Need Help!! (Virus hijacks PC as soon as I connect to internet)

I really need to see what processes are running, so to that end I will ask you to do something a bit weird

I would like you to download AVPTool and run the first part disconnected from the net. However, for the second, analysis part I would like you to connect before running the programme so that I can then see all processes that are active whilst it is running

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPfront.gif

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpsettings.gif

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif

On completion click the link to locate the zip file to upload and attach to your next post

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif

Megaupload

The initial Kaspersky report took over 10 hours to complete, but it did finally finish. It found 2 trojans in what looks like email folders. Report attached.

I’ll run the second scan right now and post the results when I can. :slight_smile:

make sure u keep the net connected while doing the manual disinfection process as essex told. :wink:

I did. Problem is… like I described above, connecting to the 'net freezes the computer. So the scan didn’t get far. Woke up to a frozen computer.

Since my last post, I’ve been patiently waiting for my laptop to come out of ‘sleep’ mode from the overnight scan… I had to unplug the ethernet to get any action at all.

It finally just popped up now… two MS-Dos looking windows were first to come up…

They are blank-black… but the top-left of one of the windows has the C:\ logo followed by “_uninst_33346271” they just disappeared as I was copying them down, but the other number was similar… they disappeared right as Kaspersky re-opened.

Kaspersky then asked for a system reboot with a little pop up window that said “error message is” but no error message was listed… and the install window is up, why Kaspersky needs to re-install is beyond me.

I’ll let it re-install and see if it managed to create any logs. I’m guessing the entire system crashed soon after plugging into the 'net.

Okey Dokey

Could you download and run the latest aswMBR please and also run a fresh OTL scan with all users selected. I now have a possible inkling about this

Cool — Re-downloaded ASW from the link you provided on page 1 and it shows a new File Version #. About to run it and then OTL as suggested.

I did manage to reboot a few times and get to Kaspersky’s aborted log. Looks like it shut off a few minutes after I started it, long before any sleep mode kicks in (I ran it and went to bed for the night, sleep mode kicks in after an hour or two).

Unfinished log attached, just in case it shows anything useful…

ASW Finished… here’s the scan log (seems like it found 2 things).

Do I click “Fix MBR”?

No it is not an MBR problem

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Files
ipconfig /flushdns /c
C:\Users\Joe\AppData\Local\Google\Update\1.3.21.79\GoogleCrashHandler.exe

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Here’s the OTL log… seemed to run as planned. I haven’t tried connecting to the 'net though… waiting to hear back first, just in case.

Could you try a connection please and let me know the result

Hey… was about to plug-in just like you asked, but noticed my ‘thinking light’ was buzzing a bit… opened up Task Manager and see that SearchFilterHost.exe is taking a bit of power. It goes up to 50 CPU and calms down to 4-5, then back up to 50, then back down, etc.

Just wanted to get your thoughts and see if I should still plug-in.

This process is used by the windows search and indexing service. It is indexing all the files on your computer in case you want to search for them … I have turned mine off ;D

Skynet itself must have hijacked my computer… cause it’s still slowing to a stop as soon as I plug in the ethernet cable.

Could you re-run the AVP analysis scan only - disconnected this time and then upload the entire zip file to either mediafire or megaupload or similar so that I can download it

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif

On completion click the link to locate the zip file to upload and attach to your next post

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif

Megaupload

OK… here it is:

http://www.megaupload.com/?d=7Q1N3YX4

I notice that you have YouSendIt.com installed - this is a file uploader, did you install it … It is running

[*]Re-run AVPTool
[*]Select the Manual Disinfection tab and press Script execution

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpmanual.gif

[*]Where it states Insert text script in the following box copy the below script and press Run script
Copy from Begin until End

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpscript.gif

begin
 DelBHO('{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}');
 DelBHO('{219C3416-8CB2-491a-A3C7-D9FCDDC9D600}');
 DeleteService('ASKUpgrade');
 SetServiceStart('ASKUpgrade', 4);
 DeleteService('ASKService');
 SetServiceStart('ASKService', 4);
 DeleteFile('C:\Program Files\AskBarDis\bar\bin\AskService.exe');
 BC_DeleteFile('C:\Program Files\AskBarDis\bar\bin\AskService.exe');
 DeleteFile('C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe');
 BC_DeleteFile('C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe');
 DeleteFile('C:\Program Files\Norton Internet Security\MUI\16.7.2.11\09\01\rcSvcHst.dll');
 BC_DeleteFile('C:\Program Files\Norton Internet Security\MUI\16.7.2.11\09\01\rcSvcHst.dll');
 DeleteFile('C:\Users\Joe\AppData\Local\Temp\_uninst_56657627.bat');
 BC_DeleteFile('C:\Users\Joe\AppData\Local\Temp\_uninst_56657627.bat');
end.

[*]Your system will reboot on completion, if it does not please do so yourself
[*]On completion please run another analysis scan and attach the zip file
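Before running a disinfection script like the one above, it helps to see exactly which BHOs, services and files it will touch. The following is an added Python example, not part of this thread or of AVPTool; it parses the begin…end. block (using only the function names that appear in the posted script) and groups the actions per target, so that a "now" plus "boot" entry for the same file shows it is deleted immediately and again at the next boot. The embedded script is a shortened copy of the one posted above.

```python
import re

# Constructed sample: a shortened copy of the AVPTool script posted above.
SCRIPT = r"""
begin
 DelBHO('{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}');
 DeleteService('ASKUpgrade');
 SetServiceStart('ASKUpgrade', 4);
 DeleteFile('C:\Program Files\AskBarDis\bar\bin\AskService.exe');
 BC_DeleteFile('C:\Program Files\AskBarDis\bar\bin\AskService.exe');
 DeleteFile('C:\Users\Joe\AppData\Local\Temp\_uninst_56657627.bat');
end.
"""

# One statement per line: Name('arg'[, arg]);
CALL_RE = re.compile(r"^(\w+)\((.*)\);$")

def parse_calls(script):
    """Return (name, [args]) for each statement between 'begin' and 'end.'."""
    calls, inside = [], False
    for line in script.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.lower() == "begin":
            inside = True
            continue
        if s.lower() == "end.":
            break
        if not inside:
            continue
        m = CALL_RE.match(s)
        if not m:
            raise ValueError(f"unparsed statement: {s!r}")
        args = [a.strip().strip("'") for a in m.group(2).split(",")]
        calls.append((m.group(1), args))
    return calls

def summarise(script):
    """Group actions by target so each BHO, service and path can be reviewed."""
    plan = {"bho": [], "services": {}, "files": {}, "other": []}
    for name, args in parse_calls(script):
        if name == "DelBHO":
            plan["bho"].append(args[0])
        elif name in ("DeleteService", "SetServiceStart"):
            entry = plan["services"].setdefault(args[0], set())
            entry.add("delete" if name == "DeleteService" else f"start={args[1]}")
        elif name in ("DeleteFile", "BC_DeleteFile"):
            entry = plan["files"].setdefault(args[0], set())
            entry.add("boot" if name.startswith("BC_") else "now")
        else:
            plan["other"].append((name, args))  # anything this parser does not know
    return plan
```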

Yeah, I installed that several years ago… haven’t used it in about a year though, had no idea it was running.

I’ll run the script and report back… in the meantime, should I attempt an internet connection after rebooting before reporting back?

ADDED: Whoops, just noticed the ‘run new scan and post the log’. Will do.

Here’s the newest new log…

http://www.megaupload.com/?d=NQ3LBVZ7

FYI — Connection to internet still results in PC locking up.