Tough virus

Status
Not open for further replies.

bflotus

3 days ago I noticed that I was under a virus attack. The virus changed my desktop, disabled Task Manager and registry editing, and opened up pop-ups trying to sell me overpriced antivirus software. I managed to re-enable Task Manager and registry editing, and changed my desktop back. The virus appeared to be gone, but a number of symptoms still remain.

Anything I try to update fails, even things that have nothing to do with antivirus. My computer tells me that I am not connected to the internet, but I obviously am. USB drives won't work on the computer. The virus also disabled Windows Firewall and Windows Update.

I went through the eight steps and had a bit of trouble: I get a blue screen when I run super anti virus, and when I tried to update Java, the install said it could not continue with the current internet connection settings.

Attached are the logs.

Any help would be appreciated.
 
Hello bflotus

You have two antivirus programs running, McAfee and Kaspersky.

"Having more than one antivirus program active in memory uses additional resources and can result in program conflicts, will typically cause your computer to crash, and will provide less protection, not more."

Remove/uninstall one of your antivirus programs from Add/Remove Programs in Control Panel.


Reboot.

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe
And save to the desktop.


Open Notepad and copy/paste the text in the quote box below into it.
Name the file CFScript
and save it on the desktop.

Killall::
Snapshot::
File::
c:\windows\system32\jugodika.dll
C:\WINDOWS\system32\pureleye.dll

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.
 
Alright, that appears to have solved it. I can now update Kaspersky. I thought I had uninstalled McAfee, sorry about that. Here's the log.

On second thought - flash drives still aren't working, any ideas?
 
Found nothing on either of them.

Now I have a bit of a bigger problem. I figured that now that I can update the software I would re-do the eight steps. After updating and running super anti virus and rebooting, my computer wouldn't reboot; it just showed the little animation with the bar going around forever. I had to restart in safe mode. Any ideas?
 
Open Notepad and copy/paste the text in the quote box below into it.
Name the file CFScript
and save it on the desktop.

Killall::
Snapshot::
File::
c:\windows\SYSTEM32\lusonola.dll.tmp
c:\windows\SYSTEM32\relafako.dll.tmp
c:\windows\SYSTEM32\wopamiza.dll.tmp
c:\windows\system32\drivers\ovfsthvusmmpxlumejdpoapuykkwhsmttoitup.sys
c:\docume~1\Leonard\LOCALS~1\Temp\ovfsthdcrqlkicxt.tmp
c:\docume~1\Leonard\LOCALS~1\Temp\ovfsthhosevpdwop.tmp
c:\docume~1\Leonard\LOCALS~1\Temp\ovfsthrxtfhwlovb.tmp
c:\docume~1\Leonard\LOCALS~1\Temp\ovfsthx000
c:\windows\system32\ovfsthddylorfxkcuqadaaqaibryxyfxgwapvx.dat
c:\windows\system32\ovfsthgkxenhvcltbsseoxjdixlurctqgrdukv.dll
c:\windows\system32\ovfsthkbnfhxwbowrmuanomkveeyqghoqdralx.dll
c:\windows\system32\ovfsthmevappkwlappgrgdogtaumhevncuquaw.dat
c:\windows\system32\ovfsthuqagykpqjkiyxggvodugewyldflbgyfw.dl
Folder::
c:\docume~1\Leonard\LOCALS~1\Temp\ovfsthx000

FileLook::
c:\windows\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe
Driver::
MrtRate

Registry::
[-HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[-HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[-HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[-HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.
 
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>

<<< if you don't use a proxy server
……………………………………………………………………….
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-21-3968513137-102144374-2776227746-1006\..\Run: [dotnRXZmX] uma42chs.exe (User 'Diane')
O4 - HKUS\S-1-5-21-3968513137-102144374-2776227746-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Diane')
O4 - HKUS\S-1-5-21-3968513137-102144374-2776227746-1006\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Diane')
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/99...W/win/019-0123.20031218.zes4d/iTunesSetup.exe


Reboot. Attach a new HijackThis log.
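The two R1 entries above are the part of this log worth understanding rather than just fixing. A ProxyServer value of http=localhost:7171 sends every HTTP request made through Internet Explorer's connection settings to a listener on the machine itself; when the component that was listening on that port has been removed, those requests simply fail, which is consistent with a system that reports "not connected to the internet" while the network is fine and with updaters that refuse to run "with current internet connection settings". The O4 entry [dotnRXZmX] uma42chs.exe is the other classic tell: a Run value with a random-looking name whose command is a bare filename with no directory. The following script is an added example, not part of the original thread or of HijackThis itself; it applies exactly those two checks to lines in HijackThis log format. The sample log is constructed for the example (the R1 and dotnRXZmX lines copy the shape of the entries posted above; the rest are ordinary startup items for contrast), and the vowel-ratio heuristic for "random-looking" names is a rough assumption of mine, so treat hits as items to review, not to delete automatically.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format. The R1 and the "dotnRXZmX"
# O4 entries copy the shape of the ones posted above; the other O4 lines
# are ordinary startup items included for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-21-3968513137-102144374-2776227746-1006\..\Run: [dotnRXZmX] uma42chs.exe (User 'Diane')
O4 - HKUS\S-1-5-21-3968513137-102144374-2776227746-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Diane')
"""

# "R1 - <registry key>,<value name> = <value>"
R1_RE = re.compile(r"^R1 - (?P<key>.+?),(?P<value_name>\w+) = (?P<value>.*)$")
# "O4 - <hive>\..\Run: [<value name>] <command> (User 'X')"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "R1" or "O4"
    detail: str  # why the line is worth a look
    line: str    # the original log line


def parse_proxy_server(value: str) -> list[tuple[str, str, str]]:
    """Split a ProxyServer value into (scheme, host, port) triples.

    Accepts both the single form "host:port" and the per-protocol form
    "http=host:port;https=host:port". Scheme is "all" when unspecified.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:  # no port given
            host, port = hostport, ""
        entries.append((scheme or "all", host, port))
    return entries


def is_loopback(host: str) -> bool:
    """True for hosts that point back at the local machine itself."""
    h = host.strip("[]").lower()
    return h in ("localhost", "::1") or h.startswith("127.")


def looks_random(name: str) -> bool:
    """Assumed heuristic: six or more letters with fewer than 20% vowels."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c.lower() in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.2


def first_token(cmd: str) -> str:
    """Return the executable part of a Run value, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> list[Finding]:
    """Flag loopback proxies (R1) and suspicious startup entries (O4)."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R1_RE.match(line)
        if m and m["value_name"] == "ProxyServer":
            for scheme, host, port in parse_proxy_server(m["value"]):
                if is_loopback(host):
                    findings.append(Finding("R1", f"{scheme} traffic routed through local proxy {host}:{port}", line))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = USER_SUFFIX_RE.sub("", m["cmd"])
            token = first_token(cmd)
            reasons = []
            if "\\" not in token and ":" not in token and not token.startswith("%"):
                reasons.append("bare filename, no directory")
            if looks_random(m["name"]):
                reasons.append("random-looking value name")
            if reasons:
                findings.append(Finding("O4", f"[{m['name']}] runs {token!r}: " + "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.detail}\n    {f.line}")
```

Run against the sample it reports exactly two lines: the localhost:7171 proxy and the dotnRXZmX startup entry; the Java, Google Toolbar and ProxyOverride lines pass. A loopback proxy is not always malicious (some privacy and filtering tools install one deliberately), which is why the post above says to fix the R1 lines only "if you don't use a proxy server".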
 
Great :)


Now that your computer problems are solved, it is time for the clean-up procedure.
You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.


Please download OTCleanIt
Save it to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Say Yes to "Begin cleanup Process?"
When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Please note: it will NOT remove MBAM, CCleaner or SuperAntiSpyware.

To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
How did I get infected in the first place

Keep safe.
 