Virus Troubles - Am I virus free?

Status
Not open for further replies.

JuliusCaesar

Posts: 73   +0
Today I got a virus, it was some sort of fake security virus. I don't recall the name, but it was pretty serious. It completely shut down MBAM, wouldn't let me use Spybot S&D, and made avast be sluggish. SuperAntiSpyware didn't detect anything. The first thing I did was disable my wireless connection, so the virus couldn't download anything more (I'm not sure how to re-enable it, but that could be dealt with once I am virus free.) I found some handy advice on the internet (different computer), started in safe mode, deleted a few files, rebooted and got rid of the program. Spybot S&D now works (good thing I updated it just last night) and it got rid of 7 or so trojans, the usual suspects, FireWall Bypasser, etc. There's one virus that I can't seem to get rid of though. It is Virtumonde.sdn. I deleted it, ran another S&D scan, which took about an hour, but then I pressed something and it started a new scan. I don't want to wait another hour or so, although I will run another scan tomorrow. I just want to know, where is this virus? How do I remove it manually? Avast didn't detect anything, neither did SuperAntiSpyware. I think Malwarebytes was completely gutted by the first virus. I can't use it at all. I will run CCleaner before I go to bed. Attached is the HijackThis log. Many thanks to whoever helps me.

-Edit: I remember, the phony antivirus was called Security Tool. -
 
I think I may have gotten rid of it by moving it to my flash drive, the trouble is that I believe the flash drive to be infected now... I used a micro SD card to transport the latest HijackThis log, the computer is still not connected to the internet. Attached is the latest HijackThis log, I would really appreciate some help.
 
I connected to the internet, and then Avast caught a virus. I don't know why Avast isn't catching whatever is causing the virus. I can't download MBAM either. Please someone help!
 
The name of the file in which the virus is stored is called "geyozesa". I can't delete it, I have tried many things but it just comes back. S and D deletes it, it comes back. SuperAntiSpyware says it's clean, and Avast! won't scan it for some reason. Again, I cannot use or download MBAM. This is the latest HijackThis log (attached).
 
Ok I have read the logs. I'll review it in-depth later. I'll see what I can do.

[add'l]

Launch Explorer
Type this at the address bar:
C:\Documents and Settings\All Users\Application Data\17603421

E-mail me a copy of 17603421.exe. This is how you do it: zip it with the password 1234 and attach it.
 
I suggest fixing these; they're all bad:

O2 - BHO: (no name) - {2fc01d2a-bd29-44b0-bb3a-5b8b45054743} - rizepato.dll (file missing)
O4 - HKLM\..\Run: [17603421] C:\DOCUME~1\ALLUSE~1\APPLIC~1\17603421\17603421.exe
O4 - HKLM\..\Run: [hopepubisu] Rundll32.exe "lotakine.dll",s
O20 - AppInit_DLLs: GRA~1\Google\GOOGLE~1\GOEC62~1.DLL sumonibe.dll c:\windows\system32\barihuye.dll,wavenimu.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: ruyayeyew - {33d38132-5d08-428d-b216-54aec7e1d936} - c:\windows\system32\barihuye.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {33d38132-5d08-428d-b216-54aec7e1d936} - c:\windows\system32\barihuye.dll (file missing)

Are you able to run mbam and SAS after that?
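The six entries above are the kind a helper picks out of a HijackThis log by eye: hooks whose target file is missing, an unnamed BHO, an AppInit_DLLs entry, SSODL/SharedTaskScheduler hooks, and DLLs with random-looking names. The following script is an added example, not part of this thread or of HijackThis itself; it parses `Onn - ...` lines and applies those same review heuristics. The sample input is the six lines quoted above plus two benign entries constructed here for contrast, and the "8 lowercase letters" name test, the digits-only Run-key test and the bare-name rundll32 test are assumptions made for this example, not rules from the thread.

```python
import re

# Constructed sample input: the six HijackThis entries quoted in the post above,
# plus two benign entries written here purely for contrast (constructed, not from the thread).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2fc01d2a-bd29-44b0-bb3a-5b8b45054743} - rizepato.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [17603421] C:\DOCUME~1\ALLUSE~1\APPLIC~1\17603421\17603421.exe
O4 - HKLM\..\Run: [hopepubisu] Rundll32.exe "lotakine.dll",s
O20 - AppInit_DLLs: GRA~1\Google\GOOGLE~1\GOEC62~1.DLL sumonibe.dll c:\windows\system32\barihuye.dll,wavenimu.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: ruyayeyew - {33d38132-5d08-428d-b216-54aec7e1d936} - c:\windows\system32\barihuye.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {33d38132-5d08-428d-b216-54aec7e1d936} - c:\windows\system32\barihuye.dll (file missing)
"""

ENTRY_RE = re.compile(r'^(O\d+) - (.*)$')                 # "O4 - HKLM\..\Run: ..." style lines
DLL_RE = re.compile(r'([A-Za-z0-9_~]+)\.dll', re.IGNORECASE)  # basename of every .dll mentioned
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}$')                # heuristic (assumption): 8 lowercase letters
DIGITS_ONLY_RUN_RE = re.compile(r'\[(\d+)\]')             # Run value whose name is only digits
BARE_RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^\\"\s]+\.dll)', re.IGNORECASE)


def parse_entries(text):
    """Return one {'section', 'body', 'raw'} dict per 'Onn - ...' line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({'section': m.group(1), 'body': m.group(2), 'raw': line})
    return entries


def flag_entry(entry):
    """Return human-readable reasons an entry deserves review; an empty list means nothing odd."""
    section, body = entry['section'], entry['body']
    reasons = []
    if '(file missing)' in body:
        reasons.append('hook points at a file that no longer exists (orphaned after a partial cleanup)')
    if section == 'O2' and body.startswith('BHO: (no name)'):
        reasons.append('browser helper object registered without a name')
    if section == 'O20':
        reasons.append('AppInit_DLLs: every listed DLL is loaded into each process that loads user32.dll')
    if section in ('O21', 'O22'):
        reasons.append('shell load hook (SSODL/SharedTaskScheduler) that runs at every logon')
    if section == 'O4':
        if DIGITS_ONLY_RUN_RE.search(body):
            reasons.append('Run entry whose name is only digits')
        m = BARE_RUNDLL_RE.search(body)
        if m:
            reasons.append('rundll32 loading %s by bare name (resolved via the DLL search path)' % m.group(1))
    # Collect DLL basenames that look machine-generated (heuristic, see lead-in).
    odd = sorted({name for name in DLL_RE.findall(body) if RANDOM_NAME_RE.match(name)})
    if odd:
        reasons.append('random-looking DLL names: ' + ', '.join(odd))
    return reasons


def triage(text):
    """Map each flagged entry's raw line to its reasons; clean entries are left out."""
    result = {}
    for entry in parse_entries(text):
        reasons = flag_entry(entry)
        if reasons:
            result[entry['raw']] = reasons
    return result


if __name__ == '__main__':
    for raw, reasons in triage(SAMPLE_LOG).items():
        print(raw)
        for reason in reasons:
            print('    -', reason)
```

Running it prints the six suspicious entries with their reasons and stays silent on the two benign ones; the value of the script is that each "fix this" recommendation comes with the reason a reviewer would give, which is what a person learning to read these logs needs.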
 
@ WinXPert

Get rid of your e-mail address.

@ momok

There will be a patched windows file that may be blocking MBAM.
 
Julius:

Please download Combofix from HERE and save it to your desktop.

Rename it to "momok.exe" and run it. Don't do anything else on your system during the scan.

Post your log C:\combofix.txt back here after you're done with the scan.
 
Thanks, I will download it when I get home tonight. I will download the exe to a diff comp, and save it to my flash drive, which I will open on the computer, to avoid connecting that computer to the internet.

note: When I turn on my computer, it displays a message that says something like "lotakine.dll has failed to initialize." I know that lotakine is a virus. Here is the combofix log:
 

Attachments

  • combofix log.txt
    16.1 KB · Views: 8
Hi, sorry for the late reply. Your log is looking a lot cleaner. Are you facing any peculiar problems?

Please download and run ATF Cleaner from HERE to clear your temp files.

Next, run mbam again to let me see your fresh log.

Then, please update your Java Runtime Environment here.

Finally, please run an online scan with Kaspersky here and post back with the results.
 
Hi, I will download the ATF Cleaner, but MBAM still isn't working, although I will try downloading it again. Do you think it's safe to connect to the internet? Last time I did my comp downloaded a whole bunch of malware.

-Edit- The "geyozesa" file still won't leave, and Spybot says that that is a trojan.

ReEdit: After running ATF, I don't see geyozesa :) I will run a Spybot S and D while I wait for your response.
 
Alright, that's good to hear. Do follow through with the steps I provided earlier before posting back with your results.
 
The Kaspersky link isn't working, I get this message (I am of course online):

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Key is expired]

That was with internet explorer, it doesn't seem to work with Google chrome.

Edit: grr... I thought I was virus free. See MBAM log

edit: I think that got all of the viruses though.
 

Attachments

  • hijackthis.log
    11.4 KB · Views: 5
  • mbam-log-2009-10-20 (21-44-14).txt
    1.1 KB · Views: 7
I ran another scan, it's clean and I am virus free. Thank you so much for your help momok. Your suggestions really helped, thanks to everyone else as well. I will in turn try to help others with computer problems on this site (the more simple problems.)
 
Kritius is right on the 2 files in your mbam. One belongs to the quarantine folder from combofix, and the other is your system restore point.

You're looking good to go, please go to start>run> combofix /u
Then go to system restore, disable then enable it again. This will clear your previous restore points and the nasties residing in them.
 
Thanks, I followed your instructions. Thanks for all your help, I will try to help with some of the more simple problems on this site if I can. Can you recommend a good firewall? I was using Windows Firewall, which isn't so good.
 
Here are two software firewall recommendations: both good, both free, use only one!

I recommend either of these software firewalls; both are free:
You should have only one software firewall. You may also use a router. Most routers have a hardware firewall in them. You can use both hardware and software firewalls together, but use only one software firewall.