Copy.exe Virus
Started by
valcandy
, Jan 03 2007 01:30 PM
#31
Posted 09 January 2007 - 04:46 PM
#32
Posted 09 January 2007 - 04:49 PM
Yes I found it.... it's a game that I installed (Counter Strike)
#33
Posted 10 January 2007 - 09:02 AM
valcandy,
Ok - thanks for letting me know. I'm on my way out the door but will be back later today.
sari
#34
Posted 10 January 2007 - 09:04 AM
okay, is there a problem with it? I will delete it if there is.
#35
Posted 10 January 2007 - 09:08 AM
Nope - just didn't know what it was.
#36
Posted 10 January 2007 - 09:09 AM
okay, the question marks are actually Chinese characters
#37
Posted 12 January 2007 - 10:23 AM
valcandy,
I want you to follow all these instructions carefully (which you've been doing very well so far). You may want to print these out and save them to notepad for reference while you're in safe mode.
Step 1
Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop. Don't do anything with it yet.
Step 2
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Step 3
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R3 - URLSearchHook: ContextSearch Class - {88351CEF-BAC0-4A9B-8380-31A173E2926F} - C:\PROGRA~1\yok\toolbar.dll
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_1069.dll
O2 - BHO: VeryCD超级搜索 - {75FE2B5A-D3A4-4EFA-AC11-ADC9C9459688} - C:\PROGRA~1\yok\toolbar.dll
O2 - BHO: PrjZKBaiduBHO.ZKBaiduBHO - {BBF3E65D-762A-41AC-BFDA-7C6D97E65A73} - C:\WINDOWS\System32\ZKBaiduBHO.dll
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [yok.exe] C:\PROGRA~1\yok\yok.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [fnbnko91] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fnbnko91.dll,DllCanUnloadNow
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_1069.dll"
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O8 - Extra context menu item: VeryCD超级搜索 - C:\PROGRA~1\yok\yoksch.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
Step 4
Please remove these entries from Add/Remove Programs in the Control Panel (if present):
Tencent or QQ
YOK Toolbar
For the next step, please make sure you have your D:\ drive connected, as there is a bad file on there as well.
- Please double-click Killbox.exe to run it.
- Select:
- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\yok
C:\Program Files\Moyu
C:\copy.exe
C:\host.exe
C:\WINDOWS\system32\fnbnko91.dll
C:\WINDOWS\system32\gdktcrhr.dll
C:\WINDOWS\system32\rhogdxgx.dll
C:\WINDOWS\system32\temp1.exe
C:\WINDOWS\system32\temp2.exe
C:\WINDOWS\system32\moyusetup.exe
C:\WINDOWS\xcopy.exe
C:\WINDOWS\system32\ZYNun.exe
C:\WINDOWS\system32\drivers\ZYNfx_at.sys
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\scrax.dll
C:\WINDOWS\system32\ssup.dll
C:\WINDOWS\system32\ZKBaiduBHO.dll
C:\WINDOWS\system32\drivers\fnbnko91.sys
D:\copy.exe
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
Reboot into normal mode.
1. Download ComboFix.exe using either of these links:
* bleepingcomputer.com
* techsupportforum.com
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Please include the combofix log and a new hijackthis log in your reply.
Thanks,
sari
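As an added example (not code from this thread, and not part of HijackThis or Killbox), here is a small Python audit of the remediation plan in the post above. It parses each HijackThis entry into section, kind, CLSID and the drive-letter paths it points at, checks every autostart target against the Killbox delete list (a file is covered if it is listed itself or sits under a listed directory such as C:\Program Files\yok), lists delete-list items that no HijackThis entry references, and flags well-known System32 binary names found outside System32 (the win.ini load=C:\WINDOWS\svchost.exe entry is the classic case). The HJT lines and file paths are copied from the post; the PROGRA~1 to "Program Files" expansion and the set of System32 binary names are my assumptions.

```python
"""Cross-check the HijackThis fix list against the Killbox delete list from post #37.
Added example, not code from the thread or from the HijackThis/Killbox tools; the HJT
entries and paths are copied from the post, the audit logic is my own."""
import re
from collections import namedtuple

# The 23 HijackThis entries the helper marked for "Fix Checked" (copied from the post).
HJT_LINES = r"""
R3 - URLSearchHook: ContextSearch Class - {88351CEF-BAC0-4A9B-8380-31A173E2926F} - C:\PROGRA~1\yok\toolbar.dll
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: Tencent Browser Helper - {0C7C23EF-A848-485B-873C-0ED954731014} - C:\Program Files\TENCENT\Adplus\SSAddr.dll
O2 - BHO: SafeGuard Protect PCShield - {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} - C:\WINDOWS\System32\sfg_1069.dll
O2 - BHO: VeryCD超级搜索 - {75FE2B5A-D3A4-4EFA-AC11-ADC9C9459688} - C:\PROGRA~1\yok\toolbar.dll
O2 - BHO: PrjZKBaiduBHO.ZKBaiduBHO - {BBF3E65D-762A-41AC-BFDA-7C6D97E65A73} - C:\WINDOWS\System32\ZKBaiduBHO.dll
O4 - HKLM\..\Run: [stup.exe] C:\PROGRA~1\TENCENT\Adplus\stup.exe
O4 - HKLM\..\Run: [yok.exe] C:\PROGRA~1\yok\yok.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [fnbnko91] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\fnbnko91.dll,DllCanUnloadNow
O4 - HKCU\..\Run: [PCShield] regsvr32 /s "C:\WINDOWS\System32\sfg_1069.dll"
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O8 - Extra context menu item: VeryCD超级搜索 - C:\PROGRA~1\yok\yoksch.htm
O8 - Extra context menu item: 上传到QQ网络硬盘 - C:\Program Files\Tencent\QQ\AddToNetDisk.htm
O8 - Extra context menu item: 添加到QQ自定义面板 - C:\Program Files\Tencent\QQ\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ彩信发送该图片 - C:\Program Files\Tencent\QQ\SendMMS.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra 'Tools' menuitem: 腾讯QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\Tencent\QQ\QQ.EXE
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
O9 - Extra 'Tools' menuitem: QQ炫彩工具条设置 - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\Program Files\Tencent\QQ\QQIEHelper.dll
""".strip().splitlines()

# Paths Killbox was to delete on reboot (copied from the post; the first two are directories).
KILLBOX_PATHS = r"""
C:\Program Files\yok
C:\Program Files\Moyu
C:\copy.exe
C:\host.exe
C:\WINDOWS\system32\fnbnko91.dll
C:\WINDOWS\system32\gdktcrhr.dll
C:\WINDOWS\system32\rhogdxgx.dll
C:\WINDOWS\system32\temp1.exe
C:\WINDOWS\system32\temp2.exe
C:\WINDOWS\system32\moyusetup.exe
C:\WINDOWS\xcopy.exe
C:\WINDOWS\system32\ZYNun.exe
C:\WINDOWS\system32\drivers\ZYNfx_at.sys
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\scrax.dll
C:\WINDOWS\system32\ssup.dll
C:\WINDOWS\system32\ZKBaiduBHO.dll
C:\WINDOWS\system32\drivers\fnbnko91.sys
D:\copy.exe
""".strip().splitlines()

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+?): (.*)$")           # "<section> - <kind>: <detail>"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|htm|lnk)\b", re.IGNORECASE)
SYSTEM32_DIR = "c:\\windows\\system32\\"
# Binaries that belong in System32 (my assumption); a copy elsewhere, like C:\WINDOWS\svchost.exe
# here, is the classic name-masquerading trick. rundll32.exe shows that a clean path is not flagged.
SYSTEM32_BINARIES = {"svchost.exe", "xcopy.exe", "rundll32.exe"}
HjtEntry = namedtuple("HjtEntry", "section kind detail clsid paths")

def normalise(path):
    """Lower-case and expand the 8.3 short name PROGRA~1 (assumed to mean Program Files)."""
    return path.strip().strip('"').lower().replace("progra~1", "program files")

def parse_hjt_line(line):
    """One HJT log line -> HjtEntry, or None if the line is not an HJT entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, detail = m.groups()
    clsid = CLSID_RE.search(detail)
    paths = tuple(normalise(p) for p in PATH_RE.findall(detail))
    return HjtEntry(section, kind, detail, clsid.group(0).upper() if clsid else None, paths)

def covered_by(path, kill):
    """The delete-list item that removes `path`: the file itself or a parent directory."""
    return next((k for k in kill if path == k or path.startswith(k + "\\")), None)

def masquerading(paths):
    """System32 binary names sitting outside System32."""
    return sorted({p for p in paths
                   if p.rsplit("\\", 1)[-1] in SYSTEM32_BINARIES and not p.startswith(SYSTEM32_DIR)})

def audit(hjt_lines, kill_list):
    """Which autostart targets the delete list covers, which it misses, and which delete-list
    items no HJT entry points at (those must rest on other evidence, e.g. a file scan)."""
    entries = [e for e in map(parse_hjt_line, hjt_lines) if e]
    kill = [normalise(k) for k in kill_list]
    covered, uncovered = {}, {}                     # path -> HJT sections referencing it
    for e in entries:
        for p in e.paths:
            (covered if covered_by(p, kill) else uncovered).setdefault(p, []).append(e.section)
    referenced = {covered_by(p, kill) for p in covered}
    return {
        "covered": covered,
        "uncovered": uncovered,
        "unreferenced": [k for k in kill if k not in referenced],
        "masquerading": masquerading(list(covered) + list(uncovered) + kill),
    }
```

Calling audit(HJT_LINES, KILLBOX_PATHS) reports the Tencent/QQ and PCShield (sfg_1069.dll) targets as not covered by the delete list, which matches the post handling Tencent through Add/Remove Programs, and lists the delete-list files that no HijackThis entry references (copy.exe, host.exe, the temp*.exe files and so on), which had to come from evidence other than the HJT log. The masquerade check returns C:\WINDOWS\svchost.exe and C:\WINDOWS\xcopy.exe, both well-known names placed outside the directory the real binaries live in.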
#38
Posted 12 January 2007 - 02:59 PM
Sari, after doing that it's done something really weird to my computer
When I go onto this site e.g. the whole thing looks different
1. there are no frames
2. everything is in times new roman rather than what it was before
I've only done up to deleting the hijackfiles....however I cannot get onto safemode....I've been pressing f8 like crazy.
Btw QQ is a program that installed like MSN, but I don't remind removing it first.
#39
Posted 12 January 2007 - 03:12 PM
now there's something wrong with my java script!!
If i click on a smilie it won't go on!!!
Sari, do you mind giving me your msn, this is really inconvenient thank you!
here is mine [email protected]
#40
Posted 12 January 2007 - 03:13 PM
valcandy,
Are all websites not right? I've had Geeks to Go show up like that on occasion, and if I close it and come back it's fixed. Try that first. I'm not sure about not getting into safe mode - there's nothing that we've deleted that should cause that.
Parts of the QQ program are bundled with adware - I felt it was safer to remove the whole thing.
Let me look into that safe mode issue.
sari
#41
Posted 12 January 2007 - 03:24 PM
Sari, the javascript part isn't working on any forum....
I got the safemode issue now............
#42
Posted 12 January 2007 - 03:25 PM
I've restarted my computer and it's still like this
Btw, for this part onwards should I still be in safemode, moreover is there internet on safemode?
For the next step, please make sure you have your D:\ drive connected, as there is a bad file on there as well.
* Please double-click Killbox.exe to run it.
* Select:
o Delete on Reboot
o then Click on the All Files button.
* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
#43
Posted 12 January 2007 - 03:27 PM
I've also noticed on many forums that my pictures are not loading e.g. if they were linked onto photobucket..................:-S
What's going on??
#44
Posted 12 January 2007 - 03:28 PM
So you haven't deleted anything, just done the removals in hijackthis? You haven't used killbox because you can't get into safemode?
#45
Posted 12 January 2007 - 03:29 PM
Can't do fast reply either now
No, I got into safemode and deleted YOK and QQ
And I made removals on hijack this.......