Virus attacks

By robkhoo ยท 16 replies
Apr 9, 2008
  1. Hey guys,

    Im a relative novice on computers and so need some help sorting out my system. Seem to have been infected with a virus of some kind despite having antiviral protection.

    symtoms: Slow system
    Yellow triangle in bottom right corner of desktop.
    I sometimes get a red warning box no "Abebot" and prompting me to follow links to buy remsoftware. (the warning bx notes C:\ \wml.exe)
    I also have been getting "system integrity scan wizard pop-ups", again, prompting me to go and buy a product to fix.
    Yesterday in particular I kept getting a new IE box open re-directin website, when i was usin the net.

    So Far - Have tried alot of programs avast/ norton / spybot s and d / malwarebytes anti spyware and ad adware SE,

    I know theres something going in theregistry but I have neither the knowledge or confidence to try to sort this!!

    Please help!! By the way, I have hijack this so can produce a log if required.
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt

    Attach the following here:

    1)C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2)Combofix log
    3)Hijackthis log
  3. robkhoo

    robkhoo TS Rookie Topic Starter

    thanks for replying,

    I shall get onto the 3 points and post asap!!
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok, please be patient with us as we have a lot of people here needing help, I reply as fast as possible, but can't be here 24 hours a day. Don't bump threads or private message unless you go 24 hours or more without response

    talk to ya soon!
  5. robkhoo

    robkhoo TS Rookie Topic Starter

    Small problem,

    I ran combofix but didnt get a text box that came up, the sytem just went black (I **** myself) but managed to get back after a restart. However, I cant locate a saved log for combo fix even though I can find it in the C Drive. Hijack this - no problem, fresh log waiting.

    Is the other thing to provide a Malwarebytes log? If so that is also no problem
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Are you sure you didn't vvvv

    Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.

    yes HJT and MBAM logs
  7. robkhoo

    robkhoo TS Rookie Topic Starter

    No id didnt touch anything,
    combofix said firstly that 1 in 100 machines don't make it through the disinfection to which I accpted. Then it got going, looked as if it was deleting some files and all of a sudden the screen went copletely black., There was no action of the system for a good 4-5 minutes before I manually rebooted.

    Are the hijack this and malwarebyes logd enough? Should I try agian with combofix?
  8. robkhoo

    robkhoo TS Rookie Topic Starter


    Hijack this and malwarebytes logs are attached.
  9. robkhoo

    robkhoo TS Rookie Topic Starter

    not what happened with combofix first time but I managed to get a full log report this time. I also did a full scan on malwarebytes malware remover for which ill attach the log. The hijackthis log should complete what you needed, sorry it took so long.
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    If this works we should be able to get the rest with Hijackthis and manually finding the leftovers.

    First go to add/remove programs and uninstall Viewbar

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
  11. robkhoo

    robkhoo TS Rookie Topic Starter

    I cant find "viewbvar" in my programs list. Could it be listed as another program?
  12. robkhoo

    robkhoo TS Rookie Topic Starter

    Hi, thanks for being patient with me. I just realised that I'm on the other side of the world (Japan) so im replying at a time u possibly will be alseep.

    Anyhow, like I said I couldnt find viewbar on the programs list (I think I recall dlelting it a while back). However, followed the combofix instructions as all went smooth!! I shall attach the lastest combofix log along with a fresh hijackthis log!!

    Thank you for all your help thus far by the way, its great to have people like you around helping as volunteers!!!
  13. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I am glad that you appreciate the help

    You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the

    instructions easier.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    O2 - BHO: (no name) - {3DF959F8-75BE-498E-A8CA-50D5C99CFD9B} - C:\WINDOWS\system32\yayVnmNh.dll (file missing)
    O2 - BHO: (no name) - {49A3030D-4966-43CF-8DAE-0FA6C357FCA7} - C:\WINDOWS\system32\mlJDutTK.dll (file missing)
    O2 - BHO: (no name) - {97F4D2A9-B0DF-4119-9E3A-FEADEE24BB4C} - C:\WINDOWS\system32\vtUopQGX.dll (file missing)
    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O4 - HKLM\..\Run: [Viewbar] C:\Program Files\AGLOCO Viewbar\Viewbar.exe

    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accesories, and then click Windows Explorer. Or hold the windows key and press

    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following folder:

    C:\Program Files\AGLOCO Viewbar <-This folder

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log


    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    Run Kaspersky Online AV Scanner

    Order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  14. robkhoo

    robkhoo TS Rookie Topic Starter

    Ok, I followed exactly as you instructed and most everything seemed to go as planned.

    Went into safemode and found and fixed the files you highlighted. However, I couldnt find the agloco file afterwards in the windows explorer. Is it possible it was destroyed in the hijackthis process??

    ATF cleaner- no problems - smooth

    Kaspersky - took along time for the scan but again, seemed to go ok. According thescan it did pick up 6 viruses and 23 infected files but im not expert in what this actually means.

    Attached are both a fresh hijack this (prior to the Kasp scan) and of course the Kasp scan results.

    Thanks again for all of your time this far!!
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok, one more to delete.

    Go to add/remove programs and uninstall Webbuilder if there

    Then launch windows explorer again and delete the following folder:
    C:\Documents and Settings\Robert Khoo\My Documents\Webbuilder

    Empty recycle bin

    After completing the above:

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2

    I recommend you keep
    1 anti virus program
    1 firewall
    Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

    For Spybot you can download the latest version from HERE.

    keep them updated.

    You can also turn on tea timer in Spybot:
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • check Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example if you don't use MSN Messenger everytime you run your computer you can disable it, then when you want to use it you can launch it through Start -> all programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

    And just to be sure
    Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
  16. robkhoo

    robkhoo TS Rookie Topic Starter


    Just did exactly as you noted in the last email!! Everything seems great!! Btw, when I initially got the virus, when using smitfraudfix my desktop lost its vista appearance and went back to an old grey style. Is there an simple and easy way of getting the nice vista theme back? If not don't worry, im very content as it is!!

    Honestly, I am so relieved at the outcome- thank you so so much for all your time helping me out with this. I was in such a state when the virus took over and now the system is better than it has been in over a year!! Thank you thank you and thank you again!!!

    If anybody is reading this post I want you to know what a fantastic job this guy did in restoring my computer. His instructions were precise yet easy to understand and follow even for a complete novice like myself. I can't afford to buy lots of programs let alone purchase a new computer if this one fails, so what Mr "Blind-dragon has done for me is nothing short of a miracle!!


  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908


    I appreciate your kind words, and am glad your computer is functioning normal again.

    To reset the background -> right click your desktop -> personalize -> Desktop background

    you should be able to set from there, or just google desktop backgrounds, right click on pretty much any picture and select set as desktop background.


Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...