I need help with virus!

oldman:
Okay, that checks out. Let's go get the bad guys. Combofix first then HJT.

Before you run hijackthis, please rename hijackthis.exe to bugs.exe.




Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

brondog:
Ok, ComboFix and HiJackthis logs:

oldman:

Hopefully, this will take care of the rest. How is it on your end?


A word of caution: when fixing the O20 lines in HJT, DO NOT checkmark O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll


Open HJT, run a system scan only, and checkmark these lines if present:

O20 - Winlogon Notify: eddcsown - eddcsown.dll (file missing)
O20 - Winlogon Notify: efccbyw - efccbyw.dll (file missing)
O20 - Winlogon Notify: wgqhrohz - wgqhrohz.dll (file missing)
O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)
O20 - Winlogon Notify: winpsa32 - winpsa32.dll (file missing)
O21 - SSODL: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - (no file)

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your left mouse button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.



--- Quote ---File::
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\hanypagr.ini
C:\WINDOWS\system32\ycgshorp.ini
c:\WINDOWS\system32\urytctrk.ini
C:\WINDOWS\system32\synorxkd.ini


--- End quote ---


This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DSS log.



brondog:
Ok, now that I have followed all the steps I don't get those Avast messages anymore, but the icon for my C: drive still displays a red X, and now I receive Windows validation messages too.
Perhaps the virus isn't gone yet?
These are the logs for ComboFix and HiJackthis.
Thanks for all of your help until now!

oldman:
For the red X:


--- Quote ---REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\c\DefaultIcon]


--- End quote ---

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg.
This will create a fix.reg file on your desktop.

Make sure the top box is set to DESKTOP

To use this file you will need to right-click the icon and select Merge, accept the warning if it appears, and you are done.


We didn't remove anything that would turn on the notification. The wgalogon.dll is legitimate and was there from the start. Did you install KB905474 from MS sometime?

http://www.mydigitallife.info/2006/06/28/official-ways-to-disable-or-manually-uninstall-the-microsoft-windows-genuine-advantage-notifications-from-microsoft/



"This file is a legitimate Windows operating system file. It is used as part of Windows Genuine Advantage and alerts when you are using an unvalidated Microsoft product."
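As an added illustration (not part of the thread, and not oldman's or ComboFix's tooling), this Python parser reads a REGEDIT4 fix such as the fix.reg above before it is merged: it rejects a file whose header is not on the very first line, lists every key the file would delete, and flags any deletion that falls outside the DriveIcons subtree the fix is meant to touch. The sample text is re-typed from the post; `deletes_outside` and the allowed-prefix check are this example's own additions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the DriveIcons fix from the post above, re-typed here.
SAMPLE_REG = """REGEDIT4

[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\DriveIcons]
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\DriveIcons\\c]
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\DriveIcons\\c\\DefaultIcon]
"""

VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_LINE = re.compile(r"^\[(-?)(.+)\]$")

@dataclass
class RegPlan:
    header: str
    deletes: list = field(default_factory=list)   # keys removed with all subkeys
    creates: dict = field(default_factory=dict)   # key -> list of value lines

def parse_reg(text: str) -> RegPlan:
    """Return the keys a .reg file would delete or create when merged. Raises
    ValueError if the header is not on line 1 (why the post says no space above REGEDIT4)."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in VALID_HEADERS:
        raise ValueError("first line must be a registry editor header")
    plan = RegPlan(header=lines[0].strip())
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        m = KEY_LINE.match(line)
        if m:
            minus, key = m.groups()
            if minus:                              # "[-KEY]" deletes the key
                plan.deletes.append(key)
                current = None
            else:                                  # "[KEY]" creates it; values follow
                current = plan.creates.setdefault(key, [])
        elif current is not None:
            current.append(line)
        else:
            raise ValueError(f"value line outside any key section: {line}")
    return plan

def deletes_outside(plan: RegPlan, allowed_prefix: str) -> list:
    """Keys the file would delete that are not under allowed_prefix (case-insensitive)."""
    return [k for k in plan.deletes if not k.lower().startswith(allowed_prefix.lower())]
```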

 
