charles spyware thread
charles
16th August 2008, 12:15 PM
Here we go...
Red Dragon
16th August 2008, 12:17 PM
Well, to make things easier I put some instructions together so that I don't have to repeat these steps over and over - you may be able to eliminate spyware/adware altogether with this - if there are any trojans we may have more steps
http://forum.oddthought.com/tutorial-section/12283-guide-removing-malware.html
Attach the logs back here when complete and I will review then we may have further steps
charles
16th August 2008, 12:23 PM
Norton isn't working, shall I install another anti virus?
Red Dragon
16th August 2008, 12:30 PM
Yes - Avira is free and will be a lot better for your system
Uninstall Norton through add/remove programs (programs and features in Vista)
Then go ->
Download and run the Norton Removal Tool (http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039)
Select your product to download and run the removal tool
*if you had a complete security suite - then you will want to download a firewall as well - personally I would go with Zone Alarm or Comodo - even though Comodo may be the better product - it can be a very nagging firewall
Tca
16th August 2008, 12:56 PM
Norton isn't working, shall I install another anti virus?
Not to seem like I'm being a smartarse here but :haha:
Norton is a joke lol
charles
16th August 2008, 12:56 PM
It found a trojan: TR/Crypt.XPACK.Gen in:
C:\WINDOW\system32\emprqv.dll
C:\WINDOW\system32\awtrPgGV.dll
C:\WINDOW\system32\drvzex.dll
What shall I do? Repair option is not available.
charles
16th August 2008, 12:57 PM
Not to seem like I'm being a smartarse here but :haha:
Norton is a joke lol
I fully agree, I don't find it good at all, but it came with the computer.
Tca
16th August 2008, 12:59 PM
I fully agree, I don't find it good at all, but it came with the computer.
Yeah, I think it's a standard install on most modern computers because it is a joke. I don't think anybody on this forum who is tech savvy has ever recommended Norton; the only thing they ever recommend is fucking it off. :haha:
Edit - sorry /end hijack lol
Red Dragon
16th August 2008, 01:13 PM
Repair option not available?
Can you quarantine it?
You can access quarantined files through the main screen -> administration tab in left pane
Looks like when you are done with the preliminary stuff we may have more work to do: this infection can be injected into/attached to a legitimate Windows process such as explorer.exe or others.
charles
16th August 2008, 01:22 PM
Yea, quarantine works, I'm doing that now, the scan should be finished soon (95%).
charles
16th August 2008, 02:02 PM
Here's the log of the anti virus, had to split it in 2 files.
Red Dragon
16th August 2008, 02:37 PM
Good work - looks like you had quite a mess on there - I will give further instructions after you finish up the rest of the instructions. We are gonna have some fun on this one - judging by those logs MBAM will find a lot
Der Suchlauf über die Masterbootsektoren wird begonnen:
Masterbootsektor HD0
[INFO] Es wurde kein Virus gefunden!
Masterbootsektor HD1
[INFO] Es wurde kein Virus gefunden!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit.
Masterbootsektor HD2
[INFO] Es wurde kein Virus gefunden!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit.
Masterbootsektor HD3
[INFO] Es wurde kein Virus gefunden!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit.
Masterbootsektor HD4
[INFO] Es wurde kein Virus gefunden!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit.
Der Suchlauf über die Bootsektoren wird begonnen:
Bootsektor 'C:\'
[INFO] Es wurde kein Virus gefunden!
I can't understand that part of it; if you could translate a little it would help.
Is it saying there is an infection in the MBR?
=============================================
In addition to the instructions we need to manually clear your cache
Manually clear cache
Open an Explorer folder window (for example, double-click My Computer).
From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.
Red Dragon
16th August 2008, 02:49 PM
I think it says this but correct me if I am wrong
The search of the master boot sectors will begin:
Masterbootsektor HD0 Master boot sector HD0
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
Masterbootsektor HD1 Master boot sector HD1
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
Masterbootsektor HD2 Master boot sector HD2
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit. [WARNING] system error [21]: The device is not ready.
Masterbootsektor HD3 Master boot sector HD3
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit. [WARNING] system error [21]: The device is not ready.
Masterbootsektor HD4 Master boot sector HD4
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit. [WARNING] system error [21]: The device is not ready.
Masterbootsektor HD5 Master boot sector HD5
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit. [WARNING] system error [21]: The device is not ready.
Masterbootsektor HD6 Master boot sector HD6
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit. [WARNING] system error [21]: The device is not ready.
Der Suchlauf über die Bootsektoren wird begonnen: The scan on the boot sectors will begin:
Bootsektor 'C:\' Boot sector 'C: \'
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
charles
16th August 2008, 02:57 PM
I think it says this but correct me if I am wrong
The search of the master boot sectors will begin:
Masterbootsektor HD0 Master boot sector HD0
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
Masterbootsektor HD1 Master boot sector HD1
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
Masterbootsektor HD2 Master boot sector HD2
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit. [WARNING] system error [21]: The device is not ready.
Masterbootsektor HD3 Master boot sector HD3
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit. [WARNING] system error [21]: The device is not ready.
Masterbootsektor HD4 Master boot sector HD4
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit. [WARNING] system error [21]: The device is not ready.
Masterbootsektor HD5 Master boot sector HD5
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit. [WARNING] system error [21]: The device is not ready.
Masterbootsektor HD6 Master boot sector HD6
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
[WARNUNG] Systemfehler [21]: Das Gerät ist nicht bereit. [WARNING] system error [21]: The device is not ready.
Der Suchlauf über die Bootsektoren wird begonnen: The scan on the boot sectors will begin:
Bootsektor 'C:\' Boot sector 'C: \'
[INFO] Es wurde kein Virus gefunden! [INFO] There was no virus found!
That is correct, since when do you speak German? lol
And here is the mbam log file.
SUPERAntiSpyware too.
And the last one :)
Red Dragon
17th August 2008, 01:13 AM
I'm kinda drunk sorry I took so long
Remove bad HijackThis entries
Run HijackThis
Click on the System Scan Only button
Put a check beside all of the items listed below (if present):
O2 - BHO: (no name) - {4AB3FF55-6CD9-4F68-8058-745A822D1550} - C:\WINDOWS\system32\awtrPgGV.dll (file missing)
O2 - BHO: (no name) - {4C5AB1EC-0ADD-4825-AA2D-D046A4B35FAC} - C:\WINDOWS\system32\wvUnKdAR.dll (file missing)
O2 - BHO: {a970351c-e405-e83a-58c4-9815c766502b} - {b205667c-5189-4c85-a38e-504ec153079a} - C:\WINDOWS\system32\emprqv.dll (file missing)
O4 - HKLM\..\Run: [lphc14tj0erct] C:\WINDOWS\system32\lphc14tj0erct.exe
O4 - HKLM\..\Run: [BM3bfe0b02] Rundll32.exe "C:\WINDOWS\system32\vfjvecvb.dll",s
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - AppInit_DLLs: emprqv.dll
O20 - Winlogon Notify: wvUnKdAR - wvUnKdAR.dll (file missing)
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
=============================================
Combofix
Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Double click combofix.exe & follow the prompts.
A window will open with a warning.
When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction
Combofix will automatically save the log file to C:\combofix.txt
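The HijackThis entries above all follow one line format: a section code (O2, O4, O20 ...), a description, usually a CLSID or registry value name, and a path or command. Below is an added Python triage script (example code, not part of this thread and not HijackThis's own output) that parses a log in that format and flags the same kinds of entries Red Dragon picked out: load points whose file is already gone, O20 AppInit_DLLs and Winlogon Notify entries, browser helper objects that register no name, and Run keys that start something from system32. The sample log is constructed from the lines in this post plus two made-up benign "ExampleVendor" lines (placeholder CLSID and paths) so the triage has something to leave alone. The heuristics are review hints for a human, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample log. The flagged lines are the ones listed in this thread;
# the ExampleVendor lines are made-up benign entries with placeholder identifiers.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {4AB3FF55-6CD9-4F68-8058-745A822D1550} - C:\WINDOWS\system32\awtrPgGV.dll (file missing)
O2 - BHO: ExampleVendor Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleVendor\helper.dll
O4 - HKLM\..\Run: [lphc14tj0erct] C:\WINDOWS\system32\lphc14tj0erct.exe
O4 - HKLM\..\Run: [BM3bfe0b02] Rundll32.exe "C:\WINDOWS\system32\vfjvecvb.dll",s
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\ExampleVendor\tray.exe" /min
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: emprqv.dll
O20 - Winlogon Notify: wvUnKdAR - wvUnKdAR.dll (file missing)
"""

# "O4 - <rest of line>": section code, then the entry body.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Run key that hands a DLL under system32 to rundll32.
RUNDLL_SYSTEM32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]*\\system32\\[^"]*\.dll', re.IGNORECASE)
# Run key that starts an .exe with a long alphanumeric name straight out of system32.
SYSTEM32_EXE_RE = re.compile(r"\\system32\\[a-z0-9]{8,}\.exe", re.IGNORECASE)


@dataclass
class Finding:
    code: str                                   # HijackThis section, e.g. O4
    raw: str                                    # the log line as written
    reasons: List[str] = field(default_factory=list)


def triage_hjt(log_text: str) -> List[Finding]:
    """Apply review heuristics to each HijackThis entry; return only entries worth a human look."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if not m:
            continue                            # blank line or header text, not an entry
        code, body = m.groups()
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("orphaned load point: the registry entry survived but its file is gone")
        if code == "O20":
            reasons.append("O20 (AppInit_DLLs / Winlogon Notify) loads into many processes; every entry needs a verdict")
        if code == "O2" and body.startswith("BHO: (no name)"):
            reasons.append("browser helper object that registers no name")
        if code == "O4" and RUNDLL_SYSTEM32_RE.search(body):
            reasons.append("Run key starts a system32 DLL through rundll32")
        if code == "O4" and SYSTEM32_EXE_RE.search(body):
            reasons.append("Run key starts an executable with a long random-looking name from system32")
        if reasons:
            findings.append(Finding(code, raw, reasons))
    return findings


def render(findings: List[Finding]) -> str:
    """Plain-text report: one entry per flagged line, reasons indented beneath it."""
    return "\n".join(f"[{f.code}] {f.raw}\n    - " + "\n    - ".join(f.reasons) for f in findings)


if __name__ == "__main__":
    print(render(triage_hjt(SAMPLE_HJT_LOG)))
```

Run against the sample, the script flags the six entries from this post and skips the two ExampleVendor lines; the Winlogon Notify entry collects two reasons (O20 load point and missing file), which is the kind of overlap that makes an entry an obvious candidate for "Fix Checked".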
charles
18th August 2008, 01:57 PM
Here are the 2 logs (Combofix and a new HJT one).
Red Dragon
18th August 2008, 07:11 PM
How's your computer doing now buddy?
Go to add/remove programs and uninstall anything related to Viewpoint
FileASSASSIN
Launch Malwarebytes' Anti-Malware
Select the More Tools Tab
Under FileASSASSIN select Run Tool
Navigate to C:\Dokumente und Einstellungen\Carli\Anwendungsdaten\Viewpoint
Press Open
-------------------------------------------------------
This will give us a 2nd opinion and look in a few additional places - then we can clean up
Run Kaspersky Online AV Scanner
In order to use it you have to use Internet Explorer.
Go to Kaspersky (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and click the Accept button at the end of the page.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary.
Once the database has downloaded, click Next.
Click on "My Computer"
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
charles
19th August 2008, 02:05 PM
It's doing fine, I don't get warnings from the anti-virus anymore.
In that Viewpoint folder there are no files, only a sub-folder called Viewpoint Experience Technology, with some more folders and files in it. Where should I run FileASSASSIN?
Red Dragon
19th August 2008, 02:08 PM
Just manually delete the folder
charles
19th August 2008, 04:10 PM
Kaspersky.txt:
Your file of 94.4 KB bytes exceeds the forum's limit of 19.5 KB for this filetype.
I guess the log is a bit too massive...
Red Dragon
19th August 2008, 04:15 PM
click on my name and select send email to Red Dragon
Then send it with your name in the subject
charles
19th August 2008, 05:11 PM
It's sent.
Red Dragon
19th August 2008, 05:16 PM
Wow. Gonna take me a little bit to go through and you may not want to remove some of the things it found - they look like downloads - music - etc.
charles
19th August 2008, 05:24 PM
indeed, most of it is music.
Red Dragon
20th August 2008, 12:31 PM
It looks like this worm corrupted your music files - I am going to look a bit more to find a way to remove it without deleting all of your music - but as a last resort this may be your only option - it's not worth the risk unless we can clean it somehow.
The objective of the infection is to install a Trojan that gives a cybercriminal control of the user’s computer.
The worm, which was named Worm.Win32.GetCodec.a, converts mp3 files to the Windows Media Audio (WMA) format (without changing the .mp3 extension) and adds a marker with a link to an infected web page to the converted files. The marker is activated automatically during file playback. It opens an infected page in Internet Explorer where the user is asked to download and install a file which, according to the website, is a codec. If the user agrees to install the file, a Trojan known as Trojan-Proxy.Win32.Agent.arp is downloaded to the computer, giving cybercriminals control of the victim PC.
Unlike earlier Trojans, which used the WMA format only to mask their presence on the system (i.e., the infected objects were not music files), this worm infects audio files. According to Kaspersky Lab virus analysts, this is the first such case. The likelihood of a successful attack is increased because most users trust their audio files and do not associate them with possible infections. It should be noted that the file on the counterfeit web page is digitally signed by Inter Technologies and is identified by UserTrust with Site Seal from Comodo (http://www.usertrust.com), the resource that issued the digital signature, as trusted.
===================================================================
Avira has some definitions of this in their database
===================================================================
After some further reading I don't think there is much we can do - if you open any of those music files there is a good chance you will be reinfected
Do you want a script to remove them? Let me know what you would like to do and then we can cleanup and remove some of the tools we used - and secure your system from future attacks
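The description above gives a defender something concrete to check for: a file that keeps its .mp3 name but is really a Windows Media (ASF container) file, carrying a link to a web page. Below is an added Python script (example code, not the script Red Dragon offered and not from Kaspersky or Avira) that walks a music folder, classifies each *.mp3 by its leading bytes instead of its extension, and reports the ones that are actually ASF containers together with any http(s) URL stored in them as UTF-16LE, which is how ASF stores its strings. The sample library it builds in a temporary directory is constructed: a genuine-looking mp3, a disguised ASF file pointing at the placeholder address example.invalid, and a non-audio file.

```python
import os
import re
import tempfile
from pathlib import Path

# Every ASF container (WMA/WMV) opens with the ASF_Header_Object GUID
# 75B22630-668E-11CF-A6D9-00AA0062CE6C, written in its little-endian on-disk form.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# ASF strings are UTF-16LE: each printable ASCII character is followed by a NUL byte.
UTF16_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def classify_audio(header: bytes) -> str:
    """Classify a file by its leading bytes rather than by its extension."""
    if header.startswith(ASF_HEADER_GUID):
        return "asf"                                   # WMA/WMV container, whatever the name says
    if header.startswith(b"ID3"):
        return "mp3"                                   # MP3 with an ID3v2 tag
    if len(header) >= 2 and header[0] == 0xFF and header[1] & 0xE0 == 0xE0:
        return "mp3"                                   # bare MPEG audio frame sync
    return "unknown"


def extract_utf16_urls(data: bytes) -> list:
    """Pull every UTF-16LE http(s) URL out of a byte buffer."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_URL_RE.finditer(data)]


def find_mismatched_mp3(root, probe_bytes: int = 65536) -> list:
    """Return (path, urls) for every *.mp3 under root whose content is an ASF container."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".mp3"):
                continue
            path = Path(dirpath) / name
            with open(path, "rb") as fh:
                data = fh.read(probe_bytes)            # header plus enough of the file to catch the marker
            if classify_audio(data[:16]) == "asf":
                hits.append((str(path), extract_utf16_urls(data)))
    return sorted(hits)


def build_sample_library(root) -> dict:
    """Write three constructed files so the scanner can be exercised offline."""
    root = Path(root)
    (root / "album").mkdir(parents=True, exist_ok=True)
    genuine = root / "album" / "track01.mp3"           # ID3v2 tag header followed by a frame sync
    genuine.write_bytes(b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" + b"\x00" * 64)
    disguised = root / "album" / "track02.mp3"         # ASF header wearing an .mp3 name
    marker = "http://example.invalid/codec".encode("utf-16-le")   # constructed placeholder link
    disguised.write_bytes(ASF_HEADER_GUID + b"\x00" * 14 + marker + b"\x00" * 64)
    other = root / "notes.mp3"                         # not audio at all
    other.write_bytes(b"just text, not audio")
    return {"genuine": str(genuine), "disguised": str(disguised), "other": str(other)}


def demo() -> dict:
    """Build the constructed library in a temp dir, scan it, and report what was flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_library(tmp)
        hits = find_mismatched_mp3(tmp)
        return {
            "flagged": [os.path.basename(p) for p, _ in hits],
            "urls": [u for _, urls in hits for u in urls],
        }


if __name__ == "__main__":
    print(demo())
```

On a real library you would call `find_mismatched_mp3` on the music folder and review the list before deleting anything; the URL column tells you where each converted file would have sent the player, which is useful evidence even if the files themselves are written off.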
steff
20th August 2008, 07:22 PM
*if you had a complete security suite - then you will want to download a firewall as well - personally I would go with Zone Alarm or Comodo - even though Comodo may be the better product - it can be a very nagging firewall
To be fair, mine doesn't hassle me at all anymore. Once you've set up your trusted applications or whatever it stays shut up and I'd prefer it to ask me what I want to do rather than ZA's automatic one that blocked half my programs when I last used it.
Red Dragon
20th August 2008, 07:51 PM
Yea after a while Comodo gets better - it does nag a lot at first though
Zonealarm is easy to unblock - you just launch control center - programs tab - find the program and change the X to a check mark. I like both of them - Comodo seems to be a better product but zone alarm is much easier to use and I like to point that out up front
charles
24th August 2008, 09:34 AM
It took me a while to reply, I was away from home for a couple of days, work and stuff, you know...
Looking at all that, I think that getting rid of all the infected files is the best option. So yeah, if you can get me that script, it would be great. Thanks a lot Justin!
charles
24th August 2008, 10:33 AM
Comodo log.
charles
24th August 2008, 01:37 PM
Well, seeing that the files in the Kaspersky log were basically the only thing that I wouldn't like to lose, I decided to reinstall the whole computer.
Though, when I installed Comodo, it found one infection still:
Trojan.Win32.Patched.m(ID = 0x4d69a) C:\WINDOWS\system32\winlogon.exe
And I also have a question, besides Comodo and Avira, what others should I have installed?
Red Dragon
24th August 2008, 03:06 PM
that's a false positive - leave it
I was almost done with your script to remove those files too.
Other protection I recommend
Anti-Spyware - at least one of these
Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe)
SUPERAntispyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Additional Utilities
Winpatrol (http://www.winpatrol.com/)
Tutorial for Winpatrol (http://www.winpatrol.com/features.html)
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html)
Tutorial for Spyware Blaster (http://www.bleepingcomputer.com/forums/tutorial49.html)