Virus disabled safe mode, keeps closing task manager, msconfig and anything related to anti virus

soulji, New Member (joined Jan 2007, 12 posts) | Posted 1-7-2007 1:16 (GMT +1)
Hi, I've searched through the forums and I've only found the solution to stop the virus from closing the task manager. The solution given was to load Windows in safe mode with networking and to install all those free programs (CCleaner, HijackThis)..
My problem is, Windows won't load in safe mode.. When I select any of the three options to start in safe mode, the screen displays drivers loading and then it stops there not doing anything, and I have to push the reset button to start again..
Btw, Windows loads just fine.. I can do the stuff I used to do before, except that I have no anti virus running (because it closes it) and I can't open the task manager, msconfig or regedit.. The virus closes any window that is related to an anti virus (e.g. when I open the folder containing the antivirus program) or even if I install a new one..
Help please....
Touch, Forum Moderator (joined Jun 2004, 14325 posts) | Posted 1-7-2007 1:38 (GMT +1)
Hi soulji
Let's hope you can run HijackThis and post a logfile -
1. Get this version of HijackThis from http://danborg.org/spy/hjt/alternativ.exe
2. Save it in a permanent folder of your choice, such as C:\HJT\. To create this specific folder on your hard drive: double click the 'My Computer' icon on your desktop, then under the category hard disk drives: double click Local Disk:, then select File -> New -> Folder and name it HJT.
3. Run HijackThis (alternativ.exe).
Choose the "Do a system scan and save a log file" option to perform your scan.
HijackThis will analyze your system, and automatically open a Notepad text file containing the HijackThis log when the scan is finished.
Open the text file containing the log with a text editor and click Edit -> Select All, followed by Edit -> Copy. From within the browser window and with the message body text box selected, click Edit -> Paste.
Post the HijackThis log.
Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.
Do not PM me with logfiles. They will be deleted.
soulji, New Member (joined Jan 2007, 12 posts) | Posted 1-7-2007 2:34 (GMT +1)
Oh man.. this virus is tough...
It also closes alternativ HJT... although I was able to scan a little, it did not have time to finish.. I was doing it like fifty times but the virus was too fast... Also, before that, I had to download msvbvm60.dll because it was missing and HJT couldn't start..
I can't even access this website (because it's related to an antivirus software) to post a reply.. it closes the browser automatically...
Btw, I was able to peek in the task manager and there were lsass.exe, services.exe, winlogon.exe and some other .exe (some are numbers so I can't memorise them) run by my username, aside from the ones run by the system... I've been infected by this before (I think it was Brontok or Explorasi) but I was able to clean it with AVG Free, but now I can't even open it... Also, I can see two "desktop" named folders, but they are actually applications (size is 42kb).
Good thing I have a PC (it's my laptop that got infected).
What should I do??? Please help..
Touch, Forum Moderator (joined Jun 2004, 14325 posts) | Posted 1-7-2007 2:49 (GMT +1)
It sounds like a rootkit you've got.
Please download the Gmer zip:
Unzip/extract it to the desktop.
Run gmer.exe, select the Rootkit tab and click the "Scan" button.
When the scan has finished, click on the Copy button, and post this log.
Post Edited (Touch) : 1/7/2007 1:50:38 PM GMT
soulji, New Member (joined Jan 2007, 12 posts) | Posted 1-7-2007 5:08 (GMT +1)
Hi.
Uhmm.. gmer.exe did run and was able to scan, but every time it scans \Device\{576D289D-F42A-4212-97E7-6EB65DB53672} it gets stuck... it's still responding but it's not moving on...
Btw, on the Processes tab, I can see the virus running and it's Brontok, about 7 of them:
Process: C:\WINDOWS\system32\n5883\winlogon.exe Parameters: ~Brontok~Is~The~Best~
C:\WINDOWS\system32\n5883\services.exe ~Brontok~Serv~
C:\WINDOWS\system32\n5883\csrss.exe ~Brontok~SpreadMail~
C:\WINDOWS\system32\n5883\lsass.exe ~Brontok~Network~
C:\WINDOWS\Ja13386\ib6207.exe ~Brontok~Back~Log~
C:\WINDOWS\system32\n5883\b6207.exe ~Brontok~Back~Log~
C:\WINDOWS\system32\n5883\lsass.exe ~Brontok~To~LoadingInfo~
And also, there's a kill process option in the program... should I select all these viruses and kill the processes? And then run a virus scan? Would it harm my laptop if I do this?
Thanks for all the help...
Touch, Forum Moderator (joined Jun 2004, 14325 posts) | Posted 1-7-2007 5:38 (GMT +1)
I'm not sure about these files, as they look like legal files.
It's better you download catchme.exe from:
Run catchme.exe: post the log/s it produces in this thread.
soulji, New Member (joined Jan 2007, 12 posts) | Posted 1-7-2007 6:30 (GMT +1)
I think they're not legal files, because duplicates of these programs are also running at the same time but without the "Brontok" in the parameters, and they are located directly in the system32 folder and not within another folder like n5883...
Anyway.. here's the log file:
catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 98
Touch, Forum Moderator (joined Jun 2004, 14325 posts) | Posted 1-7-2007 7:54 (GMT +1)
It looks like you're right.
Please download Avenger by Swandog46 to your Desktop.
Start up Avenger. Check the 'Input script manually' option. Click the Magnifying Glass icon. In the box that opens, copy, then paste all the text in the quote box below.
Quote:
Files to delete:
C:\WINDOWS\system32\n5883\winlogon.exe
C:\WINDOWS\system32\n5883\services.exe
C:\WINDOWS\system32\n5883\csrss.exe
C:\WINDOWS\system32\n5883\lsass.exe
C:\WINDOWS\Ja13386\ib6207.exe
C:\WINDOWS\system32\n5883\b6207.exe
C:\WINDOWS\system32\n5883\lsass.exe
Folders to delete:
C:\WINDOWS\system32\n5883
Then click on 'Done'. Click the Traffic Light icon to start the program. Then press OK at the prompts to reboot your PC.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
Please copy/paste the content of C:\avenger.txt into your reply and tell how things are running now.
soulji, New Member (joined Jan 2007, 12 posts) | Posted Yesterday 7:20 (GMT +1)
Hi! Remember the plan I had to kill the processes with Brontok using gmer.exe? Well, I did that and it did stop those viruses running, so I was able to run task manager again and my anti virus program... I was able to run HJT and scan the PC.. I used AVG Free but it did not find any viruses, so I installed Kaspersky.. and it did find those viruses and was able to delete them.. BUT there's another big big problem!! I can't log in to any of the usernames!! I click one of the names and it says logging in.. but it eventually logs out without displaying any icon or the task bar... it's back on the welcome screen again... I can see the Kaspersky anti virus running on the upper right corner of the screen... help!
This is the HJT log file:
Logfile of HijackThis v1.99.1
Scan saved at 1:58:26 PM, on 1/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\gmer.exe
C:\hjt\alternative.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/wdgt3/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/wdgt3/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.upm.edu.ph:3128
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\o4307927.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\j6307922.exe
O1 - Hosts: 127.0.0.22 mcafee.com
O1 - Hosts: 127.0.0.22 www.mcafee.com
O1 - Hosts: 127.0.0.22 mcafee.net
O1 - Hosts: 127.0.0.22 www.mcafee.net
O1 - Hosts: 127.0.0.22 mcafee.org
O1 - Hosts: 127.0.0.22 www.mcafee.org
O1 - Hosts: 127.0.0.22 mcafeesecurity.com
O1 - Hosts: 127.0.0.22 www.mcafeesecurity.com
O1 - Hosts: 127.0.0.22 mcafeesecurity.net
O1 - Hosts: 127.0.0.22 www.mcafeesecurity.net
O1 - Hosts: 127.0.0.22 mcafeesecurity.org
O1 - Hosts: 127.0.0.22 www.mcafeesecurity.org
O1 - Hosts: 127.0.0.22 mcafeeb2b.com
O1 - Hosts: 127.0.0.22 www.mcafeeb2b.com
O1 - Hosts: 127.0.0.22 mcafeeb2b.net
O1 - Hosts: 127.0.0.22 www.mcafeeb2b.net
O1 - Hosts: 127.0.0.22 mcafeeb2b.org
O1 - Hosts: 127.0.0.22 www.mcafeeb2b.org
O1 - Hosts: 127.0.0.22 nai.com
O1 - Hosts: 127.0.0.22 www.nai.com
O1 - Hosts: 127.0.0.22 nai.net
O1 - Hosts: 127.0.0.22 www.nai.net
O1 - Hosts: 127.0.0.22 nai.org
O1 - Hosts: 127.0.0.22 www.nai.org
O1 - Hosts: 127.0.0.22 vil.nai.com
O1 - Hosts: 127.0.0.22 www.vil.nai.com
O1 - Hosts: 127.0.0.22 vil.nai.net
O1 - Hosts: 127.0.0.22 www.vil.nai.net
O1 - Hosts: 127.0.0.22 vil.nai.org
O1 - Hosts: 127.0.0.22 www.vil.nai.org
O1 - Hosts: 127.0.0.22 grisoft.com
O1 - Hosts: 127.0.0.22 www.grisoft.com
O1 - Hosts: 127.0.0.22 grisoft.net
O1 - Hosts: 127.0.0.22 www.grisoft.net
O1 - Hosts: 127.0.0.22 grisoft.org
O1 - Hosts: 127.0.0.22 www.grisoft.org
O1 - Hosts: 127.0.0.22 kaspersky-labs.com
O1 - Hosts: 127.0.0.22 www.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 kaspersky.com
O1 - Hosts: 127.0.0.22 www.kaspersky.com
O1 - Hosts: 127.0.0.22 kaspersky.net
O1 - Hosts: 127.0.0.22 www.kaspersky.net
O1 - Hosts: 127.0.0.22 kaspersky.org
O1 - Hosts: 127.0.0.22 www.kaspersky.org
O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.com
O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 download.mcafee.com
O1 - Hosts: 127.0.0.22 www.download.mcafee.com
O1 - Hosts: 127.0.0.22 download.mcafee.net
O1 - Hosts: 127.0.0.22 www.download.mcafee.net
O1 - Hosts: 127.0.0.22 download.mcafee.org
O1 - Hosts: 127.0.0.22 www.download.mcafee.org
O1 - Hosts: 127.0.0.22 norton.com
O1 - Hosts: 127.0.0.22 www.norton.com
O1 - Hosts: 127.0.0.22 norton.net
O1 - Hosts: 127.0.0.22 www.norton.net
O1 - Hosts: 127.0.0.22 norton.org
O1 - Hosts: 127.0.0.22 www.norton.org
O1 - Hosts: 127.0.0.22 symantec.com
O1 - Hosts: 127.0.0.22 www.symantec.com
O1 - Hosts: 127.0.0.22 symantec.net
O1 - Hosts: 127.0.0.22 www.symantec.net
O1 - Hosts: 127.0.0.22 symantec.org
O1 - Hosts: 127.0.0.22 www.symantec.org
O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.com
O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.net
O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.net
O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.org
O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.org
O1 - Hosts: 127.0.0.22 liveupdate.symantec.com
O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.com
O1 - Hosts: 127.0.0.22 liveupdate.symantec.net
O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.net
O1 - Hosts: 127.0.0.22 liveupdate.symantec.org
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [A4893r] "C:\WINDOWS\j6307922.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [y1992Jas] "C:\WINDOWS\system32\n5883\sv711243830r.exe"
O4 - Startup: Startup.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
And this is the AVENGER log file: I used Avenger but the virus kept running after a restart... I used this before I did HJT..
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Error: could not create zip file. Error code: 1813
//////////////////////////////////////////
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kpsgcwsv
*******************
Script file located at: \??\C:\Program Files\iqgonnyd.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
File C:\WINDOWS\system32\n5883\winlogon.exe deleted successfully.
File C:\WINDOWS\system32\n5883\services.exe deleted successfully.
File C:\WINDOWS\system32\n5883\csrss.exe deleted successfully.
File C:\WINDOWS\system32\n5883\lsass.exe deleted successfully.
File C:\WINDOWS\Ja13386\ib6207.exe deleted successfully.
File C:\WINDOWS\system32\n5883\b6207.exe deleted successfully.
File C:\WINDOWS\system32\n5883\lsass.exe not found!
Deletion of file C:\WINDOWS\system32\n5883\lsass.exe failed!
Could not process line:
C:\WINDOWS\system32\n5883\lsass.exe
Status: 0xc0000034
Folder C:\WINDOWS\system32\n5883 deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Touch, Forum Moderator (joined Jun 2004, 14325 posts) | Posted Yesterday 8:18 (GMT +1)
Before we continue, please tell - can you boot to safe mode now?
soulji, New Member (joined Jan 2007, 12 posts) | Posted Yesterday 8:38 (GMT +1)
No.. oh my... does it really take long to boot in safe mode? Do I have to wait?
Touch, Forum Moderator (joined Jun 2004, 14325 posts) | Posted Yesterday 8:50 (GMT +1)
Never mind, we'll remove some of the infections manually -
Run HijackThis and place a check beside each of the following. Close all other browser windows except HJT. Click Fix checked:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.upm.edu.ph:3128
<< If you don't use a proxy server
----------------------------------------
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\o4307927.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\j6307922.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [A4893r] "C:\WINDOWS\j6307922.exe"
O4 - HKCU\..\Run: [y1992Jas] "C:\WINDOWS\system32\n5883\sv711243830r.exe"
O4 - Startup: Startup.exe
O4 - Global Startup: Startup.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Start up Avenger. Check the 'Input script manually' option. Click the Magnifying Glass icon. In the box that opens, copy, then paste all the text in the quote box below.
Quote:
Files to delete:
C:\WINDOWS\o4307927.exe
C:\WINDOWS\j6307922.exe
C:\WINDOWS\j6307922.exe
C:\WINDOWS\system32\n5883\sv711243830r.exe
Then click on 'Done'. Click the Traffic Light icon to start the program. Then press OK at the prompts to reboot your PC.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
Please copy/paste the content of C:\avenger.txt into your reply along with a fresh HJT log and tell how things are running.
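The entries Touch singles out above (the F2 Shell/UserInit hooks, the hosts-file redirects of vendor domains to 127.0.0.22, the Run key in the Windows folder, the DisableRegedit policy) and the impersonated system processes soulji saw in gmer can all be picked out of a HijackThis log mechanically. The script below is an added example, not code from the forum or from HijackThis; its sample log is constructed from lines posted in this thread, and its heuristics (vendor-name hints, the System32 location check) are assumptions for illustration.

```python
"""Triage a HijackThis-style log for the entries flagged in this thread.

Added example, not code from the forum or from HijackThis. SAMPLE_LOG is
constructed from lines soulji posted; the heuristics (vendor-name hints, the
System32 location check) are assumptions for illustration, not HijackThis rules.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Names the worm reused for its own processes; the genuine binaries live in System32.
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "csrss.exe", "lsass.exe"}
# Fragments of the security-vendor domains the posted hosts file pointed at 127.0.0.22.
AV_VENDOR_HINTS = ("mcafee", "nai.", "grisoft", "kaspersky", "norton", "symantec")

# Constructed sample (one entry per line, as HijackThis itself writes them).
SAMPLE_LOG = """Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\n5883\\winlogon.exe
C:\\WINDOWS\\Explorer.exe
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = proxy.upm.edu.ph:3128
F2 - REG:system.ini: Shell=Explorer.exe "C:\\WINDOWS\\o4307927.exe"
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\j6307922.exe
O1 - Hosts: 127.0.0.22 www.kaspersky.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [kav] "C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe"
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O4 - HKLM\\..\\Run: [A4893r] "C:\\WINDOWS\\j6307922.exe"
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
"""

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")          # R0, F2, O1, O4, O23 ...
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_TARGET_RE = re.compile(r'\]\s+"?([A-Za-z]:\\[^"]+?\.exe)"?', re.IGNORECASE)
WINDOWS_ROOT_EXE_RE = re.compile(r"[A-Za-z]:\\WINDOWS\\[^\\]+\.exe", re.IGNORECASE)


def is_system32(path: str) -> bool:
    """True only for a file sitting directly in <drive>:\\Windows\\System32."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) == 4 and parts[1] == "windows" and parts[2] == "system32"


def triage(log: str) -> list[tuple[str, str]]:
    """Return (finding, log line) pairs for the patterns this thread turned up."""
    findings = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            in_processes = False
        if in_processes:
            # A system binary name running from anywhere but System32 (e.g. ...\n5883\).
            if PureWindowsPath(line).name.lower() in SYSTEM_BINARIES and not is_system32(line):
                findings.append(("masquerade", line))
            continue
        if line.startswith("F2 - REG:system.ini: Shell="):
            # Winlogon Shell should be exactly Explorer.exe; anything appended runs at logon.
            if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(("winlogon-shell", line))
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            # Userinit is normally "<system32>\userinit.exe," alone; a second path is a hook.
            entries = [e.strip() for e in line.split("UserInit=", 1)[1].split(",") if e.strip()]
            if len(entries) != 1 or not entries[0].lower().endswith("\\system32\\userinit.exe"):
                findings.append(("winlogon-userinit", line))
        elif line.startswith("O1 - Hosts:"):
            # Vendor domains pointed at loopback block AV updates and vendor web access.
            m = HOSTS_RE.match(line)
            if m and m.group(1).startswith("127.") and any(h in m.group(2).lower() for h in AV_VENDOR_HINTS):
                findings.append(("hosts-av-block", line))
        elif line.startswith("O4 - "):
            # A Run-key target directly in the Windows folder is unusual for installed
            # software and worth a look (explorer.exe and a few others also live there).
            m = RUN_TARGET_RE.search(line)
            if m and WINDOWS_ROOT_EXE_RE.fullmatch(m.group(1)):
                findings.append(("run-key-windows-root", line))
        elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
            findings.append(("regedit-disabled", line))
    return findings


if __name__ == "__main__":
    for kind, entry in triage(SAMPLE_LOG):
        print(f"[{kind}] {entry}")
```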
soulji, New Member (joined Jan 2007, 12 posts) | Posted Yesterday 9:24 (GMT +1)
Uhmm. You seem to have forgotten that I cannot log in? So I can't run HJT.. how do I get in? Pleaaseeeee.........
Touch, Forum Moderator (joined Jun 2004, 14325 posts) | Posted Yesterday 9:46 (GMT +1)
No, I have not forgotten it, just curious - how can you post a HijackThis log, if you can't run it?
Run the Avenger part.
Reboot and tell how things are running now.
soulji, New Member (joined Jan 2007, 12 posts) | Posted Yesterday 9:52 (GMT +1)
I was able to run it before I was not able to log in.. I ran HijackThis, then saved the log file on my USB, then posted it on the other PC, then I ran Kaspersky anti virus.. then it deleted those viruses.. then it automatically restarted (maybe to fully delete some viruses). After that I can't log in anymore, so now I'm stuck at the welcome page with usernames....
(edited)
Oh.. a window comes up just after I click a username. It says: SAS window: winlogon.exe - Corrupt file. The file or directory C: is corrupt and unreadable. Please run the Chkdsk utility.
This message flashed even before.. when I was still running gmer.exe and killed the processes... e.g. gmer.exe - corrupt file as the heading, with the same message, but this did not do anything strange.. it popped up a couple of times but gmer was still running... I was even able to restart when I installed Kaspersky... but as I said, this started after I ran a scan on the critical areas...
Post Edited (soulji) : 1/8/2007 8:54:24 AM GMT
Touch, Forum Moderator (joined Jun 2004, 14325 posts) | Posted Yesterday 10:00 (GMT +1)
I hate that anti spam filter.
Sorry, I should have read your last post more carefully. The infections can have corrupted some system files, that's why you can't log in. I therefore suggest you do a repair without loss of data -
soulji, New Member (joined Jan 2007, 12 posts) | Posted Yesterday 11:05 (GMT +1)
Hi. I followed the repair instructions and was able to run the repair until it told me to reboot... so I did.. The instructions say NOT to press any key to boot from CD when asked.. so I followed it, and then Windows loaded and I'm back on the welcome page, but I still can't log in... The instructions say on no. 6 setup will continue as if it were doing a clean install, but your applications will remain intact... this did not happen... So what will I do now? Do the repair again?
Touch, Forum Moderator (joined Jun 2004, 14325 posts) | Posted Yesterday 1:46 (GMT +1)
Unfortunately I have bad news for you -
"Some infections are specifically designed to hide the activities of other viruses and worms, and compromise the operating system so that it may not be repaired. If your machine is infected with such an infection, you will very likely not be able to regain complete control of the system. Reinstallation is highly recommended."
soulji, New Member (joined Jan 2007, 12 posts) | Posted Yesterday 2:09 (GMT +1)
Ohh... well, do you have any suggestion how to recover my files? Please... would it work if I got the hard drive from my laptop and bought an external case, so that I could just plug it in to my PC and recover my files?
Touch, Forum Moderator (joined Jun 2004, 14325 posts) | Posted Yesterday 2:36 (GMT +1)
To tell the truth - I don't know.
soulji, New Member (joined Jan 2007, 12 posts) | Posted Yesterday 2:42 (GMT +1)
Oh man...
Well.. thank you for all your help..
It's been a tough battle but I guess we lost..
At least now I have some things to guard myself with for future attacks...
I'll be posting some other issues soon...
Thanks again...