"Your computer is infected" but a little different

Status
Not open for further replies.
Hi, I've sent you Combofix via email. Try running it and see if it works. Hopefully the autodetections will clear some of the obstacles so you can run HijackThis etc.
 
No luck, momok. Downloaded it and saved to desktop. When I open and hit "run" it does exactly what HJT does - nothing. Blinks and does nothing.
 
You need to run SmitfraudFix. I can't upload my copy because this site doesn't allow exe files to be uploaded. But it's easy to find using Google. Run that and then Spybot afterwards.

Repost with results.

Best,
-- Andy
 
Download Smitfraud Fix
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Clean:

Reboot your computer in Safe Mode
(before the Windows icon appears, tap the F8 key continually)

Double-click SmitfraudFix.exe

Select 2 and hit Enter to delete infected files.

You will be prompted: "Do you want to clean the registry?" Answer Y (yes)
and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if you are infected. You may be prompted to replace the infected file (if found): "Replace infected file?" Answer Y (yes) and hit Enter to restore a clean file.

A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
 
I seldom use HijackThis.
HijackThis is best used as a follow-up to cleaning programs such as Malwarebytes and SuperAntispyware. It is not meant to be used as a full cleaning program but rather to find any additional entries that may be present. It can be a valuable tool, but only when used and interpreted correctly.
 
UPDATE: I know it's been a few days since I got back on here with any news, but I've been pretty busy lately. This might be long, but I want to make sure that everyone knows where I've gone/been since my last post.

I think the first area where I got anywhere meaningful was going with Tw0rld's advice on the RIES resetting. I did that. While it didn't help dramatically, it allowed me to be able to download/install "some" programs that I hadn't been able to get to previously. The first one was Malwarebytes. So, as soon as I was able to do that, I went into Safe mode and ran Malwarebytes. It found a bunch of things and cleaned up the computer a little bit. When I booted back normally, my Norton icon came back but the red X was still there. At least this was progress. I was able to run another program that momok advised me on called ComboFix. I ran that program and it really did make some progress. I think it was at that point that the red X disappeared for good. Was really starting to feel good at this point. I think everything was restored back to normal and I could gain access to all websites I typed in and download any programs. So, once I was to that point, I ran the other programs: Spybot S/D, SuperAntiSpyware, and HJT. Once I did all those scans (I only did smart scans), I saved those logs (which will be attached). Oh, and I got my Norton back up to speed and did a recovery backup (remember this later on in this post).

Well, things were okay for a little bit but on consecutive days I've had serious Windows Errors. When my computer had problems to begin with, it started with my computer rebooting itself on its own. That's happened at least 2 or 3 times since I've run all the programs. But the red X has never come back since and I still have access to whatever websites. So, today I thought I'd run full scans on all the programs (probably what I should've done earlier). I ran full scans with Malwarebytes, Ad-Aware, and Superantispyware. Also ran Spybot once again. The only program I didn't run again was ComboFix. All the scans completed after about 7 hours and found more stuff. Now, back to the "backup" I did with Norton. The things (aside from tracking cookies) that they found this time was a backdoor that I guess was a part of the backup I did with Norton because the file path was "Norton Backup". And the common file or word association all the programs came up with is something to do with "TDSS". Of course, on all the programs, I took the means to remove all the bad files again. I've done all that and have gotten the second set of logs for Superantispyware and HJT. Malwarebytes was in the process of removing and cleaning my system when - of course - my system rebooted itself on its own. Also, while I was running those programs, my Norton came up and wanted me to reboot to remove a virus as well, "the same TDSS" one. I kept pushing that off until I could get the programs to get done doing what they were doing, but that's when I got involuntarily rebooted.

That probably was a lot of babble, but I hope you have a better understanding of where I am now. Also, I should note that ComboFix (that log is attached, too) found the trojan "brastk" and removed it and that's when I started seeing the most dramatic improvement. Haven't seen that virus come back, but I'm at a loss for what's causing my Windows errors and unwanted reboots.

My logs attached are numbered. Anything with a "1" next to it, are the first set of logs I ran after all the smart scans when I first made progress. Anything with a "2" next to it, are the full scans I ran today and most recent. Hope to hear from you all soon.

I'd also like to thank momok, Tw0rld, bobbye, and almcneil for contributing to this thread and getting me as far as I've gotten. Can't thank you enough.

I couldn't attach more than 5 files, so I'm attaching the ComboFixLog in case anyone wants to see it.

Thanks again, and hope to hear back from someone soon.

This TDSS virus/trojan seems to be dormant. I'm curious whether it's because I backed it up with Norton that day and maybe it's really gone now? Or if it's multiplying itself and I'm still infected.

Just a curious post here. I went in just to do searches on my computer for the brastk trojan I had found and am pretty sure I got rid of. The search result came back with one hit. It reads as follows:

Path: C:\Qoobox\Quarantine\Registry_backups

Filename: MSConfigStartUp-brastk.reg

Seems to be a backup of a removal I did when I got rid of it. Should I be concerned with this? Should I delete this backup or leave it be?
 
I'm afraid you're far from clean yet. In fact your logs show one of the worst cases of infection I've seen.

Please temporarily turn off AVG's and SpyBot's real-time monitoring functions (in your Windows system tray, bottom right) before you commence with the following instructions.

  1. Open notepad and copy/paste the text in the entire code box (scroll down) below into it (these are bad items to be removed):

    Code:
    Files::
    C:\WINDOWS\system32\deploytk.dll
    C:\WINDOWS\system32\hajujum.reg
    C:\Program Files\Common Files\adanufu.com
    C:\WINDOWS\system32\nyxerihuf.reg
    C:\WINDOWS\akydojova._sy
    C:\Program Files\Common Files\wemagibyhu.pif
    C:\Documents and Settings\All Users\Application Data\zusikiba.com
    C:\Documents and Settings\All Users\Application Data\urojus.pif
    C:\Documents and Settings\All Users\Application Data\ohiz.pif
    C:\WINDOWS\system32\lugem.dl
    C:\WINDOWS\system32\amome.sys
    C:\Program Files\Common Files\vyxef.com
    C:\WINDOWS\system32\gyvozytu.scr
    C:\Documents and Settings\Will\Application Data\vejumo.pif
    C:\WINDOWS\vasa.lib
    C:\Program Files\Common Files\ukygymyvi.reg
    C:\Documents and Settings\Will\Application Data\oqyge.scr
    C:\WINDOWS\umiticyduz.lib
    C:\WINDOWS\leragog.com
    C:\WINDOWS\efowoso._dl
    C:\Documents and Settings\All Users\Application Data\nyliliv.bin
    C:\Documents and Settings\All Users\Application Data\ajireh.dll
    C:\WINDOWS\system32\lifuk.pif
    C:\Program Files\Common Files\vufomom.vbs
    C:\WINDOWS\emyjaryr.com
    C:\WINDOWS\libimulu.pif
    C:\WINDOWS\ydetaqu.sys
    C:\WINDOWS\teniryn.pif
    C:\Documents and Settings\Will\Application Data\zaci.pif
    C:\Program Files\Common Files\biqolakas.pif
    C:\WINDOWS\system32\TBD111.tmp
    C:\WINDOWS\system32\TBD112.tmp
    C:\Program Files\Common Files\pijuw._dl
    C:\Program Files\Common Files\turahy.db
    C:\Program Files\Common Files\ohiguneqek.lib
    C:\Program Files\Common Files\eqygilubil.lib
    C:\WINDOWS\system32\hizu.bin
    C:\WINDOWS\hejepa.sys
    C:\WINDOWS\imaroc.com
    C:\WINDOWS\majy.sys
    C:\WINDOWS\izudykuhyh.com
    C:\WINDOWS\system32\orunoku.bat
    C:\Program Files\Common Files\gexugorel.dl
    C:\WINDOWS\kafehijili.bin
    C:\WINDOWS\famihihari.bin
    C:\WINDOWS\system32\c_980399.nls
    C:\WINDOWS\system32\c_980419.nls
    C:\WINDOWS\system32\c_980449.nls
    
    Folder::
    C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLogOff"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "wave1"=-
    "mixer1"=-
    "wave2"=-
    "mixer2"=-
    "aux2"=-
    "midi1"=-
    "aux1"=-
    "midi2"=-
  2. Save this as "CFScript.txt" on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe.
    [image: CFScript.gif]

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.
Paste the new Combofix log in your next reply.

Also let me know what is in this folder; what is it used for:
C:\Program Files\Common Files\xing shared

Next run HijackThis and fix these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.gimail.af.mil/
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

Post a fresh HJT log as well as the resultant combofix log from the above instructions in your next reply.
 
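The CFScript format used in the post above is not explained anywhere in the thread. The following Python example is added here and is not from the thread, from ComboFix or from its author; it parses a trimmed copy of that script into a removal plan, so you can see what each section asks ComboFix to do: File:: and Folder:: list paths to delete, and Registry:: uses .reg syntax, where `"name"=-` deletes one value and `[-KEY]` deletes a whole key. The section labels accepted here are the two spellings that appear in this thread (Files:: and File::); the sample script, the simulated set of still-present paths and the function names are constructed for this example.

```python
import re
from typing import Dict, List, Set

# Constructed sample: a trimmed copy of the CFScript posted in the thread.
SAMPLE_SCRIPT = r"""
Files::
C:\WINDOWS\system32\hajujum.reg
C:\Program Files\Common Files\adanufu.com
C:\WINDOWS\system32\TBD111.tmp

Folder::
C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogOff"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=-
"mixer1"=-
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
REG_KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_cfscript(text: str) -> Dict[str, list]:
    """Turn a CFScript into a removal plan without touching the system."""
    plan: Dict[str, list] = {
        "files": [], "folders": [],
        "reg_delete_keys": [], "reg_delete_values": [], "reg_set_values": [],
        "unrecognised": [],
    }
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                                   # "File::", "Registry::", ... start a section
            section, key = m.group("name").lower(), None
            continue
        if section in ("file", "files"):
            plan["files"].append(line)
        elif section == "folder":
            plan["folders"].append(line)
        elif section == "registry":             # .reg syntax inside Registry::
            mk = REG_KEY_RE.match(line)
            if mk:
                key = mk.group("key")
                if mk.group("delete"):          # [-HKEY...] deletes the whole key
                    plan["reg_delete_keys"].append(key)
                continue
            mv = REG_VALUE_RE.match(line)
            if mv and key is not None:
                if mv.group("data") == "-":     # "name"=- deletes one value under the current key
                    plan["reg_delete_values"].append((key, mv.group("name")))
                else:                           # any other right-hand side sets a value
                    plan["reg_set_values"].append((key, mv.group("name"), mv.group("data")))
            else:
                plan["unrecognised"].append(line)
        else:
            plan["unrecognised"].append(line)
    return plan


def leftovers(plan: Dict[str, list], present: Set[str]) -> List[str]:
    """Targets of the script that are still present (compared case-insensitively, as NTFS does)."""
    lower = {p.lower() for p in present}
    return [p for p in plan["files"] + plan["folders"] if p.lower() in lower]


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_SCRIPT)
    for name, items in plan.items():
        print(f"{name}: {len(items)}")
    # Constructed: pretend one file survived the run, as happened later in the thread.
    still_there = {r"C:\WINDOWS\system32\TBD111.tmp"}
    print("left over after the run:", leftovers(plan, still_there))
```

Feeding a directory listing taken after the run into `leftovers()` is the quickest way to tell whether a second CFScript is needed, which is exactly the situation the thread runs into a few posts later.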
I do not have AVG. I downloaded it once to attempt to install it, but never did (because the bugs I had wouldn't let me do any of that). Where are you seeing anything about AVG? I'll turn off the Spybot thing, though, and proceed with the rest of what you said.

I probably should've run ComboFix again today to post a good log. The ComboFix log you are looking at, as I explained in the message, is from a week ago and before I ran Superantispyware, Ad-Aware, and other things.

I'll get back to you soonest.
 
I see. Then we may need to repeat the CFScript a second time with updated instructions later. There are several items which remain even after your scans.
But do go ahead with what I've posted. It's better to remove as many bad items as we can asap.
 
Momok,

I did everything with dragging the script over the .exe file and it opened a box for me to "Run", I clicked that and it did nothing after that. Sounded like something was working (maybe something still is), but it's been over 5 minutes and I have yet to see the program actually open up. Does it run in the background and I can see it for a while or something?

Do I need to disable anything in Norton? I didn't get any messages from Norton or anything. I shut off the Spybot before doing that, also.
 
Hm, did you name the notepad file correctly, "CFScript.txt"? Is the script file in the same folder as the one ComboFix is saved in?
Have you tried this in safe mode?
 
It worked this time....

Momok,

I gave it a minute and just tried it again and it worked this time. The program loaded, did its thing and gave me the log. I'm attaching the newest ComboFix and HJT logs.

As far as the xing folder you're talking about, I went to look at it and it has a subfolder called "mpeg encode" under it. In that folder is one file which is a .dll file. Not sure what it is or what program it has to do with - I'm not familiar with it.

Also, just curiosity: I noticed that you had me delete my startup page R0. Was just curious why that was a problem? Also, I've noticed there are 2 other R0 startup pages for google.net-studio org or something like that. I think that's either a Spybot or Malwarebytes start page that it does when you run the program. Do I need those lines?

Hope to hear soon!
 
Nope, you don't need those pages, so feel free to delete them. I was concerned about your start page because when I visited it, IE showed problems with its certificate. But since you're fine with it then I guess there shouldn't be a problem.

Please run CFScript in the same way again, but this time replace the text in CFScript with these:
File::
C:\WINDOWS\system32\deploytk.dll
C:\Program Files\Common Files\pijuw._dl
C:\Program Files\Common Files\turahy.db
C:\Program Files\Common Files\ohiguneqek.lib
C:\Program Files\Common Files\eqygilubil.lib
C:\WINDOWS\system32\hizu.bin
C:\WINDOWS\hejepa.sys
C:\WINDOWS\imaroc.com
C:\WINDOWS\majy.sys
C:\WINDOWS\izudykuhyh.com
C:\WINDOWS\system32\orunoku.bat
C:\Program Files\Common Files\gexugorel.dl
C:\WINDOWS\kafehijili.bin
C:\WINDOWS\famihihari.bin
C:\WINDOWS\system32\hajujum.reg
C:\Program Files\Common Files\adanufu.com
C:\WINDOWS\system32\nyxerihuf.reg
C:\WINDOWS\akydojova._sy
C:\Program Files\Common Files\wemagibyhu.pif
C:\Documents and Settings\All Users\Application Data\zusikiba.com
C:\Documents and Settings\All Users\Application Data\urojus.pif
C:\Documents and Settings\All Users\Application Data\ohiz.pif
C:\WINDOWS\system32\lugem.dl
C:\WINDOWS\system32\amome.sys
C:\Program Files\Common Files\vyxef.com
C:\WINDOWS\system32\gyvozytu.scr
C:\Documents and Settings\Will\Application Data\vejumo.pif
C:\WINDOWS\vasa.lib
C:\Program Files\Common Files\ukygymyvi.reg
C:\Documents and Settings\Will\Application Data\oqyge.scr
C:\WINDOWS\umiticyduz.lib
C:\WINDOWS\leragog.com
C:\WINDOWS\efowoso._dl
C:\Documents and Settings\All Users\Application Data\nyliliv.bin
C:\Documents and Settings\All Users\Application Data\ajireh.dll
C:\WINDOWS\system32\lifuk.pif
C:\Program Files\Common Files\vufomom.vbs
C:\WINDOWS\emyjaryr.com
C:\WINDOWS\libimulu.pif
C:\WINDOWS\ydetaqu.sys
C:\WINDOWS\teniryn.pif
C:\Documents and Settings\Will\Application Data\zaci.pif
C:\Program Files\Common Files\biqolakas.pif
C:\WINDOWS\system32\TBD111.tmp
C:\WINDOWS\system32\TBD112.tmp
and post the resultant Combofix log your next reply.
 
Nope, that's fine. Let's settle ComboFix first. I think there may be some problems removing those items. If it fails again, I'll have to use Avenger (haven't used it in a very long time).
 
I had to try again. It started to work fine and got through the scan. Then it got to where it was opening the log report and froze for 10 minutes (hung up). So, I had to reboot to get out of it and am going to try again. Be back soon, hopefully.

Here it is. Took unusually long to come up with the report again, but I waited it out and it finally came through.

Standing by...
 
Hi all, I would just like to add a few possible tips/things.

I too have had these rogue antivirus programs run on start-up and prevent me from accessing certain websites.

I downloaded and installed the Firefox and Opera browsers, rotating them, off and on, until eventually I was able to access ComboFix and SmitFraud and save them to my desktop. (It's always a good idea to have these programs already saved on your desktop in case of infection, not forgetting to update them periodically.)

Always run these programs in safe-mode!

I've heard that showing hidden files and turning off System Restore never hurts either.

Make sure and check C: program files, for any Rogue folders of the like. Also check add/remove programs.

Check Registry(regedit) for Browser Helper Objects!

Windows Live OneCare is a powerful anti-virus program (must remove SBS&D) that can remove powerful Trojans. Might try this later on!
 
To clarify:
Always run these programs in safe-mode!
Most programs should be run in Normal Mode unless 1. specifically instructed to run in Safe Mode or 2. they can't be run in Normal Mode due to the malware.

I've heard that showing hidden files and
Some programs will specifically direct the user to show hidden files and folders.

turning off System Restore never hurts either.
We usually leave System Restore on but will caution the user not to use it. At the end of the cleaning process, the old restore points are removed and a clean new one is created. SuperAntispyware will show infected System Volume files, which are the restore points.

Check Registry(regedit) for Browser Helper Objects!
We remove these entries through HijackThis. Rarely is a user sent to do a regedit.
 
Thanks Xfactor and Bobbye for the clarification. Yeah, after my system gets cleared up, I'm going to make sure to hang on to my programs. It seems that just when I get rid of them, when I'm in a stretch of not having problems for a while, that's when I get hit up again and then I'm searching to get the downloads again. Best bet is to keep them on hand.
 
Hi,

Things are looking better, though seems like it takes a little time to remove some of the more tricky items. Try running Combofix in safe mode this time, with this CFScript:
File::
C:\WINDOWS\system32\ejujovaba.lib
C:\WINDOWS\pogerabex.lib
C:\WINDOWS\system32\nysyruhoca.dl
C:\WINDOWS\unulyl._sy
C:\WINDOWS\ilequt._dl
C:\WINDOWS\system32\c_980399.nls
C:\WINDOWS\system32\c_980419.nls
C:\WINDOWS\system32\c_980449.nls

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=-
"wave1"=-
"mixer2"=-
"midi2"=-
"aux2"=-
"midi1"=-
"mixer1"=-
"wave2"=-
Hopefully the next log will be fully clean.
 
ComboFixLog4

Hey Momok,

Ran it in Safe mode with the new script. Here's the new log.

Awaiting instructions...
 
Hi Will,

The new log shows all the old bad items have been removed. However, I'm very perplexed by the fact that new files and different variants of malware have appeared on your logs. I also see new programs installed when I see your new log.

Are you actively using the internet or seeking help elsewhere? If you are, please halt immediately as I am finding it difficult to clean your system thoroughly as it seems to have been reinfected by new sources.

That said, I believe you are almost clean now, except for the new infection.

Please run Combofix once again in safe mode with this new CFScript:
File::
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\IEDFix.C.exe
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\.compaq.bak
C:\WINDOWS\compaq.reg

Then boot in normal mode, and save a fresh log from HJT. Post the 2 logs back here; hopefully this time the cleaning will be complete so that I can issue a clean bill of health for your system.
 
Latest ComboFix and HJT

Hi Momok,

My apologies. Yes, I was still using the internet in between you helping me (I wasn't aware that I shouldn't have been doing that). With the new programs, I downloaded and ran SmitFraud per almcneil in between your last post and this one. The only other thing I downloaded was a program that gives me system configuration easily - SIW (System Information for Windows). I'm running off of 512MB of RAM and wanted to see what kind of RAM I run off of without opening the case, and that program helped me do that - so that I can go buy some more RAM today. Definitely not seeking any other help than what's provided in this thread, though.

My apologies, though. Didn't realize I wasn't supposed to surf or download anything else in between. My bad.

I did what you've asked and have posted a new HJT and ComboFix Log.

Curiosity - I think I might have more startup processes running when I probably don't need that many. Seems like my computer drags at startup for about 3-5 minutes trying to stabilize. I noticed in the HJT a lot of things about ActiveCardGold. That's a program that I'm no longer using at the moment, so if any of those are in my startup or running, I can disable them - you just may need to tell me how (which I'm sure you would've done anyway). Thanks again, Momok.

Awaiting instruction...
 
I see.

In that case, please fix these entries in HJT:
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe

Be sure to visit Control Panel > Remove programs and uninstall it too.

I would say the main source of your slow start up would possibly be these:
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
There's Norton in there which is notorious for being labelled 'bloatware', as it takes up space, resources on your system, and just doesn't do that good a job as freeware out there.

Apart from that, your system is looking clean now =)

Now that you're good to go,
  1. Please download and run CCleaner via step 3 of the instructions HERE.

  2. Clear your existing System Restore points and establish a new clean restore point:
    Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.

    Next, go to Start > Run > cleanmgr
    Select the More options tab > Choose the option to clean up System Restore and OK.
    This will remove all restore points except the new one you just created.

  3. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.
 
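HijackThis entries like the ones listed in the post above follow a fixed line format, which is what makes the "fix these" lists in this thread possible. The Python example below is added here and is not from the thread or from HijackThis itself; it parses a handful of lines excerpted from the logs quoted in this thread and flags the two patterns the helpers single out: entries ending in "(no file)", i.e. registry references to a file that is gone, and Run entries that HijackThis reports under the SYSTEM or Default user hives, where a user application has no business starting. The sample lines, the flagging rules and the function names are this example's own; it sorts entries for a human to review and does not decide what is malicious.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: HijackThis lines excerpted from the logs quoted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.gimail.af.mil/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body: <hive>\..\Run: [<name>] <command> (User '<user>')   -- the user part is optional
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")


@dataclass
class Entry:
    kind: str                    # "R0", "O2", "O4", "O23", ...
    body: str                    # everything after "Oxx - "
    clsid: Optional[str] = None
    path: Optional[str] = None   # file the entry points at, if the line carries one
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m.group("kind"), m.group("body"))
    c = CLSID_RE.search(entry.body)
    entry.clsid = c.group(0) if c else None
    if entry.kind == "O4":
        m4 = O4_RE.match(entry.body)
        if m4:
            entry.path = m4.group("cmd").strip('"')
            if m4.group("user") in ("SYSTEM", "Default user"):
                entry.flags.append("autorun under the SYSTEM/Default user hive; user apps do not belong there")
    elif entry.kind in ("O2", "O3", "O9", "O18", "O23"):
        entry.path = entry.body.rsplit(" - ", 1)[-1]   # last field is the file or "(no file)"
    if entry.path == "(no file)":
        entry.path = None
        entry.flags.append("orphan: registry entry points at a file that no longer exists")
    return entry


def triage(log_text: str) -> List[Entry]:
    return [e for e in map(parse_line, log_text.splitlines()) if e is not None]


def fix_list(entries: List[Entry]) -> List[str]:
    """Lines worth putting in a 'fix these' list, in HijackThis's own format."""
    return [f"{e.kind} - {e.body}" for e in entries if e.flags]


if __name__ == "__main__":
    entries = triage(SAMPLE_LOG)
    for e in entries:
        print(e.kind, "|", e.path or "-", "|", "; ".join(e.flags) or "ok")
    print("\nfix these:")
    print("\n".join(fix_list(entries)))
```

Everything this flags still needs a human decision: an orphaned CLSID is safe to remove because nothing loads, while an O23 service or an O4 Run entry with a real path is only suspicious if the path itself is, so the parsed `path` is there to be checked against what is actually installed.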
As far as Norton, I could see that being most of the slow startup. You mentioned about it being freeware, but I bought this 360 at the store. I've always heard it's the best anti-virus protection around. Do you recommend trying something else that's a little less bloaty? I'd sacrifice slow startup over protection any day of the week, however.

I had Yahoo Toolbar before but I uninstalled it (I thought). It definitely does not run in my IE browser, so those listings in your second set seem like they shouldn't be there, either. Are those running at startup? If so, what should I do to disable them? MyspaceIM is a program that I use, but I've disabled it from startup - only to run when I click on the shortcut/executable. Is it secretly running still in startup though?

I will do the remaining steps with the restore point and what not. Look forward to your reply on the Norton and Yahoo things, though.

You've been great, Momok. Absolutely fantastic guidance and help. I hope you know that you're appreciated extremely.
 