Kerespup's problems thread

By kerespup
Feb 24, 2007
Topic Status:
Not open for further replies.
  1. kerespup

    kerespup Newcomer, in training Topic Starter Posts: 52

    Here you go:
  2. momok

    momok Newcomer, in training Posts: 2,272

    Hi,

    Have HijackThis fix the following entries:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    Apart from that, your logs are clean.

    Delete all files in AVG Antispyware Quarantine folder.

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of kerespup only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. kerespup

    kerespup Newcomer, in training Topic Starter Posts: 52

    Internet Problem

    I don't know why but all of a sudden my internet is acting goofy.
    I'm using firefox. Just a while ago everything was fine.

    I can't seem to go to some websites anymore (actually most websites)

    wikipedia, gaiaonline, etc. The only sites I can seem to come on is this site and google.

    Here are my HiJackThis logs, both in Safe Mode and in Normal Mode.
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Your HJT log is clean.

    Run the Ccleaner programme as per step9 of this thread HERE and see if that helps.

    I also suggest you move HJT to the proper location as per this thread HERE.

    Regards Howard :)

    This thread is for the use of kerespup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  5. kerespup

    kerespup Newcomer, in training Topic Starter Posts: 52

    Already did the CCleaner deal.

    I'm using FireFox and it seems like it only goes up to the "Looking Up..." part. Not at all to the connecting or waiting. It always ends up with the Problem Loading Page.

    I've also noticed that when I open the task manager, CPU Usage spikes to 100% for some milliseconds. When look at it again and again. It doesn't spike anymore. But if I close it then open it again, it spikes to 100% once more for a few milliseconds.

    Also, even if I moved the HJT. Everything in the log is still the same.

    I ran my AVG, and this is all they could find and delete:
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Nothing nasty there.

    It`s important that you put HJT in the proper location, just for future reference.

    Post a Combofix log and I`ll take a look at it.

    Regards Howard :)

    This thread is for the use of kerespup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  7. kerespup

    kerespup Newcomer, in training Topic Starter Posts: 52

    Okay, before I start running Combofix. I ran that Panda Anti-Rootkit.

    it found some Unknown thing called LOGOOS.EXE

    in C:\WINDOWS\system32
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    LOGOOS.EXE is a modified ntsokernel file for modifying boot screens.

    Regards Howard :)
  9. kerespup

    kerespup Newcomer, in training Topic Starter Posts: 52

    Here's my combofix log, and still no improvement.
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh Combofix log.

    Regards Howard :)

    This thread is for the use of kerespup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  11. kerespup

    kerespup Newcomer, in training Topic Starter Posts: 52

    Okay, attached down below are my ComboFix and Avenger logs.

    One thing troubles me though. In the ComboFix log, it says something about files in drive F... but fact of the matter is... I don't have a drive F.
  12. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    You didn`t have any kind of usb flash drive attached did you? or perhaps a card reader with a card in it?

    Let me know, then we`ll sort it.

    Regards Howard :)
  13. kerespup

    kerespup Newcomer, in training Topic Starter Posts: 52

    For the past few days no.

    When I used all those stuff (scanning tools) no flash drives were attached.

    Though the printer is attached through a USB port. But there's no drive F in My Computer anywhere.
     
  14. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Ok, let`s do the following.

    After some research, it looks like your system is infected with a very nasty worm/virus.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type regedit into the run box and hit the enter key.

    Navigate to the following regkeys and delete them.

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a7f6dc3-d5a0-11db-8417-c9194954320d}]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a7f6dc7-d5a0-11db-8417-c9194954320d}]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{807ba0b0-194f-11dc-85a6-ce54ecde7b70}]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab097adb-01b9-11dc-8528-a0ba3cab1f3b}]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caf90d20-da0c-11db-842c-893c2c407a10}]

    Close regedit.

    Search your system for these files and dlete them if found.

    INFO.exe
    tel.xls.exe
    sxs.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh Combofix log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of kerespup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  15. kerespup

    kerespup Newcomer, in training Topic Starter Posts: 52

    Okay, here's the latest ComboFix one.

    Also, when I checked the Registry editor.

    In the MountPoints2 part... in the F part... it seems to have an _Autorun under it and
    under _Autorun is DefaultIcon which has some sort of file related to F:\USBNB.exe

    I also noticed that this started when I saw my "Connect To The Internet"'s icon saying that it has no firewall, but when I check the firewall, it's actually on. (It's showing that red X)

    Also, I was unable to find those files (not even 1 of those 3 files)
  16. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Your Combofix log is now clean.

    Download this TOOL. Extract it and run the Noob_kill.

    the USBNB.exe file appears to be legit, but why it`s running from there I don`t know. Kill it.

    Regards Howard :)

    This thread is for the use of kerespup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  17. kerespup

    kerespup Newcomer, in training Topic Starter Posts: 52

    "the USBNB.exe file appears to be legit, but why it`s running from there I don`t know. Kill it."

    How do I do that? There's no drive F.
  18. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    From regedit which is where you found it right?

    Regards Howard :)

    This thread is for the use of kerespup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  19. kerespup

    kerespup Newcomer, in training Topic Starter Posts: 52

    Bah, it's so hard to download since the pages won't load either. I can only download stuff from this site.
  20. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    That`s very odd, since your system looks clean. I`m afraid, I don`t know what`s causing your problem,.

    I suggest you start a new thread in our Storage and Networking forum.

    Regards Howard :)

    This thread is for the use of kerespup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  21. kerespup

    kerespup Newcomer, in training Topic Starter Posts: 52

    I've been searching around some places.

    Do you think I should use WinSockFix?
  22. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    That`s definitely a good idea. It certainly can`t do any harm.

    1.) Download WinsockFix.zip. (by: Option^Explicit)
    2.) UnZip WinsockFix.zip (Pay close attention to where the file is extracted to.)
    3.) Run WinsockFix.exe.
    4.) Click the Fix button.

    Regards Howard :)

    This thread is for the use of kerespup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  23. kerespup

    kerespup Newcomer, in training Topic Starter Posts: 52

    Awww... it's not working. Still getting those "Problem Loading Page".

    I'm going to try the Ctrl+R technique that my 13 year old sister is doing.

    How about LSP fix?

    Okay, I attached a new hjt log and a screenshot of an error that appeared.

    Also, I noticed when i tried opening an image in my documents with firefox/ie. Some weird: "Cannot be found" thing appeared, but when I cancelled it, it appeared on the browser anyways.

    Seems like that it only happens on the first try... When I put a URL in the Address Bar up there, and press enter. It won't load. But if I keep on Reloading it, it will eventually load. (Nothing -> Just Text -> With Images -> Fully Loaded). Usually on the 4th to 5th try.
  24. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +17

    Your HJT log is clean.

    That error message pic looks more like a Windows problem than anything else.

    Try doing a Windows repair as per this thread HERE and see if it helps.

    If it doesn`t, you really need to open a new thread in the appropriate forum.

    Regards Howard :)

    This thread is for the use of kerespup only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  25. kerespup

    kerespup Newcomer, in training Topic Starter Posts: 52

    Well, that error hasn't been appearing anymore.

    But when I do a ComboFix scan, this error appears: sed.cfexe.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.