Critical Virus
Comments
- 
I will give it a try, but your first link is a dead link. What is the software called?
"Marleyboy you are a legend!"
MarleyBoy "You are the Greatest"
Marleyboy You Are A Legend!
Marleyboy speaks sense
marleyboy (total legend)
Marleyboy - You are, indeed, a legend.
- 
I think he means this:
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
Beware though - some rootkits are apparently very good at hiding themselves - their activities might not show up in Process Explorer.
- 
hi marleyboy
Won't go deep into your log files, but
best wait till PChelpman does a full analysis ... before you start removing nasties.
Are you doing MS Updates, as you seem to be running IE6 not 7??
Rich people save then spend.
Poor people spend then save what's left.
- 
I tried a "Manual System Restore" to try and fix the problem, but the only Restore I could find was 2006, so I suspect that's the reason for it. Updates were running fine up until the infection; if I try updating Windows, it crashes the update.
- 
One of your problems is
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsr.exe
but it is a backdoor/trojan - it may have brought you a few other problems and I don't really have the concentration at the moment to fully look ... Mr Keegan returning and all that.
Not sure win.ini is touched by a system restore - so the infection would have stayed ...
- 
Just bumping this thread, I am still having no joy.
- 
sorry marleyboy. I have become extremely busy (frantic) with the day job right now. I can't spend time here as I would like.
As there doesn't seem to be anyone else helping you out, I strongly suggest you post your problem on another more expert site such as Bleeping Computer or TSF (links below). They will be able to help you.
BC > http://www.bleepingcomputer.com/forums/forum22.html
TSF > http://www.techsupportforum.com/security-center/hijackthis-log-help/
Sorry I can't help more at this time.
PCH
- 
I've just spotted this topic. You have one of the new file-infecting Vundo trojans.
Do you still need help with this, Marleyboy?
- 
Any help will be extremely appreciated. I'm at a loss as to what else to do; when I view the Event log it only tells me that explorer had a problem and needed to be restarted, and this just loops over and over until the system totally gives up.
- 
Ok, let's start with a few basics. Please delete your copy of HijackThis and download the latest version from HERE.
Now click Start then RUN.
Now type Combofix /u in the run box and click OK.
When shown the disclaimer, select "2".
Now download ComboFix again to your DESKTOP:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
ComboFix is updated daily, so you must be using the latest version.
========
Download RenV.exe by sUBs to your desktop.
Copy the entire contents of the Code Box below to Notepad.
Name the file Log.txt, ensuring you change the Save as Type to All Files,
and save it on the desktop:

----a-w 376,912 2008-01-09 14:36:51 C:\Program Files\BroadJump\Client Foundation\CFD .exe
----a-w 28,672 2008-01-09 14:55:04 C:\Program Files\Creative\SBLive\Program\ADGJDet .exe
----a-w 132,496 2008-01-09 14:36:45 C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
----a-w 401,667 2008-01-09 14:55:07 C:\Program Files\KEMailKb\KEMailKb .EXE
----a-w 310,000 2008-01-13 14:39:56 C:\Program Files\Virgin Broadband\PCguard\RPS .exe
----a-w 15,360 2008-01-16 18:10:14 C:\WINDOWS\system32\ctfmon .exe
----a-w 98,304 2008-01-09 14:36:48 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAIE .EXE

Referring to the picture above, drag Log.txt into RenV.exe and attach the resulting report to your next reply.
======
Now we go back to ComboFix, but before doing so......
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
CLICK HERE to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore your connection.
Before you begin, close any open browsers.
Open Notepad (Start > Run and type notepad) and copy/paste the text in the code box below into it:

KillAll::

File::
C:\WINDOWS\system32\efcyyyv.dll
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\mljjk.dll
C:\WINDOWS\Tasks\B1E341719088F639.job

Folder::
C:\WINDOWS\system32\pe2
C:\WINDOWS\system32\ka8
C:\WINDOWS\system32\edcA18
C:\TEMP\Ryuan1
c:\docume~1\rik\applic~1\upbags

ADS::
C:\windows\system32

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\!!72314282-0FC8-4732-9A91-92B76FF46AAE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcyyyv]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jw7ERkfqV]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript".
Referring to the picture above, drag CFScript into ComboFix.exe.
Run ComboFix again and post the resultant log file along with the RenV log and a fresh HJT log.
Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.
You will need to make several posts, as I doubt the forum software will allow all the information in one post.
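Two artefacts in this thread are easy to check for mechanically: the file listing fed to RenV, where each infected copy carries a space before its extension ("ctfmon .exe" beside the real "ctfmon.exe"), and the HijackThis F3 line that shows a program being started from the win.ini load= entry. The following triage helpers are an added example written for this page; they are not the forum's own code and not part of ComboFix, RenV or HijackThis. The listing layout (attributes, size, date, time, path) and the "F3 - REG:win.ini: load=" line shape are taken from the posts above; every sample line in the block is constructed for the example, and the function names are my own.

```python
"""Triage helpers for two artefacts posted in this thread.

Added example, not the forum's own code and not part of ComboFix, RenV or
HijackThis. The listing layout (attributes, size, date, time, path) and the
"F3 - REG:win.ini: load=" line shape are taken from the posts above; every
sample line below is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One entry per line: attributes, byte size with thousands separators, date, time, path.
LISTING_RE = re.compile(
    r"^(?P<attrs>[-a-z]+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)
# A file name whose extension is separated from its stem by whitespace
# ("ctfmon .exe" sitting next to the real "ctfmon.exe").
SPACED_EXT_RE = re.compile(r"\s+\.[A-Za-z0-9]{1,4}$")
# HijackThis F3 line describing the win.ini load= / run= autostart entry.
HJT_F3_RE = re.compile(
    r"^F3\s*-\s*REG:win\.ini:\s*(?P<key>load|run)=(?P<value>.*)$", re.I
)


@dataclass
class Entry:
    attrs: str
    size: int
    date: str
    time: str
    path: str

    @property
    def filename(self) -> str:
        # Last path component; the listing uses Windows backslashes.
        return self.path.rsplit("\\", 1)[-1]


def parse_listing(text: str) -> List[Entry]:
    """Parse listing lines; lines that do not fit the layout are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LISTING_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["attrs"], int(m["size"].replace(",", "")),
                                 m["date"], m["time"], m["path"]))
    return entries


def has_spaced_extension(filename: str) -> bool:
    return SPACED_EXT_RE.search(filename) is not None


def find_spaced_executables(text: str) -> List[str]:
    """Paths whose file name carries whitespace before the extension."""
    return [e.path for e in parse_listing(text) if has_spaced_extension(e.filename)]


def win_ini_load_target(hjt_line: str) -> Optional[str]:
    """Return the program named by a win.ini load=/run= entry, or None.

    An empty value is the normal state on a clean machine, so it is
    reported as None as well; only a non-empty target is worth a look.
    """
    m = HJT_F3_RE.match(hjt_line.strip())
    if not m:
        return None
    value = m["value"].strip()
    return value or None


# Constructed sample input (not a real scan): three spaced-extension files,
# one legitimate neighbour, and one constructed HijackThis F3 line.
SAMPLE_LISTING = "\n".join([
    r"----a-w 376,912 2008-01-09 14:36:51 C:\Program Files\BroadJump\Client Foundation\CFD .exe",
    r"----a-w 15,360 2008-01-16 18:10:14 C:\WINDOWS\system32\ctfmon .exe",
    r"----a-w 15,360 2008-01-16 18:10:14 C:\WINDOWS\system32\ctfmon.exe",
    r"----a-w 98,304 2008-01-09 14:36:48 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIAIE .EXE",
])
SAMPLE_HJT_LINE = r"F3 - REG:win.ini: load=C:\WINDOWS\system32\awtsr.exe"

if __name__ == "__main__":
    for path in find_spaced_executables(SAMPLE_LISTING):
        print("spaced extension:", path)
    print("win.ini load target:", win_ini_load_target(SAMPLE_HJT_LINE))
```

The spaced-extension check deliberately looks only at the final path component, so a directory name containing a space followed by a dot does not trigger it; the win.ini helper treats an empty load= value as nothing to report, which is the usual state on a clean machine.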