ameeeeeee

Need help with virus - keeps coming back!

Tonight my computer wouldn't stop running, clicking, whatever... I did a scan (after downloading updates) and it found several Trojans... I didn't think to copy them all down because I've never had a problem with the software not removing everything before... Anyway, when I rebooted (as it told me I needed to), the same pop-up window appeared (about ActiveX), it wouldn't let me access the internet via Firefox -- I was able to access via IE, BUT it kept taking me to a 'Jump' page to buy some sort of anti-virus software (that seems suspect!). Anyway, when I scanned again, same trojans showed up... Rebooted with same results again... In safe mode (did this through SAS) the trojans are not showing up in a scan.

Please tell me what to do... I work from home on this computer -- I can't keep it in safe mode all the time -- I can't access my work files!! Help, please!!

Ameeeeeee

Would you please copy/paste back here the SAS scan log that shows the infections being found and quarantined. Also what Windows Operating System are you running and is it a 32-bit or 64-bit version?

I can't post a copy of the SAS scan log because when I scanned in safe mode, it didn't find anything... The virus keeps freezing SAS if I don't reboot in safe mode...

How do I know if it's 32-bit or 64-bit? Where do I look? Sorry, my tech knowledge is minimal...

A technical friend told me to try and 'restore' my computer to a previous date... I tried several dates in the last two weeks, but it kept saying it could not restore to that date and no changes were made... I'm now trying to restore to March 5th... It started the restore process about 4 hours ago and I'm still looking at a black screen with an arrow (the light on the tower is blinking)... Not sure what I should do from that point (as I'd like to try and run another scan to send you the log)... Can I just shut the computer off and try again?

I'm on a different computer now, hoping to figure out a solution before long -- I really can't afford to take another day off of work because of this :( Can you help?

Attempting a system restore on an infected system isn't recommended. The restore points are often infected as well, and you'll re-infect the computer or cause it to not start. At this point, your system restore isn't working, so you have no choice but to turn off the computer by holding down the power button.

If the computer starts following that, click on your "start" circle or Windows icon in the bottom left, right-click on Computer or My Computer, and choose Properties. The Properties screen will show the version of Windows, and if it's 32 bit or 64 bit. If it doesn't show 32 or 64, then it's a 32 bit version of Windows. Please post that info.

You don't need to run a scan to post the scan log. The log(s) can be found in SAS's Preferences-->Statistics/Logs. In your next reply, copy and paste the whole log that shows the infections that were removed.

Edit to prior post:

Since you mentioned that you updated SAS before running it, and you need the computer disinfected ASAP for work purposes, then do the following:

Download ComboFix from here:

http://www.bleepingcomputer.com/download/anti-virus/combofix

Boot into Safe Mode With Networking and run ComboFix. If you're prompted to update ComboFix or the Recovery Console, then do so. If you get a message that your antivirus is running, click to ignore the message and proceed with ComboFix. Once the program begins the disinfection, don't touch the computer until the ComboFix log appears (usually within 20 minutes). The only exception to not touching the computer is if ComboFix needs to restart the computer and you have to click on your login name.

Once the ComboFix log appears, close it, and IE should be fine.

Note to other members: Yes, CF is now compatible with Vista/7/32/64

Hello, thanks for posting the info in how to find this -- I learned something new about the logs :)

It appears that it's 32-bit (it didn't say either)

Here is a copy of the log from last night:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 03/23/2011 at 11:29 PM

Application Version : 4.50.1002
Core Rules Database Version : 6666
Trace Rules Database Version: 3728

Scan type : Quick Scan
Total Scan Time : 00:16:19

Memory items scanned : 737
Memory threats detected : 0
Registry items scanned : 2069
Registry threats detected : 1
File items scanned : 7204
File threats detected : 9

Trojan.Agent/Gen-AdsBrite
[tukdtjsr] C:\WINDOWS\SYSTEM32\TUKDTJSR.EXE
C:\WINDOWS\SYSTEM32\TUKDTJSR.EXE
C:\WINDOWS\Prefetch\TUKDTJSR.EXE-1847591A.pf

Adware.Tracking Cookie
C:\Documents and Settings\Brea\Cookies\brea@doubleclick[1].txt
www.webhostrevenue.com [ C:\Documents and Settings\Brea\Application Data\Macromedia\Flash Player\#SharedObjects\JX365UUV ]
C:\Documents and Settings\NetworkService\Cookies\system@clicks.fastgetonline[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@oddcast[1].txt

Trojan.Agent/Gen
C:\WINDOWS\SYSTEM32\DGJASR46W.EXE
C:\WINDOWS\Prefetch\DGJASR46W.EXE-02E8F278.pf

Trojan.Agent/Gen-Virut
C:\WINDOWS\SYSTEM32\SERVICE.SYS

***To update, a tech assistant from work had me boot up in safe mode and download MBAM and run the full scan while in safe mode. After the scan finished (and found a lot of what is posted above again), it rebooted. Everything appeared to be clear (don't see the dgjasr46w.exe or tukdtjsr.exe showing up in Windows Task Manager). However, about 15 minutes after I opened Mozilla, I got another pop-up box (the same as the first one I saw last night) -- I have NOT clicked on anything on it or tried to X out of it since I'm not sure what to do... The box looks like a Windows Message (exactly) and says:

Generic Host Process for Win32 Services

Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.

If you were in the middle of something, the information you were working on might be lost.

Please tell Microsoft about this problem.

We have created an error report that you can send to help us improve Generic Host Process for Win32 Services. We will treat this report as confidential and anonymous.

To see what data this error report contains, click here (***THIS IS A BLUE LINK***)

There are THREE clickable boxes across the bottom... Debug, Send Error Report, Don't Send

Based on what happened to me last night -- If you click to see what the error report contains, it does show you something similar to what Windows Messaging would actually show you... If you click Send Error Report, the little 'connecting to server' box shows as well (just as if you were really sending the report).

Since I have not clicked anything on the box (it's just still floating around on my screen), nothing has shown up in my Task Manager still and my computer seems to be running normally.

Any and all help is greatly appreciated. I sincerely appreciate you taking the time to help me (and explain things for me). Thank you.

By the way, I do have the log for the SAS scan run in safe mode last night too -- But nothing was found. Let me know if you need that as well.

You're welcome.

Go ahead and restart the computer. Is everything fine now?

Also, you should purge the system restore points. I'll post the instructions for that when you let me know what version of Windows you use. Example, XP, Vista, Windows 7?

Seth,

Other than that pop-up box that came up (see my post above UNDER where the scan log is), it seems okay... It's already been restarted (that's when the pop-up came)... Should I restart again? What should I do about that pop up? Any ideas?

I have XP on this computer...

Additionally, since I said something about the restore earlier, no changes were made to the computer in the restore (at least that's what the computer said)... There was only a message that it could not be restored to the date I selected.

Thanks again. :)

No need to restart again, but you should purge the restore points, as they are infected/corrupt:

To clear existing restore points:

1. Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.

2. Click to add a check mark beside Turn off System Restore on all Drives, and click Apply.

3. When you are warned that all existing Restore Points will be deleted, click Yes to continue.

All system restore points are deleted. Now you should manually create a restore point.

1. Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.

2. Click Create a Restore Point, and then click Next.

Post back if that Win32 error appears again.

2. Click to add a check mark beside Turn off System Restore on all Drives, and click Apply.

I did not have an option for this??? Step one worked. My choices were on the left side 'System Restore Settings' (a link) and on the right side 'Restore my computer to an earlier time' OR 'Create a restore point'

My mistake.

Click on "System Restore Settings" and you'll see the option to turn off system restore. Once it's off, turn it back on.

Ok. That worked. Then I turned it back on and clicked apply (that's correct, right?). I did not Create a new point though. Still do that? Or I'm good?

BTW, Mozilla crashed and I had to shut down... Of course, it wouldn't restart... I had to manually turn it off and then back on... Since then, it seems like everything has cleared up... I did, however, get redirected to Firefox when I opened my browser to upgrade to Firefox 4... Is this whole virus thing a Firefox problem??? Or are IE users experiencing it too?

You're good for the restore points now.

Go ahead and upgrade Firefox. The upgrade will take you to the Firefox site as you noted.

Lol. You're welcome.

Feel free to ask if you need further help.

Boo hoo... I'm already back :(

I updated Firefox as suggested. I'm still getting that Generic Host pop-up. I'm still getting new tabs open for surveys and garbage when my browser is open. I'm still being redirected from the search page (when I put in SAS, the search page shows you guys, but I'm being redirected to stopzilla)... Ran another scan (details below). Rebooted as suggested... Same problems all over. PLEASE HELP!! Thank you. :)

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 03/25/2011 at 09:49 AM

Application Version : 4.50.1002
Core Rules Database Version : 6666
Trace Rules Database Version: 3728

Scan type : Quick Scan
Total Scan Time : 00:13:44

Memory items scanned : 685
Memory threats detected : 1
Registry items scanned : 2084
Registry threats detected : 5
File items scanned : 7248
File threats detected : 99

Trojan.Agent/Gen-Downloader[FakeSoft]
C:\WINDOWS\SYSTEM32\ITLNFW32.DLL
C:\WINDOWS\SYSTEM32\ITLNFW32.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\itlnfw32
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\itlntfy

Adware.Tracking Cookie


Trojan.Hugipon
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters#ServiceDll

Malware.Trace
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon#Taskman

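The second log above is what explains the "keeps coming back" symptom: besides files on disk, SAS found entries in Winlogon\Notify, Winlogon#Taskman and a service's Parameters#ServiceDll, all of which Windows consults at boot or logon. The following is an added example, not code from the thread or from SUPERAntiSpyware: a small parser for this log format that groups detections by family and flags the ones sitting in auto-start locations. The family-name prefixes and the persistence pattern list are my own assumptions, and the embedded log is a constructed, shortened copy of the one posted.

```python
# Added example (not from the forum thread): parse a SUPERAntiSpyware scan
# log, group detections by family and flag registry auto-start locations.
import re

# Constructed sample modelled on the log posted in the thread (shortened).
SAMPLE_LOG = """SUPERAntiSpyware Scan Log
Generated 03/25/2011 at 09:49 AM
Scan type : Quick Scan
Memory threats detected : 1
Registry threats detected : 5
File threats detected : 99

Trojan.Agent/Gen-Downloader[FakeSoft]
C:\\WINDOWS\\SYSTEM32\\ITLNFW32.DLL
Software\\Microsoft\\Windows NT\\CurrentVersion\\WinLogon\\Notify\\itlnfw32

Adware.Tracking Cookie
C:\\Documents and Settings\\Brea\\Cookies\\brea@doubleclick[1].txt

Trojan.Hugipon
HKLM\\System\\CURRENTCONTROLSET\\SERVICES\\6TO4\\Parameters#ServiceDll

Malware.Trace
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon#Taskman
"""

# Registry locations Windows reads at boot/logon (assumed list, lower-case
# regexes). A detection here is re-launched on every start, so a scan that
# removes only the file on disk leaves the reinfection path in place.
PERSISTENCE_PATTERNS = [
    (r"winlogon\\notify\\", "Winlogon notification package DLL"),
    (r"winlogon#taskman", "Winlogon Taskman override"),
    (r"winlogon#shell", "Winlogon Shell replacement"),
    (r"services\\[^\\]+\\parameters#servicedll", "Service DLL replacement"),
    (r"currentversion\\run", "Run/RunOnce key"),
]

# Family lines are bare names such as 'Trojan.Hugipon' (assumed prefixes).
FAMILY_RE = re.compile(r"^(Trojan|Adware|Malware|Rootkit|Spyware|PUP)\.\S+")


def parse_sas_log(text):
    """Return {family: [detection lines]} from a SAS log body.

    Statistic lines carry ': ' (e.g. 'File threats detected : 99'), which
    never appears in a Windows path ('C:\\' has no space after the colon),
    so they and the banner lines are skipped; every other non-blank line
    belongs to the most recent family heading.
    """
    families = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ": " in line:
            continue
        if line.startswith(("SUPERAntiSpyware", "Generated", "http")):
            continue
        if FAMILY_RE.match(line):
            current = line
            families.setdefault(current, [])
        elif current is not None:
            families[current].append(line)
    return families


def find_persistence(families):
    """Return (family, item, description) for items in auto-start locations."""
    hits = []
    for family, items in families.items():
        for item in items:
            low = item.lower()
            for pattern, desc in PERSISTENCE_PATTERNS:
                if re.search(pattern, low):
                    hits.append((family, item, desc))
                    break
    return hits


if __name__ == "__main__":
    fams = parse_sas_log(SAMPLE_LOG)
    for fam, items in fams.items():
        print(f"{fam}: {len(items)} item(s)")
    for fam, item, desc in find_persistence(fams):
        print(f"  persistence [{desc}] {fam} -> {item}")
```

Run against a full log pasted into SAMPLE_LOG, the persistence hits are the entries worth checking again after the next reboot, since cookies and prefetch files do not bring an infection back.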
I figured that might happen.

Follow my instructions from post #5

I figured you might say that :)

So I already tried to get to that site, and I feel like it's doing the JUMP thing -- taking me to a 'revival' software site... Is there any way you can post the ACTUAL download link? It seems that when I type in exactly where I want to go, it's not redirecting... I started a download from the download link #1 on the site it took me to, but I did NOT run it (cuz it said the publisher was unknown AND it asked me what program to open it with)... I'm sure you can understand why I'm feeling a little sketchy...

Since my last post, I HAVE rebooted in safe, downloaded updates for SAS, and run another scan (which it is showing as clear)... Any chance it's nabbed it all yet?

If you're getting browser re-directs, then an infection is still present.

To be clear, you downloaded the file combofix.exe, correct? If so, attempt to run it via "Safe Mode With Networking".

Yes, the file I downloaded was named combofix.exe

To update (cuz I checked after I posted last)... I am NOT getting redirects right now... I just tried several times, no redirects... I was able to click on the link I wanted and go to the right page.

I DID download the UPDATES from TODAY for SAS while in safe mode... so maybe, hopefully, please, it's all clear?

If your suggestion is still to run combofix, I will -- Just want to make sure I'm not going to mess anything up any further. :)

If you're no longer getting re-directs, then don't run ComboFix.

Okay... Will wait and see what happens today :)

Thanks again, Seth... And again, I hope ya don't hear from me again!! :)

Okay, Seth... Here's the current update. I was still getting re-directs, but ONLY from search pages (google and bing)... I was still getting that Generic Host needs to close, blah, blah pop-up window about 15 minutes after I would access the internet (every time)...

So I've started ComboFix, downloaded whatever they've asked me to also download, agreed to everything they've asked (yeah, they can have my first-born as long as they understand that the college tuition comes with him!!)...

It said a 'Rootkit' was found??? Whatever that is...

Anyway, whenever this finishes running, what's my next step? Anything? Will everything be cleaned up? Do I need to run SAS again? And do you know how I got this thing in the first place? Do you have a recommendation if I should see one of those fake-Windows-pop-up-messages in the future? Without something to 'X' out of, I'm not sure how to avoid this in the future (as I'm usually pretty good about NOT clicking on anything to get these)...

Thanks...

A rootkit is a type of infection that hides itself. Often these are password stealers, so I suggest you change any online passwords.

What are you running for antivirus software?
