MASSIVE virus?

EDIT: Never mind, it finally finished. Here it is:

[attachment deleted by admin]

Give it a little while longer, 10 minutes or so. If it doesn't create the log, then look for it in C:\combofix.txt.

If needed, restart the computer manually. Give it a few more minutes first, though.

I just edited my above post, since it finished very shortly after I posted the message.

Are these yours?

Quote:
2009-05-29 14:42 . 2009-05-29 14:42 -------- d-----w c:\users\admin\AppData\Roaming\KillProcess
2009-05-29 14:41 . 2009-05-29 14:41 -------- d-----w c:\program files\KillProcess
2009-05-29 12:05 . 2009-05-29 12:05 -------- d-----w C:\Kelahx

The top two are. There's nothing in the bottom folder, but I can delete it if I need to. I never made it.

The top two are a program I installed to kill multiple processes at once. It came in handy when I had to delete 400 processes; otherwise it would have been one at a time.

I'm also on chat, so if you think it would be quicker talking there, then that's fine.

OK. I just need to know what I'm seeing.

Also, let me know how the computer is running now.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
   It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Folder::
C:\Kelahx

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\whtcg]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt and save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

Well, my PC seems to be running fine. Nothing suspicious seems to be running in the process list.

And some of my taskbar icons are gone. But that's cool. They are the ones I wanted gone :p

Attached is the new log.

[attachment deleted by admin]

OK, you should run a full virus scan now to make sure nothing is hiding.

First...

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save it as fixme.reg to your Desktop.

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete fixme.reg from the Desktop.

----------

  • Click START then RUN
  • Now type Combofix /u in the run box
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will delete ComboFix and its associated files and folders, and will:
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
----------

Download ATF Cleaner by Atribune to your Desktop.

Note: Vista users must use Run As Administrator.
  • Under Main: Select Files to Delete, choose Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose Select All.
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose Select All.
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, click No at the prompt.
  • Click Exit on the Main Menu to close the program.

Note that your system will run slower for a reboot or two after having used this tool, so don't panic.

----------

Run the F-Secure Online Scanner for Viruses, Spyware and RootKits.

Note: This scanner is for Internet Explorer only!

  • Click on Online Services and then Online Scanner.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.

OK, here it is:

Scanning Report
Friday, May 29, 2009 15:26:56 - 18:27:52

Computer name: HOME
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\ E:\
10 malware found
TrackingCookie.2o7 (spyware)

* System (Disinfected)

TrackingCookie.Advertising (spyware)

* System (Disinfected)

TrackingCookie.Atdmt (spyware)

* System (Disinfected)

Client-IRC.Win32.mIRC (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

TrackingCookie.Webtrends (spyware)

* System (Disinfected)

RiskTool.Win32.PsKill (spyware)

* System (Disinfected)

TrackingCookie.Tradedoubler (spyware)

* System (Disinfected)

TrackingCookie.Statcounter (spyware)

* System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

* System (Disinfected)



Statistics
Scanned:

* Files: 253041
* System: 7246
* Not scanned: 24

Actions:

* Disinfected: 10
* Renamed: 0
* Deleted: 0
* Not cleaned: 0
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D170E603AFD15CC2442279AF79CB9C32_76A95DD8-23B2-4EC8-AC8E-0362A6DCF90D
* C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\HSPERFDATA_ADMIN\6032
* C:\SYSTEM VOLUME INFORMATION\{0C9FEA18-4534-11DE-BF67-001BB9FB9F7A}{3808876B-C176-4E48-B7AE-04046E6CC752}
* C:\SYSTEM VOLUME INFORMATION\{3507940F-4B85-11DE-BAAD-001BB9FB9F7A}{3808876B-C176-4E48-B7AE-04046E6CC752}
* C:\SYSTEM VOLUME INFORMATION\{0C9FEAA0-4534-11DE-BF67-001BB9FB9F7A}{3808876B-C176-4E48-B7AE-04046E6CC752}
* C:\SYSTEM VOLUME INFORMATION\{BDDD2F1F-4598-11DE-9989-001BB9FB9F7A}{3808876B-C176-4E48-B7AE-04046E6CC752}
* C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D170E603AFD15CC2442279AF79CB9C32_76A95DD8-23B2-4EC8-AC8E-0362A6DCF90D
* C:\BOOT\BCD

Options
Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use advanced heuristics

Copyright © 1998-2009 F-Secure

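The report above is plain text with a fixed shape (a "N malware found" header, one detection name per entry followed by a "* location (action)" line, a Statistics block, and a "Files not scanned:" list), so the judgement the helper makes by eye ("nothing unexpected") can be written as a small parser. The following is an added example, not code from the thread or from F-Secure; the SAMPLE_REPORT is a constructed, abridged copy of the posted report, and the LOW_RISK_PREFIXES list and the EXPECTED_LOCKED patterns are my own assumptions about which detections are riskware/adware rather than an active infection and which skipped paths are normally locked by Windows.

```python
"""Parse an F-Secure Online Scanner text report and triage what it found."""
import re
from dataclasses import dataclass, field

# Constructed, abridged sample in the format of the report posted above:
# three of the ten detections, part of the statistics block, a few skipped files.
SAMPLE_REPORT = r"""Scanning Report
Computer name: HOME
3 malware found
TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

Client-IRC.Win32.mIRC (spyware)

* System (Disinfected)

RiskTool.Win32.PsKill (spyware)

* System (Disinfected)

Statistics
* Files: 253041
* Not scanned: 24

Actions:
* Disinfected: 3
* Not cleaned: 0

Files not scanned:
* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\D170E603AFD15CC2442279AF79CB9C32_76A95DD8-23B2-4EC8-AC8E-0362A6DCF90D
* C:\BOOT\BCD

Options
"""

@dataclass
class Detection:
    name: str
    category: str
    location: str = ""
    action: str = ""

@dataclass
class ScanReport:
    detections: list[Detection] = field(default_factory=list)
    counts: dict[str, int] = field(default_factory=dict)
    not_scanned: list[str] = field(default_factory=list)

DETECTION_RE = re.compile(r"^(?P<name>[\w.\-]+) \((?P<category>[^)]+)\)$")
ACTION_RE = re.compile(r"^\* (?P<location>.+?) \((?P<action>[^)]+)\)$")
COUNT_RE = re.compile(r"^\* (?P<key>[A-Za-z ]+): (?P<value>\d+)$")

# Assumed (not from the thread): name prefixes a helper treats as low-risk
# riskware/adware (cookies, admin tools, IRC clients), not an active infection.
LOW_RISK_PREFIXES = ("TrackingCookie.", "RiskTool.", "Client-IRC.")

# Assumed: locations the scanner cannot open because Windows holds them locked
# (hiberfil/pagefile, registry hives, catalog DB, BCD, machine keys, VSS, JVM perf data).
EXPECTED_LOCKED = re.compile(
    r"^[A-Z]:\\(HIBERFIL\.SYS|PAGEFILE\.SYS|BOOT\\BCD|SYSTEM VOLUME INFORMATION\\"
    r"|WINDOWS\\SYSTEM32\\(CONFIG|CATROOT2)\\"
    r"|(PROGRAMDATA|USERS\\[^\\]+)\\MICROSOFT\\CRYPTO\\RSA\\MACHINEKEYS\\"
    r"|USERS\\[^\\]+\\APPDATA\\LOCAL\\TEMP\\HSPERFDATA_)",
    re.IGNORECASE,
)

def parse_report(text: str) -> ScanReport:
    """Walk the report line by line, switching state on the section headers."""
    report, section = ScanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("malware found"):
            section = "detections"
        elif line == "Statistics":
            section = "stats"
        elif line == "Files not scanned:":
            section = "not_scanned"
        elif line == "Options":
            section = None
        elif section == "detections":
            if m := DETECTION_RE.match(line):
                report.detections.append(Detection(m["name"], m["category"]))
            elif (m := ACTION_RE.match(line)) and report.detections:
                report.detections[-1].location = m["location"]
                report.detections[-1].action = m["action"]
        elif section == "stats":
            if m := COUNT_RE.match(line):
                report.counts[m["key"]] = int(m["value"])
        elif section == "not_scanned" and line.startswith("* "):
            report.not_scanned.append(line[2:])
    return report

def triage(report: ScanReport) -> dict[str, list[str]]:
    """Bucket detections: low-risk, needs attention, and anything the scanner left in place."""
    buckets: dict[str, list[str]] = {"low_risk": [], "needs_attention": [], "not_cleaned": []}
    for d in report.detections:
        key = "low_risk" if d.name.startswith(LOW_RISK_PREFIXES) else "needs_attention"
        buckets[key].append(d.name)
        if d.action not in ("Disinfected", "Deleted", "Renamed"):
            buckets["not_cleaned"].append(d.name)
    return buckets

def unexpected_unscanned(report: ScanReport) -> list[str]:
    """Skipped paths that are not a known locked system location and deserve a second look."""
    return [p for p in report.not_scanned if not EXPECTED_LOCKED.match(p)]
```

Run on the sample, triage() puts all three detections in low_risk with nothing in needs_attention or not_cleaned, and unexpected_unscanned() returns an empty list, which is the same conclusion the helper reaches. The "Files not scanned" check matters because a file the scanner could not open is exactly where a remaining sample could sit; anything outside the locked-by-Windows set (a temp download, a user profile file) is worth inspecting by hand.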
That didn't find anything unexpected. Is the computer running OK now?

It seems like it is. Running at normal speed right now. So I guess it's gone. I've run scans with everything I can think of.

I think it's gone.

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

I've done a little studying on your virus, so all I am asking is to go to My Computer > C:\ and look for some EXE files that are labeled with numbers and have a picture on them of a colorful baby with weird blue eyes.

When I was researching, I saw about 40,000 files like that.

