Huge virus/spyware infection

Status
Not open for further replies.

khalilcs

I opened a crack site and got a huge virus/spyware infection that started installing programs like the Yahoo toolbar, blocked my Task Manager, and changed my desktop to a blue screen saying "you've got spyware"..... man, what a nightmare.

I ran most of the Viruses/Spyware/Malware preliminary removal instructions and my computer is back to a usable level, but I'm still infected, as I can see strange programs running in Task Manager (kzqneboh.exe, brctren.exe, ihgdkbkn.exe, and others...).

I have attached the HJT log and the ComboFix log; I don't have the AVG log because my trial version expired...

I appreciate SO much anyone looking at my problem and trying to help me!!! God bless you!
 
I JUST ran a Malwarebytes' Anti-Malware scan and clean-up, so I'm adding the log here.

I'm also going to add an HJT log after this scan and clean-up.

PLEASE, somebody take a look at my logs; I really need expert help :blackeye:
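The process names quoted above (kzqneboh.exe, brctren.exe, ihgdkbkn.exe) and the file, folder and Run-key names that turn up later in this thread (ogxtsepr.dll, yayaAtQJ.dll, qxmlujsr, pucfsdxf, Kb4SsFlfXg) share the traits of machine-generated names: few vowels, long consonant runs, rare letters in odd places, capitals in the middle of the stem. The script below is an added example, not code from any tool discussed in this thread; it scores names on those traits over a constructed sample made of the thread's names plus a few known-good Windows XP binaries as controls. The thresholds, the allowlist and the control names are assumptions.

```python
"""Score process / autorun names for the traits of machine-generated malware names.

Added example for this thread, not code from any of the tools discussed.
Constructed input: the names quoted in the thread plus a few known-good
Windows XP binaries as controls. Thresholds and the allowlist are assumptions.
"""
import os
import re
from dataclasses import dataclass

VOWELS = set("aeiou")
RARE = set("jqxz")

# Assumption: legitimate XP-era binaries whose short, consonant-heavy names
# would otherwise trip the heuristic (svchost, ctfmon). A real deployment
# needs a fuller allowlist; the heuristic is a triage aid, not a verdict.
KNOWN_GOOD = frozenset({"explorer", "svchost", "ctfmon", "lsass", "csrss", "winlogon", "spoolsv"})


@dataclass
class Verdict:
    name: str
    stem: str
    vowel_ratio: float
    max_consonant_run: int
    rare_letters: bool
    mixed_case: bool
    score: int
    flagged: bool


def _stem(name: str) -> str:
    """'C:\\WINDOWS\\system32\\yayaAtQJ.dll.vir' -> 'yayaAtQJ'."""
    base = os.path.basename(name.replace("\\", "/"))
    return base.split(".", 1)[0]


def analyze(name: str, allowlist=KNOWN_GOOD) -> Verdict:
    stem = _stem(name)
    letters = re.sub(r"[^a-z]", "", stem.lower())      # letters only: Kb4SsFlfXg -> kbssflfxg
    vowels = sum(1 for c in letters if c in VOWELS)
    ratio = vowels / len(letters) if letters else 0.0
    max_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    # 'q' not followed by 'u', or two or more of j/q/x/z, is rare in real names.
    rare = bool(re.search(r"q(?!u)", letters)) or sum(c in RARE for c in letters) >= 2
    # Capitals inside the stem, as in yayaAtQJ and Kb4SsFlfXg from this thread.
    mixed = any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)
    score = int(ratio < 0.3) + int(max_run >= 4) + int(rare) + int(mixed)
    flagged = stem.lower() not in allowlist and score >= 2
    return Verdict(name, stem, round(ratio, 3), max_run, rare, mixed, score, flagged)


def triage(names):
    """Return the names that need a closer look, in input order."""
    return [n for n in names if analyze(n).flagged]


# Constructed sample: process names, file paths and Run-key value names from
# the thread, mixed with known-good and unknown-but-plausible controls.
SAMPLE = [
    "kzqneboh.exe", "brctren.exe", "ihgdkbkn.exe",
    r"C:\WINDOWS\ogxtsepr.dll", r"C:\WINDOWS\system32\yayaAtQJ.dll.vir",
    "qxmlujsr", "pucfsdxf", "Kb4SsFlfXg",
    "explorer.exe", "svchost.exe", "ctfmon.exe", "fraps.exe", "mirc.exe", "OTMoveIt2.exe",
]

if __name__ == "__main__":
    for v in map(analyze, SAMPLE):
        mark = "FLAG" if v.flagged else "    "
        print(f"{mark} score={v.score} vowels={v.vowel_ratio:.2f} run={v.max_consonant_run} {v.name}")
```

Every name from the thread's logs scores 2 or more and is flagged; svchost.exe also scores 2, which is exactly why the allowlist exists, and unknown but ordinary names (fraps, mirc, OTMoveIt2) stay below the threshold. Use the output to decide what to look up in the HJT or ComboFix log, not as proof of infection.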
 
Having no firewall and an out-of-date Java are almost guaranteed to get you infected. Let's secure these first.

You aren't running firewall software. Please download and install one of these first!

Use a Firewall - It is very important that you use a firewall on your computer. If you use the Windows Firewall you might think that's enough, but it only controls inbound traffic. Simply using a firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
Comodo
Kerio
Online Armor
Zonealarm
-----------------------------------------------------------------------------------------------------------


Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
  • After it installs the newest version, go back to Control Panel -> Add/Remove Programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions:
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to the terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05
    folder
------------------------------------------------------------------------------------------------------

CFScript

Open Notepad and copy/paste the text in the code box below into it.
NOTE: make sure to highlight and copy only what is inside the quote box, nothing outside it.
Also ..

Pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).
File::
C:\WINDOWS\ogxtsepr.dll
C:\WINDOWS\system32\ihgdkbkn.exe
C:\WINDOWS\system32\yayaAtQJ.dll.vir

Folder::
C:\Documents and Settings\All Users\Application Data\qxmlujsr

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pucfsdxf"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"Kb4SsFlfXg"=-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a fresh HJT log.
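The CFScript format above is plain text: a section header such as File::, Folder:: or Registry:: followed by one entry per line, with registry values written in .reg syntax ("ValueName"=- deletes that value rather than the whole key). The script below is an added example, not ComboFix's own code: it rebuilds the script posted above from its entries and checks the rule emphasised there, that the first line is a section header with no blank line above it and no leading space. It assumes that any of the three headers used in this thread may come first (the second script in this thread starts with Folder::); that assumption and the path/registry syntax checks are mine, not ComboFix's documented behaviour.

```python
"""Build and sanity-check a ComboFix CFScript.

Added example for this thread, not ComboFix's own code. It covers the three
section headers used here (File::, Folder::, Registry::) and enforces the
rule stated above: the first line is a section header with no blank line
above it and no leading space. Assumption: any of the three headers is
accepted on the first line, which is how the second script in this thread
(starting with Folder::) is written.
"""
import re

SECTIONS = ("File::", "Folder::", "Registry::")
_REG_KEY = re.compile(r"^\[HKEY_[A-Z_]+\\.+\]$")
_REG_DEL = re.compile(r'^"[^"]+"=-$')          # .reg syntax: "ValueName"=- deletes the value
_WIN_PATH = re.compile(r"^[A-Za-z]:\\")        # absolute path, e.g. C:\WINDOWS\...


def build_cfscript(files=(), folders=(), registry=()):
    """registry is a sequence of (key, [value names]) pairs; each value is
    emitted as "name"=- so the value, not the whole key, is removed."""
    blocks = []
    if files:
        blocks.append("\n".join(("File::", *files)))
    if folders:
        blocks.append("\n".join(("Folder::", *folders)))
    if registry:
        lines = ["Registry::"]
        for key, values in registry:
            lines.append(f"[{key}]")
            lines.extend(f'"{v}"=-' for v in values)
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def validate_cfscript(text):
    """Return a list of problems; an empty list means the script looks sane."""
    problems = []
    lines = text.replace("\r\n", "\n").split("\n")
    first = lines[0] if lines else ""
    if first != first.lstrip():
        problems.append("line 1 has leading whitespace")
    if first.strip() not in SECTIONS:
        problems.append("line 1 is not a section header (File::, Folder:: or Registry::)")
    section = None
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        if line.strip() in SECTIONS:
            section = line.strip()
            continue
        if section is None:
            problems.append(f"line {n}: entry before any section header")
        elif section == "Registry::":
            if not (_REG_KEY.match(line) or _REG_DEL.match(line)):
                problems.append(f"line {n}: expected [key] or \"name\"=-")
        elif not _WIN_PATH.match(line):
            problems.append(f"line {n}: expected an absolute Windows path")
    return problems


# The first script posted in this thread, rebuilt from its entries.
SCRIPT_FROM_THREAD = build_cfscript(
    files=[
        r"C:\WINDOWS\ogxtsepr.dll",
        r"C:\WINDOWS\system32\ihgdkbkn.exe",
        r"C:\WINDOWS\system32\yayaAtQJ.dll.vir",
    ],
    folders=[r"C:\Documents and Settings\All Users\Application Data\qxmlujsr"],
    registry=[
        (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", ["pucfsdxf"]),
        (r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run", ["Kb4SsFlfXg"]),
    ],
)

if __name__ == "__main__":
    print(SCRIPT_FROM_THREAD, end="")
    print("problems:", validate_cfscript(SCRIPT_FROM_THREAD) or "none")
```

Run it and paste the printed script into Notepad, or run validate_cfscript() over a file you typed by hand before dragging it onto ComboFix.exe; a stray blank line or space on line 1, or a path that is not absolute, is reported instead of silently producing a script that does nothing.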
 
Thank you so much for answering, Blind Dragon! :D

I did the following:

I installed the Online Armor firewall and updated my Java to Java 6 Update 5.

I did the CFScript and the ComboFix.

I'm pretty sure I did everything right.

Here are the logs.

Am I still infected?
 
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components:
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.

    How to prevent it from being recreated every time you run the AOL software:
    • Open AOL
    • Go to Help on the toolbar
    • Select About AOL
    • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.



Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
OK, I uninstalled Viewpoint and ran ATF Cleaner.

I ran the Kaspersky Online AV Scanner and I'm attaching the log here.

Thank YOU VERY MUCH.
 
CFScript

Open Notepad and copy/paste the text in the code box below into it.
NOTE: make sure to highlight and copy only what is inside the quote box, nothing outside it.
Also ..

Pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).
Folder::
C:\Documents and Settings\Khalil San Martin\.housecall6.6\Quarantine
C:\Documents and Settings\Khalil San Martin\My Documents\WPatcherP5575987.rar
C:\Program Files\mIRC
D:\Fraps
D:\Install Programs\Fraps.v2.6.3.Build.4961.Retail [www.yahaa.org]
D:\Install Programs\Fraps.v2.6.3.Build.4961.Retail [www.yahaa.org]
D:\Install Programs\Fraps.v2.6.3.Build.4961.Retail [www.yahaa.org].rar
D:\Install Programs\WPatcherP5575987.rar
C:\Documents and Settings\Khalil San Martin\Local Settings\Application Data\Mozilla\Firefox\Profiles\y21n6r2f.default\Cache\7F7C1E07d0
C:\Documents and Settings\Khalil San Martin\Local Settings\Application Data\Mozilla\Firefox\Profiles\y21n6r2f.default\Cache\63329BDCd01

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a fresh HJT log.


Afterwards,

Clear Firefox cache
* Click Edit from the Mozilla menubar.
* Click Preferences... from the Edit menu.
* Expand the Advanced menu by clicking the plus sign.
* Click Cache.
* Click the Clear Cache button.


For Internet Explorer 7

* Click Start, click Control Panel, and then double-click Internet Options.
* On the General tab, click Delete... under Browsing History.
* Next to Temporary Internet Files, click Delete files, and then click OK.
* Next to Cookies, click Delete cookies, and then click OK.
* Next to History, click Delete history, and then click OK.
* Click the Close button.
* Click OK.
 
OK, I did the new ComboFix; here is the log.

I also did the clean-up for Firefox and Internet Explorer.

How are things looking?
 
Looking good from this end. How is your computer running? Any symptoms?


Let's secure the work we have done so far, then run one more Kaspersky scan and see if anything turns up.

Uninstall ComboFix
* Click START, then RUN
* Now type Combofix /u in the run box
* Make sure there's a space between Combofix and /u
* Then hit Enter.

The above procedure will:
* Delete ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveIt2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer (OTMoveIt2.exe) and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista, right-click OTMoveIt2 and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2

Set correct settings for files
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

Clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
Getting better. A lot of the same files are back, and the SmitfraudFix tool is still showing as installed; please go to the Anti-Spyware folder you made on your desktop and remove it.

Navigate to and delete these folders:
C:\Documents and Settings\Khalil San Martin\My Documents\WPatcherP5575987.rar
D:\Install Programs\Fraps.v2.6.3.Build.4961.Retail www.yahaa.org.rar
D:\Install Programs\WPatcherP5575987.rar


Then empty your Recycle Bin.

Afterwards, run one more Kaspersky scan and post a fresh HijackThis log.
 