VBS:SMALL

Hi,

My computer and flash drives were infected with "VBS:SMALL" nearly at the same time as other users. First, I did exactly as the removal instructions given on Viruslist.com said (virusid=147355). But I couldn't log on to any account after that. I was automatically being logged off. Then I recovered my XP and ran DSS. I'm posting the reports. Please help...

Comments

  • edited July 2007
    Sorry for the delay Juli@.

    If you are still having trouble, please post a fresh HJT log with an update on current problems.


    MM
  • edited July 2007
    I don't have so much trouble with it. I think it doesn't even slow down my computer, but it's getting annoying. The virus seems to be spreading via removable media rather than network connections. Any memory card that I plug into my computer is infected. It must be hard to get rid of this virus fully. Anyway, I'm waiting for your help. Thank you!

    --
    Berkay O.
  • edited July 2007
    I suggest you print this out to help you follow my advice.

    ***********************

    Make sure you have exposed all Hidden Files & Folders.

    To enable the viewing of Hidden files follow these steps:

    1. Close all programs so that you are at your desktop.
    2. Double-click on the My Computer icon.
    3. Select the Tools menu and click Folder Options.
    4. After the new window appears select the View tab.
    5. Put a checkmark in the checkbox labeled Display the contents of system folders.
    6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
    9. Press the Apply button and then the OK button and close My Computer.

    ***********************

    I suggest you run some first line (free) removal programs. These four ...

    >> Superantispyware > http://www.superantispyware.com/

    >> AVG Anti Spyware > http://free.grisoft.com/doc/5390/us/frt/0?prd=asf

    >> TrojanHunter > http://www.misec.net/

    Download each and have them run full scans on your entire systems.

    Let them fix whatever they find.

    >> ComboFix > http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall.

    ComboFix may create a folder called QooBox in C: (C:\QooBox). It will contain any folders that were quarantined. When you are done you can delete the folder “QooBox” and empty your recycle bin.

    ***********************

    Download SDFix from here and save it to your desktop …….

    http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

    Please then reboot your computer in Safe Mode by doing the following ……

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.

    In Safe Mode, right click the SDFix.zip folder and choose Extract All ……
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum.

    ***********************

    Close all browser windows, open HJT again and click on "scan".

    Check/tick the following entries then click on FIX CHECKED button at the foot of the HJT window ......

    F2 - REG:system.ini: UserInit=userinit.exe,autorun.bat

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - Startup: EV Detect.lnk = C:\byte\eczviz\evdet.exe


    Close HJT.

    ***********

    Locate and delete the following ....

    Autorun.bat..... file.
    ALCMTR.EXE..... file.

    > run system wide search for these two to find them. (Autorun.bat is possibly at the root of C:\ or perhaps at C:\Windows folder.)

    C:\byte .... whole folder

    ***********

    Empty your recycle bin once more.

    ***********

    Reboot your machine into normal mode, rehide your Hidden Files & Folders by carrying out the reverse operation to that described at the start of this post & reboot to normal mode.

    ***********

    In your next post here please include the following ....

    1. The Combofix log

    2. The SDFix log

    3. A fresh HJT log.


    Please also tell us how your computer is operating now. Any better?

    There is some evidence of smitfraud infections so we may need to run the fix if this doesn't clear up your problem.


    MM
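
The HijackThis entries singled out in the post above, run through a small triage script. This is an added example, not part of the original thread or of HijackThis itself; the function names, the `EXPECTED_DIRS` list and the fourth sample line are assumptions made for illustration, and a finding means "review this entry", not "this is malware".

```python
import ntpath
import re

# Constructed sample: the three entries quoted in the post plus one
# made-up, fully qualified entry for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,autorun.bat
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - Startup: EV Detect.lnk = C:\byte\eczviz\evdet.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
"""

# Assumption of this example: directories treated as expected install locations.
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
AUTOSTART = re.compile(r"^(?:\S+Run: \[.+?\] |(?:Global )?Startup: .+? = )(.+)$")

def userinit_extras(body):
    """Return programs chained after userinit.exe in a Userinit value."""
    value = body.partition("=")[2]
    items = [v.strip().strip('"') for v in value.split(",") if v.strip()]
    return [v for v in items if ntpath.basename(v).lower() != "userinit.exe"]

def autostart_reason(command):
    """Explain why an autostart command deserves review, or return None."""
    path = command.strip().strip('"')
    if not ntpath.dirname(path):
        return "no directory given, resolved through the search path"
    if not path.lower().startswith(EXPECTED_DIRS):
        return "runs from outside the expected install directories"
    return None

def triage(log_text):
    """Return (entry, reason) pairs for F2/O4 lines that need a closer look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = ENTRY.match(line)
        code, body = m.groups() if m else ("", "")
        reason = None
        if code == "F2" and "userinit=" in body.lower():
            extras = userinit_extras(body)
            reason = "Userinit also launches " + ", ".join(extras) if extras else None
        elif code == "O4":
            hit = AUTOSTART.match(body)
            reason = autostart_reason(hit.group(1)) if hit else None
        if reason:
            findings.append((line, reason))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns the three entries from the post with a reason for each and leaves the fully qualified contrast entry out.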
  • Trogan London, UK
    edited July 2007
    Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

    Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance then please start a new topic in the Spyware & Virus Removal Forum.

    If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
    If you are not the user who started this thread, you must start a new Thread instead.
This discussion has been closed.