Did 8 steps, help needed

By kishke
Jun 21, 2009
  1. Apparently I got infected with a virus yesterday.
    At the moment it seems to have spread all over the computer.
    I can't open Internet Explorer anymore (using Firefox at the moment); whenever I open Firefox I get an AVG warning about some script being blocked. For some reason there are always 1-2 iexplorer processes running; it doesn't matter if I shut them down, they keep popping back.
    It has gotten so bad that Windows DEP didn't let my computer load or even use the Task Manager because of the infection, until I logged on in safe mode and enabled them.
    While doing the 8 steps I had to use safe mode, because every time I ran SuperAntiSpyware in normal mode I got a blue screen.
    I added the needed files + my AVG safe mode scan log.

    I hope you can help me and I won't have to reinstall Windows or even format my computer.

    Help appreciated, Ben.

    Edit: I forgot to mention that something is blocking a few sites, like AVG, MBAM and SuperAntiSpyware; I couldn't get them updated.
    I can't access the AVG site on my computer, but on my brother's computer on the LAN it's possible. Also I couldn't get both programs from your site link, so I had to Google them.
  2. ChrisDown

    ChrisDown TS Rookie Posts: 125

    Okay, all of the following are malicious:

    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
    Your logs also show that some Windows files are infected, although as far as I can tell from the AVG log, it didn't quarantine them (for obvious reasons, they are critical system files).

    The first thing I would recommend doing would be to run ComboFix. Download ComboFix from here, and put it on your desktop, then rename it to something like ComboxxFix.exe so that it isn't picked up by malware. Then, open up notepad, and paste the following into it:

    Then save this as CFScript. Now, drag the file onto ComboFix, as shown below.


    Please do not click the window when ComboFix is running, as ComboFix has been known to stall on occasions if you do this.

    The next thing to do is to copy files from your Windows XP disc over to your /system32/ directory to replace the system files with viruses.

    The following files need to be replaced (if you can't find the files on your XP disc for some of them, still replace as many as you can):

    C:\WINDOWS\system32\dfrgfat.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\diskperf.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\dllcache\bootok.exe Virus found Win32/Virut Object was moved to Virus Vault.
    C:\WINDOWS\system32\dllcache\lpq.exe Virus found Win32/Virut Object was moved to Virus Vault.
    C:\WINDOWS\system32\dllcache\regwiz.exe Virus found Win32/Heur Object was moved to Virus Vault.
    C:\WINDOWS\system32\dpnsvr.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\esentutl.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\eudcedit.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\gpresult.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\lodctr.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\logman.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\mobsync.exe Virus found Win32/Virut Object was moved to Virus Vault.
    C:\WINDOWS\system32\mountvol.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\mqtgsvc.exe Virus found Win32/Virut Object was moved to Virus Vault.
    C:\WINDOWS\system32\nvsvc32.exe Virus found Win32/Heur Object was moved to Virus Vault.
    C:\WINDOWS\system32\odbcconf.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\osk.exe Virus found Win32/Virut 
    C:\WINDOWS\system32\powercfg.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\qappsrv.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\qwinsta.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\regsvr32.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\relog.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\route.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\shutdown.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\spoolsv.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\taskkill.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\tscon.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\tscupgrd.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\tskill.exe Virus found Win32/Heur 
    C:\WINDOWS\system32\WinFXDocObj.exe Virus found Win32/Heur 
    Also, you should redownload and reinstall both .NET frameworks 1 and 2, since they have infected files too.

    Once you have done this, would you please upload the ComboFix log for us to see? Thanks. :)
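    As an added illustration (not part of the thread or of any poster's instructions): a small script that parses AVG log lines of the shape quoted above and, after the copy-from-disc step, checks each flagged file against its clean copy by hash, so you can see which replacements actually took and which quarantined files were never put back. It assumes a directory of already-expanded clean files mirroring system32 (the XP disc itself stores most of them compressed as .ex_ under i386); the sample log lines are constructed, not the poster's log.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample in the shape of the AVG lines quoted above (not the poster's actual log).
SAMPLE_AVG_LOG = """\
C:\\WINDOWS\\system32\\dfrgfat.exe Virus found Win32/Heur
C:\\WINDOWS\\system32\\dllcache\\bootok.exe Virus found Win32/Virut Object was moved to Virus Vault.
C:\\WINDOWS\\system32\\osk.exe Virus found Win32/Virut
"""

LINE_RE = re.compile(r"^(?P<path>\S+) Virus found (?P<name>\S+)(?P<vault> Object was moved to Virus Vault\.)?$")

def parse_avg_log(text):
    """One record per detection: path, detection name, whether AVG moved it to the Vault."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"path": m.group("path"), "detection": m.group("name"),
                            "quarantined": m.group("vault") is not None})
    return records

def system32_relative(win_path):
    """'C:\\WINDOWS\\system32\\dllcache\\bootok.exe' -> Path('dllcache/bootok.exe')."""
    parts = re.split(r"\\system32\\", win_path, maxsplit=1, flags=re.IGNORECASE)
    rel = parts[1] if len(parts) == 2 else win_path.rsplit("\\", 1)[-1]
    return Path(*rel.split("\\"))

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_replacements(records, clean_dir, target_dir):
    """Per flagged file: 'ok' (hash matches clean copy), 'differs' (still not the clean file),
    'missing_clean' (no reference copy, so nothing to check) or 'missing_target' (quarantined
    and not yet put back). clean_dir is assumed to mirror system32 with expanded files."""
    results = {}
    for rec in records:
        rel = system32_relative(rec["path"])
        clean, target = Path(clean_dir) / rel, Path(target_dir) / rel
        if not clean.is_file():
            results[str(rel)] = "missing_clean"
        elif not target.is_file():
            results[str(rel)] = "missing_target"
        else:
            results[str(rel)] = "ok" if sha256_of(clean) == sha256_of(target) else "differs"
    return results
```

A 'differs' result after copying means the file was re-infected or the wrong version was copied, which is the check the poster's "replace as many as you can" step otherwise leaves to guesswork.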
  3. kishke

    kishke TS Rookie Topic Starter

    Thanks for the help, but I actually managed to fix the problem a few days ago.
    I thought you missed my thread because there was no reply.
    Apparently I had the reader_s virus, which is a very tricky one.
    I couldn't use ComboFix because it would just give an error about being infected when loaded (the virus infects every exe file it can reach).
    I tried reinstalling Windows to replace all the files; of course that didn't work, due to the virus settling in almost any other exe file on the system.

    Eventually I found somewhere about an antivirus called Dr.Web, which actually solved the problem really quickly, found all traces of the virus and healed the files.

    Again, thanks for your help.
Topic Status:
Not open for further replies.
