My hijackthis log; also need help with something called disk knight


needhelphere

My HijackThis log file is attached, or should be attached.

I would also like to get some help on the following:

1. "TAGA LIPA ARE" appears on my Internet Explorer. How do I remove it?

2. Once in a while I see a Disk Knight appearing in my Task Manager. It even installed itself, and I removed it by using Add/Remove Programs in Control Panel, but I think it's still on my computer.

3. I also get problems during startup: I get a pop-up error message about svchost.exe, then I click OK and my computer seems to be working fine, except for these 4 problems included in this message.

Would appreciate any help. Thank you.
 
Hi needhelphere and welcome to TechSpot.:wave:

You need to have a read of this - If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, Combofix, and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.
We also need to know the result of Panda Antirootkit.


This thread is for the use of needhelphere only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Hello and welcome to Techspot.

Download this TOOL. Extract it and run the Noob_kill.

Then, follow the rest of the instructions as given by rik.

Regards Howard :wave: :wave:

 
Logs:

First of all, thank you.

I've gotten rid of most of the bugs, I think. No more TAGA LIPA on my Explorer, and I don't get the svchost.exe error message during startup anymore.

Anyway, I've attached the logs.

Also, the Panda Antirootkit did not find anything.
 
Delete all files in AVG Antispyware quarantine.

Open Notepad and copy/paste the text in the code box below into it.
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.

Pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).
Code:

File::
C:\WINDOWS\My Documents.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Knight.exe
C:\Documents and Settings\Jat\Application Data\wklnhst.dat
F:\SCVVHSOT.exe
F:\krag.exe

Folder::
C:\DOCUME~1\Jat\APPLIC~1\STOREF~1
C:\VundoFix Backups
C:\qoobox
C:\Documents and Settings\All Users\Application Data\Stupid Vc Soft Defy
C:\Documents and Settings\Jat\Application Data\Store first

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AASecuUFD"=-
"System File"=-
"Disk Knight"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mp3 send"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Disk Knight]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23c68e5e-0aac-11da-83a6-000e35d782f4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a254b40-6284-11dc-b18c-00014a1723ac}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b606faf-b1b0-11db-857a-000e35d782f4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76f72344-a76e-11da-8480-00014a1723ac}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7aa48229-a390-11db-8570-00014a1723ac}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{903e93c7-5a9e-11dc-b181-00014a1723ac}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf6ab54e-f645-11da-8510-000e35d782f4}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbed118e-19bb-11dc-b146-00014a1723ac}]

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

 
Please download Flash_Disinfector.exe by sUBs and save it to your desktop:
Note: Please delete any existing copy of Flash Disinfector (if any) on your PC and download this one.

* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* Wait until the program has finished scanning, then please exit the program.
* Restart your computer and see if problem still persists.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

O4 - HKLM\..\Policies\Explorer\Run: [PolicyRun] C:\WINDOWS\svchost.exe

O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} - http://www.andromedanet.com/media//tvants.cab

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or folders (if there).

C:\WINDOWS\svchost.exe
C:\qoobox

Reboot into normal mode and rehide your protected OS files.

Post fresh HJT and Combofix logs.

Regards Howard :)

 
Your system has a very nasty and dangerous infection.

I don't know if we're going to be able to remove this fully, and you may end up having to reformat the system.

Go and download and run CureIt.exe.

Update the programme and run the scan.

Let me know the results and post a fresh Combofix log.

Regards Howard :)

 
Your system is infected with the W32/Agent-FOW infection. This is a flash drive infection and can be very difficult to get rid of.

Lack of symptoms doesn't necessarily mean your system is clean, and in this instance it isn't clean.

Please run CureIt.exe, then post a fresh Combofix log.

Regards Howard :)

 
Well, the infection is still there.

I think we need to see if we can manually delete this bugger.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your Task Manager by holding down the Ctrl and Alt keys and pressing the Delete key.

Click on the Processes tab and end the process for each of the following (if there).

krag.exe
New Folder.exe
New Document.exe
ie.exe
SCVVHSOT.exe
RavMon.exe

Close Task Manager.

Click Start/Run, type regedit into the Run box and hit the Enter key.

Navigate to the following registry keys and delete the bold portions.

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23c68e5e-0aac-11da-83a6-000e35d782f4}

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a254b40-6284-11dc-b18c-00014a1723ac}

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b606faf-b1b0-11db-857a-000e35d782f4}

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76f72344-a76e-11da-8480-00014a1723ac}

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{903e93c7-5a9e-11dc-b181-00014a1723ac}

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf6ab54e-f645-11da-8510-000e35d782f4}

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbed118e-19bb-11dc-b146-00014a1723ac}

Close regedit.

Search your system for the following files and delete them if found.

krag.exe
New Folder.exe
New Document.exe
ie.exe
SCVVHSOT.exe
RavMon.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh Combofix log.

Regards Howard :)

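A read-only audit of the persistence points the manual removal steps above target (the Run and Policies\Explorer\Run values, the MountPoints2 volume keys, the named files and processes), as an added example that is not code from the thread or from Howard. It assumes PowerShell is available (it was not on the XP machines of this era by default), that the indicator names quoted in the thread are the ones of interest, and it reports findings without deleting anything.

```powershell
# Added audit script (not from the thread): reports the indicators Howard's
# instructions name; it never deletes. Names are taken from the thread.
$runValueNames = @('AASecuUFD', 'System File', 'Disk Knight', 'Mp3 send', 'PolicyRun')
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Files the thread names. A legitimate svchost.exe lives in System32, so a
# copy directly under the Windows directory is itself suspicious.
$suspectFiles = @(
    "$env:SystemRoot\svchost.exe", "$env:SystemRoot\Knight.exe",
    "$env:SystemRoot\My Documents.exe"
)
$suspectProcs = @('krag', 'SCVVHSOT', 'RavMon', 'ie', 'New Folder', 'New Document')

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValueNames) {
        if ($props.PSObject.Properties[$name]) {
            $findings += "Run value '$name' in $key -> $($props.$name)"
        }
    }
}
# MountPoints2 caches per-volume Explorer settings; a Shell\AutoRun\command
# subkey under a volume GUID is the autorun hook that flash-drive worms plant,
# which is why the removal script deletes those GUID keys.
$mp2 = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp2) {
    Get-ChildItem $mp2 | ForEach-Object {
        $cmd = Join-Path $_.PSPath 'Shell\AutoRun\command'
        if (Test-Path $cmd) {
            $target = (Get-ItemProperty $cmd).'(default)'
            $findings += "MountPoints2 autorun: $($_.PSChildName) -> $target"
        }
    }
}
foreach ($f in $suspectFiles) {
    if (Test-Path $f) { $findings += "File present: $f" }
}
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $suspectProcs -contains $_.ProcessName } |
    ForEach-Object { $findings += "Process running: $($_.ProcessName) (PID $($_.Id))" }

if ($findings.Count -eq 0) { 'No thread indicators found.' } else { $findings }
```

Run it before and after the removal steps; any MountPoints2 entry that still reports an autorun command points at a volume that will re-infect the machine the next time it is plugged in.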
 
It's really SCVVHSOT.exe and it's nasty.

Your log file is now clean.

Unless you're still having problems, you should be good to go.

Delete the following folder.

C:\qoobox

Turn off System Restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Wow! Thank you so much for the help! :D

Yay! Thank you so much for the help!

One last thing, which of the various anti-spyware, anti-virus programs I downloaded should I keep and which should I delete?
 