hey guys i am currently new here so what’s up! I have a huge problem on my computer and was hoping someone could help, i accidentally clicked on an icon and got a virus, i put it in the chest, but every time i turn on my computer this virus keeps on reappearing on the avast scanner and it says it’s in the temp file, but after i cleaned out the temp file the virus is still there. The virus hasn’t caused many problems yet except pop ups while on the internet, and i tried scanning but it won’t detect it and i have tried other internet scannings and even bought spyware doctor but it doesn’t work. i think the virus is in my hidden temp file, but i don’t know how to get rid of it!!! HELP PLEASE!!! i don’t really know anything about computers so when replying please tell the solution step by step. thank you!!
Hi eliza6,
What’s the name and location of the file detected by avast!, and what’s the name of the malware detected?
For example:
24exhdda.9.exe > C:\DOCUME~1\Julie\lOCALS~1\Temp > 31/05/2007 12:51:22, Win32:Horst-GZ [Trj]
(This will be recorded in the avast! log.)
If a virus is replicant (coming and coming again), I always suggest:
1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3).
2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.
3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).
4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives). If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. If you are still detecting any strange behavior, or you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.
6. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.
If you need more help, just let us know.
hey this is Eliza6, i just want to thank you guys for the help that’s been generously given to me. I will go on vacation in a couple of days (hopefully forget about the problem on my computer) and i will try fixing it as soon as possible, and once again, thank you for all your help, keep up the good work and post more solutions for me PLEASE!!! Have a great summer!!!
You need to try the others first 8)
Enjoy your vacations 8)
Thanks! I just finished packing for my vacation and suddenly remembered the virus's name. The virus is called Win 32:VBStat-C, and the pop ups are mostly from winantivirus or something like that, I think the virus is a vundo, and the pop ups are possibly rogue spyware. so PLEASE reply for more info, and don't tell me it's hopeless, and that the virus is indestructible, thank you times a million!!!
Download ComboFix from Here or Here to your Desktop.
- Double click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.
Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.
THEN
- Click here to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Doubleclick on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Logs required are Combofix and hijackthis
The winantivirus reference is I believe almost certainly a scumware scam.
A new tool RogueRemover, available here http://www.malwarebytes.org/rogueremover.php
just one question, why do i have to download HJT high jack this (since i have absolutely no idea how to do that anyways), and how is it going to help? Is there any way where i don’t have to download that in order to fix my computer. It looks AWFULLY complicated, HELP!!! And i think all i have to do is get a vundo fix thing and the virus will hopefully be gone. Please forgive me for my lack of understanding on computers, i only know how to get on the internet and check e-mails, as for other things i have no idea!
Sometimes a single solution isn’t enough. Some malware is particularly good at hiding or reinstalling itself and other malware. This is what is happening on your computer.
The ComboFix tool recommended by Essexboy will likely clean a lot of the problem files from your computer including those that are downloading other malware. It will also give some information about recently created files that can help narrow down the problem.
The HijackThis log will then list the processes running on your computer and some registry information that will help determine if more cleaning is needed. Downloading this, running it, copying and pasting the log is really quite easy. Interpreting the information is a little complicated sometimes, but you don’t need to worry about doing that yourself. You only need to post the information.
Info for removal: http://encyclopedia.thefreedictionary.com/Vundo
"Is there any way where i don't have to download that in order to fix my computer"
NO
"And i think all i have to do is get a vundo fix thing and the virus will hopefully be gone."
Just Virtumondo but not the re-inforcements it called in
"It looks AWFULLY complicated, HELP!!!!!!!!"
Just follow our instructions they will be simple and step by step
hey this is me again, sorry for freaking out about this and I will be sure to try the combofix and the HJT.
Okay guys, just to be on the safe side, all i have to do is to copy and paste the logs from both programs onto this forum and all will be well? wish me luck and thanks!
The logs will be long so you may need to use more than one post to fit everything. If you copy the first half of the HijackThis log (roughly down to the lines that start with 04) and post that, then post the second half, you should be fine. Same for the ComboFix log. Use as many posts as you need - just make sure to include everything in the correct order.
"hey this is me again, sorry for freaking out about this"
A natural reaction the first time you hit a trojan 8)
could anyone tell me all the specific steps on what to do for the combofix thing for it to scan, and for me to post the results on this forum, thanks a dozen!
Surely essexboy does this in his post, reply #6 of this very topic ?
http://forum.avast.com/index.php?topic=28900.msg237418#msg237418
this is my ComboFix results.
after i ran combo fix my computer seems to be working fine, i will run HJT to make sure of that. Thanks a million!
Hi eliza, when Hijackthis opens, select the option that says do a system scan and save a log file.
http://img389.imageshack.us/img389/6687/untitledam6.th.jpg
On completion a notepad file will open which you can copy and paste to this thread