Huge computer problem (DHL e-mail virus)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Spinser, Apr 5, 2011.

  1. Spinser

    Spinser Private E-2

    First of all, sorry about my English. Second: This is my first post so if there are any problems with it I'm sorry.

    Now this is my problem: Earlier today I received an e-mail from DHL saying: your parcel has been sent, it will arrive... Then I opened the attachment (I didn't know about all those problems with DHL mail viruses), unzipped it and started the icon, and then AVG reported a malware alert. AVG quarantined it and required restarting the computer. When the computer restarted I logged in normally, BUT when I try starting programs it says: "Application not found", or an "Open with" screen pops up. Also I can't install or delete any program because: Control Panel ("application not found") and any program I want to start ("Open with") aren't working... That is the reason I can't follow the instructions from "READ & RUN ME FIRST".

    I will appreciate any help.
    Thank you in advance.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try this.

    Please download RogueKiller.exe and save it to your desktop.
    • Now quit all running programs.
    • Double click RogueKiller.exe to run it.
    • When prompted, type 1 and hit Enter.
    • A RKreport.txt should appear on your desktop.
    • Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe .
    • Please post the contents of the RKreport.txt in your next Reply.

    Now see if you can work your way through this. READ & RUN ME FIRST. Malware Removal Guide
     
  3. Spinser

    Spinser Private E-2

    Here is the report


    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User: stefan [Admin rights]
    Mode: Scan -- Date : 04/05/2011 18:08:13

    Bad processes: 0

    Registry Entries: 8
    [APPDT/TMP/DESKTOP] HKCU\[...]\Run : Octoshape Streaming Services ("C:\Documents and Settings\stefan\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun) -> FOUND
    [APPDT/TMP/DESKTOP] HKUS\S-1-5-21-117609710-1454471165-725345543-1003[...]\Run : Octoshape Streaming Services ("C:\Documents and Settings\stefan\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun) -> FOUND
    [FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command : ("C:\Documents and Settings\stefan\Local Settings\Application Data\oqc.exe" -a "%1" %*) -> FOUND
    [FILEASSO] HKCU\[...]Software\Classes\exefile\shell\open\command : ("C:\Documents and Settings\stefan\Local Settings\Application Data\oqc.exe" -a "%1" %*) -> FOUND
    [FILEASSO] HKCR\[...]exefile\shell\open\command : ("C:\Documents and Settings\stefan\Local Settings\Application Data\oqc.exe" -a "%1" %*) -> FOUND
    [FILEASSO] HKCR\[...].exe\shell\open\command : ("C:\Documents and Settings\stefan\Local Settings\Application Data\oqc.exe" -a "%1" %*) -> FOUND
    [FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command : ("C:\Documents and Settings\stefan\Local Settings\Application Data\oqc.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") -> FOUND
    [FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command : ("C:\Documents and Settings\stefan\Local Settings\Application Data\oqc.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") -> FOUND

    HOSTS File:
    127.0.0.1 www.audio4fun.com


    Finished : << RKreport[1].txt >>
    RKreport[1].txt
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, remember what I said about attaching items and not posting inline like you did. I gave you a link on how to do this.

    Now continue to work your way through what you can of the R&R.
     
  5. Spinser

    Spinser Private E-2

    Ok, thanks. I'll try to work my way through and I'll post a reply when I finish (probably tomorrow).
     
  6. Spinser

    Spinser Private E-2

    Ok guys. I tried again to follow READ & RUN but I can't get any application working. I can't get into Control Panel either, so I can't go to Add/Remove Programs. When I try to start any kind of application (including CCleaner, or any other) it just pops up an "Open with" window. And this is the 3rd day that my computer has had the virus and I now start feeling that it runs quite slowly. I hope you have some kind of advice.
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try and at least get Combofix and MGTools to run in safe mode.
     
  8. Spinser

    Spinser Private E-2

    Hahaha this is great. I started MGtools and here is the log from it. But then I tried to start ComboFix and it said that I must uninstall AVG. I did that with AVG Remover and when it was completed suddenly everything came back to normal. I didn't scan with ComboFix. It is possible that the malware was hidden in AVG's quarantine folder and was then destroyed in the process. I want to know what you think about that, and tell me whether I am safe now.
     

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What is this file?
    C:\Documents and Settings\stefan\check.bat

    Ask Toolbar <--- Uninstall this.

    Please go to virustotal and upload the following files for analysis, and let me know the results.
    • C:\windows\_WiseFW.ini
    • C:\Documents and Settings\stefan\check.bat

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

    Code:
    :files
    C:\Documents and Settings\stefan\Local Settings\Application Data\823844su6067g748f301q48vje741lv7bwcg7wj
    C:\Documents and Settings\All Users\Application Data\823844su6067g748f301q48vje741lv7bwcg7wj
    C:\Documents and Settings\stefan\Templates\823844su6067g748f301q48vje741lv7bwcg7wj
    C:\windows\ka.ini
    C:\WINDOWS\system32\Access.dat
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    You need to download Ccleaner if you have not already done so and run it to clear out temp files which have gathered.

    Are you still having problems? If so then you will need to run Combofix and attach the log from doing so.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  10. Spinser

    Spinser Private E-2

    I don't have any problems now. Thanks for your help. Can you just tell me how to close this thread?
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Attach the requested logs first. ;)
     