
"Your computer is infected" but a little different

Discussion in 'Virus and Malware Removal' started by wdawg, Oct 31, 2008.

  1. wdawg Newcomer, in training Posts: 37

    I had to try again. It started to work fine and got through the scan. Then it got to where it was opening the log report and froze for 10 minutes (hung up). So, I had to reboot to get out of it and am going to try again. Be back soon, hopefully.

    Here it is. Took unusually long to come up with the report again, but I waited it out and it finally came through.

    Standing by...
  2. Xfactor Newcomer, in training Posts: 76

    Hi all, I would just like to add a few possible tips/things.

    I too have had these Rogue AntiVirus programs run on start-up and prevent me from accessing certain websites.

    I downloaded and installed the Firefox and Opera browsers, rotating them off and on until eventually I was able to access ComboFix and SmitFraud and save them to my desktop. (It's always a good idea to have these programs already saved on your desktop in case of infection, not forgetting to update them periodically.)

    Always run these programs in safe-mode!

    I've heard that showing hidden files and turning off System Restore never hurts either.

    Make sure to check C:\Program Files for any rogue folders or the like. Also check Add/Remove Programs.

    Check the Registry (regedit) for Browser Helper Objects!

    Windows Live OneCare is a powerful anti-virus program (must remove SBS&D) that can remove powerful Trojans. Might try this later on!
  3. Bobbye Helper on the Fringe Posts: 16,406   +16

    To clarify:
    Most programs should be run in Normal Mode unless 1. specifically instructed to run in Safe Mode or 2. they can't be run in Normal Mode due to the malware.

    Some programs will specifically direct the user to show hidden files and folders.

    We usually leave System Restore on but will caution the user not to use it. At the end of the cleaning process, the old restore points are removed and a clean new one is created. SuperAntiSpyware will show infected System Volume files, which are the restore points.

    We remove these entries through HijackThis. Rarely is a user sent to do a regedit.
  4. wdawg Newcomer, in training Posts: 37

    Thanks Xfactor and Bobbye for the clarification. Yeah, after my system gets cleared up, I'm going to make sure to hang on to my programs. It seems that just when I get rid of them, when I'm in a stretch of not having problems for a while, that's when I get hit up again and then I'm searching to get the downloads again. Best bet is to keep them on hand.
  5. momok Newcomer, in training Posts: 2,272

    Hi,

    Things are looking better, though it seems like it takes a little time to remove some of the more tricky items. Try running ComboFix in Safe Mode this time, with this CFScript:
    Hopefully the next log will be fully clean.
  6. wdawg Newcomer, in training Posts: 37

    ComboFixLog4

    Hey Momok,

    Ran it in Safe mode with the new script. Here's the new log.

    Awaiting instructions...
     
  7. momok Newcomer, in training Posts: 2,272

    Hi Will,

    The new log shows all the old bad items have been removed. However, I'm very perplexed by the fact that new files and different variants of malware have appeared on your logs. I also see new programs installed when I see your new log.

    Are you actively using the internet or seeking help elsewhere? If you are, please halt immediately as I am finding it difficult to clean your system thoroughly as it seems to have been reinfected by new sources.

    That said, I believe you are almost clean now, except for the new infection.

    Please run Combofix once again in safe mode with this new CFScript:
    Then boot in Normal Mode and save a fresh log from HJT. Post the 2 logs back here; hopefully this time the cleaning will be complete so I can issue a clean bill of health for your system.
  8. wdawg Newcomer, in training Posts: 37

    Latest ComboFix and HJT

    Hi Momok,

    My apologies. Yes, I was still using the internet in between you helping me (I wasn't aware that I shouldn't have been doing that). With the new programs, I downloaded and ran SmitFraud per almcneil in between your last post and this one. The only other thing I downloaded was a program that gives me system configuration easily - SIW (System Information for Windows). I'm running off of 512MB of RAM and wanted to see what kind of RAM I run off of without opening the case, and that program helped me do that - so that I can go buy some more RAM today. Definitely not seeking any other help than what's provided in this thread, though.

    My apologies, though. Didn't realize I wasn't supposed to surf or download anything else in between. My bad.

    I did what you've asked and have posted a new HJT and ComboFix Log.

    Curiosity - I think I might have more startup processes running when I probably don't need that many. Seems like my computer drags at startup for about 3-5 minutes trying to stabilize. I noticed in the HJT a lot of things about ActiveCardGold. That's a program that I'm no longer using at the moment, so if any of those are in my startup or running, I can disable them - you just may need to tell me how (which I'm sure you would've done anyway). Thanks again, Momok.

    Awaiting instruction...
  9. momok Newcomer, in training Posts: 2,272

    I see.

    In that case, please fix these entries in HJT:
    O23 - Service: ActivCard Authentication Service (ACachSrv) - ActivCard - C:\Program Files\Common Files\ActivCard\acachsrv.exe
    O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common Files\ActivCard\acautoreg.exe
    O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe

    Be sure to visit Control Panel > Remove programs and uninstall it too.

    I would say the main source of your slow start up would possibly be these:
    There's Norton in there, which is notorious for being labelled 'bloatware', as it takes up space and resources on your system and just doesn't do as good a job as freeware out there.

    Apart from that, your system is looking clean now =)

    Now that you're good to go,
    1. Please download and run CCleaner via step 3 of the instructions HERE.

    2. Clear your existing System Restore points and establish a new clean restore point:
      Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.

      Next, go to Start > Run > cleanmgr
      Select the More options tab > Choose the option to clean up System Restore and OK.
      This will remove all restore points except the new one you just created.

    3. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
      May I recommend that you read this article.
      This can help to prevent future infections.
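The cleanup in this thread is driven by HijackThis sections: O2 (Browser Helper Objects, which Xfactor suggested checking in regedit), O4 (Run keys) and O23 (services, like the three ActivCard entries above). The script below is an added example, not code from HijackThis, ComboFix or anyone in this thread; it walks the same three locations with PowerShell, pulls the executable out of each command line, and reports whether the file exists and who signed it, which is the first thing to look at for an entry you do not recognise. It assumes Windows 7 or later with PowerShell 3+ and an elevated prompt; the function names are my own.

```powershell
# Added example: HijackThis-style listing of O2 (BHO), O4 (Run key) and O23 (service)
# autostart entries. Assumptions: Windows 7+ with PowerShell 3+, run elevated.
# Function and field names are illustrative, not from any real tool.

function Get-AutostartEntry {
    # O23 - services: binary path for every Win32 service, regardless of start mode.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        [pscustomobject]@{ Section = 'O23'; Name = $svc.Name
                           Location = "Service ($($svc.StartMode))"; Command = $svc.PathName }
    }

    # O4 - Run / RunOnce keys for the machine and for the current user.
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider ...
            [pscustomobject]@{ Section = 'O4'; Name = $p.Name; Location = $key; Command = [string]$p.Value }
        }
    }

    # O2 - Browser Helper Objects: CLSIDs registered for IE, resolved to the DLL via HKCR.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($clsid in Get-ChildItem -Path $bhoKey) {
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$($clsid.PSChildName)\InprocServer32"
            $dll = if (Test-Path $server) { [string](Get-ItemProperty -Path $server).'(default)' } else { '' }
            [pscustomobject]@{ Section = 'O2'; Name = $clsid.PSChildName; Location = 'BHO'; Command = $dll }
        }
    }
}

# Pull the executable out of a command line such as
#   "C:\Program Files\X\y.exe" /arg    or    C:\WINDOWS\system32\svchost.exe -k netsvcs
function Get-ExecutablePath([string]$command) {
    if ([string]::IsNullOrWhiteSpace($command)) { return $null }
    $command = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($command.StartsWith('"')) {
        $end = $command.IndexOf('"', 1)
        if ($end -gt 1) { return $command.Substring(1, $end - 1) }
    }
    # Unquoted path with spaces: extend word by word until the prefix names an existing file.
    $parts = $command -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Get-AutostartReport {
    Get-AutostartEntry | ForEach-Object {
        $exe = Get-ExecutablePath $_.Command
        $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
        $signer = 'n/a'
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { [string]$sig.Status }
        }
        [pscustomobject]@{ Section = $_.Section; Name = $_.Name; Exe = $exe; Exists = $exists; Signer = $signer }
    } | Sort-Object Exists, Section, Name
}

# Example call: unsigned or missing binaries sort to the top of each section.
Get-AutostartReport | Format-Table -AutoSize
```

Entries whose Exe is missing are the leftovers a removal tool did not clean (the service registration survives after the file is gone), and entries that exist but show NotSigned or a signer you do not recognise are the ones to research before fixing them in HJT. Vendor-signed entries such as the ActivCard services above still belong on the list; signing only says who built the binary, not whether you want it starting on every boot.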
  10. wdawg Newcomer, in training Posts: 37

    As far as Norton, I could see that being most of the slow startup. You mentioned about it being freeware, but I bought this 360 at the store. I've always heard it's the best anti-virus protection around. Do you recommend trying something else that's a little less bloaty? I'd sacrifice slow startup over protection any day of the week, however.

    I had Yahoo Toolbar before but I uninstalled it (I thought). It definitely does not run in my IE browser, so those listings in your second set seem like they shouldn't be there, either. Are those running at startup? If so, what should I do to disable them? MyspaceIM is a program that I use, but I've disabled it from startup - only to run when I click on the shortcut/executable. Is it secretly running still in startup though?

    I will do the remaining steps with the restore point and what not. Look forward to your reply on the Norton and Yahoo things, though.

    You've been great, Momok. Absolutely fantastic guidance and help. I hope you know that you're appreciated extremely.
  11. Bobbye Helper on the Fringe Posts: 16,406   +16

    wdawg, I'll let momok handle the logs but wanted to make one comment: be careful of the sites you download from. When possible, use the site of the company that writes the program or a mirror site that is trusted. There are some sites that tack on extras when you download from them.

    I see downloads offered on the torrent sites. These are file sharing sites and are not safe or reliable with respect to only getting the download you want without 'extras'.
  12. momok Newcomer, in training Posts: 2,272

    Hi,

    I didn't mean Norton was freeware lol. I meant it didn't do even as good a job as freeware like Avira and Avast for example. Avira and Avast are very good alternatives.

    These can be fixed:
    If you choose to uninstall norton and use one of the alternatives, you can fix these:
    Be sure to do a proper uninstallation too though.
  13. wdawg Newcomer, in training Posts: 37

    Quick question for anyone. I always tend to have two of these files in my processes under Task Manager:

    CCSVCHST.exe

    One has a username of my current active login and one has a username of SYSTEM. I only mention this because it seems that 95% of the time when I go to reboot or shutdown, I get a popup saying that that filename is unresponsive. Instead of letting it close itself, I always click End Now to get it to close faster and therefore reboot or shut down my computer faster.

    I just wonder why this file always has a problem when I'm shutting down. I have no idea what it is or what it's for, either.

    Update: Looking above at Momok's last reply, it appears that the file is attached to Norton's Live Update function. Still wonder why it has 2 of them - perhaps that's why it's unresponsive all the time?
  14. momok Newcomer, in training Posts: 2,272

    I have no idea why there are two of those in your Task Manager. If you uninstall it and fix those in HJT, they should not be running anymore. If there are problems fixing them, you can post a fresh HJT log to check just in case.
  15. Bobbye Helper on the Fringe Posts: 16,406   +16

    Sounds like there may be an entry left on Startup, since it's hanging. Using msconfig, navigate to the Startup menu and remove any remaining Norton/Symantec entries.

    Click on Apply> OK> Reboot> Close nag message after checking 'don't show message again.'

    Since there is no new log since the Norton removal, we have nothing to go by.
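wdawg's question about two CCSVCHST.exe processes, one under his own login and one under SYSTEM, is a pattern worth being able to check for yourself. The script below is an added example, not code from anyone in this thread or from any vendor: it lists every image name that is running under more than one account at the same time and shows each instance's owner, path and parent process, so you can see whether the second copy was started by a service, by explorer.exe (a Run key or Startup folder entry, which is what msconfig's Startup tab shows) or by something else. It assumes Windows 7 or later with PowerShell 3+ and an elevated prompt, since GetOwner() fails on SYSTEM processes otherwise; the function name is my own.

```powershell
# Added example: find images running under two or more accounts at once and
# show who owns and who launched each instance. Assumptions: Windows 7+ with
# PowerShell 3+, run elevated. Function name is illustrative.

function Get-MultiAccountProcess {
    $procs = Get-CimInstance -ClassName Win32_Process

    # ProcessId -> image name, used to label the parent of each instance.
    $byId = @{}
    foreach ($p in $procs) { $byId[[uint32]$p.ProcessId] = $p.Name }

    $rows = foreach ($p in $procs) {
        # GetOwner returns Domain/User; ReturnValue is non-zero when access is denied.
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $account = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }

        $parentName = $byId[[uint32]$p.ParentProcessId]
        if (-not $parentName) { $parentName = '<exited>' }   # parent already gone (common for Run-key launches)

        [pscustomobject]@{
            Image     = $p.Name
            ProcessId = $p.ProcessId
            Account   = $account
            Parent    = "$parentName ($($p.ParentProcessId))"
            Path      = $p.ExecutablePath
        }
    }

    # Keep only the image names whose instances span two or more distinct accounts.
    $rows | Group-Object -Property Image | Where-Object {
        @($_.Group | Select-Object -ExpandProperty Account -Unique).Count -gt 1
    } | ForEach-Object { $_.Group } | Sort-Object Image, Account
}

# Example call; compare Path against the vendor's install directory for anything unexpected.
Get-MultiAccountProcess | Format-Table Image, ProcessId, Account, Parent, Path -AutoSize
```

Expect svchost.exe to appear in the output under SYSTEM, LOCAL SERVICE and NETWORK SERVICE on every Windows machine; that is normal and not a sign of anything. The interesting rows are a vendor executable with one instance parented by services.exe (the service) and another parented by explorer.exe or already orphaned (the per-user copy from a Run key); a path outside the vendor's install directory for either copy is what would turn this from a shutdown annoyance into something to post a fresh HJT log about.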
  16. Vezineth Newcomer, in training

    An easy solution

    Hello wdawg

    I had the exact same problem as you, only worse: my background became a permanent depressing blue. Like a guy said before, remove anything fishy from the startup; you should also run this scan from Microsoft.

    Google "Windows Live OneCare safety scanner", click on the first link and start the full service scan.

    You do not need to install anything; it will just scan and remove all the malicious stuff. You have Norton, which I do not recommend. After the web scan you might consider buying BitDefender, which has solid performance and low system impact. If you want something free, then get Avast, which is also very good. Don't get the Professional version; the Home version has everything that a normal user requires.

    To make removing Norton easy, use the Norton Removal Tool, which does everything for you. Google "norton removal tool", click on the first link, select Norton 360 and download it, then double-click and run it. It removes everything from folders to registry entries associated with 360.

    Hope this helps.
  17. momok Newcomer, in training Posts: 2,272

    Windows Live OneCare is not enough to deal with the malware. In fact, there is no single program that effectively removes all types of malware. That said, wdawg is now clean of malware as we have just finished the cleaning earlier.

    The Norton Removal Tool is a good idea though. We have it on our forums; you just have to search for it.
  18. wdawg Newcomer, in training Posts: 37

    Bobbye - I didn't remove Norton in this whole process. I think you're thinking that I did already. Norton is my anti-virus, although, I have thought about switching to another one because as Momok says: It's "bloatware" and makes my computer pretty sluggish. My concern is that the file I mentioned above is duplicated in my processes while it's running. One under my username and one under "system". Whenever I shut down or reboot, that file comes up as unresponsive like 95% of the time. Not sure why.

    Any suggestions for free anti-virus/firewall protection? I still have the Avira application downloaded but not installed. Any suggestions?
  19. Vezineth Newcomer, in training

    Anti Virus + Firewall

    Some of us already mentioned Avast!, which is a fully functional anti-virus, and for a firewall I recommend getting Comodo Firewall Pro, which is one of the best to date.
  20. wdawg Newcomer, in training Posts: 37

    Thanks for the suggestion, Vezineth. I'm kind of leery about anything outside of Norton. Ever since I've owned a computer, I've only ever used Norton. It would feel quite odd to step out of that "realm" of security without knowing a lot about the success of some of these other programs.