Computer Hope

Software => Computer viruses and spyware => Topic started by: Two-eyes on September 20, 2009, 09:42:02 AM

Title: How do I remove VVSN and/or WhenU ad-ware?
Post by: Two-eyes on September 20, 2009, 09:42:02 AM
Hi there,

I found this file while [idly] browsing through my program files.  I did a search about it, and it seems that it is some sort of adware.  I followed the steps mentioned in the post by evilfantasy, and now I'm here... attached are the log files requested.

I would like to point out that I scanned the file with AVG and prevX (they were options when I right-clicked the file), but no threat was detected.  I also scanned the computer with AVG, prevX, removeIt and spybot S&D, but none found it as a threat.  Also, I searched in prevX's log file for the directory (prog files\VVSN....), but I didn't even find it.

hope everything is in order,
Two-Eyes %

PS: I found this site saying how to remove the file (just now, AFTER, all the scans :(): would you suggest I follow its instructions...(I have NEVER seen SAVEInst.exe at work in the TaskManager...and I look at it a LOT of times) http://www.ehow.com/how_5167603_remove-saveinst-exe.html
PS2: There is no actual hurry, since the file doesn't seem to be doing damage... I just don't like the fact that I have adware on my PC...and all the stuff the scans found
PS3: On a particular thread, a poster (I believe it was BC_Programmer, but don't quote me) said that "if I see rundll32.exe running, I would start a scan, etc etc".  Would that imply that if rundll32.exe is running, there is a chance of malware?

Thanks again

EDIT: after the scans and deletes, the file still exists
also: inserted hyperlink to site

[attachment deleted by admin]
Title: Re: Program Files\VVSN\URL2\SAVEInst.exe - a virus?
Post by: Two-eyes on September 20, 2009, 10:04:31 AM
Might I also add:
I tried the "Self help" part of the sticky topic by evilfantasy, and found out that there is vvsn.exe running, but it's not in the Task Manager (so it's hidden).  Just a piece of help, for you not to have to do the same thing...which I bet you will :P

Thanks for yer help

EDIT: here's the HijackThis log after using CH's tool: http://www.computerhope.com/cgi-bin/process.pl?o=2085359

[21-sept-09] just an update:
I installed and ran Ad Aware: it removed a few cookies and quarantined "Win32HacktoolWinSpy"
Also, I have Spybot S&D.  Browsing through it I found this:
Under tools>system start up
Key: HK_LM: Run(current system)
Value: VVSN
Command Line: c:\program files\VVSN\VVSN.exe

Now, I looked for that file and didn't find it, not even with search with the option to look in hidden folder and files on.
CH's HijackThis tool also points this process out.
in S&D, it is highlighted in red, which means "malicious program" [from the help file :)]

I haven't done anything else...as far as I remember.
[I thought it's better to give you a fuller picture...thanks]
Title: Re: How do I remove VVSN and/or WhenU ad-ware?
Post by: CBMatt on September 22, 2009, 05:36:00 PM
Quote
Would that imply that if rundll32.exe is running, there is a chance of malware?

No, rundll32.exe is required for your computer to run properly.  He must have meant something else by his comment.



This infection of yours isn't particularly harmful; people just don't normally want it on their computer.  If you would like to get rid of it, you can open HijackThis and run a scan.  Place a checkmark next to this entry:

O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

Close all other windows and click on Fix Checked.  Now, open up your Add/Remove Programs and uninstall the following (if they exist):

VVSN
WhenU


If it still exists, then delete this folder: C:\Program Files\VVSN



If that doesn't get rid of it, I have other steps you can try.  This should get rid of it, though, if it isn't gone already.
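
The check discussed in the posts above (a Run value named VVSN whose target file could not be found on disk) can be done for every autostart entry at once. This PowerShell script is an added example, not part of the original thread or any tool named in it; the helper name `Get-CommandTarget` and the list of file extensions are assumptions made for illustration.

```powershell
# Added example (not from the thread): list Run-key autostart values and
# flag any whose target file is missing or carries the Hidden attribute.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the executable path out of a Run command line.
function Get-CommandTarget {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    # Quoted path: "C:\Program Files\App\app.exe" /arg
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: cut at the first executable extension
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }   # key absent on this system
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        if (-not $command) { continue }             # empty value, nothing to check
        $target = Get-CommandTarget $command
        # Bare names such as rundll32.exe are resolved through PATH
        if (-not [IO.Path]::IsPathRooted($target)) {
            $found = Get-Command $target -CommandType Application -ErrorAction SilentlyContinue |
                     Select-Object -First 1
            if ($found) { $target = $found.Path }
        }
        $status = 'OK'
        if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
            $status = 'MISSING'
        } elseif ((Get-Item -LiteralPath $target -Force).Attributes -band [IO.FileAttributes]::Hidden) {
            $status = 'HIDDEN'
        }
        [pscustomobject]@{ Key = $key; Name = $name; Target = $target; Status = $status }
    }
}

# MISSING and HIDDEN entries are the ones to look at first
$report | Sort-Object Status, Name | Format-Table -AutoSize -Wrap
```

A MISSING result only means the file is not visible to this session; it does not by itself show whether the file was deleted or is being concealed.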
Title: Re: How do I remove VVSN and/or WhenU ad-ware?
Post by: Two-eyes on September 23, 2009, 04:05:38 AM
OK...first of all, thanks for your reply.

Now,
There were no WhenU or VVSN entries in Add/Remove Programs.
I fixed the registry entry, and restarted.  I re-ran HijackThis and found the entry still there, so I deleted program files\VVSN, and restarted.  When I clicked on my profile (there are two profiles), a blue screen flashed, and the computer restarted (by itself).  When I clicked on my profile again, everything went well except that a window saying that "An error occurred" appeared, with the option to send a report to Microsoft or to ignore it.  (I sent the report.)  These are the files it sent:
Quote
C:\DOCUME~1\Steven\LOCALS~1\Temp\WER2f76.dir00\Mini092309-01.dmp
C:\DOCUME~1\Steven\LOCALS~1\Temp\WER2f76.dir00\sysdata.xml

This is the "Error Report": http://wer.microsoft.com/responses/Response.aspx/10/en-US/5.1.2600.2.00010100.3.0?SGD=945d630a-8f2a-4062-bfcb-5232729c4a0a

I scanned with HJT again and the VVSN entry was still there.  Then, I noticed that there was a button called "info on selected item", and it showed, among other things, that "Action taken: Registry value deleted".

Hope I didn't do something bad...

thanks again,
Two-Eyes %
Title: Re: How do I remove VVSN and/or WhenU ad-ware?
Post by: CBMatt on September 23, 2009, 04:36:54 PM
Sounds quite stubborn.  It's good to be persistent, but try to not stray too far from instructions because HijackThis can damage your computer's registry if not used properly.  You should be fine, but it's always best to be careful.  Go ahead and follow this next set of steps; it should give me a better idea of what's going on...

Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
Title: Re: How do I remove VVSN and/or WhenU ad-ware?
Post by: Two-eyes on September 24, 2009, 05:27:20 AM
Hi.

Attached are the logs you asked for.  Hope everything is ok.

Two-Eyes %

PS:
1) Also, an Internet Explorer icon appeared on my desktop (I'm not sure if it happened after installing ComboFix or after it scanned my PC).  It won't be a problem to remove it, will it? UPDATE: ComboFix changed the default browser to IE (I prefer Chrome), I think that's why...

2) the original HJT mentions that I have multiple AVs.  In fact, this laptop has seen 4 AVs: Panda, Norton, McAfee, and I currently have AVG.  I believe that the previous three were uninstalled (this laptop was my sister's so I'm not sure about what she did), but there are still references to them in C:\Program Files, and Panda has "C:\Panda".  Would simply deleting these files remove them, or do I need to do something else?  They do not appear in Add/Remove programs.

These are the files (hope this isn't too much trouble):
Quote
PANDA:
C:\PANDA\PANDA
C:\PANDA\PANDA\cop.cmd
C:\PANDA\PANDA\Panda.exe
C:\PANDA\PANDA\Panda.lnk

NORTON:
C:\norton\BLAD3M4STER.NFO
C:\norton\WAREZ-XYZ.nfo

MCAFEE:
-C:\Program Files\McAfee
C:\Program Files\McAfee\VirusScan Wireless
C:\Program Files\McAfee\VirusScan Wireless\Logs
C:\Program Files\McAfee\VirusScan Wireless\Logs\McEPOC.exe
C:\Program Files\McAfee\VirusScan Wireless\Logs\McWCE.exe

-C:\Program Files\McAfee virusscan professional edition 7.00 retail
C:\Program Files\McAfee virusscan professional edition 7.00 retail\Contact.Txt
C:\Program Files\McAfee virusscan professional edition 7.00 retail\extra.cab
C:\Program Files\McAfee virusscan professional edition 7.00 retail\instmsia.exe
C:\Program Files\McAfee virusscan professional edition 7.00 retail\instmsiw.exe
C:\Program Files\McAfee virusscan professional edition 7.00 retail\LICENSE.PDF
C:\Program Files\McAfee virusscan professional edition 7.00 retail\LICENSE.TXT
C:\Program Files\McAfee virusscan professional edition 7.00 retail\MFW
C:\Program Files\McAfee virusscan professional edition 7.00 retail\Naifiltr.cat
C:\Program Files\McAfee virusscan professional edition 7.00 retail\NaiFiltr.inf
C:\Program Files\McAfee virusscan professional edition 7.00 retail\Readme.txt
C:\Program Files\McAfee virusscan professional edition 7.00 retail\setup.exe
C:\Program Files\McAfee virusscan professional edition 7.00 retail\setup.ini
C:\Program Files\McAfee virusscan professional edition 7.00 retail\VSP.msi
C:\Program Files\McAfee virusscan professional edition 7.00 retail\VSP.pdf
C:\Program Files\McAfee virusscan professional edition 7.00 retail\WINXP
C:\Program Files\McAfee virusscan professional edition 7.00 retail\MFW\Contact.Txt
C:\Program Files\McAfee virusscan professional edition 7.00 retail\MFW\extra.cab
C:\Program Files\McAfee virusscan professional edition 7.00 retail\MFW\instmsia.exe
C:\Program Files\McAfee virusscan professional edition 7.00 retail\MFW\instmsiw.exe
C:\Program Files\McAfee virusscan professional edition 7.00 retail\MFW\LICENSE.PDF
C:\Program Files\McAfee virusscan professional edition 7.00 retail\MFW\LICENSE.TXT
C:\Program Files\McAfee virusscan professional edition 7.00 retail\MFW\MFW.msi
C:\Program Files\McAfee virusscan professional edition 7.00 retail\MFW\MFW.pdf
C:\Program Files\McAfee virusscan professional edition 7.00 retail\MFW\Readme.txt
C:\Program Files\McAfee virusscan professional edition 7.00 retail\MFW\setup.exe
C:\Program Files\McAfee virusscan professional edition 7.00 retail\MFW\setup.ini
C:\Program Files\McAfee virusscan professional edition 7.00 retail\WINXP\NaiFiltr.sys

[attachment deleted by admin]
Title: Re: How do I remove VVSN and/or WhenU ad-ware?
Post by: CBMatt on September 24, 2009, 09:34:47 PM
Not too much trouble at all.  This may actually end up being one of the easier infections this week.  I hope.  Ha ha.  Okay...first, it appears that VVSN is no longer adding itself to your startup, which is a very good sign.  That doesn't mean it is gone, however, so go ahead and follow these steps:

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Folder::
c:\program files\VVSN

File::
c:\program files\VVSN\VVSN.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"VVSN"=-

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply, along with a new HijackThis log.

Note: Do not click ComboFix's window while it is running. That may cause your system to freeze



That will hopefully get rid of any trace of this infection.  Now, as for those other anti-virus programs...as you guessed, they are most likely just leftovers.  Thankfully, there is a very simple way to deal with this.  Download these three programs:
Panda Security Uninstaller: http://www.pandasecurity.com/resources/sop/UNINSTALLER_09.exe
McAfee Consumer Products Remover: http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
Norton Removal Tool: ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe  (will remove ALL Norton products, so save your product keys if you have other programs by them)

All you have to do is start each program.  Once one has completed, move on to the next.  This will likely require you to restart the computer several times.  But it should remove all files and registry keys related to these programs.  After you have done this, you can then delete the three removal tools.
Title: Re: How do I remove VVSN and/or WhenU ad-ware?
Post by: Two-eyes on September 25, 2009, 04:28:14 AM
Dear Chris,

Please find logs attached.  Also, thanks for the links :).

Awaiting your next reply [and hoping it's an all clear ;)]

Two-Eyes %

[attachment deleted by admin]
Title: Re: How do I remove VVSN and/or WhenU ad-ware?
Post by: CBMatt on September 25, 2009, 05:25:10 AM
Looks good!  Your logs are clean and that infection should be gone for good now.  All you need to do now is get a good firewall on that computer and you'll be set.  You're vulnerable without one, so you should look into getting either ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=dbtopnav_za), Kerio Personal Firewall (http://www.sunbelt-software.com/Kerio.cfm), or Comodo (http://www.personalfirewall.comodo.com).  They're all good free firewalls.  Just be sure you only have one installed at a time!  Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.

Also, I would suggest clearing out the System Restore files.  This is to prevent anyone from accidentally loading a backed up version of the infection.  Simply follow these steps...

1.  Go to Start > Programs > Accessories > System Tools > System Restore
2.  Click on System Restore Settings.
3.  Check Turn off System Restore and click OK.
4.  Restart your computer.
5.  Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
6.  Create a new restore point and close the program.

System Restore will now be active again.  If you would like to learn more about System Restore, go here (http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx).
Title: Re: How do I remove VVSN and/or WhenU ad-ware?
Post by: Two-eyes on September 25, 2009, 08:25:31 AM
Super, thanks :D.

One more thing... how do I remove HJT and ComboFix?  I believe I can simply delete HJT, but CF??

Thanks again
Two-Eyes %
Title: Re: How do I remove VVSN and/or WhenU ad-ware?
Post by: CBMatt on September 25, 2009, 04:11:03 PM
To remove HijackThis, you can simply uninstall it from Add/Remove Programs.  To remove ComboFix, go to Start > Run, type in combofix /u (note the space between "combofix" and "/u"), and click OK.  It will uninstall itself for you.  Sorry, I left that out of my previous post.