Virus and Spyware problem

Status
Not open for further replies.

KnightRiderX

I am on my friend's computer and I have been trying to clean it of viruses and spyware. Every time I do an antivirus scan with AVG, it reports the same 18 viruses and 2 trojans and only deletes the 2 trojans. Every time I do a spyware scan with ewido anti-spyware, it reports a LOT of infected files and is only able to delete a few of them. I have attached the HJT log of this computer in hopes that someone with knowledge of HJT can help me.
 
Go HERE and follow the instructions exactly.

Post fresh HJT and Ewido logs into this thread, only after doing the above.

Regards Howard :)

This thread is for the use of KnightRiderX only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
OK, I have done what it says on the page. When I did the anti-virus scan, AVG detected 28 infections and only deleted 9 of them. I have attached the logs of the ewido anti-spyware scan and HJT.
 
Your system is riddled with nasties. Follow the instructions below very carefully.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Go to Add or Remove Programs in your Control Panel and uninstall anything to do with the following (if there):

DriveCleaner 2006 Free
Viewpoint\Viewpoint Manager
BearShare
BulletProofSoft.com\SpywareRemover\popup-watch

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end the process for each of the following (if there):

Duce6.exe
UDC2006.exe
ViewMgr.exe

ms05769433988.exe
clcbt.exe
?ttrib.exe (the question mark can be any random number/letter etc.)

wleesio.exe
stonedrv.exe
14C5632.exe

ibm00003.exe
BearShare.exe

PopUpWatch.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there):

R3 - URLSearchHook: (no name) - {1465A165-3BD6-4722-A0AD-6943B417A6E7} - C:\WINDOWS\system32\wzpwo.dll (file missing)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wleesio.exe

O4 - HKLM\..\Run: [lqmb1ad6] RUNDLL32.EXE w20afe6c.dll,n 003b1ad30000000320afe6c

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause

O4 - HKLM\..\Run: [themonitor] C:\WINDOWS\Duce6.exe

O4 - HKLM\..\Run: [DriveCleaner 2006 Free] "C:\Program Files\DriveCleaner 2006 Free\UDC2006.exe" /min

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [ms05769433988] C:\WINDOWS\ms05769433988.exe

O4 - HKLM\..\Run: [wodizxg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wodizxg.dll,lsvim

O4 - HKLM\..\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe

O4 - HKCU\..\Run: [Bhrrlsum] C:\Program Files\Common Files\?asks\?ttrib.exe

O4 - HKCU\..\Run: [POPUPWATCH] C:\Program Files\BulletProofSoft.com\SpywareRemover\popup-watch\PopUpWatch.exe /STARTUP

O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\JEETER\LOCALS~1\Temp\14C5632.exe

O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"

Fix all O15 - Trusted Zone entries.

O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006Free Install.cab

O21 - SSODL: XhxykPbSHczdPaRH - {1442464F-BEE8-ECE5-DC34-4ACE53B725F9} - C:\WINDOWS\system32\funkj.dll (file missing)

O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\WINDOWS\Duce6.exe

C:\Program Files\DriveCleaner 2006 Free

C:\Program Files\Viewpoint

C:\WINDOWS\ms05769433988.exe

C:\WINDOWS\system32\clcbt.exe

C:\Program Files\Common Files\?asks

wleesio.exe (search your system for this file and delete all instances of it)

C:\WINDOWS\system32\wodizxg.dll,lsvim

c:\windows\system32\stonedrv.exe

C:\DOCUME~1\JEETER\LOCALS~1\Temp\14C5632.exe

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe

C:\Program Files\BulletProofSoft.com

C:\WINDOWS\system32\funkj.dll

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.


Regards Howard :)

This thread is for the use of KnightRiderX only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
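As an added illustration (not code from this thread, from HijackThis or from AVG/Ewido), here is a small Python triage script that applies the kinds of indicators Howard used above to raw HJT log lines: orphaned entries ("file missing"/"no file"), autoruns launched from a Temp folder, "?" characters standing in for unprintable characters in a path, an extra program chained onto the UserInit value, and rundll32 loading a DLL by bare name. The sample lines are copied from the log entries quoted in this thread plus one constructed benign entry; the heuristics and function names are assumptions for illustration, not a complete detection rule set.

```python
import re

# Sample HijackThis lines: six taken from the log entries quoted in the thread,
# plus one constructed benign autorun ([SoundMan]) that should NOT be flagged.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {1465A165-3BD6-4722-A0AD-6943B417A6E7} - C:\WINDOWS\system32\wzpwo.dll (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,wleesio.exe
O4 - HKLM\..\Run: [lqmb1ad6] RUNDLL32.EXE w20afe6c.dll,n 003b1ad30000000320afe6c
O4 - HKCU\..\Run: [Bhrrlsum] C:\Program Files\Common Files\?asks\?ttrib.exe
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\JEETER\LOCALS~1\Temp\14C5632.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
"""

ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_hjt_line(line: str) -> dict:
    """Split an HJT line such as 'O4 - HKLM\\..\\Run: [...]' into section code and body."""
    m = re.match(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$", line.strip())
    return {"section": m.group(1), "body": m.group(2)} if m else {}


def flag_reasons(entry: dict) -> list:
    """Assumed heuristics mirroring what the helper flagged in the thread; each
    matching indicator adds one human-readable reason."""
    section, body = entry["section"], entry["body"]
    reasons = []
    if any(mark in body for mark in ORPHAN_MARKERS):
        reasons.append("orphaned entry: target file missing")
    if re.search(r"\\temp\\", body, re.IGNORECASE):
        reasons.append("autorun from a Temp directory")
    if "?" in body:  # HJT prints '?' for characters it cannot display
        reasons.append("path contains an unprintable/obfuscated character")
    if section == "F2" and "UserInit=" in body:
        extra = [p for p in body.split("UserInit=", 1)[1].split(",")[1:] if p.strip()]
        if extra:
            reasons.append("extra program chained onto UserInit: " + ", ".join(extra))
    if section == "O4" and re.search(r"rundll32(\.exe)?\s+[^\\\s]+\.dll", body, re.I):
        reasons.append("rundll32 loading a DLL by bare name (no full path)")
    return reasons


def review_log(text: str) -> dict:
    """Return {line: reasons} for every entry that trips at least one heuristic."""
    flagged = {}
    for raw in text.splitlines():
        entry = parse_hjt_line(raw)
        if entry and (reasons := flag_reasons(entry)):
            flagged[raw.strip()] = reasons
    return flagged
```

Run `review_log(open("hijackthis.log").read())` on a saved log to get the flagged lines with their reasons; anything it does not flag still needs a human look, as the clean [SoundMan]-style entries show.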
 
I have done the above, and when I did an AVG anti-virus scan in normal mode, it found 25 infected files and deleted only 7 of them. I also did an ewido anti-spyware scan. I have attached both the logs for the anti-spyware scan and HJT. So far the pop-ups have stopped, but AVG tells me that there are some viruses left.

EDIT: also, for Spyware Remover, there was no button for me to click to remove it. It is still shown in Add or Remove Programs.
 
Your HJT log is now clean.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Run a complete system scan with AVG and delete whatever it finds. This includes anything in the virus vault.

Run a complete scan with Ewido and delete whatever it finds. This includes files in quarantine.

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Let me know if you're still having problems.

Regards Howard :)

This thread is for the use of KnightRiderX only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 