TechSpot

Computer infected.

By Ray B
Oct 23, 2006
  1. New to TechSpot, and definitely not a computer guru. I am hoping to get some help with my computer. I have a year old computer that my kids use more than I do, so I don't know the specifics of my PC, but it is an HP with XP Home Edition.

    Anyway, the reason for my visit to this website is that as of about a week ago, there is a bubble telling me that my computer is infected with spyware. I went out and bought Norton antivirus, antispyware and firewall, and ran a full scan and there were some things that were found and deleted, but that annoying bubble keeps coming up. More annoying are the Symantec banners filling my screen with messages that my email could not be sent for some reason that I don't remember (all to people I don't even know).

    Can anyone help????

    Thanks

    Ray
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    I have moved your thread to our security and the web forum and changed the thread title to something a little more appropriate.

    I'm afraid to say you should have saved your money as Norton is a pile of crap.

    Not only does it slow your system down, but it's not very good at killing viruses either.

    Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :wave: :wave:


    This thread is for the use of Ray B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Ray B

    Ray B TS Rookie Topic Starter Posts: 41

    Thanks, I got the information, but I have another question. It says to make sure that I have the updated definitions, what does this mean and where do I get them???

    Thanks again
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That simply means you have to make sure you have the latest updates for your antivirus programme and any other programme that's in the instructions.

    For example, Ad-Aware SE Personal allows you to check online for any updates to its list of infections, called the definition file. When you tell Ad-Aware to check for updates it opens a connection to its website; if any updates are found it downloads them, and therefore its database is updated. Typically updates are available from time to time. However, in the case of your antivirus programme and also the AVG Antispyware programme, these are usually released daily.

    Regards Howard :)

    This thread is for the use of Ray B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. Ray B

    Ray B TS Rookie Topic Starter Posts: 41

    I turned on my PC last night hoping to do some of what is being said to do. I guess I should have mentioned that when I initially ran NAV, it found one item "requiring attention", but recommended to "ignore it". That item is Adware.Sheriff, and now BraveSentry has helped itself onto my computer. I've been reading up on it, and it sounds as if it may be difficult to remove.
    Anyway, in my search here, it appears that there are several posts with different ways of fixing my problem.
    Another item to mention is that my task bar has been disabled by the administrator.

    I'm actually doing the process given by howard_hopkinso as I type on my work PC.

    Could BraveSentry be the cause of some of my problems? By the way, I am probably going to uninstall Norton, as it is causing a lot of email proxy messages to pop up on my screen saying that the email I sent was to delivered.

    As a newbie here, thanks for all the help, and I hope I am posting correctly; if not, please let me know.

    thanks

    Ray
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, Bravesentry could well be part of your problems.

    Follow the instructions and I'll try and get your system cleaned up.

    Regards Howard :)

    This thread is for the use of Ray B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. Ray B

    Ray B TS Rookie Topic Starter Posts: 41

    Thank you, I will post my logs as soon as I get them.
    I'm sorry to keep asking these (hopefully not stupid) questions, but I installed smitfrauld, vundo, virtumundo, and look2me, but couldn't install the other items suggested by RealBlackStuff. Will these programs interfere with your instructions? Since NAV is the only antivirus program I have installed on my PC, it is running a complete scan, so I haven't gotten to SSD yet.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    What other programmes suggested by RBS are you talking about?

    You only need to follow the instructions in my Thread.

    Regards Howard :)

    This thread is for the use of Ray B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. Ray B

    Ray B TS Rookie Topic Starter Posts: 41

    It's time for me to go home for the day, and I was only able to complete the Ad-Aware scan. My question is that there are 18 objects in the quarantine file; should they be there or should they be deleted?
    I was not able to run Spybot; it looks like I didn't install it correctly. I will install it when I get home.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Leave them in quarantine for the time being.

    Once your system is clean, provided you have no problems, you can delete them.

    Regards Howard :)

    This thread is for the use of Ray B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. Ray B

    Ray B TS Rookie Topic Starter Posts: 41

    Thanks,

    Ray

    OK, it's ******* me again. I ran HJT but it appears I did it wrong, because I tried to upload it and it said there was an error.

    I'm looking at how to post your HijackThis log as an attachment????

    can you explain to me in the simplest terms as to how to save the log so that I can get it to you, please.

    OK I think I did it right, here they go and please let me know what you find.
    Thanks

    Ray
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    _mzu_stonedrv3
    Microsoft ASPI Manager

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    _mzu_stonedrv3.exe
    ibm00004.exe
    aspi1794110.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

    O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe

    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe"

    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)

    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)

    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

    O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\gmcjpq.dll

    O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi1794110.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\system32\aspi1794110.exe
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe
    c:\windows\system32\_mzu_stonedrv3.exe

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    C:\WINDOWS\system32\gmcjpq.dll

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log as well as an AVG Antispyware log.

    Regards Howard :)

    This thread is for the use of Ray B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. Ray B

    Ray B TS Rookie Topic Starter Posts: 41

    Thanks for getting back to me and for helping me out here. I have a question before I do this step.

    I was able to install Spybot onto my computer; shall I run it prior to doing the above mentioned step??

    It is also asking me if I want to create a complete backup of my registry, should I do this or do I not need it?

    as usual...Thanks

    Sorry but kind of confused so here is another question,

    In your instructions, you say to locate and delete the following BOLD files and/or directories (if there)...

    2 of the 3 items have some characters in bold, but one doesn't. Is this one to be deleted as well??

    Thank you
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, run SS&D from safe mode, then follow the rest of the instructions.

    As for the bold issue. I simply forgot to put one of the nasty .exe files in bold. Fixed now.

    Regards Howard :)

    This thread is for the use of Ray B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. Ray B

    Ray B TS Rookie Topic Starter Posts: 41

    OK, I did the process as you instructed, and am currently running AVG again to give you an updated list.

    I believe I have to run HJT again to have a fresh list as well (?).

    I had the list of things for HJT to fix, BUT, a couple of the items were different, such as:
    O21 - SSODL: DCOM (it didn't say C:\WINDOWS etc.; instead it just said "(no file)". I hope I didn't mess up, but since everything else was the same I checked the fix it box)
    O23 - Service: Microsoft ASPI Manager (was not there)

    Also, the 3 files and/or directories that were to be deleted were not there.

    I will post the results to you soon.

    Thank you
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, I require fresh HJT and AVG Antispyware logs.

    Regards Howard :)

    This thread is for the use of Ray B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. Ray B

    Ray B TS Rookie Topic Starter Posts: 41

    logs

    OK, I think I did this right. Please let me know what I need to do.

    Thanks

    Ray
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    Viewpoint
    Viewpoint Manager

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    ViewMgr.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Viewpoint (delete the entire folder)

    Delete all files in AVG Antispyware quarantine.

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know if you're still having any problems.

    Regards Howard :)

    This thread is for the use of Ray B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  19. Ray B

    Ray B TS Rookie Topic Starter Posts: 41

    thanks,
    will do.

    Ray

    should I delete all the previous logs.
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, you can safely delete all the previous log files.

    I think we're almost done anyway.

    Regards Howard :)

    This thread is for the use of Ray B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  21. Ray B

    Ray B TS Rookie Topic Starter Posts: 41

    I'm at Remove Programs and there is Viewpoint Media Manager; should I delete this as well??
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, uninstall anything to do with Viewpoint.

    Regards Howard :)

    This thread is for the use of Ray B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  23. Ray B

    Ray B TS Rookie Topic Starter Posts: 41

    Sorry, but I forget: am I to save the HJT notepad before closing it??
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It doesn't matter about that.

    Once you've completed the instructions just post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Ray B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  25. Ray B

    Ray B TS Rookie Topic Starter Posts: 41

    How do I delete files in AVG?
     
Topic Status:
Not open for further replies.
