Infected with Vacfix - possibly!!

My computer is running slowly when I access webpages and some programmes. I have run several different scans and only one has revealed anything that sounds likely - c:\Qoobox\Quarantine\_\Item32\VACFix.exe.vir (the underscore maybe a . [period / dot].) and also c:\WINDOWS\System32\VACFix.exe

IE8 will not always load pages and sometimes displays that it has encountered an error and has closed it for my safety. When I close the page with the error message on, other explorer windows I have up also close down. I am unable to load Microsoft Live Onecare or Trend Housecall as the page freezes and then I get an error message, then it closes down. I have a handy little programme that shows my internet usage, uploading and downloading volumes and I have a tiny amount of information going out of my computer constantly.

I have a couple of logs that I have saved (as instructed by this forum) and would be obliged if I could get some some help on this problem.

Thanks.

I see that you have used ComboFix at some point. Did you use SmitfraudFix too? Certain embedded files (VACfix.exe) that are part of legitimate programs or specialized fix tools such as SmitfraudFix may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, registry fixes and malware strings it contains.

Such programs have legitimate uses in contexts where a Malware Removal Expert asked you to use the tool or when an authorized user/administrator has knowingly installed it. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or it can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious due to the security program's Heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "False Positive".

Please download OTCleanIt.exe and save to your Desktop.

• Connect to the Internet and double-click on the file to launch the program.
• Click on the green CleanUp! button.
• If you get a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the Internet, please allow the connection.
• When it has finished, OTCleanIt will ask you to reboot so it can remove itself.

-- Note: Doing this will remove any specialized tools (including this one) downloaded and used.

Open Windows Explorer, navigate to the C:\WINDOWS\System32\ folder, right-click on and delete VACFix.exe. Then empty your Recyle Bin.

Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Hi,

Firstly, thank you for spending some of your time to try and solve this problem.

Yes, I was advised to try Smitfraud and Combofix.

I followed your instructions and have enclosed the log as requested, HOWEVER, when I navigated to the C:\WINDOWS\System32\ folder, there was no VACFix in there. I dont know whether this type of infection can mutate into something else - or have I been watching to many science fiction programmes?? I followed your instructions hoping something else would turn up. There is definately something going on in my computer and would be obliged for any help.

Malwarebytes' Anti-Malware 1.36
Database version: 2128
Windows 5.1.2600 Service Pack 3

14/05/2009 07:40:50
mbam-log-2009-05-14 (07-40-50).txt

Scan type: Quick Scan
Objects scanned: 107564
Time elapsed: 5 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

To me, it all looks ok, but I know it's not!! grrrrrrr.

There is definately something going on in my computer and would be obliged for any help.

Please explain with more specific details as to what is going on.

OK, I have a programme called bitmeter that monitors my broadband usage (from the old restricted broadband usage days), it shows a constant stream of information leaving my computer regardless of what I'm doing. I did my normal scans for viruses etc. and originally came up with VACFix.exe.vir I have AVG 8 as my antivirus and XP as my OS. At the same time as my computer started uploading information, it started to run slower and programmes much longer to open. I tried to download Microsofts Live Onecare and Trend Housecall but the page froze and I got the message " Internet Explorer has closed this webpage to help protect your computer" and " A malfunctioning or malicious add-on has caused Internet Explorer to close this webpage".
Sometimes I can't get IE8 to open. I regularly "clean up" my computer and have kept it performing well and has always functioned very fast - but this problem is, to say the least, a nuisance and more worringly, a security risk.

Thank you for your time in looking into this for me.

Internet Explorer Add-ons and toolbars are plug-in applications designed for the Microsoft Internet Explorer Web browser. The "Manage Add-ons" lists all the third-party browser extensions installed in Internet Explorer and provides the ability to disable them selectively but cannot be used to delete them. If an add-on is disabled, Internet Explorer adds the CLSID (Class ID) control to the "don't load list" in the registry so when launching a new instance of it, the list is checked by iexplore.exe and explorer.exe processes and never loads that control.

• Control Internet Explorer Add-ons with Add-on Manager
• How to manage Internet Explorer add-ons in XP SP2
• Troubleshooting and Internet Explorer’s (No Add-ons) Mode
• IE Add-on Management
• Prevent a Browser Helper Object from loading with Explorer.exe

Add-ons may be ActiveX controls, Toolbar extensions, and Browser Helper Objects (BHOs). More specifically, BHOs are code modules (.dlls) that are loaded into Explorer and Internet Explorer and run automatically every time you start your browser. BHO's were designed to allow developers to extend the functionality of Windows and improve features. However, some BHO's are malicious malware components which can act as a toolbar or browser plug-in and can be difficult to remove.

If you have a lot of toolbars, BHOs and Add-ons attached to Internet Explorer, you could try improving performance by disabling or removing those which are unnecessary. Sometimes Add-ons cause the browser to quit unexpectedly or not perform properly especially if it was poorly designed or was created for an earlier version of Internet Explorer. Incompatible browser extensions and add-ons can also impact system performance and cause compatibility issues such as application hangs (freezing). Many tool bars and add-ons come bundled with other software and can be removed via Add/Remove Programs from the Control Panel or Programs and Features in Vista, so start there first.

Thanks again for your fast reply.
I clicked on your links, Internet Explorer Add-ons etc, the pages won't load from the link - this is typical of this problem.
I only have the basic toolbars, and have checked for any hidden or disabled ones.
I've been through all my Add/Remove programmes and the only thing I can find (but strangely can't remove is Remote Gallery - I get up an error message "The LaunchAnywhere properties file is missing").
Look forward to hearing from you.

Basically, to do Disable Add-ons:

• Open Internet Explorer, go to the Tools menu and click Manage Add-ons.
• In the Show box, look through the list of "Add-ons currently loaded in IE'.
• If you see an unwanted add-on, you can hightlight it and choose Disable at the bottom.
• Note: The "Manage Add-ons" feature cannot be used to delete them.

There is a lot of information in those links. You may want to try using alternate browser like Firefox so you can read all the suggestions. IMO Firefox is a faster browser and I use it most of the time.

All my enabled add-ons are wanted. I don't know if you're familiar with Microsoft Live Onecare or Trend Housecall. With Live Onecare when I get to "install scanner" I used to get a small warning bar at the top saying something like a programme (I think it's ActiveX) wants to run. But now as with Trend the page justs hangs and then I get the error report "Internet Explorer has closed this webpage to help protect your computer" and " A malfunctioning or malicious add-on has caused Internet Explorer to close this webpage". When I close the page, other windows I have up, may also close.

I don't use IE8. However, you may want to try some of the suggestions in these articles.

Internet Explorer: Fix IE8 DEP Crashes
Reset Internet Explorer 8 settings
How to reset Internet Explorer settings in IE7 or IE8

GOOD news and BAD news!! The article on Internet Explorer: Fix IE8 DEP Crashes helped with the Java Virtual Machine Removal Tool, which was stopping Microsoft Live Onecare (and a couple of other programmes) from running. So that's OK now. The bad news is I ran a Spybot scan and it came up with Virtumonde.sdn, which I gather isn't the best of things to have.
Any chance of helping me out with this one?
:-)

Thanx

Did Spybot provide a specific file name associated with this malware threat(s) and if so, where is it located (full file path) at on your system?

mvps.org is no longer recommending Spybot S&D or Ad-Aware due to poor testing results. See here - (scroll down and read under Freeware Antispyware Products).

Further, most people don't understand Spybot's TeaTimer or how to use it and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and even prevent disinfection of malware by those tools.

More effective alternatives are Malwarebytes Anti-Malware and SUPERAntiSpyware Free.

Within Spybot, the result of Virtumonde.sdn had a + sign to the left hand side, when I expanded it I got the path of c\Windows|system32\juwagima is this what you're referring to?

By the way - all the time you spend on this is much appreciated. Thanx.

Not a problem.

Get a second opinion. Go to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.

I don't actually have a file to upload (well, I don't think I have), VACFix.exe didn't get picked up on my scans (although things still aren't right) but re-appeared today under a Win32TrojanSpy with a path of C:\Documents and Set\.\tfraudFix\VACFix.exe
I can't enter that into Jotti's virusscan or VirusTotal.