I Need Help Getting Rid of a Virus!


Jamie4br
Hi, I recently downloaded a virus and I'm having a hard time getting rid of it. I have already taken the following steps to try and get rid of it.

1) I downloaded a free trial of Kaspersky Anti-Virus and ran it in safe mode.
2) Ran Ad-Aware.
3) Downloaded Spybot Search and Destroy and ran the program.

Any ideas?

Thanks
 
My desktop is constantly being changed to a blue background advertising anti-virus software, I get popups in my task bar saying I'm infected with a virus, pop-ups that look like windows security center saying that I'm infected, my task manager keeps restricting my access to it, etc...
 
At the top of the forum menu page (where you select the thread you want to read), there is a button at the top that says "New Thread". Click it and post away.
 
the message popping up in your taskbar. Type it into Google search and it will give you a link to download a small utility to remove it. This normally comes from crack sites if you don't have a proper antivirus. Happened to me before as well. :mad:
 
I followed the instructions on the link you gave me and attached the requested logs. Other than running a little slow (I think it's because of the extra programs I have running) my computer seems fine. Let's hope this is the case!
 

Attachments: AVG REPORT.txt
OK, a few things.

1) The items found in your AVG log say -> No action taken.

AVG AntiSpyware
  • Launch AVG AntiSpyware
  • Click on the Update Icon at the top, then click Start Update in the left pane
  • After the update, click on the Scanner Icon at the top, then select the Settings tab. In the first section, "How to act?", click on Recommended actions and change it to Delete. In the Reports section make sure it is set to Automatically generate report after every scan.
  • Click back to the Scan tab and select Complete System Scan.
  • Finally, after the scan, select the Infections Icon at the top, click Select All at the bottom, then finally Remove, also at the bottom.

2) Run Smitfraudfix
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

3) Run HijackThis from normal mode and attach a fresh log. Can you also run a fresh ComboFix after following the above and post that log?
 
Just so you know, you are/were infected with a keylogger. What is a keylogger?

It is a program that runs in the background, recording all the keystrokes. Once keystrokes are logged, they are hidden in the machine for later retrieval, or shipped raw to the attacker. The attacker then peruses them carefully in the hopes of either finding passwords, or possibly other useful information that could be used to compromise the system or be used in a social engineering attack. For example, a keylogger will reveal the contents of all e-mail composed by the user. Keylog programs are commonly included in rootkits and RATs (remote administration trojans).

You may want to read this thread: "Is your system infected? Read this before Cleaning or Formatting".

Let me know if you would still like to attempt to clean your system; there is no guarantee that we can find 100% of the infection.


If you decide that you would prefer to clean your system, please post a new ComboFix log.
 
It appears this is a fairly new infection, so please do the following:

Upload a File to VirusTotal
Please visit VirusTotal, found HERE.
  • Click the Browse... button
  • Navigate to the file C:\bhka.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.
 
Hmmmm, I can't seem to locate that file. I did a manual search and I did a search using the "find" tool. Any suggestions?
 
Go to Start, click Search, click All files and folders, and then click More advanced options. Click the check boxes to Search system folders and Search hidden files and folders.

In the search box for All or part of the file name, please type bhka.exe. It could also be under Wintel Update, so search for that as well. If you find the path, please use the same instructions to upload to VirusTotal.

If you cannot find either of them, then we just need to remove it from the registry. In this case just post a new HijackThis log.
 
Okay... I searched for both files (as per your instructions) and nothing came up. Here is my new HijackThis log.
 
OK, the file is gone; we just need to kill the startup entry.

Run HijackThis, select System Scan Only and put a check next to
O4 - HKCU\..\Run: [WintelUpdate] C:\bhka.exe

Select Fix Checked
--------------------------------------------------------------------------------------

Update your Java Runtime Environment
  • Click the following link
    Java Runtime Environment 6 Update 4
  • The 4th option down is the one you want
  • After the download locate and double click the installer jre-6u4-windows-i586-p-iftw.exe
  • Go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions, in your case Java 6 Update 3.

----------------------------------------------------------------------------------------------

Go to Start -> Run -> type in combofix /u
*note the space between
This will uninstall ComboFix:
*remove VundoFix backups
*remove quarantine files
*create a fresh clean restore point

Remove HijackThis from Start -> Control Panel -> Add/Remove Programs.
Remove the 3 tools from step 10 (SmitfraudFix, VundoFix, VirtumundoBeGone) by dragging them to the Recycle Bin.

I recommend you keep:
1 anti-virus program (AVG, not AVG Anti-Spyware)
1 firewall
Spybot S&D, Ad-Aware 2007, and AVG Anti-Spyware if you want, but the version we downloaded is a 30-day trial.

Keep them updated.

Turn back on your resident protection for your anti-virus

You can also turn on TeaTimer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon, also in the left pane
  • Check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close Spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.
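The O4 entry fixed above lives in the Windows Run registry keys. As an added example (not from this thread or from HijackThis), this read-only PowerShell script lists the per-user and per-machine Run entries and flags any whose target program no longer exists on disk, which is exactly the state the orphaned "WintelUpdate" -> C:\bhka.exe entry was in. It assumes PowerShell 3.0 or later on the machine being checked.

```powershell
# Added example: audit HKCU/HKLM Run keys (HijackThis O4 entries) and flag
# entries whose target executable is missing, like the orphaned C:\bhka.exe.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunTarget {
    # Pull the program path out of a Run value, whether it is quoted
    # ("C:\Some Dir\x.exe" /arg) or unquoted (C:\x.exe /arg). Arguments are dropped.
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $space = $cmd.IndexOf(' ')
    if ($space -gt 0) { return $cmd.Substring(0, $space) }
    return $cmd
}

function Get-RunKeyStatus {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }
        foreach ($p in $props) {
            $target   = Get-RunTarget -CommandLine ([string]$p.Value)
            $expanded = [Environment]::ExpandEnvironmentVariables($target)
            $exists   = Test-Path -LiteralPath $expanded
            # A bare name such as rundll32.exe is resolved through PATH, not as a literal path.
            if (-not $exists -and $expanded -notmatch '[\\/]') {
                $exists = [bool](Get-Command $expanded -ErrorAction SilentlyContinue)
            }
            $status = if ($exists) { 'present' } else { 'MISSING' }
            [pscustomobject]@{
                Hive    = $key.Split(':')[0]
                Name    = $p.Name
                Command = $p.Value
                Status  = $status
            }
        }
    }
}

# MISSING entries sort first; those are the candidates to remove, as with the O4 fix above.
Get-RunKeyStatus | Sort-Object Status, Hive, Name | Format-Table -AutoSize
```

A MISSING entry is a dead autostart reference worth removing, but a present entry is not necessarily clean; unfamiliar names should still be checked against a scanner or VirusTotal as the thread describes.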
 
Hi... I just remembered that I forgot to thank you for your help. You definitely saved the day. I was not looking forward to backing up 80 gigs of files and then reformatting my laptop!

Thanks again!
 
No problem. Is everything still going OK?

Also, Java 6 Update 5 just came out since we did this. This one can normally be done through the console.

Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update tab at the top
  • Click the Check for Updates button at the bottom
  • If it finds the newer version (Java 6 Update 5), follow the on-screen instructions
  • After it installs the newest version Go back to Control Panel -> Add/remove programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions:
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder
 
Everything seems to be going well. I haven't noticed any of the indications of the virus that were apparent when I was infected. I was even able to get rid of the Virtualmode virus that was on my work computer by myself... well I went over some forums and saw the various ways other people got rid of it. People always use my PC while I'm away at lunch and they must have opened something they weren't supposed to and decided not to tell me about it.

But a long story short... everything is looking good. I will update JAVA when I get home tonight.

Thanks again!
 
Hello again,
My girlfriend's computer seems to have a virus on it. Basically, I get the blue screen of death whenever I load Windows normally and in safe mode. I've downloaded Kaspersky Anti-Virus on her computer and have tried running it several times. Yet each time I run it, I get the BSOD. I'm assuming the BSOD has something to do with the malware.

The error message is:

DRIVER_IRQL_NOT_LESS_OR_EQUAL

I've also updated her driver for her network and video cards.

Any ideas?

Thanks again.
 
Usually crashes come from an SDBot variant infection. Or it's not related to malware.

If the computer has XP on it, try this; if it has Vista, let me know and we will try to find an alternative.

Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
 