Virus Malware - Fighting like hell but loosing

Status
Not open for further replies.
M

mitixi

Posts: 6   +0
Hi,
somehove I got it, althougth I had Sophos - daily updated. Then I installed and updated AVG, Spybot, CounterSpy, CCleaner, Hijackthis, AD-aware SE, vundofix, virtmundobegone, smitfraudfix, look2me-destroyer.

Tried to boot in safe mode, but cant. 0x7B error, tried CHKDSK, no succes.

So in normal mode I run (several times) all of the above, but no luck. It did find many torjans, dialers, etc., but they are still here.
Sohops keep sending Troj/TrjDlDrp-B detected, I delete TMP and EXE (like srvepe[1].exe) files, cleant temp internet files, but its still here.

What to do?
 
Hello and welcome to Techspot.

Your system is infected with a couple of trojans.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of mitixi only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
howard may have more answers. but suggest that you run another scan
this is my findings
no info on this in bold, 'suspect'
O2 - BHO: (no name) - {0180F8E8-2958-1955-6724-006681605382} - C:\WINDOWS\system32\gqfkqig.dll

do you recognise this entry?
O16 - DPF: {FB30AAAF-143D-48F4-BD69-24D28E48D7F1} (CreaSignClientIE Object) - https://moja.posta.si/EpprAsp/Content/CreaSign/CreaSignClientIE.cab

this is slovenian origin. do you recognise them
O17 - HKLM\System\CCS\Services\Tcpip\..\{99E1E188-52B8-44C5-907B-D6C24513E1B5}: NameServer = 193.2.1.66

do you recognise the ones in bold
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE2ED36D-57A1-45C5-A9AA-6F82B205C1E6}: NameServer = 192.168.1.138,192.168.1.136,193.2.1.66

created by trojan
O20 - Winlogon Notify: winwxj32 - C:\WINDOWS\SYSTEM
32\winwxj32.dll
 
Hi tomrca:

The O2 - BHO: (no name) - {0180F8E8-2958-1955-6724-006681605382} - C:\WINDOWS\system32\gqfkqig.dll and the O20 - Winlogon Notify: winwxj32 - C:\WINDOWS\SYSTEM
32\winwxj32.dll are both part of the Virtumundo(Vundo) trojan. infection.

There may be other infections present that don`t show up in the HJT log. Hence the instructions.

Regards Howard :)

This thread is for the use of mitixi only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
here we are

CAN NOT BOOT IN SAFE MODE, so this is done in normal mode:
I did as adviced (network disconnected) and:
AVG Antirootkit did not find anything.
Combofix log attached (I run it 2 times since after the first time Kerio firewall blocked something so I did it second time with firewall disabled).
Sophos found NirCmd application in C:\combofix\TSF\nircmd.exe - and I deleted it manually since Sophos did not give me that option.
SpyBot only found Smitfraud-c.Toolbar888, Win32.agent.yr - FIXED
Ad-aware and AVG found nothing.
Other logs attached

Regards
Mitixi
 
Download Vundofix from HERE.

Double click the Vundofix.exe to run it.

Right click in the vundofix window and click add files.

Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do it`s stuff.

These are the filepaths you need to enter into Vundofix.

C:\WINDOWS\system32\gqfkqig.dll
C:\WINDOWS\SYSTEM32\winwxj32.dll

Then, do the following.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

websvcd.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {0180F8E8-2958-1955-6724-006681605382} - C:\WINDOWS\system32\gqfkqig.dll

O16 - DPF: {FB30AAAF-143D-48F4-BD69-24D28E48D7F1} (CreaSignClientIE Object) - https://moja.posta.si/EpprAsp/Content/CreaSign/CreaSignClientIE.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vus.uni-lj.si

O17 - HKLM\Software\..\Telephony: DomainName = vus.uni-lj.si

O17 - HKLM\System\CCS\Services\Tcpip\..\{99E1E188-52B8-44C5-907B-D6C24513E1B5}: NameServer = 193.2.1.66

O17 - HKLM\System\CCS\Services\Tcpip\..\{DE2ED36D-57A1-45C5-A9AA-6F82B205C1E6}: NameServer = 192.168.1.138,192.168.1.136,193.2.1.66

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vus.uni-lj.si

Only fix the above 017 entries if you don`t recognise the domain or they don`t belong to your ISP.

O20 - Winlogon Notify: winwxj32 - C:\WINDOWS\SYSTEM32\winwxj32.dll

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\websvcd.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of mitixi only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
finished?

Done as said.
AGAIN: I can not boot in safe mode - blue screen.
But I booted with CD with BartPE OS and deleted websvcd.exe
Log posted
 
The C:\WINDOWS\system32\websvcd.exe entry is still in your HJT log.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled.

Web Service Discovery (websvcd)<Disable the service name and/or the name in brackets.

Click apply/ok

Close the services window.

Run HJT and click the config button, followed by the Misc Tools button. Click the Delete an NT service button and type the following into the dialogue box and click ok and follow the prompts. websvcd

Once your system has rebooted, locate and delete the following bold files and/or directories(if there).
C:\WINDOWS\system32\websvcd.exe

Please attach a fresh HJT log.

Regards Howard :)

This thread is for the use of mitixi only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Your HJT log is now clean.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of mitixi only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Status
Not open for further replies.

Similar threads

S
Solved Issues with internet due to possible malware/virus
Replies
24
Views
5K
Broni
Broni
Fishhooky
Solved Troj/Miner-AB dwm malware removal required
2
Replies
27
Views
6K
Broni
Broni
J
Solved Virus/Malware Removal
2
Replies
33
Views
8K
Broni
Broni

Latest posts

Back