TechSpot

Viruses, spyware.. help!

By Ariinya
Aug 6, 2006
  1. I don't even know WHERE to begin. There seems to be too much wrong with my computer at the moment. Somewhere, I picked up a few viruses and spyware. Popups, er... pop up randomly on my desktop (some of them sexually explicit, which is ANNOYING >.<). That's the most noticeable thing. I get false virus warnings that ask me to go download anti-spyware programs.

    I think two of the things are Troj_Agent, and Toolbar888 (which I think is MyToolbar, or something).

    Anyway, I've heard I need a HijackThis log? I'm not sure, I've never used it before.

    Someone please help me. I'm at my wit's end! My virus program can't help me (Trend Micro PC-cillin). The Troj_Agent thing can't be quarantined, and the MyToolbar thing... I don't know. I think it says it's a .dll in the System Volume folder, and access is denied to the cleaning tool. Troj_Agent is in winhoo32.dll.
     

  2. unforgiven1977

    unforgiven1977 TS Rookie

    I'm no expert by any means, but I've dealt with more than a few viruses and spyware programs in my time. I don't think you'll need to go so far as to reformat and reinstall Windows, though.
    Any time an antivirus or other problem-removal program like PC-cillin can't quarantine, clean, or delete an identified threat, it's more than likely because the program has gotten into your System Restore folder. The System Restore folder is blocked to any and all access by every program on your PC, including anti-virus programs. This is understandable because it's designed so that nothing can alter the files, so you have a supposedly safe registry to roll back to. Unfortunately there are quite a few malware programs out there that can root themselves in there.
    The best way to get rid of them is to open your Start menu, go to My Computer, and on the right click "View system information". Click on the "System Restore" tab. Check "Turn off System Restore on all drives" and hit Apply. I'll warn you that this will clear the folder of everything, including past known registries, but it will remove any malicious programs as well.
    Hit OK and restart the PC. When it restarts, start pressing F1 or F8 to bring up your boot menu and select to start up in Safe Mode.
    When Windows boots in Safe Mode, run your anti-virus software again. This time, as long as it identifies the unwanted programs, it should be able to delete them. Once that is complete, go back to your System Restore option (Start menu, My Computer, View system information, System Restore tab, uncheck "Turn off System Restore").
    Then restart your PC. Run your anti-virus program again and see if that didn't take care of it.
    Most of the time when there's a program giving you false warnings, it's actually a spyware program (such as SpyDetective) disguised as an anti-spyware program, while in fact the program that's warning you is the one causing the problem.
     
  3. Ariinya

    Ariinya TS Rookie Topic Starter

    I can't run my main virus program (Trend Micro PC-Cillin) while in safe mode. I'll try again and write down the error I receive, but I THINK it may involve not being connected to the 'net while in safe mode. Or something. I am absolutely NOT computer savvy.

    Also, I refuse to reformat. I've been through that hell enough times. Unless this is something that can't be fixed and will seriously hurt my computer's performance, I won't even consider reformatting.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    I have moved your thread to the correct forum.

    Your system is infected with some real nasties.

    Download and run these three tools. Follow the instructions for using each tool.

    Tool1. Tool2. Tool3.

    Post a fresh HJT log into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of Ariinya only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  5. Ariinya

    Ariinya TS Rookie Topic Starter

    Thank you so much for helping me! I ran those three programs, and I hope they helped and I'm on the road to recovery. :D I'm not sure what they did, but I hope your trained eye will pick up something I missed. ^_^
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download the Pocket Killbox programme from HERE. Extract it, but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if present).

    O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
    O20 - Winlogon Notify: winhoo32 - C:\WINDOWS\SYSTEM32\winhoo32.dll

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "Delete on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted.

    This is the filepath you need to enter into killbox.

    C:\WINDOWS\SYSTEM32\winhoo32.dll

    Once your system has rebooted, turn system restore back on.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

     
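    For readers who want to see what "delete file on reboot" actually does, here is an added example (not from the thread, and not Killbox's own code). It uses the standard Windows mechanism for deferred deletion, MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the path under PendingFileRenameOperations so Session Manager removes it early in the next boot, before Winlogon can load the DLL again. It assumes that this is the mechanism Killbox relies on, that you run it from an elevated PowerShell 4 or later session, and it records the file's size, SHA-256 and signature status first so the decision can be reviewed later. The path is the one Howard gave; substitute your own.

```powershell
# Added example: queue a file for deletion at next boot (the way "delete on
# reboot" tools work), from an elevated PowerShell prompt. Not thread code.

$Target = 'C:\WINDOWS\SYSTEM32\winhoo32.dll'   # path from the thread; change as needed

# P/Invoke the Win32 API that implements deferred deletion.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Register-DeleteOnReboot {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path does not exist; nothing to queue."
        return $false
    }

    # Record what is about to be removed so the decision can be audited later.
    $item = Get-Item -LiteralPath $Path -Force
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -FilePath $Path).Status
    Write-Host ("{0}  size={1}  sha256={2}  signature={3}" -f $Path, $item.Length, $hash, $sig)

    # A null destination means "delete"; the flag defers the operation to boot,
    # which is why a DLL that is currently loaded can still be removed this way.
    $ok = [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Warning "MoveFileEx failed with Win32 error $err (is the session elevated?)"
    }
    return $ok
}

function Get-PendingDeletes {
    # MoveFileEx stores its queue in this REG_MULTI_SZ value; Session Manager
    # processes it before most of the system is up.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return @() }
    # Entries come in source/destination pairs; an empty destination is a delete.
    for ($i = 0; $i + 1 -lt $ops.Count; $i += 2) {
        [pscustomobject]@{
            Source      = $ops[$i] -replace '^\\\?\?\\', ''      # strip the \??\ NT prefix
            Destination = if ($ops[$i + 1]) { $ops[$i + 1] } else { '<delete>' }
        }
    }
}

if (Register-DeleteOnReboot -Path $Target) {
    Get-PendingDeletes | Format-Table -AutoSize
    Write-Host 'Queued. Reboot, then confirm with: Test-Path -LiteralPath $Target'
}
```

    Two caveats: the queue only takes effect on a clean reboot (a hard power-off before Session Manager runs leaves the entry pending), and it removes the file, not the Winlogon Notify registry entry that referenced it, which is why Howard has HJT fix the O20 line as a separate step.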
  7. Ariinya

    Ariinya TS Rookie Topic Starter

    I haven't yet followed the instructions, because I'm getting another error. I try to go into the System Configuration Utility (Start menu, Run, msconfig), and I get an error.

    AppName: msconfig.exe AppVer: 5.1.2600.2180 ModName: msconfig.exe
    ModVer: 5.1.2600.2180 Offset: 0000c809

    I can post the technical information about the error here if you need me to. Meanwhile, I'm going to use the F8 method to get into Safe mode.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I never asked you to run msconfig.

    Just follow the instructions I have given exactly.

    Regards Howard :)
     
  9. Ariinya

    Ariinya TS Rookie Topic Starter

    Sorry. I was trying to use it to get into safe mode. And, unfortunately, the F8 method isn't working.

    I'm taken to a blue screen called "Boot Menu" that says:

    Select a boot first device

    Removable
    - Floppy Disks

    Hard Disk
    - 1st Sata-M: WDC WD2OCKP-22HBCO
    - Bootable Add-in cards

    CD Rom
    - 1st Master: Lite-on DVD SOHD16P9S
    - 1st Slave: Lite-on CD-RW SOHR-5239V

    Legacy Lan

    This is when I hit the F8 button at startup. Also, I'm getting a System Configuration popup accompanied with an error each time I restart now, along with an error from Dr Watson's Postmortem Debugger, or something similar. I didn't write it down when it popped up.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, don't panic lol.

    Your system must use another key instead of F8.

    Try using the Delete key instead. If that doesn't work, tell me what brand your computer is and I'll attempt to find out the correct key.

    Regards Howard :)
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Bugger it. If you can't get into safe mode, try following the instructions from normal mode.

    Regards Howard :)
     
  12. Ariinya

    Ariinya TS Rookie Topic Starter

    Ah ha ha... nope, it isn't the delete key. ^^; Scared the heck out of me. It brought me to a menu called:

    Phoenix - Award BIOS CMOS Setup Utility

    I didn't touch anything. Promise!

    My computer is a Velocity Micro.

    Edit: Ah! I don't know what changed from restarting this time to last time, but I can get into msconfig again! Hooray. I'll be back in a jiffy.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Forget safe mode, just make sure you turn off system restore and turn on show hidden and system files etc.

    Once you're done with the instructions, post a fresh HJT log.

    Regards Howard :)

    Edit: just seen your post edit. OK.
     
  14. Ariinya

    Ariinya TS Rookie Topic Starter

    Okay, I did what you said. There was one thing on HijackThis I wasn't sure of:

    O20 - Winlogon Notify: Wgalogon - C:\windows\system32\wgalogon.dll


    I didn't touch it, because I wasn't sure what it was.

    Edit: And, unfortunately, the system config utility is bugging out again.
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    Just have HJT fix the following inactive entry.

    O20 - Winlogon Notify: winhoo32 - winhoo32.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Do not fix O20 - Winlogon Notify: Wgalogon - C:\windows\system32\wgalogon.dll. This is a genuine file and shouldn't be fixed.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
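    The two O20 decisions above (fix the winhoo32 entry that now says "file missing", leave the wgalogon.dll one alone) come down to one question: does the DLL a Winlogon Notify subkey points to still exist, and is it one you trust? Here is an added example, not from the thread or from HijackThis, that enumerates the same registry location HJT's O20 section reads, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, resolves each DllName the way Winlogon would, reports missing files, and removes a stale subkey only when its file is gone. It assumes PowerShell 3 or later on a 32-bit XP-era system (the Notify key is absent on Vista and later, and 64-bit systems also have a Wow6432Node copy not covered here); the allowlist holds only the file this thread vouches for, and the subkey name in the usage line is the one from Howard's log.

```powershell
# Added example: audit Winlogon Notify packages (HJT's O20 section) and remove
# entries whose DLL no longer exists. Not thread code; run elevated.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$System32  = Join-Path $env:SystemRoot 'System32'
$KnownGood = @('wgalogon.dll')   # the only file this thread identifies as genuine

function Get-WinlogonNotify {
    if (-not (Test-Path -Path $NotifyKey)) { return @() }   # absent on Vista and later
    Get-ChildItem -Path $NotifyKey | ForEach-Object {
        $subkey = $_.PSChildName
        $dll    = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DllName
        if (-not $dll) { $dll = '' }

        # A bare name ("winhoo32.dll") is found via the DLL search order, which
        # starts in System32 for Winlogon; HJT prints it as given in the registry.
        $full = if ($dll -ne '' -and -not [IO.Path]::IsPathRooted($dll)) { Join-Path $System32 $dll } else { $dll }
        $exists = ($full -ne '') -and (Test-Path -LiteralPath $full)
        $signed = if ($exists) { (Get-AuthenticodeSignature -FilePath $full).Status } else { $null }

        $verdict =
            if ($dll -eq '')      { 'no DllName value' }
            elseif (-not $exists) { 'file missing: stale entry (HJT shows "(file missing)")' }
            elseif ($KnownGood -contains [IO.Path]::GetFileName($full)) { 'known good (allowlisted)' }
            else                  { 'review: unknown notify package' }

        [pscustomobject]@{
            Subkey  = $subkey
            DllName = $dll
            Path    = $full
            Exists  = $exists
            Signed  = $signed
            Verdict = $verdict
        }
    }
}

function Remove-StaleNotifyEntry {
    # Equivalent of HJT fixing an O20 "(file missing)" line: delete only the subkey.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Subkey)

    $entry = Get-WinlogonNotify | Where-Object { $_.Subkey -eq $Subkey }
    if (-not $entry) { throw "No Notify subkey named '$Subkey'" }
    if ($entry.Exists) {
        # Removing the entry while the DLL is present leaves the file for another
        # loader to pick up; get rid of the file first, then the entry.
        throw "$($entry.Path) still exists; remove the file before the registry entry"
    }
    $path = Join-Path $NotifyKey $Subkey
    if ($PSCmdlet.ShouldProcess($path, 'Remove Winlogon Notify subkey')) {
        Remove-Item -Path $path -Recurse
    }
}

# Usage: review everything first, then remove the stale entry from the thread.
Get-WinlogonNotify | Format-Table -AutoSize
Remove-StaleNotifyEntry -Subkey 'winhoo32' -WhatIf   # drop -WhatIf to actually delete
```

    The check in Remove-StaleNotifyEntry encodes the order Howard used: the winhoo32 entry is only fixed in the second pass, after Killbox had already removed the DLL and the log line had changed to "(file missing)". Signature status is shown for information only; an unsigned DLL in this key is worth a look, but the thread's wgalogon.dll is trusted on Howard's word, not on a signature check.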
  16. Ariinya

    Ariinya TS Rookie Topic Starter

    So far, so good! Thank you so VERY, very much. ^_^ I've been trying to remedy this problem for a week now, and obviously, that didn't do much. I'll come here immediately with any more problems. ^^;
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No problem, glad I could help.

    You might want to go and read this thread HERE. It will show you how you can keep your system more secure.

    Regards Howard :)

     
Topic Status:
Not open for further replies.