Please someone help me


My computer is being taken over! This virus has left all sorts of malware on my computer. I've removed the bulk using PC Tools AntiVirus, but I am unable to get new updates as there is a URL changer at work. Also it removes my search history, turns off my firewall (PF firewall log?), etc. It has left a setupapi.log in Windows. I've uploaded GMER, which says there is a suspicious modification to a system32 driver. It has started crashing my computer now when I run GMER and RKill!! PLEASE HELP, AS I NEED MY COMPUTER FOR STUDIES.


Welcome to the forum.

Please follow this guide, that should get most of it fixed.

There are also several options in this guide.

Let me know, MrC

Hi again. After renaming and running Malwarebytes as described, it found one more trojan; however, after following the removal my Adobe Photoshop opens up instantly with a whole lot of items opening up! It then crashes. Malwarebytes does not ask me to reboot my computer and no logs open. After looking at my Windows log, there is a recent date where my computer was accessed and random words and images appear, then it looks like someone is changing all sorts of drivers, etc.

I have followed ALL other steps shown to get rid of this. There is a svchost.exe problem, I think, with GMER showing a suspicious modification to a system32\atapi driver. When trying to download Microsoft security settings I get a problem showing error no. 0x80072EFF. I have seen this in a setupapi.log or a Windows log. Should I upload any logs for you to look at?

PLEASE HELP, I fear that soon my computer will crash altogether.


Please post them on the forum.

What scan did you run?

MrC

I ran the quick scan in Malwarebytes.

I'm still getting redirected from all important sites and cannot download any security-related files. I put GMER and RKill on via USB after downloading them from another computer.


See if you can run this scan:

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click Start Scan.
  • If an infected file is detected, the default action will be Cure; click Continue.
  • If a suspicious file is detected, the default action will be Skip; click Continue.
  • It may ask you to reboot the computer to complete the process. Click Reboot Now.

After the reboot (if one was required) you'll find the log in C:\

Please post it back here, MrC


Hi MrCharlie, I cannot download this to the desktop as my connection keeps getting reset. Do I have to use another computer again and save it to USB?


This is from my Windows log:

Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2010-08-05 05:11:38:031 992 414 Misc Microsoft signed: Yes
Send failed with hr = 80072efe.
= Process: C:\WINDOWS\System32\svchost.exe
2010-08-05 05:52:29:250 992 4f4 Misc = Module: C:\WINDOWS\system32\wuaueng.dll

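The "Send failed with hr = ..." lines above carry a Windows HRESULT, and the two values the thread mentions (80072efe and 0x80072EFF) decode mechanically: facility 7 is FACILITY_WIN32, and the low 16 bits are a WinINet error code. The script below is an added example written for this page, not code from the thread or from Microsoft. It parses lines in the shape the post shows and names the codes; the sample log is constructed from the post (the WARNING prefixes and the second timestamp are assumed, not taken from the real log).

```python
"""Decode HRESULT values found in WindowsUpdate.log lines.

Added example, not from the forum thread. Line layout assumed:
  <date> <time> <pid> <tid-hex> <component> <message>
"""
import re

FACILITY_WIN32 = 7           # 0x8007xxxx: low word is a Win32 error code
FACILITY_WINDOWSUPDATE = 36  # 0x8024xxxx: Windows Update agent errors

# WinINet error codes (winerror.h / wininet.h) commonly seen in WU logs.
WIN32_NAMES = {
    12002: "ERROR_INTERNET_TIMEOUT",
    12007: "ERROR_INTERNET_NAME_NOT_RESOLVED",
    12029: "ERROR_INTERNET_CANNOT_CONNECT",
    12030: "ERROR_INTERNET_CONNECTION_ABORTED",
    12031: "ERROR_INTERNET_CONNECTION_RESET",
}

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>[0-9a-f]+)\s+(?P<component>\S+)\s+(?P<msg>.*)$"
)
HR_RE = re.compile(r"\bhr\s*=\s*(?:0x)?([0-9a-fA-F]{8})\b")

# Constructed sample: the two lines with hr values are modelled on the post,
# the timestamps on them and the WARNING prefixes are assumptions.
SAMPLE_LOG = r"""2010-08-05 05:11:38:031 992 414 Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
2010-08-05 05:11:38:031 992 414 Misc  Microsoft signed: Yes
2010-08-05 05:11:40:515 992 4f4 Misc WARNING: Send failed with hr = 80072efe.
2010-08-05 05:52:29:250 992 4f4 Misc WARNING: Send failed with hr = 80072eff.
2010-08-05 05:52:29:250 992 4f4 Misc = Process: C:\WINDOWS\System32\svchost.exe
"""


def decode_hresult(hr):
    """Split an HRESULT into (severity, facility, code)."""
    severity = (hr >> 31) & 1
    facility = (hr >> 16) & 0x7FF
    code = hr & 0xFFFF
    return severity, facility, code


def describe_hresult(hr):
    """Human-readable meaning of an HRESULT, as far as the tables above go."""
    severity, facility, code = decode_hresult(hr)
    if not severity:
        return "success"
    if facility == FACILITY_WIN32:
        return f"Win32 error {code} ({WIN32_NAMES.get(code, 'unknown')})"
    if facility == FACILITY_WINDOWSUPDATE:
        return f"Windows Update agent error 0x{hr:08X}"
    return f"facility {facility}, code {code}"


def scan_log(text):
    """Return one record per log line that carries an 'hr = ...' value.

    Lines without the standard date/time/pid/tid prefix (as in the post,
    where the prefix was lost) are still reported, with timestamp None.
    """
    findings = []
    for line in text.splitlines():
        m = HR_RE.search(line)
        if not m:
            continue
        hr = int(m.group(1), 16)
        lm = LINE_RE.match(line)
        findings.append({
            "timestamp": f"{lm['date']} {lm['time']}" if lm else None,
            "component": lm["component"] if lm else None,
            "hr": hr,
            "description": describe_hresult(hr),
        })
    return findings


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["timestamp"], f"0x{rec['hr']:08X}", rec["description"])
```

Both codes in the thread resolve to WinINet connection errors (12030 connection aborted, 12031 connection reset), which is the network layer reporting that the TCP session to the update server was torn down, consistent with the "connection keeps getting reset" symptom rather than with a signing or cache problem. The name table only covers the handful of WinINet codes listed; anything else is reported as unknown.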

Please don't quote my replies, just use the Add reply button, thanks.

See if you can run this first, it will run right off of the usb flash drive.

Try running the VIPRE Rescue Program. It is a new anti-malware utility that runs from the command prompt and will scan for and remove most malware, including rootkits. It will run when other programs won't.

Please note: Windows must load for this scanner to work.

Whatever VIPRERESCUE deletes is not easily restored!

It's easy to use:

1. Download it to your desktop (it's a big download, about 80 MB; it takes about 4-5 minutes on broadband, and always download a fresh copy as it is updated frequently).

2. Double-click on the VIPRE Rescue icon. It will ask if you want to extract VIPRE Rescue Scanner to your computer; click Yes.

3. The "WinZip Self-Extractor" window will pop up; click Unzip. It should by default unzip to C:
Make sure the checkbox for "When done unzipping open: .\deep_scan.bat" is checked. After the files are unzipped, click OK.

4. VIPRE Rescue will now run automatically and perform a deep (full) scan.

5. When it's done, type exit and press Enter to close the program.

6. The log isn't that good, but it will be in the VIPRERESCUE folder and listed as a CSV file.

Note: If you find that you can't download any programs to the infected computer, you can download VIPRERescue to a USB flash drive on another computer. Then plug the drive into the infected computer, navigate to the drive, double-click on VIPRERescue****.exe and follow the directions above starting at #2.

MrC


Spyware Doctor update has also just failed. Is this because I ran these commands in my system32\cmd.exe???

REM stop the Windows Update, BITS and cryptographic services
net stop wuauserv
net stop bits
net stop cryptsvc
REM rename the catalog and download caches so they are rebuilt
ren %systemroot%\System32\Catroot2 Catroot2.old
net start cryptsvc
ren %systemroot%\SoftwareDistribution SoftwareDistribution.old
REM re-register the Windows Update agent DLLs
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wucltux.dll
regsvr32 wups2.dll
regsvr32 wups.dll
regsvr32 wuwebv.dll
REM restart the services
net start bits
net start wuauserv
net start Eventlog

I believe the infection started on 07/28/2010.

This is from C:\windows\setupapi.log (opened in Notepad):

#I292 Changing device properties of "PCI\VEN_8086&DEV_4220&SUBSYS_27018086&REV_05\4&1D3F0FBB&0&20F0".
#I296 DICS_ENABLE: Enabling device for profile (null).
[2010/07/28 16:25:58 716.3 Driver Install]
#-019 Searching for hardware ID(s): hdaudio\func_02&ven_14f1&dev_2bfa&subsys_1025008f&rev_0900,hdaudio\func_02&ven_14f1&dev_2bfa&subsys_1025008f
#-018 Searching for compatible ID(s): hdaudio\func_02&ven_14f1&dev_2bfa&rev_0900,hdaudio\func_02&ven_14f1&dev_2bfa,hdaudio\func_02&ven_14f1,hdaudio\func_02
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#W389 No [Strings.0409] or [Strings.0009] section in C:\WINDOWS\inf\oem1.inf, using [Strings] instead.
#I393 Modified INF cache "C:\WINDOWS\inf\INFCACHE.1".
#I393 Modified INF cache "C:\Windows\LAN\INFCACHE.1".
#I393 Modified INF cache "C:\windows\atheros\INFCACHE.1".
#W389 No [Strings.0409] or [Strings.0009] section in C:\windows\intel\w29n51.INF, using [Strings] instead.
#I393 Modified INF cache "C:\windows\intel\INFCACHE.1".
#I022 Found "HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_1025008F" in C:\windows\modem\Acr008FK.inf; Device: "HDAUDIO Soft Data Fax Modem with SmartCP"; Driver: "HDAUDIO Soft Data Fax Modem with SmartCP"; Provider: "CXT"; Mfg: "CXT"; Section name: "ModemX".
#I023 Actual install section: [ModemX.NT]. Rank: 0x00000001. Effective driver date: 08/26/2005.
#I393 Modified INF cache "C:\windows\modem\INFCACHE.1".
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [ModemX] in "c:\windows\modem\acr008fk.inf".
#I320 Class GUID of device remains: {4D36E96D-E325-11CE-BFC1-08002BE10318}.

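When the question is "what changed on the box after a suspected infection date", setupapi.log is worth reading as a timeline rather than by eye: each block opens with a "[date time pid.tid operation]" header and the lines below it say which process drove the install, which hardware IDs were matched and which INF and section were selected. The parser below is an added example written for this page, not code from the thread or from Microsoft. It turns the log into one record per install block and filters by date window. The first block of the sample is the one the poster showed; the second (a USB disk install on 2010/08/01) is constructed to show the window filter and is not from the real log. The header layout (pid.tid as the third field) is assumed from the excerpt.

```python
"""Build a driver-install timeline from a Windows XP setupapi.log.

Added example, not from the forum thread. Assumed layout of a block header:
  [YYYY/MM/DD HH:MM:SS <pid>.<tid> <operation>]
followed by '#' prefixed detail lines until the next header.
"""
import re
from datetime import datetime

SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\d+)\.(\d+) (.+)\]$")
HWID_RE = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")
CMDLINE_RE = re.compile(r"^#-198 Command line processed: (.+)$")
FOUND_RE = re.compile(r'^#I022 Found "([^"]+)" in ([^;]+); Device: "([^"]*)";.*?Provider: "([^"]*)"')
SELECTED_RE = re.compile(r'^#I063 Selected driver installs from section \[([^\]]+)\] in "([^"]+)"')

# Constructed sample: block 1 copies the poster's excerpt, block 2 is invented
# (a USB disk install) so the date-window filter has something to exclude.
SAMPLE_LOG = r"""[2010/07/28 16:25:58 716.3 Driver Install]
#-019 Searching for hardware ID(s): hdaudio\func_02&ven_14f1&dev_2bfa&subsys_1025008f&rev_0900,hdaudio\func_02&ven_14f1&dev_2bfa&subsys_1025008f
#-018 Searching for compatible ID(s): hdaudio\func_02&ven_14f1&dev_2bfa&rev_0900,hdaudio\func_02&ven_14f1&dev_2bfa,hdaudio\func_02&ven_14f1,hdaudio\func_02
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I022 Found "HDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_1025008F" in C:\windows\modem\Acr008FK.inf; Device: "HDAUDIO Soft Data Fax Modem with SmartCP"; Driver: "HDAUDIO Soft Data Fax Modem with SmartCP"; Provider: "CXT"; Mfg: "CXT"; Section name: "ModemX".
#I023 Actual install section: [ModemX.NT]. Rank: 0x00000001. Effective driver date: 08/26/2005.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [ModemX] in "c:\windows\modem\acr008fk.inf".
#I320 Class GUID of device remains: {4D36E96D-E325-11CE-BFC1-08002BE10318}.
[2010/08/01 21:03:12 716.3 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disk&ven_generic&prod_flash_disk&rev_8.07,usbstor\disk&ven_generic&prod_flash_disk
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I022 Found "USBSTOR\Disk" in C:\WINDOWS\inf\disk.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".
#I063 Selected driver installs from section [disk_install] in "c:\windows\inf\disk.inf".
"""


def parse_setupapi(text):
    """Return one dict per install block, in log order."""
    events = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            cur = {
                "timestamp": m.group(1), "pid": int(m.group(2)), "tid": int(m.group(3)),
                "operation": m.group(4), "process": None, "hardware_ids": [],
                "matched_inf": None, "device": None, "provider": None,
                "selected_inf": None, "section": None,
            }
            events.append(cur)
            continue
        if cur is None:
            continue  # detail lines before any header (as at the top of the post)
        if (m := HWID_RE.match(line)):
            cur["hardware_ids"] = [h.strip() for h in m.group(1).split(",")]
        elif (m := CMDLINE_RE.match(line)):
            cur["process"] = m.group(1)
        elif (m := FOUND_RE.match(line)):
            cur["matched_inf"], cur["device"], cur["provider"] = m.group(2), m.group(3), m.group(4)
        elif (m := SELECTED_RE.match(line)):
            cur["section"], cur["selected_inf"] = m.group(1), m.group(2)
    return events


def events_between(events, start, end):
    """Events with start <= timestamp < end; dates given as YYYY/MM/DD."""
    fmt = "%Y/%m/%d %H:%M:%S"
    lo = datetime.strptime(start, "%Y/%m/%d")
    hi = datetime.strptime(end, "%Y/%m/%d")
    return [e for e in events if lo <= datetime.strptime(e["timestamp"], fmt) < hi]


if __name__ == "__main__":
    for e in events_between(parse_setupapi(SAMPLE_LOG), "2010/07/28", "2010/08/02"):
        print(e["timestamp"], e["operation"], e["process"], "->",
              e["selected_inf"], f"[{e['section']}]", "provider:", e["provider"])
```

Run against the real file, the output lists every driver install with the process that requested it and the INF it came from, so installs outside the expected vendor and %SystemRoot%\inf directories, or at odd hours, stand out; in the poster's excerpt the only install on 07/28 is a Conexant modem driver from C:\windows\modem, which is ordinary OEM activity and not by itself a sign of compromise.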

Please listen: don't run any more programs unless I say to, you're only making things worse.

Yes download VIPRERESCUE to a usb flash drive on a CLEAN computer then plug the drive into the sick computer, double click on the VIPRE Rescue icon and it will run right from there.

Just read and follow my instructions.

I have to leave the forum now, be back tomorrow, MrC


3 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
