Got A Virus


This topic is locked
4 replies to this topic

#1 sandorman

sandorman

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 09 September 2008 - 10:54 AM

Ok, I have a nasty virus on my computer - which I have almost completely eliminated with combofix, but I see with hijackthis that there is one last trace left and it's always running so I can't destroy it. It's called iiFwxXQg.dll in windows/system32. I know you're all about to ask me to post logs but I REALLY don't want to turn that computer back on since I am reasonably confident that the file and the entry in the registry that makes it start up when the computer starts up are all that are left, and I don't know what it will do if I turn the computer back on (to show you the logfiles) and I don't want to risk it. I know that hijackthis classified that process in the same category as winlogon and it was the ONLY thing alongside winlogon. I bought a hard drive enclosure yesterday, hoping that I could access the hard drive with my laptop but apparently because it's a multipartition drive it won't work with that. Nor will any of my OLDER (120 MHz era) computers acknowledge the existence of the drive when I try to use it as a slave. Or rather, one of them does - and it refuses to even boot up with it there as a slave.

I do however have the virus on my external hard drive in a contained form (winrared) if anyone wants it to look at or something, maybe the people who made and improve combofix so that they can make it able to destroy the rat entirely. It's an e-book called "asteroids, comets, and meteors". You can extract the files but do NOT run the password generator to extract the locked rar file within the rar file. I don't know if it's a real book within that or it's just more of the virus or what, but it's the password generator program which put the virus on my computer - I know because as soon as I ran it and it told me the password was BOOGER suddenly my computer started telling me "should I allow these changes to the registry" and I kept telling it no. But apparently Spybot teatimer didn't stop all of them, because I certainly never answered yes to any of them but there it was on my computer. Someone please suggest what I should do.

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,121 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:10 AM

Posted 10 September 2008 - 10:47 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#3 sandorman

sandorman
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 12 September 2008 - 12:42 PM

I'm really, really not interested in your favorite spyware/antivirus program. If combofix won't kill it, then what I need is something designed to take out this particularly or particular advice for this particular virus. People will tell me "oh, use spyware doctor, it's great", "superantispyware is all you need", or "spybot search and destroy is the way to go", but I am absolutely certain they won't get rid of it - they're at best capable of stopping it in the first place, and they certainly failed in that. Did I mention it made it by spybot teatimer and superantispyware while they were running?

I also see I was wrong, combofix DIDN'T get rid of everything except iiFwxXQg.dll. It left a bunch of stuff. Particularly this wpa thing. I can actually delete the iiFwxXQg entries from the registry, but not the wpa ones - and the iiFwxXQg entries are back when the computer is restarted. Also, it did a nice little rude trick on me since last time. Now any time I start up windows in regular mode, it insists I have not registered windows with Microsoft and insists I call up microsoft, give them a code and get an activation code again. Then when it's actually running, it very strongly tries to persuade me to connect to the internet (I have that cable firmly uprooted from the back of the cable and it is NOT going back in) - I have a feeling the virus is trying to connect to the internet to download its components that I was able to remove successfully. It doesn't normally actually TELL me in a popup window that the internet connection is gone and ask me if I want to connect or work in offline mode - it just has a "network cable unplugged" in the bottom right corner. But when I start in windows safe mode, it doesn't require that I reregister windows, it's only normal mode. From the combofix log. Everything on this list from September 4 through 2 am on September 5 is a part of the virus, by the way. Everything else is legitimate stuff.

((((((((((((((((((((((((( Files Created from 2008-08-11 to 2008-09-11 )))))))))))))))))))))))))))))))
.

2008-09-10 23:44 . 2008-09-10 23:44 2,364 --a------ C:\WINDOWS\system32\wpa.bak
2008-09-10 23:37 . 2008-09-10 23:44 2,364 --a------ C:\WINDOWS\system32\wpa.dbl
2008-09-05 06:09 . 2008-09-05 06:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-09-05 06:02 . 2008-09-05 06:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-09-05 06:01 . 2007-10-05 13:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-09-05 06:01 . 2008-09-05 06:01 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-05 05:56 . 2008-09-05 10:39 6,995 --a------ C:\1.nri
2008-09-05 01:18 . 2008-09-05 01:18 34,176 --a------ C:\WINDOWS\system32\iiFwxXQg.dll
2008-09-05 01:17 . 2008-09-04 19:51 86,016 --a------ C:\WINDOWS\sxmaokgf.exe
2008-09-04 21:59 . 2008-09-04 21:59 264,629 --a------ C:\WINDOWS\version.exe
2008-08-29 10:43 . 2008-08-29 10:43 <DIR> d-------- C:\Program Files\Common Files\Bcgsoft
2008-08-29 10:43 . 2008-08-29 10:43 <DIR> d-------- C:\Documents and Settings\User\Application Data\Global Forex Trading
2008-08-29 10:34 . 2008-08-29 10:34 <DIR> d-------- C:\Program Files\DealBook 360
2008-08-29 10:34 . 2008-08-29 10:34 <DIR> d-------- C:\Documents and Settings\User\Application Data\InstallShield Installation Information
2008-08-18 19:29 . 2008-08-18 19:29 <DIR> d-------- C:\Program Files\Wisdom-soft AutoScreenRecorder Free
2008-08-18 10:47 . 2008-08-18 10:53 9,624,587 --a------ C:\creationistsilliness3.mp4
2008-08-18 10:28 . 2008-08-18 10:45 25,219,690 --a------ C:\creationistsilliness2.mp4
2008-08-18 10:20 . 2008-08-18 10:26 8,898,985 --a------ C:\creationistsilliness1.mp4
2008-08-12 08:43 . 2008-08-12 08:43 <DIR> d-------- C:\Program Files\DVD Decrypter

.
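The "Files Created" section quoted above is a plain timeline: creation time, last-modified time, size (or <DIR>), an attribute string and the path. The poster's own triage rule is "everything created between September 4 and 2 am on September 5 belongs to the infection". The following is an added example, not code from this thread or from the ComboFix author, that parses lines in exactly the format shown here and applies that time window. It also goes one step beyond the poster's rule with a general timeline heuristic: on NTFS a file that is copied into place keeps its old modification time but gets a fresh creation time, so an entry whose modified time precedes its created time was dropped there from elsewhere (sxmaokgf.exe in this log). The line format, the window boundaries and the sample lines (copied from the post) are assumptions of the example; wpa.dbl and wpa.bak are the Windows XP product-activation files, which is consistent with the reactivation prompt the poster describes, so they are flagged as expected rather than as malware.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the ComboFix log quoted in this thread.
SAMPLE_LOG = r"""
2008-09-10 23:44 . 2008-09-10 23:44 2,364 --a------ C:\WINDOWS\system32\wpa.bak
2008-09-10 23:37 . 2008-09-10 23:44 2,364 --a------ C:\WINDOWS\system32\wpa.dbl
2008-09-05 06:09 . 2008-09-05 06:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-09-05 05:56 . 2008-09-05 10:39 6,995 --a------ C:\1.nri
2008-09-05 01:18 . 2008-09-05 01:18 34,176 --a------ C:\WINDOWS\system32\iiFwxXQg.dll
2008-09-05 01:17 . 2008-09-04 19:51 86,016 --a------ C:\WINDOWS\sxmaokgf.exe
2008-09-04 21:59 . 2008-09-04 21:59 264,629 --a------ C:\WINDOWS\version.exe
2008-08-29 10:43 . 2008-08-29 10:43 <DIR> d-------- C:\Program Files\Common Files\Bcgsoft
"""

# One "Files Created" line: <created> . <modified> <size|<DIR>> <9 attr chars> <path>
# (format assumed from the lines in this thread; other ComboFix sections differ).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$"
)
TS_FMT = "%Y-%m-%d %H:%M"


def parse_log(text):
    """Parse the Files Created section into a list of dicts, skipping non-matching lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines and "." separators
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, TS_FMT),
            "modified": datetime.strptime(modified, TS_FMT),
            "is_dir": size == "<DIR>",
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
        })
    return entries


def created_between(entries, start, end):
    """Paths of non-directory entries created in [start, end], oldest first.
    start/end are strings in the log's own 'YYYY-MM-DD HH:MM' format."""
    lo, hi = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    hits = [e for e in entries if not e["is_dir"] and lo <= e["created"] <= hi]
    return [e["path"] for e in sorted(hits, key=lambda e: e["created"])]


def backdated_files(entries):
    """Files whose modification time precedes their creation time: the content
    existed before the file appeared at this path, i.e. it was copied or dropped here."""
    return [e["path"] for e in entries
            if not e["is_dir"] and e["modified"] < e["created"]]


def activation_files(entries):
    """Windows XP product-activation store (wpa.dbl and its backup); a fresh
    timestamp here matches a reactivation prompt, not necessarily a dropped file."""
    return [e["path"] for e in entries
            if e["path"].lower().endswith((r"\wpa.dbl", r"\wpa.bak"))]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("created in the poster's window:")
    for p in created_between(log, "2008-09-04 00:00", "2008-09-05 02:00"):
        print("  ", p)
    print("copied into place (modified < created):", backdated_files(log))
    print("activation store touched:", activation_files(log))
```

Run as a script it prints the three files in the poster's window (version.exe, sxmaokgf.exe, iiFwxXQg.dll), singles out sxmaokgf.exe as copied into place, and lists the two wpa files separately. Two files created within a minute of each other under C:\WINDOWS with random-looking names is the pattern that would make an analyst ask for the full log rather than delete entries by hand, which is the point of the moderator's reply.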

#4 sandorman

sandorman
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:10 AM

Posted 12 September 2008 - 12:47 PM

Well, no, I guess not everything is legitimate. The 1.nri was the DVD I set burning when I went to bed that night, but it looks like it may be that EVERYTHING from Sept. 4 and 5 and indeed Sept. 10 is part of the virus. It says Sept. 10 because I'd remove it and it would come back....

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,121 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:10 AM

Posted 12 September 2008 - 03:40 PM

Please note the message text in blue at the top of this forum.

ComboFix logs should not be posted outside the HijackThis forums and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

I'm really, really not interested in your favorite spyware/antivirus program. If combofix won't kill it, then what I need is something designed to take out this particularly or particular advice for this particular virus

I made no mention of a favorite spyware/antivirus program. I was providing advice on how to deal with your issues.

Since you chose not to follow that advice and posted a ComboFix log instead, we cannot continue here.

If you want further assistance, please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 9 there are instructions for downloading the HijackThis Installer and creating a log. This is an automatic setup version which will install the program in the proper location.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. You may also post your combofix log there as that is the proper forum for them.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

This topic is now closed. If you have any questions, please PM me or another Moderator.