Computer infected.


Ray B

New to TechSpot, and definitely not a computer guru. I am hoping to get some help with my computer. I have a year-old computer that my kids use more than I do, so I don't know the specifics of my PC, but it is an HP with XP Home Edition.

Anyway, the reason for my visit to this website is that as of about a week ago, there is a bubble telling me that my computer is infected with spyware. I went out and bought Norton Anti-Virus, anti-spyware and firewall, and ran a full scan. There were some things that were found and deleted, but that annoying bubble keeps coming up. More annoying, the Symantec banners are filling my screen with messages that my email could not be sent for some reason that I don't remember (all to people I don't even know).

Can anyone help?

Thanks

Ray
 
Hello and welcome to Techspot.

I have moved your thread to our security and the web forum and changed the thread title to something a little more appropriate.

I'm afraid to say you should have saved your money as Norton is a pile of crap.

Not only does it slow your system down, but it's not very good at killing viruses either.

Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:


This thread is for the use of Ray B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks, I got the information, but I have another question. It says to make sure that I have the updated definitions. What does this mean and where do I get them?

Thanks again
 
That simply means you have to make sure you have the latest updates for your antivirus programme and any other programme that's in the instructions.

For example, Ad-Aware SE Personal allows you to check online for any updates to its list of infections, called the definition file. When you tell Ad-Aware to check for updates it opens a connection to its website; if any updates are found it downloads them, and its database is therefore updated. Typically updates are available from time to time. However, in the case of your antivirus programme and also the AVG Antispyware programme, these are usually released daily.

Regards Howard :)

 
I turned on my PC last night hoping to do some of what is being said to do. I guess I should have mentioned that when I initially ran NAV, it found one item "requiring attention", but recommended to "ignore it". That item is Adware.Sheriff, and now BraveSentry has helped itself onto my computer. I've been reading up on it, and it sounds as if it may be difficult to remove.
Anyway, in my search here, it appears that there are several posts with different ways of fixing my problem.
Another item to mention is that my task bar has been disabled by the administrator.

I'm actually doing the process given by howard_hopkinso as I type on my work PC.

Could BraveSentry be the cause of some of my problems? By the way, I am probably going to uninstall Norton, as it is causing a lot of email proxy messages to pop up on my screen saying that the email I sent was not delivered.

As a newbie here, thanks for all the help, and I hope I am posting correctly; if not, please let me know.

thanks

Ray
 
Yes, Bravesentry could well be part of your problems.

Follow the instructions and I'll try and get your system cleaned up.

Regards Howard :)

 
Thank you, I will post my logs as soon as I get them.
I'm sorry to keep asking these (hopefully not stupid) questions, but I installed smitfraud, vundo, virtumundo, and look2me, but couldn't install the other items suggested by RealBlackStuff. Will these programs interfere with your instructions? Since NAV is the only antivirus program I have installed on my PC, it is running a complete scan, so I haven't gotten to SSD yet.
 
What other programmes suggested by RBS are you talking about?

You only need to follow the instructions in my Thread.

Regards Howard :)

 
It's time for me to go home for the day, and I was only able to complete the Ad-Aware scan. My question is that there are 18 objects in the quarantine file; should they be there or should they be deleted?
I was not able to run Spybot. It looks like I didn't install it correctly; I will install it when I get home.
 
Leave them in quarantine for the time being.

Once your system is clean, provided you have no problems, you can delete them.

Regards Howard :)

 
Thanks,

Ray

OK, it's ******* me again. I ran HJT but it appears I did it wrong, because I tried to upload it and it said there was an error.

I'm looking at how to post your HijackThis log as an attachment?

Can you explain to me in the simplest terms how to save the log so that I can get it to you, please.

OK, I think I did it right. Here they go, and please let me know what you find.
Thanks

Ray
 
Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

_mzu_stonedrv3
Microsoft ASPI Manager

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

_mzu_stonedrv3.exe
ibm00004.exe
aspi1794110.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe

O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe"

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)

O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\gmcjpq.dll

O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi1794110.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there):

C:\WINDOWS\system32\aspi1794110.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe
c:\windows\system32\_mzu_stonedrv3.exe

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

These are the file paths you need to enter into Killbox:

C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\WINDOWS\system32\gmcjpq.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log as well as an AVG Antispyware log.

Regards Howard :)

 
Thanks for getting back to me and for helping me out here. I have a question before I do this step.

I was able to install Spybot onto my computer. Shall I run it prior to doing the above mentioned step?

It is also asking me if I want to create a complete backup of my registry. Should I do this or do I not need it?

As usual... Thanks

Sorry, but I'm kind of confused, so here is another question.

In your instructions, you say to locate and delete the following BOLD files and/or directories (if there)...

Two of the three items have some characters in bold, but one doesn't. Is this one to be deleted as well?

Thank you
 
Yes, run SS&D from safe mode, then follow the rest of the instructions.

As for the bold issue. I simply forgot to put one of the nasty .exe files in bold. Fixed now.

Regards Howard :)

 
OK, I did the process as you instructed, and am currently running AVG again to give you an updated list.

I believe I have to run HJT again to have a fresh list as well (?).

I had the list of things for HJT to fix, BUT a couple of the items were different, such as:
O21 SSODL: DCOM (it didn't say C:\WINDOWS etc.); instead it just said (no file). (Hope I didn't mess up, but since everything else was the same I checked the fix it box.)
O23 Service: Microsoft ASPI Manager (was not there)

Also, the 3 files and/or directories that were to be deleted were not there.

I will post the results to you soon.

Thank you
 
Yes, I require fresh HJT and AVG Antispyware logs.

Regards Howard :)

 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there):

Viewpoint
Viewpoint Manager

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

ViewMgr.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there):

C:\Program Files\Viewpoint (delete the entire folder)

Delete all files in AVG Antispyware quarantine.

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know if you're still having any problems.

Regards Howard :)

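The two HJT clean-up posts above work by reading autostart entries (O4 Run keys, O20 Winlogon Notify, O21 SSODL, O23 services) and picking out the ones that load the files Howard listed. The script below is an added example, not part of the thread or of HijackThis: it parses HJT-style lines and flags entries by the same cues a helper uses (a file name from the thread's removal list, a service with "Unknown owner", an entry pointing at a file that is already missing, or an autostart loading from outside the Windows and Program Files trees). The sample log is constructed from the entries quoted in the thread plus one benign ctfmon.exe line for contrast.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: HJT entries as quoted in the thread, plus a benign line.
SAMPLE_LOG = r"""
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.exe"
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\gmcjpq.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi1794110.exe (file missing)
"""

# File names Howard told Ray to remove, used here as a known-bad list.
KNOWN_BAD = {"_mzu_stonedrv3.exe", "ibm00004.exe", "aspi1794110.exe",
             "winsys2f.dll", "gmcjpq.dll", "viewmgr.exe"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O4 - <body>"
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll))', re.IGNORECASE)


def parse_entry(line):
    """Split one HJT line into section, body, loaded path and missing-file flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    p = PATH_RE.search(body)
    return {"section": section, "body": body,
            "path": p.group(1) if p else None,
            "missing": "(file missing)" in body}


def triage(log_text):
    """Return (section, path, reasons) for every entry that deserves a look."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if not e or not e["path"]:
            continue
        name = PureWindowsPath(e["path"]).name.lower()
        reasons = []
        if name in KNOWN_BAD:
            reasons.append("known-bad name")
        if e["missing"]:
            reasons.append("entry points at a missing file")
        if e["section"] == "O23" and "Unknown owner" in e["body"]:
            reasons.append("service with no vendor")
        if e["section"] in ("O4", "O20") and not e["path"].lower().startswith(TRUSTED_ROOTS):
            reasons.append("autostart outside system/program dirs")
        if reasons:
            findings.append((e["section"], e["path"], reasons))
    return findings
```

The heuristics only narrow the list; as in the thread, an entry still needs a person to decide whether it is fixed or left alone.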
 
Yes, you can safely delete all the previous log files.

I think we're almost done anyway.

Regards Howard :)

 
Yes, uninstall anything to do with Viewpoint.

Regards Howard :)

 
It doesn't matter about that.

Once you've completed the instructions just post a fresh HJT log.

Regards Howard :)
