Infected computer (logs attached)

Status
Not open for further replies.
Hi, I'm trying to clean a friend's computer. I have followed the preliminary removal instructions and here are the logs. He is getting the popups saying his computer is infected, directing him to AntiSpyware Gold, WinAnonymous, AntiSpyware Golden etc.

Thanks in advance.
 
Your HJT log is clean.

Your Combofix log does look clean - but let Evilfantasy check it over as he is better with Combofix logs than me.

Did the Panda Antirootkit find anything?

Regards Jason :)
 
Thanks Jase, Antirootkit didn't find anything.

I'm a bit suspicious of these from the Combofix log:

Contents of the 'Scheduled Tasks' folder
"2007-11-28 06:00:16 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-11-21 16:00:00 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe

Cheers - Shane
 
They belong to Regcure (Registry Cleaner) found HERE.

Did you install this?

Regards Jason :)

This thread is for the use of vinnie05 ONLY. Please do NOT post your own virus/spyware problems into this thread. Instead, open a new thread in our security and the web forum.
 
No, I didn't, but perhaps my friend, whose computer it is, might have. I will remove it anyway as I don't trust it.

I'll wait to see what Evilfantasy says about the Combofix log, but I think that the preliminary instructions may have worked to remove the AntiSpyware Gold, WinAnonymous, AntiSpyware Golden popups.

Cheers - Shane
 
I do advise you to remove Regcure - as registry cleaners are dangerous if not used properly.

Apart from that I think everything is Ok.

Regards Jason :)

 
Hi,

Allow me to fix just one little thing.
  • Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\ALCXMNTR.EXE

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlcxMonitor"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
  • Save this as CFScript on the desktop.
  • Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    CFScript.gif

  • ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not click inside ComboFix's window while it is running. That may cause your system to hang.

Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


Regards,
momok =)

 