
Thread: What has infected my .exe files..???


  1. #1
    Join Date
    Jan 2008
    Posts
    9

    What has infected my .exe files..???

    G'day everyone,

    I have gone and done something silly: I downloaded a keygen or crack for a particular software program that I shouldn't have, and it wasn't a keygen!

    However, I clicked on it and it completely shut down the PC and restarted; not a good sign, I know.

    Since then, the AVG antivirus program has detected that some of my startup programs are infected and has put them into the virus vault.

    I have attached my HijackThis log if anyone can help.

    What can I do to regain the access of these hijacked .exe's, if anything?

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    There is no attached log. Please go here and follow all steps and then post back in this thread with all requested logs.

  3. #3
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by ALL THUMBS View Post

    What can I do to regain the access of these hijacked .exe's, if anything?
    It sounds like you have one of the latest Vundo variants. In addition to the scans that Judy requested, I suggest you also go ahead and download RenV.exe to your Desktop and run it from the Desktop.

    http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

    It ought to produce a log - please include that for Judy along with the others.

    Best Luck
    PP

  4. #4
    Join Date
    Jan 2008
    Posts
    9


    Thank you for your guidance in trying to repair my computer, it has been somewhat helpful.

    I have followed your steps to the letter and have found that the programs that started up before still haven't started up after the clean-up.

    I have also downloaded Phillie's suggestion and produced a log file; however, it only shows three line items, as mentioned below.

    Code:
    Ran on Tue 01/22/2008 -  1:25:14.31
    I did download the Vundo removal tool and ran it; perhaps that's why it only shows what is mentioned above.

    AFT did its job by removing all temp files.

    Spybot had a problem while in Safe Mode: when it came to fixing the problems, it showed that it was not responding during the fixing process.

    Before I posted this thread, AVG Antivirus detected 12-15 .exe files that I knew were safe, but it still put them into the vault. From there I had AVG delete them; should I have done that? If not, do I need to reinstall the programs that were listed?

    From time to time a popup shows, asking whether I want to try to reconnect to the internet ("Click on Try Again to reconnect"). I am assuming that it's still in here somewhere.

    I hope that I have given enough info to help you help me.

    hijackthis log file from ALL Thumbs.txt

    Kaspersky Scan of ALL Thumbs PC.txt

    Report-Scan-20080122-002139 of ALL Thumbs.txt

  5. #5
    Join Date
    Jan 2008
    Posts
    9


    hijackthis log file from ALL Thumbs.txt

    Kaspersky Scan of ALL Thumbs PC.txt

    Report-Scan-20080122-002139 of ALL Thumbs.txt



    Regards
    Vince

  6. #6
    Join Date
    Aug 2006
    Posts
    578


    Hi Vince,
    It looks like Judy will be away for the week, so I'll try to keep an eye on your thread as best I can.

    Quote Originally Posted by ALL THUMBS View Post
    I have followed your steps to the letter and have found that the programs that started up before still haven't started up after the clean-up.
    I have also downloaded Phillie's suggestion and produced a log file; however, it only shows three line items, as mentioned below.
    Looks like some of the infected .exes were removed and therefore not detected by RenV. Can you tell me what they were?

    Quote Originally Posted by ALL THUMBS View Post
    I did download the Vundo removal tool and ran it; perhaps that's why it only shows what is mentioned above.
    Which Vundo tool? Atribune's VundoFix? I still see Vundo in the HJT Log...

    Quote Originally Posted by ALL THUMBS View Post
    Spybot had a problem while in Safe Mode: when it came to fixing the problems, it showed that it was not responding during the fixing process.
    Actually, I'd like you to disable the "Tea Timer" as it just gets in the way of fixes. Or, just disable Spybot for the time being.

    Quote Originally Posted by ALL THUMBS View Post
    Before I posted this thread, AVG Antivirus detected 12-15 .exe files that I knew were safe, but it still put them into the vault. From there I had AVG delete them; should I have done that? If not, do I need to reinstall the programs that were listed?
    Do you still have the log from AVG AV when those deletions were made? I'd like to see it.
    -- You'll need to reinstall any damaged programs. Might be best to wait until after we finish, though.


    Let's go ahead and do this:

    -- Look in Add/Remove programs and remove any old Java versions and then reinstall latest version.
    http://www.java.com/en/

    • Download combofix.exe by sUBs to the infected computer's Desktop.
    • Alternate Download
    • (If you already have a previous version, delete it and download a new version).
    • Double click combofix.exe & follow the prompts.
      Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.


    When it finishes, it ought to
    • Produce a log for you. ( C:\Combofix.txt)
    • Restore your Internet connection.


    IMPORTANT:
    • Do not use your computer while Combofix is running.
    • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
      If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.


    Please post the log for me and we'll go from there.

    I will try to check back as time permits - I don't work with malware too often these days due to other commitments.

    Cheers
    PP
    Last edited by PhilliePhan; 01-21-2008 at 03:24 PM.

  7. #7
    Join Date
    Jan 2008
    Posts
    9

    On the way to a speedy recovery

    Hi there PP,

    I downloaded ComboFix and ran it on my infected PC. I am somewhat comfortable that the PC is now healed and on the way to a speedy recovery.

    I have attached the log files that you requested so that you can make your judgement of whether it is clean or not.

    I am aware that you can't assure me that my system is infection free, but if you are able to tell me that ComboFix has targeted the files that it needed to find, I will feel more comfortable with the system.


    Not that it matters, but when I went looking for the Combofix.txt log file, it didn't appear in the location that you mentioned in the instructions and that the program mentioned; instead I found it in: C:\ComboFix\ComboFix.txt

    Thanks in advance for your help in healing the system.

  8. #8
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by ALL THUMBS View Post
    I am aware that you can't assure me that my system is infection free, but if you are able to tell me that ComboFix has targeted the files that it needed to find, I will feel more comfortable with the system.

    Thanks in advance for your help in healing the system.
    Happy to try to help

    Looks like you did have a Vundo infection, and the newest Vundo is particularly insidious as it injects code into legitimate programs. I would venture a guess that that is likely what your AV caught and deleted. However, the whole thing looks too "clean" to me, if that makes any sense... So, I can't be certain.


    Anyhoo, let's clean up what shows in the logs:


    -- Please delete your copy of ComboFix and download a fresh one to your Desktop
    -- Download the attached file CFScript.txt to your Desktop as well
    -- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe



    -- Let Combofix run as before and post me that log along with a fresh HJT Log.


    * Additionally, please upload C:\WINDOWS\vchost.exe here --> http://virusscan.jotti.org/ and have it scanned to see if it is infected. Please let me know what you find.
    Note the spelling carefully - it is not to be confused with svchost.exe, though you won't find a legitimate svchost.exe outside the system32 folder.


    And... we'll see what remains to be done.
    PP
    Last edited by PhilliePhan; 02-04-2008 at 06:39 PM. Reason: Removed used CFScript

  9. #9
    Join Date
    Jan 2008
    Posts
    9
    Hi PP,

    I have downloaded a fresh copy of ComboFix and ran it from my Desktop with the steps you provided.

    After ComboFix showed that it had completed, I had to manually restart the PC because I think it froze; it took some time (15 mins) to show that it completed.

    I did search for the file vchost.exe but only found a vchost that showed it was related to an mp3 file. Is that the file I need to upload to the website above?

    Attached, please find another log from AVG, which I reinstalled and updated. It did show up trojans also and has placed them into the Vault.

    Also find attached a log file from HJT and ComboFix.

    You were right, it sounds too clean to be true!!

    Vince

  10. #10
    Join Date
    Aug 2006
    Posts
    578


    Hi Vince,

    We're making a bit of progress.


    Quote Originally Posted by ALL THUMBS View Post
    I did search for the file vchost.exe but only found a vchost that showed it was related to an mp3 file. Is that the file I need to upload to the website above?
    It will be at this location as shown in the log:

    C:\WINDOWS\vchost.exe

    At this point, I do not know what it is, good or bad. You ought to be able to navigate to it with the Browse box at the top of the Jotti page. You should also be able to locate it in the Windows Folder manually.
    You might need to Enable the Viewing of Hidden Files to see it.

    I would definitely like to get that scanned....

    Quote Originally Posted by ALL THUMBS View Post
    Attached, please find another log from AVG, which I reinstalled and updated. It did show up trojans also and has placed them into the Vault.
    Most of those are backups and you can delete them safely:
    -- C:\QooBox\Quarantine

    -- Run HijackThis and, on the Quickstart GUI, select View the list of backups and then delete those malware backups that show in the AVG log. These are just Registry keys belonging to what we would hope are deleted malware files.

    -- You do need to DELETE this one manually:
    C:\WINDOWS\system32\winpdc32.dll
    You may need to do this in Safe Mode and with Viewing of Hidden Files Enabled.
    Let me know how that shakes out.


    ALSO:
    Please scan with HijackThis and Check the Boxes for the following, if they remain:

    O2 - BHO: (no name) - {A1D6ACF0-0874-47EC-BA66-E3A93C27979D} - (no file)
    O2 - BHO: (no name) - {D7FD6C15-4927-4AAE-BF12-FBDABD287EB1} - (no file)

    O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
    O20 - Winlogon Notify: nnnmmkj - C:\WINDOWS\

    Be sure All Browser Windows are Closed and then Click Fix Checked.
    **You'll probably need to turn off SpybotSD's Tea Timer to allow the above changes.

    Also, I would suggest removing AdwareAlert, as there are better options to be found - including those that you already have onboard (Spyware Doctor, Windows Defender, Spybot)


    Then, please do the AVG AntiSpy and Kaspersky Online scan steps in the Read Me First Sticky that Judy linked earlier and post those logs for me.

    Cheers
    PP
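    The O2 and O20 entries PP asks to have fixed above are the kind of thing a small log checker can pick out automatically. The Python below is an added example, not HijackThis's own parser nor anything from this thread's attachments; the regexes, the assumption that Winlogon Notify DLLs normally live under System32, and the two benign sample lines are constructed for illustration.

```python
import re

# Constructed sample: the O2/O20 lines quoted in the thread plus two made-up benign entries.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A1D6ACF0-0874-47EC-BA66-E3A93C27979D} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: nnnmmkj - C:\WINDOWS\
O20 - Winlogon Notify: Example - %SystemRoot%\System32\example.dll
"""

# Hypothetical patterns for two HijackThis sections; not HijackThis's own code.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")


def parse_line(line):
    """Parse one O2 or O20 log line into a dict; any other section returns None."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return {"section": "O2", "name": m["name"], "clsid": m["clsid"], "path": m["path"].strip()}
    m = O20_RE.match(line)
    if m:
        return {"section": "O20", "key": m["key"], "path": m["path"].strip()}
    return None


def flag_reason(entry):
    """Why a reviewer would look twice at an entry, or None if it looks routine."""
    path = entry["path"]
    if entry["section"] == "O2":
        # A BHO whose DLL is gone is a leftover registration, safe to fix in HJT.
        return "orphaned BHO %s (no file)" % entry["clsid"] if path == "(no file)" else None
    if path.endswith("(file missing)"):
        return "Winlogon Notify '%s' points at a missing DLL" % entry["key"]
    # Assumption: Winlogon Notify DLLs normally live under System32; a bare folder
    # or another location (like the nnnmmkj entry) deserves a closer look.
    normalised = path.lower().replace("%systemroot%", "c:\\windows")
    if not normalised.startswith("c:\\windows\\system32\\"):
        return "Winlogon Notify '%s' loads from outside System32: %s" % (entry["key"], path)
    return None


def review(log_text):
    """Return [(line, reason)] for every O2/O20 entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        reason = flag_reason(entry) if entry else None
        if reason:
            findings.append((line.strip(), reason))
    return findings
```

    Running `review(SAMPLE_LOG)` flags the three entries PP lists and leaves the two benign lines alone.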
