Spy-Agent.bv!inf.......Utter Misery. Please Help.

[Algorhythmz]

I have been having an absolutely miserable time with this one. I've no clue how I contracted it. I googled instances of it and eventaully came to find a reference on this forum in this post:

https://www.techspot.com/vb/topic74768.html

I've followed the 15 step directions found here:

https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

and have done every scan and completed all instructions barring the fourth tool in step 10 which never re-opened after the alotted minute. I attempted it several times but eventually moved on.

I have logs of the scans that I can supply once I know where things stand.

I use mcaffee for antivirus, and it continually informs me over and over that I have this virus. I cannot quarantine or delete this virus due to it being part of winlogon.exe so I am unsure how to continue at this point. As each computer is different I have not continued following the instuctions given to dement0r but have halted at this point in hopes of more specific assistance. Please let me know what information I need to supply or any questions I need to answer to resolve this problem. Thank you.

 

[momok]

Hi Algorhythmz and welcome to techspot. =)

Important: Please read this thread HERE before you decide whether to clean or reformat your system.

Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. These are a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
Do follow all the instructions exactly.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste if not it will be ignored and/or removed by the moderators.

Also, please let me know the results of the AVG Antirootkit scan


Regards,
Your friendly Momok =)

This thread is for the use of Algorhythmz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Algorhythmz]

here are the requested logs, the antirootkit scan came up completely negative.

 

[momok]

Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

ASEService
QPS

Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:

Aluria Spyware Eliminator
QurioPhotoSharing

Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

ASEServ.exe
QurioService.exe

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {F2D35D99-63B1-46D3-970C-6E22320D5DCB} (kSoloCntrlIE Class) - http://www.ksolo.com/getPlugin.do

O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe
O23 - Service: QurioPhotoSharing (QPS) - Unknown owner - C:\Program Files\Qurio\QurioService.exe

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\SYSTEM32\sfsync02.dll
C:\WINDOWS\Screen Recorder Uninstaller.exe
C:\Delme.bat
C:\PROGRA~1\ALURIA~1
C:\Program Files\Qurio\

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


Regards,
Your friendly Momok =)

This thread is for the use of Algorhythmz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Algorhythmz]

No difficulties thus far in performing as directed. Here are the updated logs as requested.

 

[momok]

Hi,

Have HijackThis fix these two entries:
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab

Apart from that, your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder and also the entire C:\VundoFix Backups folder.

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.

I noticed that you are using Windows Defender. Here are some recommended firewalls and links to them.

For firewalls please use one and only one. Using more than one is not recommended as it will hog your system resources.
Zonealarm
Kerio
Comodo

May I also suggest that you read this thread here on how to speed up your system.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

This thread is for the use of Algorhythmz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Algorhythmz]

Done everything as instructed, no flaws in carrying them out. McAfee is still repeatedly and unceasingly giving me the virus detection popup.

"The file C:\WINDOWS\system32\winlogon.exe is infected by the Spy-Agent.bv!inf trojan and cannot be cleaned."

No choice given will either accomplish anything or prevent this notice from popping up. It also gives me a message about McAfee knowing there is a virus present on the system each and every time I reboot, both on logout and login. Unsure of how to proceed here.

 

[momok]

Hi,

I'd like you to try the following:

Download my attachment (Fixwinlogon.zip) and extract its contents to Desktop. There should be a folder with two files in it, FixWL.bat and process.exe.

Close all running programs and browsers.

Double click FixWL.bat. It will run and create a logfile C:\FixWL.txt. Attach this file in your next post.

Reboot your system and see if McAfee shows the alert. Let me know the results. (Note: You may not be able to shutdown your computer in the usual fashion. Hold the power button for a few seconds to shutdown)

In your next post, I'd like a fresh HijackThis and ComboFix log too please just in case.


Regards,
Your friendly momok =)

This thread is for the use of Algorhythmz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Algorhythmz]

Well, that certainly sucked.

All programs closed, all instructions followed.

Upon rebooting I get this:

"STOP:c000021a {Fatal Systen Error}
the Windows Logon Process System process terminated unexpectedly with a status of 0xc0000034 (0x00000000 0x00000000).
The system has been shut down."

Normal mode, Safe mode and Debug mode all return the same Fatal Error.

 

[momok]

Hi,

Are you able to post any logs of your system in any case?

EDIT: Please check out this thread HERE on how to repair your windows.


Regards,
Your friendly momok =)

This thread is for the use of Algorhythmz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Algorhythmz]

no, how would I be able to access any logs to post them?? I will post again once I have attempted to repair this.

 

[Algorhythmz]

Fortunately, I was able to repair windows, and to the best of my knowledge I've not lost any data. This also has cleared up any indication of a problem with winlogon.exe, and there are no McAfee notices at this time. It would seem that I am in good working order at this point. I appreciate your attempts to help me through this, the frustration was very great. Might I suggest NOT reccommending that batch file to fix winlogon in the future, although it lead to the problem being solved, it was very nearly a greater problem than the virus itself. Thank you for your time and effort, I am greatly relieved to have this behind me. I will return to the forums in the future.

Regards,

-Algo

 

[momok]

Sure thing, point noted. Thanks for the feedback.

Should you have any further problems please post in this thread.


Regards,
Your friendly momok =)

This thread is for the use of Algorhythmz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.