
Author Topic: KTASKR.dll HELPPPPP  (Read 4064 times)


aussieoi

  • Guest
KTASKR.dll HELPPPPP
« on: October 19, 2007, 05:50:40 AM »
hello
I have recently been attacked by a virus which hijacks the computer and puts icons in your task bar and takes over your background, saying that your computer has been attacked, buy this product to get rid of it....well I tried to get rid of it and somehow now my computer is not letting me into any applications like Internet Explorer (I get on it by going to My Documents and writing the URL in the address bar) but if I click on any application like System Restore I get an error message saying:
Error loading KTASKR.dll
the specified module could not be found!!!!
and then the application won't open so I can't do anything
PLZ help I don't know where to go from here and I don't want to re-install XP!!!!
thanks in advance,
Mitchell Orr

[getting space - attachment deleted by admin]
« Last Edit: October 19, 2007, 06:11:20 AM by aussieoi »

JPH



    Intermediate

    • Experience: Experienced
    • OS: Windows 7
    Re: KTASKR.dll HELPPPPP
    « Reply #1 on: October 19, 2007, 06:49:42 AM »
    Hello aussieoi, welcome to Computer Hope.

    Your machine is obviously infected:

    Trojan downloader, a variant of Win32.Trojan-Spy.Banker.EGJ

    Download HijackThis and make sure that the exe is in its own directory, not just sitting on your desktop. Rename the HijackThis_v2.exe to something else (e.g. aussieoi.exe), then do a system scan and save a logfile. Post the contents of the resulting hijackthis.log file into your next post.

    (Mods, please move this thread to the "Computer Viruses and Spyware" section)

    - JPH

    JPH



      Re: KTASKR.dll HELPPPPP
      « Reply #2 on: October 19, 2007, 05:13:39 PM »
      Thanks for moving this patio...

      aussieoi

      • Guest
      Re: KTASKR.dll HELPPPPP
      « Reply #3 on: October 19, 2007, 07:33:48 PM »
      here is the log!

      [getting space - attachment deleted by admin]

      Broni


        Mastermind
      • Kraków my love :)
      • Thanked: 614
        • Computer Help Forum
      • Computer: Specs
      • Experience: Experienced
      • OS: Windows 8
      Re: KTASKR.dll HELPPPPP
      « Reply #4 on: October 19, 2007, 08:12:05 PM »
      I'll take a look in a moment, but one question, first:
      I can't see any firewall listed. Do you have any?

      Broni


      Re: KTASKR.dll HELPPPPP
      « Reply #5 on: October 19, 2007, 08:31:48 PM »
      1. Print this post out, since you won't have access to it at some point.

      2. Download, and install Spybot (if you don't have it) from here: http://www.safer-networking.org/en/download/index.html

      3. Close all windows, except for HJT.

      4. Put a checkmark next to the following HJT entries:

      - O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)

      - O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)

      - O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

      - O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)

      - O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)

      - O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)

      - O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)

      - O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)

      - O2 - BHO: Flash Module - {3039C679-F399-4c5a-B465-47385038D0EC} - ktaskr.dll (file missing)

      - O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)

      - O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)

      - O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)

      - O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)

      - O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)

      - O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

      - O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

      - O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)

      - O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)

      - O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)

      - O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)

      - O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)

      - O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)

      - O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)

      - O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)

      - O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINDOWS\system32\oembios32.dll

      - O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)

      - O2 - BHO: Flash Module - {DF50F976-592A-47a4-81C7-AD34D5A3A947} - btasv.dll (file missing)

      - O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)

      - O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)

      - O4 - HKLM\..\Run: [AntispyStorm] C:\Program Files\AntispyStorm\AntispyStorm.exe

      - O23 - Service: Performance Monitor Command Line Shell (Performance Monitor) - Unknown owner - C:\WINDOWS\perfmon.exe (file missing)

      - O23 - Service: tjk8rla0zxexp - Unknown owner - C:\WINDOWS\system32\systs.exe


      5. Click on "Fix It" button.

      6. Restart your computer in Safe Mode (F8)

      7. Run Spybot (click on updates, first), and fix whatever it asks you to fix.

      8. Open Windows Explorer. Go Tools>Folder Options, put a checkmark next to "Show hidden files, and folders".

      9. Delete the following files (if they still exist):

      - AntispyStorm.exe from C:\Program Files\AntispyStorm\

      - perfmon.exe from C:\WINDOWS\

      - systs.exe from C:\WINDOWS\system32\

      10. Turn off System Restore.

      11. Restart in Normal Mode.

      12. Turn System Restore on.

      13. Run HJT again, and post its log back here.
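The entries ticked in step 4 share a few structural markers that can be checked mechanically. The sketch below is an added example, not part of the original post and not HijackThis code: it parses O2/O4/O23 lines and reports those markers. The regular expressions and reason strings are assumptions based on the lines quoted in the reply, and the last sample line is constructed. Entries with a present file and a named owner (`oembios32.dll`, `AntispyStorm.exe`) produce no marker, so they still need an analyst's judgment.

```python
import re

# Lines copied from the reply above; the final entry is constructed for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Flash Module - {3039C679-F399-4c5a-B465-47385038D0EC} - ktaskr.dll (file missing)
O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINDOWS\system32\oembios32.dll
O4 - HKLM\..\Run: [AntispyStorm] C:\Program Files\AntispyStorm\AntispyStorm.exe
O23 - Service: Performance Monitor Command Line Shell (Performance Monitor) - Unknown owner - C:\WINDOWS\perfmon.exe (file missing)
O23 - Service: tjk8rla0zxexp - Unknown owner - C:\WINDOWS\system32\systs.exe
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
"""

PATTERNS = (
    ("O2", re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")),
    ("O4", re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<target>.*)$")),
    ("O23", re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$")),
)

def parse_line(line):
    """Return a dict for an O2/O4/O23 line, or None for any other text."""
    for kind, rx in PATTERNS:
        m = rx.match(line.strip())
        if m:
            return {"kind": kind, **m.groupdict()}
    return None

def reasons(entry):
    """Structural markers only; says nothing about whether a present file is malicious."""
    out = []
    if entry["target"] == "(no file)":
        out.append("orphaned CLSID")
    elif entry["target"].endswith("(file missing)"):
        out.append("target file missing")
    if entry["kind"] == "O2" and entry["name"] == "(no name)":
        out.append("unnamed BHO")
    if entry.get("owner") == "Unknown owner":
        out.append("owner reported as unknown")
    return out

def triage(log_text):
    """Parse every recognised line and pair it with its markers."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [(e, reasons(e)) for e in parsed if e]

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry["kind"], entry["name"], "->", ", ".join(why) or "no marker, review manually")
```
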

      aussieoi

      • Guest
      Re: KTASKR.dll HELPPPPP
      « Reply #6 on: October 20, 2007, 07:01:22 PM »
      i don't actually think i have a firewall...
      but here's the new log!!!

      [getting space - attachment deleted by admin]

      Broni


      Re: KTASKR.dll HELPPPPP
      « Reply #7 on: October 20, 2007, 09:38:32 PM »
      Firewall IS A MUST!!!
      At least turn built-in Windows firewall on.
      If anything happens in the future and you still don't have a firewall, I'd refuse to even look at your HJT log.

      Now, I'll take a look, and I'll post back. When you post back, you will let me know that your firewall is on, right?

      Broni


      Re: KTASKR.dll HELPPPPP
      « Reply #8 on: October 20, 2007, 10:08:01 PM »
      Your log looks much better, but it's not 100% clean, yet.

      Your next steps are:

         0. Create an Autoruns folder in your root C:\ directory.

         1. Download and extract the Autoruns (http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx) program to C:\Autoruns

         2. Reboot into Safe Mode.

         3. Navigate to the C:\Autoruns folder you created in Step 0 and double-click on autoruns.exe.

         4. When the program starts, click on the Options menu and enable the following options by clicking on them. This will place a checkmark next to each of these options.

               1. Include empty locations

               2. Verify Code Signatures

               3. Hide Signed Microsoft Entries

         5. Then press the F5 key on your keyboard to refresh the startups list using these new settings.

         6. Click on the Services tab. Find the following entry:
      - Performance Monitor Command Line Shell (Performance Monitor) (you may see just partial name).

         7. Once you find the entry that is associated with the malware, you want to delete that entry so it will not start again on the next reboot. To do that right click on the entry and select delete. This startup entry will now be removed from the Registry.

         8. Open Windows Explorer. Make sure that hidden files are shown (Windows Explorer >Tools>Folder Options>View tab, check "Show hidden files, and folders").
      Navigate to: C:\WINDOWS\TEMP\, and remove VRT2.tmp file

         9. When you are finished removing the malware entries from the Registry and deleting the files, reboot into normal mode.

        10. Post new HijackThis log.