175 viruses-2 computers infected. Did I get rid of them?


CelineTherese

Hi there! I'm Celine. I wonder if someone out there can help me? I got my 2 computers infected because I didn't have any firewall, no Spybot, no Ad-aware, just AVG Free updated.

After finding your forum and reading up on the threads I followed Howard's advice and instructions for preliminary virus removal.

Ad-aware found 175 critical objects right away, Spybot 23, Spyware Doctor 21! Among the viruses named were: Trojan Dumaru, trojan PSW.QQ Pass.AM, trojan generic, trojan Win32, Worm Bagle, SmitFraud, Zango, Consul-Info b.v., Bearshare, WildTangent, Dialer.Axload, and many others. What a mess. I did follow all Howard's instructions for preliminary removal. Below are my HJT logs; the one called HJT log Compaq is computer #2. Can you tell if I did it right and got rid of all the viruses? :dead:

Excuse me.... here are the attachments.

computer 1.
 
Hello and welcome to Techspot.

I've just looked at your HJT log and your system is infected with at least one worm.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If you decide you want to clean your systems, do the following. Disconnect your systems from each other, if they are networked.

I will need a separate HJT from each system, plus an AVG Antispyware log from each system.

Regards Howard :wave: :wave:

This thread is for the use of CelineTherese only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hello again. Hey, I'm really sorry, but I can't seem to post 2 attachments; only 1 gets accepted. What am I doing wrong? Another question: how do I save an AVG log?
 
I thought you'd read the instructions in the preliminary virus removal lol.

All the instructions you need for AVG Antispyware etc, are in that thread.

I don't know why you can't attach more than one attachment, so let's do it this way. We'll clean each system separately. So let's do system 1 first, then we'll move on to system 2.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

ppl.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SERV:80 <Fix this if you didn't set this proxy yourself or you don't know what it is.

O4 - HKCU\..\Run: [agent] C:\WINDOWS\system32\ppl.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Advisor - {100898FF-EABB-4177-8927-4D2AD7BD7391} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)

O16 - DPF: {510AAE6C-3480-43B7-BE97-2DCBC2542FEB} (StuartClient Control) - https://webphone.globequest.com.ph/webphone/common/Innove_IAX.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD1C5F7-FBBA-4999-9E4E-C6705F6FA680}: NameServer = 212.17.192.216,212.17.192.56 <Only fix this if it doesn't belong to your ISP.

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\system32\ppl.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and an AVG Antispyware log.

Regards Howard :)

This thread is for the use of CelineTherese only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
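As an added example (not code from this thread, and not part of HijackThis itself), the following Python script parses HJT-style entry lines like the ones Howard asked Celine to fix above and applies the same review rules he used: a proxy you did not set yourself, an O4 autostart that is not on your own known list, an orphaned "(file missing)" entry, an O17 NameServer that is not your ISP's, and an O23 service with an unknown owner. The sample log is constructed from the entries quoted in this thread; the expected DNS server and the known-startup list are placeholder assumptions you would replace with your own values, and the script only reports entries for review, it does not change anything.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence

# Constructed sample: the entry lines quoted in this thread, assembled into one
# log body for illustration. This is not a real log from either of Celine's PCs.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis (constructed sample)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SERV:80
O4 - HKCU\..\Run: [agent] C:\WINDOWS\system32\ppl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {510AAE6C-3480-43B7-BE97-2DCBC2542FEB} (StuartClient Control) - https://webphone.globequest.com.ph/webphone/common/Innove_IAX.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD1C5F7-FBBA-4999-9E4E-C6705F6FA680}: NameServer = 212.17.192.216,212.17.192.56
O23 - Service: DirectX Service (DirectMeqq) - Unknown owner - C:\WINDOWS\
"""

# Every HJT entry line starts with its class (R1, O4, O17, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")


@dataclass
class HjtEntry:
    kind: str           # entry class, e.g. "R1", "O4", "O17"
    body: str           # everything after "Kind - "
    file_missing: bool  # HJT marks orphaned launch points with "(file missing)"


@dataclass
class Finding:
    kind: str    # entry class the rule fired on
    reason: str  # why a human should look at it
    detail: str  # the value that triggered the rule


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Turn the raw log text into structured entries, skipping header lines."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            body = m.group("body")
            entries.append(HjtEntry(m.group("kind"), body, "(file missing)" in body))
    return entries


def triage(entries: Sequence[HjtEntry], expected_dns: Sequence[str],
           known_proxies: Sequence[str] = (), known_startup: Sequence[str] = ()) -> List[Finding]:
    """Apply the review rules from the thread; returns entries worth a second look."""
    known_exe = {name.lower() for name in known_startup}
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append(Finding(e.kind, "orphaned entry, target file missing", e.body))
        elif e.kind == "R1" and "ProxyServer" in e.body:
            proxy = e.body.split("=", 1)[1].strip()
            if proxy not in known_proxies:
                findings.append(Finding(e.kind, "proxy you did not configure", proxy))
        elif e.kind == "O4":
            # Run entries look like "[name] path"; Global Startup entries like "x.lnk = path".
            path = e.body.split("] ", 1)[1] if "] " in e.body else e.body.split("= ", 1)[1]
            exe = path.strip().split("\\")[-1].lower()
            if exe not in known_exe:
                findings.append(Finding(e.kind, "autostart not on your known list", path.strip()))
        elif e.kind == "O17" and "NameServer" in e.body:
            servers = [s.strip() for s in e.body.split("=", 1)[1].split(",")]
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                findings.append(Finding(e.kind, "DNS server not your ISP's", ",".join(unexpected)))
        elif e.kind == "O23" and "Unknown owner" in e.body:
            findings.append(Finding(e.kind, "service with unknown owner", e.body))
    return findings


def triage_sample() -> List[Finding]:
    """Run the rules over the constructed sample with placeholder allowlists."""
    return triage(
        parse_hjt_log(SAMPLE_HJT_LOG),
        expected_dns=("192.0.2.53",),        # placeholder: put your ISP's real DNS server here
        known_startup=("sistray.exe",),      # the SiS tray utility, which Howard treated as optional
    )


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.kind}: {f.reason} -> {f.detail}")
```

Run as-is it lists five entries for review (the proxy, ppl.exe, the orphaned xpnetdiag button, both NameServer addresses and the DirectMeqq service) and stays quiet about sistray.exe and the O16 download, because the rules only flag what is not on your own known list; the decision to fix an entry still belongs to whoever reads the log.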
 
Hi, I'm back. This is for computer #2: I followed your instructions and also deleted the objects you named except for this one:

O17 - HKLM\System\CCS\Services\Tcpip\..\{5AD1C5F7-FBBA-4999-9E4E-C6705F6FA680}: NameServer = 212.17.192.216,212.17.192.56 <Only fix this if it doesn't belong to your ISP.

because I don't know if it belongs to my ISP. How do I find out?

Here are the attachments now:
 
A trace of 212.17.192.216,212.17.192.56 comes up with ns4.albacom.net. If you do not recognise it then it should be removed.

Other than that entry, your HJT log looks clean.

Your problem with posting 2 attachments may have been caused by them both having the same name, perhaps?


This thread is for the use of CelineTherese only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Your HJT log is clean, but your system is infected with a dialer. AVG Antispyware should clean this, provided it is run correctly.

Go HERE and follow the instructions exactly for AVG Antispyware. Post a fresh AVG Antispyware log when done.

Regards Howard :)

This thread is for the use of CelineTherese only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
O.K. Here's the log for AVG Antispyware. How did I do? :giddy:

I wonder if this is a problem? A smiley face pops up every once in a while in the right hand side of the icon tray at the bottom of the start menu. Today it changed to a fish getting its head sawed off. Then it disappears. What is it?

Also there's this note pad that also keeps popping up saying:

[.ShellClassInfo]LocalalizedResourceName=@%SystemRoot%\System32\shell32.dll,-21787
 
Delete all files in AVG Antispyware quarantine. It's killed the dialer this time.

Also there's this note pad that also keeps popping up saying:

[.ShellClassInfo]LocalalizedResourceName=@%SystemRoot%\System32\shell32.dll,-21787

I'm not sure what that is, to tell you the truth.

Do the following.

Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

Attach the Autoruns log here.

To recap. I need to see a fresh HJT log as well as the combofix and autoruns logs.

Regards Howard :)

This thread is for the use of CelineTherese only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Take a look at this thread HERE, it may help with the [.ShellClassInfo]LocalalizedResourceName=@%SystemRoot%\System32\shell32.dll,-21787 problem, which is caused by some kind of corruption apparently and not by malware.

Your HJT log is still clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of CelineTherese only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Computer #1

Thanks Howard! I'm really glad we got this computer fixed, no more virus problems. The funny face and the fish haven't come back, however; just that note pad thing. I'll check it out. Can we fix computer #1?

Here's the HJT log. Sorry, I can't upload the file; it says "upload error". I will try again later; only the AVG log got accepted.
 
Ok mate.

If you continue to have difficulties with attaching the HJT log, you can copy and paste it and I'll delete it when I've finished with it.

Regards Howard :)

This thread is for the use of CelineTherese only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Reply to Howard re: attachment trouble

Thanks Howard, here it is:

Still trying to send an attachment: O.K., this one worked! It's a fresh HJT log for today. :) :)
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

DirectX Service (DirectMeqq) <Disable either the service name or the name in brackets.

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

directx.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O23 - Service: DirectX Service (DirectMeqq) - Unknown owner - C:\WINDOWS\

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\system32\directx.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know how the system is running.

Regards Howard :)

This thread is for the use of CelineTherese only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
O.K. Howard, here's a fresh HJT log. I did all the stuff you asked me to do. :wave:

After I disabled directx.exe though, it didn't show up anymore in HJT nor in system32. Is it a virus? After the removal of 83 critical objects (one of them called Generic trojan) by Spyware Doctor last week, this computer did stop working completely. I didn't want to reformat the computer because of all the important stuff I have on it, so I just tried recovering it from the original CD. I lost all the updates after Service Pack 2 though, and now it doesn't update automatically anymore.

Hey, the attachments seem to be working now. Hmmm... just can't figure out why sometimes it doesn't work.
 
Your HJT log is now clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of CelineTherese only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks a million Howard! You're #1!

That's great news! Thanks Howard for everything! You may have heard it a million times, but I really do appreciate your taking the time to help out a newbie like me! You're #1! :D
 
New threat, Howard?

Hello, again Howard. I hope I'm not disturbing you but you said if there are any new problems I can post here.

A new icon has appeared in my icon tray, and when I click on it, it has no name, no version number, and no application.

It has some sort of menu but none of it works, only the "about" which when I click on it says: "SIS- Best Choice! version unknown "

On startup, a picture appeared of the same thing but I found it in my startup menu and eliminated it and it disappeared.

In my HJT log it was registered as Startup-jpeg, but after I cancelled it from startup it hasn't come back. Can you please take a look at my HJT log? However, it's still on my desktop in the icon tray and I don't know if it's supposed to be there.

Microsoft did have an optional update for hardware which I downloaded. Is it this thing? But it doesn't show up in updates.
 
Your HJT log is clean.

If you want to get rid of the tray icon, fix this entry with HJT.

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

Regards Howard :)

This thread is for the use of CelineTherese only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
keyhook.exe problem

Sorry, Howard, I don't want to be a pain, but all kinds of funny things are popping up all over the computer. And on startup ZoneAlarm warns that "SiS compatible Super VGA Keyboard Daemon" is trying to access the trusted zone. I've never heard of that keyboard before. The application associated with it is keyhook.exe. Is this a virus problem? Also there are these desktop configuration notes appearing all over the computer in all the folders. I tried to delete them all. Here's a new HJT log. Sorry for the problem. By the way, should I get rid of those two "file missing" entries in HJT, or doesn't it matter?
 
keyhook.exe is a process which belongs to Acer Launch Manager. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.
It looks like it's OK.
Did you have any Acer things on the PC?
Maybe "SiS compatible Super VGA Keyboard Daemon" is related to this keyhooker.
Anyway, "Super VGA Keyboard Daemon" sounds strange to me.

Regards
 
re: Acer

Hi, it sounds strange to me too, especially since in all the time I've used this computer it's never done that before. It is a laptop, Acer Aspire 3502 NLCi, though. Looking it up in Everest, the keyboard is a standard 101/102-key or Microsoft Natural PS/2 Keyboard. It doesn't say anything about a Daemon.

Do you think it has to do with that hardware update from Microsoft? It was an optional update. However, all the antivirus programs don't show any viruses.
 
Look at this:
The program called keyhook.exe is used to allow multimedia keys on Acer multimedia keyboards to function correctly. If you stop this process all of the 'normal' keys on the keyboard should still function, but the multimedia keys will not. Only stop this process if it is causing instability to your system.

keyhook.exe is flagged as a system process and does not appear to be a security risk. However, removing Acer Hotkey Application may adversely impact your system.

The Spy Bot database currently registers keyhook.exe to Acer.

This is part of Acer keyboard drivers.

You say that your laptop is an Acer Aspire.
It's OK and I don't see any problem in this keyhooker (except the name).

Regards
 
Thanks Gars, that's good news. Can you please tell me how to get rid of the desktop notes that are appearing in all the folders of the computer? I cancel them, but they just keep coming back.
 