
Help! Think Point Virus now HDD Plus Virus!



Help! Got infected yesterday with the Think Point virus on my Windows XP system. Finally cleaned it with Malwarebytes, but now every time the computer boots up, the "HD Plus" fake security system loads on my desktop. Lots of phony error messages (hard drive is full, not enough RAM, etc.). Tried three times to remove it with Malwarebytes but it didn't work. Any ideas, or has anyone ever heard of "HD Plus"? Much thanks.


Hello tracyvale

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.


Will try this and get back to you. Thanks a lot!


HiJack This! Forum Policy

We will not be party to obvious use of keygens, cracks, warez or other illegal means of downloading software, music, videos, etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

For you this means BitTorrent; please uninstall that before proceeding.

===========================

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    O4 - HKLM..\Run: [Qcafiy] C:\WINDOWS\omilehefo.DLL File not found
    O4 - HKCU..\Run: [6531671] C:\Documents and Settings\Tracy Vale\Local Settings\Temp\6531671.exe (Hddtools Corporation)
    O4 - HKCU..\Run: [cdkcfKSKdQ.exe] C:\Documents and Settings\Tracy Vale\Local Settings\Temp\cdkcfKSKdQ.exe (MS Corporation)
    O4 - HKCU..\Run: [Vhahusig] C:\WINDOWS\msvcet.DLL File not found
    O20 - Winlogon\Notify\jkkiiHAr: DllName - jkkiiHAr.dll - File not found
    O20 - Winlogon\Notify\nnnlklj: DllName - nnnlklj.dll - File not found
    O28 - HKLM ShellExecuteHooks: {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\WINDOWS\System32\nnnlklj.dll File not found
    [2010/12/07 17:50:24 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\gqlj.sys
    [2010/12/07 15:30:53 | 000,000,006 | ---- | M] () -- C:\Documents and Settings\Tracy Vale\Application Data\completescan
    [2010/12/07 15:13:15 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\tfghnwx.sys
    [2010/12/07 11:04:26 | 000,000,010 | ---- | M] () -- C:\Documents and Settings\Tracy Vale\Application Data\install
    [2008/05/13 10:30:55 | 000,362,286 | -HS- | C] () -- C:\WINDOWS\System32\ufrkhufp.ini
    [2008/05/13 10:29:28 | 001,173,960 | -HS- | C] () -- C:\WINDOWS\System32\DcKkUFii.ini
    [2008/05/13 10:29:28 | 001,173,642 | -HS- | C] () -- C:\WINDOWS\System32\DcKkUFii.ini2
    [2008/01/04 14:07:29 | 000,058,053 | -HS- | C] () -- C:\WINDOWS\System32\vvvwa.ini2
    [2007/08/11 08:37:25 | 001,688,264 | -HS- | C] () -- C:\WINDOWS\System32\rtstv.ini2
    [2007/08/09 14:12:28 | 001,738,612 | -HS- | C] () -- C:\WINDOWS\System32\rtstv.ini
    [2007/08/06 19:19:36 | 000,000,405 | -HS- | C] () -- C:\WINDOWS\System32\klxesquk.ini

    :Files
    C:\Windows\tasks\at*.job
    C:\WINDOWS\system32\gkydrjcr.exe
    C:\WINDOWS\system32\wdeafbvx.exe
    C:\WINDOWS\system32\youhsukm.exe
    C:\WINDOWS\system32\wxrllyqo.exe
    C:\WINDOWS\system32\hixehtom.exe
    C:\WINDOWS\system32\hfxqipjt.exe
    C:\WINDOWS\system32\hakpuwpk.exe

    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\Program Files\BitTorrent\bittorrent.exe"=-
    "C:\WINDOWS\system32\gkydrjcr.exe"=-
    "C:\WINDOWS\system32\wdeafbvx.exe"=-
    "C:\WINDOWS\system32\youhsukm.exe"=-
    "C:\WINDOWS\system32\wxrllyqo.exe"=-
    "C:\WINDOWS\system32\hixehtom.exe"=-
    "C:\WINDOWS\system32\hfxqipjt.exe"=-
    "C:\WINDOWS\system32\hakpuwpk.exe"=-

    :Commands
    [emptytemp]
    [purity]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

================================Malwarebytes' Anti-Malware=================================

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

================================Online scan=================================

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic
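As an added example (not from this thread, and not part of OTL or Malwarebytes), here is a small Python triage script that parses OTL-style O4/O20/O28 lines like the ones in the fix above and flags the two things that fix is keyed on: autorun targets reported as "File not found" (orphaned entries left behind after the Think Point cleanup) and targets that live in a user's Temp directory (where the HDD Plus dropper was running from). The sample lines are constructed from entries quoted in the fix plus one benign ctfmon.exe entry, also constructed, so the filter has something to pass.

```python
import re

# Constructed sample: O4/O20/O28 lines quoted in the fix script in this thread,
# plus one benign ctfmon.exe entry (constructed) that should NOT be flagged.
SAMPLE_LINES = """\
O4 - HKLM..\\Run: [Qcafiy] C:\\WINDOWS\\omilehefo.DLL File not found
O4 - HKCU..\\Run: [6531671] C:\\Documents and Settings\\Tracy Vale\\Local Settings\\Temp\\6531671.exe (Hddtools Corporation)
O4 - HKCU..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe (Microsoft Corporation)
O20 - Winlogon\\Notify\\jkkiiHAr: DllName - jkkiiHAr.dll - File not found
O28 - HKLM ShellExecuteHooks: {E1759A31-E627-4758-9562-6899DF36C9C2} - C:\\WINDOWS\\System32\\nnnlklj.dll File not found
"""

# One regex per OTL section. The lazy ".+?" path group lets the optional trailing
# "(vendor)" or "File not found" marker be recognised even when the path has spaces.
PATTERNS = {
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?)"
                     r"(?: \((?P<vendor>[^)]*)\))?(?P<missing> File not found)?$"),
    "O20": re.compile(r"^O20 - Winlogon\\Notify\\(?P<name>[^:]+): DllName - (?P<path>.+?)"
                      r"(?P<missing> - File not found)?$"),
    "O28": re.compile(r"^O28 - (?P<hive>HK\w+) ShellExecuteHooks: (?P<name>\{[^}]+\}) - "
                      r"(?P<path>.+?)(?P<missing> File not found)?$"),
}

# Matches "...\Local Settings\Temp\..." (XP) or any "...\Temp\..." component.
TEMP_DIR = re.compile(r"\\(local settings\\)?temp\\", re.IGNORECASE)


def parse_line(line):
    """Return a dict (section, name, path, missing, ...) for a recognised O4/O20/O28 line, else None."""
    for section, pat in PATTERNS.items():
        m = pat.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["section"] = section
            entry["missing"] = bool(entry["missing"])  # the marker text becomes a flag
            return entry
    return None


def reasons_for(entry):
    """Reasons an autorun entry deserves a second look; an empty list means nothing was flagged."""
    reasons = []
    if entry["missing"]:
        reasons.append("target file not found (orphaned autorun left by removed malware)")
    if TEMP_DIR.search(entry["path"]):
        reasons.append("runs from a temp directory (legitimate startup items rarely do)")
    return reasons


def triage(text):
    """Parse OTL log text and return only the entries that were flagged, with their reasons."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not an O4/O20/O28 line; other sections are out of scope here
        reasons = reasons_for(entry)
        if reasons:
            flagged.append({"section": entry["section"], "name": entry["name"],
                            "path": entry["path"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(f"{hit['section']:>3} {hit['name']:<40} {hit['path']}")
        for reason in hit["reasons"]:
            print(f"      - {reason}")
```

Run it against a full OTL.Txt to get a shortlist; the flagged names are exactly the ones a helper would move into the :OTL section of a fix, while everything else still needs a human look at the vendor string and path.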


Tried cutting / pasting your info into OTL twice and both times it didn't finish. Program hangs. Is there a special setting I need to do to OTL first? Check or uncheck boxes? By the way, HDD PLUS no longer starts on startup but I'm getting a lot more popups and website redirects, so I'm sure that the Think Point virus left its mark. Thank you!


OK. Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.


Tried to run ComboFix, but first tried to uninstall my AVG 8.5 Free and I got this error message:

Local machine: installation failed

Installation:

Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....

Error 0x80070005


One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you still want to clean it please do the following

===================

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


I did clean the machine with TDSSKiller and it did find and cure a rootkit infection. (See attached log file.) I have so many programs on this computer and it is 6 years old, so maybe I will just buy a new one rather than reformatting. Is there any way to tell if my computer is safe even if there are no problems? If I change my passwords on a clean computer, can I never use the banking or PayPal sites again from this computer? Thank you, and please tell me how much I owe you for your help.

TDSSKiller.2.4.11.0_11.12.2010_16.45.57_log.txt


Can I see the TDSSKiller log, please?

Yes you can install either one.

Also, just because there aren't any apparent problems, you are more than likely still infected.

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

=====

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan inside archives.
  • Click Scan
  • Wait for the scan to finish
  • Click on the option that says Export to text file.
  • Save it to your desktop and post the contents here in your next reply.
  • Once the log is saved click the option to delete quarantined threats and Uninstall application on close.


Here is the log you requested.

I did run Malwarebytes and got no infections.

Log attached.

I probably will buy a new computer just to be safe.

But I have A LOT of files, documents, photos, video, etc. on my old computer that I want to transfer to my new computer.

Is this safe?

Much thanks

Tracy

TDSSKiller.2.4.11.0_11.12.2010_16.45.57_log.txt

mbam_log_2010_12_11__12_25_02_.txt


It will be once we are done.

Please do the rest of my instructions, this part please:

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check next options: Remove found threats and Scan inside archives.
  • Click Scan
  • Wait for the scan to finish
  • Click on the option that says Export to text file.
  • Save it to your desktop and post the contents here in your next reply.
  • Once the log is saved click the option to delete quarantined threats and Uninstall application on close.


I have no fee; I am a volunteer for Malwarebytes.

I only get paid through donations, but it is not necessary.

You can use your computer like normal now.

Not saying it was compromised but the type of infection you had present had that potential.

=======

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the Run box and click OK. Note the space between the X and the Uninstall; it needs to be there.

======Next======

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" then click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe to install the newest version.

Delete\uninstall anything else that we have used that is leftover.

After that you're all set.

===The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - Some great guidelines to follow to prevent future infections; please read the Prevention article by Miekiemoes.

How did I get infected in the first place? Also this one by Tony Klein.

If your computer is slow Things you can do if your computer is slow.

PC Safety and Security - What Do I Need? Security suggestions and general hints and tips for PC security.

File sharing program dangers - Reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent, etc.

===Free antimalware tools used for on demand scanning and cleaning no real time unless purchased===

Malwarebytes Antimalware

SUPERAntiSpyware

===Free antivirus links===

This is antivirus and antispyware.

Microsoft Security Essentials

This is free antispyware protection and Antivirus protection.

AVG free

This is just antivirus protection.

Antivir

This is antivirus and antispyware protection.

Avast
