Viruses and Malware (With HJT Log)

Status
Not open for further replies.
P

PrandialMan

Posts: 8   +0
I've been having a lot of trouble with my computer. I tried following the preliminary removal instructions, but once I got to step 10 my computer stopped allowing me to download things. Also, I would attach an AVG log, but my computer keeps crashing just as it's finishing up the scan. Please Help!
 
Hi PrandialMan and welcome to techspot. =)

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

nosvida.exe
ApachInc

Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:

novsvida.exe

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O2 - BHO: (no name) - {9CCCC7E0-EF0B-4D37-B81C-6850CAF989D3} - C:\WINDOWS\system32\awtss.dll
O2 - BHO: (no name) - {B71FA585-B351-4E48-8DA8-22F6F705EC73} - C:\WINDOWS\system32\opnllij.dll

O4 - HKLM\..\Run: [novsvida.exe] C:\Documents and Settings\All Users\Application Data\novsvida.exe
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\kbiqubjq.dll",realset

O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll
O20 - Winlogon Notify: opnllij - C:\WINDOWS\SYSTEM32\opnllij.dll
O20 - Winlogon Notify: winiap32 - C:\WINDOWS\SYSTEM32\winiap32.dll
O23 - Service: crd - Unknown owner - C:\DOCUME~1\JEFF'S~1\LOCALS~1\Temp\IXP001.TMP\poststp.exe (file missing)

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\system32\awtss.dll
C:\WINDOWS\system32\opnllij.dll
C:\WINDOWS\system32\kbiqubjq.dll
C:\WINDOWS\SYSTEM32\winiap32.dll
C:\DOCUME~1\JEFF'S~1\LOCALS~1\Temp\IXP001.TMP\

Reboot into normal mode and rehide your protected OS files.

Please try and go back to the preliminary removal thread like before and see if you can complete the remaining steps.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of PrandialMan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks momok! Unfortunately I ran into a few problems. First of all, when I boot into safe mode, I get a black screen with safe mode written in the four corners and message telling me that I'm booting in safe and asking if I'm sure I really want to. When I say "yes" my desktop appears (explorer.exe opens) and then disappears again 3-10 seconds later. I then get the message asking me whether I want safe mode again. When this happens, most of the programs I had open get closed. I got around this mostly by bringing up task manager with ctrl+alt+delete and run programs without the desktop. So, I got through most of the stuff I was supposed to do in safe mode, but the next problem I encountered was that when I navigated Windows Explorer, it wouldn't let me delete C:\WINDOWS\system32\awtss.dll or C:\WINDOWS\system32\opnllij.dll. It said that they were currently in use. (This was still while in safe mode). As for the rest of the preliminary steps, I was able to download the rest of the programs, but virtumundobegone just made my computer freeze and AVG root kit wouldn't run. I haven't tried Combofix yet because I can't get into safe mode to run it like the preliminary steps post tells me to. I have a new AVG and HJT log attached.
Thanks for all the help!
 
Hi,

I noticed that your AVG log displays 'No Action Taken' for all the files detected.
I suggest you run AVG again and quarantine the files. Pictorial instructions HERE.

Please follow these instructions carefully.

1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached "avengerscript.txt" (from my attachment) and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the attachment avengerscript.txt you have just downloaded, click on it and press open.
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Please go ahead and run ComboFix after you are done with the above.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT, ComboFix and AVG Antispyware log.


Regards,
Your friendly momok =)

This thread is for the use of PrandialMan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I've just started your instructions, but before I go on I want to report the preliminary results.
I had already set AVG to quarantine under the how to act section of the settings tab in the scanner section. When I checked, it was still set to quarantine.
As for Avenger, I extracted it to my desktop and downloaded avengerscript.txt, but when I ran it, the machine only reset once, the command window had several messages about things that it "could not find" and the avenger.txt that it generated was blank. Any suggestions?
Thanks momok, you're the best!
PrandialMan
 
No worries about that. Just post the required logs (fresh ones) and I'll see what else needs removing.

Regards,
Your friendly momok =)

This thread is for the use of PrandialMan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I've attached new combofix and HJT logs. When I tried running AVG it froze again. It tends to slow down quite a lot once it gets about halfway through the scan and often freezes. My blank avenger.txt that I mentioned earlier seems to have disappeared since the last time I restarted my computer. Hope this gives some more hints about what I need to do.
Thanks
-PrandialMan
 
Hi,

Please post your avenger log.

Regards,
Your friendly momok =)

This thread is for the use of PrandialMan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I tried running avenger again and it seemed to work a bit better this time! AVG still keeps freezing. Here are some new logs. Thanks!
-PrandialMan
 
Hi,

Yes it ran well this time. =)

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

ctqbgngx.exe

Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

ctqbgngx.exe

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
O2 - BHO: (no name) - {2F04C07A-303D-4B1B-B7ED-5DEDDA84DC57} - C:\WINDOWS\system32\awtss.dll (file missing)
O4 - HKLM\..\Run: [ctqbgngx.exe] C:\Documents and Settings\All Users\Application Data\ctqbgngx.exe
O20 - Winlogon Notify: awtss - C:\WINDOWS\system32\awtss.dll (file missing)
O20 - Winlogon Notify: opnllij - opnllij.dll (file missing)
O20 - Winlogon Notify: winiap32 - C:\WINDOWS\SYSTEM32\winiap32.dll

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\system32\sstwa.bak1
C:\DOCUME~1\ALLUSE~1\APPLIC~1\ctqbgngx.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\novsvida.exe
C:\WINDOWS\system32\winiap32.dll

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of PrandialMan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Here are the new logs. The only thing that didn't work was deleting C:\WINDOWS\system32\winiap32.dll. I got the message
"Cannot delete winiap32: Access is denied.
Make sure the disk is not full or write protected and that the file is not currently in use."
Thanks!
 
Hi,

Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.
Drag the Combofix-Do.txt over on to Combofix.exe and release.

This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.


Regards,
Your friendly momok =)

This thread is for the use of PrandialMan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi,

Your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

You may also delete the avenger folder and its contents.

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

This thread is for the use of PrandialMan only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Status
Not open for further replies.

Similar threads

midian182
Neuralink video shows quadriplegic patient who can play chess and video games with his...
Replies
15
Views
248
quadibloc
quadibloc
Scorpus
Nvidia app launches in beta: Nvidia's new GPU control panel is much faster, no log in...
2
Replies
28
Views
621
RaXelliX
R
yRaz
Opinion: AI is a lot closer to being conscious than many people predict and we need to talk about that.
Replies
0
Views
1K
yRaz
yRaz

Latest posts

Back