Support Forums Categories Virus Protection, Removals, and HJT Team Virus Removal, Hijack This Logs, and Support
[HJT Log] Suspected virus.

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Threaded Mode
[HJT Log] Suspected virus.
TheGeniusism Offline
Scientia Potentia Est
**
Posts: 51
Threads: 6
Joined: May 2010
Reputation: 0
#1
11-11-2010, 12:41 PM (This post was last modified: 11-12-2010, 04:27 AM by TheGeniusism.)
1.My issues are: The Windows Security Center Service cannot be started and random pop-ups, pop-up in IE.

2.My MBAM log:
Spoiler (Click to View)

3.My HJT log:
Spoiler (Click to View)

4.My DDS log:
Spoiler (Click to View)

Issues encountered:
Find
Reply
Quintus Offline
New Leaf
****
Posts: 528
Threads: 3
Joined: Oct 2009
Reputation: 31
#2
11-12-2010, 07:42 AM
Greetings,

Whilst I am in the process of scrutinizing your complete set of provided logs for any possible infections or problems, I ask for your forbearance. Understand that the process of analysis requires time and careful examination hence the need for a cautious response. Accuracy is of the essence. Once I come across infections, I shall present the finest methods of removal for your convenience.

In return for this service, I propose to you two conditions:
  1. You are not to create any new threads regarding the similar topic as it will waste another helper's time.
  2. You are not to install any new software in your system, as it may hinder our process thus making this futile.
In accordance to my terms, I also ask of you five things, stated below:
  1. You are not to modify the logs in any way. Failure to do so will instantly deprive you of this service.
  2. You are to paste each log separately at PasteBin as it is. That is correct, no syntax highlighting, no editing - just the log purely. Post back the links for each log. You shall not hide them under spoiler codes.
  3. You are to provide the complete set of requested logs.
  4. You are to respond to every step I ask you to do using the format provided at the end of my post.
  5. You agree that I have the right to discontinue the analysis at any time, upon a violation of a single rule.
Provided that you will continue with this service, you hereby agree to the above statements. If you deem the conditions are portraying equality, I will willingly perform the analysis without further delay. Should you have any concerns or problems with the above conditions, or if you feel that I have overlooked your log, do inform me through a Private Message by clicking 'this'.

Thank you.

Genuinely yours,
Quintus
  • Prerequisite

    If you are having a problem running HijackThis as Administrator, please follow the steps below.
    • Go to My Computer and navigate to your default disc drive (C: is the most common).
    • Go to Program Files > Trend Micro > HijackThis.
    • Right-click HiJackThis.exe and run it as Administrator.
  • Step 1

    Please run HijackThis. Click 'Do a system scan only' and place a check next to the following line(s) if present:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=14302&l=dis
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [V0640Pin.dll] RunDLL32.exe V0640Pin.dll,RunDLL32EP 514,/d:2
    O4 - HKCU\..\Run: [U36VRSFLG6] C:\Users\Uzair\AppData\Local\Temp\Bqd.exe
    O4 - Startup: DesktopVideoPlayer.LNK = C:\Program Files\vghd\vghd.exe

    Then, close all other open windows and click 'Fix Checked'. You are to reboot your system afterwards.
  • Step 2

    Please download Combofix from one of the following locations:

    'Link 1'
    'Link 2'

    **IMPORTANT!**

    Let me give you a warning beforehand. I am instructing you to use one of the most powerful removal tool created. A simple mistake of running ComboFix without a helper's advice might render your machine unbootable. Do note that the steps below are crucial for the success of the clean-up you are currently undergoing. If by any chance you failed to meet any of them, I can almost guarantee a dreadful occurrence happening. See to it that you read the instructions first up to the very end and follow them accordingly after to ensure the best possible performance.
    • Save ComboFix to your Desktop.
    • Disable your anti-virus and anti-spyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix. If you have difficulty properly disabling your protective programs, refer to 'this' link.

      Please open Notepad and copy and paste this code.

      Code:
      File::
      C:\Users\Uzair\AppData\Local\Temp\Bqd.exe

      Save this as CFScript.txt and change the Save As Type to All Files and place it on your Desktop. Make sure your security programs are disabled while we do this.

      [Image: CFScript.gif]

      Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

      ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Reminders:
  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
  3. ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
  4. ComboFix prevents autorun of all CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you - please tell me.
  5. ComboFix disconnects your machine from the Internet. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  • In your next post, please provide the following:
    • A Fresh HijackThis (HJT) Log
    • ComboFix Log
    • Deckard's System Scanner (DDS) Logs
      • DDS.txt
      • Attach.txt
  • Format of Response

    Code:
    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Link To Requested Logs:[/b][/color]
Find
Reply
TheGeniusism Offline
Scientia Potentia Est
**
Posts: 51
Threads: 6
Joined: May 2010
Reputation: 0
#3
11-14-2010, 04:56 AM (This post was last modified: 11-14-2010, 05:29 AM by TheGeniusism.)
Step 1
Problems Encountered: None.

Step 2
Problems Encountered: None.



Link To Requested Logs:

HiJackThis: (PasteBin didn't seem to work for this log) http://fixee.org/view_raw/2suzo6q
ComboFix: http://pastebin.com/cKMtnMAS
DDS: http://pastebin.com/0uE3zNhw
Attach: http://pastebin.com/NLtVnL3i
Find
Reply
Quintus Offline
New Leaf
****
Posts: 528
Threads: 3
Joined: Oct 2009
Reputation: 31
#4
11-15-2010, 04:48 AM (This post was last modified: 11-15-2010, 04:49 AM by Quintus.)
  • Step 3

    My analysis shows me that you have Ask Toolbar installed in your system.

    I strongly recommend you remove the program from your system for the following reasons:
    • It promotes its toolbars on sites targeted at kids.
    • It promotes its toolbars through ads that appear to be part of other companies' sites.
    • It promotes its toolbars through other companies' spyware.
    • It is installed without any disclosure whatsoever and without any consent from the user whatsoever thereby considering it as foistware.
    • It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
    • It makes confusing changes to user's browsers - increasing Ask Toolbar's revenues while taking users to pages they didn't intend to visit.

    You can view more of that from 'this' site. Another recommended read would be 'this' article.

    Now in accordance to these facts, I will now present to you the proper way of removal.
    • Click Start > Control Panel > Programs > Uninstall A Program.
    • Locate and select AskBarDis or Ask Toolbar on the list and click the Uninstall button. Press Continue for the next prompt.
    • Follow the on-screen steps which concerns the removal.
    • Now delete the following folder C:\Program Files\AskBarDis or C:\Program Files\AskToolbar and empty your Recycle Bin.
  • Step 4

    Besides compromising network security, their association with illegal file-sharing creates legal liabilities for their employers. More often than not, companies aren't aware of software license violations and other infractions their workers commit through file-sharing.

    More from 'this' article.

    I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer. Your system is at risk. Even if you are using a safe P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    I strongly recommend that you uninstall the following program(s) present in your system through Add or Remove Programs for Windows XP and Programs and Features for Vista and Windows 7:
    • µTorrent
    • FrostWire 4.21.1
    • LimeWire 5.5.16
    • Vuze

    Note: If you choose not to remove the program(s), please do not use them until this computer is clean.

    Here is the list of Safe and Unsafe P2P Programs.

    Clean
    • Ares
    • Azureus 2.5.0.0
    • BitComet
    • Bittorrent
    • E-Mule
    • Frostwire
    • Limewire
    • µTorrent

    Unsafe
    • Azureus Vuze
    • BearShare
    • Bitlord
    • BittorrentUltra
    • iMesh

    You can see more of that 'here'.
  • Step 5

    "Yuna Software, the creator of Messenger Plus! Live, currently bundles optional adware software developed by Circle Development Ltd. Some software review websites criticized the user agreement, stating that the 'sponsorship agreement', which authorized the installation of the optional adware software, was misleading because it looked like a standard EULA, and was only available in English. McAfee SiteAdvisor warns that the website is linked with adware Adware-Lop/Swizzor."

    More from 'this' article.

    ► Visit McAfee's Website 'here'.
    ► Visit Web of Trust 'here'.

    You seem to have Messenger Plus! Live installed in your system.

    I strongly recommend that you uninstall this program by:
    • Going to Control Panel.
    • Select Programs and Features.
    • Wait for the list to populate.
    • Navigate to Messenger Plus! Live and Messenger Plus! Live Toolbar if present.
    • Uninstall the program.
  • Step 6

    Please run HijackThis. Click 'Do a system scan only' and place a check next to the following line(s) if present:

    O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\\Program Files\\Ask.com\\GenericAskToolbar.dll

    Then, close all other open windows and click 'Fix Checked'. You are to reboot your system afterwards.
  • Step 7

    I assume you still have ComboFix on your system.

    Please open Notepad and copy and paste this code:

    Code:
    File::
    c:\windows\Brerea.exe

    Firefox::
    FF - ProfilePath - c:\users\uzair\appdata\roaming\mozilla\firefox\profiles\vvf95d25.default\
    FF - prefs.js: browser.search.selectedEngine -
    FF - prefs.js: keyword.URL -

    Save this as CFScript.txt and change the Save As Type to All Files and place it on your Desktop. Make sure your security programs are disabled while we do this.

    [Image: CFScript.gif]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

    ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

Then, close all other open windows and click 'Fix Checked'. You are to reboot your system afterwards.[/list]
  • Step 8

    Please run a free online scan with ESET Online Scanner by downloading ESET Smart Installer 'here'. Save it to your Desktop.
    • Double-click esetsmartinstaller_enu.exe to execute the program.
    • Tick 'YES, I accept the Terms of Use'.
    • Click 'Start'.
    • If this is your first time installing the scanner, allow the 'ActiveX Control' to install.
    • Database download may take some time.
    • When done, make sure that the option 'Remove found threats' is ticked. Under the and 'Advanced Settings', please put a check on the following options:
      • Scan for potentially unwanted applications
      • Enable Anti-Stealth Technology
    • Click 'Start'.
    • Wait for the scan to finish.
    • Once it is finished, use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt.
    • Copy and paste that log as a reply to this topic.
  • In your next post, please provide the following:
    • A Fresh HijackThis (HJT) Log
    • ComboFix Log
    • Deckard's System Scanner (DDS) Logs
      • DDS.txt
      • Attach.txt
    • ESET Scan Log
  • Comments:
    • Please find V0640Pin.dll in your system. Upload it if found.
  • Format of Response
    Code:
    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Link To Requested Logs:[/b][/color]
Find
Reply
TheGeniusism Offline
Scientia Potentia Est
**
Posts: 51
Threads: 6
Joined: May 2010
Reputation: 0
#5
11-15-2010, 05:02 PM (This post was last modified: 11-15-2010, 05:03 PM by TheGeniusism.)
Step # 3-8
Problems Encountered: No problems encountered.


Link To Requested Logs:

ComboFix: http://pastebin.com/bvWnjbmB
HJT: http://fixee.org/view_raw/5k7n1jj
DDS: http://pastebin.com/3GQXLCib
Attach: http://pastebin.com/4TgNZqsa
ESET: http://pastebin.com/azfBjRNM
V0640Pin.dll: http://www.mediafire.com/?uo17f094g16dydx
Find
Reply
Quintus Offline
New Leaf
****
Posts: 528
Threads: 3
Joined: Oct 2009
Reputation: 31
#6
11-17-2010, 08:31 AM
How is your system running?
  • Step 9

    I assume you still have ComboFix on your system.

    Please open Notepad and copy and paste this code:

    Code:
    DDS::
    mURLSearchHooks: H - No File
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

    Save this as CFScript.txt and change the Save As Type to All Files and place it on your Desktop. Make sure your security programs are disabled while we do this.

    [Image: CFScript.gif]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

    ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
  • In your next post, please provide the following:
    • A Fresh HijackThis (HJT) Log
    • ComboFix Log
    • Deckard's System Scanner (DDS) Logs
      • DDS.txt
      • Attach.txt
  • Format of Response

    Code:
    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Link To Requested Logs:[/b][/color]
Find
Reply
TheGeniusism Offline
Scientia Potentia Est
**
Posts: 51
Threads: 6
Joined: May 2010
Reputation: 0
#7
11-20-2010, 06:05 AM
Thank you, but my system seems to be running fine now.

Many thanks Para.
Find
Reply
Quintus Offline
New Leaf
****
Posts: 528
Threads: 3
Joined: Oct 2009
Reputation: 31
#8
11-21-2010, 02:34 AM
That is required to ensure all traces of malware are gone. It displeases me when people refuse to take further instructions after their respective systems have been restored, as if they are certain that it already implies their systems are clean when it is not the case. Have it your way, sir.
Find
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Active HJT Graduate/Malware Remover now Brandenx781 2 1,551 02-19-2012, 05:38 PM
Last Post: Retribute
  Hooot.com redirect virus sarasmile 6 2,548 01-22-2012, 01:19 PM
Last Post: RDCA
  Many missing files - Hijackthis log kdang2 27 19,524 01-05-2012, 05:10 AM
Last Post: King
  i may be infected can you analyze this otl log please helpplease 6 2,727 11-23-2011, 08:58 PM
Last Post: Brandenx781
  Suspected RAT. TheGeniusism 6 1,864 08-05-2011, 04:39 AM
Last Post: Vexna

Forum Jump:


Users browsing this thread: 1 Guest(s)