what is this virus VBS:Malware [Script] ??? ???
It is malware written in Visual Basic.
If you need help removing it, please post a HijackThis log here. (http://www.merijn.org/files/hijackthis.zip)
–lee
OK… I have it too. Avast finds it each time and suggests I send it to the chest. I then get a message that an error has occurred (“Sharing violation has occurred”). And the file doesn’t make it into the Virus chest
When Avast attempts to delete or repair it, I get the same pop-up window that says “An error has occurred in the processing of 1 result(s).”
Is there a problem with the Avast software or is it the Malware script making me crazy?
Is there a way to nuke this thing (and how much damage will it do before I’m able to nuke it)?
Thanks!
k.
What is the reported location of the script?
…/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/***/exploit.htm
the “***” in the actual address is a list of characters that reads like a cat is stepping on the keyboard.
I’ve cleaned out all Temp and Temp. Internet files but after doing another standard avast says it found it again (with the same results I described in my earlier post). However I did boot scan and it came up with nothing.
As if I wasn’t confused enough before…
Thanks!
If it’s in Temporary Internet Files, you can safely delete it (i.e. let avast! delete it). Does it help?
No. As I said in the prior post:
"I’ve cleaned out all Temp and Temp. Internet files but after doing another standard avast says it found it again (with the same results I described in my earlier post). "
That’s why I’m confused.
Thanks,
k.
As I asked above, please post a HijackThis log here.
–lee
Sorry lee,
I don’t have HiJackThis… I tried to install it once before and ran into problems. Ultimately, got it installed but never got it working correctly.
It was a while back… and I don’t remember what the specifics problems were, just that I finally gave up after several attempts.
I’m willing to give it another try - I’m running Win2000 Professional - any idea if there’s a trick to getting to work right on this operating system?
Thanks,
k.
Hi,
Hijackthis works just fine on my Win2000Prof
get it from e.g. here:
http://tomcoyote.org/hjt
it doesn’t have to be installed, just unpacked
try using the internal updater (config/misc/updater…) to see if this is the newest version
or:
reboot to Safe Mode (F8 at boot), make sure all programs and browser windows are closed, then go to Control Panel → Internet Options → Delete Files → checkmark Offline files → OK → OK
if necessary, repeat this for all users
and set better security in your browser: look in the link “VirusRemoval” below in my sig
Ok… here’s the logfile… I’ll have to post it in a couple of posts because of the length.
Logfile of HijackThis v1.99.1
Scan saved at 7:28:08 PM, on 3/9/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\WINNT\System32\CTHELPER.EXE
C:\WINNT\system32\wrasikb.exe
C:\WINNT\ymlo.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\packager.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
C:\PROGRA~1\HEWLET~1\HPPSC7~1\bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\HPOSTS07.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
Logfile cont’d:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netsync.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: US Class - {1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - C:\WINNT\mscore.dll
N1 - Netscape 4: user_pref(“browser.startup.homepage”, “http://www.userfriendly.org”); (C:\Program Files\Netscape\Users\kate\prefs.js)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - (no file)
O2 - BHO: (no name) - {} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM..\Run: [IntelliType] “C:\Program Files\Microsoft Hardware\Keyboard\type32.exe”
O4 - HKLM..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM..\Run: [Mediafour Mac Volume Notifications] “C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE” /auto
O4 - HKLM..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM..\Run: [Jet Detection] “C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe”
O4 - HKLM..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\system32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM..\Run: [klilewhmhdf] C:\WINNT\system32\wrasikb.exe
O4 - HKLM..\Run: [Jawa32] C:\WINNT\jawa32.exe
O4 - HKLM..\Run: [Lvbqo] C:\WINNT\ymlo.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Jawa322] C:\WINNT\jawa32.exe
O4 - HKLM..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM..\Run: [farmmext] C:\WINNT\farmmext.exe
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Getting Started with MacDrive 5.lnk = C:\Program Files\Mediafour\MacDrive5\1033\MDGSTART.EXE
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp psc 700 series\bin\hpodev07.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://webmail.dftel.com:8181/iNotes6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/files/install/AncestryFamilyTree.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/3rdPartyContent/dnastudios/harrypotter/wtinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip..{FDCBB782-A1EC-4ECF-BC02-ED9BF3092EF0}: Domain = netsync.net
O17 - HKLM\System\CCS\Services\Tcpip..{FDCBB782-A1EC-4ECF-BC02-ED9BF3092EF0}: NameServer = 206.231.8.2,206.231.8.3
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
I don’t want to jinx anything… but I think it’s gone!!! ;D
After cleaning out some junk that HijackThis found and running the online tool from Trend, things seem to be ok.
Thanks for everything.
k.
Hi
THESE ITEMS ARE EITHER HARMFUL OR A SECURITY RISK
WE STRONGLY RECOMMEND FIXING THEM:
r1 - hkcu\software\microsoft\windows\currentversion\internet settings
proxyoverride = localhost
r3 - URLSearchHook: US Class - {1FFED2CB-FC98-49f8-B3D0-678D03350F1E} - C:\WINNT\mscore.dll
o2 - bho: (no name) - software - (no file)
o2 - bho: (no name) - {22b9a67d-e689-44b6-b775-0e8fe84b4f9b} - (no file)
o2 - bho: (no name) - {} - (no file)
o2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
o2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
o3 - toolbar: (no name) - {2cde1a7d-a478-4291-bf31-e1b4c16f92eb} - (no file)
o4 - HKLM..\Run: [Jawa32] C:\WINNT\jawa32.exe
o4 - HKLM..\Run: [klilewhmhdf] C:\WINNT\system32\wrasikb.exe
o4 - HKLM..\Run: [Lvbqo] C:\WINNT\ymlo.exe
o4 - HKLM..\Run: [Jawa322] C:\WINNT\jawa32.exe
o4 - HKLM..\Run: [farmmext] C:\WINNT\farmmext.exe
o4 - hklm..\run: [stcinstaller] c:\installer\id53.exe
o4 - hklm..\run: [win server updt] c:\winnt\wupdt.exe
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\winnt\web\related.htm
o9 - extra ‘tools’ menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\winnt\web\related.htm
o16 - dpf: {084f552d-19eb-4668-9788-984cbc781a8f} (asyncdownloader class) - http://survey.otxresearch.com/preloader.dll
o16 - dpf: {11260943-421b-11d0-8eac-0000c07d88cf} (ipix activex control) - http://www.ipix.com/viewers/ipixx.cab
o16 - dpf: {1239cc52-59ef-4dfa-8c61-90ffa846df7e} (musicnotes viewer) - http://www.musicnotes.com/download/mnviewer.cab
o16 - dpf: {3bffe033-bf43-11d5-a271-00a024a51325} (inotes6 class) - http://webmail.dftel.com:8181/inotes6.cab
o16 - dpf: {41f17733-b041-4099-a042-b518bb6a408c} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/quicktimeinstaller.exe
o16 - dpf: {51045741-8c4e-4eac-8f03-08e43a6fbb29} - http://aft.ancestry.com/aftfiles/files/install/ancestryfamilytree.cab
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
o16 - dpf: {90c9629e-cd32-11d3-bbfb-00105a1f0d68} (installshield international setup player) - http://www.napster.com/client/isetup.cab
o16 - dpf: {ab29a544-d6b4-4e36-a1f8-d3e34fc7b00a} (wthoster class) - http://www.wildtangent.com/install/wdriver/3rdpartycontent/dnastudios/harrypotter/wtinst.cab
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOT TIME FOR THE SYSTEM TO WORK PROPERLY:
o4 - hklm..\run: [windvdpatch] cthelper.exe
o4 - hkcu..\run: [msnmsgr] “c:\program files\msn messenger\msnmsgr.exe” /background
Then go to Task Manager (Ctrl + Alt + Delete) and kill these processes:
wrasikb.exe
ymlo.exe
Then delete these files (if still there):
C:\WINNT\system32\wrasikb.exe
C:\WINNT\ymlo.exe
c:\installer\id53.exe
C:\WINNT\jawa32.exe
C:\WINNT\ymlo.exe
C:\WINNT\wupdt.exe
C:\WINNT\farmmext.exe
C:\WINNT\mscore.dll
C:\WINNT\ceres.dll
C:\WINNT\systb.dll
Then download, update and run Spybot, Ad-Aware and Spywareblaster from here: http://members.home.nl/edeijl/ache/cleaning.htm
Then download and run CCleaner to get rid of all your Temp files: http://www.filehippo.com/download_ccleaner.html
Then reboot your machine, redo your HijackThis log and repost it so we can confirm your system is clean.
–lee
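Added example, not part of this thread or of HijackThis itself: a small Python triage script that applies the same kinds of checks lee made by hand on the log above (orphaned BHO/toolbar entries, Run keys with gibberish names or binaries dropped straight into C:\WINNT or a made-up top-level folder, and a "svchost.exe" service image living outside system32). The vowel-ratio and path-depth thresholds are my own heuristics, so every hit is a candidate for a human to confirm, not a verdict.

```python
import re

# Constructed sample: a subset of the HijackThis v1.99.1 log posted in this thread,
# with a few known-good lines kept so the heuristics have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {} - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINNT\ceres.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [klilewhmhdf] C:\WINNT\system32\wrasikb.exe
O4 - HKLM\..\Run: [Lvbqo] C:\WINNT\ymlo.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# First drive-letter path on a line, quoted or not, ending in a loadable extension.
PATH_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:exe|dll|ocx|com|scr))"?', re.I)
O4_RE = re.compile(r"^O4 - .*?\[([^\]]+)\] (.+)$")

def vowel_poor(name: str) -> bool:
    # Heuristic: Run-key names such as 'klilewhmhdf' or 'Lvbqo' carry few vowels for their length.
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 5 and sum(c in "aeiou" for c in letters) / len(letters) <= 0.2

def shallow_path(path: str) -> bool:
    # Heuristic: drive, exactly one folder, file; i.e. the Windows root or a made-up top-level folder.
    return len(path.split("\\")) == 3

def triage(log: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for entries a human should confirm before fixing."""
    findings = []
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        tag = line.split(" ", 1)[0]
        path = PATH_RE.search(line)
        if tag in ("R3", "O2", "O3"):
            if "(no file)" in line or "- {} -" in line:
                findings.append(("orphaned browser hook", line))
            elif path and shallow_path(path.group(1)):
                findings.append(("browser hook loaded from a top-level folder", line))
        elif tag == "O4" and (m := O4_RE.match(line)):
            if vowel_poor(m.group(1)) or (path and shallow_path(path.group(1))):
                findings.append(("suspicious autorun", line))
        elif tag == "O23" and path:
            image = path.group(1).lower()
            # The real svchost.exe lives in system32; a copy elsewhere is a classic impostor.
            if image.endswith("\\svchost.exe") and "\\system32\\" not in image:
                findings.append(("svchost.exe outside system32", line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags six of the ten sample lines and leaves the Adobe, IntelliType, mobsync and avast entries alone.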