Topic: YT8A.exe

Latagore (Topic Starter)

    YT8A.exe
    « on: November 15, 2008, 08:01:38 AM »
    [rant]This virus is really pissing me off.  :'( So far, it's slowed down my computer, apparently it's a trojan, and this one program has created 70+ infections on my computer. I've sent several files in the past few days, so I believe I've infected a few other people, plus two computers at my school.[/rant]

    Due to my own stupidity, I followed the advice from another forum topic, whose author had the exact same problem, but without a whole lot of success. I've checked my computer for the files infecting it and they are still there, even after running ComboFix, both the (normal?) version and the one by sUBs (?).

    The following attachments are the logs by ComboFix run several times. Oopsie.

    Thank you very much in advance for your help!

    [Saving space - attachment deleted by admin]

    kpac (Web moderator)
    Re: YT8A.exe
    « Reply #1 on: November 15, 2008, 11:23:06 AM »
    To help the malware specialists, please read this and post the three logs here.

    Good luck. ;)

    Latagore (Topic Starter)

      Re: YT8A.exe
      « Reply #2 on: November 19, 2008, 05:06:48 PM »
      Quote from: kpac
      To help the malware specialists, please read this and post the three logs here.
      Good luck. ;)

      Uh, you're kinda confusing me. By here, would you mean in the guide or in this thread? I've already posted the logs, and I've also read the guide >_<

      CBMatt (Mod & Malware Specialist)
      Re: YT8A.exe
      « Reply #3 on: November 19, 2008, 05:23:16 PM »
      What you have posted are ComboFix logs.  What we need are SUPERAntiSpyware, Malwarebytes' Anti-Malware, and HijackThis logs.  ComboFix is usually something that comes later.  It is showing me that you've got quite a few infected files, but it's not detecting them, so we need those scanners to give it a shot.
      Quote: An undefined problem has an infinite number of solutions. - Robert A. Humphrey

      Latagore (Topic Starter)

        Re: YT8A.exe
        « Reply #4 on: November 22, 2008, 08:24:35 PM »
        This is what happens when stupid people like me don't follow FAQs that other people post. Sorry about that. Attached are the logs of those programs.

        [Saving space - attachment deleted by admin]

        CBMatt (Mod & Malware Specialist)
        Re: YT8A.exe
        « Reply #5 on: November 23, 2008, 07:06:27 AM »
        It's quite alright; it actually happens a lot.  Your logs don't show much, but there are a couple of malicious files hidden in your computer.  This may take a couple of tries, but we'll do what we can.

        First, do you recognize this file?
        D:\Stuff\AGs\Mania\o2mania.exe
        It's being marked as malicious on a lot of sites.  But I'll give you a chance to identify it (if you can) before removing it.

        You should uninstall a program called Rainlendar2 from your computer and then follow these steps...


        Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

        Delete these files/folders, as follows:

        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
        It must be Notepad, not Wordpad.
        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

        Code: [Select]
        KillAll::

        Folder::
        C:\Program Files\Rainlendar2

        File::
        C:\Program Files\Rainlendar2\Rainlendar2.exe
        c:\windows\system32\qonenx.dll
        c:\windows\system32\hvexalt.dll
        c:\windows\system32\delnicek.exe
        c:\windows\system32\kandoftt.dll
        c:\windows\system32\417871mm.dll
        c:\windows\system32\417871cqwz.dll
        c:\windows\system32\sysmxd.dll
        c:\windows\system32\Æ×ÄÊÀ‹ÁÉÉk.exe
        c:\windows\system32\kandawf.dll
        c:\windows\system32\woodkenk.exe
        c:\windows\system32\qensng.dll
        c:\windows\system32\cenvta.dll
        c:\windows\system32\zesttnsk.exe
        c:\windows\system32\A~AEA?AEEk.exe
        c:\windows\Fonts\AA31D5B0.DLL
        c:\windows\Fonts\45BB3148.EXE

        Registry::
        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Rainlendar2"=-

        [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ÐÞ¸´¹¤¾ß.exe]

        3. Go to the Notepad window and click Edit > Paste
        4. Then click File > Save
        5. Name the file CFScript.txt - Save the file to your Desktop
        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



        ComboFix will begin to execute, just follow the prompts.
        After reboot (in case it asks to reboot), it will produce a log for you.
        Post that log (Combofix.txt) in your next reply along with a new HJT log.

        Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

        Latagore (Topic Starter)

          Re: YT8A.exe
          « Reply #6 on: November 23, 2008, 08:26:29 AM »
          Eek. D: There is a problem. One of the files that you listed is in Japanese. I can't type Japanese nor copy the text into Notepad, because it's gibberish when you posted it. Is it really a virus...?

          And by the way, the program you listed, I've been using it quite a bit (games :P) but I have no idea if it's malicious or not.

          EDIT: Alright, I've messed around with my browser encodings and I have no idea what the language is that the program is in. It used to be running in Task Manager, but now it doesn't.

          EDIT 2: Ew. I just kind of realised what was wrong. I don't think you have an Asian language on your computer, so I don't think it came out right. Once I have your reply, I'll copy the name off the log, or look for the file itself and copy its name.

          CBMatt (Mod & Malware Specialist)
          Re: YT8A.exe
          « Reply #7 on: November 24, 2008, 04:25:11 AM »
          You know, it's quite possible that I don't in fact have the proper language file.  That is often how text will look in cases such as this.  For the time being, let's assume that is the issue and we'll just leave those two files alone for now.  Just to be safe, you may want to ignore this part as well:
          [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\ÐÞ¸´¹¤¾ß.exe]

          But go ahead and follow through with the rest and get back to me.


          As for your game file...some sites say it's malicious, some don't.  It's a tough call, but I had a feeling that it might be game-related, so I wanted to run it by you first.  If you don't think it's causing you any problems, then just leave it alone.

          Latagore (Topic Starter)

            Re: YT8A.exe
            « Reply #8 on: November 24, 2008, 05:30:19 PM »
            [rant]Erm. I have a problem. Combofix is gone, and before that, it gave me a *censored* of a lot of errors. It told me it needed to update, which I wasn't quite sure about. Then I closed it because I really wasn't sure if it might be a virus (as virus paranoid as I am), and then I opened it again, and I didn't select update, then it told me it expired, so I naturally clicked no to exit. Then I ran it again (all of these times using the instructed method) and I clicked Yes to continue with limited functionality. Then it told me that YOU HAVE RUN COMBOFIX FOR THE FIRST TIME. All I could think in my head was wut? So I clicked okay, and it told me it was scanning. That's when I really thought I was screwed over, I went over to open Firefox and my internet was gone! After closing the browser, I found that Combofix was GONE. Had to restart the computer to fix the whole mess.[/rant]

            IN SHORT: ComboFix told me a whole bunch of crud and prompts. I'm not quite sure they were what you were expecting me to click okay on, but my intuition says otherwise. ComboFix is gone, and I'm still where I was before, except -1. Thank you very much for taking the time to read.

            CBMatt (Mod & Malware Specialist)
            Re: YT8A.exe
            « Reply #9 on: November 25, 2008, 03:04:43 AM »
            Trying to do other things on your computer while ComboFix is scanning can cause possible complications.  It's also possible that the infection has started attacking it.  In any case, let's use a different program instead for now...

            Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

            Download The Avenger by Swandog46 and save it to your Desktop.
            • Extract avenger.exe from the Zip file and save it to your Desktop
            • Run avenger.exe by double-clicking on it.
            • Do not change any check box options!!
            • Copy everything in the Code box below, and paste it into the Input script here window:
            Code: [Select]
            Comment:

            Files to delete:
            C:\Program Files\Rainlendar2\Rainlendar2.exe
            c:\windows\system32\qonenx.dll
            c:\windows\system32\hvexalt.dll
            c:\windows\system32\delnicek.exe
            c:\windows\system32\kandoftt.dll
            c:\windows\system32\417871mm.dll
            c:\windows\system32\417871cqwz.dll
            c:\windows\system32\sysmxd.dll
            c:\windows\system32\kandawf.dll
            c:\windows\system32\woodkenk.exe
            c:\windows\system32\qensng.dll
            c:\windows\system32\cenvta.dll
            c:\windows\system32\zesttnsk.exe
            c:\windows\Fonts\AA31D5B0.DLL
            c:\windows\Fonts\45BB3148.EXE

            Folders to delete:
            C:\Program Files\Rainlendar2


            • Now click the Execute button.
            • Click Yes to the prompt to confirm you want to execute.
            • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
            • Your PC should reboot, if not, reboot it yourself.
            • A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
            • Add the Avenger log in your next post along with a new HijackThis log.

            Latagore (Topic Starter)

              Re: YT8A.exe
              « Reply #10 on: November 25, 2008, 02:20:30 PM »
              Hum. One of three things happened. I either cleared my computer of viruses with ComboFix, sent an old log, or I screwed up my computer.

              I'll leave it to you guys to interpret. :P

              [Saving space - attachment deleted by admin]

              CBMatt (Mod & Malware Specialist)
              Re: YT8A.exe
              « Reply #11 on: November 27, 2008, 01:30:44 AM »
              Sorry for the delay; the power in our apartment went out unexpectedly.

              It looks to me like the infections were simply cleaned out.  Several of those files were from your first set of logs, so some of them were probably already removed.  There's also a chance that when I had you make the CFScript, it may have actually worked, although it didn't seem to.  In any case, everything looks clean now.  You just need to fix this entry with HijackThis:

              O23 - Service: F9573AA8 - Unknown owner - C:\WINDOWS\Fonts\45BB3148.EXE (file missing)

              Now that this is taken care of, you really need to look into getting a good anti-virus (such as AVG or Avast!) and a good firewall (such as Comodo or ZoneAlarm).  You should only have one of each, of course.

              You should also clean out your System Restore.  This is to remove any infected files that have been backed up by Windows.  Please follow these steps...

              1.  Go to Start > Programs > Accessories > System Tools > System Restore
              2.  Click on System Restore Settings.
              3.  Check Turn off System Restore and click OK.
              4.  Restart your computer.
              5.  Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
              6.  Create a new restore point and close the program.

              System Restore will now be active again.  If you would like to learn more about System Restore, go here.

              Latagore (Topic Starter)

                Re: YT8A.exe
                « Reply #12 on: November 27, 2008, 02:37:18 PM »
                Thank you very much for taking the trouble. I have two things to say first: Should I send another log in case... or is it fine? And secondly, I've noticed you copy and paste a lot :P (SHH. I said nothing.)

                CBMatt (Mod & Malware Specialist)
                Re: YT8A.exe
                « Reply #13 on: November 29, 2008, 01:20:19 AM »
                I don't think another log will be necessary.  That HJT entry refers to a file that no longer exists, so I mainly had you remove it as a precaution and a matter of general clean-up.  And yes, I do a lot of copying and pasting.  This sometimes causes instructions to be a little awkward because everything doesn't always flow properly, but I promise I don't do it out of laziness.  Heh.  When one gets involved in malware removal, you compile and collect a lot of "canned speeches".  Because certain infections have specific removal instructions, doing this is faster, easier, and less confusing.

                In any case, I hope things continue to go well with your computer.  Oh, and I'm sorry for another delay.  This time, I got stuck with the in-laws because my wife's car broke down.  So, I'm more than a little behind on my work...  Take care.

                Latagore (Topic Starter)

                  Re: YT8A.exe
                  « Reply #14 on: November 29, 2008, 01:29:46 PM »
                  I had just forgotten something. What do I do about those Japanese programs? And should this go into a new thread or...?