Virus attacks

[robkhoo]

Hey guys,

Im a relative novice on computers and so need some help sorting out my system. Seem to have been infected with a virus of some kind despite having antiviral protection.

symtoms: Slow system
Yellow triangle in bottom right corner of desktop.
I sometimes get a red warning box no "Abebot" and prompting me to follow links to buy remsoftware. (the warning bx notes C:\ \wml.exe)
I also have been getting "system integrity scan wizard pop-ups", again, prompting me to go and buy a product to fix.
Yesterday in particular I kept getting a new IE box open re-directin website, when i was usin the net.

So Far - Have tried alot of programs avast/ norton / spybot s and d / malwarebytes anti spyware and ad adware SE,

I know theres something going in theregistry but I have neither the knowledge or confidence to try to sort this!!

Please help!! By the way, I have hijack this so can produce a log if required.

 

[Blind Dragon]

Combofix

• Download Combofix to your desktop.
• Double click combofix.exe & follow the prompts.
• A window will open with a warning.
• When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt


Attach the following here:

1)C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
2)Combofix log
3)Hijackthis log

 

[robkhoo]

thanks for replying,

I shall get onto the 3 points and post asap!!

 

[Blind Dragon]

Ok, please be patient with us as we have a lot of people here needing help, I reply as fast as possible, but can't be here 24 hours a day. Don't bump threads or private message unless you go 24 hours or more without response

talk to ya soon!

 

[robkhoo]

Small problem,

I ran combofix but didnt get a text box that came up, the sytem just went black (I **** myself) but managed to get back after a restart. However, I cant locate a saved log for combo fix even though I can find it in the C Drive. Hijack this - no problem, fresh log waiting.

Is the other thing to provide a Malwarebytes log? If so that is also no problem

 

[Blind Dragon]

Are you sure you didn't vvvv

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.

yes HJT and MBAM logs

 

[robkhoo]

No id didnt touch anything,
combofix said firstly that 1 in 100 machines don't make it through the disinfection to which I accpted. Then it got going, looked as if it was deleting some files and all of a sudden the screen went copletely black., There was no action of the system for a good 4-5 minutes before I manually rebooted.

Are the hijack this and malwarebyes logd enough? Should I try agian with combofix?

 

[robkhoo]

logs

Hijack this and malwarebytes logs are attached.

 

[robkhoo]

not what happened with combofix first time but I managed to get a full log report this time. I also did a full scan on malwarebytes malware remover for which ill attach the log. The hijackthis log should complete what you needed, sorry it took so long.

 

[Blind Dragon]

If this works we should be able to get the rest with Hijackthis and manually finding the leftovers.

First go to add/remove programs and uninstall Viewbar

CFScript
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)

File::
C:\Program Files\AGLOCO Viewbar\Viewbar.exe
C:\WINDOWS\system32\yayVnmNh.dll
C:\WINDOWS\system32\mlJDutTK.dll
C:\WINDOWS\system32\vtUopQGX.dll
C:\WINDOWS\system32\ctsjcnkb.exe
C:\WINDOWS\system32\ovwripkt.exe
C:\WINDOWS\system32\zqxarchm.exe
C:\WINDOWS\system32\gmuhsxpy.dll
C:\WINDOWS\system32\fcawlcyb.dll
C:\WINDOWS\system32\vmmpcbtr.dll
C:\WINDOWS\system32\ulohtvlu.dll
C:\WINDOWS\system32\tyclalvd.dll
C:\WINDOWS\system32\omtkrbjn.ini
C:\WINDOWS\system32\rlebuffb.ini
C:\WINDOWS\system32\htaptsnv.dll
C:\WINDOWS\system32\sknwoltf.dll
C:\WINDOWS\system32\dcikumlg.dll
C:\WINDOWS\system32\pksegmxm.ini
C:\WINDOWS\system32\lxstimyr.dll
C:\WINDOWS\system32\xasodmvs.ini
C:\WINDOWS\system32\rnguiwjc.dll
C:\WINDOWS\system32\wkmhyyih.ini
C:\WINDOWS\system32\svrofjne.dll
C:\WINDOWS\system32\ctsjcnkb.exe
C:\WINDOWS\system32\wqrsybjg.ini
C:\WINDOWS\system32\xbduogqa.dll
C:\WINDOWS\system32\ymysitwp.dll
C:\WINDOWS\system32\AyJiPXbc.ini
C:\WINDOWS\system32\qtwHRqru.ini
C:\WINDOWS\system32\ovwripkt.exe
C:\WINDOWS\system32\zqxarchm.exe
C:\WINDOWS\system32\RsAIOqru.ini

Folder::
C:\Documents and Settings\All Users\Application Data\atkjopgh
C:\Program Files\AGLOCO Viewbar

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"likrklrx"=-
"ckfnprxe"=-
"ijemrzto"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Viewbar"="-

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

 

[robkhoo]

I cant find "viewbvar" in my programs list. Could it be listed as another program?

 

[robkhoo]

Hi, thanks for being patient with me. I just realised that I'm on the other side of the world (Japan) so im replying at a time u possibly will be alseep.

Anyhow, like I said I couldnt find viewbar on the programs list (I think I recall dlelting it a while back). However, followed the combofix instructions as all went smooth!! I shall attach the lastest combofix log along with a fresh hijackthis log!!

Thank you for all your help thus far by the way, its great to have people like you around helping as volunteers!!!

 

[Blind Dragon]

I am glad that you appreciate the help

You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the

instructions easier.

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
O2 - BHO: (no name) - {3DF959F8-75BE-498E-A8CA-50D5C99CFD9B} - C:\WINDOWS\system32\yayVnmNh.dll (file missing)
O2 - BHO: (no name) - {49A3030D-4966-43CF-8DAE-0FA6C357FCA7} - C:\WINDOWS\system32\mlJDutTK.dll (file missing)
O2 - BHO: (no name) - {97F4D2A9-B0DF-4119-9E3A-FEADEE24BB4C} - C:\WINDOWS\system32\vtUopQGX.dll (file missing)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Viewbar] C:\Program Files\AGLOCO Viewbar\Viewbar.exe

Select Fix Checked

Close Hijackthis

Show hidden files through windows explorer

• Access Windows Explorer by clicking Start, point to All Programs, Accesories, and then click Windows Explorer. Or hold the windows key and press
  
  E
• On the Tools menu in Windows Explorer, click Folder Options.
• Click the View tab.
• Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

Use Windows Explorer to navigate to and delete the following folder:

Folder:
C:\Program Files\AGLOCO Viewbar <-This folder

Restart your computer into normal mode

Run a new scan with Hijackthis and attach the log


------------------------------------------------------------------------------------------------------

Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.
-------------------------------------------------------------------------------------------------------------------

Run Kaspersky Online AV Scanner

Order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• Read the Requirements and limitations before you click Accept.
• Allow the ActiveX download if necessary.
• Once the database has downloaded, click Next.
• Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
• Click on "My Computer"
• When the scan has completed, click Save Report As...
• Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
• Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Attach the report into your next reply

 

[robkhoo]

Ok, I followed exactly as you instructed and most everything seemed to go as planned.

Went into safemode and found and fixed the files you highlighted. However, I couldnt find the agloco file afterwards in the windows explorer. Is it possible it was destroyed in the hijackthis process??

ATF cleaner- no problems - smooth

Kaspersky - took along time for the scan but again, seemed to go ok. According thescan it did pick up 6 viruses and 23 infected files but im not expert in what this actually means.

Attached are both a fresh hijack this (prior to the Kasp scan) and of course the Kasp scan results.

Thanks again for all of your time this far!!

 

[Blind Dragon]

Ok, one more to delete.

Go to add/remove programs and uninstall Webbuilder if there

Then launch windows explorer again and delete the following folder:
C:\Documents and Settings\Robert Khoo\My Documents\Webbuilder

Empty recycle bin
-------------------------------------------------------------------------------------------------------

After completing the above:

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2

---------------------------------------------------------------------------
I recommend you keep
1 anti virus program
1 firewall
Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

For Spybot you can download the latest version from HERE.

keep them updated.

You can also turn on tea timer in Spybot:

• Click on Mode at the top and make sure that Advanced is checked
• Expand the Tools tab in the left pane
• Single click on the Resident Icon also in the left pane
• check Resident "TeaTimer" (Protection of over-all system settings) Active
• Close spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example if you don't use MSN Messenger everytime you run your computer you can disable it, then when you want to use it you can launch it through Start -> all programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

And just to be sure
Set correct settings for files

• Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
• Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
• If unchecked please check Hide protected operating system files (Recommended)
• If necessary check "Display content of system folders"
• If necessary Uncheck Hide file extensions for known file types.
• Click OK

clear system restore points

• 
  This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
  This will remove all restore points except the new one you just created.

 

[robkhoo]

Ok,

Just did exactly as you noted in the last email!! Everything seems great!! Btw, when I initially got the virus, when using smitfraudfix my desktop lost its vista appearance and went back to an old grey style. Is there an simple and easy way of getting the nice vista theme back? If not don't worry, im very content as it is!!

Honestly, I am so relieved at the outcome- thank you so so much for all your time helping me out with this. I was in such a state when the virus took over and now the system is better than it has been in over a year!! Thank you thank you and thank you again!!!

If anybody is reading this post I want you to know what a fantastic job this guy did in restoring my computer. His instructions were precise yet easy to understand and follow even for a complete novice like myself. I can't afford to buy lots of programs let alone purchase a new computer if this one fails, so what Mr "Blind-dragon has done for me is nothing short of a miracle!!

Gratefully

Robert

 

[Blind Dragon]

Robert,

I appreciate your kind words, and am glad your computer is functioning normal again.

To reset the background -> right click your desktop -> personalize -> Desktop background

you should be able to set from there, or just google desktop backgrounds, right click on pretty much any picture and select set as desktop background.

Regards,

BD