TechSpot

175 viruses-2 computers infected. Did I get rid of them?

By CelineTherese
Jan 6, 2007
  1. Hi there! I'm Celine. I wonder if someone out there can help me? I got my 2 computers infected because I didn't have any firewall, no Spybot, no Ad-aware, just AVG Free updated.

    After finding your forum and reading up on the threads I followed Howard's advice and instructions for preliminary virus removal.

    Ad-aware found 175 critical objects right away, Spybot 23, Spyware Doctor 21! Among the viruses named were: Trojan Dumaru, trojan PSW.QQ Pass.AM, trojan generic, trojan Win32, Worm Bagle, SmitFraud, Zango, Consul-Info b.v., Bearshare, WildTangent, Dialer.Axload, and many others. What a mess. I did follow all Howard's instructions for preliminary removal. Below are my HJT logs; the one called HJT log Compaq is computer #2. Can you tell if I did it right and got rid of all the viruses? :dead:

    Excuse me.... here are the attachments.

    computer 1.

  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    I've just looked at your HJT log and your system is infected with at least one worm.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If you decide you want to clean your systems, do the following. Disconnect your systems from each other, if they are networked.

    I will need a separate HJT from each system, plus an AVG Antispyware log from each system.

    Regards Howard :wave: :wave:

    This thread is for the use of CelineTherese only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. CelineTherese

    CelineTherese TS Rookie Topic Starter Posts: 28

    Hello again. Hey, I'm really sorry, but I can't seem to post 2 attachments; only 1 gets accepted. What am I doing wrong? Another question: how do I save an AVG log?
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I thought you'd read the instructions in the preliminary virus removal lol.

    All the instructions you need for AVG Antispyware etc. are in that thread.

    I don't know why you can't attach more than one attachment, so let's do it this way. We'll clean each system separately. So let's do system 1 first, then we'll move on to system 2.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    ppl.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SERV:80 <Fix this if you didn't set this proxy yourself or you don't know what it is.

    O4 - HKCU\..\Run: [agent] C:\WINDOWS\system32\ppl.exe

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O9 - Extra button: Advisor - {100898FF-EABB-4177-8927-4D2AD7BD7391} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)

    O16 - DPF: {510AAE6C-3480-43B7-BE97-2DCBC2542FEB} (StuartClient Control) - https://webphone.globequest.com.ph/webphone/common/Innove_IAX.CAB

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD1C5F7-FBBA-4999-9E4E-C6705F6FA680}: NameServer = 212.17.192.216,212.17.192.56 <Only fix this if it doesn't belong to your ISP.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\system32\ppl.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and an AVG Antispyware log.

    Regards Howard :)

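Howard's fix list above asks the poster to judge a handful of HijackThis line types by the same rules a helper applies by eye: a ProxyServer the user did not set, a Run entry launching an unfamiliar executable from system32, O9 entries whose target file is missing, O17 NameServer addresses that are not the ISP's, and an O23 service with an unknown owner. The script below is an added example, not part of this thread and not part of the HijackThis tool; it parses a small constructed log modelled on the lines quoted in the thread and reports which entries deserve a question. The expected nameserver list and the known-good autostart set are assumptions chosen for the example (documentation addresses and the sistray.exe entry later judged harmless in the thread), not real data from any ISP.

```python
"""Triage helper for HijackThis-style log lines (added example, not from
the thread or the HijackThis project).  It applies the rules a forum helper
uses when reading an HJT log and returns the lines that need a follow-up
question rather than deciding on its own that something is malicious."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SERV:80
O4 - HKCU\..\Run: [agent] C:\WINDOWS\system32\ppl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD1C5F7-FBBA-4999-9E4E-C6705F6FA680}: NameServer = 212.17.192.216,212.17.192.56
O23 - Service: DirectX Service (DirectMeqq) - Unknown owner - C:\WINDOWS\
"""

# ASSUMPTION for the example: the DNS servers the user's ISP really hands out.
# In the thread this is exactly what the poster has to find out before fixing
# the O17 line.  These are RFC 5737 documentation addresses, not a real ISP.
EXPECTED_NAMESERVERS = {"192.0.2.1", "192.0.2.2"}

# ASSUMPTION: autostart programs the helper already recognises as benign
# (sistray.exe is the SiS tray utility judged harmless later in the thread).
KNOWN_GOOD_AUTOSTART = {"sistray.exe"}

# Every HJT line starts with a section code such as R1, O4, O17, O23.
SECTION_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    kind: str      # HJT section code
    reason: str    # why a helper would ask about this line
    line: str      # the original log line


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None if nothing stands out."""
    line = line.strip()
    m = SECTION_RE.match(line)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind == "R1" and "ProxyServer" in body:
        # A proxy the user never configured redirects all browsing.
        return Finding(kind, "proxy server configured; confirm you set it yourself", line)

    if kind == "O4":
        # Autostart entry: look at the executable name only.
        exe = body.rsplit("\\", 1)[-1].strip().lower()
        if exe not in KNOWN_GOOD_AUTOSTART:
            return Finding(kind, f"unrecognised autostart program {exe}", line)

    if kind == "O9" and "(file missing)" in body:
        # Harmless on its own, but a dead entry worth cleaning up.
        return Finding(kind, "entry points at a missing file; dead entry", line)

    if kind == "O17" and "NameServer = " in body:
        servers = {s.strip() for s in body.split("NameServer = ", 1)[1].split(",")}
        unexpected = sorted(servers - EXPECTED_NAMESERVERS)
        if unexpected:
            return Finding(kind, "DNS servers not on the expected list: " + ", ".join(unexpected), line)

    if kind == "O23" and "Unknown owner" in body:
        # Services with no identifiable vendor get a closer look.
        return Finding(kind, "service with unknown owner", line)

    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of an HJT log, in order."""
    findings = []
    for raw in log_text.splitlines():
        f = check_line(raw)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.reason}\n     {f.line}")
```

Run as a script it prints five flagged lines and silently passes the sistray.exe entry; the O9 line is reported as a dead entry rather than an infection, matching how the thread treats "(file missing)" items.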
     
  5. CelineTherese

    CelineTherese TS Rookie Topic Starter Posts: 28

    Hi, I'm back. This is for computer #2: I followed your instructions and also deleted the objects you named except for this one:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD1C5F7-FBBA-4999-9E4E-C6705F6FA680}: NameServer = 212.17.192.216,212.17.192.56 <Only fix this if it doesn't belong to your ISP.

    cause I don't know if it belongs to my ISP. How do I find out?

    Here are the attachments now:
     
  6. Rik

    Rik Banned Posts: 4,985

    A trace of 212.17.192.216,212.17.192.56 comes up with ns4.albacom.net. If you do not recognise it then it should be removed.

    Other than that entry, your HJT log looks clean.

    Your problem with posting 2 attachments may have been caused by them both having the same name, perhaps?


     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is clean, but your system is infected with a dialer. AVG Antispyware should clean this, provided it is run correctly.

    Go HERE and follow the instructions exactly for AVG Antispyware. Post a fresh AVG Antispyware log when done.

    Regards Howard :)

     
  8. CelineTherese

    CelineTherese TS Rookie Topic Starter Posts: 28

    O.K. Here's the log for AVG Antispyware. How did I do?:giddy:

    I wonder if this is a problem? A smiley face pops up every once in a while in the right hand side of the icon tray at the bottom of the start menu. Today it changed to a fish getting its head sawed off. Then it disappears. What is it?

    Also there's this note pad that also keeps popping up saying:

    [.ShellClassInfo]LocalalizedResourceName=@%SystemRoot%\System32\shell32.dll,-21787
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Delete all files in AVG Antispyware quarantine. It's killed the dialer this time.

    I'm not sure what that is, to tell you the truth.

    Do the following.

    Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here.

    To recap. I need to see a fresh HJT log as well as the combofix and autoruns logs.

    Regards Howard :)

     
  10. CelineTherese

    CelineTherese TS Rookie Topic Starter Posts: 28

    O.K. Howard, here are the logs you requested. Hope everything's alright now.:giddy:
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Take a look at this thread HERE, it may help with the [.ShellClassInfo]LocalalizedResourceName=@%SystemRoot%\System32\shell32.dll,-21787 problem, which is caused by some kind of corruption apparently and not by malware.

    Your HJT log is still clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
     
  12. CelineTherese

    CelineTherese TS Rookie Topic Starter Posts: 28

    Computer #1

    Thanks Howard! I'm really glad we got this computer fixed, no more virus problems. The funny face and the fish haven't come back, however; just that note pad thing. I'll check it out. Can we fix computer #1?

    Here's the HJT log: sorry, can't upload the file, it says "upload error". Will try again later; only the AVG log got accepted.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Ok mate.

    If you continue to have difficulties with attaching the HJT log, you can copy and paste it and I'll delete it when I've finished with it.

    Regards Howard :)

     
  14. CelineTherese

    CelineTherese TS Rookie Topic Starter Posts: 28

    Reply to Howard re: attachment trouble

    Thanks Howard, here it is:




    still trying to send an attachment: o.k. this one worked! It's a fresh HJT log for today.:) :)
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    DirectX Service (DirectMeqq) <Disable either the service name or the name in brackets.

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    directx.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O23 - Service: DirectX Service (DirectMeqq) - Unknown owner - C:\WINDOWS\

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\system32\directx.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know how the system is running.

    Regards Howard :)

     
  16. CelineTherese

    CelineTherese TS Rookie Topic Starter Posts: 28

    O.K. Howard, here's a fresh HJT log. I did all the stuff you asked me to do. :wave:

    After I disabled the directx.exe though, it didn't show up anymore in HJT nor in system32. Is it a virus? After the removal of 83 critical objects (one of them called Generic trojan) by Spyware Doctor last week, this computer did stop working completely. I didn't want to reformat the computer because of all the important stuff I have on it, so I just tried recovering it from the original CD. I lost all the updates after service pack 2 though, and now it doesn't update automatically anymore.

    Hey, the attachments seem to be working now. Hmmm...just can't figure it out why sometimes it doesn't work.
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is now clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  18. CelineTherese

    CelineTherese TS Rookie Topic Starter Posts: 28

    Thanks a million Howard! You're #1!

    That's great news! Thanks Howard for everything! You may have heard it a million times but I really do appreciate your taking the time to help out a newbie like me! You're #1!:D
     
  19. CelineTherese

    CelineTherese TS Rookie Topic Starter Posts: 28

    New threat, Howard?

    Hello, again Howard. I hope I'm not disturbing you but you said if there are any new problems I can post here.

    There's a new icon that appeared in my icon tray, and when I click on it, it has no name, no version number, and no application.

    It has some sort of menu but none of it works, only the "about" which when I click on it says: "SIS- Best Choice! version unknown "

    On startup, a picture appeared of the same thing but I found it in my startup menu and eliminated it and it disappeared.

    In my HJT log it was registered as Startup-jpeg, but after I cancelled it from startup it hasn't come back. Can you please take a look at my HJT log? However, it's still on my desktop in the icon tray and I don't know if it's supposed to be there.

    Microsoft did have an optional update for hardware which I downloaded. Is it this thing? But it doesn't show up in updates.:suspiciou
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is clean.

    If you want to get rid of the tray icon, fix this entry with HJT.

    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

    Regards Howard :)

     
  21. CelineTherese

    CelineTherese TS Rookie Topic Starter Posts: 28

    keyhook.exe problem

    Sorry, Howard, don't want to be a pain, but all kinds of funny things are popping up all over the computer. And on startup Zonealarm warns that "SiS compatible Super VGA Keyboard Daemon" is trying to access the trusted zone. I've never heard of that keyboard before. The application associated with it is keyhook.exe. Is this a virus problem? Also there are these desktop configuration notes appearing all over the computer in all the folders. I tried to delete them all. Here's a new HJT log. Sorry for the problem. By the way, should I get rid of those two "file missing" entries in HJT, or doesn't it matter?
     
  22. Gars

    Gars TS Enthusiast Posts: 228

    It looks like it's OK.
    Did you have any Acer things on the PC?
    Maybe "SiS compatible Super VGA Keyboard Daemon" is related to this keyhooker.
    Anyway, "Super VGA Keyboard Daemon" sounds strange to me.

    Regards
     
  23. CelineTherese

    CelineTherese TS Rookie Topic Starter Posts: 28

    re: Acer

    Hi, it sounds strange to me too, especially since in all the time I've used this computer it's never done that before. It is a laptop Acer Aspire 3502 NLCi though. Looking it up in Everest, the keyboard is a standard 101/102-key or Microsoft Natural PS/2 Keyboard. Doesn't say anything about Daemon.

    Do you think it has to do with that hardware update from Microsoft? It was an optional update. However all the antivirus programs don't show any viruses.
     
  24. Gars

    Gars TS Enthusiast Posts: 228

    Look at this.
    You say that your laptop is an Acer Aspire.
    It's OK and I don't see any problem with this keyhooker (except the name).

    Regards
     
  25. CelineTherese

    CelineTherese TS Rookie Topic Starter Posts: 28

    Thanks Gars, that's good news. Can you please tell me how to get rid of the desktop notes that are appearing in all the folders of the computer. I cancel them but they just keep coming back.
     