infected computer?

Status
Not open for further replies.
Yesterdey after downloading a fake program file, mi computer stop working normally, now i have no icons nor taskbar on the desktop. Everything is running ok, I can launch programs from the task manager, except the explorer.exe that is immediately closed. I scanned the file before executing it with AVG and its lasts definitions and it didnt detect anything, then I scanned with A-Squared and ADaware 2007 and nothing was detected.
The only info I can post right now is the file I´ve downloaded because right now I´m at the office.
This is the file:
[CRACK NOCD] Colin McRae Dirt by Razor1911.zip (1058kb)
This zip contains: install.exe 1.127kb
Razor 1911.nfo 3kb

Can somenone help me?
 
Hi dkaox and welcome to techspot. =)

Important: Please read this thread HERE before you decide whether to clean or reformat your system.

Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs if not it will be ignored and/or removed.

Also, please let me know the results of the AVG Antirootkit scan


Regards,
Your friendly momok =)

This thread is for the use of dkaox only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks for the answer here I attached the HJT log.

Well, it seems that COMBOFIX repaired the infection.
after it scanned my computer, it rebooted and then everything seems to be working fine.
The program detected some DLL's and other files and then they were putted on a quarantine folder.
I've attached the combofix log to help other people cleaning this annoyance.

Moderator Edit: Please do not copy and paste the log. Instead attach the .log or .txt files in your replies.
 
Hi,

Your system is most definitely not clean yet. Please do the following.

You may wish to copy and paste these instructions on notepad for easier reference later.

Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

DirectX Service
Creative Service for CDROM Access


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {90F75E47-94D2-48AC-8D32-863356FA6578} - C:\WINDOWS\SYSTEM32\urqqnnk.dll
O2 - BHO: (no name) - {EF0EE45B-EB21-4B8F-A4C1-101628FFFC30} - C:\WINDOWS\system32\jkhhg.dll
O4 - Global Startup: Logitech SetPoint.lnk = ?
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted IP range: http://10.0.0.2
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
O20 - Winlogon Notify: urqqnnk - C:\WINDOWS\SYSTEM32\urqqnnk.dll
O23 - Service: Creative Service for CDROM Access - Unknown owner - (no file)
O23 - Service: DirectX Service (DirectSang) - Unknown owner - (no file)

Close HJT.

Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of dkaox only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
svchost using 100% cpu

Hi, I have a problem with a computer. it seems that svchost is draining 100% cpu, it happens from time to time. and it happens randomly. I am attaching HJT and combofix log. Hope it helps.
 
results

well, I followed your last instructions. and it seems that combofix detected new infections. I am attaching you the first 2 logs.
 
Hi,

No worries about the deletions by ComboFix. They were carried out from my instructions in the script I provided you. I've also merged your posts here.

Your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.

With regards to your svchost.exe taking up all resources, please see post #9 in HERE.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

This thread is for the use of dkaox only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Status
Not open for further replies.
Back