
VPC32.exe worm Removal

My PC was infected last night with a VPC32.exe worm. It has taken control of my PC; I can't get online or run my virus program. I'm running XP Professional. Is there a patch I can download on my laptop and use on my PC? I'm not very computer savvy. Any help would be appreciated....Thanks

Would Help To Have Info

as listed in RED at top of post page including which A/V you have and which program found this!

Do you have/or had in past/ Symantec Corporate edition? If so it MAY BE a legit & necessary file for A/V.

IF NOT, then it's possibly the AGOBOT XM worm & should be removed.
Copy & Paste the file name into Google and you'll get a page of items on this & how to remove. BE AWARE this worm is network aware and likely is infecting other machines that get connected to the network. Good Luck!
Happy

VPC32.exe worm Removal

I'm running Symantec Corporate edition, but it didn't find it. While on a website I got a Security Warning message and it showed a system scan. I did manage to stop the scan and every time I tried to run any program I got a message asking if I wanted to continue with the scan. I was not able to run my A/V or any other program, it totally took control of my PC. I did Google the file and tried to follow the instructions, but my PC doesn't have the options stated. I had to re-start in safe mode to be able to access my PC and I did a system restart to an earlier date. Now I don't get the security message or the system scan message. But, I'm not sure if my PC may still be infected. ANY THOUGHTS?

You're right my laptop did get it too, but it didn't take control of it and I was able to run Windows Defender which got rid of it.

Just To Be Sure

& for peace of mind, I would do the following.
IF computer is acting normal, I would download & save Malwarebytes MBAM.exe to desktop or My Docs as well as their "offline" manual install update from the links below:
MBAM: http://www.malwarebytes.org/
Update: http://www.malwarebytes.org/mbam/database/mbam-rules.exe

Replacing Symantec with fresh copy & updating may be a good option
but possibly not necessary. It may have been corrupted but likely just thought it was its own file. You may want to dump system restore points in case infected but I'd be tempted to wait until you're reported clear in case you don't have to. If infected files found in "system volume" then you should dump the stored points.

After physically disconnecting (unplug computer from modem) from net and laptop, I would disable Symantec background guard (auto protect?)
temporarily & then install MBAM (just bypass its trying to contact the net by clicking "next") and then run the manual update definitions.

Reboot. Then run full scan and " fix all" for anything found.
MBAM auto copies any removed items to quarantine, so if a false positive happens, you can return it to its rightful place. I would then reboot and run a full scan again just to be extra sure all's gone.

If MBAM doesn't want to install, try again from Safe Mode w/ networking.
Please copy & paste the log file from the scan in a reply to this post. Once clean you may reconnect modem & re-enable auto protect.
I have never had Symantec Corp so some terms may be different but the principle is the same to prevent it from interfering w/ MBAM install & removal actions.

You may do the same for the laptop to get rid of any leftovers from your removal already performed. Once BOTH are clear, you may reconnect them in the network. Please note & report any weird behavior happening post clean up on either machine. Good Luck & I'll check back nightly or others may make suggestions to aid you further. Good Luck!!

Scan

I had no weird behavior happen before the scan. Below is the log from the first scan.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3961

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/6/2010 8:29:11 PM
mbam-log-2010-04-06 (20-29-11).txt

Scan type: Quick scan
Objects scanned: 123297
Time elapsed: 15 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9} (Adware.MediaMotor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

It doesn't show any VPC32.exe files so do you think the restore to an earlier date I did took care of the problem?

After that I re-booted and ran a full scan where nothing was found.

I haven't scanned my laptop yet, but will do.

I worry my PC is not safe.
Thanks for your help

Laptop scan

I did a full scan and there was nothing found.

Regarding my PC, I've read that after doing a restore one should go to the system restore through the control panel and turn off system restore and restart PC and do a complete scan. Would you recommend that or should I leave well enough alone? Besides it would seem if I turned off system restore the worm would be back and I would lose control of my PC again. Not sure about that though. Can the Malwarebytes MBAM be run in safe mode?

I wish I knew more about all these things......Thanks

Thanks For Posting That Log! V. Helpful!

The biggest problems were the "Spyware Bot" rogue & the "My Web Search" group of adware/search re-directors. For these,

1st go into Control Panel> Add Delete Programs> and search list for anything related to the 2 above (which may or may not still be there). Be aware that the MY Search group also includes several other My items. About 15 or so? The following Link, at bottom, has full list of the programs you might find there to be un-installed:
http://www.bleepingcomputer.com/uninstall/Cat-M.html
You will need to lose any gimmicky "goodies" that were included.
Be sure to get rid of any "MY..." links in your Favorites/Bookmarks.

Also check for any of these added as toolbars to your Browser(s).
Don't know which you have IE 6,7,8? Mozilla?

If any don't want to un-install, then try again from Safe Mode. MBAM got the active threat but the program will reload w/ net access! You must dump the programs themselves.

Pop Cap Loader is adware downloaded when you play games online at Pop Cap games. It also controls time/use limits for tryouts, licenses & logs which company should get the commissions if you should buy any.
Tip: If you want to buy, order as CD/DVD copies by mail for re-install in future!

Yes you can run MBAM in Safe Mode (takes a little longer).

Since behaving fairly normally, I would dump all restore points by
entering System Restore settings & check mark the "turn off monitoring on all drives".

To Get to System Restore, RIGHT click the My Computer Icon on desktop and click on Properties, then click System Restore Tab & enter "settings". I'm NOT sure if Symantec has taken over duties of SR with its own back up system, which may create a different problem. Varies by version & year of program.

Once you've un-installed & re-run scans in safe mode with clean results, you can turn monitoring back on by removing the check mark.

Be aware that XP (all) have a known issue w/ monitoring MORE than 1 Hard Drive at a time. If you have more than 1 HD, enable only for main drive *C:* usually.

The threat there is more of NOT dumping the existing points as they can hold copy of the infectors and would re-install them if you restored to an infected point!

You've done very good work so far (Congrats!)& you're nearing the finish line.

I'd suggest 1 or 2 other FREE programs for you...
CCleaner: It dumps all temp files accumulated daily. I always run it upon leaving the net. First run may take time due to the existing build-up.
Daily takes only a few seconds. Get "SLIM VERSION" at bottom of page w/ NO toolbar: http://www.piriform.com/ccleaner/builds
I DO NOT use the Reg. Cleaning part of the program!

Optionally another scanner remover (like MBAM) SuperAntiSpyware (SAS):
http://www.superantispyware.com/
Both have updates daily and between them there's not much that won't be found/fixed.

Please post back again with (hopefully) final success tale!

Adware

Just to make sure, you are suggesting I go to System Restore and turn it off which would restore my PC back to the date of the worm, right?
And, then scan with MBAM in safe mode. I also downloaded superantispyware and ran a scan which found 5 registry cleaning trails, adware tracking cookies and an adware coupon bar which I removed.

Did the log I sent you from the MBAM scan show something dangerous?

Thanks

Confusion Re: Sys Restore...

No, I don't mean to "restore to a previous time". You do not want to do that. Simply open the program, on the left side click on "System Restore Settings" and the next page will show the box that the check mark should go in (turn OFF SR on all drives). Then click Apply & OK. This will delete ALL previous stored (possibly infected) points BUT will NOT restore you away from current (better) status.

Once fully clean & working normally, you will again open system restore program & will receive a prompt saying its disabled & do you want to re-enable sys restore? Click yes & a new, 1st clean point will be auto created.

Log did not show anything terribly dangerous by standards here (LOL!) but certainly the "My Web etc." & the Spybot Rogue had potential to download much worse than you were showing.

As long as you had both MBAM & SAS fix all they found that should be fine.

You might (optionally) want to run XP's System File Checker (SFC) just in case any system files were corrupted by the malware &/or its removal. To do this:

Dbl. LEFT click "My Computer"> Right click C: drive> left click "properties">click Tools >"error checking-check now".
Put check mark in top box "auto fix system file errors" & click fix now. OK the pop-up saying you need to restart the computer now and reboot. Then leave alone 'til it has finished and auto reboots back to welcome screen. All done. Good work! By now you should be safe to go on net normally.

Please be careful not to sucker for many of the freebies out there as they often have toolbars &/or spyware included in them. Best to NOT install while on net.
Better to save to desktop or My Docs & immediately right click scan w/ MBAM/SAS/AV to be sure they're safe to open &/or install.

Please post back w/ success or any questions or problems. Thanks! Sandy

All Clear

I did everything you told me to do and everything is clear, I hope.

I also uninstalled Symantec and installed McAfee Security Center provided by my internet provider. It found a Trojan, Fake Alert-Spypro.gen.d
c:\DOCUMENTS AND SETTINGS\IBM USER\LOCAL SETTINGS\TEMP\NQHUE.EXE which was quarantined. However I ran the scan after I had turned on SR again, don't know why I did that, but after the scan I turned it off and on again so I'm assuming that will be OK? The scans with MBAM & SAS were done in safe mode with SR turned off.

Thanks for all your help I really appreciate it. Hopefully I won't have any more problems.

More Problems, Maybe

After replying I scanned with MBAM and got this:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3961

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/11/2010 2:44:21 PM
mbam-log-2010-04-11 (14-44-21).txt

Scan type: Quick scan
Objects scanned: 123668
Time elapsed: 16 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Should I start all over again and turn off SR and scan in safe mode with AV, MBAM & SAS? Or is this just something you get while on the net? I used to just scan with Windows Defender and Symantec.

No problems :)

Applehoney..

The two entries MBAM reported are nothing to be concerned about. They indicate your A/V and F/W were disabled. They were done so by McAfee. McAfee has its own monitoring components, and turns off the alerts by default, in order to avoid duplications from Windows Security Center. If you see the results again after a scan, you can safely click on each and choose "ignore".

I would strongly suggest against disabling System Restore, at the first sign of an infection. By disabling it, you're flushing all your restore points, and would have nothing to fall back on, should the need arise. Or at least, that's my opinion. Have a look at this thread.

Lastly .. don't forget to update MBAM. Your most recent log indicates you haven't updated it since April 6th. It updates daily. Sometimes a few times during the day.

Best of luck..
Carol
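
The two MBAM logs in this thread share one layout, and Carol's point about the Disabled.SecurityCenter data items is a triage rule worth writing down. As an added example, not code from the thread or from Malwarebytes, here is a small Python parser that reads the summary counts and detection lines and ranks them; the sample log is constructed, abridged from the ones posted above.

```python
import re

# Constructed sample, abridged from the MBAM 1.45 logs posted in this thread.
SAMPLE_LOG = r"""
Registry Keys Infected: 1
Registry Data Items Infected: 2
Files Infected: 0
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")      # "Files Infected: 0"
DETECTION_RE = re.compile(r"^(\S.*?) \(([^()]+)\) -> (.+)$")    # path (Family) -> action

def parse_mbam_log(text):
    """Return (summary counts by section, list of detection dicts)."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:                                    # summary block at the top
            summary[m.group(1)] = int(m.group(2))
        elif line.endswith(" Infected:"):        # detail section header
            section = line[:-1]
        elif section and (m := DETECTION_RE.match(line)):
            detections.append({"section": section, "path": m.group(1),
                               "family": m.group(2), "action": m.group(3)})
    return summary, detections

LEVELS = ("high", "medium", "info")

def triage(detections):
    """Rank detections by the family name MBAM assigns, most urgent first."""
    ranked = []
    for d in detections:
        if d["family"] == "Disabled.SecurityCenter":
            # Carol's case: a third-party suite silenced Security Center alerts.
            # Informational, provided the replacement AV/firewall is running.
            level = "info"
        elif d["family"].split(".")[0] in ("Rogue", "Trojan", "Backdoor", "Worm"):
            level = "high"
        else:
            level = "medium"                     # adware, PUPs, tracking entries
        ranked.append((level, d["family"], d["path"]))
    return sorted(ranked, key=lambda t: LEVELS.index(t[0]))
```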

Glad to hear it

I kind of thought that might have been the reason, but not being savvy about these things I wasn't sure.

Thanks

Forgot to add

After MBAM found the last 2 threats today and I deleted them, my PC shut down and restarted by itself.

After thought

If I don't do anything else should I be safe to pay bills on-line or should I still be worried?

Thanks

If You're Really Worried...

you could go thru the change passwords routines. You could also notify your Bank & Credit Card issuer & tell them that you believe you're safe
and this didn't have the time/opportunity to get out to the net BUT would they please flag your account(s) for any clearly unusual behaviors on your accounts for the next 30/60 days? They probably already have a mild version of this but this would step it up a notch & they should be happy to do so (as they'd be the BIG losers if such happened).

Be sure to do the same scans & system restore point dump on your laptop as well.
