abnow plus windows problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by iivanita, Apr 1, 2012.

  1. iivanita

    iivanita Private E-2

    I noticed I have the abnow virus and went on to remove it myself. I did not have an antivirus program, so I bumped into a quick solution on (snip), followed their steps on removing abnow, and one procedure was to download some spzware 4 in Windows safe mode. After that I got a fatal error and it did not run. Before doing that I used Avast and it detected many viruses, problems in this xxx32. So now I cannot open Windows, and I don't know how to follow any steps without opening my PC. Writing from a tablet here.
     
    Last edited by a moderator: Apr 1, 2012
  2. iivanita

    iivanita Private E-2

    I managed to start Windows and restored it somehow, although it showed this light blue page several times and could not go on. I tried to remove some viruses but they seem to attack my Windows. I am afraid to do anything else now. Is it OK if I run a full Avast scan? It will find viruses, I know, but when I remove them, are they going to attack my Windows? Can I try this way?
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  4. iivanita

    iivanita Private E-2

    I am so desperate. I was reading this all day long and I just don't understand it; there are too many links, and I am lost, especially because of so many warnings there are. I am totally afraid I will lose my computer... and I need to work tomorrow... Some people suggest it is best to redo the whole Windows and that it would be the most effective and fastest solution, with losing the programs installed... I am afraid of this ComboFix, and I also don't understand what a CD emulator is... and I spent 30 dollars on SpeedPC Pro that I don't really need now, just because someone told me it will work. Whoever knows anything about computers doesn't want to read this here, and I myself don't know how to do it.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  6. iivanita

    iivanita Private E-2

    I try to follow the steps... but you must know I can really hardly follow those steps; they just seem too advanced for normal people.... I did who knows what to my PC..... Now I tried to install this MGtools, and I just got a black window with "access denied"... it was repeating 100 times... then I did Ctrl+Alt+Del and killed that cmd window?... Also mbam-setup has some numbers behind it and not an exe extension, so I did not know how to rename it.... Now disabling user control should be the next step. Can I do more harm to my PC following these steps? I did not download ComboFix. I am so afraid I will have a problem and no one will be here to help me...
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No one can help you unless you help us. We need you to download and install those programs and get the logs from running them.
     
  8. iivanita

    iivanita Private E-2

    SUPERAntiSpyware: I performed the first, quick scan. Then MBAM second. Will try to do the third now.
     

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have some serious issues that we need to fix. Try to get me the C:\MGLogs.zip.

    Once you have done that and attached it, please do the following:

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller

    Please also download MBRCheck to your desktop.

    See the download links under this icon [​IMG]

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  10. iivanita

    iivanita Private E-2

    here is this one
     

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    After you finish doing my last instructions, then do this:

    Download The Avenger by Swandog46 to your Desktop.

    See the download links under this icon [​IMG]
    Extract avenger.exe from the Zip file and save it to your desktop.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):


    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the [​IMG] button
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!

    ALSO?> I assume you allowed MBAM to fix what it found?
     
  12. iivanita

    iivanita Private E-2

    this is from kaspersky
     

  13. iivanita

    iivanita Private E-2

    and mbrc check log
     

  14. iivanita

    iivanita Private E-2

    "ALSO?> I assume you allowed MBAM to fix what it found?"

    No, I did not; it's still open. Should I select remove? Malwarebytes, right?
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    YES!!! Have it remove those items!! ;)
     
  16. iivanita

    iivanita Private E-2

    So here I did the above, and when rebooted it all went much faster!
    I got, the first time and now as well when running this MGtools, the message: the ordinal 1108 could not be located in the dynamic link.... WSOCK32.dll, and OK, so I clicked OK.
    Here is just 1 file, mglogs.zip; the one from Avenger was not created, and I did not see any pop-up when I rebooted? I could not find avenger.txt.
     

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download ComboFix to your desktop and run it. Attach the log when it is finished. Make sure you disable any AV software you have before running it.
     
  18. iivanita

    iivanita Private E-2

    I will try now again; this SUPERAntiSpyware I downloaded was on..... I'll come back.
     
  19. iivanita

    iivanita Private E-2

    OK, do I have to repeat the Avenger before this?
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I need you to run ComboFix as Avenger did not remove the malware.
     
  21. iivanita

    iivanita Private E-2

    I did, and it was finished in like 1 minute, and I can't find the log; what would be the name of it? And I don't have any antivirus software... I did install Avast 2 times, but it disappeared after the problems with starting the PC.... I checked on the right bottom bar for what is running... nothing there... Avast is not visible at all under programs on my PC.....
     
    Last edited: Apr 1, 2012
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If it only ran for a short time, it probably did not complete. The log would be at C:\ComboFix.txt.

    Go back and try to re-run Avenger. Make sure you put all the info from the quote box in the program.
     
  23. iivanita

    iivanita Private E-2

    Yes, it was for a very short time....

    Now I reran Avenger and copied everything, and still nothing, no log file. When I reboot I don't get a pop-up, except it starts this SUPERAntiSpyware I downloaded in step 1...... How can I prevent it from starting together with opening Windows?
     
  24. thisisu

    thisisu Malware Consultant

    @TimW
    Avenger is not compatible with x64
     
  25. iivanita

    iivanita Private E-2

    Thank you really so much for today... and for your effort to help!! I don't know what I would do without you.... I will come back tomorrow... it's 1 am here and I work tomorrow... At least rebooting of Windows looks better than it was.... I hope we can do something more tomorrow. I can come after work, and pls let me know when you can be here so I can come at the same time.
     
  26. iivanita

    iivanita Private E-2

    Hello, I am back. Is there something more I can do to my PC to help it recover from malware....? I must say I did not have antivirus software on this computer since I bought it in 2010.
    In the meantime I tried to uninstall my older Java version and just could not do it; why? I went to Control Panel uninstall, and it gave some message "Windows gathering data" and nothing.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  28. iivanita

    iivanita Private E-2

    many thanks!!! i attach the file
     

  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTC by Old Timer and save it to your Desktop.

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :killallprocesses
    :files
    C:\Windows\assembly\tmp\U
    C:\Windows\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
    C:\Windows\assembly\tmp\U\00000001.@
    C:\Windows\assembly\tmp\U\000000c0.@
    C:\Windows\assembly\tmp\U\000000cb.@
    C:\Windows\assembly\tmp\U\000000cf.@
    C:\Windows\assembly\tmp\U\80000000.@
    C:\Windows\assembly\tmp\U\800000c0.@
    C:\Windows\assembly\tmp\U\800000cb.@
    C:\Windows\assembly\tmp\U\800000cf.@
    C:\Users\Ivana\AppData\Local\4d0d2e25
    C:\Users\Ivana\Local Settings\4d0d2e25
    C:\Users\Ivana\AppData\Local\4d0d2e25
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close notepad and attach this log from OTL to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip
     
  30. iivanita

    iivanita Private E-2

    hello Tim,
    here it is otl
     

  31. iivanita

    iivanita Private E-2

    here is mglogs.zip
     

  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :killallprocesses
    :otl
    :files
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Windows\assembly\tmp\loader.tlb
    C:\Windows\SysWOW64\drivers\iggaord.sys
    C:\Windows\SysWOW64\drivers\meguh.sys
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close notepad and attach this log from OTL to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  33. iivanita

    iivanita Private E-2

    otl ..
     

  34. iivanita

    iivanita Private E-2

    This time nslookup.exe gave the message: the ordinal 1108 could not be located in the dynamic link library WSOCK32.dll

    Shall I try now whether abnow is appearing? Yes, it's still there, redirecting me to abnow.
    These Desktop.ini files are still on my desktop, and they are like not totally visible like other icons; I was wondering what that is.
     

  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do all of the following:

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :killallprocesses
    :otl
    :files
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Windows\assembly\tmp\loader.tlb
    C:\Windows\assembly\tmp\U
    C:\Windows\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
    C:\Windows\assembly\tmp\U\00000001.@
    C:\Windows\assembly\tmp\U\000000c0.@
    C:\Windows\assembly\tmp\U\000000cb.@
    C:\Windows\assembly\tmp\U\000000cf.@
    C:\Windows\assembly\tmp\U\80000000.@
    C:\Windows\assembly\tmp\U\800000c0.@
    C:\Windows\assembly\tmp\U\800000cb.@
    C:\Windows\assembly\tmp\U\800000cf.@
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close notepad and attach this log from OTL to your next message.


    Now download and install:
    Microsoft Security Essentials

    Run it.

    Please also download MBRCheck to your desktop.

    See the download links under this icon [​IMG]

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  36. iivanita

    iivanita Private E-2

    the log otl
     

  37. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Attach the MBRCheck log and the new MGLogs.zip when you are done.
     
  38. iivanita

    iivanita Private E-2

    here is mbrc check

    The Microsoft found 2 trojans... Win64/Sirefef.Q and B
     

  39. iivanita

    iivanita Private E-2

    mglog
     

  40. iivanita

    iivanita Private E-2

    WOOOW :))))
    It's not redirecting now :))

    Could it be my PC is now free from all that bad stuff?.. viruses, malware, spyware and others....?

    What should I do now, to not get anything like that again? And is my PC safe now?.....

    :cool
     
  41. iivanita

    iivanita Private E-2

    I want to thank you all GUYS here... TimW, thank you so much!! I came here in such a miserable state...... and without any knowledge managed to follow your steps and fix these ugly viruses.... You are so so great!! And this page!..

    How can I do something in return? Buy some useful product for protection or donate? How does it work here?

    Also, if you need any info on Croatia, are planning a visit, need some help, tips, whatever.... pls contact me... :)
     
  42. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not quite done.

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :killallprocesses
    :otl
    :files
    C:\Windows\assembly\tmp\U
    C:\Windows\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close notepad and attach this log from OTL to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!

    Hopefully that will do it. ;)
     
  43. iivanita

    iivanita Private E-2

    Tim, you are a star :)... I think my PC works better now than before it was infected; it seems to be faster... and webpages are opening so quickly
     

  44. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet, looks good. :)

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  45. iivanita

    iivanita Private E-2

    :)))))))))) THAAAAAAAAAAAANK YOU so so much!!!....

    Pls tell me what would be best to do to repay somehow.... Do people donate to this site? Or to you?

    This taught me a lesson now, never to be without antivirus s.; I did not have it for 2 years.... or more :)
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note there are two more files from the Zero Access infection that should be deleted. You should be able to manually delete them now that the heart of the infection has been removed. See if you can delete the below two files:

    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb
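
Added example, not part of the thread or of any poster's instructions: a read-only PowerShell check that reports whether the Windows-folder paths named in the OTL fix scripts and in the post above still exist after cleanup. The function name `Test-ThreadArtifact` is hypothetical, and the script assumes PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example: read-only presence check. It deletes nothing.
# Run elevated so the Windows and ServiceProfiles folders can be read.

# Paths copied from the OTL scripts and the follow-up post in this thread.
$ThreadArtifacts = @(
    'C:\Windows\assembly\GAC_32\Desktop.ini'
    'C:\Windows\assembly\GAC_64\Desktop.ini'
    'C:\Windows\assembly\tmp\loader.tlb'
    'C:\Windows\assembly\tmp\U'
    'C:\Windows\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}'
    'C:\Windows\SysWOW64\drivers\iggaord.sys'
    'C:\Windows\SysWOW64\drivers\meguh.sys'
    'C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb'
    'C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D12}.tlb'
)

function Test-ThreadArtifact {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string[]]$Path)

    foreach ($p in $Path) {
        $state = 'Absent'
        $kind = ''
        $modified = $null
        try {
            # -LiteralPath: no wildcard interpretation of the path.
            # -Force: hidden and system items are returned too.
            $item = Get-Item -LiteralPath $p -Force -ErrorAction Stop
            $state = 'Present'
            $kind = if ($item.PSIsContainer) { 'Directory' } else { 'File' }
            $modified = $item.LastWriteTime
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            $state = 'Absent'
        }
        catch {
            # Access denied or similar: never report an unreadable path as clean.
            $state = 'Unknown: ' + $_.Exception.Message
        }
        [pscustomobject]@{
            State     = $state
            Kind      = $kind
            LastWrite = $modified
            Path      = $p
        }
    }
}

$results = Test-ThreadArtifact -Path $ThreadArtifacts
$results | Format-Table -AutoSize -Wrap

# Anything not positively absent needs a second look.
$left = @($results | Where-Object { $_.State -ne 'Absent' })
if ($left.Count -gt 0) {
    Write-Warning "$($left.Count) path(s) still present or unreadable."
} else {
    Write-Output 'None of the listed paths exist.'
}
```

An all-Absent result covers only these file paths; the scanner logs requested in the thread remain the check for everything else.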
     
  47. iivanita

    iivanita Private E-2

    I have done it :)))
    Now my computer is safe, right? :)

    THANK YOU GUYS!!! So much. I see you are busy now... many desperate people... but you are doing a great job!
     
  48. iivanita

    iivanita Private E-2

    Now I copied this into Run

    "%userprofile%\Desktop\combofix" /uninstall

    and ComboFix started to install.... and now I got this message warning to disable Microsoft Security Essentials.... What should I do pls?.. It was supposed to uninstall and it looks like installing to me.... It is on the desktop.
     
  49. iivanita

    iivanita Private E-2

    I suppose this %userprofile% should have been my name.... I did not notice it... I would like to stop ComboFix now... am afraid of that program.... Would it be best to shut it down in the middle of the process, or something else?
     
  50. iivanita

    iivanita Private E-2

    Aha, I uninstalled it; I read that this is the normal process.... It was a bit confusing to me, but all is safe :) Ignore the previous 2 posts.
    :-D
     
