Help please with a virus

Post by t1123d on 22nd December 2008, 8:56 pm

Hello. I'm new to this website. I've been having problems with this virus for quite some time. It causes the computer to run slower than normal and causes it to freeze frequently. A "virus detected" bubble always pops up in the corner on the taskbar at the bottom right of my computer screen. Also, it redirects the browser when I click on websites found by Google and doesn't allow me to download any anti-spyware. If I can download it somehow, the spyware won't run. Please help if you can! Thank you!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:05 PM, on 12/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brastk.exe
C:\Documents and Settings\Danny Y\lsass.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Danny Y\Desktop\hijackgpthis.exe
C:\WINDOWS\system32\notepad.exe

R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Danny Y\lsass.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\RunOnce: [tdss] C:\WINDOWS\TEMP\15848000.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
O21 - SSODL: Wizfmmp - {50F823A6-FA52-890C-9518-8A2C721214A5} - C:\WINDOWS\system32\jip.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4321 bytes


Re: Help please with a virus

Post by Belahzur on 22nd December 2008, 9:22 pm

Hello.


  • Open Hijack This.
  • Press "Do a system scan only"
  • Check the boxes in front of these lines.

    R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [brastk] brastk.exe
    O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Danny Y\lsass.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunOnce: [tdss] C:\WINDOWS\TEMP\15848000.exe
    O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
    O21 - SSODL: Wizfmmp - {50F823A6-FA52-890C-9518-8A2C721214A5} - C:\WINDOWS\system32\jip.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

  • Press "Fix Checked"
  • Close Hijack This.



1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Files to delete:
C:\Documents and Settings\Danny Y\lsass.exe
C:\WINDOWS\system32\karna.dat
C:\WINDOWS\system32\jip.dll
C:\WINDOWS\TEMP\15848000.exe
C:\WINDOWS\system32\brastk.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


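The lines picked out above from the opening post's log follow a few recognisable patterns: a second lsass.exe living in a user profile folder, an autorun entry given as a bare file name, a RunOnce entry pointing into TEMP, a populated AppInit_DLLs value, and SSODL objects with random names. As an added example that is not part of this thread and not a HijackThis feature, the script below applies those patterns to lines copied from the logs posted here; the rule names, severities and SAMPLE_LOG are my own construction.

```python
"""Triage a HijackThis (HJT) log for the entry types that carried the infection
in this thread.  Heuristics only: a hit is a lead for a person to check."""
import re
from dataclasses import dataclass
from ntpath import basename, dirname  # Windows path rules on any host

SYSTEM32 = "c:\\windows\\system32"
# Core Windows binaries that legitimately run only from %SystemRoot%\system32.
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe", "spoolsv.exe"}
TEMP_MARKERS = ("\\windows\\temp\\", "\\local settings\\temp\\")
O4_RE = re.compile(r"^O4 - .+?: \[[^\]]*\] (?P<cmd>.+)$")
O2X_RE = re.compile(r"^O2[12] - \w+: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
PATH_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|bat|cmd|scr|dat))"?', re.I)
DLL_RE = re.compile(r'"?(?P<dll>[^",]+\.dll)', re.I)

# Constructed sample: lines copied from the two HJT logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\brastk.exe
C:\Documents and Settings\Danny Y\lsass.exe

O4 - HKLM\..\Run: [brastk] brastk.exe
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Danny Y\lsass.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\RunOnce: [tdss] C:\WINDOWS\TEMP\15848000.exe
O4 - HKLM\..\Run: [CPM53cb1096] Rundll32.exe "c:\windows\system32\gomuliwe.dll",a
O20 - AppInit_DLLs: C:\WINDOWS\system32\karna.dat
O21 - SSODL: Wizfmmp - {50F823A6-FA52-890C-9518-8A2C721214A5} - C:\WINDOWS\system32\jip.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
"""

@dataclass(frozen=True)
class Finding:
    rule: str      # short rule id
    item: str      # path or value the rule fired on
    severity: str  # high / medium / low
    line: str      # the HJT line, so the analyst can find it again

def command_target(cmd: str) -> str:
    """The executable an O4 entry starts, or the DLL it hands to rundll32."""
    m = PATH_RE.match(cmd)
    target = m.group("path") if m else cmd.split()[0]
    if basename(target).lower() == "rundll32.exe":
        d = DLL_RE.search(cmd[m.end():] if m else cmd)
        if d:
            target = d.group("dll")
    return target

def check_binary(path: str, line: str) -> list:
    """Rules for any on-disk path: the process list and O4 targets."""
    name, folder = basename(path).lower(), dirname(path).lower()
    out = []
    if name in SYSTEM_ONLY and folder != SYSTEM32:
        out.append(Finding("masquerade", path, "high", line))      # look-alike lsass.exe
    if folder == "":
        out.append(Finding("bare-filename", path, "medium", line))  # resolved via PATH
    if any(marker in path.lower() for marker in TEMP_MARKERS):
        out.append(Finding("temp-autorun", path, "high", line))
    return out

def triage(log_text: str) -> list:
    """Return every Finding for the HJT log text, in log order."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                findings += check_binary(line, line)
                continue
            in_processes = False  # blank line ends the process list
        if m := O4_RE.match(line):
            target = command_target(m.group("cmd"))
            findings += check_binary(target, line)
            if target.lower().endswith(".dll"):
                findings.append(Finding("rundll32-dll", target, "medium", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Every DLL listed here is mapped into each process that loads user32.dll.
            for dll in line.split(":", 1)[1].split(","):
                if dll.strip():
                    findings.append(Finding("appinit-dll", dll.strip(), "high", line))
        elif m := O2X_RE.match(line):
            # SSODL / SharedTaskScheduler objects are loaded by explorer.exe at logon.
            findings.append(Finding("shell-load-point", m.group("path"), "medium", line))
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            item = line.rsplit(" - ", 1)[-1].removesuffix(" (file missing)")
            findings.append(Finding("orphan-service", item, "low", line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule:16} {f.item}")
```

The legitimate DAEMON Tools and dumprep entries in the sample produce no finding, which is the point of keying on location and load point rather than on unfamiliar names alone.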

Re: Help please with a virus

Post by t1123d on 22nd December 2008, 9:39 pm

Hello. I've deleted the items in HijackThis but I cannot download The Avenger through the given link. When I click it, it says failed to connect. Sorry about the edit.


Re: Help please with a virus

Post by Belahzur on 22nd December 2008, 9:41 pm

Hello.
Download from here:
[You must be registered and logged in to see this link.]



Re: Help please with a virus

Post by t1123d on 22nd December 2008, 9:49 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSpqlt.sys
Driver disabled successfully.

Rootkit scan completed.

File "C:\Documents and Settings\Danny Y\lsass.exe" deleted successfully.
File "C:\WINDOWS\system32\karna.dat" deleted successfully.
File "C:\WINDOWS\system32\jip.dll" deleted successfully.
File "C:\WINDOWS\TEMP\15848000.exe" deleted successfully.
File "C:\WINDOWS\system32\brastk.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Thank you so much!


Re: Help please with a virus

Post by Belahzur on 22nd December 2008, 9:53 pm

Hello.
The rootkit has been disabled.


  • Download combofix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Help please with a virus

Post by t1123d on 22nd December 2008, 11:37 pm

Hello. After using ComboFix, my computer is stuck at a black screen and I can't see any icons or the taskbar. I'm using another computer to post right now.


Re: Help please with a virus

Post by Belahzur on 22nd December 2008, 11:39 pm

It refuses to boot?
Darn.

Does it say why? Like a file missing or something?



Re: Help please with a virus

Post by t1123d on 22nd December 2008, 11:48 pm

It doesn't say anything at all. After it loads the welcome screen it takes me to a black screen that's empty except for the mouse.


Re: Help please with a virus

Post by Belahzur on 22nd December 2008, 11:52 pm

Ah.
So it does boot, we might be able to do something.
Press alt + ctrl + del twice to open the Task Manager.

Press the "Applications" tab and press the "New Task..." button at the bottom of the window.
Type in "explorer" and press "Okay"

Do your icons and other stuff load now?



Re: Help please with a virus

Post by t1123d on 22nd December 2008, 11:57 pm

Ok. I will try that immediately when I get to my computer. I had to resort to going to a friend's house to use his computer.


Re: Help please with a virus

Post by Belahzur on 23rd December 2008, 12:00 am

Sorry about that, but I wasn't expecting this either.
We disabled the big problem with no damage, but removing leftovers does this?

If it's not explorer, it may be something else.



Re: Help please with a virus

Post by t1123d on 23rd December 2008, 4:47 am

Good evening. So I've tried ctrl + alt + del and new task but it says explorer.exe cannot be found. Any suggestions?


Re: Help please with a virus

Post by Belahzur on 23rd December 2008, 2:27 pm

Explorer.exe may have been trashed when CF was run.
Open the Task Manager again.
Look on the "processes" tab this time, locate explorer.exe and kill it.
Now go back to the "Applications" tab and try loading explorer again.

If that doesn't work
Start another new task, but this time, type this in:
sfc /scannow <== note the space between the c and /
Press okay.

Allow the system file protection to scan and it might replace a missing explorer.exe
Once it's done, reboot and try again.



Re: Help please with a virus

Post by t1123d on 23rd December 2008, 6:50 pm

I've tried the new task but it only shows the scan window briefly before it disappears. I don't think it has scanned the computer.


Re: Help please with a virus

Post by Belahzur on 23rd December 2008, 6:54 pm

Hello.
Will safe mode work?
Start tapping F8 after the POST beep to access the advanced menu and boot to "Safe Mode"
Does explorer work in safe mode?



Re: Help please with a virus

Post by t1123d on 24th December 2008, 6:07 am

No, explorer in safe mode doesn't work either. Although, after I tapped F8 there were a lot more options than usual, such as reboot and return to last known good configuration.


Last edited by t1123d on 24th December 2008, 6:19 am; edited 1 time in total (Reason for editing : more information)


Re: Help please with a virus

Post by Belahzur on 24th December 2008, 1:35 pm

Ah, good.
Do the F8 boot again, but choose the last known good configuration.
See what happens.



Re: Help please with a virus

Post by t1123d on 24th December 2008, 5:51 pm

Ok. I've tried the last known good configuration and there's no difference.


Re: Help please with a virus

Post by Belahzur on 24th December 2008, 7:24 pm

Hello.
Do you have your XP disc?



Re: Help please with a virus

Post by t1123d on 24th December 2008, 8:24 pm

No I do not.


Re: Help please with a virus

Post by Belahzur on 24th December 2008, 8:58 pm

Hold tight, having a colleague looking at this.



Re: Help please with a virus

Post by t1123d on 24th December 2008, 10:54 pm

Ok, thank you very much.


Re: Help please with a virus

Post by Belahzur on 26th December 2008, 1:35 am

Hello.
Sorry for the delay, but most of the staff are offline with it being Christmas.
Another idea.

Open the Task Manager again, and launch this new task.
regedit
This should open the registry editor.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

Locate the Winlogon key by following the key path above, then once you have located it, click it and on the right side pane, have a look at the value of "Shell"
Is it "explorer.exe"?



Re: Help please with a virus

Post by t1123d on 26th December 2008, 5:30 am

Hello. I'm very sorry that this problem had to stretch out through Christmas. Yes, the data for shell is Explorer.exe.


Re: Help please with a virus

Post by Belahzur on 26th December 2008, 12:43 pm

Okay.
Let's try this.
Reboot your computer, after the beep, start tapping the F12 key.
This should open an advanced menu, and will have a few choices.

Select "Internal Hardrive" and it will boot normally from using this option, does explorer work now?



Re: Help please with a virus

Post by t1123d on 26th December 2008, 6:36 pm

For some reason the F12 key opens up a different menu with last known configuration on it.


Here's another log from HijackThis if it helps:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:13, on 2008-12-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Danny Y\Desktop\hijackgpthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
O2 - BHO: (no name) - {ee66d157-7fe2-4cef-8f34-f1ad99ba6849} - C:\WINDOWS\system32\yabajuku.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF3653.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [CPM53cb1096] Rundll32.exe "c:\windows\system32\gomuliwe.dll",a
O4 - HKLM\..\Run: [yojefuyoki] Rundll32.exe "C:\WINDOWS\system32\tuligudo.dll",s
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF3653.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - AppInit_DLLs: c:\windows\system32\gomuliwe.dll,C:\WINDOWS\system32\jinuyeju.dll,C:\WINDOWS\system32\boluvuza.dll
O21 - SSODL: Wizfmmp - {50F823A6-FA52-890C-9518-8A2C721214A5} - C:\WINDOWS\system32\jip.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gomuliwe.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gomuliwe.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

--
End of file - 4241 bytes


Last edited by t1123d on 28th December 2008, 4:15 am; edited 2 times in total (Reason for editing : mistake/more info)


Re: Help please with a virus

Post by t1123d on 28th December 2008, 7:00 am

Also, there is no My Computer icon.


Re: Help please with a virus

Post by Belahzur on 28th December 2008, 1:28 pm

We can restore the My Computer icon.
Let's use MBAM this time.


  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Help please with a virus

Post by Doctor Inferno on 8th February 2009, 9:32 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

