Alphabet Folder virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by chitra, Oct 13, 2009.

  1. chitra

    chitra Private E-2

    Hi
    I have a very sticky virus with strange alphabet names. The folders contain more folders with strange names like dotnetfix30, dotnetfix20 etc. ...also clwrig.exe, xpssvcs.dll, update.exe, wganotify.cat...supposedly Microsoft applications!
    Tried Malwarebytes, SUPERAntiSpyware, NOD32, Ad-Aware, Spybot Search and Destroy and a-squared. None detects these folders...
    Kindly suggest a solution...
     
  2. chitra

    chitra Private E-2

    Oh, by the way, I can see the folders but cannot delete them as the system says that they are either locked by the system or are in use.
     
  3. evilfantasy

    evilfantasy Malware Fighter

    This is because you are trying to delete Protected System Files. It's never a good idea to delete a file because it looks suspicious. Many legitimate Windows files have odd names and extensions. Delete the wrong one and you may have to reformat and reinstall Windows to fix it.

    If you think this is a malware issue please follow the instructions in the below link and attach the requested logs when you finish these instructions. We can not help without the logs.

    READ & RUN ME FIRST. Malware Removal Guide
     
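    An added check, not from this thread or either poster, for the point made above: before deleting a folder because its name looks odd, look at what the files in it actually are. The script assumes Windows PowerShell and a placeholder folder path; it lists each item's Hidden/System attributes and the Authenticode signature status of executables and catalogue files, so a signed Microsoft component with a strange name is not mistaken for malware and an unsigned executable stands out.

```powershell
# Added example (not from the thread): inspect a suspicious-looking folder and
# report attributes plus signature status instead of deleting on name alone.
# Assumes Windows PowerShell; $Path is a placeholder, replace it with the real folder.
param(
    [string]$Path = 'D:\Media\<suspicious-folder>'   # placeholder path
)

function Get-FolderEvidence {
    param([string]$Folder)

    # -Force also returns Hidden and System items, which a plain listing skips.
    foreach ($item in Get-ChildItem -LiteralPath $Folder -Recurse -Force -ErrorAction SilentlyContinue) {
        $attrs    = $item.Attributes
        $isHidden = (($attrs -band [IO.FileAttributes]::Hidden) -ne 0)
        $isSystem = (($attrs -band [IO.FileAttributes]::System) -ne 0)

        $sigStatus = 'n/a'
        $signer    = ''
        if (-not $item.PSIsContainer -and $item.Extension -match '^\.(exe|dll|sys|cat|ocx)$') {
            # Verifies the embedded Authenticode signature. A .cat file (like
            # wganotify.cat in the first post) is itself a signed catalogue of hashes.
            $sig       = Get-AuthenticodeSignature -FilePath $item.FullName
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Path      = $item.FullName
            Hidden    = $isHidden
            System    = $isSystem
            Signature = $sigStatus   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer    = $signer
        }
    }
}

$results = Get-FolderEvidence -Folder $Path
$results | Sort-Object Signature | Format-Table -AutoSize

# Unsigned or tampered binaries are the ones worth a closer look; a Valid signature
# from a Microsoft subject is the "legitimate file with an odd name" case.
$suspect = @('NotSigned', 'HashMismatch', 'NotTrusted')
$results | Where-Object { $suspect -contains $_.Signature } |
    ForEach-Object { Write-Warning "Investigate before deleting: $($_.Path) [$($_.Signature)]" }
```

    A Valid status only proves the file is an intact signed binary; the Signer column says whose, so check that it reads as a Microsoft subject before treating the file as a system component.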
  4. chitra

    chitra Private E-2

    Yup. Will post the logs soon. Am on the job.
     
  5. chitra

    chitra Private E-2

    Hi
    I have attached the log files for ComboFix, HijackThis and Malwarebytes in this mail.
     

  6. chitra

    chitra Private E-2

    This mail contains the ReadMeRootRepeal log file.
    SUPERAntiSpyware slowed my system to an almost stall, so I uninstalled it.
    Also registry cleaner found about 350 errors but will only repair if I buy the product.
    Spybot Search and Destroy found no infections.
    Thanks
     

  7. chitra

    chitra Private E-2

    I had to zip the registry cleaner log because it was too big.
    Sara
     

  8. evilfantasy

    evilfantasy Malware Fighter

    You didn't follow the instructions in the READ ME.

    That isn't anything we asked you to download and run. What is the name of this registry cleaner? You need to stick to the instructions or it just makes it harder for both of us.

    You have too much protection installed.

    Step 2: Uninstalling Multiple Protection Applications
    *** IMPORTANT NOTES - READ THESE ***
    • You must uninstall all but one antivirus program.
      • If you have multiple antivirus applications installed on your PC, please choose the one you prefer and uninstall all others. Do this now before continuing because you will only be asked to do it later if not done now. This does not mean online scanners. It is only referring to full antivirus applications like McAfee, Symantec, AVG, Avast, AntiVir, Kaspersky, etc.
    • You must uninstall all but one software firewall.
      • Only use one software firewall. Running multiple software firewalls is unnecessary and using more than one software firewall on the same connection could cause issues with connectivity to the Internet or other unexpected behavior including excessive use of system resources which will slow down overall PC performance.

    You didn't finish following the READ ME. I need the MGtools logs. Using MGtools

    Please only install and run what we ask you to until we give the all clear.
     
  9. chitra

    chitra Private E-2

    Here is the MGTools Zip file.
    I had run Registry Booster 2010 and Registry Mechanic. I don't remember why I thought about that. Sorry. I downloaded them from here: http://www.majorgeeks.com/downloads15.html
    I have Comodo firewall and Nod32 antivirus.
    The rest are antispyware... I have Malwarebytes, Spybot without TeaTimer, but with immunization, and Spysweeper.
    I had to disable Comodo and Nod32 for letting Combofix function smoothly.
    Thanks
     

  10. evilfantasy

    evilfantasy Malware Fighter

    You have COMODO Internet Security installed. That is the whole security suite including an antivirus and firewall.

    Go to Add or Remove Programs and uninstall:
    • Comodo HopSurf
    • COMODO Internet Security
    • COMODO SafeSurf
    Be sure to restart the computer after uninstalling.

    Now install only the Comodo firewall. Comodo Personal Firewall (During installation uncheck "Install Comodo SafeSurf...", "Make Comodo my default search provider" and "Make Comodo Search my homepage", and uncheck any Ask.com options.)

    Now please run MGtools again and attach the MGlogs.zip. Using MGtools
     
  11. chitra

    chitra Private E-2

    Attached is the MGTools log.
    Thanks:)
     

  12. evilfantasy

    evilfantasy Malware Fighter

    Disable Spybot's TeaTimer

    While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with certain fixes. Please disable TeaTimer for now until you are clean.

    1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
    2. Run Spybot S&D
    3. Go to the Mode menu, and make sure Advanced Mode is selected.
    4. On the left hand side, choose Tools > Resident, uncheck Resident TeaTimer, OK any prompt, and restart your computer.

    Note:
    If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

    Visit this web page to download then run the AVG Remover(32bit).

    "AVG Remover utility removes all parts of AVG installation on your computer, including registry items, installation and user files on your disk, etc. AVG Remover is the least option to be used in case the AVG uninstallation / repair installation process has failed repeatedly."

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines (if found) but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

    • R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10587&gct=&gc=1&q=
    • R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=10587&gct=&gc=1&q=%s
    • R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    • R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    • R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    • O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    • O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    • O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    • O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    • O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    • O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

    After clicking Fix checked, exit HijackThis.


    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.

    You should delete the below left over folders from Kaspersky:

    Code:
    "C:\WINDOWS\system32\"
    AR-SA         Sep 21 2009              "ar-SA"
    DA-DK         Sep 21 2009              "da-DK"
    DE-DE         Sep 21 2009              "de-DE"
    EL-GR         Sep 21 2009              "el-GR"
    FI-FI         Sep 21 2009              "fi-FI"
    FR-FR         Sep 21 2009              "fr-FR"
    HE-IL         Sep 21 2009              "he-IL"
    IT-IT         Sep 21 2009              "it-IT"
    KO-KR         Sep 21 2009              "ko-KR"
    NB-NO         Sep 21 2009              "nb-NO"
    NL-NL         Sep 21 2009              "nl-NL"
    PT-BR         Sep 21 2009              "pt-BR"
    SV-SE         Sep 21 2009              "sv-SE"
    TR-TR         Sep 21 2009              "tr-TR"
    ZH-HK         Sep 21 2009              "zh-HK"
    ZH-TW         Sep 21 2009              "zh-TW"
    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Windows\temp
    C:\Users\acer\AppData\Local\temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Restart the computer and let me know how it is running now.
     
  13. chitra

    chitra Private E-2

    Hi
    Thanks.
    I did as said and attached the new HijackThis log which came from running MGTools.
    Also, the AVG and Windows messenger-related entries
    # O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    # O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    # O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    # O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    were not found, as I ran the AVG and Windows Messenger removal first.

    The system is faster and the 'search options' which was not working had started working since the first step...removal of extra protection etc.
    But the 'alphabet folders' remain. I don't know what they do there. The folder is for media files. There are also two new folders there, one called 'Recycler' and another, 'System volume information', both of which are hidden files. Both cannot be deleted.
    I hope they are not a cause for concern.
    Thanks.
    S
     

  14. evilfantasy

    evilfantasy Malware Fighter

    Remember what I said in my first post.

    Hidden files and folders are hidden for a few reasons. One is to keep people from deleting them. Windows is constantly creating, overwriting and deleting files with very odd names and extensions. The ones you mention are not a threat. They are normal Windows folders. Re-hide your hidden files and folders and trust your antivirus to do its job. ;) Also keep SUPERAntiSpyware and Malwarebytes Anti-Malware. Update and scan with them on a regular basis. If they don't find anything other than tracking cookies then you are likely malware free.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  15. chitra

    chitra Private E-2

    OK. Thanks a lot.
    A lot...
    and have a nice weekend!;0:)
     
  16. evilfantasy

    evilfantasy Malware Fighter

    You're welcome.

    Safe surfing...
     
