Virus infection

By lanimal
Jan 12, 2007
Topic Status:
Not open for further replies.
  1. Hi guyz, this is my first thread. I have a serious problem, my computer has been infected and I feel my computer dying every day. I don't know what virus it is but it's disabled a lot of things: no more task manager, no Search, Run; I cannot right-click on a file in my computer, even system restore has been disabled. I've tried to clean using McAfee enterprise without any success.
    Pleeeeeeeeeeeeeeease help, I'd really appreciate if someone could come to my rescue.
    Thanks in advance
  2. raybay

    raybay TechSpot Evangelist Posts: 10,716   +6

    Tell us computer brand and model, OS, Internet connection, computer age and configuration. How valuable is the data on the drive?
    What makes you think it is a virus? Have you tried external scans from Panda and elsewhere?
    Have you tried running Windows in repair mode?
    What spyware blocker do you use, or is it only McAfee?
  3. lanimal

    lanimal Newcomer, in training Topic Starter Posts: 27

    My computer is a built one, I bought it in 03 and upgraded the processor and the memory. The OS is XP SP2, I use a high speed from Comcast.
    I'm still trying Trend Micro HouseCall and AVG, they've been running for about 4 hours now. I tried the new McAfee but nothing.
    I think it's a virus because some functions have been disabled and I'm not able to reverse any of them; and when I type my cursor just goes wherever it wants except where I want it to go. I also tried HJT but nothing.

    It might not be a virus after I don't really know, all I know is that it's malicious. I don't know much about the configuration, and my data is very important.
  4. raybay

    raybay TechSpot Evangelist Posts: 10,716   +6

    I doubt that it is a virus or spyware infestation based on what you have told us.
    I would boot to the Windows XP disc and run it in repair mode... there may be previous damage from an infestation, though.
  5. lanimal

    lanimal Newcomer, in training Topic Starter Posts: 27

    Unfortunately I don't have the CD for XP. I did restart the computer after the AVG scan which found 4 threats, but it's still the same, I do not know what to do. Maybe this would help, I had to disable IE because after I tried to install the McAfee program from where it all started, pop-ups would just open ridiculously, now I'm only using Firefox.

    If someone can tell me how to activate my Run and Search options I think that can be the start of something. Because I don't think I can reboot in safe mode without the Run.

    I went to this site and it helped enable my Task Mngr
    http://www.dougknox.com/xp/utils/xp_taskmgrenab.htm
    Please help me for the rest, I'm trying real hard
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of lanimal only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  7. lanimal

    lanimal Newcomer, in training Topic Starter Posts: 27

    Scan

    Here's the Hijackscan, I don't know how to get the log for AVG. Also, sorry for the delay and thanks for your help. However, I'm still not able to access the right click menu when in Explorer nor the Search menu in Explorer.
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your system is badly infected.

    You need to follow the instructions in the link I gave you exactly. This includes renaming HijackThis and running an AVG Antispyware scan. Instructions on how to save the AVG Antispyware scan are in the link. Once you`ve completed that, post fresh HJT and AVG Antispyware logs.

    Regards Howard :)

  9. lanimal

    lanimal Newcomer, in training Topic Starter Posts: 27

    Quickly tell me where I should go to rename Hijack. Is it on the desktop or elsewhere?
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    All the instructions you need are in this link HERE.

    Regards Howard :)

  11. lanimal

    lanimal Newcomer, in training Topic Starter Posts: 27

    Avg

    For some reasons I cannot find these on my AVG: Click 'Scanner'. Then click 'Complete System Scan' and 'Recommended Action' and change it to 'Quarantine', not even 'Apply all actions'. That's why I told you I couldn't find the report. I only have a report for Hijack and I changed the name but I'm not sure I did it right because when I try to download I'm not able to see Hijackthis.exe in my Program files. I'm going to post my new Hijack though.
     
  12. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Just to be sure, we are talking about the same programme aren`t we? The AVG Antispyware programme, is not the same as the AVG free antivirus programme.

    Here are the full instructions for AVG Antispyware.

    Download and install AVG Antispyware(formerly Ewido) from http://www.ewido.net/en/download/
    Double-click the icon on your desktop to run it.
    On the top of the main screen click Shield. Click the word active to change it to inactive.
    On the top of the main screen click 'Update'. Then click on 'Start update'. The update will start and a progress bar will show the updates being installed.
    If you are having problems with the updater, you can get the manual update at http://download.ewido.net/ewido-sign...ll-current.exe
    When you have finished updating, exit AVG Antispyware.

    Make sure all windows are closed. Run AVG Antispyware.
    Click 'Scanner'. Then click 'Complete System Scan' to begin scanning.
    When the scan is complete click 'Recommended Action' and change it to 'Quarantine'.
    Then click 'Apply all actions'.

    Once finished, click the save scan report button, followed by the Save report as button and save it to your desktop.

    Regards Howard :)

  13. lanimal

    lanimal Newcomer, in training Topic Starter Posts: 27

    Indeed, I downloaded the antivirus, now I'm working with the antispyware.
  14. Rik

    Rik Banned Posts: 4,985

    Perhaps this will give you a clue on how to save an AVG anti-spyware log.
  15. lanimal

    lanimal Newcomer, in training Topic Starter Posts: 27

    Here are the two logs. However, the Apply All Actions button doesn't get highlighted

    I was able to figure it out, here's the new AVG log after putting everything in quarantine, if that'll help
  16. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Excellent.

    Download the Pocket Killbox programme from HERE. Extract it but don`t run it yet.

    We need to temporarily disable Spybot search & Destroy`s tea time, as it may interfere with any fix we are trying to run.

    Disable Spybot's TeaTimer. This is a two step process.
    First:
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    Second:
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Delete all files in AVG Antispyware quarantine.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Microsoft authenticate service (MsaSvc)<Disable both the service name and or the name in brackets, if there.

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    msasvc.exe
    bundle.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

    O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\system32\imtqodk.dll (file missing)

    O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - (no file)

    O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\nfleyyqg.dll (file missing)

    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

    O4 - HKLM\..\Run: [EoEngine] -

    O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\bundle.exe

    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O11 - Options group: [INTERNATIONAL] International*

    Fix all the O18 - Protocol: Logitech entries.

    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll

    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

    O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\system32\msasvc.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\bundle.exe

    Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

    This is the filepath you need to enter into killbox.

    c:\windows\system32\ldcore.dll

    Once your system has rebooted, rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of lanimal only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
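
The reasoning behind the fix list in the post above can be expressed as a small triage script. This is an added example, not part of the original post or of HijackThis itself; the flagging rules are assumptions drawn from the entries in this thread, and `CONSTRUCTED_BENIGN` is a made-up entry for contrast.

```python
import re

# Log lines copied from the fix list in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\system32\imtqodk.dll (file missing)
O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - (no file)
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\bundle.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
"""

# Constructed benign entry for contrast (hypothetical application name and path).
CONSTRUCTED_BENIGN = r"O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe"

# A HijackThis line is "<section code> - <entry>", e.g. "O23 - Service: ...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def triage(line):
    """Return code, entry and the reasons an entry deserves a closer look."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a HijackThis entry line
    code, body = m.group("code"), m.group("body")
    low = body.lower()
    reasons = []
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("target file absent")
    if code == "O23" and "unknown owner" in low:
        reasons.append("service binary reported as Unknown owner")
    if code == "O4" and "\\temp\\" in low:
        reasons.append("autostart from a Temp directory")
    if code == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
        reasons.append("DLL loaded into every process that loads user32.dll")
    if code == "O2" and "(no name)" in low:
        reasons.append("unnamed browser helper object")
    if code in ("R0", "R1") and "proxyserver" in low:
        reasons.append("Internet Explorer proxy setting present")
    return {"code": code, "entry": body, "reasons": reasons}


def triage_log(text):
    """Triage every line of a pasted log; keep only flagged entries."""
    results = (triage(line) for line in text.splitlines())
    return [r for r in results if r and r["reasons"]]


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["code"], "|", "; ".join(hit["reasons"]), "|", hit["entry"])
```

A flagged line is a prompt to look at the entry by hand, not a verdict: legitimate software also leaves orphaned "(file missing)" entries behind after an uninstall.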
  17. lanimal

    lanimal Newcomer, in training Topic Starter Posts: 27

    New Log

    Here's the new log
  18. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Microsoft authenticate service

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    msasvc.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O18 - Protocol: offline-8876480 - {9D3C3977-5841-455E-BAE0-EAEA0DFE7420} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\system32\msasvc.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log.

    Regards Howard :)

  19. lanimal

    lanimal Newcomer, in training Topic Starter Posts: 27

    Thanks for your help, I sincerely appreciate it.

    But I still cannot access the right click menu on files nor access the Search on Windows Explorer.
  20. tomrca

    tomrca Newcomer, in training Posts: 1,051

    Your HJT is identical to the previous one. After doing repairs you need to run a fresh HJT scan.
  21. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    There`s something weird going on here, as the O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing) is still there, when it shouldn`t be.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Microsoft authenticate service (MsaSvc)<Look for and disable the servicename and/or the name in brackets.

    Close the services window.

    Reboot your system and post a fresh HJT log.

    Regards Howard :)

  22. lanimal

    lanimal Newcomer, in training Topic Starter Posts: 27

    Hjt log

    I did run a fresh one, but here's another one
  23. Rik

    Rik Banned Posts: 4,985

    Right at the beginning of all of this you were given a set of instructions to follow. In those instructions you were told to rename hijackthis.exe to analyze.exe.

    You have not done so and it's very important that you do!!!!!!



  24. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    You really do need to rename HJT as per the instructions in this thread HERE.

    Also, the nasty O23 entry is still in your HJT log. Are you sure you`ve followed the instructions for disabling and deleting it properly?

    Regards Howard :)

  25. lanimal

    lanimal Newcomer, in training Topic Starter Posts: 27

    Like I said before, for some reasons in my HijackThis folder all I have is the shortcut and the uninstall icon and the path is different from what you have on your message; here's mine: C:\Documents and Settings\All Users\Start Menu\Programs\Hijackthis, no .exe file.
    For the services.mscon I can't find it on my Taskmngr and the other one you suggested I erase. I'm going to try one more time, but please don't lose patience because I need my computer to be performing well, and right now it's a nightmare.

    This one should be good...i think