Friend computer bogged down with virus an malware

[cbarnard]

Ok here it goes
My friends computer has been really screwed up. He gave it to me today to try and fix.
it is an ACER T180 Running Win xp pro This is a box stock machine...

I have followed the steps in the forum, and I have the log files. I have spent several hours working on this computer, and have pulled out Hundreds of infected files but I still have more that are showing up. Could someone take a look at the logs and let me know what else to do... Thank you
Cbarnard

[attachment deleted by admin]

[evilfantasy]

Disable Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.

1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident
uncheck Resident TeaTimer and OK any prompt and Restart your computer.

Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

----------

1. Close all open Web browsers.
2. From the Start menu in Windows select Control Panel.
3. Select Add or Remove Programs.
4. In Add or Remove Programs select any of the following: (the names may be slightly different)

- Ask.com
- Ask Bar
- Ask Desktop Search
- Ask Search
- Ask Toolbar

5. Click Change/Remove for each and uninstall all found.

----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ASK.COM

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

[cbarnard]

Here is the log file Evilfantasy

Sorry about the tea timer I forgot about it... I have deleted the entry as you asked. I was going to delete it before but I wanted a second opinion... Thank you

[attachment deleted by admin]

[evilfantasy]

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

File::
c:\windows\ixonygiga.lib
c:\documents and settings\All Users\Application Data\tinuw.vbs
c:\windows\bemy.sys
c:\windows\system32\lyjepusali.bin
c:\program files\Common Files\onozedago.reg
c:\windows\ilykysexuv.db
c:\windows\pezeryxef._sy
c:\program files\Common Files\opykawoni.dll

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

[cbarnard]

here is that logfile:


[attachment deleted by admin]

[evilfantasy]

You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered as Foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".

More information:

• ViewMgr.exe - Useless
  
• Viewpoint to Plunge Into Adware

.
It is suggested to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

• Viewpoint
  
• Viewpoint Manager
  
• Viewpoint Media Player
  
• Viewpoint Toolbar
  
• Viewpoint Experience Technology

.
----------

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

.
.
The above procedure will:

• Delete:
• ComboFix and its associated files and folders.
• VundoFix backups, if present
• The C:\Deckard folder, if present
• The C:_OtMoveIt folder, if present

• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
----------

Delete temporary files

Go to:

• Start
• Run
• type: CLEANMGR.EXE
  
• Press Enter.

When prompted select the C: drive and click OK.
Check the boxes for:

• Temporary Internet Files
• Downloaded Program Files
• Recycle Bin
• Temporary Files

.
Click OK or Enter

----------

How is the computer running now?

[cbarnard]

Thank you Evilfantasy,
I deleted the viewpoint items. I should have seen that before...
The computer seems to be much better than it was, All though it is still slow. That is ok because they are going to upgrade it soon. Have a very good day, Thanks again...
Cbarnard

[evilfantasy]

I would also recommend that you Defrag the computer. There may be a lot of fragmented sections on the drive after cleaning the malware.

You can use the built in Windows Defrag or a faster FREE program. Defraggler is very effective and easy to use. Be sure to clean out temp files and restart the computer just before using this.

----------

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[cbarnard]

Thank you for your help EvilFantasy
I have already Defragged the HDD... I used Auslogic Disc Defrag

I also have already installed WOT and checked for updates for Micro, and Secunia
and updated as needed.

Thank you very much
Cbarnard

[cbarnard]

Just writing back to follow up, I called my friend he said his computer is doing 100% better, and that it is running as well as the day he purchased it. I just want to say thank you again EvilFantasy

[evilfantasy]