Tech Support Guy

#1 · Discussion Starter (Registered, 10 Posts)
I am having some difficulties deleting several related 'rogue' programs. They have been placed in folder c:\program files\vptqwpvp and are called: GEADGsBN.exe; GEADGsBN.DLL; NBsGDAEG.exe; cnml.exe and profile.dat.

When I use Taskmaster to stop the process it appears to stop them, but they return almost immediately. I deleted all references to them in the Registry that I could find (but possibly missed some), and I have tried to delete the actual files, but am denied permission because they are being used. All attempts to delete them using HJT, including the startup add-on and the 'delete at startup' options, have similarly failed. None of the various virus checkers or spyware programs have detected it as a problem.

What are these files? What damage can they do (they appear to be related to Outlook Express and caused several reboots when I tried to use OE).

How can I get rid of them?

Thanks

harryvm

Logfile of HijackThis v1.99.0
Scan saved at 4:24:10 PM, on 17/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\pmsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\vptqwpvp\GEADGsBN.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\vptqwpvp\NBsGDAEG.exe
C:\Program Files\MagicKey\MagicKey.exe
C:\Program Files\MagicKey\OSD.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\xplorer2\xplorer2_UC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CamMonitor] G:\Photo\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] G:\Photo\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus CX3100] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3100" /O6 "USB001" /M "Stylus CX3100"
O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\MagicKey\MagicKey.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel(R) 82865G Graphics Controller Power Management - Intel Corporation - C:\WINNT\System32\pmsvc.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
 

#2 (Registered, 1,137 Posts)
Download SpywareBlaster from here:
http://www.majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef

Install and run SpywareBlaster. Click on "Updates" and then choose "Check for updates". Next choose "Protection" and at the top you will see different tabs which are Internet Explorer, Restricted sites and Mozilla/Firefox. Choose one of them at a time and at the bottom click "Protect Against Checked Items" (make sure that all of the items are checked). Tick the boxes above the items. Make sure you do this for all of the top tabs. Mozilla/Firefox you only need to do if you have the user profiles on your computer. You may now exit out of SpywareBlaster.

Download Spybot S&D from here:
http://users.skynet.be/fa936042/spybotsd13.exe

Install and run Spybot S&D. Choose "Search for updates". Next choose "Download updates". After that, choose "Search and Destroy" and click on "Check for problems". If Spybot finds any nasties on your computer, make sure that they are ticked and choose "Fix selected problems".

Download Ad-Aware SE from here:
http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

Install and run Ad-Aware SE. On the bottom right corner of Ad-Aware you will see an option called "Check for updates now", click on that and choose "connect". Download the updates. Next click on "Scan now" on the left side of Ad-Aware. Make sure that "Search for negligible risk entries" is crossed out and not ticked. Choose "Perform full system scan" and click "Next". After Ad-Aware scans your computer, Ad-Aware may find some bad files on your computer so make sure you tick them all and choose "Next". It will ask if you want to remove those items so just continue. After removing the items close Ad-Aware.

Restart your computer and post a fresh HijackThis log back on this thread.
 

#3 (Retired Moderator, Retired Malware Specialist, 56,449 Posts)
Because there are no obvious startup entries (as you appear to have fixed them somehow), it is very difficult to actually see what is keeping the problem running.

try this

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
Then, as some of the files or folders you need to delete may be hidden, do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

and Delete this folder

C:\PROGRAM FILES\vptqwpvp\

Reboot normally and post a new log
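An added example (not from the thread or from the HijackThis project) that does what the post above says is hard to do by eye: it cross-references the log's running-process list against every executable named in an O4 or O23 autostart line and reports the processes that nothing visible starts. The log text is trimmed from the one posted in this thread; the core-process whitelist and the "random-looking directory name" heuristic are assumptions of this script, not HijackThis features.

```python
"""Cross-reference a HijackThis log: which running processes have no visible
autostart entry (O4 / O23)?  Added example; the log below is trimmed from the
one posted in this thread."""
import re
from pathlib import PureWindowsPath

# Assumption: Windows 2000 core processes and Microsoft services that HijackThis
# never lists under O4/O23 (it hides Microsoft services by default).
WINDOWS_CORE = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "explorer.exe", "mstask.exe", "stisvc.exe", "winmgmt.exe",
    "mspmspsv.exe",
}
EXE_RE = re.compile(r"[\w~.\-]+\.exe", re.IGNORECASE)


def parse_hjt(text):
    """Return (running process paths, lower-cased exe names referenced by O4/O23 lines)."""
    procs, autostart, in_procs = [], set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
                continue
            procs.append(line)
            continue
        if line.startswith(("O4 ", "O23 ")):
            autostart.update(m.lower() for m in EXE_RE.findall(line))
    return procs, autostart


def random_looking(dirname):
    """Heuristic (assumption): a letters-only folder name with no vowels, like vptqwpvp."""
    return len(dirname) >= 6 and dirname.isalpha() and not (set(dirname.lower()) & set("aeiouy"))


def unaccounted(text):
    """Processes that are neither core Windows nor named by any autostart line.
    Returns [(exe name, parent folder looks random)] in log order."""
    procs, autostart = parse_hjt(text)
    findings = []
    for p in procs:
        path = PureWindowsPath(p)
        if path.name.lower() in WINDOWS_CORE or path.name.lower() in autostart:
            continue
        findings.append((path.name, random_looking(path.parent.name)))
    return findings


HJT_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\System32\igfxtray.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\PROGRA~1\vptqwpvp\GEADGsBN.exe
C:\PROGRA~1\vptqwpvp\NBsGDAEG.exe
C:\Program Files\MagicKey\MagicKey.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - Global Startup: Magic Keyboard.lnk = C:\Program Files\MagicKey\MagicKey.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for name, odd in unaccounted(HJT_LOG):
        print(f"{name:20s} {'<- random-looking folder' if odd else ''}")
```

On this log the two vptqwpvp executables come out with no autostart line at all, which is exactly the situation the post describes: the O4 entries are gone but something else (a Winlogon value, a service HijackThis does not show, or one of the processes re-spawning the other) is still starting them. HijackThis.exe itself is also listed, as expected for a program the user launched by hand; the script narrows the list, it does not replace reading it.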
 

#4 (Registered, 106 Posts)
There are a couple of things which will keep it running.

a) Windows system restore, which will restore files in the system folder, including viruses - good thinking there, Bill.

b) The other programs you aren't deleting which are lurking elsewhere and set up all the files again. My bet is in WSR as the file names are coming back the same and the backdoor viruses use random letters to create file names.


It's not always just as easy as rebooting in safe mode and deleting the files you know about. You have to deal with WSR, clear ALL the registry entries which start up files, stop the virus starting up a service, and preferably remove the files it has created in case you have missed something.



Ian
 

#5 (Registered, 1,275 Posts)
Open regedit and search for LOGON, especially under these keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
Look for references to vptqwpvp, GEADGsBN.exe, GEADGsBN.DLL, NBsGDAEG.exe and/or cnml.exe under these keys. That is how this thing worked when I had it. If you find any of those references, let me know.
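An added example, not part of the post above, of checking the Winlogon keys the poster names for the file names from this thread. It parses a regedit export (File > Export, or `regedit /e file.reg "key"`) and reports an appended Userinit program, a Shell value other than Explorer.exe, every Winlogon\Notify DLL for review, and any value that mentions one of the known names. The .reg text is constructed for illustration of what a Userinit or Notify hijack looks like; it is not the poster's registry, and the key names in it are the ones the post lists.

```python
"""Audit Winlogon keys from a regedit (.reg) export for hijacked values.
Added example; the export below is constructed, not taken from the thread."""
import re

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # string values only
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# File and folder names from this thread, lower-cased for matching.
IOCS = {"vptqwpvp", "geadgsbn.exe", "geadgsbn.dll", "nbsgdaeg.exe", "cnml.exe"}


def parse_reg_export(text):
    """Return {key path: {value name: string value}}; .reg doubles backslashes."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = REG_VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def audit_winlogon(reg_text, iocs=IOCS):
    """Return [(key, value name, reason)] for anything worth a second look."""
    keys = parse_reg_export(reg_text)
    findings = []
    wl = keys.get(WINLOGON, {})
    shell = wl.get("Shell", "")
    if shell.lower() != "explorer.exe":
        findings.append((WINLOGON, "Shell", f"unexpected shell: {shell!r}"))
    # Userinit is a comma-separated list; anything after userinit.exe runs at every logon.
    parts = [p.strip() for p in wl.get("Userinit", "").split(",") if p.strip()]
    if parts and not parts[0].lower().endswith("\\userinit.exe"):
        findings.append((WINLOGON, "Userinit", f"first entry is not userinit.exe: {parts[0]}"))
    for extra in parts[1:]:
        findings.append((WINLOGON, "Userinit", f"extra program: {extra}"))
    for key, values in keys.items():
        # Every Notify DLL is loaded into winlogon.exe, so each one is listed for review.
        if key.lower().startswith(WINLOGON.lower() + "\\notify\\"):
            dll = values.get("DllName", values.get("DLLName", ""))
            findings.append((key, "DllName", f"Winlogon Notify DLL to review: {dll}"))
        for name, value in values.items():
            if any(ioc in value.lower() for ioc in iocs):
                findings.append((key, name, f"references known bad name: {value}"))
    return findings


# Constructed sample: one appended Userinit program and one Notify DLL using the
# names from the thread, next to a legitimate Notify entry (crypt32chain).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,C:\\PROGRA~1\\vptqwpvp\\NBsGDAEG.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GEADGsBN]
"DllName"="C:\\PROGRA~1\\vptqwpvp\\GEADGsBN.DLL"
"""

if __name__ == "__main__":
    for key, name, reason in audit_winlogon(SAMPLE_REG):
        print(f"{key}\n    {name}: {reason}")
```

Both hijack styles survive deleting the O4 Run entries and the files' visible startup items, which fits the symptoms in this thread; a Notify DLL in particular is loaded by winlogon.exe itself, so the file is "in use" from the moment the system boots and cannot be deleted in normal mode. Treat the IOC hits as the actionable lines and the "to review" lines as a checklist against known-good Notify entries.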
 