I need to purge this cursed PC again; sincerest apologies for the repost


offsafety

I sincerely apologize for reposting the thread, but I read the disclaimer advising not to reply to your own topic within 48 hrs AFTER I had already replied to my topic.

Greetings everyone. My computer is in trouble.

I managed to download MBAM and install it, but it won't run... I've already looked for that TDSys non-plug-and-play driver, or whatever its name is, in Device Manager, but it's not listed (AFTER showing hidden items). If any mods could delete the other thread I would appreciate it, and again, apologies.

Pardon my ignorance on the matter, as I don't maintain my PC as I should. I don't have another PC or laptop at the moment, so I'm not at liberty to run programs on other OSes and whatnot. I do have a USB memory stick though (not sure if that helps any).

Again, pardon my ignorance of internet jargon and grammar and whatever else makes me seem more like an ignoramus.

Thank you for your help.

Attached is my HiJackThis log from my PC.

I am running Windows XP. My taskbar stays on the hourglass, so I can't use it.

I have no money to purchase a good AV program.

hijackthis.txt


  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

I have downloaded Combofix.exe to my desktop, but it won't run. I get an hourglass flicker and nothing more. Also, I wanted to know: when you say to disable the Antivirus/Antispyware/Firewall, does that include the fake antivirus programs like Personal Antivirus or PC AntiSpyware? Also, FYI, my taskbar is frozen for a really long time before it starts to function; don't know if that affects anything. Seems like cleaning this computer is a little late. This is sort of new behavior.


  • Staff

Hi,

Please do the following next:

Download and run Win32kDiag:

Good morning (about 7:25 am here).

The following is the contents of the Win32kDiag.txt file created after running the exe:

Running from: C:\Documents and Settings\Ati\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Ati\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!


  • Staff

Hi,

Please do the following, exactly the way I describe.

Delete ComboFix from your desktop.

Then please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
    (screenshots: CF_download_FF.gif, CF_download_rename.gif)
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double-click on Combo-Fix.exe and follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because in some cases malware blocks EVERY process except those on its own whitelist, and that whitelist also includes system-critical processes such as iexplore.exe, explorer.exe and winlogon.exe.

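As an added illustration (not part of the thread, and not ComboFix or MBAM code), the Python below models the two kinds of name-based block the posts above are working around: a denylist of known tool names, which the Combo-Fix rename gets past, and the stricter allowlist of system-critical names, which needs the iexplore.exe or winlogon.exe disguise. The deny and allow lists and the file bytes are constructed stand-ins. A third check keyed on file hash is included for contrast: renaming changes nothing it looks at.

```python
"""Why renaming the tool can get it past a rogue's process block.

Added illustration for the two rename steps in the thread (Combo-Fix during
download, then iexplore.exe or winlogon.exe as a last resort). It is not
ComboFix or MBAM code; the deny/allow lists and file bytes are constructed.
"""
import hashlib

# Constructed: names a rogue refuses to let run (a denylist) ...
ROGUE_DENYLIST = {"combofix.exe", "mbam.exe", "hijackthis.exe"}
# ... and, for the stricter variant the thread describes, the only names it
# lets run at all: processes it cannot kill without breaking its host.
ROGUE_ALLOWLIST = {"iexplore.exe", "explorer.exe", "winlogon.exe"}


def passes_denylist(image_name, denylist=ROGUE_DENYLIST):
    """Denylist keyed on file name: any unlisted name gets through."""
    return image_name.lower() not in denylist


def passes_allowlist(image_name, allowlist=ROGUE_ALLOWLIST):
    """Allowlist keyed on file name: only listed names get through."""
    return image_name.lower() in allowlist


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def passes_hash_allowlist(file_bytes, allow_hashes):
    """Allowlist keyed on file content: the name on disk is irrelevant."""
    return sha256(file_bytes) in allow_hashes


# Constructed stand-ins for the tool and for the genuine browser binary.
COMBOFIX_BYTES = b"MZ\x90\x00 combofix stand-in"
IEXPLORE_BYTES = b"MZ\x90\x00 iexplore stand-in"
GENUINE_HASHES = {sha256(IEXPLORE_BYTES)}


def verdicts(saved_as, file_bytes=COMBOFIX_BYTES):
    """How the same bytes fare under each check when saved as `saved_as`."""
    return {
        "denylist": passes_denylist(saved_as),
        "allowlist": passes_allowlist(saved_as),
        "hash": passes_hash_allowlist(file_bytes, GENUINE_HASHES),
    }


def demo():
    """The three file names the thread walks through, in order."""
    return {name: verdicts(name)
            for name in ("combofix.exe", "combo-fix.exe", "iexplore.exe")}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:14}", {k: ("runs" if ok else "blocked") for k, ok in v.items()})
```

Read the rows top to bottom: a rogue that only denylists known tool names is beaten by Combo-Fix, one that allowlists a handful of system names needs the iexplore.exe disguise, and neither rename does anything against a check on file content. That last column is also why a defensive application allowlist should key on hash or code signature rather than image name.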

  • Staff

Hi,

Go to Start > Run and copy and paste the next command in the field:

sc delete RPCM

Hit enter.

Then, I see you have Viewpoint installed...

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Then go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Reboot and let me know in your next reply how things are now.


  • Staff

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates have been downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Again, as requested, the Malwarebytes report, followed by the fresh HijackThis log:

Malwarebytes' Anti-Malware 1.41

Database version: 2897

Windows 5.1.2600 Service Pack 3

10/2/2009 7:25:03 PM

mbam-log-2009-10-02 (19-25-03).txt

Scan type: Quick Scan

Objects scanned: 129370

Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 9

Registry Values Infected: 5

Registry Data Items Infected: 0

Folders Infected: 9

Files Infected: 14

Memory Processes Infected:

C:\Program Files\PersonalAV\PAV.exe (Rogue.PersonalAntiVirus) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.Ascentive) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.Ascentive) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.Ascentive) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.Ascentive) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{c24d7016-d00f-41ef-9781-984b6b5ff38f} (Rogue.Ascentive) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{ec88fcd0-2ed5-4d65-9b4c-71d146b43a2e} (Rogue.Ascentive) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e532cfb1-5edd-4663-8c22-bcd67b5e5bd4} (Rogue.Ascentive) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\PC-AntiSpyware (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_PCA-FIREWALL (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\ConTest.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalav (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Environment\avapp (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Environment\avuninst (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Documents and Settings\Elijah\Application Data\PC-Antispyware (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Elijah\Application Data\PC-Antispyware\logs (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Elijah\Application Data\PC-Antispyware\startup (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Glenys\Application Data\PC-Antispyware (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Glenys\Application Data\PC-Antispyware\logs (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Glenys\Application Data\PC-Antispyware\startup (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

C:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\Program Files\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Files Infected:

C:\Documents and Settings\Glenys\Desktop\SpeedScan_setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Downloads\Swap.Magic.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ConTest.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.

C:\Documents and Settings\Elijah\Application Data\PC-Antispyware\config.xml (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Elijah\Application Data\PC-Antispyware\Sites.bl (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Glenys\Application Data\PC-Antispyware\config.xml (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Glenys\Application Data\PC-Antispyware\Sites.bl (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

C:\Documents and Settings\Glenys\Application Data\PC-Antispyware\logs\1208113869.log (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.

C:\Program Files\Common Files\Uninstall\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\Program Files\PersonalAV\PAV.exe (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\PersonalAV\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

C:\Documents and Settings\Ati\Desktop\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

hijackthislog.txt

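The log above has a regular layout (a header with one count per section, then each section's items as "path (Family) -> action"), which makes it easy to cross-check. The Python below is an added example, not Malwarebytes' own code or a published format specification; the section and item patterns are inferred from the posted log, and the embedded sample is a trimmed excerpt of it with the header counts adjusted to match the lines kept. It pulls out the detection families, the user profiles that held detections, any item not reported as removed, and flags a log whose header counts disagree with the items listed (a sign of truncation or editing before posting).

```python
"""Parser for the Malwarebytes' Anti-Malware 1.x log layout posted above.

Added example, not MBAM's own code. The layout is inferred from that log: a
header, one "<Section> Infected: N" count per section, then each section
followed by "<path> (<Family>) -> <action>." lines or "(No malicious items
detected)".
"""
import re
from collections import Counter

COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
PROFILE_RE = re.compile(r"^[a-z]:\\Documents and Settings\\([^\\]+)\\", re.I)


def parse_mbam_log(text):
    """Return (declared, items): declared maps section -> count from the
    header; items maps section -> [(path, family, action), ...]."""
    declared, items, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            declared[m["section"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            items.setdefault(section, [])
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items[section].append((m["path"], m["family"], m["action"].rstrip(".")))
    return declared, items


def count_mismatches(declared, items):
    """Sections whose header count differs from the items actually listed.
    Anything here means the log is truncated or was edited before posting."""
    return {s: (n, len(items.get(s, []))) for s, n in declared.items()
            if n != len(items.get(s, []))}


def families(items):
    """Detection families over all sections, most frequent first."""
    return Counter(fam for rows in items.values() for _, fam, _ in rows)


def affected_profiles(items):
    """User profiles under Documents and Settings that held detections;
    each one is a separate account whose startup entries need checking."""
    users = set()
    for rows in items.values():
        for path, _, _ in rows:
            m = PROFILE_RE.match(path)
            if m:
                users.add(m.group(1))
    return sorted(users)


def unresolved(items):
    """Items MBAM did not report as unloaded/quarantined successfully."""
    return [row for rows in items.values() for row in rows
            if "successfully" not in row[2]]


# Constructed excerpt of the log posted above, trimmed so the header counts
# match the lines kept here.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.41
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 3
Memory Processes Infected:
C:\\Program Files\\PersonalAV\\PAV.exe (Rogue.PersonalAntiVirus) -> Unloaded process successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\PC-AntiSpyware (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\personalav (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\\Documents and Settings\\Elijah\\Application Data\\PC-Antispyware (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\Glenys\\Application Data\\PC-Antispyware (Rogue.PCAntiSpyware) -> Quarantined and deleted successfully.
Files Infected:
C:\\Documents and Settings\\Glenys\\Desktop\\SpeedScan_setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
C:\\Program Files\\PersonalAV\\PAV.exe (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    declared, items = parse_mbam_log(SAMPLE_LOG)
    print(families(items).most_common(), affected_profiles(items),
          count_mismatches(declared, items), unresolved(items))
```

To use it on a full log, read the file and pass its text to parse_mbam_log. affected_profiles() is the quickest way to see which accounts the rogue touched; on the full log above that is Elijah, Glenys, Ati and All Users, each of which has its own Run keys and Start Menu entries to check rather than just the profile that was logged in when the scan ran.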

Hi,

This is an older HijackThis log you posted. Can you rescan with HijackThis and post again?

Also, let me know how things are right now.

Hello,

I'm very sorry. Attached is a current HijackThis log. Things are running much smoother now. The Personal Antivirus is gone. I see no signs of malware, spyware or the like right now. I'm really not sure how to analyze the system better to provide you with a better answer.

hijackthis.txt

Quick update: I notice that IE is still redirecting me to sites other than the ones I'm typing in.


Hi,

Can you redownload and run ComboFix again as well? Then post the log in your next reply. This is just to make sure.

Also, can you tell me what sites it redirects to, for example? Is this when you search via Google or so?

Hi!

Here's my combofix log.

I'm going to have to ask you to disregard my last post about IE redirecting me. I was under the influence of alcohol and am not 100% sure if I mistyped a URL. Google seems to be working fine.

combofixlog.txt


  • Staff
Lol, that makes sense as well.

Don't drink and surf? :D

Everything looks OK here though.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :D


Hello again!

Sorry for the delayed response. I have been doing everything you told me, step by step. I've chosen to use a combination of AVG, COMODO (just the firewall), and of course, Malwarebytes Anti-Malware. I've also run the Startup Lite program, and last night I defragged my C: drive.

One question, though: am I supposed to check and fix all of the results in Combo-Fix or Malwarebytes? I'm pretty sure I skipped that the last few times I ran them. Guess I was focused on the logs and didn't take notice.


  • Staff

Hi,

There's nothing strange anymore in the latest Combofix log. It already did its job there, so all you have to do is uninstall it again as I already posted before:

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
