TechSpot

Tough virus

By bflotus
May 1, 2009
  1. 3 days ago I noticed that I was under a virus attack. The virus changed my desktop, disabled Task Manager and registry editing, and opened up pop-ups trying to sell me overpriced antivirus software. I managed to re-enable Task Manager and registry editing, and changed my desktop back. The virus appeared to be gone, but a number of symptoms still remain.

    Anything I try to update fails, even things that have nothing to do with antivirus. My computer tells me that I am not connected to the internet, but I obviously am. USB drives won't work on the computer. The virus also disables Windows Firewall and Windows Update.

    I went through the eight steps, and had a bit of trouble: I get a blue screen when I run super anti virus, and when I tried to update Java, the install said it could not continue with the current internet connection settings.

    Attached are the logs.

    Any help would be appreciated.
     
  2. touch

    touch TS Rookie Posts: 978

    Hello bflotus

    You have two antivirus programs running - McAfee and Kaspersky.

    "Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and will typically cause your computer to crash, and will provide less protection.
    Not more."
    Remove/uninstall from "Add/Remove Programs" in Control Panel:
    one of your antivirus programs.


    Reboot.

    Please download Combofix:
    http://subs.geekstogo.com/ComboFix.exe
    And save to the desktop.


    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.
     
  3. bflotus

    bflotus TS Rookie Topic Starter

    Alright, that appears to have solved it. I can now update Kaspersky. I thought I had uninstalled McAfee, sorry about that. Here's the log.

    On second thought - flash drives still aren't working, any ideas?
     
  4. touch

    touch TS Rookie Posts: 978

    You still have some infections there, which can be the cause of the flash drive problem.


    First, can you please check these files ->

    Upload and have this file scanned:
    c:\windows\SYSTEM32\userinit.exe
    c:\windows\ServicePackFiles\i386\userinit.exe

    Here:

    http://virusscan.jotti.org/ Or here: http://www.virustotal.com/en/indexf.html


    Post back the results
     
  5. bflotus

    bflotus TS Rookie Topic Starter

    Found nothing on either of them.

    Now I have a bit of a bigger problem - I figured now that I can update the software I'd re-do the eight steps. After updating and running super anti virus and rebooting, my computer wouldn't reboot; it just has the little animation with the bar going around forever. I had to restart in safe mode. Any ideas?
     
  6. touch

    touch TS Rookie Posts: 978

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.
     
  7. bflotus

    bflotus TS Rookie Topic Starter

    Windows managed to boot again normally, should I continue with your last post?
     
  8. touch

    touch TS Rookie Posts: 978

    Yes, please do
     
  9. bflotus

    bflotus TS Rookie Topic Starter

    Working good so far, thank you very much. Here's the latest log.
     
  10. touch

    touch TS Rookie Posts: 978

    Sounds good.

    Combofix log looks clean.

    Please attach a fresh HijackThis log.
     
  11. bflotus

    bflotus TS Rookie Topic Starter

    Here you go.
     
  12. touch

    touch TS Rookie Posts: 978

    Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

    <<<- If you don't use a proxy server
    ……………………………………………………………………….
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKUS\S-1-5-21-3968513137-102144374-2776227746-1006\..\Run: [dotnRXZmX] uma42chs.exe (User 'Diane')
    O4 - HKUS\S-1-5-21-3968513137-102144374-2776227746-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Diane')
    O4 - HKUS\S-1-5-21-3968513137-102144374-2776227746-1006\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Diane')
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe


    Reboot. Attach a new HijackThis log.
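The entries touch asks to fix above follow a pattern worth recognising in any HijackThis-style log: a browser proxy pointed at the local machine (a classic way for malware to sit between the browser and the network, which also explains the "not connected" and failed-update symptoms reported earlier in the thread), an autorun entry that launches a bare filename with no directory, and a DPF entry that pulls an executable from the web. The following triage script is an added example, not part of the thread or of HijackThis; the sample lines are the ones posted above, the R1/O4/O16 regexes and the flagging heuristics are my own assumptions about the log format, and anything it flags still needs a human to confirm before hitting "Fix checked".

```python
import re
from urllib.parse import urlparse

# Sample HijackThis lines taken from the thread above (plus nothing else).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-21-3968513137-102144374-2776227746-1006\..\Run: [dotnRXZmX] uma42chs.exe (User 'Diane')
O4 - HKUS\S-1-5-21-3968513137-102144374-2776227746-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Diane')
O4 - HKUS\S-1-5-21-3968513137-102144374-2776227746-1006\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Diane')
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe
"""

# Hosts that mean "the proxy is this very machine" (assumed list).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Assumed shapes of the three entry types used in this thread.
R1_RE = re.compile(r"^R1 - (?P<key>.+?),(?P<name>\w+) = (?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} - (?P<url>\S+)")


def executable_of(cmd):
    """First token of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def proxy_hosts(value):
    """'http=localhost:7171;https=proxy:8080' or 'proxy:8080' -> ['localhost', 'proxy']."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                      # scheme=host:port form
            part = part.split("=", 1)[1]
        hosts.append(part.rsplit(":", 1)[0].lower())
    return hosts


def check_line(line):
    """Return a reason string when the entry deserves a look, else None."""
    m = R1_RE.match(line)
    if m:
        if m["name"] == "ProxyServer":
            local = [h for h in proxy_hosts(m["value"]) if h in LOCAL_HOSTS]
            if local:
                return (f"browser proxy points at the local machine ({', '.join(local)}); "
                        "typical of traffic-intercepting malware unless you deliberately run a local proxy")
        return None
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m["cmd"])
        if "\\" not in exe and "/" not in exe:
            return (f"autorun [{m['label']}] starts '{exe}' with no directory, so it is resolved "
                    "through the search path; legitimate vendors almost always use a full path")
        return None
    m = O16_RE.match(line)
    if m:
        url = urlparse(m["url"])
        if url.path.lower().endswith(".exe"):
            return f"DPF (ActiveX download) entry fetches an executable from {url.netloc}"
        return None
    return None


def triage(log_text):
    """Return [(entry_type, reason, line)] for every flagged line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = check_line(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason, line))
    return findings


if __name__ == "__main__":
    for entry_type, reason, line in triage(SAMPLE_LOG):
        print(f"[{entry_type}] {reason}\n    {line}")
```

Run against the sample it reports three entries: the localhost proxy, the [dotnRXZmX] autorun and the O16 download, and stays quiet on the QuickTime, Java, MSConfig, Google Toolbar and Flash entries; that matches the split touch makes above between "remove" and "remove only if you do not use a proxy". The heuristics are deliberately narrow so they stay explainable; a full-path entry can still be malicious, which is why the log review remains a human job.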
     
  13. bflotus

    bflotus TS Rookie Topic Starter

    Here's a new one.
     
  14. touch

    touch TS Rookie Posts: 978

    It looks clean. And your computer is still running fine?
     
  15. bflotus

    bflotus TS Rookie Topic Starter

    Everything appears to be working well, thank you.
     
  16. touch

    touch TS Rookie Posts: 978

    Great :)


    Now that your computer problems are solved, it is time for the clean-up procedure.
    You should Create a New Restore Point to prevent possible reinfection from an old one.
    The easiest and safest way to do this is:
    Go to Start > All Programs > Accessories > System Tools > System Restore
    Select Create a restore point, and Ok it.
    Next, go to Start > Run and type in cleanmgr
    Select the More options tab
    Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.


    Please download OTCleanIt
    Save it to desktop.
    This will remove all the tools we used to clean your computer.
    Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
    When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
    Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

    To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
    How did I get infected in the first place

    Keep safe :wave:
     
  17. bflotus

    bflotus TS Rookie Topic Starter

    Ran it, everything worked as expected. Thank you very much touch.
     
  18. touch

    touch TS Rookie Posts: 978

    Great. It was my pleasure to help :)
     