Only the best

Status
Not open for further replies.

JaimeDavid

I need help. My PC is infected with some kind of virus. I understand someone savvy needs to tell me what to remove using the HijackThis software.

Thanks,
 

Attachment: hijackthis.txt (6.6 KB)
You have a bunch of them!

Go here first: Trend Micro scanner for ALL browsers:
http://uk.trendmicro-europe.com/consumer/products/housecall_launch.php

Then here:
To fix Trojans, see How to remove Trojans and its ilk!

Finally for the finishing touch:
Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
ietv32.exe
appch32.exe
ds.nono.rss.exe
ylr.nono.wlzadm.exe

Next, click Start/Run and type services.msc and click OK. Look for the service:
ds.nono.rss.exe
ylr.nono.wlzadm.exe
Double-click it, click Stop if it's running, and change the Startup type to Disabled.

Next, click on Start/Run and type in (followed by press Enter):
regsvr32 /u C:\WINDOWS\iqvmy.dll
regsvr32 /u C:\WINDOWS\javafj32.dll

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {395654E0-C152-DEFC-F1D5-D4ED74FC94EC} - C:\WINDOWS\javafj32.dll
O4 - HKLM\..\Run: [appch32.exe] C:\WINDOWS\system32\appch32.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] ds.nono.rss.exe
O4 - HKLM\..\RunServices: [8F6031A9] C:\WINDOWS\System32\ylr.nono.wlzadm.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Homepage Protector - {7D6BEC01-15E2-46F0-8ED3-D715DE09A8F9} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: officelink.bcainc.com
Fix ALL your O16 - DPF: entries
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Right-click IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal. When all OK, switch System Restore back on.

You should seriously consider a better AntiVirus package! (not from Symantec or McAfee either!).
See e.g. www.virus.gr or roam around this forum.
Most people (including me) are happy with free AVG from http://free.grisoft.com and e.g. free Sygate firewall from http://soho.sygate.com

And stop using that bleedin' Internet Explorer!
Go to www.getfirefox.com
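The triage the helper does by hand above boils down to a few recognisable patterns in the HJT log. As an added example (not from the thread, from HijackThis or from Trend Micro), this Python script parses HJT's `R1 - ...` / `O4 - ...` line format and flags those patterns on a constructed sample built from the entries quoted above plus benign entries that must pass; the BHO rule is a heuristic, and a human still reviews every hit.

```python
import re

# Constructed sample: entries copied from the thread plus benign ones that must pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iqvmy.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: Class - {395654E0-C152-DEFC-F1D5-D4ED74FC94EC} - C:\WINDOWS\javafj32.dll
O4 - HKLM\..\Run: [appch32.exe] C:\WINDOWS\system32\appch32.exe
O4 - HKLM\..\RunServices: [WSAConfiguration] ds.nono.rss.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: Workstation NetLogon Service - Unknown owner - C:\WINDOWS\system32\ietv32.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RES_DLL_RE = re.compile(r"=\s*res://\S+\.dll/", re.IGNORECASE)  # IE page served out of a DLL
BHO_RE = re.compile(r"^BHO: .* - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\(?P<key>\w+): \[[^\]]*\] (?P<cmd>.+)$")
WINDIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\(system32\\)?[^\\]+$", re.IGNORECASE)


def classify(kind, body):
    """Return why an HJT entry is suspicious, or None if it shows no known pattern."""
    if kind in ("R0", "R1") and RES_DLL_RE.search(body):
        return "IE start/search setting points into a local DLL resource (res://)"
    if kind == "O2":
        m = BHO_RE.match(body)
        if m and WINDIR_RE.match(m.group("path").strip()):
            return "BHO DLL sits directly in the Windows directory (heuristic)"
    if kind == "O4":
        m = O4_RE.match(body)
        if m and m.group("key").lower() in ("runservices", "runonce"):
            return "autorun via the %s key" % m.group("key")
        if m and "\\" not in m.group("cmd"):
            return "autorun launches a bare file name resolved through PATH"
    if kind == "O23" and "(file missing)" in body:
        return "service entry points to a missing binary"
    return None


def triage(log_text):
    """Parse HJT 'Rn/On - ...' lines; return (kind, reason, body) for each flagged entry."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # skip headers, process lists and blank lines
            reason = classify(m.group("kind"), m.group("body"))
            if reason:
                findings.append((m.group("kind"), reason, m.group("body")))
    return findings
```

Run `triage(SAMPLE_LOG)` on the sample and four entries come back (the res:// R1, the O2 BHO, the RunServices O4 and the orphaned O23); the about:blank, Google, plain Run and Global Startup lines pass.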
 
Another Push

I think I'm getting somewhere. Had trouble installing the JVM to make the Trend House Call run, so I went on with the rest of the instructions. The ewido scan kept closing, so I did it by parts. I figured that when it is scanning the registry something seems to kill it.
After I finished with the rest of the instructions and still in Safe mode, I tried to run Ewido again, but it is still being closed/killed scanning the registry.
Finally I was able to install JVM and decided to try the first step again.
It scans and finds TROJ_STARTPAG.RE C:\WINDOWS\SYSTEM32\jmgst.dll
I click Clean or Delete and it asks for a Ticket. I put in my information to get the ticket, but nothing happens; it looks like it stalls. I'm including my HT log again.

Thanks,
 
Boot in Safe Mode, see how here.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Next, open Windows Task Manager by pressing CTRL+ALT+DELETE.
Click the Processes tab, select the process (if there) and click End Process for:
sdkcf32.exe
iemb32.exe

Next, click on Start/Run and type in (followed by press Enter):
regsvr32 /u C:\WINDOWS\system32\jmgst.dll
regsvr32 /u C:\WINDOWS\system32\ipix.dll

Next, run a HJT scan and (if still there) place a tick-mark in the little square before:
...................................................................................................
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jmgst.dll/sp.html#12047
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05DA21C0-E89B-F673-539B-7408A5D9D6BF} - C:\WINDOWS\system32\ipix.dll
O4 - HKLM\..\Run: [iemb32.exe] C:\WINDOWS\iemb32.exe
O4 - HKLM\..\RunOnce: [sdkcf32.exe] C:\WINDOWS\system32\sdkcf32.exe
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ietv32.exe (file missing)
...................................................................................................
Now click on the Fix Checked button in HJT. Exit HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Right-click IE on the desktop, select Properties, click on Delete Cookies, and Delete Files.
Delete ALL files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
XP only: Delete ALL files from C:\WINDOWS\Prefetch.
Boot normal. When all OK, switch System Restore back on.
 
Thanks A lot

Finally I was able to get rid of those viruses. After following the last instructions I ran the Ewido in safe mode logged in as each existing user. Each time it seemed to find more viruses. Once booted in normal mode and able to log in to the internet and using Firefox instead of the bleeding IE, I was able to run the House call from Trend with No virus found.
I still have one question. Ewido found something that seems to be related to Firefox. Is this real spyware?
..Application Data\\Mozilla\Firefox\Profiles\uhktx5b1.default\cookies.txt
Infected with Spiware.Cookie.Atdmt
Spiware.Cookie.Doubleclick
Spiware.Cookie.Tribalfusion
Spiware.Cookie.Tribalfusion
Is it just a matter of time before we start having to deal with viruses in Firefox?

Thanks for your help and the info.
 
JaimeDavid said:
Is it just a matter of time before we start having to deal with viruses in Firefox?
The more popular it gets the more it will be targeted, although the developers are doing a pretty good job of updating Firefox to plug holes once found/exploited.
 
QuickScan

Doing a quick scan with Ewido, got a virus. I remember this one coming up with a scan I did in safe mode for every single user. What may be triggering it to show up again? Please advise. I'm including Ewido's log.
 
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.

Do a Find on that file, it may have been 'hiding' inside a restore point, in windows\prefetch, or in windows\system32\dllcache.
Delete them all.
 