reformatted 3rd time - killer spyware

Hewlett-packard / Hp compaq dx6100 st(pk868...
May 20, 2009 at 10:04:34
Specs: Microsoft Windows XP Professional, 3.194 GHz / 503 MB
Hi,

This is the 3rd time I've reformatted my computer due to some virus called 'autorun' ..'global.exe' or SmitFraud infection...

What happens is my administrator controls are gradually disabled; I can't use Windows Media Player, Microsoft Word etc. afterwards.

Then my CD keeps ejecting itself!
Then I keep on hearing this indigo 'beep' noise every 5 seconds.
Then this flying banner keeps coming onto the screen every 10 seconds that says 'this computer is being attacked'.

Not only that, all the files associated with the computer are ENTIRELY INFECTED, every single file.. and as soon as I plug in a USB stick or external hard drive, the virus automatically copies itself straight away without me even copying anything. It's extremely frustrating!

I remember asking in this thread the 2nd time I reformatted; a person did say they could help me.. but then they said something like it was 'deeply entrenched in the system' or something when I showed them my HijackThis log..

I guess the reason why he said that is because I've used 'system restore' several times to make the computer more functional... only to return to its annoying dysfunctional state a few days later, faster than before.

I've reformatted, I've inserted some USB sticks that DID have the virus, but only after I've formatted the USB sticks as well..

I've tried finding the registry keys and tried modifying some like somebody instructed me to; I think they were the cntrlpanel registry keys that I had to change the numbers to. I tried deleting some other registry keys.. it really didn't work =/

Can someone help me please? Exam time is coming up in 3 weeks and I need my computer working properly again.

tea




#1
May 20, 2009 at 11:07:58
Hey,
Follow these steps:

1) Download and run Kaspersky AVP tool:

http://devbuilds.kaspersky-labs.com...

Once you download and start the tool, select all the objects/places to be scanned and hit Scan. Fix what it detects and at the end of the scan post a screenshot/log of the detected items that it fixed and those it could not fix.

Once you post the log we will proceed from there.

--------------------------------------------
To Private Message me Click Here



#2
May 23, 2009 at 19:41:22
Hey,

I've scanned my computer overnight (except for my CD drive, I hope it doesn't make a difference) in safe mode.
It took longer than I expected; after 1 hour it was still scanning 1% of my PC, so I slept while it scanned the rest.. it must have sped up a bit.

It detected 18 viruses; I tried to neutralize them all.

After I restarted the computer though, I can still hear the noise in the background, my CD still ejects and the banner is still floating now.

The whole log file is huge, so I can't post it on this thread; if you want, I can just copy and paste the virus bit.


Start of the logfile:

Scan
----
Scanned: 377216
Detected: 18
Untreated: 0
Start time: 5/24/2009 4:06:28 AM
Duration: 08:00:30
Finish time: 5/24/2009 12:06:58 PM


Detected
--------
Status Object
------ ------
will be deleted when the computer is restarted: virus Worm.Win32.AutoRun.eee File: C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
will be deleted when the computer is restarted: virus Worm.Win32.AutoRun.eee File: C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
will be deleted when the computer is restarted: virus Worm.Win32.AutoRun.eee File: C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
deleted: virus Worm.Win32.AutoRun.eee File: c:\ms-dos.com
deleted: virus Worm.Win32.AutoRun.eee File: c:\windows\pchealth\global.exe
deleted: virus Worm.Win32.AutoRun.eee File: c:\windows\fonts\fonts.exe
deleted: virus Worm.Win32.AutoRun.eee File: c:\windows\system\keyboard.exe
deleted: virus Worm.Win32.AutoRun.eee File: c:\windows\system32\dllcache\default.exe
deleted: virus Worm.Win32.AutoRun.eee File: c:\windows\pchealth\helpctr\binaries\helphost.com
deleted: Trojan program Trojan.VBS.Runner.be File: c:\windows\cursors\boom.vbs
deleted: virus Worm.Win32.AutoRun.eee File: c:\windows\system32\drivers\drivers.cab.exe
deleted: virus Worm.Win32.AutoRun.eee File: c:\windows\media\rndll32.pif
deleted: virus Worm.Win32.AutoRun.eee File: c:\windows\fonts\tskmgr.exe
deleted: Trojan program Trojan-Downloader.Win32.Agent.bxoj File: C:\Documents and Settings\sophannara\My Documents\Azureus Downloads\Cyberlink PowerDVD 8.3 Multilangual + KeyMaker-CORE\Cyberlink PowerDVD 8.3 Multilangual + KeyMaker-CORE.exe//data0000.cab/downloader.exe
deleted: virus Worm.Win32.AutoRun.eee File: C:\WINDOWS\Help\microsoft.hlp
deleted: virus Worm.Win32.AutoRun.eee File: C:\WINDOWS\system32\regedit.exe
deleted: virus Worm.Win32.AutoRun.eee File: C:\WINDOWS\system32\dllcache\Global.exe
deleted: virus Worm.Win32.AutoRun.eee File: C:\WINDOWS\system32\dllcache\svchost.exe

And this part was at the end of the logfile.

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll ok scanned
5/24/2009 7:36:03 AM File: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7\dxmrtp.dll ok scanned
5/24/2009 7:36:03 AM File: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2.3_x-ww_d6bd8b95\rtcdll.dll ok scanned
5/24/2009 7:36:04 AM File: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2.3_en_16a24bc0\rtcres.dll ok scanned
5/24/2009 7:36:04 AM File: c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\global.exe detected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:00 PM File: c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\global.exe backed up
5/24/2009 12:00:00 PM File: c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\global.exe will be deleted on system restart
5/24/2009 12:00:08 PM File: c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\svchost.exe detected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:08 PM File: c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\svchost.exe backed up
5/24/2009 12:00:08 PM File: c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\svchost.exe will be deleted on system restart
5/24/2009 12:00:08 PM File: c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\system.exe detected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:08 PM File: c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\system.exe backed up
5/24/2009 12:00:08 PM File: c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\system.exe will be deleted on system restart
5/24/2009 12:00:08 PM File: c:\ms-dos.com detected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:08 PM File: c:\ms-dos.com backed up
5/24/2009 12:00:08 PM Startup object: c:\autorun.inf\autorun\Open disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:08 PM Startup object: c:\autorun.inf\autorun\Shellexecute disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:08 PM Startup object: c:\autorun.inf\autorun\Shell\Open\command disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:08 PM Startup object: c:\autorun.inf\autorun\Shell\Explore\command disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:09 PM File: c:\ms-dos.com deleted
5/24/2009 12:00:09 PM File: c:\windows\pchealth\global.exe detected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:09 PM File: c:\windows\pchealth\global.exe backed up
5/24/2009 12:00:09 PM Startup object: HKEY_LOCAL_MACHINE\Software\Classes\regfile\shell\open\command\ disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:09 PM File: c:\windows\pchealth\global.exe deleted
5/24/2009 12:00:09 PM File: c:\windows\fonts\fonts.exe detected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:09 PM File: c:\windows\fonts\fonts.exe backed up
5/24/2009 12:00:09 PM Startup object: HKEY_LOCAL_MACHINE\Software\Classes\MSCFile\shell\open\command\ disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:09 PM Startup object: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\sys disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:09 PM Startup object: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:09 PM Startup object: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:09 PM Startup object: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:09 PM File: c:\windows\fonts\fonts.exe deleted
5/24/2009 12:00:09 PM File: c:\windows\system\keyboard.exe detected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:09 PM File: c:\windows\system\keyboard.exe backed up
5/24/2009 12:00:09 PM Startup object: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:10 PM File: c:\windows\system\keyboard.exe deleted
5/24/2009 12:00:10 PM File: c:\windows\system32\dllcache\default.exe detected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:10 PM File: c:\windows\system32\dllcache\default.exe backed up
5/24/2009 12:00:10 PM Startup object: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\ disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:10 PM Startup object: HKEY_USERS\S-1-5-21-1409082233-1123561945-725345543-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce\ disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:10 PM File: c:\windows\system32\dllcache\default.exe deleted
5/24/2009 12:00:10 PM File: c:\windows\pchealth\helpctr\binaries\helphost.com detected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:10 PM File: c:\windows\pchealth\helpctr\binaries\helphost.com backed up
5/24/2009 12:00:11 PM Startup object: HKCU\S-1-5-21-1409082233-1123561945-725345543-1003\Control Panel\Desktop\SCRNSAVE.EXE disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:11 PM Startup object: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessManager.exe\Debugger disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:11 PM Startup object: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:11 PM File: c:\windows\pchealth\helpctr\binaries\helphost.com deleted
5/24/2009 12:00:11 PM File: c:\windows\cursors\boom.vbs detected Trojan program 'Trojan.VBS.Runner.be'
5/24/2009 12:00:11 PM File: c:\windows\cursors\boom.vbs backed up
5/24/2009 12:00:11 PM Startup object: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0\Script disinfected Trojan program 'Trojan.VBS.Runner.be'
5/24/2009 12:00:11 PM Startup object: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\0\Script disinfected Trojan program 'Trojan.VBS.Runner.be'
5/24/2009 12:00:11 PM Startup object: HKEY_USERS\S-1-5-21-1409082233-1123561945-725345543-1003\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\0\0\Script disinfected Trojan program 'Trojan.VBS.Runner.be'
5/24/2009 12:00:11 PM File: c:\windows\cursors\boom.vbs deleted
5/24/2009 12:00:11 PM File: c:\windows\system32\drivers\drivers.cab.exe detected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:11 PM File: c:\windows\system32\drivers\drivers.cab.exe backed up
5/24/2009 12:00:11 PM Startup object: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:11 PM Startup object: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:11 PM Startup object: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:12 PM File: c:\windows\system32\drivers\drivers.cab.exe deleted
5/24/2009 12:00:12 PM File: c:\windows\media\rndll32.pif detected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:12 PM File: c:\windows\media\rndll32.pif backed up
5/24/2009 12:00:12 PM Startup object: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:12 PM File: c:\windows\media\rndll32.pif deleted
5/24/2009 12:00:12 PM File: c:\windows\fonts\tskmgr.exe detected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:12 PM File: c:\windows\fonts\tskmgr.exe backed up
5/24/2009 12:00:12 PM Startup object: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger disinfected virus 'Worm.Win32.AutoRun.eee'
5/24/2009 12:00:12 PM File: c:\windows\fonts\tskmgr.exe deleted
5/24/2009 12:00:12 PM File: c:\documents and settings\sophannara\my documents\azureus downloads\cyberlink powerdvd 8.3 multilangual + keymaker-core\cyberlink powerdvd 8.3 multilangual + keymaker-core.exe archive Rsrc-Package
5/24/2009 12:02:27 PM File: c:\documents and settings\sophannara\my documents\azureus downloads\cyberlink powerdvd 8.3 multilangual + keymaker-core\cyberlink powerdvd 8.3 multilangual + keymaker-core.exe//data0000.cab archive CAB
5/24/2009 12:02:32 PM File: c:\documents and settings\sophannara\my documents\azureus downloads\cyberlink powerdvd 8.3 multilangual + keymaker-core\cyberlink powerdvd 8.3 multilangual + keymaker-core.exe//data0000.cab/downloader.exe detected Trojan program 'Trojan-Downloader.Win32.Agent.bxoj'
5/24/2009 12:04:06 PM File: c:\documents and settings\sophannara\my documents\azureus downloads\cyberlink powerdvd 8.3 multilangual + keymaker-core\cyberlink powerdvd 8.3 multilangual + keymaker-core.exe backed up


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------
All objects 377216 18 5 13 0 3083 2399 471 2
System memory 994 3 3 3 0 0 0 0 0
Startup objects 641 10 0 10 0 0 117 0 0
Disk boot sectors 2 0 0 0 0 0 0 0 0
My Documents 24035 1 1 0 0 259 41 157 0
Mail databases 2 0 0 0 0 1 0 0 0
My Computer 176548 4 4 0 0 1412 1179 157 1
3.5 Floppy (A:) 0 0 0 0 0 0 0 0 0
Local Disk (C:) 174994 0 0 0 0 1411 1062 157 1


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search No
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
Infected: virus Worm.Win32.AutoRun.eee c:\windows\system\keyboard.exe 220 KB
Infected: virus Worm.Win32.AutoRun.eee c:\windows\pchealth\helpctr\binaries\helphost.com 220 KB
Infected: Trojan program Trojan-Downloader.Win32.Agent.bxoj c:\documents and settings\sophannara\my documents\azureus downloads\cyberlink powerdvd 8.3 multilangual + keymaker-core\cyberlink powerdvd 8.3 multilangual + keymaker-core.exe 156 MB
Infected: virus Worm.Win32.AutoRun.eee c:\windows\media\rndll32.pif 220 KB
Infected: virus Worm.Win32.AutoRun.eee c:\windows\system32\dllcache\default.exe 220 KB
Infected: virus Worm.Win32.AutoRun.eee c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\svchost.exe 220 KB
Infected: virus Worm.Win32.AutoRun.eee c:\windows\fonts\tskmgr.exe 220 KB
Infected: virus Worm.Win32.AutoRun.eee c:\windows\fonts\fonts.exe 220 KB
Infected: virus Worm.Win32.AutoRun.eee c:\windows\pchealth\global.exe 220 KB
Infected: virus Worm.Win32.AutoRun.eee c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\system.exe 220 KB
Infected: virus Worm.Win32.AutoRun.eee c:\windows\system32\drivers\drivers.cab.exe 220 KB
Infected: virus Worm.Win32.AutoRun.eee c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\global.exe 220 KB
Infected: Trojan program Trojan.VBS.Runner.be c:\windows\cursors\boom.vbs 4.3 KB
Infected: virus Worm.Win32.AutoRun.eee c:\ms-dos.com 220 KB


Could I just ask, have you ever met anybody faced with this problem before? I think this virus must be spreading pretty quickly; it's infected all the USB drives I've connected.. all the files on my comp. I think I received the virus this time through downloading an infected file! I saw in the log that one of the files in my downloaded programs folder was infected..

tea



#3
May 23, 2009 at 19:55:26
Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode. If avz.exe doesn't start, try renaming the file avz.exe to something else and run it again.

1) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot a LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

--------------------------------------------
To Private Message me Click Here



#4
May 24, 2009 at 02:29:09
Hey.
Thanks for replying so fast all the time; I'm surprised how quickly you always get back to me!

Here's the link:
http://rapidshare.com/files/2366214...



#5
May 24, 2009 at 05:15:21
Run this script in AVZ. Your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\Fonts\Fonts.exe','');
QuarantineFile('C:\WINDOWS\system32\dllcache\Default.exe','');
QuarantineFile('C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com','');
QuarantineFile('C:\WINDOWS\system\KEYBOARD.exe','');
QuarantineFile('c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\system.exe','');
QuarantineFile('c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\svchost.exe','');
QuarantineFile('c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\global.exe','');
DeleteFile('c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\global.exe');
DeleteFile('c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\svchost.exe');
DeleteFile('c:\windows\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\system.exe');
DeleteFile('C:\WINDOWS\system\KEYBOARD.exe');
DeleteFile('C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com');
DeleteFile('C:\WINDOWS\system32\dllcache\Default.exe');
DeleteFile('C:\WINDOWS\Fonts\Fonts.exe');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After the reboot, follow these steps carefully.
Attach a Combofix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before saving it to the Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please upload that file to rapidshare.com and paste the link here.

--------------------------------------------
To Private Message me Click Here



#6
May 24, 2009 at 07:50:26
Hey,
OK, I've printed out the steps you've told me. I read about disabling any antispyware/antivirus programs.. the only one I have is that 'KASPERSKY ANTIVIRUS' tool program you sent me. I'm not sure exactly if it installed or not.. but I can't find it in my system tray to 'right click' on it and 'pause protection'...

I can start it up, but all it lets me do is pretty much scan and save logs.

Does that mean it's already disabled if it's not shown in the system tray or 'Start' menu?



#7
May 24, 2009 at 08:02:37
Yes, the AVP tool doesn't run in the background.

--------------------------------------------
To Private Message me Click Here



#8
May 24, 2009 at 09:30:48
Wow. I cannot believe this! After I ran the script the banner stopped flying, the sound stopped beeping.. and also now I can use my CD drive =D

I've had this virus/spyware problem on my computer for at least 4 months and I've had several IT mods tell me that it's too hard to get rid of...

Here's my logfile.

http://rapidshare.com/files/2367573...

I hope I'm not getting my hopes up.. I remember how it came back after I reformatted.



#9
May 24, 2009 at 11:18:10
Follow these steps in the order numbered:

1) Run this script in AVZ. Your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\huadio.tmp','');
QuarantineFile('c:\windows\system32\drivers\49122841.sys','');
DeleteFile('c:\windows\system32\drivers\49122841.sys');
QuarantineFile('c:\windows\system32\dllcache\svchost.exe','');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) Run this script in AVZ:

begin
CreateQurantineArchive('c:\quarantine.zip');
end.

3) A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file.

4) Lastly, uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > Run > type combofix /u > OK. Or Start > Run > type 123 /u > OK.

Yeah, follow these steps for removal; at the end I will answer your questions on how to keep malware out of your system for good.

--------------------------------------------
To Private Message me Click Here



#10
May 27, 2009 at 22:29:30
Hey, sorry I haven't been replying back; I've just been occupied at uni. I've been cramming homework from 9am-5pm and studying from 11pm-2.30am in the morning sometimes.. it's really intense this week; afterwards it's all just studying for exams in 3 weeks.

I'll be following your steps shortly.

Also, I really want to show my appreciation somehow. Do you have a PayPal account? I want to donate some money to you for your help.

I really wonder what kind of people out there actually do these things voluntarily and take up their own time just to help others..



#11
May 28, 2009 at 06:20:44
Try to complete Response Number 9 as soon as possible before files get moved/altered.

--------------------------------------------
Donate



#12
May 28, 2009 at 07:37:26
Hey, here is my uploaded file.

http://rapidshare.com/files/2381820...

I have many friends who have been living in the UK and studying there on student visas and they have loved it. I heard it's pretty dangerous there though.

Anyway, I heard things are pretty expensive over there.. I haven't been working recently; I hope my donation can at least buy you a filling lunch somehow, so I apologise if it's very small.



#13
May 28, 2009 at 07:47:29
Thanks. I am not doing this to get something back; however, I greatly appreciate it, thanks again. Response Number 9 Steps 1, 2 and 3 are missing some files, especially c:\quarantine.zip. Try not to paste the link here, as it might contain an active virus and other people viewing this thread might get infected if they download it.

-------------------------------------------------



#14
May 28, 2009 at 08:46:45
Thanks for the files. Please follow these steps in the order numbered and post the summary log after each step.

1) If you use Windows System Restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q... Run a full scan with:

Download and run Kaspersky AVP tool:

http://devbuilds.kaspersky-labs.com...

Once you download and start the tool, select all the objects/places to be scanned and hit Scan. Fix what it detects and at the end of the scan post a screenshot/log of the detected items that it fixed and those it could not fix.

2) Run a full scan with http://www.eset.eu/online-scanner

# Check the box next to YES, I accept the Terms of Use.
# Click Start
# When asked, allow the ActiveX control to be installed.
# Click Start
# Check below options:

    * Remove found threats
    * Scan unwanted applications.

# Click Scan
# Wait for the scan to finish
# When it finishes it will create a log file here: C:\Program Files\EsetOnlineScanner\log.txt
# Attach this logfile to your next message.

Note: Turn System Restore back on if you wish; this is to remove malware from the System Volume Information files.

3) Install, update and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log, but please don't fix anything yet, until the log is reviewed.

4) House cleaning [Optional]. Scan with SuperAntiSpyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.

-------------------------------------------------

