Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Your System is Infected! Now will not boot

Started by Kittenmeow , Jan 24 2010 09:31 PM

  • Please log in to reply

#1
Kittenmeow
Posted 24 January 2010 - 09:31 PM

Kittenmeow

    New Member

  • Member
  • Pip
  • 1 posts
Thank you in advance for your assistance.
Tonight my computer acquired the "Your system is Infected!" virus. I immediately ran spybot and removed some items, including a trojan. I then updated spybot, ran again and removed some additional stuff. I rebooted the computer, but now I have a far worse problem.
The system boots to the point where I select the user, then the system shuts down again. What can be done to fix and remove the virus? Please Help!!

Edited by Kittenmeow, 24 January 2010 - 09:35 PM.

  • 0

Advertisements

#2
RKinner
Posted 26 January 2010 - 10:42 PM

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
IT's not easy but you can fix it.

Get PC Regedit
from the link on the lower half of this page:
http://www.raymond.c...ing-in-windows/

The page explains how to use it to fix a no logon condition. In your case netsky (which sounds like what you have) usually messes winlogon too but if userinit looks normal then check the value of shell which should be explorer.exe.

From a recent post we can see these Netsky infection points in an OTL log:

O4 - HKLM..\Run: [notepad] C:\WINDOWS\System32\notepad.DLL (Microsoft)
O4 - HKLM..\Run: [tqammy] C:\WINDOWS\System32\msaouahn.DLL (USA)

O4 - HKLM..\Run: [vodifatun] C:\WINDOWS\System32\guyewijo.DLL ()
O4 - HKLM..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe (cLAeVTkp)

(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run)

O4 - HKCU..\Run: [notepad] C:\Documents and Settings\Administrator\ntload.dll (Microsoft)

(HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run )

O20 - AppInit_DLLs: (yebesuna.dll) - C:\WINDOWS\System32\yebesuna.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\guyewijo.dll) - C:\WINDOWS\system32\guyewijo.dll ()

(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\winlogon86.exe) - C:\WINDOWS\system32\winlogon86.exe (cLAeVTkp)

(HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit)

O21 - SSODL: luvehihoy - {5fb9c357-8436-4f7d-b86f-4c3d6ef35eec} - C:\WINDOWS\system32\guyewijo.dll ()

(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad )

O22 - SharedTaskScheduler: {5fb9c357-8436-4f7d-b86f-4c3d6ef35eec} - kupuhivus - C:\WINDOWS\system32\guyewijo.dll ()

(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler)

O32 - AutoRun File - [2009/12/21 11:30:12 | 00,034,308 | -H-- | M] () - E:\autorun.exe -- [ FAT32 ]

(possible infected file on USB drive or external drive)


NetSvcs: BtwSrv - C:\WINDOWS\system32\BtwSrv.dll (FTD2XX Software Technology)
NetSvcs: Iprip - C:\WINDOWS\system32\Ipripv32.dll ()

These last two will mess up your internet. See:

http://www.threatexp...74451a9e6c0b5ef

http://www.quickheal....Agent2.kuz.asp

If in doubt compare to a working system.

Ron

Edited by RKinner, 26 January 2010 - 10:44 PM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP