HELP!!! how do i get rid of VBS/Psyme virus?!?!

 
SOLVED
Go to solution
Jonas_26
Occasional Advisor

My IE keeps getting hijacked, and my virus scanner pops up saying that it's a VBS/Psyme virus, but when I scan, it doesn't find it. I've tried Ad-Aware, CWShredder, AVG and Spybot Search & Destroy but no luck. Can someone please help?!?! Does this thing I've attached help?

Logfile of HijackThis v1.97.7
Scan saved at 5:48:38, on 2005-01-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ninemsn Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-au\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pl: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ozemail.com.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{291FA932-7264-4B3F-8D50-BE366E8375FB}: NameServer = 210.80.58.42 210.80.58.34
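A small triage script for logs in this format, added here as an example (it is not part of HijackThis or of anything posted in the thread): it parses the `Onn - ...` entries, lists BHOs registered without a name, Run entries whose executable carries no directory (so the analyst confirms which file on the search path actually launches), and any DNS servers set under O17 for the analyst to verify against the ISP's. The excerpt below is constructed from the log above.

```python
import re

# Constructed excerpt in HijackThis v1.97 log format, copied from the log above;
# triage() accepts any text in that format.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{291FA932-7264-4B3F-8D50-BE366E8375FB}: NameServer = 210.80.58.42 210.80.58.34
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^HK(LM|CU)\\\.\.\\Run: \[(.*?)\] (.*)$")
NS_RE = re.compile(r"NameServer = (.*)$")


def parse_log(text):
    """Return (section, body) pairs for every 'Onn - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def executable_of(command):
    """First token of a Run-key command line, honouring a quoted path."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0]


def triage(text):
    """Collect the entries an analyst reviews first from a HijackThis log."""
    report = {"unnamed_bho": [], "unqualified_run": [], "nameservers": []}
    for section, body in parse_log(text):
        if section == "O2":
            m = BHO_RE.match(body)
            if m and m.group(1) == "(no name)":
                report["unnamed_bho"].append((m.group(2), m.group(3)))  # (CLSID, DLL)
        elif section == "O4":
            m = RUN_RE.match(body)
            if m and "\\" not in executable_of(m.group(3)):
                report["unqualified_run"].append((m.group(2), m.group(3)))
        elif section == "O17":
            m = NS_RE.search(body)
            if m:
                report["nameservers"].extend(m.group(1).split())
    return report
```

An unnamed BHO is not malicious by itself (both entries above belong to Acrobat and Spybot), which is why the script reports the CLSID and DLL path for a manual check rather than deciding for the analyst.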
Jay Bollyn
Honored Contributor

Re: HELP!!! how do i get rid of VBS/Psyme virus?!?!

Hi Jonas,

Current anti-spyware is useless unless run in winXP Safe Mode.

The following link will answer all your questions:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=781558

If questions persist, please reply.

:-) Jay

Jonas_26
Occasional Advisor

Re: HELP!!! how do i get rid of VBS/Psyme virus?!?!

Thanks, but I still don't know how to get rid of the problem. I don't even know if the VBS/Psyme virus is causing this!!! But it's the only thing that comes to mind. I type in internet addresses but other ones I don't want keep coming up. Any suggestions?!?
Thanks
John Sutherland_1
Valued Contributor

Re: HELP!!! how do i get rid of VBS/Psyme virus?!?!

Here is what McAfee says:
Virus Characteristics
This trojan exploits an unpatched (at the time of this writing) vulnerability in Internet Explorer. The vulnerability allows for the writing, and overwriting, of local files by exploiting the ADODB.Stream object. There are several variants of this trojan. Therefore this description is designed to give an overview of how the trojan works.

The trojan exists as VBScript. This script contains instructions to download a remote executable, save it to a specified location on the local disk, and then execute it.
Indications of Infection

Unexpected file creation.

Run anti-virus.

John
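A content check built from the three stages that description names (download, write to disk via ADODB.Stream, execute), added here as an example and not taken from McAfee or from anyone in the thread. It is a plain signature for scanning cached pages or mail attachments; the three fragments it runs on are constructed skeletons, not real samples.

```python
import re

# Constructed fragments (not real samples): the full chain from the description,
# the same chain with ProgIDs split by string concatenation, and a page that
# only reads a stream and must not fire.
CHAINED = '''
Set dl = CreateObject("Microsoft.XMLHTTP")
Set st = CreateObject("ADODB.Stream")
st.SaveToFile target, 2
Set sh = CreateObject("Shell.Application")
'''
OBFUSCATED = '''
Set st = CreateObject("ADO" & "DB.Str" & "eam")
st.SaveToFile target, 2
Set sh = CreateObject("WScr" & "ipt.Shell")
'''
BENIGN = '''
Set st = CreateObject("ADODB.Stream")
st.Open
st.LoadFromFile source
'''

# One regex per stage of the chain described above.
INDICATORS = {
    "download": re.compile(r"(Microsoft|MSXML2)\.XMLHTTP", re.I),
    "stream": re.compile(r"ADODB\.Stream", re.I),
    "savetofile": re.compile(r"\.SaveToFile\b", re.I),
    "execute": re.compile(r"(Shell\.Application|WScript\.Shell)", re.I),
}


def normalize(text):
    """Join "a" & "b" literal concatenations so split ProgIDs still match."""
    return re.sub(r'"\s*&\s*"', "", text)


def indicators(text):
    """Names of the stages whose markers appear in the text."""
    t = normalize(text)
    return {name for name, rx in INDICATORS.items() if rx.search(t)}


def is_psyme_like(text):
    """Flag when the script writes a file via ADODB.Stream and also shows a
    download or execute stage; a bare ADODB.Stream read is not enough."""
    found = indicators(text)
    return {"stream", "savetofile"} <= found and bool({"download", "execute"} & found)
```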
John Sutherland_1
Valued Contributor

Re: HELP!!! how do i get rid of VBS/Psyme virus?!?!

Here is a free anti virus you might try

http://free.grisoft.com/freeweb.php

John
Jon Finley
Honored Contributor

Re: HELP!!! how do i get rid of VBS/Psyme virus?!?!

First, make sure that you have the latest update from Grisoft:
http://free.grisoft.com/doc/4/lng/us/tpl/v5

Second, the conime.exe process is a backdoor/trojan. It will allow people direct access to your computer, with which they can gain access to your personal information and files.

Looking at some of the other EXE files, it appears that you've got a Toshiba Laptop. If NOT, you've got more spyware to worry about.

Jon
"Do or do not. There is no try!" - Yoda
Norman_21
Honored Contributor
Solution

Re: HELP!!! how do i get rid of VBS/Psyme virus?!?!

Hi,

Update your Spyware, Adware and Anti-Virus products always before you run them.

Have you tried MS Anti-Spyware beta 1:
http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

Even though it's still a beta version, it should clean the hijacked IE, and you can use the Advanced Tools to set up the Hijack Browser Restore settings.

BTW: Check this link for VBS/Psyme virus:
http://securityresponse.symantec.com/avcenter/venc/data/downloader.psyme.html

http://vil.nai.com/vil/content/v_100749.htm

Hope this helps
"Attitudes are contagious, is yours worth catching"/ My first point was given by SEP on January 31, 2003
Jonas_26
Occasional Advisor

Re: HELP!!! how do i get rid of VBS/Psyme virus?!?!

Hey everyone,
Thanks for the help, but the problem is still there =( I've updated everything and tried everything but no luck. Usually, all I used to have to do was delete history, cookies etc., and the problem would go away. But there are still sites that come up when I start typing a new address. It doesn't go to that site, but pops up when I start typing in the address bar. Any ideas?
Thanks heaps
Norman_21
Honored Contributor

Re: HELP!!! how do i get rid of VBS/Psyme virus?!?!

It seems that your IE is still hijacked?
Do you have the pop-up blocker enabled in SP2?

From the HijackThis log file, remove any line with (no name) and then run HijackThis again and post the log file here.

Sometimes, after cleaning IE of the hijacked stuff, IE may get connectivity corruption due to invalid or removed registry keys. In such cases, winsockXPFix.exe comes in handy:
http://www.spychecker.com/program/winsockxpfix.html

Please keep us updated

Thanks, and hope this helps
"Attitudes are contagious, is yours worth catching"/ My first point was given by SEP on January 31, 2003
John Sutherland_1
Valued Contributor

Re: HELP!!! how do i get rid of VBS/Psyme virus?!?!

I see you are still troubled. I just checked, and the VBS/Psyme trojan is not listed in the freebie I gave you. It is, however, listed by McAfee. You can go to McAfee and do a free scan:

http://us.mcafee.com/

It will confirm the state of your computer.
I know we all like to get by on free software, but I spend a little bit for my McAfee VirusScan Online and consider it the best insurance. It scans incoming mail as well as your outgoing, so you don't pass your troubles on.
McAfee Online sends frequent updates, sometimes every day, so I have felt quite secure with it.
Best of Luck
John
Jonas_26
Occasional Advisor

Re: HELP!!! how do i get rid of VBS/Psyme virus?!?!

Hey ppl, I'm really sorry for the late reply. Still no luck. I tried the winsockXPFix.exe but it didn't work. I was so hoping it would work. Sorry John, I misread your message, so I haven't had a chance yet. I'll try it soon though (I'm using a different computer at the moment). But thanks to everyone for your help!

John Sutherland_1
Valued Contributor

Re: HELP!!! how do i get rid of VBS/Psyme virus?!?!

This trojan causes unusual file creation.
Use a good virus scan like McAfee free scan to confirm the virus. Then continue searching for an answer.
Best wishes
John
John Sutherland_1
Valued Contributor

Re: HELP!!! how do i get rid of VBS/Psyme virus?!?!

Look at this one from Pest Control. The download can be accessed from the download page. Your trojan is listed part way down the page.
It looks like a plan.

http://www.pestpatrol.com/pestinfo/t/trojandownloader_vbs_psyme.asp#Detection%20and%20Removal

John
jeff_402
New Member

Re: HELP!!! how do i get rid of VBS/Psyme virus?!?!

Hello Jonas.....type in McAfee Stinger.....it will get rid of all of that garbage...but you must remember....you have to turn OFF your System Restore before you run it..it should rid your comp of all the bad files..they're probably just trapped inside your System Restore..it will delete all the corrupt files...then turn your System Restore back on...peace