
Hellppppp!! Bad virus attack?

raz_uk
raz_uk Posts: 252 Forumite
Part of the Furniture 100 Posts Combo Breaker
Hi all,

Some bad news - my AVG picked up a 'trojan hider' which it was unable to remove.

God only knows what happened, but as a result - I cannot open Spybot - Search & Destroy on my machine, NOR can I access any websites such as Sophos, Comodo, AVG, Norton etc. The virus is literally blocking them in my browser!!! :(

As a result, I ran a HijackThis log and came across the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,,C:\Documents and Settings\Funny Man\Local Settings\Application Data\djxqlrla\lmmdvurq.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: eSnipBHO - {B530A9A4-1722-4D16-AAD6-AA85E3AD2ADE} - C:\Program Files\Logia\eSnipsDownloader\eSnipsBHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LmmDvurq] C:\Documents and Settings\Funny Man\Local Settings\Application Data\djxqlrla\lmmdvurq.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2007\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2007\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2007\\Parser.html
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

This has really upset me as i'm normally alert with security on my machine. Can anyone please help on what I can do?

Many thanks,
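The two entries in the log above that matter are the F2 line (UserInit has a second, comma-separated command appended after the real Userinit.exe) and the O4 Run value that starts the same binary from a random-named folder under Local Settings\Application Data. As an added example that is not part of the original post or of HijackThis itself, here is a Python triage script that applies exactly those checks to the posted lines: it splits the UserInit value on commas and flags anything other than system32\userinit.exe, flags Run values whose executable lives in a user-writable profile directory, and reports any binary wired into more than one load point. The sample log is the F2/O4 lines from the post embedded verbatim; the directory list and the heuristics are this example's own assumptions.

```python
"""Triage the load-point lines of a HijackThis log (F2 UserInit, O4 Run)."""
import re
from pathlib import PureWindowsPath

# Sample input: the F2 and O4 lines from the log posted above, plus one R0
# line to show that unrelated sections are ignored. Embedded so this runs offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,,C:\Documents and Settings\Funny Man\Local Settings\Application Data\djxqlrla\lmmdvurq.exe
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LmmDvurq] C:\Documents and Settings\Funny Man\Local Settings\Application Data\djxqlrla\lmmdvurq.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
"""

# Profile directories any user can write to without admin rights (assumed list).
# Vendors register Run keys from Program Files or the Windows directory; a
# user-level infection drops its binary here because that is all it can write.
USER_WRITABLE_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\appdata\\",
)

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|com|scr|dll|bat|cmd|vbs|js))(?=\s|$)", re.I)


def extract_exe(cmd: str) -> str:
    """Return the executable path from a Run value (quoted or bare, with arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd


def userinit_is_default(entry: str) -> bool:
    """The only legitimate UserInit entry is <windir>\\system32\\userinit.exe."""
    p = PureWindowsPath(entry)
    return p.name.lower() == "userinit.exe" and p.parent.name.lower() == "system32"


def in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(d in low for d in USER_WRITABLE_DIRS)


def analyze(log_text: str) -> list:
    """Return findings as {'kind', 'path', 'reason'} dicts for suspect load points."""
    findings = []
    seen = {}  # lower-cased path -> set of load-point kinds it appears in
    for line in log_text.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            # UserInit is comma-separated; the empty entry left by ",," is the
            # classic trace of something appending itself to the value.
            entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
            for e in entries:
                seen.setdefault(e.lower(), set()).add("F2")
                if not userinit_is_default(e):
                    findings.append({"kind": "F2", "path": e,
                                     "reason": "extra UserInit entry runs before the shell at every logon"})
        elif m := O4_RE.match(line):
            exe = extract_exe(m.group("cmd"))
            seen.setdefault(exe.lower(), set()).add("O4")
            if in_user_writable_dir(exe):
                findings.append({"kind": "O4", "path": exe,
                                 "reason": f"Run value [{m.group('name')}] starts a binary from a user-writable profile directory"})
    # A binary wired into two independent load points is deliberate persistence.
    for path, kinds in seen.items():
        if len(kinds) > 1:
            findings.append({"kind": "+".join(sorted(kinds)), "path": path,
                             "reason": "same binary registered in multiple load points"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['path']}\n    {f['reason']}")
```

Run against the posted lines it reports only lmmdvurq.exe, three times: once as the extra UserInit entry, once as the HKCU Run value, and once because the same path sits in both load points. The AVG, Messenger and Dr. Watson entries pass untouched, which is the point of keying on where the binary lives rather than on its name.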

Comments

  • closed
    closed Posts: 10,886 Forumite
    edited 22 June 2013 at 2:13AM
    kill this task in task manager if you can


    C:\Documents and Settings\Funny Man\Local Settings\Application Data\djxqlrla\lmmdvurq.exe

    scan with malwarebytes if you can

    start in safe mode, delete the C:\Documents and Settings\Funny Man\Local Settings\Application Data\djxqlrla folder
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    C:\Documents and Settings\Funny Man\Local Settings\Application Data\djxqlrla

    ....would be the folder to delete? Funny Man would be the user profile folder?
  • closed
    closed Posts: 10,886 Forumite
    edited 22 June 2013 at 2:13AM
    true, not concentrating, corrected it, hopefully in time.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Lol, it's late (early?). Need sleep.

    Assuming no other malware is present - and that it is actually a running process - another way is to do a system scan only from the main menu with HijackThis, place a tick in the boxes against those 2 highlighted entries (the F2 and the O4; this will restore the default UserInit value and delete the O4 load point too), REBOOT and then delete the folder.

    http://helpdesk.malwarebytes.org/forums/21647438-Chameleon
  • raz_uk
    raz_uk Posts: 252 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Hi all, deleted the file - but then the AVG virus popup came again saying a 'trojan hider' is on my system. Was unable to move the file to quarantine. Any next steps?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    download this and save it to your desktop.

    http://public.avast.com/~gmerek/aswMBR.exe

    When you've downloaded it...
    • Double click aswMBR.exe to run it (XP), or right click & choose "Run as Administrator" (Vista, Win7)
    • Click Yes when prompted to scan with Avast virus definitions
    • With the AVscan set to Quick Scan, click the Scan button.

    • When the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
    • Click OK when prompted. aswMBR.txt & MBR.dat will appear on your desktop.
    • Click EXIT.
    • Copy & paste the contents of aswMBR.txt & post it here.
    Don't click to fix anything yet, just post the log.

    I'm off to bed - I'll take a look in the morning.
  • raz_uk
    raz_uk Posts: 252 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    waddler_8 wrote: »
    download this and save it to your desktop. [...]

    Sorry no can do - this is a nasty piece of malware/virus.

    Blocks my access to any antivirus site - got a message in my browser saying:
    Internet Explorer cannot display the webpage


    Very upsetting :( - what to do against this stubborn beast?

    Thanks,
  • bluesnake
    bluesnake Posts: 1,460 Forumite
    edited 23 June 2013 at 12:02AM
    download the avira boot cd, burn it to a physical disk and boot from it

    try this http://62.146.210.52/en/download/product/avira-antivir-rescue-system
  • raz_uk
    raz_uk Posts: 252 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    waddler_8 wrote: »
    download this and save it to your desktop. [...]

    Hi,

    Was able to log in under the Administrator profile and conduct the scan (hurrah!).

    Please see below:

    aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
    Run date: 2013-06-22 23:28:10
    23:28:10.390 OS Version: Windows 5.1.2600 Service Pack 2
    23:28:10.390 Number of processors: 1 586 0x408
    23:28:10.390 ComputerName: NONE-Z8FONJOYNX UserName: Administrator
    23:28:12.265 Initialize success
    23:33:00.421 AVAST engine defs: 13062201
    23:34:14.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    23:34:14.546 Disk 0 Vendor: ST380011A 3.04 Size: 76319MB BusType: 3
    23:34:16.359 Disk 0 MBR read successfully
    23:34:16.359 Disk 0 MBR scan
    23:34:16.703 Disk 0 Windows XP default MBR code
    23:34:16.718 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76308 MB offset 63
    23:34:16.734 Disk 0 scanning sectors +156280320
    23:34:17.312 Disk 0 scanning C:\WINDOWS\system32\drivers
    23:35:53.578 Service scanning
    23:37:57.703 Modules scanning
    23:38:24.984 Disk 0 trace - called modules:
    23:38:25.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll prosync1.sys atapi.sys viaide.sys PCIIDEX.SYS
    23:38:25.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82d79ab8]
    23:38:25.015 3 CLASSPNP.SYS[f858605b] -> nt!IofCallDriver -> \Device\0000006f[0x82d56f18]
    23:38:25.015 5 ACPI.sys[f83fc620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82d45d98]
    23:38:25.015 \Driver\atapi[0x82d3e7e0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> prosync1.sys[0xf8a2f6c1]
    23:38:26.625 AVAST engine scan C:\WINDOWS
    23:38:46.312 AVAST engine scan C:\WINDOWS\system32
    23:43:43.968 AVAST engine scan C:\WINDOWS\system32\drivers
    23:44:15.609 AVAST engine scan C:\Documents and Settings\Administrator
    23:45:06.500 AVAST engine scan C:\Documents and Settings\All Users
    23:46:14.890 Scan finished successfully
    23:46:39.453 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
    23:46:39.468 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


    Many thanks,
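The aswMBR log above reports "Windows XP default MBR code" and one partition ("80 (A) 07 HPFS/NTFS ... 76308 MB offset 63") after reading the raw boot sector it saves as MBR.dat. As an added example that is not part of the original post or of aswMBR, the Python script below decodes such a 512-byte image the way that check works: it verifies the 0x55AA boot signature, compares the 440 boot-code bytes against a reference hash, and decodes the four partition entries into the same fields the log prints (boot flag, type, LBA offset, size in MB at 2048 sectors per MB). The sample image is constructed to match the layout in the log with placeholder boot code (not the real XP loader); the reference hash, the single-bootable-partition rule and the overlap check are this example's assumptions about what a clean disk looks like, not aswMBR's internal logic.

```python
"""Decode and sanity-check a 512-byte MBR image such as aswMBR's MBR.dat."""
import hashlib
import struct

SECTOR = 512
SECTORS_PER_MB = 2048           # 2048 x 512-byte sectors per MB, matching aswMBR's size column
PART_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x82: "Linux swap", 0x83: "Linux"}
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count

# Constructed placeholder. This is NOT the real Windows XP boot code; in practice
# the reference hash is taken once from a machine known to be clean.
SAMPLE_BOOT_CODE = b"PLACEHOLDER BOOT CODE"


def build_sample_mbr(boot_code: bytes = SAMPLE_BOOT_CODE) -> bytes:
    """Constructed MBR with the layout aswMBR reported above:
    one bootable NTFS partition at LBA 63, 76308 MB, other three slots empty."""
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 76308 * SECTORS_PER_MB)
    table = entry + bytes(16 * 3)
    code = boot_code.ljust(446, b"\x00")[:446]   # 440 code bytes + disk signature + pad
    return code + table + b"\x55\xaa"


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the 440 code bytes only (disk signature and table excluded)."""
    return hashlib.sha256(mbr[:440]).hexdigest()


def parse_mbr(mbr: bytes) -> dict:
    """Decode signature, boot-code hash and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR image is exactly 512 bytes")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue                                   # empty slot
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "offset": lba, "sectors": count,
                      "size_mb": count // SECTORS_PER_MB})
    return {"signature_ok": mbr[510:512] == b"\x55\xaa",
            "boot_code_sha256": boot_code_hash(mbr), "partitions": parts}


def check_mbr(mbr: bytes, known_good_hash: str) -> list:
    """Return warnings; an empty list means the image matches a clean disk."""
    info = parse_mbr(mbr)
    warnings = []
    if not info["signature_ok"]:
        warnings.append("boot signature 0x55AA missing: BIOS would not boot this sector")
    if info["boot_code_sha256"] != known_good_hash:
        warnings.append("boot code differs from the known-good reference: possible bootkit")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        warnings.append(f"{len(bootable)} partitions marked bootable, expected exactly 1")
    spans = sorted((p["offset"], p["offset"] + p["sectors"]) for p in info["partitions"])
    for (s0, e0), (s1, e1) in zip(spans, spans[1:]):
        if s1 < e0:
            warnings.append(f"partition starting at sector {s1} overlaps the one ending at {e0}")
    return warnings


if __name__ == "__main__":
    clean = build_sample_mbr()
    reference = boot_code_hash(clean)              # captured once from a clean disk
    print("clean  :", check_mbr(clean, reference))
    tampered = bytearray(clean)
    tampered[0] ^= 0xFF                            # patch one byte of the loader
    print("patched:", check_mbr(bytes(tampered), reference))
```

The boot-code comparison is why the log's "default MBR code" line is the meaningful one: a bootkit keeps the partition table intact so the machine still boots, and only the 440 code bytes change. To apply this to a real MBR.dat, read the file and pass its bytes to check_mbr with a hash captured from a clean machine of the same Windows version.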
This discussion has been closed.