Link to home
Create AccountLog in
Anti-Virus Apps

Anti-Virus Apps

--

Questions

--

Followers

Top Experts

Avatar of tqtclipper
tqtclipper🇺🇸

REGEDIT and TASK MANAGER DISABLED BY VIRUS
I was working on a computer for the last three or four days with a nasty computer virus. I tried everyting I could locate on EE and the internet. ComboFix and a little tool I found on the systeminterval website called autorun provided the most promising help. Now a second computer on my home newtork is infected (task manager & regedit disabled on one of the three accounts only). I resisted opening a ticket to date because I was sure that I would find the answer. Currently I have two computer with the virus one it. The first computer has several registry that I can restore and gain control of the PC the second computer has a logon without admin priv and two accounts with.... the account without the admin priv is the one with the virus...

I attached the combofix file for review...

My apologies gang; but i think I need help on this one...


cbfix2708.txt

Zero AI Policy

We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.

ASKER CERTIFIED SOLUTION
Avatar of Pete LongPete Long🇬🇧

Link to home
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
Create Account
SOLUTION
Avatar of rpggamergirlrpggamergirl🇦🇺

Link to home
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
Create Account
Avatar of tqtclippertqtclipper🇺🇸

ASKER

Thanks Guys!! Only wish I had asked three days ago!!! My wife thinks that I am nuts working on her sister's (college student) computer that long. Anyway, I attached the CBfix logs ... Feel free to post any additional feedback. The only thing left is to figure out why I can not install XP SP2 on computer # 1 (sister's (college student) computer))... Her machine was missing about 50 hotfixes... I got them all installed but XP SP2. I get the following error msg.... Service Pack2 setup error.... the file c:\windows\system32\services.exe is open or in use by another application. Close all other applications and click retry. I tried to kill the services.exe process but could not... Any on this issue is appreciated too.
Avatar of tqtclippertqtclipper🇺🇸

ASKER

Here are the combofix logs...

It was interesting that computer 2 (my machine); the computer with the multiple logins.. I had to run  the above instructions on each login. Is that normal?

Thanks Again!!
cbfixlog29apr08.txt
CBFixlog29APR08.txt
Avatar of tqtclippertqtclipper🇺🇸

ASKER

It looks like I may have spoken too soon.

The virus returned on one of the computers. Both logs belong to the infected computer (combofix logs #2 combofix logs #1 above). Still unable to open reg or tskmgr on all three accounts. I will give safe mode a try if you can come upmwith anyother suggestions that would be appreciated as well... Also, i will search to see what else is out there for the SirCam Virus.. I will reopen the ticket... next time I will wait 24hours just to make sure i got it... One computer is still doing fine.

Thanks,
Terry

Reward 1Reward 2Reward 3Reward 4Reward 5Reward 6

EARN REWARDS FOR ASKING, ANSWERING, AND MORE.

Earn free swag for participating on the platform.

Avatar of rpggamergirlrpggamergirl🇦🇺

Terry,
Both logs are still infected.

1.  This one below is the Combofix log 1 for the 'tqtclipper"pc.
Open notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------
File::
C:\WINDOWS\La15366\ib7197.exe
C:\WINDOWS\SY20118\ib9573.exe
C:\WINDOWS\system32\n6543\b7197.exe
C:\WINDOWS\system32\n6543\csrss.exe
C:\WINDOWS\system32\n6543\lsass.exe
C:\WINDOWS\system32\n6543\services.exe
C:\WINDOWS\system32\n6543\smss.exe
C:\WINDOWS\system32\n6543\sv711441830r.exe
C:\WINDOWS\system32\n8127\b9573.exe
C:\WINDOWS\system32\n8127\csrss.exe
C:\WINDOWS\system32\n8127\lsass.exe
C:\WINDOWS\system32\n8127\services.exe
C:\WINDOWS\system32\n8127\smss.exe
C:\WINDOWS\system32\n8127\sv711917030r.exe
C:\Documents and Settings\Default User\Local Settings\Application Data\dv6191700x\yesbron.com
C:\Documents and Settings\4mychildren\Local Settings\Application Data\dv6171900x\yesbron.com

Folder::
C:\WINDOWS\SY20118
C:\WINDOWS\La15366
C:\WINDOWS\system32\n8127
C:\WINDOWS\system32\n6543
C:\Documents and Settings\4mychildren\Local Settings\Application Data\dv6171900x
C:\Documents and Settings\Default User\Local Settings\Application Data\dv6191700x

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"y3114SYS"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
"y3114SYS"=-

--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), attach the contents of Combofix.txt in your next reply.




2.  This is for the lafina pc.
Open notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------
File::
C:\WINDOWS\system32\n6543\csrss.exe
C:\WINDOWS\system32\n6543\lsass.exe
C:\WINDOWS\system32\n6543\services.exe
C:\WINDOWS\system32\n6543\smss.exe
C:\WINDOWS\system32\n6543\sv711441830r.exe
C:\WINDOWS\La15366\ib7197.exe
C:\WINDOWS\system32\n8127\sv711917030r.exe
C:\Documents and Settings\Lafina\Local Settings\Application Data\dv6144180x\yesbron.com
C:\Documents and Settings\Default User\Local Settings\Application Data\dv6191700x\yesbron.com

Folder::
C:\Documents and Settings\4mychildren\Local Settings\Application Data\dv6171900x
C:\WINDOWS\system32\n6543
C:\WINDOWS\La15366
C:\WINDOWS\system32\n8127
C:\Documents and Settings\Lafina\Local Settings\Application Data\dv6144180x
C:\Documents and Settings\Default User\Local Settings\Application Data\dv6191700x

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"y2322Laf"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"y3114SYS"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"y2322Laf"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
"y3114SYS"=-

--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
then drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), attach the contents of Combofix.txt in your next reply together a hijackthis log.




Please also run this removal tool for Brontok worm.
http://www.sophos.com/support/disinfection/brontok.html

BRONTGUI is a disinfector for standalone Windows computers
http://www.sophos.com/support/cleaners/brontgui.com
open BRONTGUI
run it
then click GO.
Avatar of tqtclippertqtclipper🇺🇸

ASKER

I have three logins on the infected computer. The combofix logs above are on the same computer, different logins. Right now I have control of one of the logins.. Every previous attempt to access the other two logins revelas the virus i.e.  REGEDIT and TASK MANAGER DISABLED BY VIRUS. After that I return to my good login and the virus is there again... I run combofix three or four times and its still there... the only thing that seems to work is running  my Ultimate Boot >>miniPE>>Registryt Wizard to restore the registry to a earlier restore point run combofix and then I have access to the same login again and the process repeats itself.. Oh yeah I ran hijack and cleared the errors as well as ran Smitfraudfix and BRONTGUI and just about any online scan tool that I could find.... Anyway, I will take a look at the instructions above and get back to you.

Thanks Again!!
Avatar of IndiGenusIndiGenus🇺🇸

rpg can you check in on the new thread that was started for these machines? I posted my thoughts but would certainly like a second, and/or third opinion from someone.

Thanks,
Dave
Free T-shirt

Get a FREE t-shirt when you ask your first question.

We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.

Avatar of rpggamergirlrpggamergirl🇦🇺

Dave,
I'm so sorry, somehow I missed the alerts on this thread and only just now found it by chance searching in the database. My apology.


Terry,
Thanks!
Avatar of tryagiantryagian

You may download a free tool at www.digitalsupporttech.com. The tool will tell you what causes the problem. It is also free to get it fixed.
Anti-Virus Apps

Anti-Virus Apps

--

Questions

--

Followers

Top Experts

Anti-virus software was originally developed to detect and remove computer viruses. However, with the proliferation of other kinds of malware, antivirus software started to provide protection from other computer threats. In particular, modern antivirus software can protect from malicious browser helper objects (BHOs), browser hijackers, ransomware, keyloggers, backdoors, rootkits, trojan horses, worms, malicious layered service providers (LSPs), dialers, fraud tools, adware and spyware. Some products also include protection from other computer threats, such as infected and malicious URLs, spam, scam and phishing attacks, online identity theft (privacy), online banking attacks, social engineering techniques, Advanced Persistent Threat (APT), botnets and DDoS attacks.