Im Infected


Untamed Desirez

I'm in need of Tech Support advice. I've been reading these posts and answers for people that have been infected with the PSW.x-Vir trojan. I too have caught this disease and now my puter is sick ~ makes sad face ~. I have tried everything I could think of. I went into my "C" drive and tried to delete the file but it says "Error cannot delete this file may be in use by another program." It also says "Violates user agreement". I currently have the McAfee Internet Security Suite installed and running on my system. When this trojan moved in I was supposedly protected by this Anti-Virus program. I have run many scans and yet McAfee has not destroyed it. I keep getting these annoying pop-ups and a small shield in the lower right hand corner of my system. It has currently created a new folder in my registry "C" drive called "Video ActiveX Access". I tried to delete the entire folder and yet it's still alive. ~ Again makes sad face ~. I even tried to send the contents of this folder to the McAfee shredder, it just laughed at me.. ~ raises eyebrow ~. Is there anyone here that can save me from going crazy please???
 
Hello and welcome to TechSpot.

It sounds like you are infected with the Zlob trojan.

Very important: Before deciding whether to clean or reformat your system, read this thread and decide what you want to do.

If you decide to clean your system after reading the above thread, do the following.

Go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread, only after doing the above. Also post here the results of the AVG Antirootkit scan.

Regards :)

This thread is for the use of Untamed Desirez only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Hello & Glad to be here.
I currently have "McAfee Internet Security Suite" installed on my system. If I download the "AVG" won't it be in conflict with my current Anti-Virus/Anti-Spyware protection? I have also run a scan with the link provided in step #3. It completed the scan and found infectious parasites. When I clicked on "Clean" it shut down my entire browser.
 
Yes, McAfee and AVG could cause conflicts if installed at the same time. I recommend removing McAfee, but it's up to you. Please let me know what you decide.
 
Yes, I will uninstall my McAfee. I mean, after all, it didn't protect me as it should have. ~ Raises eyebrow ~. I'm on step #8. I will be uninstalling McAfee before I reboot in safe mode.

Thank you.
 
I seem to have a problem. I just went to my "Set Program Access and Defaults" - "Add and Remove Programs" to uninstall my McAfee and it is no longer showing as a program in there, so at this point I am unable to uninstall it. I also noticed that a few of my other programs are no longer listed in there. Do you have any suggestions on how to fix this problem? Should I just proceed to step #9? Also, I just rebooted hoping that it was a mere glitch in my system and hoping that upon rebooting the programs that were not showing in my "Set Program Access and Defaults" - "Add and Remove Programs" would be restored. However, to my dismay they are not. On top of everything else, the little blinking shield that was producing the pop-ups is no longer there but the dat file is still on my "C" drive.
 
Hmm. Is McAfee still running?

Just skip the parts about AVG Anti-Virus and Anti-Spyware and post the ComboFix and HJT logs.

Regards :)

 
Yes, it appears to be running. It is not currently scanning but when I click "Open Security Center" it says "Yes you are protected". So I assume it is active. I have just completed step #9. I ran the cleaner several times. When I logged onto the cleaner "ALL" boxes were already check marked with the exception of "ADVANCED"; none of those boxes were check marked. So I of course took the liberty of checking them, now hoping I was supposed to ~ Raises eyebrow ~
 
On step #10 it says download and run these tools with the directions given on each of their web sites. Unfortunately step #2 does not come up as a web site but only as a download box. It has the options of "Open", "Save", "Cancel" and "More Info". It shows the file name as: VirtumundoBeGone.exe, file type: Application, From: Secured2k.home.comcast.net. So now my question is how will I know what to do with this application if there is no web site attached?
 
CCleaner contains an Uninstall tool. Try to uninstall McAfee using that.

As for the VirtumundoBeGone.exe problem, just download the file and run it. The resulting logfile will be located on your desktop under the name VBG.txt. Please attach that logfile into your reply, as well as fresh HJT, ComboFix, and AVG Anti-Spyware logs.

Regards :)
 
I just went to the cleaner and it does not have McAfee listed as a program there either. So I'm just going to proceed.

Thank you
 
I have a question about tool #1. It says that it can create a report about the infected files. It tells you how to reboot in safe mode and clean the files. Am I supposed to do this or just go and get the log? Tool #1 is SmitFraudFix.exe. Which tool is the HJT? Which one is the ComboFix?
 
If tool #1 in Step 10 found bad files, then follow the instructions to boot into safe mode and remove them.

HijackThis is in Step 4. ComboFix is in Step 12.

Regards :)
 
In re: ComboFix scan

The AVG didn't find anything and it did not create a report. I'm unhappy to say but the little annoying shield is back on my computer. I just finished step #12 and these are the results:


What should I do now ?
 
Hi,

Please complete the remaining steps and post all requested files, and results of the AVG anti-rootkit scan.

Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.
Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

Thereafter, please post fresh HJT and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

 

Attachment: Combofix-Do.txt
In re: HijackThis

I just completed the HijackThis scan and here are the results. I still have this annoying little blinking shield in the lower right hand corner. I also ran the AVG AntiRootkit and the results came back with nothing found. I have also attached the AVG AntiSpyware results. Ad-Aware would not allow me to run it in safe mode, so when I rebooted in regular mode it said that it had errors, so at this point I have been unable to run that product.
 
Unfortunately I am misunderstanding what it is that you want me to do with the ComboFix, because I saved it to the folder marked "ComboFix" on my "C" drive and when I opened that folder there were no other contents in it with the exception of the file that you have just told me to save there.
 
Hi,

Have HijackThis fix these entries:
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - (no file)
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSYYYYYYYZUS
O22 - SharedTaskScheduler: fagging - {94524218-9af3-4643-9687-cbc2880e54da} - C:\WINNT\system32\nuqjici.dll

Where are you running ComboFix from? (i.e. where is your combofix.exe located?)
Save the attachment from my previous post into the same folder. Then drag the Combofix-Do.txt icon over onto the ComboFix.exe icon and let go. This will run ComboFix via my instructions.

After that, post the resultant ComboFix log as well as a fresh HijackThis log in your reply.


Regards,
Your friendly momok =)

 
To be really honest I don't know where it's located. The folder named "ComboFix" is located in "C". But the contents of the folder are empty. I am currently at work and unfortunately do not have access to my computer. I saved the copy of the scan results to my "Desktop". I believe there is also a document called "Quarantine" in "C" that ComboFix also created.
 
I'm home now... If possible I'd like to resume my help, please.

Thank you

I have just run and cleaned, or had HijackThis delete, the files as instructed. Here are the attached results after another scan. I'm still trying to figure out where the ComboFix is.....

I did a search for files & folders for "ComboFix". It located 1 empty folder & 5 text documents. One of the documents is titled "ComboFix-quarantined files" so I clicked on it. I then noticed it says:

Folder PATH listing for volume DSK1_VOL1
Volume serial number is 0006FE80 C398:B160
C:\QOOBOX
\---Quarantine
+---C

So at this point I'm assuming this is where it is located. Am I correct?

I have attached the file.

I couldn't locate the other file for ComboFix, nor did I know where the application was being stored, so I went back to my instructions given by a Tech on here & I reinstalled the "ComboFix". I made sure it was saved on the "C" drive. When I double clicked it as instructed in the first instructions it automatically started. I was not prompted to do anything. Here is the result of that scan.

Edited by Moderator: No need for a double post if there are no replies between your current post and the last post, unless bumping the thread. In that case, please wait at least 24 hours before doing so. Otherwise, simply use the "Edit post" button instead.
 
Computer is sick

I am unable to get rid of the ActiveX virus. I have followed all of the steps and other different ways. I just can't seem to get rid of it. I need help, so now what do I do?
 
As you already know I had to reinstall the "ComboFix" and it automatically ran itself without any prompting. The good part about all of this is that this time it actually saved to my "C" drive. I opened my "C" drive, where I also saved the "ComboFix-Do" file by a Tech Support on this thread, and dropped it into the "ComboFix". It automatically ran itself and this is the report it produced.

Now what do I do??? Where do I go from here???

Edited by Moderator: No need for a double post if there are no replies between your current post and the last post, unless bumping the thread. In that case, please wait at least 24 hours before doing so. Otherwise, simply use the "Edit post" button instead.
 
Hi,

Please wait until at least 24 hours have lapsed since the last reply before you bump your thread.

Navigate manually in Windows Explorer and delete these 3 files.
C:\WINNT\system32\Perflib_Perfdata_604.dat
C:\WINNT\system32\Perflib_Perfdata_5c4.dat
C:\WINNT\system32\Perflib_Perfdata_520.dat

Apart from that, your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

You may also delete the C:\VundoFix Backups folder and its contents.

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend that you read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

 
Good morning momok,

I have a couple of questions. I'm sorry it took me so long to respond. You said

Navigate manually in Windows Explorer and delete these 3 files.
C:\WINNT\system32\Perflib_Perfdata_604.dat
C:\WINNT\system32\Perflib_Perfdata_5c4.dat
C:\WINNT\system32\Perflib_Perfdata_520.dat

I'm a little curious as to how to do this?

I've also been running scans and it keeps detecting the quarantined files on my "C" drive. Is there a way to delete those files? I ran a scan yesterday (AVG AntiSpyware scan) and it picked up something called hijacker.Agent.jw; it said it had a high risk level. See below:

The QooBox is where HijackThis stored the quarantined files from the previous infection that initially brought me to this web site. Is there a way to permanently destroy those files? Will these files keep being detected in scans? Is keeping those files in my system putting my computer at risk again?

Looking forward to hearing from you and thank you.

I just went into "Find Folders and Files" from my start button. It searched the "C" drive and found the first 2 files that you told me to locate and delete. I just right-clicked on them directly from the "Search Results" box and clicked "Delete". Was this a sufficient form of deletion or do I need to perform this in a different way? Also, this brings me to the last file on your list. After locating the first 2 and deleting those, it said the 3rd file didn't exist.

Perflib_Perfdata_520.dat

Did I do something wrong? If so will you please tell me how to continue.

Thank you

Edited by moderator: Please do not copy and paste logs here.
Also, no need for a double post if there are no replies between your current post and the last post, unless bumping the thread. In that case, please wait at least 24 hours before doing so. Otherwise, simply use the "Edit post" button instead.
 