System message popup virus HELP!

[A1181899]

In the past day or so, it has come to my attention that my computer has been infected with a virus. The symptoms of the infection are constant pop-up messages in the style of "Windows Security Alert". These popups redirect me to a phony anti-virus software website. My Internet homepage has been changed to something along the lines of softwarereferrall.bla bla. Ive tried everything, though I believe this one is beyond my ability.

I have Kaspernsky internet security suite.

I have attached a current hijackthis log.

 

[howard_hopkinso]

Hello and welcome to Techspot.

Your system is infected with malware.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of A1181899 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[A1181899]

OK, I have attached the neccessary logfiles. The Panda Rootkit didnt find anything to my knowledge.

As an additional note, AVG anti-spy keeps finding Downloader.agent.dag, though is unable to do anything with it.

 

[howard_hopkinso]

Delete all files in AVG Antispyware quarantine.

You have not renamed HijackThis_v2.exe as per the instructions. Please do so, before posting any further HJT logs.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

WEP/WPA-PMK key recovery service (WZCOOK)

Close the services window.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:

File::
C:\WINDOWS\movctrlnkd.dll
C:\windows\ALCMTR.EXE
C:\WINDOWS\ocgrep.dll
C:\WINDOWS\bxsbang.dll
C:\WINDOWS\privacy_danger\index.htm
Folder::
C:\WINDOWS\privacy_danger

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard

This thread is for the use of A1181899 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[A1181899]

Okay, I have completed the steps noted in your prior post. Also, I have changed the hijackthis.exe to crusty.exe; and have included the new logfile

 

[howard_hopkinso]

That all looks good.

Delete the following folder:

C:\Qoobox

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of A1181899 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[A1181899]

Thanks Howard. I was thinking: Is it typical for malware of this variety to be removed without using the killbox utility? In my instance, it seemed as though utilizing the anti-malware tools included on the preliminary removal page solved my problem. My most recent post, which included the updated logfiles, had been sent after the use of those programs. I merely sent it to recieve confirmation that the malware had been completely removed

 

[howard_hopkinso]

Killbox is very limited in it`s effectiveness. So much so, I hardly ever use it anymore.

A lot of the tools in my sticky thread specialise in removing certain infections.

Combofix, especially, is a very powerful programme, apart from automatically removing certain infections, it also has the capability to remove files/folders/registry keys etc via a script file.

Regards Howard

This thread is for the use of A1181899 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[A1181899]

Happy holidays Howard! I hope everything has gone well for you as we slip into the new year. Anyways, I was having some data corruption in the WINDOWS directory which had forced me to repair the OS with the recovery console. I then ran avast! virus scan and deleted a trojan which may be associated with the file curruptions. I was hoping you could take a look at my logfiles and tell me if im clean or not. Thanks again.

Here they are:

 

[Tedster]

1. howard is no longer a member of techspot
2. What did your anti-virus or anti-trojan say?
3. Cookies are NOT viri or spyware

 

[A1181899]

Wow Howard is gone? That really is unfortunate. Well my virus scan had found some sort of trojan I dont recall what its name was. I was hoping that someone could take a look at those logfiles like Howard did and give me a synopsis on what was going on.

 

[momok]

Hi,

1. Go to start > run and type services.msc. Press the enter key.
   Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.
   
   Viewpoint Manager Service
   
   
2. Have HJT fix this entry:
   
   O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
   
   
3. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):
   
   

   File::
   C:\WINDOWS\system32\guard32.dll.vir
   Folder::
   C:\Program Files\Viewpoint
   C:\Documents and Settings\All Users\Application Data\Viewpoint
   C:\Documents and Settings\John\Application Data\Viewpoint

4. Save this as CFScript on the desktop.
5. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
   
   
   
   
6. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
   
   Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

Apart from that, your logs are clean.


Regards,
momok =)

This thread is for the use of A1181899 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.