
Red biohazard

Discussion in 'Virus and Malware Removal' started by EEI, Jul 11, 2008.

  1. EEI Newcomer, in training Posts: 47

    HJT report

    Here is the HJT report log.
    No red biohazard signs at all...no pop-ups...everything seems to be running smoothly. When I was trying to do the SmitFraud, my Norton kept saying it was a possible malicious script. I allowed it once. I don't really use the Norton anyway; I was going to uninstall that also.
    But look over the logs and if there is a better way to clean up, I'm all for it.
  2. Blind Dragon TechSpot Evangelist Posts: 4,048

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: (no name) - {1C2367B3-D766-4B1F-902C-CF838EBD630C} - C:\WINDOWS\system32\vtsqo.dll (file missing)
      O2 - BHO: (no name) - {36f9154c-bfd4-43d7-83d2-35f5c8aa17b1} - C:\WINDOWS\system32\dmptntc.dll (file missing)
      O2 - BHO: (no name) - {47EB908E-2B8D-416D-92D9-53191C619507} - C:\WINDOWS\system32\geebb.dll (file missing)
      O2 - BHO: (no name) - {4CD8D66E-BA52-4287-BBFA-BF48D90C484D} - C:\Program Files\Windows NT\tebomisyg83122.dll (file missing)
      O2 - BHO: (no name) - {555B48D8-BC88-4798-B6B2-ECE050664C34} - C:\Program Files\Windows NT\tebomisyg4444.dll (file missing)
      O20 - Winlogon Notify: geebb - C:\WINDOWS\system32\geebb.dll (file missing)
      O20 - Winlogon Notify: tuvtsro - tuvtsro.dll (file missing)
      O20 - Winlogon Notify: vtsqo - C:\WINDOWS\system32\vtsqo.dll (file missing)
      O20 - Winlogon Notify: xxyvwvs - xxyvwvs.dll (file missing)
      O20 - Winlogon Notify: yayvwuu - yayvwuu.dll (file missing)

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    --------------------------------------------------------------------

    We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

    Code:
    @echo off
    rem Stop each suspect service, then remove its registration
    sc stop EscService
    sc delete EscService
    sc stop KcpService
    sc delete KcpService
    sc stop KrcWmiProviderSvc
    sc delete KrcWmiProviderSvc
    rem A service name containing spaces must be quoted, otherwise sc only sees "KUKA"
    sc stop "KUKA Scheduler Service"
    sc delete "KUKA Scheduler Service"
    rem Delete this script itself (%~f0 is the script's own full path) and exit
    del "%~f0" & exit

    Save it to your desktop as File name: service.cmd
    Save as type: All Files

    Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.

    ------------------------------------------------------------------------------

    Run Smitfraudfix
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Delete this folder if it is there: C:\KRC
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt


    After reboot please run another Hijackthis from normal mode for me so that I can check everything, then you should be ok to go online - then we can update Java and get a good anti-virus on there
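As an added example, not part of Blind Dragon's post and not HijackThis code: a small Python parser for the O2 and O20 lines quoted above that flags the entries marked "(file missing)" and maps each to the registry key that holds it. An orphaned BHO or Winlogon Notify entry does nothing while its DLL is absent, but it is a launch point that comes back to life the moment a dropper writes the DLL again, which is why such entries are fixed even though the files are already gone. The sample log is four lines from the post plus one constructed, benign-looking BHO line with a made-up CLSID so the filter has something to leave alone; BHO_KEY and NOTIFY_KEY are the standard locations those two HijackThis sections are read from. The generated `reg delete` lines cover the launch point only; a BHO's class registration under HKCR\CLSID\{clsid} is a separate key that this example does not touch.

```python
"""Flag orphaned HijackThis O2/O20 entries and map them to the registry keys
that hold them.

Added example for the post above; it is not HijackThis code or anything from
the thread. BHO_KEY and NOTIFY_KEY are the standard locations HijackThis
reads the O2 and O20 sections from.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample log: four lines quoted in the post plus one made-up,
# benign-looking BHO (fake CLSID) whose DLL is present, so the filter has
# something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1C2367B3-D766-4B1F-902C-CF838EBD630C} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O2 - BHO: Example Link Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {4CD8D66E-BA52-4287-BBFA-BF48D90C484D} - C:\Program Files\Windows NT\tebomisyg83122.dll (file missing)
O20 - Winlogon Notify: geebb - C:\WINDOWS\system32\geebb.dll (file missing)
O20 - Winlogon Notify: tuvtsro - tuvtsro.dll (file missing)
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Entry:
    section: str            # "O2" or "O20"
    name: str               # BHO display name, or the Notify subkey name
    clsid: Optional[str]    # O2 only
    path: str               # DLL path exactly as HijackThis printed it
    file_missing: bool      # True when the line carried "(file missing)"
    reg_key: str            # key whose removal kills the launch point


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O2 and O20 lines of a HijackThis log; other sections are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append(Entry("O2", m["name"], m["clsid"], m["path"],
                                 m["missing"] is not None,
                                 BHO_KEY + "\\" + m["clsid"]))
            continue
        m = O20_RE.match(line)
        if m:
            # O20 is keyed by subkey name, not CLSID; a bare "x.dll" is loaded from system32.
            entries.append(Entry("O20", m["name"], None, m["path"],
                                 m["missing"] is not None,
                                 NOTIFY_KEY + "\\" + m["name"]))
    return entries


def orphaned_entries(text: str) -> List[Entry]:
    """Entries whose DLL is gone: inert now, but they reload the DLL if a dropper puts it back."""
    return [e for e in parse_hjt(text) if e.file_missing]


def reg_delete_commands(entries: List[Entry]) -> List[str]:
    """cmd.exe commands that remove the launch point of each entry.
    The BHO's own class registration under HKCR\\CLSID\\{clsid} is a separate
    key and is not covered here."""
    return [f'reg delete "{e.reg_key}" /f' for e in entries]


if __name__ == "__main__":
    orphans = orphaned_entries(SAMPLE_LOG)
    for e in orphans:
        print(f"{e.section:<4} {e.name:<12} {e.path}")
    print()
    print("\n".join(reg_delete_commands(orphans)))
```

Run on the sample it lists the four orphaned entries and prints one `reg delete` per entry; the constructed benign BHO is kept because its DLL is present.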
  3. EEI Newcomer, in training Posts: 47

    Where would I find the C:\KRC folder? On the desktop, or in cmd mode and look for it? I'm in safe mode now. I did a search for any file/folder KRC and have IMEKRCIC.DL, KrcEventLog.dll, KrcLog.evt (same KrcLog with B, I, P, S, U).
  4. EEI Newcomer, in training Posts: 47

    Smitfraudfix rapport 2

    Attached is the SmitFraud report number 2. It did not ask me to replace/fix/delete the win file mentioned. Rebooting now.
  5. Blind Dragon TechSpot Evangelist Posts: 4,048

    Ok, sorry for the delay I have the flu, let me see a new hijackthis and we should be able to move on
  6. EEI Newcomer, in training Posts: 47

    Hjt #4

    Here is the HJT file from this morning. I'm online with this computer now. It seems to be working well. Sorry you had the flu. I took off yesterday at noon, and just got online again today. Look things over and let me know what else I need to do.
    Again thanks for the help. As I mentioned in previous posts, I uninstalled Norton. Any additional clean up would be good.
     
  7. Blind Dragon TechSpot Evangelist Posts: 4,048

    That's a clean log!

    I suggest you install an Anti-virus program now that you have uninstalled Norton - I see you have zone alarm for a firewall and that is good

    These are both free - download one, update definitions and run a full scan - they both also have great real time protection

    Anti-Virus
    Avast Free
    Avira Free <- My recommendation

    -------------------------------------------------------------------------------

    Update your Java Runtime Environment
    • Click the following link
      Java Runtime Environment 6 Update 7
    • The 5th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_07 folder

    -------------------------------------------------------------------------------------

    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    ----------------------------------------------------------------------------------------
    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  8. BrentR Newcomer, in training Posts: 23

    what is the red biohazard infection?
  9. EEI Newcomer, in training Posts: 47

    I am loading the Avira program. Is this something that I should leave active, or only use it periodically? Especially since my Zone Alarm had been working so well. I read some reviews of Avira. It received high marks for detection and removal, but lower ratings for infection treatment and self protection. I'll run the Java runtime next. Are there reports that you would like to look at from these? And the Kaspersky is for what?
  10. Blind Dragon TechSpot Evangelist Posts: 4,048

    Just so you know I run Avira Antivir on my systems - it does a good job - in my opinion it is currently the best free anti-virus available

    Zone alarm = firewall
    Avira = antivirus

    you should run both

    ------------------------------------------------------------

    Kaspersky is just an online scanner for a 2nd opinion - it will scan your system and may reveal things that I missed.

    Regards,

    BD
  11. EEI Newcomer, in training Posts: 47

    Thanks. When I'm trying to run a scan, it pops up a screen that says 'self test failed'. Did I load something wrong? It has 4 'error' 'guard' 'error detected' in the Events log. It has a successful update after an unsuccessful update in the Reports log. We lost internet access for a minute here so I re-updated. It has a red ! by AntiVir Guard, Last Completed Scan, and Last Update. Edit: I reloaded the update and it cleared the AntiVir/Last Update red '!' and is scanning now. It popped up two 'trojans' immediately. I'll let you know how many others come through this scan.
    If it has a report I'll send it if that will help at all.
    Edit 2: 17 detections (quarantined), 2 warnings showing.
    Question. Even though I uninstalled Norton, during the scanning I noticed it scanning Norton files.
  12. EEI Newcomer, in training Posts: 47

    Avira scan

    The scan finished with a total of 20 viruses or unwanted programs found. They were quarantined, but I was never asked if I wanted them deleted. Are they removed automatically?
  13. EEI Newcomer, in training Posts: 47

    I have not done the Java or ATF cleaner yet. Waiting to hear back from you about the Avira. I've restarted my computer a couple of times though, and it's starting up slower than before. Not horrible, just slower.
  14. EEI Newcomer, in training Posts: 47

    Avira 3rd report

    Ran Avira again and it picked up 3 viruses; log report attached.
  15. xxdanielxx Newcomer, in training Posts: 1,214

    Well, since Blind Dragon is sick I can help for now. The 3 viruses that Avira found are located in the System Restore folder:

    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP352\A0139250.dll
    [DETECTION] Is the Trojan horse TR/Killav.28714
    [NOTE] The file was moved to '48ac9ebb.qua'!
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP352\A0139251.dll
    [DETECTION] Is the Trojan horse TR/Trash.Gen
    [NOTE] The file was moved to '48ac9ebd.qua'!
    C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP352\A0139252.exe
    [DETECTION] Contains detection pattern of the dropper DR/FraudTool.SpyVampire.A.1
    [NOTE] The file was moved to '48ac9ebf.qua'!


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Now we need to create a new System Restore point.

    Click Start Menu > Run > type (or copy and paste)

    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

    Next goto Start Menu > Run > type

    cleanmgr

    Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

    To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.
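As an added example, not Avira's code and not from the thread: the report lines quoted in the post are three-line records (the file path, a [DETECTION] line, a [NOTE] line), and the question xxdanielxx answers, whether the hits sit only inside restore points, can be read straight off the path. Anything under C:\System Volume Information\_restore{GUID}\RPnnn\ is a restore-point copy that the System Restore cleanup above removes; a hit anywhere else means the live system still holds infected files and needs another round of cleaning. The parser below splits a report that way. The three records in POST_RECORDS are the ones quoted in the post; CONSTRUCTED_RECORD is made up here (path and quarantine name invented, detection name reused from the post) to show what a live-system hit looks like.

```python
"""Split an Avira AntiVir scan report into restore-point hits and live-system hits.

Added example for the post above; not Avira's code and not from the thread.
POST_RECORDS are the three detections quoted in the post. CONSTRUCTED_RECORD is
made up here to show a hit outside System Volume Information.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

POST_RECORDS = r"""
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP352\A0139250.dll
[DETECTION] Is the Trojan horse TR/Killav.28714
[NOTE] The file was moved to '48ac9ebb.qua'!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP352\A0139251.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '48ac9ebd.qua'!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP352\A0139252.exe
[DETECTION] Contains detection pattern of the dropper DR/FraudTool.SpyVampire.A.1
[NOTE] The file was moved to '48ac9ebf.qua'!
"""

# CONSTRUCTED: a live-system hit invented for this example (path and
# quarantine name are made up; the detection name is one from the post).
CONSTRUCTED_RECORD = r"""
C:\WINDOWS\system32\constructed_example.dll
[DETECTION] Is the Trojan horse TR/Trash.Gen
[NOTE] The file was moved to '00000000.qua'!
"""

SAMPLE_REPORT = POST_RECORDS + CONSTRUCTED_RECORD

# A restore-point copy always lives at <drive>:\System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\(?P<rp>RP\d+)\\",
    re.IGNORECASE,
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
QUA_RE = re.compile(r"moved to '([^']+)'")


@dataclass
class Hit:
    path: str
    detection: str = ""
    quarantine_file: Optional[str] = None
    restore_point: Optional[str] = None   # "RP352" when the copy sits in a restore point


def parse_avira_report(text: str) -> List[Hit]:
    """Each record is a path line followed by its [DETECTION] and [NOTE] lines."""
    hits: List[Hit] = []
    current: Optional[Hit] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            m = RESTORE_RE.match(line)
            current = Hit(path=line, restore_point=m["rp"] if m else None)
            hits.append(current)
        elif current is None:
            continue
        elif line.startswith("[DETECTION]"):
            current.detection = line[len("[DETECTION]"):].strip()
        elif line.startswith("[NOTE]"):
            q = QUA_RE.search(line)
            current.quarantine_file = q.group(1) if q else None
    return hits


def split_hits(text: str) -> Tuple[Dict[str, List[Hit]], List[Hit]]:
    """Return (restore-point hits grouped by RP name, hits on the live system)."""
    by_rp: Dict[str, List[Hit]] = defaultdict(list)
    live: List[Hit] = []
    for h in parse_avira_report(text):
        if h.restore_point:
            by_rp[h.restore_point].append(h)
        else:
            live.append(h)
    return dict(by_rp), live


def only_in_restore_points(text: str) -> bool:
    """True when purging old restore points is the whole fix;
    False when the live system still has infected files (or nothing was found)."""
    by_rp, live = split_hits(text)
    return bool(by_rp) and not live


if __name__ == "__main__":
    by_rp, live = split_hits(SAMPLE_REPORT)
    for rp, hits in by_rp.items():
        print(f"{rp}: {len(hits)} hit(s) in a restore point (removed by purging old restore points)")
        for h in hits:
            print(f"   {h.detection}  <- {h.path}")
    for h in live:
        print(f"LIVE: {h.detection}  <- {h.path}")
    print("only in restore points:", only_in_restore_points(SAMPLE_REPORT))
```

For the three records actually posted, `only_in_restore_points` is True, which is the situation the post describes: the live system is clean and the remaining copies go away with the old restore points. The constructed fourth record flips it to False, the case where another cleaning pass would be needed before purging restore points.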
  16. EEI Newcomer, in training Posts: 47

    Besides the 3 viruses, as per an earlier posting, there were 20 found. I'm assuming that they will all be dealt with. I've started the ATF, system restore point, and cleanup.
  17. xxdanielxx Newcomer, in training Posts: 1,214

    A lot of them were in the System Restore folder. After you have done the steps above, do another scan.
  18. Blind Dragon TechSpot Evangelist Posts: 4,048

    Thanks Daniel - I'm feeling a little better

    Right click the red umbrella in the system tray and select start Antivir

    Click on the Administrative tab in the left pane - this brings up quarantine

    Highlight everything and click the trash can icon to delete from quarantine.

    Then run ATF Cleaner, update java and run Kaspersky online scanner if possible.

    I am surprised a few of those were missed in previous scans as they are usually picked up. Looks to me like you went to a site that was most likely through a search engine and it told you it needed to install a codec for you to continue - do you remember anything like this prior to becoming infected? Then you would have been forwarded to a legit looking site
  19. EEI Newcomer, in training Posts: 47

    Blind Dragon,
    I ran the ATF, but haven't done anything else yet. I'll do it later today. Java and Kaspersky. That's exactly what happened though....a video sent to me. Zone Alarm flagged it as unknown, and it indicated I needed to update my media player/ActiveX or something. Since it was sent to me, I opened it. It had a real brief DOS run screen and then all **** broke loose. As I said before, it was my fault for allowing it. Just wasn't watching as close as I normally do. Thanks again for all your help. Oh I did do the system restore outlined above.
  20. Blind Dragon TechSpot Evangelist Posts: 4,048

    the activeX from Kaspersky is safe I give you my word.

    If you want an extra layer of protection now against new startup registry entries and ActiveX -> install WinPatrol from my signature - it's free - you'll hardly notice it is there other than the Scotty dog in your system tray.

    Right click the scotty dog and select startup info... to control what programs load when you boot your computer - if there is something you don't need you can disable it so that you don't waste resources on it. Then you can select ActiveX to see what is installed on your machine and you can also disable ActiveX controls through there.

    I usually recommend installing it after we are done cleaning as part of the cleanup secure process - but I think you should check it out


    The reason the kaspersky scanner needs to install an ActiveX is because it scans your system without you having to download a scanner - the scanner is online

    Attach the log here once done