help with a virus

[evilfantasy]

OK, you can uninstall that. We will use AVG Antispyware instead. Sorry for that, I have not had any problems with it before....



Download and install AVG Anti-Spyware Free to your desktop.

    * Once you have downloaded AVG Anti-Spyware Free , locate the icon on the desktop and double-click it to launch the set up program.
    * Once the setup is complete you will need run AVG and update the definition files
    * On the main screen select the icon Update then select the Update now link.
    * Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
    * Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
    * Once in the Settings screen click on Recommended actions and then select Quarantine <-- Dont forget this
    * Under Reports
    * Select Automatically generate report after every scan
    * Un-Select Only if threats were found
    * Under "What to scan"? "Select Scan every file".
   
    * Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan
    * AVG will now begin the scanning process, be patient this may take a little time.
    * Once the scan is complete do the following:
    * If you have any infections you will prompted, then select Apply all actions <--be sure qaurantine is selected
    * Next select the Reports icon at the top.
    * Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
    * Make sure to remember where you saved that file, this is important (usually the desktop)
    * Close AVG Anti-Spyware Free

    * Attach the AVG scan report in the next post.

[blu_smiley]

I have SUPER antispyware from  before. Do I need to uninstall that before I  install AVG antispyware?

[evilfantasy]

No it will not hurt to have both installed, they only run when you launch them so it is safe.

[blu_smiley]

AGV log attached

-----------

do i still need to post the hjt log?


[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

Yes, I will need to see a new HijackThis log.

The hjiackthis logs are how we can tell if the removal tools are working and if more work needs to be done.

[blu_smiley]

hijack this log attached

[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

Delete the copy of Combofix from the desktop and download a new one.

Download Combofix by sUBs from either here or here

Save Combofix.exe to your your Desktop.

Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
When finished, it will produce a log for you.
Attach that log in your next reply.

Do not mouseclick combofix's window while it's running. That may cause your computer to stall

Also post a fresh hijackthis log after combofix has completed.

[blu_smiley]

combo fix & hjt log attached

[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
  
• On the page that opens, scroll down to

Hardware Clock Driver (hwclock)

• Then right click the entry, select Properties and press Stop Service.
  
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
  
• Now repeat the above to Stop and Disable the below Service (if you do not find it or get any errors, just continue):

winauthm (spdauth)

---------------

Please download OTMoveIt2 by OldTimer OTMoveIt2.exe and save it to your desktop.

Don't use it yet

---------------

Open HijackThis and select Do a system scan only then place a check mark next to:

O4 - HKUS\S-1-5-18\..\Run: [kimochiz.exe] C:\WINDOWS\temp\kimochiz.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kimochiz.exe] C:\WINDOWS\temp\kimochiz.exe (User 'Default user')
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: winauthm (spdauth) - Unknown owner - C:\WINDOWS\spdauth.exe (file missing)

Close all windows except for HijackThis and click Fix checked

---------------

Double click OTMoveIt.exe to launch it.

Be sure there is a check mark next to Unregister Dll's and OCX's

• Copy the file paths below to the clipboard by highlighting ALL of them.
  
• Then right-click and choose copy.

C:\WINDOWS\temp\kimochiz.exe
C:\WINDOWS\System32\hwclock.exe
C:\WINDOWS\spdauth.exe

• Return to OTMoveIt, right click in the Paste List of Files/Folders to be moved window and choose Paste.
  
• Click the MoveIt! button.
  
• The list will be processed and the results will appear in the right hand pane.
• Copy everything on the Results window to the clipboard by highlighting ALL of them.
  
• Then right-click and choose copy, and paste it on your next reply.
• When finished click Exit to exit the program.
  
• Please add the log in your next reply.

• If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

• If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at : C:\_OTMoveIt\MovedFiles\********_******.log
  
  • (where "********_******" is the "date_time")[/color]
  Click Exit to close OTMoveIt.
  
  ---------------
  
  Next post please add
  OTMoveIt log <<Just copy and paste it in the post.
  New HijackThis log.

[blu_smiley]

I did the system scan only but when it finished i couldnt find:
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: winauthm (spdauth) - Unknown owner - C:\WINDOWS\spdauth.exe (file missing)

[evilfantasy]

We stopped them from running in services so they probably just didn't get picked up by the HJT scan.

Do the next step with OTMoveIt and we will see if they are removed by it.

[blu_smiley]

ok ^^

oh oh one thing...should i fix:
O4 - HKUS\S-1-5-18\..\Run: [kimochiz.exe] C:\WINDOWS\temp\kimochiz.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kimochiz.exe] C:\WINDOWS\temp\kimochiz.exe (User 'Default user')

[evilfantasy]

ok ^^

oh oh one thing...should i fix:
O4 - HKUS\S-1-5-18\..\Run: [kimochiz.exe] C:\WINDOWS\temp\kimochiz.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kimochiz.exe] C:\WINDOWS\temp\kimochiz.exe (User 'Default user')

Yes fix them in hijackthis and then continue with OTMoveIt.

[blu_smiley]

OTmoveIt:

File/Folder C:\WINDOWS\temp\kimochiz.exe not found.
File/Folder C:\WINDOWS\System32\hwclock.exe not found.
File/Folder C:\WINDOWS\spdauth.exe not found.
 
Created on 01022008_151824

---------------
hjt log attached

[file cleanup - saving space - attachment deleted by admin]

[evilfantasy]

Well that revealed a few more bad guys.


Run Combofix again and post the log.



Also run SDFix and post its log.

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard).
* Finally add the contents of the Report.txt in your next post as an Attachment with a new HijackThis log