I need help with virus!

[brondog]

I'm REALLY new at this, so please forgive my ignorance...
Avast detected a virus (by resident protection, right after I turned my computer on) and I have no idea about how I got it. I tried to move it to chest and also to delete it, but the messages kept coming back. After several unsuccessful attempts I noticed that my computer was really slow and that the icon for my C: drive had turned into a big red X... I even had several full avast boot-time scans and also tried some different antiviruses, but nothing works! Now I'm running the computer on safe mode.
My OS is windows xp professional running service pack 2
This is the report for one of avast messages:

File Name: A0139781.dll
FileID: 42
Virus Description: Win32:TratBHO [trj]
C:\System Volume Information\_restore{5EC1EC9F-1730-4252-A3C6-479B5CAD91C1}\RP584\A0139781.dll


What should I do now?

[philly12]

by looking at your log, it looks like you got yourself a case of smitfraud by this entry (dont fix it yet):
O21 - SSODL: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)

an advast admin will prolly advise you to run a specific program made to remove smitfraud.  Just give them a lil time because they work their butts off

[brondog]

Ok, then! I'll wait.
Thanks, philly12!

[oldman]

Please download SmitfraudFix (by S!Ri) to your Desktop.
Download this ptool from: http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Double-click Smitfraudfix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply as an attachment. The report can be found at the root of the system drive, usually at C:\rapport.txt

IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool";
it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user

[brondog]

Ok, here goes the Smitfraudfix.exe report:

[oldman]

Okay, that checks out. Let's go get the bad guys. Combofix first then HJT.

Before you run hijackthis, please rename hijackthis.exe to bugs.exe




Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.

[brondog]

Ok, ComboFix and HiJackthis logs:

[oldman]

Hopefully, this will take care of the rest. How is it on your end?


A word of caution, when fixing the 020 lines in HJT, DO NOT checkmark O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll


Open HJT, run a system scan only, check mark these lines if present

O20 - Winlogon Notify: eddcsown - eddcsown.dll (file missing)
O20 - Winlogon Notify: efccbyw - efccbyw.dll (file missing)
O20 - Winlogon Notify: wgqhrohz - wgqhrohz.dll (file missing)
O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O21 - SSODL: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)
 

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\hanypagr.ini
C:\WINDOWS\system32\ycgshorp.ini
c:\WINDOWS\system32\urytctrk.ini
C:\WINDOWS\system32\synorxkd.ini

This will start ComboFix again.Close  all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DSS log.

[brondog]

Ok, now that I followed all the steps I don't get those avast messages anymore, but the icon for my C: drive still displays a red X and now I receive windows validation messages too.
Perhaps the virus isn't gone yet?
These are the logs for Combofix and HiJackthis.
Thanks for all of your help untill now!

[oldman]

For the red X

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon]

Next you will need to create the repair registry fix to do that copy and paste ALL of the above in the quote box to a notepad file.  Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop

Make sure the top box is set to DESKTOP

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.


We didn't remove anything that would turn on the notification. The wgalogon.dll is legitamate and was there from the start. Did you install KB905474 from MS sometime?

http://www.mydigitallife.info/2006/06/28/official-ways-to-disable-or-manually-uninstall-the-microsoft-windows-genuine-advantage-notifications-from-microsoft/



"This file is a legitimate Windows oeprating system file. It used as part of Windows Genuine Advantage and alerts when you are using an unvalidated Microsoft product"

 

[brondog]

Alright, thanks a lot for your help!

[oldman]

So everything is ok?

If so, time to clean up the tools you used.

1. Click startt button, click run, copy and paste this line into the box, click ok

combofix /u


2. Please download
 OTMoveIt2 by OldTimer.


Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

3. Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

Remove old restore points

- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.


4. Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".

Click the download button on the right.

 > If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.



5. Download and run this clean up utility. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/


6. If you are using windows firewall, please note that it doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0


You're welcome

Take care and keep safe.

[brondog]

Ok, I've cleaned up everything now and my computer seems to be running as it used to before the virus.
Thanks again!

[oldman]

You're welcome.