Virus Issue
Jafo
Nov 24th '05, 04:51 PM
Hey guys, my wife's computer has a virus that I cannot get rid of. It is one of those regenerating viruses that my virus software removes, but as soon as the computer reboots the damn thing comes back.
It is called "ynmusdh.exe" and my virus software labels it as a Downloader ACV-Trojan.
I have done a search to find out how to get rid of this thing and I have been unsuccessful in finding what I need. My next option is a reformat, but I am trying to avoid it if at all possible.
Anyone have a good suggestion or an alternate option?
{OOE}Death
Nov 24th '05, 05:33 PM
I assume you have disabled System Restore and run scans from safe mode, etc. It would also be helpful to fire up HijackThis and post on one of the many help forums out there. In all honesty, sometimes it's just easier in the long run to start over. If you have the time, I suppose you could figure it out. I'd offer to help you, but without access to the box it's nearly impossible to see what is happening.
Ghost
Nov 24th '05, 06:07 PM
Yup, HijackThis is your friend. I recently ran into a virus/trojan that was stuck so deep in the system that we ended up rebuilding. I ran Spybot, Ad-Aware and HijackThis on the system and there was no sign of any remaining spyware processes. But when you tried to go to mcafee.com it would point you to localhost (127.0.0.1). At that point I could have spent another 5-10 hours and might have gotten further removing the virus, but usually it just isn't worth it.
D-Bone
Nov 24th '05, 06:30 PM
Ok, let's see how this goes.
I'm going to assume this is Windows XP. Download the following items:
Spysweeper free trial:
http://www.webroot.com/shoppingcart/tryme.php?bjpc=64011&vcode=DT02
AdAware:
http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button
Spybot:
http://www.spybot.info/en/mirrors/index.html
HijackThis!:
http://www.merijn.org/files/hijackthis.zip
Install the first 3 programs.
Spysweeper Install:
Just do a typical install. When it finishes, go to options and choose update definitions to make sure it has the latest. Then go to shields and turn them all on except the Startup shield, go ahead and uncheck that one. Don't scan yet.
AdAware Install:
Again, a typical install. Make sure it also does an update after installing. Also, don't scan yet.
Spybot Install:
During install, all the defaults are fine. Run the program when finished, follow the setup wizard by letting it search and then download updates. Make sure to immunize as well during the install. Close program, don't scan yet.
HijackThis!:
It's just a single executable in zip file. Extract it, we'll run it shortly.
Ok, now reboot and hit F8 between POST and Windows boot to get your startup menu. Choose "Safe Mode with Networking" (I assume her PC is on broadband as well...).

Once you are in safe mode, first run Spysweeper. It will ask to run in its own safe mode; go ahead. Then run a sweep. If it detects anything at all, hit Next so it can remove the bad stuff. Once it's done, close it.

Then run AdAware and choose "Custom Scan" and hit Start. When it is done, right-click in the results box and choose "Select All" and then hit Next to remove. Once it's done, close the program.

Next Spybot: hit "Scan Now" and then, when it's done, hit the "Fix Selected Problems" button. Close the program. (Hopefully these commands are fairly close, I'm pulling them from memory.)

Next fire up HijackThis. Hit OK to both dialog boxes. Then hit the top button, "Do a system scan and save a logfile". Save that logfile and post it here, and I'll tell you which things to checkmark for removal.

Then go to www.sarc.com (http://www.sarc.com/). In the left-hand column, under the second section titled "virus definitions", the 3rd link says "Online Virus and Security Check". Click it. Then hit the Go button on the next window if your popup blocker blocks it. The next window will have 2 choices. Choose Virus Scan. It will load some ActiveX controls and then do a full system scan with the latest definitions. When it's done it will tell you if there are any additional files infected and with what virus. These files you will have to delete manually, but you should be able to while in safe mode. Then you'll remove the specified items from HijackThis.

After that, reboot into normal mode and rerun all the scans, making sure they come up clean. Once they do, make sure all Windows updates are done. Depending on what was found, you can uninstall the Spysweeper trial, or if it found a lot it may be worth purchasing; it's a great program.
Let me know how it all turns out or if things don't go according to plan. GOOD LUCK!
Jafo
Nov 25th '05, 08:34 AM
Thank you very much for the information. I am going to download all of this and give it a try.
D-Bone
Nov 25th '05, 09:41 AM
Jafo,
I'm packing up to head up to Kyraath's for the gaming session. I'll be back up and running in about 4 hours in case you have any questions.
Jafo
Nov 25th '05, 09:58 AM
This is the log file... I think I did this the way your instructions said. I will catch up with you guys on Teamspeak later on tonight also. I really appreciate the help with this. Thank you very much.
Logfile of HijackThis v1.99.1
Scan saved at 11:51:46 AM, on 11/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Install\Virus removal\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [compacjt.exe] C:\WINDOWS\System32\compacjt.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Gcj2s6.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mwfgrbq] C:\WINDOWS\mwfgrbq.exe
O4 - HKLM\..\Run: [fejwmeu] C:\WINDOWS\fejwmeu.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1129431499\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [0F15161615181B1] 12181919181B1.exe
O4 - HKLM\..\Run: [owpjaxf] C:\WINDOWS\owpjaxf.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - HKCU\..\Run: [FCMan] "C:\Program Files\FCMan\FCMan.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\Install\toolbarcop.exe (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\Install\toolbarcop.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
D-Bone
Nov 25th '05, 01:57 PM
Ok, checkmark the following and hit the "fix selected". Re-scan hijackthis after removing to make sure they are gone.
REMOVE:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
O2 - BHO: (no name) - SOFTWARE - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [compacjt.exe] C:\WINDOWS\System32\compacjt.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Gcj2s6.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mwfgrbq] C:\WINDOWS\mwfgrbq.exe
O4 - HKLM\..\Run: [fejwmeu] C:\WINDOWS\fejwmeu.exe
O4 - HKLM\..\Run: [0F15161615181B1] 12181919181B1.exe
O4 - HKLM\..\Run: [owpjaxf] C:\WINDOWS\owpjaxf.exe
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - HKCU\..\Run: [FCMan] "C:\Program Files\FCMan\FCMan.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
It looks like she had a good spyware infection based on what's listed there. Once you are all done in safe mode here, reboot and rescan with everything in normal mode to make sure nothing came back. :)
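An added example, not part of the thread and not code from HijackThis or its author: a small Python script that parses the O4 (Run key) lines of a HijackThis log and prints a review list with the reason each entry was flagged. The heuristics it uses (an executable dropped straight into C:\WINDOWS instead of a subfolder, a bare file name that Windows has to locate through the search path at logon, a Run value name that looks machine-generated, a file name that mixes letters and digits without forming a word) are my assumptions about what a human reviewer looks for when reading a log like the one above; they produce candidates for a person to confirm, not verdicts. On the sample below they will miss some of the items in the removal list (compacjt.exe, CMMan, FCMan) and flag a legitimate one (nwiz.exe), which is exactly why the reviewer still reads the list. The sample lines are copied from the log posted above.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a subset of the O4 lines from the HijackThis log posted
# above, mixing entries the thread leaves alone with the ones it removes.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [compacjt.exe] C:\WINDOWS\System32\compacjt.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\Gcj2s6.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [mwfgrbq] C:\WINDOWS\mwfgrbq.exe
O4 - HKLM\..\Run: [fejwmeu] C:\WINDOWS\fejwmeu.exe
O4 - HKLM\..\Run: [0F15161615181B1] 12181919181B1.exe
O4 - HKLM\..\Run: [owpjaxf] C:\WINDOWS\owpjaxf.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
""".strip().splitlines()

# HijackThis O4 Run-key shape: "O4 - <hive>\..\Run: [<value name>] <command line>".
# Global Startup (.lnk) entries have a different shape and are skipped here.
O4_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")


def parse_o4(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (hive, value_name, executable) for an O4 Run-key line, else None."""
    m = O4_RUN_RE.match(line)
    if not m:
        return None
    hive, name, cmd = m.groups()
    if cmd.startswith('"'):
        # Quoted path (may contain spaces); arguments follow the closing quote.
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end != -1 else cmd[1:]
    else:
        parts = cmd.split()
        exe = parts[0] if parts else ""
    return hive, name, exe


def suspicious_reasons(name: str, exe: str) -> List[str]:
    """Heuristic review flags; these are this example's assumptions, not HijackThis rules."""
    reasons = []
    low = exe.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "\\" not in exe:
        reasons.append("bare file name, located through the search path at logon")
    if re.fullmatch(r"c:\\windows\\[^\\]+", low):
        reasons.append("executable sits directly in C:\\WINDOWS rather than a subfolder")
    if (re.fullmatch(r"[A-Z0-9]{10,}", name)
            and re.search(r"[A-Z]", name) and re.search(r"[0-9]", name)):
        reasons.append("Run value name looks machine-generated")
    if (len(stem) >= 5 and re.fullmatch(r"[a-z0-9]+", stem)
            and re.search(r"[a-z]", stem)
            and sum(c.isdigit() for c in stem) >= 2):
        reasons.append("file name mixes letters and digits with no recognizable word")
    return reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Entries worth a human look, each with the reasons that fired."""
    out = []
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, name, exe = parsed
        reasons = suspicious_reasons(name, exe)
        if reasons:
            out.append({"hive": hive, "name": name, "exe": exe, "reasons": reasons})
    return out


def flagged_basenames(lines: List[str]) -> Set[str]:
    """Lower-cased file names of every flagged entry, for quick comparison."""
    return {str(e["exe"]).lower().rsplit("\\", 1)[-1] for e in triage(lines)}


if __name__ == "__main__":
    for entry in triage(SAMPLE_O4_LINES):
        print(f"{entry['hive']} [{entry['name']}] {entry['exe']}")
        for reason in entry["reasons"]:
            print(f"    - {reason}")
```

Run it against a real log by replacing SAMPLE_O4_LINES with the file's lines; anything it prints is a starting point for the "should this be here?" question, and anything it stays quiet about still deserves a glance, since a well-named executable in Program Files is no proof of anything.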
Jafo
Nov 26th '05, 06:34 PM
Ok, this has made a huge difference. I tried to run the software from sarc.com, but something was going on with the website when I tried to use it. I will go back and try it again. I still have a virus that the virus software is detecting, so hopefully after I can get that to work on the Sarc site I will have more of an idea of what I am dealing with. Thanks again. It has already been a huge improvement.