Browser And Explorer Hijacked Pc Cleaner, Antispyware 2008, Fake Alarms

OK,,,

Spent about 10 hours trying to diagnose this virus but finally gave up (which I hate to do).

Symptoms:

Three Files are created on my desktop that will link to a bogus spyware software sites; you can remove them but a process at boot time just replaces them.
All user accounts have the bulk of administration tools disabled and removed from the "start menu"
Continual popups alerting me to false spyware intrusions
CPU is totally sucked dry by Explorer process
The Windows root drive is disabled/not visible to any accounts, unless I do a safe boot -->administrator login
It is impossible to run anything without it taking hours (CPU runs at 90+%)
There was a virus in a restore file, but I got rid of that.
I can run a hijackthis and capture the log (attached) while in normal mode
Task Manager is disabled for any account.

If I run manual virus scan in safe mode there are two virus detected but cannot be removed because they are in an archives (the file is winsock32.exe)..The error message doesn't tell me what archive so I can't go and fix it.. The scan log is attached as well.

OK..so all log files are zipped in the attached file logs.zip and encrypted with "infected".

Any other questions?

Thanks in advance,,

Reuben

PS: I have run spyhunter, adaware, and others with no luck...I think If I can identify the process and archive I can fix it with modest effort.

/applications/core/interface/file/attachment.php?id=2625" data-fileid="2625" rel="">Logs.zip

Find more posts tagged with

Comments

alexcrist

Hello,

You will receive a PM from a BitDefender analyst with an attached program that should remove the file.

Please download AVIS, make a Complete System Log and attach it to your next post.

Also, find the following files, put them in a password-protected archive and attach it (password: infected):

%SystemRoot%\System32\dimsntfy.dll
wvUkIcDU.dll (probably in windows\System32)
C:\WINDOWS\wbqxfpgl.dll
C:\WINDOWS\tpabfelq.dll
C:\WINDOWS\vwsrfton.dll

Make sure you set your system to show hidden and system files before looking for these files.

Cris.

rprichard

Hello,

You will receive a PM from a BitDefender analyst with an attached program that should remove the file.

Please download AVIS, make a Complete System Log and attach it to your next post.

Also, find the following files, put them in a password-protected archive and attach it (password: infected):
%SystemRoot%\System32\dimsntfy.dll
wvUkIcDU.dll (probably in windows\System32)
C:\WINDOWS\wbqxfpgl.dll
C:\WINDOWS\tpabfelq.dll
C:\WINDOWS\vwsrfton.dll
Make sure you set your system to show hidden and system files before looking for these files.

Cris.

OK Found all the files except wvUkIcDu.dll file (searched the entire system)..Files attached..You didn't say if I should delete them..I also did an update on the Avis to get the latest before i did the scan..

When I run the fix program..(hit start)..it just generates a message "Sample should be removed." and sit there...I'll let it run for a while, but it doesn't seem to be generating any CPU cycles..

/applications/core/interface/file/attachment.php?id=2642" data-fileid="2642" rel="">DLLsAndScanLog.zip

DLLsAndScanLog.zip

jkanes76@yahoo.com

I have this virus as well. You describe all of the exact symptoms. I'm sure you had the red fake "wallpaper" with the biohazard symbol that states: "Your Privacy is in Danger". The clock is changed to 24hr time and has Virus Alert! next to it as well, huh? This virus and my computer is a mess!

csalgau

First of, please let me apologize for the lack of instructions provided with the tool. It was finished as soon as the message was shown.

Provided files are infected and have been signed. Detection should be available soon.

What you have provided in the archive, while useful to some degree, is not what we requested. Please start AVIS again and use the logging function, not the Scan function. It's under the System Info/Info sistem tab. Select Complete/Complet and hit Create log/Creaza logul. A zip file should be generated on your desktop. Please attach that file to your next post along with an archive with

 c:\windows\system32\byXpNgfg.dll
c:\windows\system32\fccyayXo.dll

You might have trouble accessing regedit. You can fix this using AVIS by accessing the Clean/Stergere tab. If AVIS can(and it should) fix the problem, click the fix regedit button(or any of the others if you have those problems also).

To jkanes: please open a new topic and provide us with BitDefender(or at least a AVIS scan log) and AVIS system logs. Steps outlined in this topic might not work for you.

rprichard

First of, please let me apologize for the lack of instructions provided with the tool. It was finished as soon as the message was shown.

Provided files are infected and have been signed. Detection should be available soon.

What you have provided in the archive, while useful to some degree, is not what we requested. Please start AVIS again and use the logging function, not the Scan function. It's under the System Info/Info sistem tab. Select Complete/Complet and hit Create log/Creaza logul. A zip file should be generated on your desktop. Please attach that file to your next post along with an archive with
 c:\windows\system32\byXpNgfg.dll
c:\windows\system32\fccyayXo.dll
You might have trouble accessing regedit. You can fix this using AVIS by accessing the Clean/Stergere tab. If AVIS can(and it should) fix the problem, click the fix regedit button(or any of the others if you have those problems also).

To jkanes: please open a new topic and provide us with BitDefender(or at least a AVIS scan log) and AVIS system logs. Steps outlined in this topic might not work for you.

OK...rerun avis and log.zip password "infected" attached...None of the buttons to fix reged, or task manager are enabled..(I am running this from safe mode as administrator).

/applications/core/interface/file/attachment.php?id=2649" data-fileid="2649" rel="">logs.zip

logs.zip

rprichard

OK...rerun avis and log.zip password "infected" attached...None of the buttons to fix reged, or task manager are enabled..(I am running this from safe mode as administrator).

I've manually removed all the dlls and exe's as reqested, it looks like I'm back to normal right now.. I also see several updates that I have downloaded and rescan the system with out any detected errors..

I still need to get my C:\ drive show up when I click on "my computer"...and add the rest of the menu items that were removed from "Start->Settings (only task bar and start menu show up)... Any guideance here would be most appreciated...

Thanks for the excellent support..

Reuben M. Prichard Jr.

csalgau

While there may be an easyer way, I find this the fastest.

Please press Start->Run and paste the following in the box

REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /va /f
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

The second line may not be necessary, but it is safer.

If you do not see Run under your start menu, try and find Command Prompt under program\accessories\ in your start menu, or look for cmd.exe under c:\windows\system32\. Paste the same strings there. (you might gave to right click on the title bar and select edit-paste)