TechSpot

Red biohazard

By EEI
Jul 11, 2008
  1. Got the red biohazard infection 7/9/08. Got online and saw similar issues. Had to get off yesterday, but would like to resolve the issue today if I can. I need help in navigating the process. I'm using a second computer, have a flash drive, and will start taking the steps directed.
    Thanks.
    I got the files from the HijackThis. Both on the 'result' page and then a 'notepad' popped up. Should I put them on the thumb drive and attach here from another computer, or try to go online with the infected computer? What is the best way to attach so you can view and help?
     
  2. EEI

    EEI TS Rookie Topic Starter Posts: 47

    Hijackthis file

    Attaching Notepad file. Is this OK?
     
  3. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    We can connect it to the internet soon, so that you don't have to keep transferring files

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\sqvgnrpx.dll (file missing)
      O4 - HKLM\..\Run: [DelayLoad] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\atmadm2.exe
      O4 - HKCU\..\Run: [InstallProgram] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\smcheck.exe
      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
      O21 - SSODL: fdxbameg - {13D2D249-7D99-4002-8752-EE17CB1B2DBE} - C:\WINDOWS\fdxbameg.dll
      O21 - SSODL: fsrpknov - {4350C078-5ABF-4C95-80CC-6C5CC6EAA436} - C:\WINDOWS\fsrpknov.dll

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    --------------------------------------------------------------------

    OTMoveit2 by OldTimer
    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      %TEMP%\SMCHECK.EXE
      %TEMP%\atmadm2.exe
      C:\WINDOWS\fdxbameg.dll
      C:\WINDOWS\fsrpknov.dll
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    ---------------------------------------------------------------------------------

    I would download and install MBAM to the flash drive, then try to update it from there; then you may even be able to scan straight from that.

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please attach this log with your reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    I need to see the OTMoveit2 log and MBAM logs with a fresh Hijackthis
     
  4. EEI

    EEI TS Rookie Topic Starter Posts: 47

    There was a message that came up, "Registry editing has been disabled by your administrator", when I hit "Fix Checked", but when I rescanned it seems to have eliminated those items. I have not moved to the OT step yet... should I proceed?
     
  5. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Yes, just make sure you show me the fresh HJT log and OTMoveIt.
     
  6. EEI

    EEI TS Rookie Topic Starter Posts: 47

    When I double click on the OTMoveIt, there is no exe file. It just has the OTMoveIt2 clipboard. Since I'm reading these posts on another computer, I typed in the Code you had under the Paste List of Files/Folders to Move. When I hit 'Move it', it transferred some. Also, it didn't seem to transfer everything. Do I have to do the copy and paste? I retyped it and it seemed to go through... but says files not found? I'll attach the new HJT and the OT2 file and send.
     
  7. EEI

    EEI TS Rookie Topic Starter Posts: 47

    hjt2 and OT2

    Here is what I got.

    Are you still there?
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Copy and paste the OTMoveIt2 code into Notepad and save the Notepad file on the connected computer's flash drive.

    Then plug your flash drive into the other computer and copy and paste it. I want to see another OTMoveIt2 log.
     
  9. EEI

    EEI TS Rookie Topic Starter Posts: 47

    When I place otmoveit2 on the flash drive I can read it fine on the good computer; when I try to read it on the infected computer, it says the file is a text.docx file and won't read it. Just tried it again. Same thing.
    Sorry... I was copying into Word. When I did it in Notepad it worked, or at least I could read it. I'll try that on otmoveit2 and see what results I get.
    Also, on that computer, it keeps popping up the messages from the "spyware alert", "system alert" etc. But I noticed there's also a page trying to access the internet with a 'safewebnavigation' heading... I'm assuming that's also connected with the same infection.

    How do I get this file from c:\_OTMoveIt\MovedFiles? Where do I find it?
     
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    I might as well post this and it should work no problem for you to transfer as I have done it many times.

    After you show me the OTMoveit log

    Run Smitfraudfix
    • Download Smitfraudfix by S!ri from HERE
    • Double-click SmitfraudFix.exe
    • Select 1 and hit Enter
    • The report can be found at the root of the system drive, usually at C:\rapport.txt

    Attach this here as well
     
  11. EEI

    EEI TS Rookie Topic Starter Posts: 47

    OT files

    This is what the moved files look like from the OT screen.
    Is running the Smitfraudfix in place of the Malwarebytes? By the way, I'm getting your responses faster in my email than here on the post.
     
     
  12. EEI

    EEI TS Rookie Topic Starter Posts: 47

    By the way, if I start scanning with either of these, will they find them but not be able to remove them until I purchase their product? I had that happen to me once before, after it took hours for the scan, but I was not wanting to put CC numbers online with an infected system.
     
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Anything I recommend will be completely free. There are different instructions for Smitfraudfix after I see the report.
     
  14. EEI

    EEI TS Rookie Topic Starter Posts: 47

    I appreciate your help. I had already started running Malwarebytes when I got your post about Smitfraudfix. It took 8 hrs to complete the scan. On reboot everything appears to be normal. I did get a message saying that
    "application or DLL c:\windows\system32\vtvlkdss.dll is not a valid windows image. Please check against your install disk". I copied the Notepad of the Malwarebytes log. I'll attach it to a post reply following this.
    I had already downloaded the Smitfraudfix onto the thumb drive, so I have it available if I need it. I'll try to do the OTMoveIt on that computer now again if I need to. As stated in an earlier post, I couldn't find the location of the file. Maybe now with the virus gone (hopefully) I'll be able to find it and forward it also.
    Thanks for your help so far. It was a long process so far.
     
  15. EEI

    EEI TS Rookie Topic Starter Posts: 47

    Mal notepad list/log

    This is the log from the Malwarebytes.
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    I love that program - it just did a lot of work for us.

    Did you reboot before or after posting the log?

    ------------------------------------------------------

    I still want you to run Smitfraudfix option 1 -> it won't do anything except scan using a bunch of different types of scans, then it will generate a report for me, telling me if we need to take further steps with it.
     
  17. EEI

    EEI TS Rookie Topic Starter Posts: 47

    I took the Notepad log that it generated and copied it to the flash drive. That's what I sent you. When I closed the Notepad, it said to finish it needed to reboot, 'yes or no'; I chose yes. I sent you the log from the good computer. When it rebooted, that's when I got the 'application or DLL...' not valid message. After it rebooted, I also restored my desktop. I've shut down and restarted several times with no problem. But I have not used the computer or gone online with it yet. I was wanting to hear back from you before I did. I will run the Smitfraudfix today and send you the report so you can look at it.
    Also, I have the programs above on my flash drive. So is it OK to 'uninstall' them from my computer when I'm done with the virus? I've heard pros and cons of this.
    The virus that I got was my own fault, allowing it in.
    By the way, thank you very much for your help. I'll finish filling out my profile, etc. and stay in touch with the site. I had just got an external hard drive that I was going to be backing up my computer with... so many things that would have really been sad to lose on my computer.
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    After the Smitfraudfix you should be OK to go back online - but let me look through it first. As far as uninstalling these programs - you can remove them from the thumb drive, but we have a special way of removing most of the other tools from the cleaned computer.

    also post a fresh hijackthis log
     
  19. EEI

    EEI TS Rookie Topic Starter Posts: 47

    Smitfraudfix log

    Attached is the rapport from Smitfraudfix. I haven't done the HJT yet.
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Let me see the HJT also, and does your desktop still have the red biohazard?
     
  21. EEI

    EEI TS Rookie Topic Starter Posts: 47

    HJT report

    Here is the HJT report log.
    No red biohazard signs at all... no pop ups... everything seems to be running smoothly. When I was trying to do the SmitFraud... my Norton kept saying it was a possible malicious script. I allowed it once. I don't really use the Norton anyway, was going to uninstall that also.
    But look over the logs and if there is a better way to clean up, I'm all for it.
     
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {1C2367B3-D766-4B1F-902C-CF838EBD630C} - C:\WINDOWS\system32\vtsqo.dll (file missing)
      O2 - BHO: (no name) - {36f9154c-bfd4-43d7-83d2-35f5c8aa17b1} - C:\WINDOWS\system32\dmptntc.dll (file missing)
      O2 - BHO: (no name) - {47EB908E-2B8D-416D-92D9-53191C619507} - C:\WINDOWS\system32\geebb.dll (file missing)
      O2 - BHO: (no name) - {4CD8D66E-BA52-4287-BBFA-BF48D90C484D} - C:\Program Files\Windows NT\tebomisyg83122.dll (file missing)
      O2 - BHO: (no name) - {555B48D8-BC88-4798-B6B2-ECE050664C34} - C:\Program Files\Windows NT\tebomisyg4444.dll (file missing)
      O20 - Winlogon Notify: geebb - C:\WINDOWS\system32\geebb.dll (file missing)
      O20 - Winlogon Notify: tuvtsro - tuvtsro.dll (file missing)
      O20 - Winlogon Notify: vtsqo - C:\WINDOWS\system32\vtsqo.dll (file missing)
      O20 - Winlogon Notify: xxyvwvs - xxyvwvs.dll (file missing)
      O20 - Winlogon Notify: yayvwuu - yayvwuu.dll (file missing)

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    --------------------------------------------------------------------

    We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

    Code:
    @echo off
    rem Stop each service, then remove its registration from the service database
    sc stop EscService
    sc delete EscService
    sc stop KcpService
    sc delete KcpService
    sc stop KrcWmiProviderSvc
    sc delete KrcWmiProviderSvc
    rem A service name containing spaces must be quoted or sc sees only the first word
    sc stop "KUKA Scheduler Service"
    sc delete "KUKA Scheduler Service"
    rem Delete this script (%~f0 is its own full path) and close the window
    del "%~f0" & exit

    Save it to your desktop as File name: service.cmd
    Save as type: All Files

    Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.

    ------------------------------------------------------------------------------

    Run Smitfraudfix
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Delete this folder if it is there: C:\KRC
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt


    After reboot please run another Hijackthis from normal mode for me so that I can check everything, then you should be ok to go online - then we can update Java and get a good anti-virus on there
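The HijackThis entries the helper had EEI fix in this thread (the O4 autoruns from a Temp directory and the O7 DisableRegedit policy earlier, the orphaned O2 and O20 entries above) all share one line format: a section code, " - ", then the entry body. The following triage script is an added example, not part of this thread or of HijackThis itself; it parses lines in that format and flags the same patterns, using entries quoted in this thread plus one constructed benign ctfmon.exe line as sample input.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in HijackThis log format: the flagged entries are copied
# from this thread; the ctfmon.exe line is a benign control added here.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1C2367B3-D766-4B1F-902C-CF838EBD630C} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O4 - HKLM\..\Run: [DelayLoad] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\atmadm2.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: tuvtsro - tuvtsro.dll (file missing)
"""

# Every HijackThis entry starts with a section code (O2, O4, O20, ...) then " - ".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")

def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one log line into (section code, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None

def triage_reasons(code: str, body: str) -> List[str]:
    """Heuristics matching what was cleaned in this thread. A flag means
    'review this entry', not a verdict: legitimate O20 entries do exist."""
    low = body.lower()
    reasons = []
    if "(file missing)" in low:
        reasons.append("orphaned entry: the referenced file no longer exists")
    if code == "O4" and "\\temp\\" in low:
        reasons.append("autorun launching a program from a Temp directory")
    if code == "O7" and "disableregedit=1" in low:
        reasons.append("policy disables the Registry Editor")
    if code == "O20" and "winlogon notify" in low:
        reasons.append("Winlogon Notify DLL: loaded at every logon")
    return reasons

def triage_log(text: str) -> List[Dict[str, object]]:
    """Return only the entries that carry at least one flag."""
    findings = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        code, body = parsed
        reasons = triage_reasons(code, body)
        if reasons:
            findings.append({"code": code, "entry": body, "reasons": reasons})
    return findings
```

Run against the sample, the benign ctfmon.exe autorun is left alone while the four thread entries come back with the reason each was fixed; the same rules apply unchanged to a full log saved from HijackThis.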
     
  23. EEI

    EEI TS Rookie Topic Starter Posts: 47

    Where would I find the C:\KRC folder? On the desktop, or in cmd mode and look for it? I'm in safe mode now. I did a search for any file/folder KRC and have IMEKRCIC.DL, KrcEventLog.dll, KrcLog.evt (same KrcLog with B, I, P, S, U).
     
  24. EEI

    EEI TS Rookie Topic Starter Posts: 47

    Smitfraudfix rapport 2

    Attached is the Smitfraud report number 2. It did not ask me to replace/fix/delete the win file mentioned. Rebooting now.
     
  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    OK, sorry for the delay, I have the flu. Let me see a new HijackThis and we should be able to move on.
     