
Author Topic: Downloaded something bad from Isohunt...  (Read 21207 times)


ChevyDieselPride

    Topic Starter


    Rookie

    Downloaded something bad from Isohunt...
    « on: June 25, 2008, 07:10:45 PM »
    I download a lot of stuff all the time and I believe I downloaded a file containing a virus. I have Norton AntiVirus and Norton SystemWorks, which say everything is fine and the system is secure. I can get into the C drive and all the way to the file where everything is downloaded, but the second I open the file where everything is downloaded my computer closes out of every window and all that is shown is the desktop background picture. The icons, the taskbar and anything else are all gone and only my background picture is left. But I can still hit Control-Alt-Delete and it will bring up the Windows Task Manager, but it says no apps are being run when there are. I still have internet and everything functions the same as long as I don't go into My Computer. If I access my C drive I have to restart my computer to get everything back on my desktop... Any ideas?
    Thanks for your time

    Also, I hooked up my external hard drive and it did the same to me as above...

    ChevyDieselPride


      Re: Downloaded something bad from Isohunt...
      « Reply #1 on: June 25, 2008, 07:51:10 PM »
      Anyone?

      Broni


        Mastermind
      • Kraków my love :)
      • Thanked: 614
        • Computer Help Forum
      • Computer: Specs
      • Experience: Experienced
      • OS: Windows 8
      Re: Downloaded something bad from Isohunt...
      « Reply #2 on: June 25, 2008, 07:52:01 PM »
      Can you operate My Computer from Safe Mode?

      ChevyDieselPride


        Re: Downloaded something bad from Isohunt...
        « Reply #3 on: June 25, 2008, 07:56:36 PM »
        Yes, I can.

        I was thinking just wipe out the file where everything is downloaded and that may help, but then if it's a virus it's embedded somewhere else so it wouldn't do much...

        Broni


        Re: Downloaded something bad from Isohunt...
        « Reply #4 on: June 25, 2008, 08:17:03 PM »
        Quote
        I was thinking just wipe out the file where everything is downloaded and that may help, but then if it's a virus it's embedded somewhere else so it wouldn't do much...
        It won't work.

        Are you able to download, and install programs?

        ChevyDieselPride


          Re: Downloaded something bad from Isohunt...
          « Reply #5 on: June 25, 2008, 08:23:39 PM »
          I haven't tried downloading a program and installing it. But I tried going to Add/Remove Programs under controls and it did the same thing to me as if I went into my C drive.

          But I was downloading other stuff when this first started and the downloads have completed, I just can't run WinRAR on them or get to them.

          Think I should try downloading something and installing?

          Broni


          Re: Downloaded something bad from Isohunt...
          « Reply #6 on: June 25, 2008, 08:26:06 PM »
          Give this a try...

          Print these instructions out.

          1. Download SUPERAntiSpyware Free for Home Users:
          http://www.superantispyware.com/

              * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
              * An icon will be created on your desktop. Double-click that icon to launch the program.
              * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
              * Close SUPERAntiSpyware.

          PHYSICALLY DISCONNECT FROM THE INTERNET

          Restart computer in Safe Mode.
          To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears, then select Safe Mode. You'll see "Safe Mode" in all four corners of your screen.

              * Open SUPERAntiSpyware.
              * Under "Configuration and Preferences", click the Preferences button.
              * Click the Scanning Control tab.
              * Under Scanner Options make sure the following are checked (leave all others unchecked):
                    o Close browsers before scanning.
                    o Scan for tracking cookies.
                    o Terminate memory threats before quarantining.
              * Click the "Close" button to leave the control center screen.
              * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
              * On the left, make sure you check C:\Fixed Drive.
              * On the right, under "Complete Scan", choose Perform Complete Scan.
              * Click "Next" to start the scan. Please be patient while it scans your computer.
              * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
              * Make sure everything has a checkmark next to it and click "Next".
              * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
              * If asked if you want to reboot, click "Yes".
              * To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
                    o Click Preferences, then click the Statistics/Logs tab.
                    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
                    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
                    o Please copy and paste the Scan Log results in your next reply.
              * Click Close to exit the program.
          Post SUPERAntiSpyware log.

          RECONNECT TO THE INTERNET

          RESTART COMPUTER!

          2. Download Malwarebytes' Anti-Malware: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

              * Double-click mbam-setup.exe and follow the prompts to install the program.
              * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
              * If an update is found, it will download and install the latest version.
              * Once the program has loaded, select Perform full scan, then click Scan.
              * When the scan is complete, click OK, then Show Results to view the results.
              * Be sure that everything is checked, and click Remove Selected.
              * When completed, a log will open in Notepad.
              * Post the log back here.

          The log can also be found here:
          C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
          Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

          RESTART COMPUTER!

          3. Download HijackThis:
          http://www.snapfiles.com/get/hijackthis.html
          Post HijackThis log.

          ChevyDieselPride


            Re: Downloaded something bad from Isohunt...
            « Reply #7 on: June 25, 2008, 08:28:33 PM »
            Thanks for your help, hopefully it works

            ChevyDieselPride


              Re: Downloaded something bad from Isohunt...
              « Reply #8 on: June 26, 2008, 10:25:38 PM »
              So Broni,
              ran your advice and now it's even worse than when I began... When my computer rebooted, it got as far as the Windows XP screen and then went to a blue screen saying I need to run a manufacturer's diagnostic or uninstall recently installed programs, drivers... etc.

              I made it through step one of what you told me to do, got to the end and this happened. Now I can only get on in Safe Mode. Do I do the remaining steps in Safe Mode?

              Here's my report log:

              SUPERAntiSpyware Scan Log
              http://www.superantispyware.com

              Generated 06/26/2008 at 08:46 PM

              Application Version : 4.15.1000

              Core Rules Database Version : 3492
              Trace Rules Database Version: 1483

              Scan type       : Complete Scan
              Total Scan Time : 01:51:19

              Memory items scanned      : 169
              Memory threats detected   : 2
              Registry items scanned    : 5789
              Registry threats detected : 14
              File items scanned        : 54530
              File threats detected     : 30

              Trojan.Vundo-Variant/Small-GEN
                 C:\WINDOWS\SYSTEM32\MLJYOLKK.DLL
                 C:\WINDOWS\SYSTEM32\MLJYOLKK.DLL
                 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C2215AD7-241D-4F05-B05F-AA7B9A16E18C}
                 HKCR\CLSID\{C2215AD7-241D-4F05-B05F-AA7B9A16E18C}
                 HKCR\CLSID\{C2215AD7-241D-4F05-B05F-AA7B9A16E18C}\InprocServer32
                 HKCR\CLSID\{C2215AD7-241D-4F05-B05F-AA7B9A16E18C}\InprocServer32#ThreadingModel
                 Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\mlJYolkk
                 C:\WINDOWS\SYSTEM32\CBXNDUKA.DLL
                 C:\WINDOWS\SYSTEM32\JKKIBRKL.DLL

              Adware.Vundo Variant/Resident
                 C:\WINDOWS\SYSTEM32\YAYYVUUN.DLL
                 C:\WINDOWS\SYSTEM32\YAYYVUUN.DLL

              Adware.Vundo Variant
                 HKLM\Software\Classes\CLSID\{57A52E74-004C-464B-96CC-4DFE5366EA02}
                 HKCR\CLSID\{57A52E74-004C-464B-96CC-4DFE5366EA02}
                 HKCR\CLSID\{57A52E74-004C-464B-96CC-4DFE5366EA02}\InprocServer32
                 HKCR\CLSID\{57A52E74-004C-464B-96CC-4DFE5366EA02}\InprocServer32#ThreadingModel
                 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{57A52E74-004C-464B-96CC-4DFE5366EA02}
                 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{57A52E74-004C-464B-96CC-4DFE5366EA02}
                 HKCR\CLSID\{57A52E74-004C-464B-96CC-4DFE5366EA02}

              Adware.Tracking Cookie

              Adware.Vundo Variant/Rel
                 HKLM\SOFTWARE\Microsoft\FCOVM
                 HKLM\SOFTWARE\Microsoft\RemoveRP
                 C:\WINDOWS\SYSTEM32\MCRH.TMP


              HELP ME!!!

              Broni


              Re: Downloaded something bad from Isohunt...
              « Reply #9 on: June 26, 2008, 10:33:14 PM »
              You couldn't operate in Normal Mode before, so I'm not sure what you mean by things getting worse.
              Your computer seems to be seriously infected, so there is no guarantee we'll be successful, but please continue running the next programs in Safe Mode.

              ChevyDieselPride


                Re: Downloaded something bad from Isohunt...
                « Reply #10 on: June 26, 2008, 10:39:44 PM »
                I could run in "normal mode", just not access my C drive... By the way, I didn't mean to come off mad at you. I'm frustrated with this *censored* thing. I'll try the rest, I'm very thankful for your help.

                ChevyDieselPride


                  Re: Downloaded something bad from Isohunt...
                  « Reply #11 on: June 26, 2008, 10:40:30 PM »
                  Also, if this doesn't work, what should I do? Take it to Best Buy to get ripped off and pay 250$ to get it fixed?

                  ChevyDieselPride


                    Re: Downloaded something bad from Isohunt...
                    « Reply #12 on: June 27, 2008, 04:50:34 PM »
                    Here's the log from the second part:

                    Malwarebytes' Anti-Malware 1.18
                    Database version: 895

                    1:42:42 PM 6/27/2008
                    mbam-log-6-27-2008 (13-42-42).txt

                    Scan type: Full Scan (C:\|)
                    Objects scanned: 91852
                    Time elapsed: 17 minute(s), 22 second(s)

                    Memory Processes Infected: 0
                    Memory Modules Infected: 1
                    Registry Keys Infected: 2
                    Registry Values Infected: 0
                    Registry Data Items Infected: 2
                    Folders Infected: 0
                    Files Infected: 10

                    Memory Processes Infected:
                    (No malicious items detected)

                    Memory Modules Infected:
                    C:\WINDOWS\system32\yayyvuUn.dll (Trojan.Vundo) -> Unloaded module successfully.

                    Registry Keys Infected:
                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dac37ffa-3b35-46f9-9218-2409e4d85af2} (Trojan.Vundo) -> Quarantined and deleted successfully.
                    HKEY_CLASSES_ROOT\CLSID\{dac37ffa-3b35-46f9-9218-2409e4d85af2} (Trojan.Vundo) -> Quarantined and deleted successfully.

                    Registry Values Infected:
                    (No malicious items detected)

                    Registry Data Items Infected:
                    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayyvuun -> Delete on reboot.
                    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayyvuun  -> Delete on reboot.

                    Folders Infected:
                    (No malicious items detected)

                    Files Infected:
                    C:\WINDOWS\system32\yayyvuUn.dll (Trojan.Vundo) -> Delete on reboot.
                    C:\WINDOWS\system32\nUuvyyay.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
                    C:\WINDOWS\system32\nUuvyyay.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
                    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP94\A0014992.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
                    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP95\A0014993.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
                    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP95\A0014997.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
                    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP98\A0021284.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
                    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP98\A0021285.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
                    C:\System Volume Information\_restore{5D527826-05BD-4A83-8416-28ACDDA14001}\RP98\A0024288.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
                    C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


                    There's no change either, still can only start in Safe Mode. Any ideas?
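
The Malwarebytes log in Reply #12 mixes entries that were deleted with entries still marked "Delete on reboot". As an added example (editor's code, not part of any post in this thread), the following Python parses that log layout, names the registry DLL load points the detections touch, and lists the removals that have not happened yet; the load-point list and all function names are the editor's own assumptions and the list is not exhaustive.

```python
import re

# Excerpt of the Malwarebytes' Anti-Malware log posted in Reply #12 above.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\yayyvuUn.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dac37ffa-3b35-46f9-9218-2409e4d85af2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dac37ffa-3b35-46f9-9218-2409e4d85af2} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayyvuun -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\yayyvuUn.dll (Trojan.Vundo) -> Delete on reboot.
"""

HEADER = re.compile(r"^(.+) Infected:$")  # detail section, not the "...: 1" summary line
ITEM = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")

# Editor's (non-exhaustive) list of registry locations from which Windows loads a DLL.
LOAD_POINTS = [
    (r"\\explorer\\browser helper objects\\", "Browser Helper Object (Internet Explorer)"),
    (r"\\winlogon\\notify\\", "Winlogon Notify package (winlogon.exe)"),
    (r"\\explorer\\shellexecutehooks", "ShellExecuteHook (explorer.exe)"),
    (r"\\control\\lsa\\authentication packages", "LSA authentication package (lsass.exe)"),
    (r"\\clsid\\\{[0-9a-f-]+\}", "COM class registration for the DLL"),
]

def parse_mbam_log(text):
    """Return one dict per detection line: section, path, threat, action."""
    findings, section = [], None
    for line in map(str.strip, text.splitlines()):
        header = HEADER.match(line)
        if header:
            section = header.group(1)
            continue
        item = ITEM.match(line)
        if item and section:
            # For "Data: ... -> Delete on reboot." keep only the final action.
            action = item.group("rest").split(" -> ")[-1].rstrip(".")
            findings.append({"section": section, "path": item.group("path"),
                             "threat": item.group("threat"), "action": action})
    return findings

def load_point(path):
    """Name the DLL load point a registry path belongs to, or None."""
    for pattern, label in LOAD_POINTS:
        if re.search(pattern, path.lower()):
            return label
    return None

def triage(findings):
    """Return (registry load points hit, paths still waiting for a reboot)."""
    hits = [(load_point(f["path"]), f["path"]) for f in findings
            if f["section"].startswith("Registry") and load_point(f["path"])]
    pending = [f["path"] for f in findings if f["action"].lower() == "delete on reboot"]
    return hits, pending
```

Calling `triage(parse_mbam_log(SAMPLE_LOG))` on the excerpt returns three load-point hits and two paths that remain on disk or in the registry until the next reboot.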

                    Broni


                    Re: Downloaded something bad from Isohunt...
                    « Reply #13 on: June 27, 2008, 06:23:52 PM »
                    ChevyDieselPride
                    Quote
                    By the way, I didn't mean to come off mad at you. I'm frustrated with this *censored* thing.
                    I fully understand. It may be frustrating. We're trying.
                    Give me a fresh HJT log from Safe Mode.

                    Broni


                    Re: Downloaded something bad from Isohunt...
                    « Reply #14 on: June 27, 2008, 06:25:43 PM »
                    Quote
                    what should I do? Take it to Best Buy to get ripped off and pay 250$ to get it fixed?
                    We're not done here, so hold your horses.