help for a friend

Hi, after successfully receiving your help to fix Vanti-BK/Besso and a host in Mexico on my notebook… I’ve come to work and find that three computers are infected with something that is not showing up on what they use here, which is McAfee… Would it be too much to ask you to analyze this HijackThis log for them? (Maybe they will be convinced and switch to Avast) :slight_smile:

They can’t tell me a specific file name, just that it came through Messenger and every time Messenger is opened it starts transmitting files, one of which deleted the antivirus program from one of the computers. It was called “fotos_zip” and another received one referring to “fotos de Italia”.

I was wondering if it might be something obvious that shows up right away in HijackThis; I’m also about to run Dr.Web CureIt for them. Thanks!!

I’d recommend investigating these files:

C:\WINDOWS\system32\yixv.exe
%SystemRoot%\System32\syssetup.dll

Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, and upload the above files to VirusTotal for analysis.

Thanks!

Um… can you tell me where in the computer I would find those commands? Besides the fact that I don’t do this much, my friend’s computer runs a Spanish-language operating system, which complicates things for me :wink:
Thanks

VirusTotal will give you an option to browse to the files.

Hi Sonichko,

If you use the Firefox browser and install this add-on into it:
https://addons.mozilla.org/en-US/firefox/addon/3361
then you could translate English into Spanish and vice versa almost on the fly.

Con Dios,

polonus

Thanks Polonus!

We will have to get Firefox then! Actually I do speak Spanish, but as a second language, so it slows me down a bit with technical terms. (Hey, are you really from Poland? Do you speak Polish? Do you understand Russian then too?) :slight_smile:

Anyway: the first link is definitely a virus; it got a 9 out of 32 score on VirusTotal. Can I just Fix it in HijackThis, or do I need to copy-paste all that information here so as not to delete something important?

The second file that you gave me, Frank, to look for on my computer: I can’t find it! It starts with a percentage sign; where would that be? :slight_smile: Thanks…

Con Dios/ S Bogom,

Sonichko

Same place I think:

C:\WINDOWS\system32

Could you post the results here, just out of interest?

Kill the process C:\WINDOWS\system32\yixv.exe in Task Manager.

Run HijackThis! again, tick the following entry, close all other windows, then click ‘Fix’. Reboot into Safe Mode and delete the file.

O4 - HKLM\..\Run: [yixv] C:\WINDOWS\system32\yixv.exe \u

Hi Frank,

Here are the reports from VirusTotal…

OK, can you tell me how to get to Task Manager? I think I usually press Ctrl+Alt+Delete on my own notebook, but here nothing happens; there must be another way!

Hi Sonichko,

For the first one found, irc.bot.dgu, you will find a removal routine in Spanish here:
http://www.forospyware.com/t173691.html

polonus

The second file seems to be an innocent Windows upgrade file.

OK, can you tell me how to get to Task Manager? I think I usually press Ctrl+Alt+Delete on my own notebook, but here nothing happens; there must be another way!

Are you running as Admin? It’s possible the malware disabled Task Manager.

Try fixing the entry in HijackThis! and rebooting: that may be enough to get rid of it.

A couple of links regarding restoring Task Manager, if needed:

http://ask-leo.com/why_is_my_task_manager_disabled_and_how_do_i_fix_it.html
http://www.pchell.com/support/taskmanagerdisabled.shtml
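Since the thread leans on HijackThis O4 lines and on a Task Manager that may have been disabled, here is an added PowerShell snippet (not from this thread, HijackThis or any poster) that lists the same Run-key autostart entries, checks whether each target file carries a valid Authenticode signature, and reports the DisableTaskMgr policy value that malware commonly sets. It assumes a stock Windows registry layout and only reads from it; nothing is changed.

```powershell
# Added example: audit the Run keys HijackThis reports as O4 entries and
# check the Task Manager policy. Read-only; run from an elevated PowerShell.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        # Strip quotes and trailing arguments (e.g. the "\u" after yixv.exe above)
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $status = 'missing on disk'
        if (Test-Path -LiteralPath $exe) {
            # Valid = signed by a trusted publisher; NotSigned on a system32 binary is suspicious
            $status = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
        }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $exe; Signature = $status }
    }
}

# DisableTaskMgr=1 under Policies\System is what makes Ctrl+Alt+Delete "do nothing"
$polKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($k in $polKeys) {
    $v = (Get-ItemProperty -Path $k -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($v -eq 1) { Write-Warning "Task Manager is disabled by policy at $k (DisableTaskMgr=1)" }
}
```

Entries whose target is unsigned, missing, or lives in system32 under a random-looking name (like yixv.exe here) are the ones worth uploading to VirusTotal before fixing them.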

Ahh, good question! Well, I passed along your link (Polonus) to Claudia so she can continue work in Spanish tomorrow. I can’t come in tomorrow and her office is all locked up now, so I can’t try your suggestion for now, Frank (or for a few days probably!), but we did try to delete it in HijackThis and we will see what happens…

Thanks!!