Red biohazard

Status
Not open for further replies.

EEI

Got the red biohazard infection 7/9/08. Got online and saw similar issues. Had to get off yesterday, but would like to resolve the issue today if I can. I need help in navigating the process. I'm using a second computer, have a flash drive, and will start taking the steps directed.
Thanks
I got the files from HijackThis, both on the 'result' page and in a 'notepad' that popped up. Should I put them on the thumb drive and attach here from another computer, or try to go online with the infected computer? What is the best way to attach so you can view and help?
 
We can connect it to the internet soon, so that you don't have to keep transferring files.

Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\sqvgnrpx.dll (file missing)
    O4 - HKLM\..\Run: [DelayLoad] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\atmadm2.exe
    O4 - HKCU\..\Run: [InstallProgram] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\smcheck.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O21 - SSODL: fdxbameg - {13D2D249-7D99-4002-8752-EE17CB1B2DBE} - C:\WINDOWS\fdxbameg.dll
    O21 - SSODL: fsrpknov - {4350C078-5ABF-4C95-80CC-6C5CC6EAA436} - C:\WINDOWS\fsrpknov.dll

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

--------------------------------------------------------------------

OTMoveit2 by OldTimer
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    %TEMP%\SMCHECK.EXE
    %TEMP%\atmadm2.exe
    C:\WINDOWS\fdxbameg.dll
    C:\WINDOWS\fsrpknov.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

---------------------------------------------------------------------------------

I would download and install MBAM to the flash drive, then try to update it from there; then you may even be able to scan straight from that.

Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please attach this log with your reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


I need to see the OTMoveIt2 log and MBAM logs with a fresh HijackThis.
 
There was a message that came up, "Registry editing has been disabled by your administrator", when I hit "Fix Checked", but when I rescanned it seems to have eliminated those items. I have not moved to the OT step yet... should I proceed?
 
When I double-click on the OTMoveIt, there is no exe file. It just has the OTMoveIt2 clipboard. Since I'm reading these posts on another computer, I typed in the Code you had under the Paste List of Files/Folders to Move. When I hit 'Move it', it transferred some. Also, it didn't seem to transfer everything. Do I have to do the copy and paste? I retyped it and it seemed to go through... but says files not found? I'll attach the new HJT and the OT2 file and send.
 
Copy and paste the OTMoveIt2 code into Notepad and save the Notepad file on the connected computer's flash drive.

Then plug your flash drive into the other computer and copy and paste it. I want to see another OTMoveIt2 log.
 
When I place OTMoveIt2 on the flash drive I can read it fine on the good computer; when I try to read it on the infected computer, it says the file is a text.docx file and won't read it. Just tried it again. Same thing.
Sorry... I was copying into Word. When I did it in Notepad it worked, or at least I could read it. I'll try that on OTMoveIt2 and see what results I get.
Also, on that computer, it keeps popping up the messages from the "spyware alert", "system alert", etc. But I noticed there's also a page trying to access the internet with a 'safewebnavigation' heading... I'm assuming that's also connected with the same infection.

How do I get this file from c:\_OTMoveIt\MovedFiles? Where do I find it?
 
I might as well post this and it should work no problem for you to transfer as I have done it many times.

After you show me the OTMoveit log

Run Smitfraudfix
  • Download Smitfraudfix by S!ri from HERE
  • Double-click SmitfraudFix.exe
  • Select 1 and hit Enter
  • The report can be found at the root of the system drive, usually at C:\rapport.txt

Attach this here as well
 
OT files

This is what the moved files look like from the OT screen.
Is running the Smitfraudfix in place of the Malwarebytes? By the way, I'm getting your responses faster in my email than here on the post.
 
By the way, if I start scanning with either of these, will they find them but not be able to remove them until I purchase their product? I had that happen to me once before, after it took hours for the scan, but I was not wanting to put CC numbers online with an infected system.
 
Anything I recommend will be completely free. There are different instructions for Smitfraudfix after I see the report.
 
I appreciate your help. I had already started running Malwarebytes when I got your post about Smitfraudfix. It took 8 hrs to complete the scan. On reboot everything appears to be normal. I did get a message saying that
"application or DLL c:\windows\system32\vtvlkdss.dll is not a valid windows image. Please check against your install disk". I copied the Notepad of the Malwarebytes log. I'll attach it to a post reply following this.
I had already downloaded the Smitfraudfix onto the thumb drive, so I have it available if I need it. I'll try to do the OTMoveIt on that computer now again if I need to. As stated in an earlier post, I couldn't find the location of the file. Maybe now with the virus gone (hopefully) I'll be able to find it and forward it also.
Thanks for your help so far. It was a long process so far.
 
I love that program - it just did a lot of work for us.

Did you reboot before or after posting the log?

------------------------------------------------------

I still want you to run Smitfraudfix option 1 -> it won't do anything except scan using a bunch of different types of scans, then it will generate a report for me, telling me if we need to take further steps with it.
 
I took the Notepad log that it generated and copied it to the flash drive. That's what I sent you. When I closed the Notepad, it said to finish it needed to reboot, 'yes or no'; I chose yes. I sent you the log from the good computer. When it rebooted, that's when I got the 'application or DLL... not valid' message. After it rebooted, I also restored my desktop. I've shut down and restarted several times with no problem. But I have not used the computer or gone online with it yet. I was wanting to hear back from you before I did. I will run the Smitfraudfix today and send you the report so you can look at it.
Also, I have the programs above on my flash drive. So is it OK to 'uninstall' them from my computer when I'm done with the virus? I've heard pros and cons of this.
The virus that I got was my own fault for allowing it in.
By the way, thank you very much for your help. I'll finish filling out my profile, etc. and stay in touch with the site. I had just got an external hard drive that I was going to be backing up my computer with... so many things that would have really been sad to lose on my computer.
 
After the Smitfraudfix you should be OK to go back online, but let me look through it first. As far as uninstalling these programs: you can remove them from the thumb drive, but we have a special way of removing most of the other tools from the cleaned computer.

Also post a fresh HijackThis log.
 
Smitfraudfix log

Attached is the rapport from Smitfraudfix. I haven't done the HJT yet.
 
HJT report

Here is the HJT report log.
No red biohazard signs at all... no pop-ups... everything seems to be running smoothly. When I was trying to do the SmitFraud, my Norton kept saying it was a possible malicious script. I allowed it once. I don't really use the Norton anyway; I was going to uninstall that also.
But look over the logs and if there is a better way to clean up, I'm all for it.
 
Remove bad HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: (no name) - {1C2367B3-D766-4B1F-902C-CF838EBD630C} - C:\WINDOWS\system32\vtsqo.dll (file missing)
    O2 - BHO: (no name) - {36f9154c-bfd4-43d7-83d2-35f5c8aa17b1} - C:\WINDOWS\system32\dmptntc.dll (file missing)
    O2 - BHO: (no name) - {47EB908E-2B8D-416D-92D9-53191C619507} - C:\WINDOWS\system32\geebb.dll (file missing)
    O2 - BHO: (no name) - {4CD8D66E-BA52-4287-BBFA-BF48D90C484D} - C:\Program Files\Windows NT\tebomisyg83122.dll (file missing)
    O2 - BHO: (no name) - {555B48D8-BC88-4798-B6B2-ECE050664C34} - C:\Program Files\Windows NT\tebomisyg4444.dll (file missing)
    O20 - Winlogon Notify: geebb - C:\WINDOWS\system32\geebb.dll (file missing)
    O20 - Winlogon Notify: tuvtsro - tuvtsro.dll (file missing)
    O20 - Winlogon Notify: vtsqo - C:\WINDOWS\system32\vtsqo.dll (file missing)
    O20 - Winlogon Notify: xxyvwvs - xxyvwvs.dll (file missing)
    O20 - Winlogon Notify: yayvwuu - yayvwuu.dll (file missing)

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

--------------------------------------------------------------------

We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

Code:
@echo off
rem Stop each service, then remove its registration from the Service Control Manager
sc stop EscService
sc delete EscService
sc stop KcpService
sc delete KcpService
sc stop KrcWmiProviderSvc
sc delete KrcWmiProviderSvc
rem A service name containing spaces must be quoted or sc treats each word as a separate argument
sc stop "KUKA Scheduler Service"
sc delete "KUKA Scheduler Service"
rem Remove this script from the desktop, then close the command window
del service.cmd
exit


Save it to your desktop as File name: service.cmd
Save as type: All Files

Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.

------------------------------------------------------------------------------

Run Smitfraudfix
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Delete this folder if there C:\KRC
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt


After reboot please run another HijackThis from normal mode for me so that I can check everything, then you should be OK to go online. Then we can update Java and get a good anti-virus on there.
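The two "Remove bad HijackThis entries" lists in this thread (the first with O3/O4/O6/O7/O21 lines, the second with O2/O20 lines) and the OTMoveIt2 file list are produced by the same kind of triage: reading each HijackThis line, deciding whether the registered file is still on disk, whether it runs from a temp directory, and whether a policy restriction such as DisableRegedit=1 has been set. The script below is an added example written for this page, not part of the thread and not HijackThis's or OTMoveIt2's own code. It parses a constructed sample made of entry types quoted above plus one benign Windows autorun as a control, applies those rules, and derives both the list of entries to tick under "Fix Checked" and the list of still-present files that would go into a move list. The rule set and the sample are my assumptions; real logs need human review of every hit.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: entry types quoted in this thread (paths as the helper
# posted them) plus one benign Windows autorun (ctfmon.exe) as a control.
SAMPLE_LOG = r"""
O3 - Toolbar: sqvgnrpx - {695AD9B9-B97E-4F91-8B6F-B1BD73937505} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\sqvgnrpx.dll (file missing)
O4 - HKLM\..\Run: [DelayLoad] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\atmadm2.exe
O4 - HKCU\..\Run: [InstallProgram] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\smcheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: fdxbameg - {13D2D249-7D99-4002-8752-EE17CB1B2DBE} - C:\WINDOWS\fdxbameg.dll
O2 - BHO: (no name) - {4CD8D66E-BA52-4287-BBFA-BF48D90C484D} - C:\Program Files\Windows NT\tebomisyg83122.dll (file missing)
O20 - Winlogon Notify: vtsqo - C:\WINDOWS\system32\vtsqo.dll (file missing)
O20 - Winlogon Notify: tuvtsro - tuvtsro.dll (file missing)
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HijackThis sections that register code to load automatically.
LOAD_POINTS = {"O2": "BHO", "O3": "IE toolbar", "O4": "Run key",
               "O20": "Winlogon Notify", "O21": "ShellServiceObjectDelayLoad"}
# Sections that record policy restrictions rather than executables.
POLICY_SECTIONS = {"O6": "IE restrictions", "O7": "regedit/system policy"}

# First drive-letter or %TEMP% path ending in .dll/.exe (paths may contain spaces).
PATH_RE = re.compile(r"((?:[A-Za-z]:\\|%TEMP%\\).*?\.(?:dll|exe))", re.IGNORECASE)
TEMP_RE = re.compile(r"(\\Temp\\|^%TEMP%\\)", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_entry(line):
    """Split 'O4 - rest of entry' into (section, body); None for non-entry lines."""
    m = re.match(r"^(O\d+)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else (None, None)


def triage(log_text):
    """Return one Finding per HijackThis line that needs attention, with reasons."""
    findings = []
    for raw in log_text.splitlines():
        section, body = parse_entry(raw)
        if section is None:
            continue
        m = PATH_RE.search(body)
        path = m.group(1) if m else ""
        missing = "(file missing)" in body
        reasons = []
        if section in POLICY_SECTIONS:
            reasons.append(f"policy restriction set ({POLICY_SECTIONS[section]})")
        if section in LOAD_POINTS:
            if missing:
                # Registry hook survives although the file is gone: remnant to clean up.
                reasons.append(f"orphaned {LOAD_POINTS[section]}: file no longer on disk")
            elif path and TEMP_RE.search(path):
                # Legitimate software does not autostart from a temp directory.
                reasons.append(f"{LOAD_POINTS[section]} loads from a temp directory")
            elif (section in ("O20", "O21") and path
                  and not path.lower().startswith(r"c:\windows\system32")):
                reasons.append("logon/shell hook loads a DLL outside system32")
        if reasons:
            findings.append(Finding(section, raw.strip(), path, reasons))
    return findings


def fix_list(findings):
    """Lines to tick under 'Fix Checked' (every flagged entry)."""
    return [f.line for f in findings]


def move_list(findings):
    """Flagged files still present on disk: the equivalent of an OTMoveIt2 paste list."""
    return sorted({f.path for f in findings
                   if f.path and f.section in LOAD_POINTS and "(file missing)" not in f.line})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section:4} {'; '.join(f.reasons)}\n     {f.line}")
    print("\nFiles to move:")
    for p in move_list(hits):
        print("  " + p)
```

Running it flags nine of the ten sample lines and leaves the ctfmon.exe control alone; the move list comes out as the two Temp executables and C:\WINDOWS\fdxbameg.dll, which is the same shape as the helper's OTMoveIt2 list. The "(file missing)" entries are deliberately excluded from the move list: there is nothing on disk to move, only a registry hook to remove, which is why they appear under "Fix Checked" instead.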
 
Where would I find the C:\KRC folder? On the desktop, or in cmd mode and look for it? I'm in safe mode now. I did a search for any file/folder KRC and have IMEKRCIC.DL, KrcEventLog.dll, KrcLog.evt (same KrcLog with B, I, P, S, U).
 
Smitfraudfix rapport 2

Attached is the Smitfraud report number 2. It did not ask me to replace/fix/delete the win file mentioned. Rebooting now.
 