-
Attachments: 3
Virus Help Please
I believe I got a virus yesterday morning somehow. I can't do a lot of things on my computer. I can't run IE; it opens for a split second and that's it. I also can't run numerous other programs. I tried to system restore, but when it said click to system restore, I clicked and nothing happened. I tried to follow the directions for the logfiles. I appreciate any help that I get, thank you. I can however run Firefox.
-
Well, at least you did the logs - it is almost a victory :)
Please disconnect from the internet and disable your antivirus.
Execute this script in avz: ( [url]http://virusinfo.info/showthread.php?t=9207[/url] )
[code]
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DelBHO('{C5BF49A2-94F3-42BD-F434-3604812C8955}');
QuarantineFile('C:\WINDOWS\system32\nwiz.exe','');
QuarantineFile('C:\WINDOWS\system32\hgfdge4unjdfdg.dll','');
QuarantineFile('C:\WINDOWS\system32\Updater.exe','');
QuarantineFile('C:\WINDOWS\Installer\{1ABD3BEB-2717-4BCC-8809-6A93777A8179}\_18be6784.exe','');
QuarantineFile('C:\WINDOWS\9129837.exe','');
QuarantineFile('C:\Program Files\MySpace\IM\MySpaceIM.exe','');
QuarantineFile('C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL','');
QuarantineFile('C:\DOCUME~1\home\LOCALS~1\Temp\winlogin.exe','');
QuarantineFile('C:\DOCUME~1\home\LOCALS~1\Temp\csrssc.exe','');
QuarantineFile('C:\WINDOWS\Tpujakamode.dll','');
DeleteFile('C:\WINDOWS\Tpujakamode.dll');
DeleteFile('C:\DOCUME~1\home\LOCALS~1\Temp\csrssc.exe');
DeleteFile('C:\DOCUME~1\home\LOCALS~1\Temp\winlogin.exe');
DeleteFile('C:\WINDOWS\9129837.exe');
DeleteFile('C:\WINDOWS\system32\Updater.exe');
DeleteFile('C:\WINDOWS\system32\hgfdge4unjdfdg.dll');
BC_ImportAll;
ExecuteSysClean;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
ExecuteRepair(17);
BC_Activate;
RebootWindows(true);
end.
[/code]
Please upload the quarantine according to our rules (please read appendix 3)
Use this link: [url]http://virusinfo.info/upload_virus_eng.php?tid=37955[/url]
Did you run an automatic scan with avptool or cureit in safe mode? It is a good idea to do it :)
After all that, please make new logs according to our rules [url]http://virusinfo.info/showthread.php?t=9184[/url]
Did you edit the addresses in the hosts file, or do you not know?
-
I did run avptool in safe mode first like it said, but it found one thing, then the computer froze up at 82%.
I uploaded the quarantined files and got this, not sure if you needed it or not.
File saved as 090122_003633_virus_49779561bed07.zip
File size 6085932
MD5 aea9a30d3c2f9e7b1ce6945ff4ed1684
I don't know about editing addresses in host file, not sure what that is.
Should I make new logs now to look at?
Should I run avptool in safe mode again and follow the steps again? Mostly everything is working now except IE, it just pops up for a very slight second. Thanks for all your help so far.
-
I see, in this case, please execute this script:
[code]
begin
ExecuteRepair(1);
ExecuteRepair(2);
ExecuteRepair(3);
ExecuteRepair(4);
ExecuteRepair(5);
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
ExecuteRepair(12);
ExecuteRepair(13);
RebootWindows(true);
end.
[/code]
Try to run cureit in safe mode ( [url]ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe[/url] ); choose all drivers and make a full scan.
After that, start in normal mode, start Internet Explorer and make another virusinfo_syscure.zip ;)
C:\WINDOWS\Tpujakamode.dll - it is a new trojan, Kaspersky will call it Trojan.Win32.Agent.bkad
Thank you for your assistance :)
Also, I have noticed traces of a psw-trojan - it is no longer in your system, but I am quite sure that it stole all your passwords.
It is a good idea to change all your passwords for e-mail, FTP, forums, user accounts, IM, bank account, etc.
-
Attachments: 3
OK, I ran cureit, not sure if it worked, it ran for about 40 minutes, then it restarted itself.
I did run avz and here are the new zip files.
Every time the computer starts up, a window pops up that says " Error Loading
C:\WINDOWS\TPUJAKAMODE.DLL
THE SPECIFIED MODULE COULD NOT BE FOUND."
Thanks again for all your help. P.S. Explorer still won't work.
-
Strange... Did you run cureit in safe mode?
Remember to disable Avira antivirus temporarily, or uninstall it, before executing scripts.
Let's try another way:
Fix only these lines in HijackThis in normal mode:
[code]R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 155.179.105.180 tipa1101.sbc.com
O1 - Hosts: 155.179.105.180 optiswsouth.sbc.com
O1 - Hosts: 132.201.85.86 cipa1401.sbc.com
O1 - Hosts: 132.201.85.85 cipa1101.sbc.com
O1 - Hosts: 132.201.85.85 optiswnorth.sbc.com
O1 - Hosts: 144.155.215.19 odmsvr.sbc.com
O1 - Hosts: 132.201.30.19 odmsvr.sbc.com
O1 - Hosts: 150.234.64.52 odmsvr.sbc.com
O1 - Hosts: 150.235.35.25 odmsvr.sbc.com
O1 - Hosts: 155.179.77.25 odmsvr.sbc.com
O1 - Hosts: 132.201.10.52 Cipc2508.sldc.sbc.com
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Nminij] rundll32.exe "C:\WINDOWS\Tpujakamode.dll",e
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab[/code]
Don't restart; execute this script in avz:
[code]
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFile('C:\WINDOWS\Tpujakamode.dll');
BC_ImportAll;
ExecuteSysClean;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
ExecuteRepair(17);
BC_Activate;
RebootWindows(true);
end.
[/code]
About Explorer, I think the better way to repair it is to go to add/remove programs and uninstall IE7, restart, then go to the official Microsoft site and install IE7, restart :)
Then in proxy settings insert 0.0.0.0:80 and forget about it :)
Let us know how it is going.
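
The "Error Loading C:\WINDOWS\TPUJAKAMODE.DLL" box reported earlier in the thread appears when the DLL has been deleted but the O4 Run value that starts it through rundll32 is still present. The following is an added example, not part of the original posts and not an AVZ or HijackThis feature, that picks such leftover entries out of a HijackThis log; the function name, the third sample line and the Windows-root heuristic are assumptions of this example.

```python
import re
from ntpath import dirname  # Windows path rules on any OS

# Constructed sample in HijackThis O4 format; the first two lines are the
# ones quoted in the post above, the third is invented for contrast.
SAMPLE_LOG = r'''O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Nminij] rundll32.exe "C:\WINDOWS\Tpujakamode.dll",e
O4 - HKLM\..\Run: [ExampleTray] rundll32.exe "C:\Program Files\Example\tray.dll",Start
'''

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S+)', re.I)


def triage_autoruns(log_text, exists):
    """Flag O4 autoruns that load a DLL through rundll32.

    exists: callable(path) -> bool. On the affected machine pass
    os.path.exists; here it is injected so the sample runs anywhere.
    """
    findings = []
    for line in log_text.splitlines():
        entry = O4_RE.match(line.strip())
        launch = RUNDLL_RE.match(entry['cmd']) if entry else None
        if not launch:
            continue
        dll, reasons = launch['dll'], []
        if not exists(dll):
            # File deleted but value left behind: rundll32 shows
            # "Error loading <dll>" at every logon until the value is removed.
            reasons.append('orphaned: target file is missing')
        if dirname(dll).lower() == r'c:\windows':
            # Heuristic (assumption of this example): a DLL launched from
            # the Windows root rather than system32 deserves a closer look.
            reasons.append('DLL sits directly in the Windows root')
        if reasons:
            findings.append({'hive': entry['hive'], 'name': entry['name'],
                             'dll': dll, 'export': launch['export'],
                             'reasons': reasons})
    return findings


if __name__ == '__main__':
    # Constructed state: the trojan DLL is already deleted, the other exists.
    present = {r'C:\Program Files\Example\tray.dll'}
    for f in triage_autoruns(SAMPLE_LOG, lambda p: p in present):
        print(f['hive'], f['name'], f['dll'], '->', '; '.join(f['reasons']))
```
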
-
When I run cureit in safe mode, should it be safe mode with networking? Also, should I disconnect from the internet before I run the script in hijack then avz? Thanks
-
1. Disable the internet connection before executing scripts.
2. cureit doesn't need internet, so choose without internet support :)
-
Attachments: 3
I did everything you said. I can't figure out what's with IE but that's no big deal right now, I just want to make sure my computer is clean. Here are the new logs. I reinstalled Avira, but it won't update, says internet connection failed, so I uninstalled it and tried AVG, and when I tried to update it did the same thing. I can however get online with Firefox or my CAD program OPTI. Thanks again for all your help, the best tech help I have ever received. :thumbsup: I also have a ton of popups now, but that error message on start up is gone.
-
What pop-ups? Please make a screenshot of your popups and attach it.
Do you use this C:\Program Files\MySpace\IM\MySpaceIM.exe ? Go to add/remove programs and uninstall it; perhaps it is the cause of your popups.
Please download the special avz in my signature and put it in some new folder (e.g. on the desktop).
Install avzpm (in the main menu of avz, click on AVZPM -> install an extra monitoring driver), restart Windows, after that create a new virusinfo_syscure.zip and attach it to your next post.