TechSpot

Is it Spyware or Virus??

By ARGuy83
Jun 6, 2007
  1. Yesterday I spent more than 12 hours scanning my computer with SuperAntiSpyware, Ad-Aware, and all Norton System Works applications only to resolve nothing. I managed to clean and delete the files that these programs recommended were affecting my computer. I even deleted all cookies, temp files, history, and everything related to Internet.

    Now the problem started when my firewall, Norton, kept asking me to decide whether to allow connections from a file 13018015.exe, just as an example, and it recommended that I allow the connection, but I kept blocking it and the alert kept popping back up. I ran SuperAntiSpyware since this always fixes my problems, but after rebooting it appeared again and this time I accepted the connection, but it asked again and again like when I blocked it, and each time it was a different numbered .exe file, like when I blocked it as well. Thereafter I ran Ad-Aware and it quarantined all files it deemed dangerous, but the prompts kept coming up after I rebooted. I ran all the applications with Norton System Works but ended up with the same results. I found the .exe files in the Temp folder from my Local Settings folder and quickly erased them thinking it would stop the prompts, but they continued appearing in the folder and the prompts continued as well.

    Today I googled all the processes running in my task manager and found one in particular, smgr.exe, that shouldn't be there. I quickly ended the process and the prompts stopped, I even went into safe mode to erase it from my but it appeared again when I rebooted.

    Is this a virus or some type of spyware, malware, etc.?? And how can I get rid of this permanently?? The prompts are so annoying and I don't want to risk the security of my computer. Also, I do not want to reformat, I just want to get rid of this headache. Can someone diagnose the problem and help me fix my computer, please? Every time my firewall prompts me to accept or block, the file trying to "connect to a DNS server" is a numbered .exe file and they are always different numbers. Why does it keep replicating itself even after deleting them? And how serious is this problem? Please, someone help me.

    Thanking you in advance,

    AR
     
  2. ellyquim

    ellyquim TS Rookie

    Have you tried deleting the smgr.exe file in safe mode, looking on your drive C: for smgr.exe files that are hidden, and also deleting the registry entries that have smgr.exe? And stopping it from running at startup in msconfig, if it was running there?
     
  3. momok

    momok TS Rookie Posts: 2,265

    Hi ARGuy83 and welcome to techspot. =)

    Your system is definitely infected with malware.

    Important: Please read this thread HERE before you decide whether to clean or reformat your system.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs, otherwise they will be ignored and/or removed.

    Also, please let me know the results of the AVG Antirootkit scan.


    Regards,
    Your friendly momok =)

    This thread is for the use of ARGuy83 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. ThaUnknown

    ThaUnknown TS Rookie Posts: 62

    Hmmm, maybe you should do a system restore to the day before the problem happened. Start > Programs > Accessories > System Tools > System Restore. That has been working good for me :)
     
  5. momok

    momok TS Rookie Posts: 2,265

    Hi,

    That is not recommended in the case of an infection. Often times, infections reside in your restore points too, and doing a restore would not solve the problem itself.

    I would recommend that you post a HijackThis log in a new thread for checking too, ThaUnknown.


    Regards,
    Your friendly momok =)

     
  6. ARGuy83

    ARGuy83 TS Rookie Topic Starter

    Thank you all for the replies so far....

    ellyquim:
    I've deleted the smgr.exe file in safe mode and all files pertaining to it, including in the Prefetch folder, which was the other instance where the file was found. The problem is that the file keeps returning even after deletion of all instances and, further, this file creates other .exe files with numbered file names.

    momok:
    Thank you for your suggestions. So far I've only gotten to the online scan, which further found more infections, but was unable to take care of the problem. I will however continue with your advice and post the logs and follow the other steps.

    ThaUnknown:
    I tried Norton GoBack and it didn't give me a restore point of 6/5/07 or later. Now the method you suggested gave me a restore point of 6/2/07, which I hope may fix my computer, but don't you think my computer will still be infected??

    I want to try both momok's and ThaUnknown's methods, but which one should I do? I'm leaning towards a clean sweep the way momok suggests, which is undoubtedly complicated, I believe, since I've never done this before. However, ThaUnknown's way is fairly less complicated, although I do run the risk of having the computer infected. Is this true? Will the computer still be infected?

    Thank you all again for your suggestions and I hope to have this fixed soon.

    **Thank you Momok for the clarification...I hadn't seen your second post.**...I'm going to continue the steps you suggested....thank you......
     
  7. ARGuy83

    ARGuy83 TS Rookie Topic Starter

    Finally??

    Hi Momok,

    It seems that my problem has gone away after going through all 15 steps in the removal process. However, I'm still attaching the log files so you may see if I have any other problem. As for the Antirootkit scan result, it told me that the computer had none. Please find attached the logs from hijackthis, combofix, and avg antispyware. Thank you again for your help.

    AR
     
  8. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Please download and run CCleaner via step 9 of the instructions HERE.

    I noticed that your AVG log displays 'No Action Taken' for all the files detected.
    I suggest you run AVG again and quarantine the files. Pictorial instructions HERE.

    In addition to that, please boot into safe mode and unhide all files.

    Delete the following:

    C:\WINDOWS\system32\CNDUD73B.dll
    C:\WINDOWS\system32\PSCLD73B.dll
    C:\WINDOWS\system32\CNDCD73B.dll
    C:\found.001
    C:\gobackio.bin

    After that post a fresh AVG Antispyware log file after you have quarantined the infections, and I'll give you some final cleaning steps.


    Regards,
    Your friendly momok =)

     
Topic Status:
Not open for further replies.
