Total Virus Protection Infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kornilios, Apr 27, 2009.

  1. kornilios

    kornilios Private E-2

For quite a while I was having a dodgy file that I couldn't delete.
    That file was: C:\Documents and Settings\ERIC\Local Settings\Temp\rvjrhqkz.dat. I did try to remove it in safe mode using several file unlockers but the file was very persistent. There were no obvious other probs with my computer so I didn't take any further measures and just left the file staying there. That was up to recently when "total virus protection" appeared out of nowhere in my computer. And at the same time I also noticed another persistent file that I cannot delete: C:\WINDOWS\system32\dmconfigf.dll (Trojan.BHO.H).
    There were around 4-5 registry key entries affiliated with them also locked.
    This was an obvious problem and since then my access to the internet has been VERY unstable. I keep getting disconnected every few minutes. I believe the longest I managed to be online continuously without getting disconnected for the past 4-5 days was around 10 minutes...
    I believe I managed to remove (using information found in your site) Total Virus Protection but that didn't solve my connection probs, nor has it improved them in the slightest.
    I am fairly confident my computer is still infected with malicious software and that this is the cause, as my other computer, which shares the same wireless connection, gets online with no problems at all.

Since yesterday I followed all the initial steps you propose and I attached the logs you ask for. (Some of the logs are before I completely updated my Java and before I set msconfig back to normal op.) The problem though is still here!!

I created a Knoppix boot CD and through Linux deleted:
    C:\WINDOWS\system32\dmconfigf.dll (Trojan.BHO.H) &
    C:\Documents and Settings\ERIC\Local Settings\Temp\rvjrhqkz.dat (Rootkit.Agent) but guess what .... Still nothing! Apart from that, one of these 2 files must have been used by my ATI RADEON console and now I probably need to reinstall it.

    Can we get things sorted or format is the only option?

    Any kind of help will be much appreciated,
    Cheers

  2. kornilios

    kornilios Private E-2

I uploaded a newer Malwarebytes scan for comparison. Now all scans are after I updated Java and reset msconfig to its default settings. I still haven't singled out what the actual prob may be.

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to tell me why you are only running with SP1. I suspect that many of your problems could have been averted had you at least updated to SP2.

    Please use add/remove programs to uninstall:


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * Avenger
    * C:\MGlogs.zip
     
  4. kornilios

    kornilios Private E-2

    Thanks for your time and effort in this.

Why do I only have SP1?
    I used to have SP2 but I removed it. Long story short, I tried to remove the Windows updater from my machine in order not to let Microsoft install the Windows authenticity verification tool. I used to have it before on one of my PCs but it was so irritating and it took me forever to manage to get rid of. I am running genuine XP operating systems on my other 2 computers but as I have lost the CD keys I didn't install one of the genuine XP CDs on this one. So after I managed to get rid of the installer I naively decided to get rid of all other updates from SP2...
    Once I got rid of most updates I started experiencing problems with SVCHOST. All the machine's memory was building up and was used by SVCHOST. That's when I first noticed I was getting disconnected from the internet once every few minutes. Searching on Google I found out that there is a patch for this in SP2...
    I tried to get the Windows installer back and SP2 but I can't get either the update to start working from the Microsoft page or the installer to configure properly from a manual download.

    I did what you asked and here are the results:

    Hijack this failed to remove this:

    O2 - BHO: (no name) - {3F975A65-67DF-42A6-A51C-AF60AB665F0C} - C:\WINDOWS\System32\dmconfigf.dll (file missing)

I uploaded the other 2 logs you asked me for.

    Last edited: May 9, 2009
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I will continue to assist you with the virus removal, but you must realize that even when we get you clean, you will be open to numerous problems. So I am going to suggest that at some point, you contact Microsoft and see about getting a legit key.

    I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    djt60e2
    fblfcc4
    tpf268c
    
    File::
    C:\WINDOWS\system32\drivers\fblfcc4.sys
    C:\WINDOWS\system32\drivers\tpf268c.sys
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3F975A65-67DF-42A6-A51C-AF60AB665F0C}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
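The two posts above show the same orphaned Browser Helper Object twice: HijackThis reports it as an O2 line with "(file missing)" and cannot fix it, and the CFScript then deletes its registration key by CLSID. The script below is an added example, not code from the thread, from HijackThis or from ComboFix: it parses the O2 lines of a HijackThis log, flags BHOs whose DLL is gone (or whose CLSID the analyst supplies as known-bad), and renders the matching CFScript Registry:: entries in the layout TimW used. The function names, the regular expression and the sample log are assumptions made for the example; only the first sample line reproduces the O2 line from post 4, the remaining lines are constructed benign entries for contrast.

```python
# Added example, not from the thread or from HijackThis/ComboFix: parse the O2 (BHO)
# lines of a HijackThis log, flag registrations whose DLL is gone or whose CLSID is on
# a supplied list, and emit the matching ComboFix CFScript "Registry::" entries.
import re

# Registry key under which Internet Explorer enumerates Browser Helper Objects.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")

# HijackThis prints one BHO per line, e.g.
#   O2 - BHO: (no name) - {CLSID} - C:\path\to\file.dll (file missing)
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def parse_o2_lines(log_lines):
    """Return a list of dicts, one per O2 line; other log lines are ignored."""
    entries = []
    for raw in log_lines:
        m = O2_LINE.match(raw.strip())
        if m is None:
            continue
        entries.append({
            "name": m["name"],
            "clsid": m["clsid"].upper(),
            "path": m["path"],
            "file_missing": m["missing"] is not None,
        })
    return entries


def find_suspect_bhos(log_lines, known_bad_clsids=()):
    """A BHO is suspect if its DLL no longer exists (an orphaned registration
    that HijackThis could not fix, as in the thread) or if its CLSID was
    supplied by the analyst as known-bad."""
    bad = {c.upper() for c in known_bad_clsids}
    return [e for e in parse_o2_lines(log_lines)
            if e["file_missing"] or e["clsid"] in bad]


def build_cfscript(suspects):
    """Render a CFScript in the same layout as the one posted above: KILLALL::,
    then a Registry:: section whose [-key] lines delete each BHO registration."""
    lines = ["KILLALL::", "", "Registry::"]
    for e in suspects:
        lines.append(f"[-{BHO_KEY}\\{e['clsid']}]")
    return "\n".join(lines) + "\n"


# Constructed sample log (assumption). The first line reproduces the O2 line
# from post 4; the remaining lines are typical benign entries added for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3F975A65-67DF-42A6-A51C-AF60AB665F0C} - C:\WINDOWS\System32\dmconfigf.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

if __name__ == "__main__":
    # Prints a CFScript that removes only the orphaned dmconfigf.dll registration.
    print(build_cfscript(find_suspect_bhos(SAMPLE_LOG)), end="")
```

Note that "(file missing)" alone is a weak signal: a BHO whose DLL was deleted from a Linux live CD, as in post 1, is exactly what this catches, but a legitimately uninstalled add-on leaves the same trace, so the generated script is a starting point for the analyst to review, not something to run blind. The CLSID list argument exists for the opposite case, a DLL that is still present but already identified as malicious.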
