# Removing msvmcls64.exe



## Dibs (Dec 20, 2009)

I recently bought a Toshiba NB200 netbook and caught some sort of malware under the name msvmcls64.exe. This peice of malware seems to have popped up in the last few days. Here is a recent report.

At the time of discovery, I was running Norton Internet Security (30-day trial) and Windows Firewall. I run Google Chrome (not sure how secure this is). I had been downloading installers for some programs (VLC, itunes, Open office, etc)

*Symptoms:*

MSVMCLS64.EXE runs on startup and appears as a process such as "110.exe" "220.exe" "600.exe" in Task Manager.
The process will attempt to access the internet, loads a page in arabic if allowed
The process deletes other startup processes in msconfig

*Timeline*

Random arabic website would pop up
Discovered the suspicious process "110.exe" running in Task Manager.
Disabled msvmcls64.exe from startup using msconfig
Found out that several of my startup processes were removed (Ex power saver, hard drive protection, touch pad options, volume function keys)
Ran a system restore to a previous date (restoring these processes)
Installed zone alarm (didn't have it before on the laptop)
Discovered msvmcls64.exe trying to access the internet
Disabled it again
Looked for similar problems and found this website and this post
Ran ComboFix
Ran Malwarebytes - found msvmcls64.exe and deleted it.
Ran HijackThis for a logfile

*Logs:*
Combofix: (have a log but it is too big to fit in this post)

*Malwarebytes' Anti-Malware 1.42*
Database version: 3396
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

20/12/2009 9:51:45 AM
mbam-log-2009-12-20 (09-51-42).txt

Scan type: Quick Scan
Objects scanned: 117246
Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msvmcls64.exe (Net.Worm) -> No action taken.


*Logfile of Trend Micro HijackThis v2.0.2* (had some errors while running, but still spit out a logfile)
Scan saved at 10:06:28 AM, on 20/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\VirtuaWin\VirtuaWin.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\VirtuaWin\modules\smartCoolName.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VirtuaWin\modules\WinList.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.ca/welcome
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.ca/welcome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TAccessibility] C:\Program Files\TOSHIBA\Accessibility\TAccessibility.exe Instant
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TUSBSleepChargeSrv] %ProgramFiles%\TOSHIBA\TOSHIBA USB Sleep and Charge Utility\TUSBSleepChargeSrv.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: VirtuaWin.lnk = C:\Program Files\VirtuaWin\VirtuaWin.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8059 bytes

I deleted the infected file found by Malwarebytes. Could somebody confirm that everything is OK?

On a side note, if you see any startup programs that I don't need, let me know.

Thank you!


----------



## johnb35 (Dec 20, 2009)

Break up the combofix log into multiple post or upload it to a file storage site and give me the link to it.  If you make multiple posts, make sure you get the full log.


----------



## Dibs (Dec 20, 2009)

Here is the ComboFix log:
http://dl.dropbox.com/u/3330533/ComboFix.txt


----------



## Respital (Dec 20, 2009)

Please download *Security Check* from *here* or *here*
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.


----------



## Dibs (Dec 20, 2009)

Results of screen317's Security Check version 0.99.1   
 Windows XP Service Pack 3  
*`````````````````````````````` 
Antivirus/Firewall Check:* 
 Windows Firewall Disabled!  
 Norton Internet Security    
 ZoneAlarm      
*`````````````````````````````` 
Anti-malware/Other Utilities Check:* 
 HijackThis 2.0.2    
 CCleaner     
 Java(TM) 6 Update 17  
 Java(TM) 6 Update 16  
*Out of date Java installed!* 
 Adobe Flash Player 10  
Adobe Reader 9.2 
*`````````````````````````````` 
Process Check:  
objlist.exe by Laurent* 
 Norton ccSvcHst.exe 
 Zone Labs ZoneAlarm zlclient.exe  
*``````````````````````````````
DNS Vulnerability Check:*
 GREAT! (Not vulnerable to DNS cache poisoning) 

*`````````End of Log```````````*


----------



## Respital (Dec 20, 2009)

Please download *JavaRa* to your desktop and unzip it to its own folder

 Run *JavaRa.exe*, pick the language of your choice and click Select. Then click *Remove Older Versions*.
Accept any prompts.
Open JavaRa.exe again and select *Search For Updates*.
Select *Update Using Sun Java's Website* then click Search and click on the *Open Webpage* button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


----------



## Dibs (Dec 20, 2009)

Seems like the version of Java  that I am running (Java(TM) 6 Update 17 )  is the current recommended version.

In any case, I ran JavaRa.exe, uninstalled my current version and downloaded and installed it again from the website.

Security Check still reports it as out of date. Is this a problem?


----------



## johnb35 (Dec 20, 2009)

You need to go into add/remove programs and uninstall version 16.  I'm disinfecting a laptop right now but I will be back on later to go over your combofix log.


----------



## johnb35 (Dec 22, 2009)

Ok. Sorry for taking so long but according to your logs it appears your system is clean.  

Can you give me an update on how your system is running?

You can also have hijackthis fix these 2 entries as they are not needed at bootup.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime


Run a hijackthis scan and place a check next those items and then click on fix checked at the bottom.


----------



## Dibs (Dec 24, 2009)

Hello John, the computer is working well now. Thank you and Respital for your help!


----------



## johnb35 (Dec 24, 2009)

Your welcome.  Glad everything is working fine for you now.


----------

