TechSpot

My hijackthis log; also need help with something called disk knight

By needhelphere
Nov 6, 2007
  1. my hijackthis log file is attached or should be attached..

    i would also like to get some help on the following:

    1. "TAGA LIPA ARE" appears on my internet explorer, how do I remove it?

    2. Once in a while I see a Disk Knight appearing in my task manager, it even installed itself and I removed it by using Add/Remove programs in Control Panel but I think it's still in my computer.

    3. I also get problems during startup, I get a pop up error message about svchost.exe, then I click Ok and my computer seems to be working fine, except for these 4 problems included in this message.

    Would appreciate any help. Thank you.
     
  2. Rik

    Rik Banned Posts: 3,814

    Hi needhelphere and welcome to TechSpot.:wave:

    You need to have a read of this - If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

    Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, Combofix, and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.
    We also need to know the result of Panda Antirootkit.


    This thread is for the use of needhelphere only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Download this TOOL. Extract it and run the Noob_kill.

    Then, follow the rest of the instructions as given by rik.

    Regards Howard :wave: :wave:

    This thread is for the use of needhelphere only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. needhelphere

    needhelphere TS Rookie Topic Starter

    logs:

    first of all thank you..

    I've gotten rid of most of the bugs I think.. No more taga lipa on my explorer and I don't get the svchost.exe error message during startup anymore..

    anyway i've attached the logs..

    also, the Panda Antiroot Kit did not find anything.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Delete all files in AVG Antispyware quarantine.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:

    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :)

    This thread is for the use of needhelphere only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. needhelphere

    needhelphere TS Rookie Topic Starter

    new combofix and HJT logs

    the logs are attached
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please download Flash_Disinfector.exe by sUBs and save it to your desktop:
    Note: Please delete any existing copy of Flash Disinfector (if any) on your pc and download this one.

    * Double-click Flash_Disinfector.exe to run it.
    * Follow any prompts that may appear.
    * Wait until the program has finished scanning, then please exit the program.
    * Restart your computer and see if problem still persists.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O4 - HKLM\..\Policies\Explorer\Run: [PolicyRun] C:\WINDOWS\svchost.exe

    O16 - DPF: {4C833081-D026-4FF8-968F-7EAB660D2FBA} - http://www.andromedanet.com/media//tvants.cab

    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders (if there).

    C:\WINDOWS\svchost.exe
    C:\qoobox

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT and Combofix logs.

    Regards Howard :)

    This thread is for the use of needhelphere only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. needhelphere

    needhelphere TS Rookie Topic Starter

    okay

    i didn't find the svchost.exe in my drive c:\ however here are the logs..
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system has a very nasty and dangerous infection.

    I don't know if we're going to be able to remove this fully and you may end up having to reformat the system.

    Go and download and run Curerit.exe.

    Update the programme and run the scan.

    Let me know the results and post a fresh Combofix log.

    Regards Howard :)

    This thread is for the use of needhelphere only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  10. needhelphere

    needhelphere TS Rookie Topic Starter

    uh oh

    huh? oh no!! :( what do you mean? what kind of infection? it seems to be working alright...
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is infected with the W32/Agent-FOW infection. This is a flash drive infection and can be very difficult to get rid of.

    Lack of symptoms doesn't necessarily mean your system is clean and in this instance it isn't clean.

    Please run the Curerit.exe, then post a fresh Combofix log.

    Regards Howard :)

    This thread is for the use of needhelphere only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  12. needhelphere

    needhelphere TS Rookie Topic Starter

    latest

    here's the latest combofix log file
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Well, the infection is still there.

    I think we need to see if we can manually delete this bugger.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    krag.exe
    New Folder.exe
    New Document.exe
    ie.exe
    SCVVHSOT.exe
    RavMon.exe

    Close task manager.

    Click start/run and type regedit into the run box and hit the enter key.

    Navigate to the following regkeys and delete the bold portions.

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23c68e5e-0aac-11da-83a6-000e35d782f4}

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a254b40-6284-11dc-b18c-00014a1723ac}

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b606faf-b1b0-11db-857a-000e35d782f4}

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76f72344-a76e-11da-8480-00014a1723ac}

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{903e93c7-5a9e-11dc-b181-00014a1723ac}

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf6ab54e-f645-11da-8510-000e35d782f4}

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbed118e-19bb-11dc-b146-00014a1723ac}

    Close regedit.

    Search your system for the following files and delete them if found.

    krag.exe
    New Folder.exe
    New Document.exe
    ie.exe
    SCVVHSOT.exe
    RavMon.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh Combofix log.

    Regards Howard :)

    This thread is for the use of needhelphere only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
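    Added example, not part of the thread or of any tool it mentions: a read-only PowerShell audit of the indicators Howard names in posts 7 and 13 (the rogue C:\WINDOWS\svchost.exe, the six process names, and the MountPoints2 volume keys). It assumes PowerShell is available on the affected Windows host and only reports what it finds; it deletes nothing, so the manual steps above remain the cleanup.

```powershell
# Added example (not from the thread): read-only audit of the indicators
# named in posts 7 and 13. Assumes PowerShell on the affected Windows host.

# Process names post 13 says to end in Task Manager.
$suspicious = @('krag.exe', 'New Folder.exe', 'New Document.exe',
                'ie.exe', 'SCVVHSOT.exe', 'RavMon.exe')
$system32 = Join-Path $env:SystemRoot 'system32'
$findings = @()

# 1. Running processes: names from the list, plus any svchost.exe whose image
#    is not under %SystemRoot%\system32 (the rogue copy in post 7 sat in C:\WINDOWS).
foreach ($p in Get-Process) {
    $exe  = "$($p.Name).exe"
    $path = $p.Path          # $null for protected or system pseudo-processes
    if ($suspicious -contains $exe) {
        $findings += "[PROCESS] $exe (PID $($p.Id)) path=$path"
    }
    if ($exe -ieq 'svchost.exe' -and $path -and
        -not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += "[PROCESS] svchost.exe outside system32: $path (PID $($p.Id))"
    }
}

# 2. The rogue file location from post 7 (the real svchost.exe lives in system32).
$rogue = Join-Path $env:SystemRoot 'svchost.exe'
if (Test-Path $rogue) { $findings += "[FILE] $rogue exists" }

# 3. MountPoints2 keys (one per volume GUID, like those listed in post 13).
#    A Shell\AutoRun\command or Shell\open\command value under one of them is
#    what makes Explorer launch a program when the drive is double-clicked,
#    so those are the entries worth reading before deleting anything.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
foreach ($key in Get-ChildItem $mp -ErrorAction SilentlyContinue) {
    foreach ($verb in 'AutoRun', 'open', 'explore') {
        $cmdKey = Join-Path $key.PSPath "Shell\$verb\command"
        $cmd = Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.'(default)') {
            $findings += "[REG] $($key.PSChildName) Shell\$verb -> $($cmd.'(default)')"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the thread found.' } else { $findings }
```

    Run it from an elevated prompt before and after the manual steps; an empty result after cleanup, together with a clean Combofix log, is the confirmation the thread is looking for.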
     
  14. needhelphere

    needhelphere TS Rookie Topic Starter

    is that really scvvhsot.exe? or svchost.exe?
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It's really SCVVHSOT.exe and it's nasty.

    Your log file is now clean.

    Unless you're still having problems, you should be good to go.

    Delete the following folder.

    C:\qoobox

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of needhelphere only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  16. needhelphere

    needhelphere TS Rookie Topic Starter

    wow! thank you so much for the help! :D

    Yey! Thank you so much for the help!

    One last thing, which of the various anti-spyware, anti-virus programs I downloaded should I keep and which should I delete?
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Keep AVG Antivirus/CCleaner/SS&D/Ad-aware; get rid of the rest.

    I recommend you install a firewall programme.

    Zonealarm, Kerio or Comodo free firewall programmes.

    Regards Howard :)

    This thread is for the use of needhelphere only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
