killer virus

Rodney_Revenge · February 3, 2009, 3:12pm

hey guys. before you read i should let you know, this was a long drawn out process that has been destroying me for about 12 hours and i have worked endless nonstop to fix it.

So i was on my computer, randomly, not actually doing anything. and my firewall popped up, something about changing trusted registry entries. Obviously i blocked it. but they kept coming, i couldnt stop it. what it was doing was: every application no matter what it was or wether it was something already running or not was being targeted to either, change registry info, or something along those lines, or execute a global hook with a bunch of different .dll’s. now, some of them were menuhook.dll, MSCTF.dll, kesibahi.dll, and maybe a few others, im not quite sure of all of them anymore after all this. it got to the point where i couldnt do anything, it was just lagging me out all over the place and i couldnt do anything from accessing my coputer to typing an im in MSN to accessing my web browser. it took me hours to start to get the hang of things. now, i know this was a “wing it” job, and i know i probably did a few things wrong. but after a while, i realized i was seeing the same .dll’s and such come up on the firewall notifier. so, in my desperation and exaustion, i started to rename the all to obsenities with .dll at the end, then after i felt i got them all, i went into my C:/windows/system32 and found what i had renamed, and began to delete them (because A.) i really suck at regedit, and B.) it wouldnt let me do anything with regedit anyway, it took hours to cycle the files in my system32 folder as it was, there was no way of getting to anything in regedit.) i prettymuch have deleted them all, but MSCTF.dll remains, i kept renaming it, but it would always have the renamed file AND MSCTF.dll was still there, and the only one i couldnt delete was MSCTF.dll. After the others have been deleted, i started being able to get access to my computer, so i browsed around with good old google fu on MSCTF.dll and how to go about deleting it. turns out its a microsoft certified .dll and such, and also, a lot of malware and such renames itself to MSCTF.dll to dscuise it so no antivirus will get rid of it. now, my question herein lies, how do i fix this? and how do i get rid of MSCTF.dll? because that is the only one my firewall is still getting everytime i openn a program, usualy asking for a global hook.

With all of this said, i would like to point out, i am by no means a computer genius. i use it to game and such, hang around. i know some basic knowlege, i can get around easy, and know some good stuff of the hardware, and a good deal about other things. but i am by no means, good at all this and i get almost none of it really. SO please, help me out. If you could, not only reply on here, but i have an MSN Live messenger account and i would really love and appreciate it if you could respond to me on there, because it would be easier to go thru a process working WITH someone, rather than following a list of instructions, without being able to respond and recieve info, right away. My msn messenger is shadow.rayne@hotmail.com. thanks in advance for any help you can give, i have been fighting this thing relentlessly four hours on end, i actually conceeded to trying to restore to an earlier time, but, it wouldnt let me, it always came up at the end saying, system restore could not restore you PC to the date suggested, no files have been saved and no changes have been made. once again, thanks in advance, i really appreciate this, i love your software so much and its amazing you can provide such great software free, for cheap guys like my who dont have a job and cant afford one that you have to pay for.

Rodney_Revenge · February 3, 2009, 3:53pm

one last thing: sorry if i posted this in the wrong section, you have so many, and i just kinda found one that looked slightly appropriate at a glance and posted.

:ilovecomodo: :comodomarryme: (:AGL)

alaertsxan · February 3, 2009, 4:05pm

I think this is another zlob/virtumonde or so… try these steps

Back-up all your files and folders using a back-up program, for example Comodo Back-up
Download following programs and install them

Check for definition Updates (Important!).

http://i39.tinypic.com/2cfqqs6.png

http://i39.tinypic.com/zix5b7.png

http://i42.tinypic.com/8yt5w0.png

Allow each program to scan. Scan one at a time.

http://i43.tinypic.com/20hxd9j.png

http://i40.tinypic.com/2yzhced.png

http://i40.tinypic.com/2q8x17m.png

Let the programs clean the infections.

http://i39.tinypic.com/2wdc278.png

http://i42.tinypic.com/jua2dl.png

Reboot into normal mode and see if you find any remains of the virus
Download and install Hijackthis. Afterwards, do a system scan and safe a log file. A text file will open in notepad, safe this one and later upload it together with your post.
DO NOT FIX ANYTHING YET !!!

http://i40.tinypic.com/2nbblon.png

Please post back in this topic :

if you think your computer is still infected
The hijackthis log
the name of the malware the programs said

Thanks,

Xan

Rodney_Revenge · February 3, 2009, 5:42pm

starting to download it all now. i usually use ad-aware for the malware and such, but these are good too. i still believe (nefore i have run these scans) that my computer is infected, because as i amn downlaoding, MSCTF.dll is still trying to add global hooks to all of them as they are being downloaded. should get everything posted in a while, but give me some time, as fulls scans take a bit and i have some prescheduled things to take care of as well, but this will be up before tomorrow i promise you.

alaertsxan · February 3, 2009, 5:50pm

Sure :), I’ll wait for the results…

Xan

Rodney_Revenge · February 4, 2009, 4:35am

hey, just finished doing all that you asked. the malware scans picked up a good number of stuff, which is great because ad-aware wasnt picking up any, so yay. just rebooted after the scans and ran hijackthis, and saved a log file. So far, things are looking much better in the aspect that i havent seen MSCTF attempting to add any global hooks pop up on my firewall since my last reboot. however i will still post the hijackthis log, as there might be a few things wrong. it will be attached. Also, i would like to know if it is alright to run a scan using comodo’s registry cleaner, because i know, in renaming those .dll’s and such when i was franctically running about, i probably hurt a few things lol. and i thought maybe comodo’s registry cleaner might be a good thing to run?

OK heres the hijackthis log, thanks for taking the time to help!
:ilovecomodo:

[attachment deleted by admin]

Rodney_Revenge · February 4, 2009, 7:55am

had an instance of MSCTF trying to add a global hook again when i started up left4dead earlier to see if it would pop up, so i guess its not fully resolved, but, my computer is running better.

alaertsxan · February 5, 2009, 8:47am

These things seem suspicious to me

O4 - HKUS\S-1-5-19..\Run: [sedolebato] Rundll32.exe “C:\WINDOWS\system32\gisakoru.dll”,s (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [sedolebato] Rundll32.exe “C:\WINDOWS\system32\gisakoru.dll”,s (User ‘NETWORK SERVICE’)

These ones could be unwanted to
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O4 - Startup: PowerReg Scheduler.exe

Please do not fix anything yet, but please upload “C:\WINDOWS\system32\gisakoru.dll” to rapidshare and pm me the link to it. Thanks
Afterwards run A-squared

(do not forget to update first ;))

Xan

Rodney_Revenge · February 8, 2009, 1:19pm

ummm gisakoru.dll is no longer on my comp. that was one of the files i had renamed and deleted.

alaertsxan · February 8, 2009, 1:23pm

Are you sure it didn’t recover ?

Also, if not, please delete them in hijackthis

Then try the scan of A-squared

Xan