VirusBurst help me #1 of 2

Discussion in 'Malware Help (A Specialist Will Reply)' started by dsgaski, Oct 6, 2006.

  1. dsgaski

    dsgaski Private E-2

I followed all the instructions found on MAJORGEEKS. I think the problem is near an end. Attached are the logs of Bitdefender, PandaActiveScan. In a new thread I will post the GetRunKey, ShowNew and HijackThis logs. O21 in the HijackThis log is a problem. There may be more.

    In the (Taskbar?) bar at the bottom of the page I still have a red circle with a red forward slash through it that cycles into a blue question mark and back and forth. Often there is a balloon popping up which if clicked takes me to the VirusBurst web-site and I am offered their product.

    I am new to this but that doesn't excuse me for not following directions. I clicked 'show all files scanned' but I deleted all the 'clean files' in the log file after I saved it, so if it looks weird, that's my fault.

    I have a Dell Dimension 8300
    Registered Microsoft Windows XP PRO Version 2002 Service Pack 2

    Intel Pentium4 CPU 3.00GHz
    2.99 GHz, 1.00GB of RAM
    Dual Intel Pentium 4 CPU 3.00 GHz processors
    Dual Monitors 1 default, 1 DELL W2300LCDTV(Digital)
    Dual 128MB DDR ATI Radeon 9800 PRO
    Wireless-G PCI Adapter with SRX

    IE latest version
    Microsoft Office 2003
    E-MAIL is through OUTLOOK
    Norton Internet Security
    Norton Antivirus

    I do not have Norton Protected files in my Windows Recycle bin anymore. Don't know when it left. Would like to have it back. I did not delete Norton Protected files if there are any as I could not locate them.

    Data Execution Prevention (DEP) for essential Windows programs and services is turned on.
     


  2. dsgaski

    dsgaski Private E-2

    VirusBurst help me #2 of 2

    Attached are the GetRunKey, ShowNew logs and The HijackThis log.
     


  3. dsgaski

    dsgaski Private E-2

    coma computer

    This AM my computer would do everything but let me go online. Data was sent and received but not at my request. I ran HijackThis and deleted a file, C:\WINDOWS\system32\gqagksr.dll, I thought was the culprit and now it works again.

    I still can't get rid of the malware I believe this is related to. In my toolbar, there is a red circle with a slash through it that cycles to a blue question mark, back and forth. A balloon will come up that declares "Critical System Error!...". If I click the balloon it will take me to the VirusBurst page and offer their product.

    HJT found something and I allowed it to "FIX IT",
    O21 - SSODL: hydrodictyon - {b166be07-30a4-4d38-b781-44528a630706} - C:\WINDOWS\system32\gqagksr.dll
    I think it's related.

    If I go to the toolbar, right click, left click properties, check 'hide inactive icons', left click 'customize', I can 'always hide' the red-blue thing but if I reboot, it's right back again and my connection indicator is 'hidden' like they've traded spaces.

    My other threads tell that I have run the READ AND RUN ME FIRST stuff and have uploaded all the required logs.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: coma computer

    Welcome to Majorgeeks!

    Please rename HijackThis.exe to analyse.exe as requested in step 7 of the READ ME. This is critical! Then continue with the below steps!

    I'm going to post two messages! This is the first! Complete this procedure completely including attaching the requested log before doing the second procedure.

    First install the current version of Sun Java from: Sun Java Runtime Environment

    Now Uninstall the below old software (some of these should have been uninstalled in step 0 of the READ ME):
    J2SE Runtime Environment 5.0 Update 6



    Download SmitfraudFix (by S!Ri) to your Desktop.

    Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

    Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

    http://www.beyondlogic.org/consulting/proc...processutil.htm


    IMPORTANT: Do NOT run any other options until you are asked to do so!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: coma computer

    This is my second message. Make sure you have followed the first procedure before doing the below.

    PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

    Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

    Reboot your computer into Safe Mode per the safe directions in the READ & RUN ME.

    Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
    You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

    The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

    Now reboot into normal mode and attach this new rapport.txt log here.

    Now also attach new logs from ShowNew and HJT!
     
  6. dsgaski

    dsgaski Private E-2

    *%#(%_)!@%&!)#%)_$%_@*!&_%)$*@

    [QUOTE]I'm going to post two messages! This is the first! Complete this procedure completely including attaching the requested log before doing the second procedure.[/quote]

    *($(_)#_+$Q)*$#*(%*()$%

    I can't believe I didn't do that. You, of course, know how I screwed this up. I ran the second procedure before sending the first rapport.txt file in a post. Then the first file was overwritten by the second procedure. My fault!

    I looked at the first file though, and it noted the now deleted file. There was some more stuff but I didn't get the impression it was critical. (Next time I restart my computer I'll probably blow the transformer down the street).

    After looking at the HijackThis.log I see I probably still have issues, (beyond not being able to follow directions).

    Anyway, the thing is gone and, chaslang, you are to thank.

    If there is a way to get the old file back and it is necessary, you'll have to tell me how to do it. But all appears well and fine and I do appreciate your help so very much. We 'dummies' (there are books written for us you know) need you good people to get us out of these jams we get ourselves in. I could go on and on here but without being able to give you a great big man-hug, well, bless you and yours.

    Again and again, thank-you.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    After clicking Fix, exit HJT.

    Other than those you are clean! Is everything working okay now?

    If you are not having any other malware problems, it is time to do our final steps:

    • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    • Then reboot and enable System Restore to create a new clean Restore Point.
    After doing the above, you should work through the below link:

     
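A small triage script, added here as an illustration and not part of this thread or of HijackThis itself, that parses HijackThis-style log lines such as the O21 SSODL entry in post 3 and the two O2 BHO entries above, flagging orphaned "(no file)" entries as low-risk registry leftovers and SSODL loaders as entries to verify. The sample lines are constructed from the entries quoted in the thread plus one made-up O4 line.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines modelled on the entries quoted in this thread
# (two orphaned BHOs, one SSODL loader) plus one made-up ordinary O4 Run entry.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O21 - SSODL: hydrodictyon - {b166be07-30a4-4d38-b781-44528a630706} - C:\\WINDOWS\\system32\\gqagksr.dll
O4 - HKLM\\..\\Run: [ExampleApp] C:\\Program Files\\Example\\example.exe
"""

# "O<n> - <kind>: <name> - <clsid> - <path>"; the kind may contain a registry path.
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Return (section, kind, name, clsid, path), or None for non-HJT lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    parts = [p.strip() for p in rest.split(" - ")]
    name = parts[0] if parts else ""
    clsid = next((p for p in parts if CLSID_RE.fullmatch(p)), "")
    path = parts[-1] if len(parts) > 1 else ""
    return section, kind, name, clsid, path


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Classify each line as (section + clsid, severity, reason)."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        section, _kind, name, clsid, path = parsed
        key = f"{section} {clsid or name}"
        if path == "(no file)":
            # The registry still references a file that no longer exists; fixing
            # the entry only removes the stale key, nothing runs from it.
            findings.append((key, "low", "orphaned entry, registry points at a missing file"))
        elif section == "O21":
            # ShellServiceObjectDelayLoad DLLs are loaded into explorer.exe at
            # logon, which is how the rogue in this thread kept its tray icon.
            findings.append((key, "high", f"SSODL loads {path} into the shell at logon; verify the DLL"))
    return findings
```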
  8. dsgaski

    dsgaski Private E-2

    Thanks so much for your patience and expertise. I followed the last details and this system is clean.

    I expected to have to do the whole reinstall of my system procedure but you saved me from that.

    I had to do it once before and it was easy except the files I saved to disc were encrypted and I don't know why or how so it was a brand new start. It was just the address book from OUTLOOK and there was a lot on it but I got back the ones from people as they sent me email and that cut it down to about a fifth the original size.

    I tried the algorithms I found in this system to see if I could read the disc with them applied one by one. No luck.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
