# Need help got "PornHub" virus



## giuliopulina (Jul 9, 2010)

Hi, I have the same virus described in 
http://forums.techguy.org/virus-other-malware-removal/931410-need-help-remove-virus.html
and
http://forums.techguy.org/virus-other-malware-removal/933204-need-help-got-virus.html.
The pc infected has Windows Vista installed and its brand is HP.

Thanks in advance
Giulio


----------



## NeonFx (Oct 22, 2008)

Hello there  Welcome to the TSG Forums. 
My name is *NeonFx*. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

The fixes are specific to your problem and should only be used on this machine.
Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please refrain from doing any fixing of your own while I am assisting you with this problem. I need to keep track of what is going on as the order in which we do things can often be important.
If this is a company owned system or a work computer let me know.
Please reply to this thread. Do not start a new topic.

*Step 1*

Download *OTS* to your Desktop


Close *ALL OTHER PROGRAMS*.
Double-click on *OTS.exe* to start the program.
Check the box that says *Scan All Users*
Under Basic Scans please change the radio button under *Registry* from Safe List to *All*.
Under Additional Scans check the following:
Reg - Desktop Components
Reg - Disabled MS Config Items
Reg - NetSvcs
Reg - Shell Spawning
Reg - Uninstall List
File - Lop Check
File - Purity Scan
Evnt - EvtViewer (last 10)

Please paste the contents of the following codebox into the *Custom Scans* box at the bottom


```
%SYSTEMDRIVE%\*.*
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.dat
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
```

Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete *Notepad* will open with the report file loaded in it.
Click the *Format* menu and make sure that *Wordwrap* is not checked. If it is then click on it to uncheck it.
Please *attach* the log in your next post. To do so click on the blue *"Reply"* button or *"Go Advanced"* and click on the "*Manage Attachments*" button

*Step 2*








*GMER Rootkit Scanner* 
Please download *GMER* from one of the following locations and save it to your desktop:
Main Mirror
_This version will download a randomly named file (Recommended)_
Zipped Mirror
_This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop._

Disconnect from the Internet and close all running programs. Make sure you disable your security programs as well, as they may interfere with the program. 
Double-click on the *randomly named* GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
_Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe._










GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. _(do not use the computer while the scan is in progress)_
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click *NO*.
Now click the *Scan* button. If you see a rootkit warning window, click OK.
When the scan is finished, click the *Save...* button to save the scan results to your Desktop. Save the file as *gmer.log*.
Click the *Copy* button and paste the results into your next reply.
Exit GMER and re-enable your security programs when done.

If you have trouble running GMER, please try running it in Safe Mode. To get to Safe Mode you'll need to repeatedly tap the F8 key on your keyboard as you turn your computer on until a black and white menu appears with the option.

If you continue to have trouble with it, try running it without the "Files" scan checked.

Again, if the results are really long, please *attach* them using the instructions I gave you at the end of step 1. This is to avoid having to scroll down the page too much and make the space cleaner.


----------



## giuliopulina (Jul 9, 2010)

Hi, thanks for the reply!
I found by myself that the virus was bldjad.exe, and i removed it from this pc. 
I did a complete scan with malwarebytes and avira and i have no more virus, a part some game.adware that I can't remove because pc is not mine 
However, after that, i did a scan with OTS (log attached). Gmer caused me some problems because, when running, I get blue screen from windows ( i tried 3 times, even in safe mode).

Bye
Giulio


----------



## NeonFx (Oct 22, 2008)

Could you run this program instead for me? GMER is the best antirootkit we have but it can be delicate. If anything at all interrupts it, it will make Windows crash.

Download *RootRepeal* from one of the following locations and save it to your desktop:
*Link 1*
*Link 2*
*Link 3*​
Double click







to start the program
Click on the *Report* tab at the bottom of the program window
Click the







button
In the *Select Scan* dialog, check:
*Drivers*
*Files*
*Processes*
*SSDT*
*Stealth Objects*
*Hidden Services*
*Shadow SSDT*

Click the *OK* button
In the next dialog, select *all drives* showing
Click *OK* to start the scan _Note: The scan can take some time. *DO NOT* run any other programs while the scan is running_​
When the scan is complete, click the







button and save the report to your Desktop as *RootRepeal.txt*
Go to *File*, then *Exit* to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. *If the report is very long*, it will not be complete if you post it, so please *attach* it to your reply instead.


----------



## giuliopulina (Jul 9, 2010)

HI, I tried the scan with rootrepeal but it stopped on the "Files" tab with the message "Could not read our index block".
However, I think that the pc is clean, and that you can close this topic, so I can leave more space to someone who needs help more than me.
Thanks for the help 

Giulio


----------



## NeonFx (Oct 22, 2008)

I would be glad to go over your computer for infections, don't worry. There still might be something lurking under the hood.

If you do want to end this here, feel free to mark it as Solved by clicking on the button at the top of this page.

Please try running this tool instead:

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the *Sysprot.exe* program.


Click on the *Log* tab.
In the *Write to* log box select *All* items.
Place a checkmark next to *Hidden Objects Only*
Click on the *Create Log* button on the bottom right.
After a few seconds a new Window should appear.
Make sure *Scan all drives* is selected and click on the Start button. 
_(Unless you have a floppy drive. In this case, please use "Scan Root Drive Only" and press Start)_
 When it is complete a new Window will appear to indicate that the scan is finished.
 The log will be created and saved automatically in the same folder. *Open the text file* and copy/paste the log here.


----------



## giuliopulina (Jul 9, 2010)

Thanks, the scan with sysprot was successful. I did it two times, because i didn't run it as administrator the first time  (Can this be the cause of the precedent failed attempts with other antirootkits?)
Log is attached below.
Thanks again!

Giulio


----------



## NeonFx (Oct 22, 2008)

Please do this for me:

*NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.*

Download ComboFix from one of these locations:

*Link 1*
*Link 2*

** IMPORTANT !!! Save ComboFix.exe to your Desktop*


*Disable your AntiVirus and AntiSpyware applications*, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. *Note*: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : *Disabling Security Programs*
Double click on ComboFix.exe & follow the prompts.

*Note:* Combofix will run without the Recovery Console installed.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.








Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:










Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply.

*Notes:*

1.* Do not mouse-click Combofix's window while it is running. That may cause it to stall.*
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of *ALL* CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. A increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea. 
4. *CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.*


----------



## giuliopulina (Jul 9, 2010)

Sorry, I don't have this pc anymore. My girlfriend's father needed it 
Thanks again for the help!

Giulio


----------



## NeonFx (Oct 22, 2008)

That's fine  Thanks for letting me know.


----------

