
Extreme Virus Problem - Would not let me do the eight steps

By vernonv · 10 replies
Jun 17, 2009
  1. Hi Techspot,
    I have a pretty problematic virus going on in my computer and the symptoms are as follows:

    • Random audio clips playing that I’ve never ever heard of every 30 mins or so
    • Google ALWAYS redirecting me to other sites
    • Computer sometimes would freeze during the boot right before it gets to the password screen
    • Nero can't recognize my CD Drive saying "no devices detected"
    • Got a warning message saying Adobe has stopped a potentially dangerous file from playing
    • During shutdown, an error message pops up with the heading vsmon.exe

    In regards to the 8-step Preliminary Removal Instructions, I could not complete many of them because:
    • Malwarebytes will NOT respond and cannot be reinstalled
    • When trying to install SUPERAntiSpyware, an error message states that “SUPERAntiSpyware Free Edition has encountered a problem and needs to close. We are sorry for the inconvenience”
    • I didn’t DL and install Hijack This because it said to “Only do this step after completing the previous steps”

    I know how important these logs are to diagnose the problem but my computer simply will NOT let me do them. Any help would be extremely appreciated. Thanks in advance!

    UPDATE: Symptoms
  2. vernonv

    vernonv TS Rookie Topic Starter

    So, I saw in another topic where someone couldn't run the 8 steps as well and one of the experts suggested to run combofix so I tried it. However, when I did it gave a warning to turn off AVG but AVG was already off. It gave the warning again to turn off AVG so I restarted the computer unsure of what to do. Should I just run the program anyways?
  3. touch

    touch TS Rookie Posts: 978

    Hello vernonv

    Yes, just run the combofix with AVG enabled
  4. vernonv

    vernonv TS Rookie Topic Starter

    Okay I ran Combofix and I think it found a lot of rootkits and malware but I don't know if it removed everything. Here's the Combofix log.
  5. touch

    touch TS Rookie Posts: 978

  6. vernonv

    vernonv TS Rookie Topic Starter

    Okay I was finally able to run the 8 steps and here are my logs...
  7. touch

    touch TS Rookie Posts: 978

    Download: DelDomains.inf
    and save it to the desktop.

    Close all open browsers
    Right-click DelDomains.inf and select: Install

    Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
    O2 - BHO: (no name) - {19b67035-6802-4355-8aae-5e7eb4903731} - (no file)
    O2 - BHO: (no name) - {B81E9DF6-EB2C-4F9D-8DBC-9E47C25440D1} - (no file)
    O4 - HKLM\..\Run: [zebuzekefe] Rundll32.exe "C:\WINDOWS\system32\norereji.dll",s
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [WinRoll] C:\Program Files\WinRoll\winroll.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [MntWeb] C:\WINDOWS\system32\tkbsbezi.exe
    O4 - HKCU\..\Run: [MntAdmInfo] C:\WINDOWS\system32\henkdwhg.exe
    O4 - HKCU\..\Run: [ComWinAct] C:\WINDOWS\system32\izkfgfyf.exe
    O4 - HKCU\..\Run: [CmdMon] C:\WINDOWS\system32\wxifwfch.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [actmnt] C:\WINDOWS\system32\fsjibsvq.exe

    Reboot. Attach a new HijackThis log and tell me how things are running.
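    As an added illustration (not part of touch's post or of HijackThis itself), the script below parses the O2/O4 entries quoted above and flags the ones a helper would look at first: orphaned BHOs with "(no file)", eight-letter random-looking names under system32 (whether run directly or loaded through Rundll32), and non-.exe files launched from a Run key. The sample input is the log lines from the post; the name heuristics are assumptions, not a HijackThis rule.

```python
import re
from typing import Optional

# HijackThis lines quoted from touch's post above, used here as constructed sample input.
HJT_LINES = r"""
O2 - BHO: (no name) - {19b67035-6802-4355-8aae-5e7eb4903731} - (no file)
O4 - HKLM\..\Run: [zebuzekefe] Rundll32.exe "C:\WINDOWS\system32\norereji.dll",s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKCU\..\Run: [WinRoll] C:\Program Files\WinRoll\winroll.exe
O4 - HKCU\..\Run: [MntWeb] C:\WINDOWS\system32\tkbsbezi.exe
O4 - HKCU\..\Run: [actmnt] C:\WINDOWS\system32\fsjibsvq.exe
""".strip().splitlines()

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")  # assumed heuristic: eight lowercase letters, as in the entries above


def split_first(cmd: str):
    """Split a command line into its first path-like token and the remainder, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end < 0 else (cmd[1:end], cmd[end + 1:].strip())
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()


def launched_path(cmd: str) -> str:
    """Path actually loaded: the DLL argument for Rundll32 entries, otherwise the executable."""
    exe, rest = split_first(cmd)
    if exe.lower().endswith("rundll32.exe"):
        dll, _ = split_first(rest)
        return dll.split(",", 1)[0]      # drop the ",entrypoint" suffix
    return exe


def suspicion(line: str) -> Optional[str]:
    """Reason an entry deserves a second look, or None for a normal-looking one."""
    m = O2_RE.match(line)
    if m:
        return "orphaned BHO (no file)" if m.group("file") == "(no file)" else None
    m = O4_RE.match(line)
    if not m:
        return None
    parts = launched_path(m.group("cmd")).lower().split("\\")
    base = parts[-1]
    stem, _, ext = base.rpartition(".")
    in_system32 = "system32" in parts[:-1]
    if in_system32 and RANDOM_STEM_RE.match(stem):
        return f"random-looking {ext} in system32 ({base})"
    if in_system32 and ext not in ("exe", "dll"):
        return f"unusual extension launched from system32 ({base})"
    return None


def triage(lines):
    """Return [(line, reason)] for every entry the heuristics flag."""
    return [(ln, r) for ln in lines if (r := suspicion(ln))]
```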
  8. vernonv

    vernonv TS Rookie Topic Starter

    How exactly do I download the DelDomains.inf file from that link?

    And the computer is running much better now, thanks!
  9. touch

    touch TS Rookie Posts: 978

    That's good news :)

    Looks like you are using Firefox? Then right-click on the link and choose Save As.
  10. vernonv

    vernonv TS Rookie Topic Starter

    Okay I ran HJT again and I only found the first two files listed and removed them. Here's a new log and thanks once again! The computer is running better than ever!
  11. touch

    touch TS Rookie Posts: 978

    Clean log - good job :)

    Now that your computer problems are solved, it is time for the clean-up procedure.
    You should Create a New Restore Point to prevent possible reinfection from an old one.
    The easiest and safest way to do this is:
    Go to Start > All Programs > Accessories > System Tools > System Restore
    Select Create a restore point, and Ok it.
    Next, go to Start > Run and type in cleanmgr
    Select the More options tab
    Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.

    Click START then RUN
    Now type Combofix /u in the runbox and click OK.
    Note the space between the X and the U, it needs to be there.
    The above procedure will:
    Delete the following:
    ComboFix and its associated files and folders.
    VundoFix backups, if present.
    The C:\Deckard folder, if present.
    The C:\_OtMoveIt folder, if present.
    Reset the clock settings.
    Hide file extensions, if required.
    Hide System/Hidden files, if required.

    To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
    How did I get infected in the first place?

    Keep safe :wave: