TechSpot

Virus help needed

By impaq
Mar 23, 2008
  1. Hi, I'm having a lot of trouble: my background screen has been changed to a "warning" message and I can't change it, and my Task Manager has been disabled. I also get Windows warning pop-ups. Can someone please help?
     
  2. kritius

    kritius TS Guru Posts: 2,084

    Hi impaq, :wave:

    First please go to Start -> Control Panel -> Add/remove programs and uninstall Hijackthis.

    Next please follow these instructions. Your version of HijackThis is out of date/installed in the wrong folder.

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically.

    I need you to follow all the steps HERE and then post back with the three requested logs as attachments
    • AVG antispyware
    • ComboFix
    • Hijackthis (step 15)

    Don't forget to make sure that AVG is set to quarantine the results, that HJT is the last step, and to let us know the results of the antirootkit scan.

    Good luck and welcome to TechSpot.

    This thread is for the use of impaq only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    kritius, take a look at this:

    Name: antiviirus (note spelling)
    Filename: antiviirus.exe
    Command: C:\Program Files\antiviirus.exe
    Description: Identified as a variant of the Trojan-Downloader.Win32.Agent.keu malware.
    File Location: C:\Program Files\antiviirus.exe

    and 16 BHOs! Oh my!
     
  4. pimpmypc

    pimpmypc TS Rookie Posts: 111

    Get Spybot Search and Destroy, update it, immunize, then scan. I believe Spybot finds that trojan; it's pretty popular. PimpMyPc
     
  5. kritius

    kritius TS Guru Posts: 2,084

    Hence going through the cleanup process first.

    SDFix should also get rid of that one.
     
  6. impaq

    impaq TS Rookie Topic Starter

    Sorry it took so long; I've been busy and it took a while to do all the steps, but I managed to do them all. Thanks, and lol, I know my computer's in bad shape. It's been slow and crappy ever since my hard drive burned and I got a new one and got it fixed at a shop; it's been prone to this behavior.
     
  7. kritius

    kritius TS Guru Posts: 2,084

    There are several problems with this computer.

    It's going to take me a while to write out a proper fix, so please hold tight and don't try to fix anything in the meantime.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    In the meantime, while the malware is being rounded up:

    STOP these auto-updates:
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    You are way behind on the current Java version and update. Current is v6/u5. So when you get clean, you can uninstall this version in the Control Panel and install the current version; these later versions addressed some security issues:
    http://java.sun.com/javase/downloads/index.jsp

    Go to Start> Run> type in 'msconfig' without the quotes> enter> Selective Startup> Startup tab> uncheck all of the following programs:
    C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe>
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe> Global Startup:personal Coach.lnk
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    IF any of the following show on Startup, uncheck them also:
    C:\Program Files\WinSecureAv\pgs.exe /min
    Description: Related to the rogue anti-spyware program called WinSecureAv. This program is installed via the use of malware and displays false or exaggerated infection results.
    File Location: C:\Program Files\WinSecureAv\pgs.exe

    C:\Windows\System32\mszsrn32.dll
    Description: Added by the W32.Banwarum@mm mass-mailing worm.
    File Location: %System%
    Startup Type: This program uses the Winlogon Notify key to automatically start. This key is used to run certain programs when specific actions occur such as computer starting up, a user logging in or logging off, or a computer shutting down.

    O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\System32\mszsrn32.dll (file missing)
    O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)

    When finished unchecking: Apply> OK> Reboot>
    Close the nag message that comes up after checking 'don't show this message again.'

    These will not remove the files from your system. But it may keep them from doing more damage. If you see any of the processes listed in the Task Manager> highlight> End Task.

    kritius, I hope this will help out.
     
  9. kritius

    kritius TS Guru Posts: 2,084

    It's better to have everything enabled in MSCONFIG while doing a fix because you want everything visible; it's better to use Spybot or CCleaner to control the startups.

    The rest is grand though.
     
  10. kritius

    kritius TS Guru Posts: 2,084

    ok.

    Do you live in Canada? I need to know to check your IP settings are legit.

    Let's get started then.

    Before continuing, please download and install XP SP1a.

    Select the language of your operating system and click Go to download it.

    Restart the computer for changes to take effect.

    If you have problems downloading and installing, please let me know.

    Upload a File to Jotti
    Please visit http://virusscan.jotti.org/

    Copy/paste this file and path into the white box at the top:
    Press Submit - this will submit the file for testing.
    Please wait for all the scanners to finish then post the results in your next response.
    Do this for each file

    Fix entries with HijackThis

    Open up Hijackthis.
    Click on do a system scan only.
    Place a checkmark next to these lines (if still present).

    O4 - HKLM\..\Run: [yijfxmoo] C:\WINDOWS\system32\yijfxmoo.exe
    O4 - HKLM\..\Run: [wcdxjyyh] C:\WINDOWS\system32\wcdxjyyh.exe
    O4 - HKCU\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe /min
    O4 - HKLM\..\Policies\Explorer\Run: [YmbAAfe5dA] C:\WINDOWS\TEMP\comsvr32.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
    O20 - AppInit_DLLs: C:\WINDOWS\System32\svch6ng.dll
    O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\System32\mszsrn32.dll (file missing)
    O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)
    O21 - SSODL: RunOnceSrv - {109fd9c6-7aea-478a-be60-5e6b3a7bbbab} - C:\WINDOWS\Installer\{109fd9c6-7aea-478a-be60-5e6b3a7bbbab}\RunOnceSrv.dll (file missing)
    O23 - Service: FireDaemon Service: events (events) - Unknown owner - C:\windows\system32\spool\printers\FireDaemon.exe (file missing)
    O23 - Service: Google Online Search Service - 2nd - Unknown owner - C:\WINDOWS\System32\winlast.exe (file missing)


    Then close all windows except Hijackthis (including this one) and click Fix Checked
    Close HijackThis.

    Delete files and folders

    • I need you to right click on the start button
      click on explore
      and navigate to and delete these files or folders (if present):


      C:\WINDOWS\system32\yijfxmoo.exe<-----This file
      C:\WINDOWS\system32\wcdxjyyh.exe<-------This file
      C:\Program Files\AVSystemCare\pgs.exe<----This folder
      C:\WINDOWS\TEMP\comsvr32.exe<------This file
      C:\WINDOWS\bdoscandel.exe<------This file
      C:\WINDOWS\System32\svch6ng.dll<-----This file
      C:\WINDOWS\System32\mszsrn32.dll<-------This file
      C:\windows\system32\spool\printers\FireDaemon.exe<------This file
      C:\WINDOWS\System32\winlast.exe<------This file


    Please go to Kaspersky website and perform an online antivirus scan. Please use Internet Explorer as it uses ActiveX.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an ActiveX from Kaspersky. Click Yes.
    3. When the downloads have finished, click on Next button.
    4. Click on Scan Settings button.
    5. Select extended under Scan using the following antivirus database:
    6. Check (tick) these boxes under Scan options:
      • Scan Archives
      • Scan Mail Bases
    7. Click OK
    8. Click on My Computer under Please select a target to scan:
    9. Once the scan is complete it will display if your system has been infected. Click on Save as text button and save it to your desktop.
    10. Copy and paste this log in your next reply.

    Run HijackThis again and post a fresh log

    In your next reply you should have:
    1) fresh HJT log
    2) Kaspersky log


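The O4/O20/O23 entries that Bobbye and kritius single out above share a few observable traits: the target file is missing, the executable sits in TEMP or the printer spool directory, the name is eight random letters in system32, a DLL is hooked through AppInit_DLLs or Winlogon Notify, or a service has no owner. As an added example that is not part of this thread or of HijackThis itself, the following Python triages lines in HijackThis log format by those traits; the sample lines are constructed from the entries quoted above plus one benign control line (the jusched.exe updater Bobbye mentions), and the eight-letter-name rule is an assumed heuristic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis log format: the entries quoted in this thread
# plus one benign control line (the jusched.exe updater Bobbye mentions).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [yijfxmoo] C:\WINDOWS\system32\yijfxmoo.exe
O4 - HKCU\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe /min
O4 - HKLM\..\Policies\Explorer\Run: [YmbAAfe5dA] C:\WINDOWS\TEMP\comsvr32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\svch6ng.dll
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\System32\mszsrn32.dll (file missing)
O23 - Service: FireDaemon Service: events (events) - Unknown owner - C:\windows\system32\spool\printers\FireDaemon.exe (file missing)
"""
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")                          # "O4 - <body>"
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll))", re.IGNORECASE)  # first exe/dll path

@dataclass
class Finding:
    section: str                       # HJT section, e.g. O4, O20, O23
    path: str                          # first executable/DLL path on the line
    reasons: list = field(default_factory=list)

def triage_line(line: str):
    """Return a Finding for one HJT line, or None if nothing on it looks suspicious."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    pm = PATH_RE.search(body)
    path = pm.group(1) if pm else ""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    if "(file missing)" in body:
        reasons.append("orphaned entry: target file is gone but the autostart remains")
    if "\\temp\\" in low or "\\spool\\printers\\" in low:
        reasons.append("executable lives in a temp or printer spool directory")
    # Assumed heuristic: eight random lowercase letters in system32 (yijfxmoo.exe, wcdxjyyh.exe).
    if "\\system32\\" in low and re.fullmatch(r"[a-z]{8}\.exe", name):
        reasons.append("random-looking filename in system32")
    if section == "O20":
        reasons.append("O20 loader persistence (AppInit_DLLs or Winlogon Notify)")
    if section == "O23" and "unknown owner" in body.lower():
        reasons.append("service with no vendor attribution")
    return Finding(section, path, reasons) if reasons else None

def triage(log_text: str):
    """Triage a whole HJT log; returns only the lines that raised at least one reason."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]
```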
     
  11. impaq

    impaq TS Rookie Topic Starter

    Yes, I live in Canada.

    Also, kritius, I've been told that I don't have a legit copy of Windows XP on my hard drive. Prior to my computer being fried I had a legit copy; then I went to get it fixed at a little shop and they put on this copy I have now, and I was also told that SP1 would damage my computer if I don't have a legit copy of XP. Is that true? Before I download it, lol. Btw, thanks a lot for your help; it's appreciated.
     
  12. kritius

    kritius TS Guru Posts: 2,084

    Unfortunately I can't work on a non-legit copy.

    If you go to the Microsoft website and use the validation tool and it turns out that your copy is not legit, then you will have to take that up with the shop that installed it for you.

    Sorry.
     
  13. impaq

    impaq TS Rookie Topic Starter

    Sorry, I haven't been home in a while and I haven't yet verified if my copy is legit or not, but I'm planning on buying myself a laptop and fixing this for my brother. Even if it's not legit, could you at least help me get rid of the virus, please?
     
  14. kritius

    kritius TS Guru Posts: 2,084

    Download the diagnostic tool MGADiag and save it to your desktop.

    • Double-click on MGADiag.exe.
    • Click Run and Run again.
    • Click Continue, then Copy.
    • Next open Notepad, in the empty pane right click and select Paste. Save the file to your desktop so that you can attach it here
     