By JaimeDavid
Sep 6, 2005
  1. I need help. My PC is infected with some kind of virus. I understand someone savvy needs to tell me what to remove using the HijackThis software.

    Thanks,
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    You have a bunch of them!

    Go here first: Trend Micro scanner for ALL browsers:
    http://uk.trendmicro-europe.com/consumer/products/housecall_launch.php

    Then here:
    To fix Trojans, see How to remove Trojans and its ilk!

    Finally for the finishing touch:
    Boot in Safe Mode, see how here.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the process (if there) and click End Process for:
    ietv32.exe
    appch32.exe
    ds.nono.rss.exe
    ylr.nono.wlzadm.exe

    Next, click Start/Run and type services.msc and click OK. Look for the services:
    ds.nono.rss.exe
    ylr.nono.wlzadm.exe
    Double-click each one, click Stop if it's running, and change the Startup type to Disabled.

    Next, click on Start/Run and type in (followed by press Enter):
    regsvr32 /u C:\WINDOWS\iqvmy.dll
    regsvr32 /u C:\WINDOWS\javafj32.dll

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {395654E0-C152-DEFC-F1D5-D4ED74FC94EC} - C:\WINDOWS\javafj32.dll
    O4 - HKLM\..\Run: [appch32.exe] C:\WINDOWS\system32\appch32.exe
    O4 - HKLM\..\RunServices: [WSAConfiguration] ds.nono.rss.exe
    O4 - HKLM\..\RunServices: [8F6031A9] C:\WINDOWS\System32\ylr.nono.wlzadm.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: (no name) - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Homepage Protector - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O15 - Trusted Zone: officelink.bcainc.com
    Fix ALL your O16 - DPF: entries
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    XP only: Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal. When all OK, switch System Restore back on.

    You should seriously consider a better AntiVirus package! (not from Symantec or McAfee either!).
    See e.g. www.virus.gr or roam around this forum.
    Most people (including me) are happy with free AVG from http://free.grisoft.com and e.g. free Sygate firewall from http://soho.sygate.com

    And stop using that bleedin' Internet Explorer!
    Go to www.getfirefox.com
  3. JaimeDavid

    JaimeDavid TS Rookie Topic Starter

    Another Push

    I think I'm getting somewhere. Had trouble installing the JVM to make the Trend HouseCall run, so I went on with the rest of the instructions. The Ewido scan kept closing, so I did it by parts. I figured that when it is scanning the registry something seems to kill it.
    After I finished with the rest of the instructions and still in Safe Mode, I tried to run Ewido again, but it is still being closed/killed scanning the registry.
    Finally I was able to install JVM and decided to try the first step again.
    It scans and finds TROJ_STARTPAG.RE C:\WINDOWS\SYSTEM32\jmgst.dll
    I click Clean or Delete and it asks for a Ticket. I put in my information to get the ticket, but nothing happens; it looks like it stalls. I'm including my HJT log again.

    Thanks,
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Boot in Safe Mode, see how here.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
    Click the Processes tab, select the process (if there) and click End Process for:
    sdkcf32.exe
    iemb32.exe

    Next, click on Start/Run and type in (followed by press Enter):
    regsvr32 /u C:\WINDOWS\system32\jmgst.dll
    regsvr32 /u C:\WINDOWS\system32\ipix.dll

    Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
    ...................................................................................................
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {05DA21C0-E89B-F673-539B-7408A5D9D6BF} - C:\WINDOWS\system32\ipix.dll
    O4 - HKLM\..\Run: [iemb32.exe] C:\WINDOWS\iemb32.exe
    O4 - HKLM\..\RunOnce: [sdkcf32.exe] C:\WINDOWS\system32\sdkcf32.exe
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ietv32.exe (file missing)
    ...................................................................................................
    Now click on the Fix Checked button in HJT. Exit HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Rightclick IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
    Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    XP only: Delete ALL files from C:\WINDOWS\Prefetch.
    Boot normal. When all OK, switch System Restore back on.
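The two replies above do the same thing by hand: read the HJT log, pick out the R0/R1 search hijacks that point into a local DLL, the unnamed O2 BHO, the O4 Run/RunServices entries whose key name is just the executable's file name, the O9 buttons with no name or file, and the O23 service whose binary is missing, then derive the processes to end, the services to disable and the DLLs to unregister. The following Python script is an added example (not from the thread or from the HijackThis project) that automates that triage over the log lines posted in replies 2 and 4 and prints the command-line equivalents of the Task Manager, services.msc and Run-box steps. The detection rules are this example's own heuristics, and the service's internal name in the sample (`svc_placeholder`) is a constructed stand-in for the garbled random name in the real log.

```python
"""Triage a HijackThis (HJT) log into the manual clean-up plan used in this thread.

Rules below are the example's own heuristics (assumed), not HJT's logic:
  R0/R1 pointing at res://<local dll>  -> tick in HJT, unregister that DLL
  R3 'Default URLSearchHook is missing' -> tick in HJT (HJT restores default)
  O2 BHO named 'Class' / '(no name)'    -> tick in HJT, unregister that DLL
  O4 in RunServices, or key == exe name -> tick in HJT, end that process
  O9 with '(no name)' or '(no file)'    -> tick in HJT
  O15 trusted zone, unresolved .lnk     -> list for manual review
  O16 DPF                               -> tick in HJT (thread says fix all)
  O23 'Unknown owner' / '(file missing)'-> tick in HJT, disable that service
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the two logs posted in this thread.
# The O23 internal service name is a placeholder for the garbled one in the log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {395654E0-C152-DEFC-F1D5-D4ED74FC94EC} - C:\WINDOWS\javafj32.dll
O4 - HKLM\..\Run: [appch32.exe] C:\WINDOWS\system32\appch32.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] ds.nono.rss.exe
O4 - HKLM\..\RunServices: [8F6031A9] C:\WINDOWS\System32\ylr.nono.wlzadm.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: officelink.bcainc.com
O23 - Service: Workstation NetLogon Service (svc_placeholder) - Unknown owner - C:\WINDOWS\system32\ietv32.exe (file missing)
"""

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RES_DLL = re.compile(r"res://([A-Za-z]:\\[^/]+?\.dll)", re.I)   # local DLL behind res://
EXE_PATH = re.compile(r"([^\s\[\]]+\.exe)", re.I)                 # first .exe token


@dataclass
class Plan:
    fix_in_hjt: list = field(default_factory=list)      # lines to tick, then Fix Checked
    review: list = field(default_factory=list)          # lines needing a human decision
    end_processes: set = field(default_factory=set)     # Task Manager > End Process
    disable_services: set = field(default_factory=set)  # services.msc > Disabled
    unregister_dlls: set = field(default_factory=set)   # regsvr32 /u <dll>


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(log_text: str) -> Plan:
    plan = Plan()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            dll = RES_DLL.search(body)
            if dll:                       # start/search page redirected into a local DLL
                plan.fix_in_hjt.append(line)
                plan.unregister_dlls.add(dll.group(1))
            elif body.endswith("= about:blank"):
                plan.fix_in_hjt.append(line)
        elif kind == "R3" and "is missing" in body:
            plan.fix_in_hjt.append(line)
        elif kind == "O2":
            parts = body.split(" - ")     # "BHO: <name>", "{CLSID}", "<dll path>"
            name = parts[0].split(": ", 1)[-1]
            if len(parts) >= 3 and name in ("Class", "(no name)"):
                plan.fix_in_hjt.append(line)
                plan.unregister_dlls.add(parts[-1])
        elif kind == "O4":
            key, _, target = body.partition(": ")
            m4 = re.match(r"\[(?P<val>[^\]]*)\]\s*(?P<cmd>.*)", target)
            if m4:
                exe = EXE_PATH.search(m4.group("cmd"))
                base = basename(exe.group(1)) if exe else ""
                # RunServices is a Win9x key; on XP only malware tends to use it.
                if key.endswith("RunServices") or base.lower() == m4.group("val").lower():
                    plan.fix_in_hjt.append(line)
                    if base:
                        plan.end_processes.add(base)
            elif target.endswith("= ?"):  # shortcut whose target could not be resolved
                plan.review.append(line)
        elif kind == "O9" and ("(no file)" in body or "(no name)" in body):
            plan.fix_in_hjt.append(line)
        elif kind == "O15":
            plan.review.append(line)
        elif kind == "O16":
            plan.fix_in_hjt.append(line)
        elif kind == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            plan.fix_in_hjt.append(line)
            svc = re.search(r"\((?P<name>[^)]*)\) - ", body)
            if svc:
                plan.disable_services.add(svc.group("name").strip())
            exe = EXE_PATH.search(body)
            if exe and "(file missing)" not in body:
                plan.end_processes.add(basename(exe.group(1)))
    return plan


def commands(plan: Plan) -> list:
    """cmd.exe equivalents of the Task Manager / services.msc / Run-box steps."""
    cmds = [f'taskkill /F /IM "{p}"' for p in sorted(plan.end_processes)]
    for s in sorted(plan.disable_services):
        cmds += [f'sc stop "{s}"', f'sc config "{s}" start= disabled']
    cmds += [f'regsvr32 /u /s "{d}"' for d in sorted(plan.unregister_dlls)]
    return cmds


if __name__ == "__main__":
    p = triage(SAMPLE_LOG)
    print("Tick in HJT, then Fix Checked:", *p.fix_in_hjt, sep="\n  ")
    print("Review manually:", *p.review, sep="\n  ")
    print("Commands (run from Safe Mode):", *commands(p), sep="\n  ")
```

The rules deliberately stay narrow: a BHO or Run entry with a real vendor name is left alone, and the O15 trusted-zone and unresolved-shortcut lines go to the review list rather than the fix list, since only the owner can say whether they are wanted. As in the thread, run the commands from Safe Mode with System Restore off, or the deleted files come back from a restore point.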
  5. JaimeDavid

    JaimeDavid TS Rookie Topic Starter

    Thanks A lot

    Finally I was able to get rid of those viruses. After following the last instructions I ran Ewido in Safe Mode logged in as each existing user. Each time it seemed to find more viruses. Once booted in normal mode and able to log in to the internet, using Firefox instead of the bleeding IE, I was able to run HouseCall from Trend with no virus found.
    I still have one question. Ewido found something that seems to be related to Firefox. Is this real spyware?
    ..Application Data\\Mozilla\Firefox\Profiles\uhktx5b1.default\cookies.txt
    Infected with Spyware.Cookie.Atdmt
    Spyware.Cookie.Doubleclick
    Spyware.Cookie.Tribalfusion
    Spyware.Cookie.Tribalfusion
    Is it just a matter of time before we start having to deal with viruses in Firefox?

    Thanks for your help and the info.
  6. TS | Thomas

    TS | Thomas TS Rookie Posts: 1,319

    The more popular it gets the more it will be targeted, although the developers are doing a pretty good job of updating Firefox to plug holes once found/exploited.
  7. JaimeDavid

    JaimeDavid TS Rookie Topic Starter

    QuickScan

    Doing a quick scan with Ewido, I got a virus. I remember this one coming up with a scan I did in Safe Mode for every single user. What may be triggering it to show up again? Please advise. I'm including Ewido's log.
  8. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

    Do a Find on that file, it may have been 'hiding' inside a restore point, in windows\prefetch, or in windows\system32\dllcache.
    Delete them all.