RE GreyKnight Pre .. VirusRemover 2008 problem [Solved]


#61 dowsp (Member, Topic Starter, 544 posts)
Hi Fenz

I posted the combo log to you direct

Do you also want me to finish off the other instructions that you gave me, or do you think it may be OK now that I am back online in normal mode?


it will be later today or early Saturday before I repost,

I may have to go out in next hour all day.

cheers dowsp

------------


Note: When you run the script, your PC will be restarted

Click Run

Restart your PC if it doesn't do it automatically, and post back with a new virusinfo_syscheck.htm.





NEXT



After that, please restart AVZ again,
From the "File" menu, choose "Standard Scripts"
Put a check next to item 2: Advanced System Investigation
Click Execute selected scripts
At the next prompt, click the OK button
Let the scan run and click "OK" when the completion prompt pops up
Now Close out of the Standard Scripts window, and exit AVZ
Navigate to the avz4 folder and locate the folder LOG
Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
Attach virusinfo_syscheck.htm to your next reply
#62 dowsp (Member, Topic Starter, 544 posts)
PS,

I am not sure where my new virusinfo_syscheck.htm file will be.

I am not sure if it overrides the previous one.

I couldn't see a new log file in my AVZ folder...

otherwise I will have to research.

#63 fenzodahl512 (Malware Removal, 9,863 posts)
Got your pm.. here's the next step...


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

NetSvc::
AshEvtSvc

Driver::
AshEvtSvc

Rootkit::
c:\windows\SYSTEM32\AshEvtSvc.exe

File::
c:\windows\ukinenorixat.dll
c:\windows\Bvawakusadiyure.dat
c:\windows\uyuzidijibazo.dll
c:\windows\SYSTEM32\AshEvtSvc.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AshEvtSvc]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

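The CFScript above is a plain sectioned text format: a `Name::` header, then one entry per line until the next header. The following is an added example, not ComboFix's own code, that parses such a script and then checks which of the File:: and Rootkit:: targets are still on disk, which is the first thing to verify after a ComboFix run that produced no log. Assumptions (not stated on this page): `[-KEY]` under Registry:: means "delete that key" (the .reg file convention), NTFS paths compare case-insensitively, and the file listing used in the usage note is constructed.

```python
"""Parse a ComboFix CFScript and report which of its file targets still exist.

Added example for this thread; not ComboFix's own code. Assumptions: section
headers are `Name::` on a line of their own, one entry per line, and `[-KEY]`
in Registry:: means "delete this key" (the .reg file convention).
"""
import os
import re
from typing import Callable, Dict, List

# Constructed sample: the script posted in this thread, copied verbatim.
SAMPLE_CFSCRIPT = r"""
KillAll::

NetSvc::
AshEvtSvc

Driver::
AshEvtSvc

Rootkit::
c:\windows\SYSTEM32\AshEvtSvc.exe

File::
c:\windows\ukinenorixat.dll
c:\windows\Bvawakusadiyure.dat
c:\windows\uyuzidijibazo.dll
c:\windows\SYSTEM32\AshEvtSvc.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AshEvtSvc]
"""

SECTION_RE = re.compile(r"^(\w+)::$")
DELETE_KEY_RE = re.compile(r"^\[-(.+)\]$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {section_name: [entries]}; a header with no entries maps to []."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def registry_deletions(sections: Dict[str, List[str]]) -> List[str]:
    """Keys the Registry:: section asks to delete ([-KEY] lines only)."""
    out = []
    for entry in sections.get("Registry", []):
        m = DELETE_KEY_RE.match(entry)
        if m:
            out.append(m.group(1))
    return out


def service_names(sections: Dict[str, List[str]]) -> List[str]:
    """Services and drivers the script stops and removes (NetSvc:: and Driver::)."""
    names = set(sections.get("NetSvc", [])) | set(sections.get("Driver", []))
    return sorted(names)


def file_targets(sections: Dict[str, List[str]]) -> List[str]:
    """File:: plus Rootkit:: paths, de-duplicated case-insensitively: NTFS is
    case-insensitive and the same binary is listed under both headers above."""
    seen = set()
    out = []
    for path in sections.get("File", []) + sections.get("Rootkit", []):
        key = path.lower()
        if key not in seen:
            seen.add(key)
            out.append(path)
    return out


def leftovers(sections: Dict[str, List[str]],
              exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Targeted paths that are still present after the script ran. `exists` is
    injectable so the check can run against a recorded directory listing."""
    return [p for p in file_targets(sections) if exists(p)]


if __name__ == "__main__":
    s = parse_cfscript(SAMPLE_CFSCRIPT)
    print("services to remove:", service_names(s))
    print("registry keys to delete:", registry_deletions(s))
    print("still on disk:", leftovers(s))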

#64 dowsp (Member, Topic Starter, 544 posts)
Hi Fenz

I followed your instructions, but after dragging and dropping the CFScript.txt onto combofix.exe, it started the process, BUT nothing seemed to happen; it just showed Dell's blue background screen. I gave it over 2 hrs, maybe 3, and no log was formed.

I am unsure what to do now, as the CFScript.txt was placed into Combo.exe...

Unless I should rerun it by clicking on it... or delete and start again.

#65 fenzodahl512 (Malware Removal, 9,863 posts)
Run ComboFix again normally (double-click it) and post the log here.. :)

#66 dowsp (Member, Topic Starter, 544 posts)
Here is the latest Hijack this log..


many thanks


----------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:37:22, on 07/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\Program Files\Tesco internet phone\TescoIP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.group...oo.com/group/d/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [Tesco internet phone] "C:\Program Files\Tesco internet phone\TescoIP.exe" /autostart
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1E76C8A-BF62-4277-8664-3395D74E0128}: NameServer = 212.139.132.73 212.139.132.75
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe

--
End of file - 7075 bytes
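A HijackThis log like the one above is read by entry code: O2 browser helper objects, O4 autoruns, O16 downloaded ActiveX controls, O17 per-interface DNS servers, O23 services. The block below is an added example (not HijackThis code) that pulls out the entries a reviewer would look at first and lists the O17 name servers so they can be compared with the ISP's. The rules are prompts for review, not verdicts: "Unknown owner" also fires on legitimate software that ships no company name (McShield here), and a "(file missing)" service is usually an orphan from an uninstall rather than malware. The sample lines are a constructed subset of the log posted above.

```python
"""Triage a HijackThis log: pull out the entries worth a manual look.

Added example for this thread, not HijackThis's own code. The rules below
are prompts for review, not verdicts: "Unknown owner" also fires on
legitimate software that simply ships no company name (McShield here).
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1E76C8A-BF62-4277-8664-3395D74E0128}: NameServer = 212.139.132.73 212.139.132.75
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>.+)$")


@dataclass
class Finding:
    code: str
    reason: str
    entry: str


def entries(log: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (code, body, full line) for every HijackThis entry line."""
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("code"), m.group("body"), line


def name_servers(log: str) -> List[str]:
    """DNS servers from O17 entries. A rogue resolver here silently redirects
    every lookup, so these should match what the ISP actually hands out."""
    ips: List[str] = []
    for code, body, _ in entries(log):
        if code == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                ips.extend(m.group("ips").split())
    return ips


def triage(log: str) -> List[Finding]:
    """Entries that merit a manual check, in log order."""
    found: List[Finding] = []
    for code, body, line in entries(log):
        if code == "O23" and body.endswith("(file missing)"):
            found.append(Finding(code, "service registered for a binary that no longer exists", line))
        elif code == "O23" and " - Unknown owner - " in body:
            found.append(Finding(code, "service binary carries no company name; verify the path", line))
        elif code == "O2" and body.startswith("BHO: (no name)"):
            found.append(Finding(code, "unnamed browser helper object; identify it by CLSID and path", line))
        elif code == "O16":
            found.append(Finding(code, "downloaded ActiveX control; remove unless the source site is trusted", line))
        elif code == "O17":
            found.append(Finding(code, "DNS servers set on an interface; confirm they belong to the ISP", line))
    return found


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.code}: {f.reason}\n    {f.entry}")
    print("name servers:", name_servers(SAMPLE_HJT_LOG))
```

On the full log above this flags five entries: the unnamed Spybot BHO, the HouseCall ActiveX control, the O17 name servers, the orphaned Kontiki KService and the McShield service; only KService and the O17 addresses actually need a decision.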

#67 fenzodahl512 (Malware Removal, 9,863 posts)
Hello.. Your AVG7 is outdated and no longer supported by Grisoft.. It has been replaced by AVG8.. I strongly suggest you uninstall AVG7.5 and replace it with AVG8.. More info below..

AVG Anti-Virus Free Edition 8.0



Please download FileAssassin and unzip it to your Desktop.
  • Double-click FileASSASSIN and tick on Attempt FileASSASSIN's method of file processing
  • Make sure ALL four options are selected (including "Delete file")
  • Copy/paste below file to the box
    • c:\windows\ukinenorixat.dll
  • Press Execute button..

Repeat FileASSASSIN step with this file

c:\windows\uyuzidijibazo.dll

Tell me whether FileASSASSIN managed to delete those files..



Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :)

#68 dowsp (Member, Topic Starter, 544 posts)
Hi Fenz

just before I do online scan..

YES Both Files were deleted successfully !...

--------------------------


Please download FileAssassin and unzip it to your Desktop.

Double-click FileASSASSIN and tick on Attempt FileASSASSIN's method of file processing
Make sure ALL four options are selected (including "Delete file")
Copy/paste below file to the box
c:\windows\ukinenorixat.dll
Press Execute button..


Repeat FileASSASSIN step with this file

c:\windows\uyuzidijibazo.dll

Tell me whether FileASSASSIN managed to delete those files..

#69 dowsp (Member, Topic Starter, 544 posts)
Hi Fenz

since the deletion of those files,

the computer seems slower and icons on this site take a long time to show.

It may just be an initial response, and if I were to restart, things may be back to normal.

I am not sure if I should restart before I do the full scan; otherwise it may take a long time.

Edited by dowsp, 06 March 2009 - 02:53 PM.


#70 dowsp (Member, Topic Starter, 544 posts)
Some weeks ago, I went on a website and somehow I seem to have gained an unusual type of problem.

When I am on a Yahoo page, be it my email or sometimes the main Yahoo page, I was getting a regular
banner advert header appear... It was saying that I may have won £10,000 and is shown as a company called

www.selected-winner.co.uk, and on the banner there is a reference to something called the service of Planet 49.

Sometimes it appears , sometimes NOT.... BUT I never used to get it..

I ran various AV scans inc online ones , to try and get rid of it and at one point I thought that I had.

But it came back on and off... and sometimes was a slightly different banner or wording...

For some weeks I had not noticed it .... Then Today It was back...

I did a Google search and didn't find much about it... but I did note one or two mentions of it.

I also did try to find out who the company was and tried to contact them to complain and ask how I could get rid of the banner, as it was really annoying me..

Then one day I got an email from Planet 49 saying to beware of a company who was trying to imitate them.

I did write back to them to ask further info, but had no reply..

There may be a genuine company and one that is a scam..

I just wondered if you have ever come across it before or something similar.

So far all the scans we have done don't seem to have fully got rid of it, if it is some sort of malware or spyware.


I have attached an image of what I see...

...

Attached: select_winner_banner.GIF

#71 dowsp (Member, Topic Starter, 544 posts)
Actually I just found this about that banner ad I get...

I recall now it was from a well known Film information website imdb.com ( BEST NOT VISIT IT UNTIL ONE IS SURE IT IS OK TO DO SO)

Whatever, if they were aware of it, it is criminal in my opinion that they allow them to advertise.

Unless they did not know about it at the time.


http://groups.google...323910650e32793

#72 fenzodahl512 (Malware Removal, 9,863 posts)
Don't click on unknown banners.. That's not a good habit..

Please reboot the computer and do the ESET Online Scanner step :)

#73 dowsp (Member, Topic Starter, 544 posts)
Hi Fenz

As far as I recall I didn't click on the actual banner, but somehow it got into my Yahoo pages.

It may have been a popup that was not even shown as the same as what was on the later banners that appear in Yahoo... and when I close it, it gets activated... I think that's how it works.

I did reboot and I have run the online AV checker for over an hour, maybe 2 hrs... it seems it's nearly finished, judging by the position of the blue line.

#74 dowsp (Member, Topic Starter, 544 posts)
Hi Fenz

heres the log file from Eset...

It actually took 3 hrs 40 mins to run.


As far as I know some viruses were quarantined when I had AVG, and some of the various programmes that I have run have detected them, and some have been deleted... some not, or maybe were with a different AV programme later on.

Fingers Crossed It has got rid of most if not all of the Nasties... and Cured it....

I may have to reboot it to see if the speed is back to normal as It was running slow after using file assassin.



------------------

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3914 (20090306)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=23fa16eff5c70345a308eeca0f0e6367
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-08 12:53:33
# local_time=2009-03-08 12:53:33 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=592853
# found=4
# scan_time=13248
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jixhkyor.dll.vir Win32/TrojanDownloader.Agent.ONC trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qsttnoja.dll.vir Win32/TrojanDownloader.Agent.ONC trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wpv601235665998.cpx.vir a variant of Win32/Kryptik.JU trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\UGV0ZXIgTmlnaHRpbmdhbGU\o3pXtrK0nA5BuJlDvAx1v3o.vbs.vir Win32/Adware.ISearch application (unable to clean - deleted) 00000000000000000000000000000000
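Two things are worth reading off the ESET log above before declaring the machine clean: whether the `# found=` count in the header matches the detection lines, and where the hits live. All four paths sit under C:\QooBox\Quarantine, ComboFix's quarantine folder, so they are files ComboFix had already neutralised rather than live infections. The block below is an added example (not ESET's code) that parses the `# key=value` header and the detection lines into records and produces that summary. Assumptions: the real log.txt separates the four detection fields (path, threat, action, hash) with tabs; the copy pasted into the thread lost them, so a whitespace fallback is used that cannot cope with a path containing spaces. The sample is a constructed subset of the log posted above.

```python
"""Parse an ESET Online Scanner log.txt into header metadata and detections.

Added example for this thread, not ESET's code. Assumption: the real log
separates the four detection fields with tabs; the copy pasted into the
thread lost them, so a whitespace heuristic is used as a fallback (it cannot
handle a path that contains spaces).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: header lines and the four detections from the log posted above.
SAMPLE_ESET_LOG = r"""
# version=4
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-08 12:53:33
# osver=5.1.2600 NT Service Pack 2
# scanned=592853
# found=4
# scan_time=13248
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jixhkyor.dll.vir Win32/TrojanDownloader.Agent.ONC trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qsttnoja.dll.vir Win32/TrojanDownloader.Agent.ONC trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wpv601235665998.cpx.vir a variant of Win32/Kryptik.JU trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\UGV0ZXIgTmlnaHRpbmdhbGU\o3pXtrK0nA5BuJlDvAx1v3o.vbs.vir Win32/Adware.ISearch application (unable to clean - deleted) 00000000000000000000000000000000
"""

# ComboFix moves what it removes into C:\QooBox\Quarantine; a hit there is not live.
COMBOFIX_QUARANTINE = "c:\\qoobox\\quarantine\\"

# Fallback for tab-less lines: path has no spaces, action is parenthesised,
# and the line ends with a 32-hex-digit hash.
FALLBACK_RE = re.compile(
    r"^(?P<path>\S+)\s+(?P<threat>.+?)\s+\((?P<action>[^()]*)\)\s+(?P<digest>[0-9a-fA-F]{32})$"
)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    digest: str

    @property
    def already_quarantined(self) -> bool:
        return self.path.lower().startswith(COMBOFIX_QUARANTINE)


def parse_detection(line: str) -> Detection:
    """Tab-separated (real log) first; whitespace heuristic for pasted copies."""
    line = line.rstrip("\r\n")
    if "\t" in line:
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"expected 4 tab-separated fields: {line!r}")
        path, threat, action, digest = parts
        return Detection(path, threat, action.strip("()"), digest)
    m = FALLBACK_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable detection line: {line!r}")
    return Detection(m["path"], m["threat"], m["action"], m["digest"])


def parse_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    header: Dict[str, str] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("# "):
            key, _, value = raw[2:].partition("=")
            header[key.strip()] = value.strip()
        else:
            detections.append(parse_detection(raw))
    return header, detections


def summarize(text: str) -> Dict[str, object]:
    """Cross-check the header count against parsed lines and split hits into
    already-quarantined versus live."""
    header, dets = parse_log(text)
    claimed = int(header.get("found", "0"))
    quarantined = sum(1 for d in dets if d.already_quarantined)
    return {
        "found": claimed,
        "parsed": len(dets),
        "header_matches": claimed == len(dets),
        "already_quarantined": quarantined,
        "live": len(dets) - quarantined,
        "finished": header.get("end") == "finished",
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ESET_LOG))
```

For the log above this reports four parsed detections matching `found=4`, all four already in ComboFix's quarantine and none live, with `end=finished` confirming the scan ran to completion rather than being aborted.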

#75 fenzodahl512 (Malware Removal, 9,863 posts)
Reboot the computer and run ComboFix again... Post the log here for my final review.. Please tell me, how's the computer now? :)