Am I virus - spyware - anybadthingthatslowsmypcdown-ware free...?


Cobra_MX5

Hello, this is Paul from Greece...

I used to have the "Spyware infection has detected" problem, as well as a Vudo trojan infection (don't know if they are the same thing), but followed howard_hopkinso's 15-step guide (BTW, thanks mate) to clean my PC up...

I think it worked, 'cause I believe all symptoms have gone away...

Symptoms before I did the cleanup were:

- PC used to reboot on its own every now and then, I think Windoze used to crash because when it started up again, it would give me an error report...

- winlogon.exe failure upon startup

- Norton would pop a window saying something about a file infected with Trojan.Vundo and even if I closed it, it would pop up immediately

- Strange characters instead of normal "open - explore" etc on right-click menus on hard drives.

- When double-clicked, hard drives wouldn't actually open but a "autorun.vbs" script would run (didn't actually, 'cause Norton didn't allow it to)

- Red shield with a white X in the tray that often popped up a yellow balloon saying "Spyware infection has detected"

Actions taken:

- 15-step "Viruses/Spyware/Malware, preliminary removal instructions" followed
- Norton uninstalled, AVG and ZoneAlarm installed

Programs Running now:

- AVG Anti-Virus Free Edition, fully functional
- ZoneAlarm: firewall, email protection and anti-spyware are on, while anti-virus is off
- AVG anti-spyware fully functional
- Spyware Doctor

I think everything is OK now...
Below I attached my HJT, AVG and ComboFix logs, could you tell me if my PC IS ok or not?
Should I do something?

P.S. With all these programs running, is Spyware Doctor actually helpful or just slowing the PC down? Should I de-activate something?

Thanks in advance!
 

Attachments

  • hijackthis.log (21.8 KB)
  • avgscan.txt (5.1 KB)
Hi Cobra_MX5 and welcome to techspot. =)

I noted that you had bumped your thread twice in less than the past 24 hours. Please refrain from doing so in the future, as it is against the forum rules. Please wait at least 24 hours before bumping your thread.

You may wish to copy and paste these instructions into Notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

Alcmtr

Open your Task Manager by pressing and holding Ctrl and Alt, then pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab and end the following processes, if found:

ALCMTR.EXE

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - Winlogon Notify: wudb - C:\WINDOWS\system32\wudb.dll (file missing)

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\g5518015.exe
C:\WINDOWS\system32CmdLineExt.dll
C:\WINDOWS\system32\FBAE01E83A.sys
C:\WINDOWS\SW_Win2000X9.DLL
C:\WINDOWS\SW_Win2000X16.DLL
C:\WINDOWS\bwUnin-7.2.0.137-8876480SL.exe

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of Cobra_MX5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
momok said:
I noted that you had bumped your thread twice in the past less than 24 hours. Please refrain from doing so in the future as it is against the forum rules. Please wait until at least 24 hours before bumping your thread.

Sorry mate, I didn't know I was breaking the rules... I just felt kinda... left out because I didn't get any answers... Sorry, though...

I did what you said in your post, here are my new HJT and ComboFix logs...

What about the programs I use, are they OK / should I uninstall some / install some more?
 
I downloaded all three programs you mentioned during the cleanup, so I already got them... But I think they are not protecting in real-time, I mean that you have to perform a system scan every now and then for the programs to actually work, or am I wrong? If it is so, plz tell me what extra steps I have to take in order to make the most out of these programs without using up much of my system resources?

Thanks!
 
No, the programs I told you about don't protect in real time (except Ad-Aware, but you need to buy it :eek: )

AVG anti-virus / anti-spyware is real time

Also, you should delete Norton (from your post you said you had it). It takes up all of your CPU usage and makes boot time a lot longer than it should be. Go here https://www.techspot.com/vb/topic57112.html and install the program.


Also follow this guide https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/ and download all the programs it says (unless you already have them), then follow the instructions. It should get rid of all the viruses you have :)
 
Hi,

Personally, I've used both Spyware Doctor and Spybot S&D. Both have real-time system monitors, but I find Spybot much better because of its TeaTimer. It tracks changes to your registry and you can set rules to always allow/disallow in future. Spybot has helped protect my system from further infection in several past cases, thus I would highly recommend it. However, getting it is entirely your choice. I would advise you to use only one of the two, though.

I entirely agree with TimeParadoX on Norton. It is quite a serious system hog. Again, removing it is up to you.

Your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

You may also delete the C:\VundoFix Backups folder and its contents.

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend that you read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

This thread is for the use of Cobra_MX5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hello, it's me again!!

Got infected again... :(
This time symptoms were:
- autorun.vbs on all disks and strange characters appearing on right-click menu on any disk (same as previous time)
- screen saver inactive (while set as active, it wouldn't ever come up, as if my pc were active 24/7)

Followed the 15-step cleaning procedure once again, and everything is OK now... Is everything actually OK? I attached ComboFix and HJT logs, and AVG Anti-Rootkit found no rootkits present...

Since this is the third time I get this "autorun.vbs" sh*t, I am wondering where I get it from... Any ideas?

Thanks again!!
 
Please complete the following steps, which should finish off the cleaning process.

  1. Run HijackThis and do a system scan. Place a check in the box next to the following entry (if there):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ÓõíäÝóåéò

    Also place a check in the box next to all the O18 entries.

    Then close all open windows except HJT and click the Fix Checked button. Wait until it's done fixing, then close HJT.

  2. Please download the file CFScript.txt attached to my post. Save it in the same folder as ComboFix.

    Referring to the image below, drag the CFScript.txt that you downloaded earlier over on to ComboFix.exe and release.

    CFScript.gif


    This will ask ComboFix to execute the instructions within my file. Let ComboFix run normally and do its job. Attach the resultant log in your reply.

  3. Please navigate to www.virustotal.com.

    In the Upload a file section, click the Choose... button.

    Navigate to the following file:

    C:\WINDOWS\system32\perfc008.dat

    Click the Open button, then click Send File.

    Make note of the results.

    Then do the same with the following file:

    C:\WINDOWS\system32\d3d9caps.dat

  4. The version of HijackThis that you are using is outdated. Please obtain the latest version from the link in the Viruses/Spyware/Malware, preliminary removal instructions. Then post a fresh HJT log, an AVG Anti-Spyware log, the ComboFix log resulting from the CFScript, and the virustotal results as attachments into this thread.
Regards :)

This thread is for the use of Cobra_MX5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 

Attachments

  • CFScript.txt (41 bytes)
OK, here goes:

- I downloaded the latest version of HJT, v2.0.2...

- virustotal.com found no viruses in either my perfc008.dat or d3d9caps.dat files...

- I attached all HJT, AVG and ComboFix logs...

The AVG log will show 11 cookies that have "no action taken", because although I tried to quarantine them, it was not available as an option... So I didn't delete them while waiting for a reply... All 11 cookies are "Tracking Cookies"... Should I delete them?

What should I do to prevent these "tracking cookies" from getting into my PC? Should I delete them every time I run into them?
 
Please download the file CFScript.txt attached to my post and save it to the same folder as ComboFix.

Referring to the image below, drag the CFScript.txt that you just downloaded over onto ComboFix.exe and release.

CFScript.gif


This will ask ComboFix to execute the instructions within my file. Let ComboFix run normally and do its job. Attach the resultant log in your next reply.

Also, search your computer (including hidden and system files and folders, flash drives, memory cards, and CD-R/CD-RWs; excluding CD-ROMs) for autorun and post here where it was found.

Regards :)

This thread is for the use of Cobra_MX5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
kitty500cat said:
Please download the file CFScript.txt attached to my post and save it to the same folder as ComboFix.

Referring to the image below, drag the CFScript.txt that you just downloaded over onto ComboFix.exe and release.

CFScript.gif


This will ask ComboFix to execute the instructions within my file. Let ComboFix run normally and do its job. Attach the resultant log in your next reply.

Had done that already ;) ...

kitty500cat said:
Also, search your computer (including hidden and system files and folders, flash drives, memory cards, and CD-R/CD-RWs; excluding CD-ROMs) for autorun and post here where it was found.

OK, did it... Ran a search for "autorun.*" and found 36 files: 15 of which are .html files (support for a game), 11 are .inf files from various programs (that I know are installed on my PC), 2 of them are icons, 1 is a .exe (installer for a program), but one file is named "autorun.exe.manifest", while 4 others are "autorun.inf.vir" files, but they are in a folder called C:/QooBox/Quarantine, somehow...

What should I do with the cookies AVG found?

P.S.: BTW, all symptoms are gone since I took the 15-step-cleaning process...
 
Sorry, I forgot about the cookies; pictorial instructions on how to deal with AVG Anti-Spyware scan results HERE.

Please do the CFScript thing again, only using the CFScript attached to my 8:51 PM post.

The autorun.inf.vir files (found in C:\QooBox\Quarantine) are files that ComboFix has renamed and quarantined. Where are the 11 .inf files, the 1 .exe.manifest file, and the 1 .exe file located?

It seems this malware copies itself to flash drives and makes itself run as soon as the drive is accessed, which tends to complicate things.

Regards :)
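Added example, not from the thread or any of its helpers: a small Python 3 triage script that performs the autorun.* search asked for above and, for each autorun.inf it finds, reports which keys would launch a script or program on AutoPlay or from the drive's right-click menu (the overridden "open"/"explore" entries this thread describes). It assumes nothing beyond a Python 3 interpreter; the sample autorun.inf it scans is constructed in a temp folder and is not a real infection.

```python
import os
import tempfile
from pathlib import Path

# autorun.inf keys that make Windows run something: "open"/"shellexecute" fire
# on AutoPlay, and shell\<verb>\command replaces the drive's right-click verbs
# (the overridden "open"/"explore" entries seen in this thread).
LAUNCH_KEYS = ("open", "shellexecute")
RUNNABLE_EXTS = {".vbs", ".wsh", ".js", ".bat", ".cmd", ".exe", ".scr", ".pif", ".com"}


def find_autorun_files(root):
    """Every file named autorun.* under root, like the manual search in the thread."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files if n.lower().startswith("autorun."))
    return sorted(hits)


def parse_autorun_inf(path):
    """Return {key: value} from the [autorun] section, keys lowercased.
    Hand-rolled because worm-written files often contain junk lines that
    configparser would reject."""
    entries, in_section = {}, False
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(";"):
                continue
            if line.startswith("["):
                in_section = line.lower() == "[autorun]"
            elif in_section and "=" in line:
                key, value = line.split("=", 1)
                entries[key.strip().lower()] = value.strip()
    return entries


def launch_findings(entries):
    """(key, value) pairs whose value would run a script or program; a human decides if it belongs."""
    findings = []
    for key, value in entries.items():
        is_launch = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        tokens = [t.strip('"') for t in value.split()]
        if is_launch and any(Path(t).suffix.lower() in RUNNABLE_EXTS for t in tokens):
            findings.append((key, value))
    return findings


def demo():
    """Constructed sample (assumption, not a real infection): a worm-style autorun.inf at a fake drive root."""
    root = tempfile.mkdtemp()
    Path(root, "autorun.inf").write_text(
        "[autorun]\nopen=autorun.vbs\nshell\\open\\command=wscript.exe autorun.vbs\n"
        "shell\\explore\\command=wscript.exe autorun.vbs\nicon=drive.ico\n")
    return {p: launch_findings(parse_autorun_inf(p))
            for p in find_autorun_files(root) if p.lower().endswith(".inf")}


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", findings or "nothing launched")
```

Pointed at real drive roots, a legitimate installer disc typically shows a single open=setup.exe, whereas an autorun.inf at a hard-drive or flash-drive root whose open and shell\...\command keys all point at an autorun.vbs/.wsh beside it is the pattern to quarantine rather than double-click.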
 
the .inf files are:
- 6 of them are in my documents, they are related to some applications I have there...
- 4 of them are in "Norton Antivirus 2005" - I can't locate where the folder is exactly, search results have "Norton Antivirus 2005" as its location...
- one of them is in C:\Program Files\Corel\CorelDRAW Graphics Suite X3 Setup Files
- one is in C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}
- one is in C:\Program Files\HP\Temp\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}
- one is in F:\Program Files\Ulead Systems\Ulead VideoStudio 8.0 SE DVD\Player
- one is in a zip file containing the installation files for an application
- one is in "Photoshop CS2", doesn't give an entire path

I just noticed there is one .ini file in C:\Program Files\Corel\CorelDRAW Graphics Suite X3 Setup Files

The .exe.manifest as well as the .exe files are also in C:\Program Files\Corel\CorelDRAW Graphics Suite X3 Setup Files...

Should I delete the .vir files?

I ran ComboFix again with the new script, results are attached below...

I haven't used a flash drive recently... Could it be stored on an SD card? I use these in my camera as well as my cellphone...

In the past I had the same problem again (prior to the first time I wrote here), but it had only infected a portable hard drive I had, which I formatted...
 
Boot into safe mode, under your normal user name (not the administrator account). See how HERE.

In Windows Explorer, turn on "show all files and folders, including hidden and system." See how HERE.

Go into your Task Manager by pressing and holding ctrl+alt+delete, then releasing them simultaneously.

Go to the Processes tab and select the following processes if they are running. Then click the End Process button. A message box may come up, asking if you really want to end the process; click Yes.

autorun.exe
autorun.inf
autorun.vbs
autorun.bin
autorun.reg
autorun.tmp


Close the Task Manager.

Then navigate to and delete the following files (if there):

C:\autorun.bin
C:\autorun.reg
C:\WINDOWS\system32\autorun.bin
I:\autorun.exe

Then reboot into normal mode and rehide your protected files, by doing the reverse of the above instructions.

Please post a fresh HJT log after rebooting into normal mode.

Regards :)

This thread is for the use of Cobra_MX5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
No autorun.whatever processes were running...
I deleted all files, except for I:/autorun.exe, which is the autorun executable from a dvd-rom...

I noticed one thing, though: In all my hard drives (C:, E:, F: and N: that is), I found the following files:

- autorun.bin
- autorun.txt
- autorun.wsh
- autorun.reg

(I think those were the file types, not sure tho...) Should I delete them?
I deleted autorun.bin and .reg from C:/ drive as you told me, but ignored the others... Should I delete them?

Should I also delete the files in the "QooBox"?
 
OK so I noticed something... Although the PC seems fine, this happened: all night long, although I have a screen saver as well as the feature that turns the monitor off activated, it would neither go to screen saver mode nor turn the screen off... What could have caused that?

Edit (half a day later): Everything is OK now, screen saver etc work fine... I didn't change anything! What caused the screen saver not to work properly? Could it be that I had left a window of MediaPlayer open?
 
DEAR GOD WHY ME?

As you can guess, I GOT INFECTED AGAIN!

Symptoms are a bit different, this time...
- Strange characters in right-click menu on hard drives (only on internal drives, tho! External (Portable) HD is OK)
- When double-clicking to open a hard drive I get an "access is not permitted" kind of message and nothing happens... So I need to right-click the HD and open it.
- PC seems REALLY slow at times eg. when "My Computer" is opened, or when some Games are played...

I did the 15-step guide again but things didn't get any better...
I attached combofix, HJT and avg antispyware logs...
AntiRootkit found no rootkits.

Please help!
 

Attachments

  • ComboFix.txt (12.4 KB)
  • hijackthis.log (10.5 KB)
Sorry for not getting to you earlier. I somehow missed your post.

I'm not sure how to fix some of the malware I saw in the ComboFix log. It might require registry editing, but I'm not too sure about it and I'd rather not tell you to do something I'm not sure about.

Howard, can you get here soon? ;)

Regards :)
 
Please post an AVG Antispyware log.

Please visit this link http://virusscan.jotti.org/
* Click the Browse... button
* Navigate to the following file C:\WINDOWS\nMtsk.exe
* Click Open
* Please let me know the results.

Regards Howard :)

This thread is for the use of Cobra_MX5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Nothing was found in nMtsk.exe...

I am running an AVG Antispyware full system scan to save a log, although last time I did a full scan (2 days ago, right before posting), it didn't find anything other than one cookie (low risk level) which was deleted by mistake... It seems I forgot to keep a logfile...

Will post it asap...!
 
If your AVG Antispyware scan doesn't find anything, then there's no need to attach it.

Your HJT and Combofix logs appear to be clean.

I'd like you to run the AVG Antirootkit programme as per step 11 of these instructions.

I'd also like you to run this tool.

Download this TOOL. Extract it and run the Noob_kill.

Please let us know the results.

Regards Howard :)

This thread is for the use of Cobra_MX5 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 