# So infected, can't even run Hijackthis!



## LANDROVER (Dec 31, 2005)

Hi there

I am dealing with a computer which is so infected that I can't even run Hijackthis! It originally gave me an error message (msvbvm60.dll missing) when I tried to run HJT but I have now downloaded the DLL file and saved it to windows/system. However, Hijackthis, Killbot, CWShredder and many other programmes close down a few seconds after I open them. Even task manager stays open for just a few seconds before closing.

I can't install Ewido, TM PC-cillin etc, as they cut out a few seconds into installation. I can't even do a TM Housecall scan, as IE closes after a few seconds. Oddly enough, I could install Spybot and download updates, but it finds no malware! I was also able to install and run Cleanup.

I have attached screen shots of task manager processes running, in case this helps. It took some fancy fingerwork and a number of tries to get these before task manager closed!

Is there any way forward, other than reformatting the hard drive?

I am emailing from another machine.

Thanks
Landrover


----------



## Guest (Oct 4, 2006)

Restart, keep pressing F8 until it gives you a list of booting options. Boot in Safe Mode, then run HijackThis & post a log.
NOTE: in regular Safe Mode you can not connect to the internet, so if you have a different computer & a flash disk then put the log on the flash disk, go to the other computer & post it from there. Or else boot into Safe Mode with Networking, but first try the first option.

hope this helps


----------



## LANDROVER (Dec 31, 2005)

Hi Abustiaf

Rebooted in safe mode, but still no joy. Both Hijackthis and CWShredder just close/disappear after a few seconds.

???


----------



## Guest (Oct 4, 2006)

In Safe Mode, please post another pic of the Task Manager.


----------



## LANDROVER (Dec 31, 2005)

Task manager is disappearing too quickly now for me to get a screen shot. However, I ran Combofix and saved the log file to my flashdrive. When I plugged it into this computer, I scanned it with Ewido and AVG. Ewido found Trojan.Disabler and AVG found I-Worm/Brontrok. I cleaned/deleted the infected files. At least we now have some idea of what we are dealing with!

Where to now?


----------



## Guest (Oct 5, 2006)

Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a folder named *SmitfraudFix*) to your Desktop.

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present). We'll get them next step.
Please copy/paste the content of that report into your next reply.

instructions for smitfraudfix: http://siri.geekstogo.com/SmitfraudFix.php


----------



## LANDROVER (Dec 31, 2005)

I tried, but like so many other programmes, SmitfraudFix closes as soon as I open it, before I can do anything. These viruses keep shutting down whatever I open!!

rrrggggghhh!


----------



## Guest (Oct 5, 2006)

Are you *SURE* you are in Safe Mode? How did you open ComboFix? Can you post the log from it?


----------



## LANDROVER (Dec 31, 2005)

Absolutely sure. The screen background is black and the icons are extra big and coarse resolution - definitely in Safe Mode (pressed F8 when I booted and chose Safe Mode). However, I loaded SmitfraudFix while in Safe Mode - perhaps I should reboot in Safe Mode again?

Anyhow, here is the ComboFix log. Not sure why it was not shut down.

***************

wits - 06-10-05 11:05:07.46 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Program Files"

((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))

2006-09-25	10:47	10,240	--a------	C:\WINDOWS\system32\rundll.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-05 10:28	45120	-r-hs----	C:\WINDOWS\o4461827.exe
2006-10-05 10:28	45120	-r-hs----	C:\WINDOWS\j6461822.exe
2006-10-05 10:28	45120	-r-hs----	C:\WINDOWS\_default46182.pif
2006-10-05 10:28	45120	--a------	C:\WINDOWS\system32\c_46182k.com
2006-10-05 09:49	342656	--a------	C:\Program Files\shisa.exe.exe
2006-10-05 08:44	105984	--a------	C:\Program Files\something.exe.exe
2006-10-05 07:53	276526	--a------	C:\Program Files\combofix.exe
2006-10-04 17:54	--------	d--------	C:\Program Files\Windows Media Player
2006-10-04 11:26	--------	d--------	C:\Program Files\kazaabegone
2006-10-04 11:14	42840	--a------	C:\Program Files\kazaabegone.zip
2006-10-04 11:13	161714	--a------	C:\Program Files\startuplist.zip
2006-10-04 11:10	532480	--a------	C:\Program Files\cwshredder.exe
2006-10-04 10:53	--------	d--h-----	C:\Program Files\InstallShield Installation Information
2006-10-04 10:53	--------	d--------	C:\Program Files\SoftwareDoctor
2006-10-04 10:51	--------	d--------	C:\Program Files\AnVir Virus Destroyer
2006-10-04 10:41	311682	--a------	C:\Program Files\anvirstp.exe
2006-10-02 14:43	6020448	--a------	C:\Program Files\Ewido.exe.exe
2006-10-02 14:11	46667672	--a------	C:\Program Files\PCcillin.exe.exe
2006-10-02 10:03	339257	--a------	C:\Program Files\CleanUp452.exe
2006-10-02 08:43	335192	--a------	C:\Program Files\Autoruns.zip
2006-08-21 14:21	16896	--a------	C:\WINDOWS\system32\fltlib.dll
2006-08-21 11:14	23040	--a------	C:\WINDOWS\system32\fltmc.exe
2006-08-21 11:14	128896	--a------	C:\WINDOWS\system32\drivers\fltmgr.sys

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_0"
"y1530wit"="\"C:\\WINDOWS\\system32\\n4959\\sv71966630r.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="\"C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow"
"A7458r"="\"C:\\WINDOWS\\j6461822.exe\""
"RavAV"="C:\\WINDOWS\\RavMonE.exe"
"Update"="C:\\Program Files\\Common Files\\UPDATE2\\Update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"y3114SYS"="\"C:\\WINDOWS\\system32\\n8127\\sv711917030r.exe\""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"y3114SYS"="\"C:\\WINDOWS\\system32\\n8127\\sv711917030r.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"y1530wit"="\"C:\\Documents and Settings\\wits\\Local Settings\\Application Data\\dv696660x\\yesbron.com\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"A7458r"="\"C:\\WINDOWS\\_default46182.pif\""

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"y3114SYS"="\"C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\dv6191700x\\yesbron.com\""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools"=dword:00000001

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"y3114SYS"="\"C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\dv6191700x\\yesbron.com\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job

Completion time: Thu 10/05/2006 11:05:51.03 
ComboFix.txt
ComboFix2.txt


----------



## Guest (Oct 5, 2006)

I am better at HJT logs but here we go.

Create a folder on your desktop called "Malware" or something similar.
Move the first 6 files
(o4461827.exe
j6461822.exe
_default46182.pif
c_46182k.com
something.exe.exe)

under "Find3M Report",

also "yesbron.com", which is placed in (C:\Documents and Settings\LocalService\Local Settings\Application Data\dv6191700x\),

also "sv71966630r.exe", which is placed in (C:\WINDOWS\system32\n4959\),

to the "Malware" folder and add a ".bad" extension.

Reboot into Safe Mode, then try to open SmitfraudFix & HJT, then tell me what happens.

hope this helps


----------



## Cookiegal (Aug 27, 2003)

abustiaf,

You've been advised that you need to be qualified for malware removal before you can assist with security matters, which you acknowledge, yet you continue.

This is a final warning. If you continue despite the warnings your account will be disabled.


----------



## Cookiegal (Aug 27, 2003)

This worm has set policies to restrict the use of registry tools and to force other programs to run. Are you comfortable editing the registry manually?
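The policies Cookiegal refers to are visible in the "Reg Loading Points" section of the ComboFix log posted above: `DisableRegistryTools=dword:00000001` under `policies\system`, and `policies\explorer\run` values that make Explorer start the worm's copies at every logon. The following Python script is an added example, not part of the thread or of ComboFix, showing how a responder can parse that `.reg`-style section and flag such entries automatically. The sample input is a constructed excerpt copied from the log in this thread; the suspicion rules (policy-run entries, executables under a profile's Application Data, executables in a subfolder of system32, `.pif`/`.com` autorun entries, the registry-tools lockout) are this example's own heuristics, not a published detection signature.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key name path reason")

# Constructed sample: an excerpt of the "Reg Loading Points" block from the
# ComboFix log posted in this thread, in .reg escaping (\\ and \").
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"y1530wit"="\"C:\\WINDOWS\\system32\\n4959\\sv71966630r.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"A7458r"="\"C:\\WINDOWS\\j6461822.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"y1530wit"="\"C:\\Documents and Settings\\wits\\Local Settings\\Application Data\\dv696660x\\yesbron.com\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"A7458r"="\"C:\\WINDOWS\\_default46182.pif\""
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')
# First token that ends in an executable extension, optionally quoted,
# followed by whitespace (command-line arguments) or end of value.
EXE_RE = re.compile(r'^\s*"?([^"]+?\.(?:exe|com|pif|scr|bat|cmd))"?(?:\s|$)', re.I)


def parse_reg_dump(text):
    """Yield (key, value_name, raw_value) for every value line under a [key] header."""
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def decode_reg_string(raw):
    """Undo .reg string escaping ("..." with \\ and \"); None for dword:/hex: values."""
    if not (raw.startswith('"') and raw.endswith('"')):
        return None
    s, out, i = raw[1:-1], [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):   # escaped backslash or quote
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def executable_path(value):
    """Strip quoting and arguments from a Run-style command line, leaving the program path."""
    m = EXE_RE.match(value)
    return m.group(1) if m else value.strip().strip('"')


def assess(key, name, path):
    """Heuristic reasons (this example's own) why an autorun entry deserves a look."""
    k, p, reasons = key.lower(), path.lower(), []
    if '\\policies\\explorer\\run' in k:
        reasons.append('program forced to run by Explorer policy')
    if '\\application data\\' in p:
        reasons.append('launches from a user profile data folder')
    if re.search(r'\\system32\\[^\\]+\\', p):   # system32\<dir>\file, unusual for Run entries
        reasons.append('launches from a subfolder of system32')
    if p.endswith(('.pif', '.com')):
        reasons.append('unusual executable extension for an autorun entry')
    return reasons


def analyze(text):
    """Return Findings for lockout policies and suspicious Run / policies\\explorer\\run entries."""
    findings = []
    for key, name, raw in parse_reg_dump(text):
        if name.lower() == 'disableregistrytools' and raw.lower() == 'dword:00000001':
            findings.append(Finding(key, name, raw, 'registry editing disabled by policy'))
            continue
        if not key.lower().endswith('\\run'):      # only Run and policies\explorer\run keys
            continue
        value = decode_reg_string(raw)
        if value is None:
            continue
        path = executable_path(value)
        for reason in assess(key, name, path):
            findings.append(Finding(key, name, path, reason))
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f'{f.reason}: [{f.key}] "{f.name}" -> {f.path}')
```

Run against the excerpt, the script reports the registry-tools lockout, the `sv71966630r.exe` copy hidden in a system32 subfolder, and both `policies\explorer\run` entries (`yesbron.com` under the user's Application Data, `_default46182.pif` in the Windows folder), which is exactly the set a responder would hand-edit or rename once registry editing is restored. The `RavAV` and `j6461822.exe` Run entries are not flagged, because these rules only look at location and extension; a real triage would also check file hashes and signatures.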


----------

