MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: sister has one of the worst viruses I have seen
June 02, 2020, 09:31:43 PM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
June 02, 2020, 09:31:43 PM

Login with username, password and session length
 Featured Sites:
News
12th Anniversary Celebrating 12 Years! (1997 - 2009) 12th Anniversary
Thanks to ALL that make this site what it is!
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: sister has one of the worst viruses I have seen  (Read 1566 times)
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« on: June 29, 2008, 02:52:44 AM »

I was at my sisters house today and she has one of the worst viruses I have seen on a computer and I thought I had seen some bad ones. when you boot into windows everything dissapears. All icons and task bar. You can't run anything. I booted into safe mode and was able to access my flash drive to run some scans but every 5 seconds a window pops up and lets you know your in safe mode and wants to know if you want to continue in safe mode or restore to a previous time. When it does this you have to try to access the flash drive all over again so you have to be really quick in running the virus scan. I luckily managed to run HJT and Combo Fix. Here are the scans.

Logfile of HijackThis v1.99.1
Scan saved at 10:22:52 PM, on 6/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
J:\Virus\HiJack This\HijackThis.exe
C:\WINDOWS\explorer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v44/scrabblecubes/scrabblecubes.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe

Logged

 
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #1 on: June 29, 2008, 02:53:27 AM »

Here is the Combo Fix log

ComboFix 07-08-17.2 - "bonnie" 2008-06-28 21:55:40.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1790 [GMT -4:00]


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\asembl~1
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\ppatch~1\?explore.exe
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\racle~2
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\sks~2
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\tsks~1
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\Common Files\ystem3~1
C:\Program Files\crosof~1
C:\Program Files\crosof~1.net
C:\Program Files\crosof~1\??crosoft\
C:\Program Files\crosof~1\smss.exe
C:\Program Files\dobe~1
C:\Program Files\fnts~1
C:\Program Files\fnts~2
C:\Program Files\icroso~1
C:\Program Files\icroso~1.net
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\mantec~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\pppatc~1
C:\Program Files\racle~1
C:\Program Files\sks~1
C:\Program Files\smante~1
C:\Program Files\sstem3~1
C:\Program Files\stem~1
C:\Program Files\tsks~1
C:\Program Files\ymante~1
C:\Program Files\ymbols~1
C:\WINDOWS\appatc~1
C:\WINDOWS\asks~1
C:\WINDOWS\curity~1
C:\WINDOWS\dobe~1
C:\WINDOWS\fnts~1
C:\WINDOWS\fnts~2
C:\WINDOWS\IA
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\icroso~1
C:\WINDOWS\icroso~1.net
C:\WINDOWS\icroso~2
C:\WINDOWS\mbols~1
C:\WINDOWS\ppatch~1
C:\WINDOWS\racle~1
C:\WINDOWS\scurit~1
C:\WINDOWS\sembly~1
C:\WINDOWS\ssembl~1
C:\WINDOWS\stem~1
C:\WINDOWS\stem32~1
C:\WINDOWS\system32\bddccnu.dll
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\drfecl.dll
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\sstem~1
C:\WINDOWS\system32\sstem3~1
C:\WINDOWS\system32\tsks~1
C:\WINDOWS\system32\wnsinticomsv.exe
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\x64
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\system32\ystem3~1
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wnsxs~1
C:\WINDOWS\ystem~1
D:\Autorun.inf


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


(((((((((((((((((((((((((   Files Created from 2008-05-28 to 2008-06-29  )))))))))))))))))))))))))))))))


2008-06-28 21:55   51,200   --a------   C:\WINDOWS\nircmd.exe
2008-06-28 21:32   <DIR>   d--hs----   C:\WINDOWS\CSC
2008-06-26 08:29   318,368   --a------   C:\WINDOWS\system32\fccabBQj.dll
2008-06-26 08:29   12,322   --ahs----   C:\WINDOWS\system32\jQBbaccf.ini2
2008-06-26 08:24   25,520   --a------   C:\WINDOWS\system32\ssqOhhET.dll
2008-06-24 20:50   <DIR>   d--------   C:\Program Files\BChanger
2008-06-12 18:24   <DIR>   d--------   C:\DOCUME~1\Danielle\APPLIC~1\a?sembly
2008-06-11 16:29   <DIR>   d--------   C:\DOCUME~1\Danielle\APPLIC~1\
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #2 on: June 29, 2008, 05:41:51 AM »

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote

File::
C:\WINDOWS\system32\fccabBQj.dll
C:\WINDOWS\system32\jQBbaccf.ini2
C:\WINDOWS\system32\ssqOhhET.dll
 
Folder::
 C:\DOCUME~1\Danielle\APPLIC~1\a?sembly
C:\DOCUME~1\Danielle\APPLIC~1\
Logged

An Australian Member of

EDDY
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #3 on: June 29, 2008, 10:15:23 PM »

Here is the combofix log after the repair

ComboFix 07-08-17.2 - "bonnie" 2008-06-29 17:52:39.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1750 [GMT -4:00]
Command switches used ::  C:\Documents and Settings\bonnie\Desktop\CFScript.txt

FILE::
C:\WINDOWS\system32\fccabBQj.dll
C:\WINDOWS\system32\jQBbaccf.ini2
C:\WINDOWS\system32\ssqOhhET.dll


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\BChanger
C:\Program Files\BChanger\bchanger.dll
C:\Program Files\BChanger\data.dat
C:\Program Files\BChanger\Uninstall.exe
C:\WINDOWS\system32\fccabBQj.dll
C:\WINDOWS\system32\jQBbaccf.ini2
C:\WINDOWS\system32\ssqOhhET.dll


(((((((((((((((((((((((((   Files Created from 2008-05-28 to 2008-06-29  )))))))))))))))))))))))))))))))


2008-06-28 21:55   51,200   --a------   C:\WINDOWS\nircmd.exe
2008-06-28 21:32   <DIR>   d--hs----   C:\WINDOWS\CSC
2008-06-12 18:24   <DIR>   d--------   C:\DOCUME~1\Danielle\APPLIC~1\a?sembly
2008-06-11 16:29   <DIR>   d--------   C:\DOCUME~1\Danielle\APPLIC~1\
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #4 on: June 29, 2008, 11:54:14 PM »

Glad its all working now but just as a cleanup can you find these folders and remove them.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

a?sembly
Logged

An Australian Member of

EDDY
Christina
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Female
Posts: 1


Bookmark and Share

View Profile
« Reply #5 on: July 02, 2008, 01:27:20 PM »

Hi toppro77, i'm glad that Pancake had resolved you the problem encountered with the virus!! But apart from this now i would suggest you to download an anti-virus software, a free one or a trial version as you wish. AVG and AVAST are very recommended by most users, but you can download others, check out this link: http://en.wikipedia.org/wiki/List_of_antivirus_software,  where you find a whole list of anti-virus software you can download to your pc for better safety. It informs you with and virus encountered, detects it and even it can remove it.
Logged

Christina
www.gfi.com
toppro77
Sr. Member
****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 129


Bookmark and Share

View Profile
« Reply #6 on: July 02, 2008, 06:54:02 PM »

Thank you for the extra information. All seems to be running like new for her now so until more problems arise, I think we are good to go.
Logged

 
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #7 on: July 02, 2008, 10:36:15 PM »

Ok. Good.

This will clear away any of the files and folders that were created by ComboFix.

Go to :
Start > Run then copy and paste the following highlighted text below  and click OK.

Quote

ComboFix /u







Now that you are clean,and If you wish to do so, here are a few things that you can do that will help keep your computer a bit more clean and secure..they can be done at your leisure.

Download and scan with CCleaner from http://www.ccleaner.com/downloadbuilds.asp

1. Starting with v1.27.260, http://www.ccleaner.com/downloadbuilds.asp installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Logged

An Australian Member of

EDDY
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page August 07, 2017, 01:58:14 PM