Virus infection

Status
Not open for further replies.

lanimal

Hi guys, this is my first thread. I have a serious problem: my computer has been infected and I feel my computer dying every day. I don't know what virus it is, but it has disabled a lot of things: no more Task Manager, no Search, no Run; I cannot right-click on a file in My Computer, and even System Restore has been disabled. I've tried to clean it using McAfee Enterprise without any success.
Please help, I'd really appreciate it if someone could come to my rescue.
Thanks in advance
 
Tell us computer brand and model, OS, Internet connection, computer age and configuration. How valuable is the data on the drive?
What makes you think it is a virus? Have you tried external scans from Panda and elsewhere?
Have you tried running Windows in repair mode?
What spyware blocker do you use, or is it only McAfee?
 
My computer is a built one; I bought it in '03 and upgraded the processor and the memory. The OS is XP SP2, and I use a high-speed connection from Comcast.
I'm still trying Trend Micro HouseCall and AVG; they've been running for about 4 hours now. I tried the new McAfee but nothing.
I think it's a virus because some functions have been disabled and I'm not able to reverse any of them, and when I type my cursor just goes wherever it wants except where I want it to go. I also tried HJT but nothing.

It might not be a virus after all, I don't really know; all I know is that it's malicious. I don't know much about the configuration, and my data is very important.
 
I doubt that it is a virus or spyware infestation based on what you have told us.
I would boot to the Windows XP disc and run it in repair mode... there may be previous damage from an infestation, though.
 
Unfortunately I don't have the CD for XP. I did restart the computer after the AVG scan, which found 4 threats, but it's still the same; I do not know what to do. Maybe this would help: I had to disable IE because after I tried to install the McAfee program, which is where it all started, pop-ups would just open ridiculously; now I'm only using Firefox.

If someone can tell me how to activate my Run and Search options, I think that can be the start of something, because I don't think I can reboot in safe mode without the Run.

I went to this site and it helped enable my Task Manager:
http://www.dougknox.com/xp/utils/xp_taskmgrenab.htm
Please help me with the rest, I'm trying real hard.
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of lanimal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Scan

Here's the HijackThis scan; I don't know how to get the log for AVG. Also, sorry for the delay and thanks for your help. However, I'm still not able to access the right-click menu in Explorer, nor the Search menu in Explorer.
 
Your system is badly infected.

You need to follow the instructions in the link I gave you exactly. This includes renaming HijackThis and running an AVG Antispyware scan. Instructions on how to save the AVG Antispyware scan are in the link. Once you've completed that, post fresh HJT and AVG Antispyware logs.

Regards Howard :)

 
All the instructions you need are in this link HERE.

Regards Howard :)

 
Avg

For some reason I cannot find these in my AVG: Click 'Scanner'. Then click 'Complete System Scan' and 'Recommended Action' and change it to 'Quarantine', not even 'Apply all actions'. That's why I told you I couldn't find the report. I only have a report for HijackThis, and I changed the name, but I'm not sure I did it right because when I try to download I'm not able to see Hijackthis.exe in my Program Files. I'm going to post my new HijackThis log though.
 
Just to be sure, we are talking about the same programme, aren't we? The AVG Antispyware programme is not the same as the AVG free antivirus programme.

Here are the full instructions for AVG Antispyware.

Download and install AVG Antispyware(formerly Ewido) from http://www.ewido.net/en/download/
Double-click the icon on your desktop to run it.
On the top of the main screen click Shield. Click the word active to change it to inactive.
On the top of the main screen click 'Update'. Then click on 'Start update'. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can get the manual update at http://download.ewido.net/ewido-sign...ll-current.exe
When you have finished updating, exit AVG Antispyware.

Make sure all windows are closed. Run AVG Antispyware.
Click 'Scanner'. Then click 'Complete System Scan' to begin scanning.
When the scan is complete click 'Recommended Action' and change it to 'Quarantine'.
Then click 'Apply all actions'.

Once finished, click the save scan report button, followed by the Save report as button and save it to your desktop.

Regards Howard :)

 
Perhaps this will give you a clue on how to save an AVG anti-spyware log.

avg.jpg



 
Here are the two logs. However, the Apply All Actions button doesn't get highlighted.

I was able to figure it out; here's the new AVG log after putting everything in quarantine, if that'll help.
 
Excellent.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Delete all files in AVG Antispyware quarantine.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Microsoft authenticate service (MsaSvc) <- Disable both the service name and/or the name in brackets, if there.

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

msasvc.exe
bundle.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\system32\imtqodk.dll (file missing)

O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - (no file)

O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\nfleyyqg.dll (file missing)

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [EoEngine] -

O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\bundle.exe

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [INTERNATIONAL] International*

Fix all the O18 - Protocol: Logitech entries.

O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\system32\msasvc.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\bundle.exe

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

This is the filepath you need to enter into killbox.

c:\windows\system32\ldcore.dll

Once your system has rebooted, rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

 
Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Microsoft authenticate service

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

msasvc.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O18 - Protocol: offline-8876480 - {9D3C3977-5841-455E-BAE0-EAEA0DFE7420} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\system32\msasvc.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

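The two sets of removal instructions above work from HijackThis (HJT) log lines, and the reasoning Howard applies is the same each time: an autostart entry pointing into a Temp folder, an AppInit_DLLs value, a Winlogon Notify package, an unknown-owner service whose binary is missing, and orphaned BHO/toolbar registrations are the entries worth acting on. The following Python script is an added example, not something posted in this thread or shipped with HijackThis: it parses HJT-style lines and applies those triage rules so a helper can prioritise a log before deciding what to fix. The severity labels and the heuristics in `classify()` are my own assumptions, and the sample log is constructed from the entries quoted in the posts above.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the HijackThis entries quoted in this thread,
# gathered into one text so the triage below can run offline.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\system32\imtqodk.dll (file missing)
O2 - BHO: EoRezoBHO - {64F56FC1-1272-44CD-BA6E-39723696E350} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [EoEngine] -
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\bundle.exe
O18 - Protocol: offline-8876480 - {9D3C3977-5841-455E-BAE0-EAEA0DFE7420} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
"""

# HJT entries look like "O23 - <body>"; anything else (headers, process list) is skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

SEVERITY_ORDER = ["high", "medium", "low", "info"]


@dataclass
class Finding:
    section: str
    body: str
    severity: str   # one of SEVERITY_ORDER
    reason: str


def parse_entry(line):
    """Split one HJT line into (section, body); return None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def classify(section, body):
    """Heuristic triage of a single entry (assumed rules). Returns (severity, reason)."""
    low = body.lower()
    orphan = "(file missing)" in low or "(no file)" in low
    if section == "O20" and low.startswith("appinit_dlls") and low.split(":", 1)[1].strip():
        return "high", "AppInit_DLLs loads the listed DLL into every user-mode process; legitimate software rarely uses it"
    if section == "O4" and "\\temp\\" in low:
        return "high", "autostart entry launching an executable from a Temp directory"
    if section == "O23" and "unknown owner" in low:
        suffix = " and its binary is already gone (orphaned registration)" if orphan else ""
        return "high", "service with no known vendor" + suffix
    if section == "O20" and "winlogon notify" in low:
        return "medium", "Winlogon Notify package: a persistence point that runs at every logon"
    if section == "R1" and "proxyserver" in low:
        return "medium", "Internet Explorer proxy override; a proxy hijack can redirect all browsing"
    if orphan:
        return "low", "registration points to a file that no longer exists; harmless but should be cleaned up"
    return "info", "no heuristic matched; verify vendor and path manually"


def triage(log_text):
    """Run every entry in an HJT log through classify() and return Finding objects."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        severity, reason = classify(section, body)
        findings.append(Finding(section, body, severity, reason))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = sorted(triage(SAMPLE_HJT_LOG), key=lambda f: SEVERITY_ORDER.index(f.severity))
    for f in results:
        print(f"[{f.severity:6}] {f.section} - {f.body}")
        print(f"         {f.reason}")
    print(summarize(results))
```

Running it prints the entries most-urgent first; on the constructed log the three "high" hits are exactly the ones Howard has the user stop, disable and delete (bundle.exe in Temp, ldcore.dll via AppInit_DLLs, and the MsaSvc service), while the Logitech O18 protocol handler lands in "info" because the script has no basis to judge it and leaves that to the helper. Paste a real log into `SAMPLE_HJT_LOG` (or read it from a file) to triage it the same way.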
 
Thanks for your help, I sincerely appreciate it.

But I still cannot access the right-click menu on files, nor the Search in Windows Explorer.
 
Your HJT log is identical to the previous one. After doing repairs you need to run a fresh HJT scan.
 
There's something weird going on here, as the O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing) is still there, when it shouldn't be.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Microsoft authenticate service (MsaSvc) <- Look for and disable the service name and/or the name in brackets.

Close the services window.

Reboot your system and post a fresh HJT log.

Regards Howard :)

 
Right at the beginning of all of this you were given a set of instructions to follow. In those instructions you were told to rename hijackthis.exe to analyze.exe.

You have not done so and it's very important that you do!!!!!!



 
You really do need to rename HJT as per the instructions in this thread HERE.

Also, the nasty O23 entry is still in your HJT log. Are you sure you've followed the instructions for disabling and deleting it properly?

Regards Howard :)

 
Like I said before, for some reason in my HijackThis folder all I have is the shortcut and the uninstall icon, and the path is different from what you have in your message; here's mine: C:\Documents and Settings\All Users\Start Menu\Programs\Hijackthis, no .exe file.
For the services.msc one, I can't find it in my Task Manager, and the other one you suggested I erase. I'm going to try one more time, but please don't lose patience, because I need my computer to be performing well, and right now it's a nightmare.

This one should be good... I think.
 