VBS Small


lvega
20 May 2007, 5:57am
Hello. I am having trouble with VBS Small. I saw another user had the same trouble, and you told him to run clean autoruns and post the resulting files. I am posting them. Please help me. Thank you.

peku006
20 May 2007, 7:37am
Hi lvega and welcome to Short-Media. I'm checking your log, so please be patient.

peku006
20 May 2007, 8:59am
:) Hi lvega
What firewall do you use?
Let's start with this:

step#1
Click here (http://downloads.malwareremoval.com/HJTsetup.exe) to download HJTsetup.exe and save it to your Desktop.
* Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.

step#2
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

F2 - REG:system.ini: UserInit=userinit.exe,autorun.bat
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Archivos de programa\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O9 - Extra button: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing

Close ALL open windows
Click Fix Checked
Close HijackThis

step#3
Please delete the following folder
C:\Archivos de programa\Ringz Studio\Storm Codec

step#4
Please Download Clean Autoruns (http://forums.techguy.org/attachments/102310d1175652013/clean-autoruns.zip)
Save the attached Clean autoruns.zip to your desktop and extract (unzip) its contents to the desktop. It contains a batch file, Clean autoruns.bat, Written by Mosaic1. Once extracted, open the folder and double click on the Clean autoruns.bat to run the fix.
1. If any autoruns are found, the fix will move them to a backup folder.
2. If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoint(s) key are fixed.
3. It will produce two files, Part1.txt and Part2.txt , that will show the state before and after the cleaning.

step#5
Post these Logfiles in your next reply:
hjt-log
Part1.txt
Part2.txt
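
Added example (not part of peku006's post and not HijackThis code): a short Python triage of the HijackThis lines quoted above. It flags a UserInit value that launches anything besides userinit.exe, and entries HijackThis marked "(file missing)". The sample log is constructed from the lines in the post, with the garbled O9 button label replaced by a placeholder and one benign F2 line added for contrast.

```python
import re

# Constructed sample: the F2/O4/O9 lines quoted in the post, with the garbled
# O9 label replaced by "X", plus one benign F2 line added for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,autorun.bat
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Archivos de programa\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O9 - Extra button: X - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
"""

# A HijackThis entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def userinit_extras(body):
    """Return the programs chained after userinit.exe in a UserInit= value."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    parts = [p.strip().strip('"') for p in m.group(1).split(",") if p.strip()]
    # Compare on the file name only, so a full path to userinit.exe is accepted.
    return [p for p in parts
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() != "userinit.exe"]


def triage(log_text):
    """Return (section, reason) pairs for lines that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "F2":
            extras = userinit_extras(body)
            if extras:
                findings.append(
                    (code, "UserInit launches extra program(s): " + ", ".join(extras)))
        elif body.rstrip().endswith("(file missing)"):
            findings.append((code, "HijackThis marked the target as (file missing)"))
        # O4 autostart entries are not judged here: deciding whether a Run
        # entry is unwanted needs an analyst who knows the program.
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, "-", reason)
```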

lvega
20 May 2007, 3:52pm
Thank you for your help. These are the files. What do these files tell you?

peku006
20 May 2007, 4:48pm
Hi lvega
I need a new HijackThis log too

lvega
22 May 2007, 1:35am
Hi, I had to rename the log file to txt, because it said invalid file. Thanks a lot. :)

peku006
22 May 2007, 11:53am
:smiles: Hi lvega
we have five things to do
Please follow my steps in the right order...
Let's start with this:

step#1
Click Start > Run > type in appwiz.cpl and hit Enter. From the list, uninstall the following (if present):
Ringz Studio

step#2
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
F2 - REG:system.ini: UserInit=userinit.exe,autorun.bat
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Archivos de programa\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O9 - Extra button: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: Ò×Ȥ¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
Close ALL open windows
Click Fix Checked
Close HijackThis

step#3
Please delete the following folder (if present):
C:\Archivos de programa\Ringz Studio\Storm Codec

step#4
Please download Deckard's System Scanner (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop
* Close all applications and windows.
* Double-click on Dss.exe to run it, and follow the prompts.
* The scan may take a minute. When the scan is complete, a text file will open Main.txt and extra.txt

step#5
Post these Logfiles in your next reply:
Main.txt and extra.txt :wink:

lvega
23 May 2007, 4:57am
I couldn't find any registry entry nor a program to uninstall. It is a good sign I think :tongue: .

I am sending you main.txt, because the program didn't generate an extra.txt

Thanks a lot!

peku006
23 May 2007, 9:46pm
:smiles: Hi lvega
Good Work!
Please do the following..

step#1
Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following,
all older versions of Java.

step#2
Please back up your registry before fixing it:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window
Please run Notepad and paste the following text into a new file:
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5e104aa0-4464-11db-92d9-000b6a12dbf7}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a10a1630-713d-11db-8810-000000000000}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b87f7290-4111-11db-92d7-000b6a12dbf7}]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry

step#3
Please update your Java: Java Runtime Environment (JRE) 6u1 (http://java.sun.com/javase/downloads/index.jsp)
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
* From your desktop, double-click on jre-6-windows-i586.exe to install the newest version.

step#4
Please download
ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
This program is for XP and Windows 2000 only!
Double-click ATF Cleaner.exe to open it.
Under Main select the following:
* Windows Temp
* Current User Temp
* All Users Temp
* Temporary Internet Files
* Prefetch
* Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

step#5
Print out these instructions or save them with notepad or Word

Please download AVG Anti-Spyware (http://downloads.grisoft.cz/softw/70/filedir/inst/avgas-setup-7.5.0.50.exe) to your desktop. When ready, do the following:

Start AVG Anti-Spyware
Click the Update icon
Click Start update
Wait until updates are downloaded
Click the Scanner icon
Open the Settings tab
If you are having problems with the updater, you can use this link (http://www.ewido.net/en/download/updates/) to manually update
Make sure that under "How to act?" it reads Quarantine
(If not, click the text and choose Quarantine)
Under "How to scan?" all checkboxes should be ticked
Under "Reports" select Automatically generate report after every scan
and uncheck Only if threats were found
Under "What to scan?" select Scan every file
Click the Shield icon
Under the "Resident shield is" click active to make it inactive
Close AVG Anti-Spyware

Reboot to safe mode

If the computer is running, shut down Windows, and then turn off the power
Wait 30 seconds, and then turn the computer on
Start tapping the F8 key
The Windows Advanced Options Menu appears
Ensure that the Safe Mode option is selected
Press Enter. The computer then begins to start in Safe mode
Login on your usual account
Open My Computer.
Click Tools menu then click Folder Options.
Click the View tab.
Scroll to the "Hidden files and folders" section and click "Show hidden files and folders."
Uncheck the "Hide protected operating system files (recommended)" option. (SEE NOTE ABOVE ON THIS OPTION!) Click Yes to confirm. Then click OK.

Close all open windows / programs / folders
Start AVG Anti-Spyware
Click the Scanner icon
Click Complete System Scan
Let the program scan the machine
When the scan has finished, follow the instructions below
Make sure that under "Set all elements to" it reads Quarantine
(If not, click the text and choose Quarantine)
Click Apply all actions
Click Save Report
Click Save reports as
Save report to your Desktop

step#6
Post these Logfiles in your next reply
AVG Anti-Spyware report
hjt-log

lvega
29 May 2007, 2:33am
Hi, :)

I am sending you the reports. I have a question: the avast antivirus found the vbs on a restore archive from system restore. What I did was to disable system restore, turn off the computer and turn it on again, then enable system restore and create one restore point. Is the procedure ok?

Thanks a lot.

peku006
29 May 2007, 9:57am
:) Hi lvega
Is the procedure ok? = Yes
Excellent Work!
Your comp looks clean.
Everything is good now

we have two things to do

step#1
Clean your System Restore:
Turn off System Restore.
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab
Check Turn off System Restore
Click Apply, and then click OK

You can fix these lines with HijackThis, if you want. This could speed up your computer's startup.
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Archivos de programa\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Archivos de programa\InterVideo\Common\Bin\WinCinemaMgr.ex
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Archivos de programa\InterVideo\WinDVR\WinScheduler.exe
Close ALL open windows
Click Fix Checked
Close HijackThis

Reboot.
Turn on System Restore.
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab
Uncheck Turn off System Restore
Click Apply, and then click OK


step#2
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article (http://www.spywareinfo.com/articles/p2p/) written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.
Spybot Search & Destroy (http://www.safer-networking.org/) - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
AdAware (http://www.lavasoftusa.com/) - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Great prevention tool to keep nasties from installing on your system.
SpywareGuard (http://www.javacoolsoftware.com/spywareguard.html) - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
IE-SpyAd (http://www.bleepingcomputer.com/tutorials/tutorial53.html) - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
CleanUP! (http://cleanup.stevengould.org/) - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
Windows Updates (http://windowsupdate.microsoft.com/) - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
Google Toolbar (http://toolbar.google.com/) - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
Trillian or Miranda-IM (http://www.trillian.cc/) - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I) article by Tony Klei
Happy surfing and stay clean! :thumbsup:

lvega
29 May 2007, 2:02pm
Peku, thank you very much for your help :p

Definitely, you know how to manage this viruses thing. Congratulations! :respect: