TechSpot

Virus and Spyware problem

By KnightRiderX
Sep 10, 2006
  1. I am on my friend's computer and I have been trying to clean it up of viruses and spyware. Every time I do an antivirus scan with AVG, it reports the same 18 viruses and 2 trojans and it only deletes the 2 trojans. Every time I do a spyware scan with ewido anti-spyware, it reports a LOT of infected files and is only able to delete a few of them. I have attached a log of the HJT of this computer in hopes that someone with knowledge of HJT can help me.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Go HERE and follow the instructions exactly.

    Post fresh HJT and Ewido logs into this thread, only after doing the above.

    Regards Howard :)

    This thread is for the use of KnightRiderX only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. KnightRiderX

    KnightRiderX TS Rookie Topic Starter Posts: 36

    OK, I have done what it says on the page. When I did the anti-virus scan, AVG detected 28 infections and only deleted 9 of them. I have attached the logs of the ewido anti-spyware scan and HJT.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is riddled with nasties. Follow the instructions below very carefully.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add/remove programmes in your control panel and uninstall anything to do with the following (if there).

    DriveCleaner 2006 Free
    Viewpoint\Viewpoint Manager
    BearShare
    BulletProofSoft.com\SpywareRemover\popup-watch

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    Duce6.exe
    UDC2006.exe
    ViewMgr.exe

    ms05769433988.exe
    clcbt.exe
    ?ttrib.exe The question mark can be any random number/letter etc.

    wleesio.exe
    stonedrv.exe
    14C5632.exe

    ibm00003.exe
    BearShare.exe
    14C5632.exe

    PopUpWatch.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    R3 - URLSearchHook: (no name) - {1465A165-3BD6-4722-A0AD-6943B417A6E7} - C:\WINDOWS\system32\wzpwo.dll (file missing)

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wleesio.exe

    O4 - HKLM\..\Run: [lqmb1ad6] RUNDLL32.EXE w20afe6c.dll,n 003b1ad30000000320afe6c

    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

    O4 - HKLM\..\Run: [themonitor] C:\WINDOWS\Duce6.exe

    O4 - HKLM\..\Run: [DriveCleaner 2006 Free] "C:\Program Files\DriveCleaner 2006 Free\UDC2006.exe" /min

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O4 - HKLM\..\Run: [ms05769433988] C:\WINDOWS\ms05769433988.exe

    O4 - HKLM\..\Run: [wodizxg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wodizxg.dll,lsvim

    O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe

    O4 - HKCU\..\Run: [Bhrrlsum] C:\Program Files\Common Files\?asks\?ttrib.exe

    O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP

    O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

    O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\JEETER\LOCALS~1\Temp\14C5632.exe

    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"

    Fix all O15 - Trusted Zone entries.

    O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab

    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006Free Install.cab

    O21 - SSODL: XhxykPbSHczdPaRH - {1442464F-BEE8-ECE5-DC34-4ACE53B725F9} - C:\WINDOWS\system32\funkj.dll (file missing)

    O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\Duce6.exe

    C:\Program Files\DriveCleaner 2006 Free

    C:\Program Files\Viewpoint

    C:\WINDOWS\ms05769433988.exe

    C:\WINDOWS\system32\clcbt.exe

    C:\Program Files\Common Files\?asks

    wleesio.exe Search your system for this file and delete all instances of it.

    C:\WINDOWS\system32\wodizxg.dll,lsvim

    c:\windows\system32\stonedrv.exe

    C:\DOCUME~1\JEETER\LOCALS~1\Temp\14C5632.exe

    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe

    C:\Program Files\BulletProofSoft.com

    C:\WINDOWS\system32\funkj.dll

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.


    Regards Howard :)
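
The HJT entries listed in the post above share a few recognisable traits; as an added example (not part of the original post and not HijackThis's own logic), this sketch parses HJT-style lines and marks the ones worth a closer look. The function names, the three heuristics and the last two sample lines are assumptions made for illustration, and a flag is a prompt for review, not a verdict.

```python
import re

# A HijackThis entry is "<section> - <details>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2})\s+-\s+(?P<body>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")

# The first five lines are copied from the thread; the last two are constructed.
SAMPLE_LOG = [
    r"R3 - URLSearchHook: (no name) - {1465A165-3BD6-4722-A0AD-6943B417A6E7} - C:\WINDOWS\system32\wzpwo.dll (file missing)",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wleesio.exe",
    r"O4 - HKLM\..\Run: [lqmb1ad6] RUNDLL32.EXE w20afe6c.dll,n 003b1ad30000000320afe6c",
    r"O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\JEETER\LOCALS~1\Temp\14C5632.exe",
    r"O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)",
    r'O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\app.exe"',
    "Logfile of HijackThis",
]

def triage(line):
    """Return (section, [reasons]) for one entry, or None if the line is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m["section"], m["body"]
    low, reasons = body.lower(), []
    if low.endswith("(file missing)") or low.endswith("(no file)"):
        reasons.append("orphaned entry: target file absent")
    if section == "F2" and "userinit=" in low:
        # Anything listed after userinit.exe is also started at logon.
        extras = [p.strip() for p in body.split("=", 1)[1].split(",") if p.strip()][1:]
        if extras:
            reasons.append("extra program chained after userinit.exe: " + ", ".join(extras))
    run = RUN_RE.match(body) if section == "O4" else None
    if run:
        cmd = run["cmd"].lower()
        if "\\temp\\" in cmd:
            reasons.append("autorun launches from a Temp directory")
        if "rundll32" in cmd:
            reasons.append("autorun loads a DLL through rundll32")
    return section, reasons

def flagged(lines):
    """Map each line that raised at least one flag to its list of reasons."""
    results = ((line, triage(line)) for line in lines)
    return {line: r[1] for line, r in results if r and r[1]}

if __name__ == "__main__":
    for line, reasons in flagged(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```
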

     
  5. KnightRiderX

    KnightRiderX TS Rookie Topic Starter Posts: 36

    I have done the above and when I did AVG anti-virus scan in normal mode, it found 25 infected files and deleted only 7 of them. I also did an ewido anti-spyware scan. I have attached both the logs for the anti-spyware scan and HJT. So far the pop-ups have stopped but AVG tells me that there are some viruses left.

    EDIT: also, for Spyware Remover, there was no button for me to click to remove it. It is still shown in Add or Remove Programs.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run a complete system scan with AVG and delete whatever it finds. This includes anything in the virus vault.

    Run a complete scan with Ewido and delete whatever it finds. This includes files in quarantine.

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Let me know if you're still having problems.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
