and type in:
REGSVR32 /U Drive:\Path\FILE.DLL
(for example: REGSVR32 /U C:\Windows\pqymml.dll) and press Enter.
 