TechSpot

I have JS/PSYME and EXPLOIT viruses

By davidstl
Jul 10, 2007
  1. Dear Techspot,
    My computer is infected with the js/psyme and the exploit viruses. I tried to remove them with AVG antivirus and AVG antispy programs and also ran RemoveIt Pro with NO luck. If you can help rid my computer of these infections I'd appreciate it. I'll attach an AVG and HJT log for you to see.
    thank you,
    david
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Don't just do so yet. Please read the following.

    Very Important: Malware infections can possibly lead to identity theft, loss of funds from bank accounts, misuse of credit card information etc. Therefore I strongly encourage you to please read this thread HERE before deciding what course of action to take regarding your infection.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs, otherwise they will be ignored and/or removed.

    Also, please let me know the results of the AVG Antirootkit scan.


    Regards,
    Your friendly momok =)

    This thread is for the use of davidstl only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    JS\PSYME and EXPLOIT viruses

    Dear Momok,
    Okay, thanks. Give me an hour or so to run the tools and scan everything; and I will post another reply with my attachments. I can't quite remember how to put the logs and scan reports on my Desktop into the e-mail posting though.
    These two viruses are causing pop-ups and screen freezing, and automatically redirect your internet page to one of their choosing. It sucks.
    Thank you,
    davidstl
     
  4. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    JS\PSYME and EXPLOIT viruses

    Dear Momok, I am now sending you my fresh AVG spy scan results, my combofix results, and my HJT log. I ran all the tools, having opened all hidden files, and rebooting into safe mode, plus I remembered to rename HJT to analyze.exe, so I think I did this all correctly. Let me know if you see anything wrong.
    Thanks
    Davidstl
     
  5. momok

    momok TS Rookie Posts: 2,265

    Hi,

    However I noticed that your AVG log displays 'No Action Taken' for all the files detected.
    I require you to run AVG again and quarantine the files. Pictorial instructions HERE.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE
    Next turn on "Show all files and folders, including hidden and system". See how HERE

    1. Please run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

      Close HJT.

    2. Navigate in Windows Explorer and delete the following files and folders in bold.

      C:\DOCUME~1\THECUR~1\Application Data\Viewpoint
      C:\DOCUME~1\THECUR~1\Application Data\iconcache.db
      C:\DOCUME~1\THECUR~1\Application Data\dcbc2a71-70d8-4dan-ehr8-e0d61dea3fdf.ini

    3. Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

     
  6. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    JS\PSYME and EXPLOIT viruses

    Dear Momok, Okay, I have followed your instructions and I am posting the fresh logs and scan reports; and I removed the 3 BOLD entries, they are in my Recycle Bin.
    Davidstl
     
  7. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You are still running an outdated version of HijackThis.
    You can obtain the latest version from the link in my signature.

    Your logs look clean. Post a new HijackThis log, then kitty500cat will provide you some final cleaning instructions. I'll be going overseas now, sorry for the inconvenience caused.

    Regards,
    Your friendly momok =)

     
  8. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    JS\PSYME and EXPLOIT viruses

    Dear Momok or Kitty500cat,
    I am sending you the updated HJT log. And thank you. My system seems free and clear of threats. I think the SmitFraud, ComboFix, and the other tools provided must have done the trick. Thank you for your support especially with the HJT stuff.
    Davidstl
     
  9. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Run HijackThis and do a system scan. Place a check in the box next to the following entries (if there):

    O4 - HKUS\S-1-5-18\..\Run: [Microsoft Updates] wkssvr.exe (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [Microsoft Updates] wkssvr.exe (User 'Default user')

    Click the Fix Checked button. After it's done fixing, close HJT.

    In Windows Explorer, turn on "show all files and folders, including hidden and system." See how HERE.

    Search your system for the filename wkssvr.exe and then post here all the locations where it was found.

    Regards :)

    This thread is for the use of davidstl only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
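
An added example, not part of any post in this thread and not HijackThis's own code: a small Python triage of O4 (Run key) lines like the two quoted above, flagging entries that launch a bare file name with no path or whose name sits close to a genuine Windows file. The first sample line, the allow-list and the 0.8 similarity threshold are assumptions made for the illustration.

```python
import ntpath
import re
from difflib import SequenceMatcher

# Constructed sample: one ordinary entry plus the two O4 lines quoted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Updates] wkssvr.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Updates] wkssvr.exe (User 'Default user')
"""

# Assumption: a short allow-list of genuine Windows file names to compare against.
KNOWN_SYSTEM_FILES = ["wkssvc.dll", "svchost.exe", "services.exe", "lsass.exe"]

O4_RE = re.compile(
    r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$")

def executable_of(cmd):
    """Program part of a Run command (unquoted paths with spaces are not handled)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def lookalike(filename):
    """Known system file whose stem is similar to, but not equal to, this one."""
    stem = ntpath.splitext(filename.lower())[0]
    for known in KNOWN_SYSTEM_FILES:
        known_stem = ntpath.splitext(known)[0]
        ratio = SequenceMatcher(None, stem, known_stem).ratio()
        if stem != known_stem and ratio >= 0.8:
            return known
    return None

def review_o4(log_text):
    """Return (key, value name, executable, reasons) for each O4 line worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m["cmd"])
        reasons = []
        if not ntpath.dirname(exe):
            reasons.append("no path: resolved via search path")
        near = lookalike(ntpath.basename(exe))
        if near:
            reasons.append(f"name resembles {near}")
        if reasons:
            findings.append((m["key"], m["name"], exe, reasons))
    return findings
```

A flagged line is only a prompt to locate the file and check it; the heuristics do not decide whether an entry is malicious.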
     
  10. davidstl

    davidstl TS Rookie Topic Starter Posts: 94

    JS\PSYME and EXPLOIT viruses

    Dear kitty500cat, thanks. Why did I FIX those two items? What were they? And the only thing my system found even close to wkssvr.exe was a file: wkssvc.dll. Is this anything to be concerned about? There were 7 files with wkssvc.dll in it.
    thanks,
    davidstl
     
Topic Status:
Not open for further replies.
