TechSpot

My Pc's Infected With Vb.ckt Virus.. Pls Help!!!!

By sherwyn
Nov 12, 2007
  1. i ve infected by the vb.ckt virus.. i got it thru msn messenger.. waz chattin wit my frnd whn i suddenly got a link from him.. i clicked on it.. den he said he dint send it.. now i cant access run command, task manager, registry editor, cant change my home page(set to "thecoolpics" (the forum doesnt allow me to post links).. i can re-activate them but it keeps happening again.. avg detects vb.ckt virus in 6 different locations.. pls pls help me..
     
  2. evilfantasy

    evilfantasy Banned Posts: 428

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read this thread HERE and follow the instructions exactly. Post the requested log files once done.

    Regards

    This thread is for the use of sherwyn only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. sherwyn

    sherwyn TS Rookie Topic Starter

    HOWARD PLS HELP.. i went thru ur procedure.. now wht?

    i went thru howards entire procedure.. now how do i kno if the virus has bin removed? i cant attach the reports as the attach button s not workin.. please help me..
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Threads merged.

    In that case, copy and paste your log files and I`ll remove them once I`ve finished with them.

    Regards Howard :wave: :wave:

     
  5. sherwyn

    sherwyn TS Rookie Topic Starter

  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I see you have managed to attach some log files.

    However, you didn`t attach the AVG Antispyware log that was asked for, but instead attached a VBG.tx that wasn`t asked for. Nor did you let us know the results of the Panda Antirootkit scan. Also, you haven`t renamed HijackThis.exe as per the instructions.

    Unless you follow instructions properly, it`s just going to make it that much harder for us to help you effectively.

    Make sure you follow these instructions properly.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:



    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [​IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Make sure you rename HijackThis.exe.

    Also, post an AVG Antispyware log as well as the results of the Panda Antirootkit scan.

    Regards Howard :)

     
  7. sherwyn

    sherwyn TS Rookie Topic Starter

    Logs attached

    hi,
    i renamed hijackthis n posted the log file..
    i ve also attached the combofix log file..
    the panda software says no rootkits found & dint save a log the first time.. i ran it again jus to b sure..
    i could not save a log for avg anti-spyware since i had to run it in safe mode n some options wer out of the screen.. but it found 4 items n fixed all..
    wht do i do now?
    n dude thanks so much for the help.. really appreciate it man..
    sherwyn
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    svchost32.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\Run: [Yahoo Messenger] C:\WINDOWS\system\svchost32.exe

    O9 - Extra button: RadarSync Website - {29F02F90-D4AE-4c9a-82D2-D8DCDD507F33} - C:\Program Files\RadarSync\RadarSync Website.lnk

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or folders(if there).

    C:\WINDOWS\system\svchost32.exe
    C:\qoobox

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT and Combofix logs.

    Regards Howard :)

     
  9. sherwyn

    sherwyn TS Rookie Topic Starter

    hi

    hi,
    my account is the administrator.. wht to do?
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Use your normal account name.

    Regards Howard :)

     
  11. sherwyn

    sherwyn TS Rookie Topic Starter

    hi,
    i did as u said. whn i opened the processes tab under task manager, there were 3 files named svchost. when i clicked on end process, the shutting down in 1 min dialog box opened. so i stopped the shutdown and closed the remaining svchost's..
    then i ran hjt.
    O4 - HKLM\..\Run: [Yahoo Messenger] C:\WINDOWS\system\svchost32.exe wasnt detected.
    then i deleted qoobox but C:\WINDOWS\system\svchost32.exe wasnt present.
    i ve enclosed my hjt log & combo log.
    thanks,
    sherwyn.

    i still ve svchost running.. i also ve some more weird processes.. i ve attached a pic of my processes tab under task manager..
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You`ve posted your HJT log from safe mode. I need to see it from normal mode as per the instructions I gave you in my post#8

    Regards Howard :)

     
  13. sherwyn

    sherwyn TS Rookie Topic Starter

    sorry.. :)
    i ve attached the right one now.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    svchost32.exe

    Close task manager.

    Click start/run and type regedit into the run box and hit the enter key.

    Navigate to the following regkey and delete the bold portion.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messenger

    Close regedit.

    Locate and delete the following bold files and/or folders(if there).

    C:\WINDOWS\system\svchost32.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh Combofix log.

    Regards Howard :)

     
  15. sherwyn

    sherwyn TS Rookie Topic Starter

    hi,
    pc was shuttin down again when i tried ending svchost.
    there is no yahoo under run in registry editor..
    there is no file c:\.... svchost.exe..
    the copy of combofix which i downloaded has expired.. how can i get another 1?
    thanks,
    sherwyn
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    C:\WINDOWS\system\svchost32.exe Is the process you`re supposed to end if there, not svchost.exe, which is a legit process and is needed by your system.

    Delete all versions of Combofix and download the latest version from here. combofix.exe

    Regards Howard :)

    This thread is for the use of sherwyn only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
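
Added example, not part of the thread and not written by any of its posters: the svchost32.exe / svchost.exe mix-up above is a name-masquerade problem, and this sketch shows one way to triage HijackThis O4 autorun lines for it. The allow-list, the 0.8 similarity threshold and every sample line except the first are assumptions made for illustration.

```python
import difflib
import ntpath
import re

# Assumption for this example: a small allow-list of genuine Windows image
# names and the folder each one is expected to load from.
KNOWN_SYSTEM_IMAGES = {
    "svchost.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# HijackThis O4 line: O4 - <hive>\..\<Run key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")

def image_path(command):
    """Extract the executable path from a Run value (quoted or with arguments)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.I)
    return m.group(1) if m else command.split()[0]

def classify(line):
    """Return (value_name, path, verdict) for an O4 line, or None for other lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    value_name, path = m.group(3), image_path(m.group(4))
    folder, exe = ntpath.split(path.lower())
    for real, real_dir in KNOWN_SYSTEM_IMAGES.items():
        if exe == real:
            verdict = "expected" if folder == real_dir else f"{real} outside {real_dir}"
            return value_name, path, verdict
        # Near-miss names (svchost32.exe vs svchost.exe) are the masquerade case.
        if difflib.SequenceMatcher(None, exe, real).ratio() >= 0.8:
            return value_name, path, f"lookalike of {real}"
    return value_name, path, "unrelated"

SAMPLE_LOG = [  # first line is from the thread; the rest are constructed
    r"O4 - HKLM\..\Run: [Yahoo Messenger] C:\WINDOWS\system\svchost32.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Run: [Updater] C:\Temp\svchost.exe",
    r'O4 - HKLM\..\Run: [Example AV] "C:\Program Files\ExampleAV\avtray.exe" /startup',
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

A "lookalike" or "outside" verdict only marks an entry for review; the genuine svchost.exe instances stay untouched.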
     
  17. sherwyn

    sherwyn TS Rookie Topic Starter

    this version is out of date too..
    wht to do?
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I`ve just tried it and am getting the same results as you. There`s obviously some problem with Combofix at the moment.

    Try this instead.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

    Regards Howard :)

     
  19. sherwyn

    sherwyn TS Rookie Topic Starter

    there was an error..
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That looks like it`s because the registry key is no longer there.

    If that`s the case, then you should be good to go.

    Your task manager pic doesn`t show any nasty processes running.

    Uninstall AVG Antispyware.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  21. sherwyn

    sherwyn TS Rookie Topic Starter

    thanks so much dude..
    what shud i do bout the other softwares u told me to install?
    also, my comp s much slower den it waz before the infection? can i do somethin about that?
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You should uninstall AVG Antispyware as that is taking a sizable portion of your system's resources.

    You can also get rid of all the tools we used during cleanup.

    For info on how to speed up your system, see HERE.

    Regards Howard :)

     
  23. sherwyn

    sherwyn TS Rookie Topic Starter

    awrite.. will do.. once again.. thanks a lot.. appreciate it..
     
Topic Status:
Not open for further replies.
