Rootkit Hidden Service

Hi, just looking for help as I have a serious virus on my laptop, running Windows 7.
The only thing I noticed at first was that I could not get on to any antivirus web pages, so I downloaded Avast in safe mode and it has detected the following:

Threat: rootkit Hidden Service
Threat: JS:ScriptPE-inf (trj)

Can’t delete or move to chest. Not sure what to do now as I can’t seem to get rid of these viruses and I’m guessing it’s going to be a complicated process! Can anyone help me get rid of this? PS: I am not an IT wizard, I know the basics (pretty much) but need something easy to follow if possible?

Any help would be greatly appreciated!

Thanks :slight_smile:

Can't delete or move to chest
Why? Any error message?

Hi there, let's take a look to see what you have

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

Hi, I have done the below, here is the log… I think!! Computer so slow today it took forever, hope it did it right…

I am not sure if OTL is man enough to totally kill this but let's see

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
SRV:64bit: - [2012/06/21 18:17:02 | 000,074,184 | ---- | M] () [Unknown (-1) | Unknown] -- C:\Windows\SysNative\drivers\b2892b92cea0254.sys -- (b2892b92cea0254)
SRV - [2012/06/27 18:15:58 | 000,415,232 | ---- | M] (Spec-Research) [Auto | Stopped] -- C:\Windows\Installer\{3D92EB45-C121-74B5-AACD-54E48AAB5FB9}\syshost.exe -- (syshost32)
DRV:64bit: - [2012/06/21 18:17:02 | 000,074,184 | ---- | M] () [Unknown (-1) | Unknown (-1) | Unknown] -- C:\Windows\SysNative\drivers\b2892b92cea0254.sys -- (b2892b92cea0254)
O4 - HKCU..\Run: [NujNcvln] C:\Users\Amy\AppData\Local\forbovcw\nujncvln.exe ()
O20 - HKLM Winlogon: UserInit - (C:\Users\Amy\AppData\Local\forbovcw\nujncvln.exe) - C:\Users\Amy\AppData\Local\forbovcw\nujncvln.exe ()
[2012/06/21 18:05:41 | 000,000,000 | ---D | C] -- C:\Users\Amy\AppData\Local\forbovcw
[2012/06/21 18:17:02 | 000,074,184 | ---- | M] () -- C:\Windows\SysNative\drivers\b2892b92cea0254.sys
[2012/06/21 18:16:38 | 000,008,212 | ---- | M] () -- C:\Windows\mfebcdata
[2012/06/21 18:05:40 | 000,092,004 | --S- | M] () -- C:\Users\Amy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nujncvln.exe
[2012/06/21 18:05:41 | 000,092,004 | --S- | C] () -- C:\Users\Amy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nujncvln.exe

:Files
ipconfig /flushdns /c
C:\Windows\Installer\{db024cfd-9b50-aaad-5a89-233f6a4a0f83}
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{db024cfd-9b50-aaad-5a89-233f6a4a0f83}
C:\Windows\System32\config\systemprofile\AppData\Local\{db024cfd-9b50-aaad-5a89-233f6a4a0f83}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now
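The OTL fix above is built from a few recurring line shapes in an OTL log: SRV/DRV service and driver entries, O4 Run-key entries and the O20 Winlogon UserInit entry. The following is an added example (not part of this thread and not OTL's own logic) that parses those shapes and applies the same kind of triage a helper does by eye: a driver with no publisher whose state OTL could not query, a service binary living under C:\Windows\Installer, an autorun launched from a user profile, and a UserInit value that is not the real userinit.exe. The sample lines are taken from the script above plus two constructed clean lines (a normal svchost service and a normal UserInit) to show what is not flagged; the heuristics and the expected UserInit path are assumptions of this example.

```python
"""Triage helper for OTL-style log lines (added example, not from the thread)."""
import re

# Constructed sample: indicator lines from the fix above plus two clean lines
# (svchost / userinit) made up for contrast.
SAMPLE_OTL = r"""
SRV:64bit: - [2012/06/21 18:17:02 | 000,074,184 | ---- | M] () [Unknown (-1) | Unknown] -- C:\Windows\SysNative\drivers\b2892b92cea0254.sys -- (b2892b92cea0254)
DRV:64bit: - [2012/06/21 18:17:02 | 000,074,184 | ---- | M] () [Unknown (-1) | Unknown (-1) | Unknown] -- C:\Windows\SysNative\drivers\b2892b92cea0254.sys -- (b2892b92cea0254)
SRV - [2012/06/27 18:15:58 | 000,415,232 | ---- | M] (Spec-Research) [Auto | Stopped] -- C:\Windows\Installer\{3D92EB45-C121-74B5-AACD-54E48AAB5FB9}\syshost.exe -- (syshost32)
SRV - [2009/07/14 02:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\svchost.exe -- (Schedule)
O4 - HKCU..\Run: [NujNcvln] C:\Users\Amy\AppData\Local\forbovcw\nujncvln.exe ()
O20 - HKLM Winlogon: UserInit - (C:\Users\Amy\AppData\Local\forbovcw\nujncvln.exe) - C:\Users\Amy\AppData\Local\forbovcw\nujncvln.exe ()
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
"""

# Service / driver line: kind, timestamp, size, attrs, (company), [state], path, (name)
SERVICE_RE = re.compile(
    r"^(?P<kind>SRV|DRV)(?::64bit:)? - \[(?P<ts>[^|]+?) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<company>[^)]*)\) \[(?P<state>[^\]]*)\] -- (?P<path>.+?) -- \((?P<name>[^)]*)\)$"
)
# O4 autorun line: hive, [value name], path, (company)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?) \((?P<company>[^)]*)\)$"
)
# O20 Winlogon UserInit line: (registry value), resolved path, (company)
USERINIT_RE = re.compile(
    r"^O20 - HKLM Winlogon: UserInit - \((?P<value>[^)]*)\) - (?P<path>.+?) \((?P<company>[^)]*)\)$"
)

# Assumed legitimate UserInit value on a default Windows install (compared case-insensitively).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def _unusual_service_location(path):
    """Heuristic: service binaries normally do not live in these directories."""
    p = path.lower()
    return "\\windows\\installer\\" in p or "\\users\\" in p or "\\temp\\" in p


def triage(text):
    """Parse OTL-style lines and return a list of findings with the reasons each was flagged."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            reasons = []
            if not m["company"]:
                reasons.append("no publisher/version info in the binary")
            if "Unknown" in m["state"]:
                reasons.append("OTL could not query the service state")
            if _unusual_service_location(m["path"]):
                reasons.append("binary in an unusual directory for a service")
            if reasons:
                findings.append({"kind": m["kind"], "name": m["name"], "path": m["path"], "reasons": reasons})
            continue
        m = RUN_RE.match(line)
        if m:
            reasons = []
            if "\\appdata\\" in m["path"].lower():
                reasons.append("autorun launches from a user profile")
            if not m["company"]:
                reasons.append("no publisher/version info in the binary")
            if reasons:
                findings.append({"kind": "O4", "name": m["name"], "path": m["path"], "reasons": reasons})
            continue
        m = USERINIT_RE.match(line)
        if m:
            value = m["value"].strip().rstrip(",").lower()
            if value != EXPECTED_USERINIT:
                findings.append({"kind": "O20", "name": "UserInit", "path": m["path"],
                                 "reasons": ["Winlogon UserInit does not point at the real userinit.exe"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"{f['kind']:4} {f['name']:18} {f['path']}")
        for r in f["reasons"]:
            print("      -", r)
```

Run against the sample it reports the two b2892b92cea0254 entries, syshost32, the NujNcvln autorun and the hijacked UserInit, and leaves the constructed svchost and userinit lines alone. The heuristics are deliberately narrow (they encode exactly the cues visible in this thread) and are a starting point for reading a log, not a substitute for checking the file itself.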

Hi - I did the run fix on OTL and have attached the log produced from that…
I did the ComboFix and followed the steps above; it came up with an “Administrator: Auto Scan” box… it completed up to stage 50 and then said

“system file infected, attempting to restore c:/windows/system32/services.exe”

Did it complete that ?

No, it just went to that last stage saying system file infected, and I left it for an hour and nothing happened!

OK, run OTL with the following script and run a quick scan

/md5start
services.*
/md5stop

Hi - sorry for the delays in responding, I’m so busy at the moment but trying to get on here as much as possible to see your replies - thanks so much for trying to help me!
I did the below and have attached the log that came from it…

We may have to work outside of Windows for this, as the small ComboFix run revealed the real culprit

Are you able to burn a CD, or do you have a spare USB drive?

  1. Please download The Avenger by Swandog46 to your Desktop.

[*]Right click on the Avenger.zip folder and select “Extract All…”
[*]Follow the prompts and extract the avenger folder to your desktop

  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Files to delete:
C:\Windows\system32\drivers\b2892b92cea0254.sys

Drivers to delete:
b2892b92cea0254

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

https://dl.dropbox.com/u/73555776/Avenger%20icon.GIF

[*]Accept the disclaimer

https://dl.dropbox.com/u/73555776/Avenger%20disclaim.GIF

[*]Right click on the window under Input script here:, and select Paste.

https://dl.dropbox.com/u/73555776/Avenger%20run.GIF

[*]You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
[*]Click on Execute
[*]Answer “Yes” twice when prompted.

  4. The Avenger will automatically do the following:

[*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
[*]The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

  5. Please copy/paste the content of c:\avenger.txt into your reply.

SORRY for the delay here - is it still OK to get your help with this? Bad form on my part, I’ve gotten into the habit of using my partner's laptop and forgotten about fixing mine :o

I did the last bits, used Avenger, it prompted the reboot which I did and it rebooted, but nothing then happened and I didn't see the black screen pop up…?

Not a problem, could you run a fresh OTL log for me please and update me on the current problems

Hi, here it is

Did you run Avenger?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
SRV:64bit: - [2012/06/21 18:17:02 | 000,074,184 | ---- | M] () [Unknown (-1) | Unknown] -- C:\Windows\SysNative\drivers\b2892b92cea0254.sys -- (b2892b92cea0254)
DRV:64bit: - [2012/06/21 18:17:02 | 000,074,184 | ---- | M] () [Unknown (-1) | Unknown (-1) | Unknown] -- C:\Windows\SysNative\drivers\b2892b92cea0254.sys -- (b2892b92cea0254)
[2012/09/01 13:33:46 | 000,000,000 | ---D | C] -- C:\Users\Amy\AppData\Roaming\Ocbu
[2012/09/01 13:33:46 | 000,000,000 | ---D | C] -- C:\Users\Amy\AppData\Roaming\Ocaxc
[2012/09/01 13:33:46 | 000,000,000 | ---D | C] -- C:\Users\Amy\AppData\Roaming\Daytte
[2012/09/01 16:59:51 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\bvljyyp.sys
[2010/02/07 16:17:01 | 000,000,000 | -HSD | M] -- C:\Users\Amy\AppData\Roaming\.#

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hi, I did that fix in OTL and then did a quick scan, here is today's log… hope we can fix this! I’ve tried to log in to my online banking and I’m now getting a dodgy screen that comes up asking for ALL my card details, account number and passwords… virus ridden much!!

OK, I will have to use AVP for this I feel, as that service/driver is still there. Once the analysis scan is completed it will generate a zip file; if you could upload that to a file sharing site for me to collect, please

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right

http://dl.dropbox.com/u/73555776/Kas%20front.JPG

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

http://dl.dropbox.com/u/73555776/Kas%20Scan%20area.JPG

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

http://dl.dropbox.com/u/73555776/kas%20manual.JPG

On completion click the link to locate the zip file to upload and attach to your next post

http://dl.dropbox.com/u/73555776/Kas%20Zip.JPG

Hiya - more problems! I ran AVP, did the full scan as indicated and it threw up 10 threats found and I clicked to delete them all as they popped up - then something went a bit wrong and it started trying to do a system repair (this was Windows trying to do something, not AVP), then it got stuck in a loop of restarting but it would not boot up properly and kept throwing up a blue screen saying there was a problem restarting. Eventually it did restart but I think it had done a system restore!!! So now I’m kinda back to square one with it before I did the AVP scan… I don't even have AVP installed, I don't know where it has restored back to.

Should I try the AVP scan again? For the record the scan took absolutely hours, I left it overnight and all day at work…

That sounds to me like it either fixed an MBR infection or found a rooted driver.

Could you run an OTL with the standard scan first and we will then progress from there

OK, I’ve done a standard OTL scan and attached the log - I’m so glad you can make sense of all this! Hope we can fix it, I’ll try to be more prompt in checking for your responses, really need to fix this. Thanks so much for continued support!