How do I fix a computer offline?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by d_n_kuhn, Oct 6, 2007.

  1. d_n_kuhn

    d_n_kuhn Private E-2

    Hello, This is my first post. My daughter's computer has some kind of malware that prevents me from getting on to the Internet. It goes to some security website (Udefender.com is one of them) and if I try to go to another website it puts Internet Explorer offline. Reconnecting just drives it back to the original website as the home page for Internet Explorer is reset to that, no matter what I do. So, I took the computer offline and using this computer, started to work my way through the ReadThis Before Asking file, but it has been tough. I couldn't run Spybots because it wants to have the files updated and I'm not on the Internet. I'm running CounterSpy now, but it is so slow because the malware is constantly popping up boxes (Windows Security Alert, Work Offline) and I've noticed that at times, the performance goes to 100% CPU usage and then everything just about stops. CounterSpy has been running for 45 minutes and has only scanned 25000 files. It wasn't too happy about not having an Internet connection either. What can I do to get rid of this thing so I can connect her computer back to the Internet?

    David
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please stop whatever you are doing right now (even though it is the READ & RUN ME) and get the below ComboFix.exe file on to your daughter's PC and run the procedure given.

    Download this file - combofix.exe
    1. Double click combofix.exe & follow the prompts.
    2. When finished, it will produce a log ( C:\combofix.txt ) for you. Attach this log to your next reply. See: HOW TO: Attach Items To Your Post
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Are things any better now? If yes, see if you can continue with the READ & RUN ME.
     
  3. d_n_kuhn

    d_n_kuhn Private E-2

    Wow, that took way longer than 10 minutes! Some of the icons from the bogus security programs have been removed and I haven't seen a popup yet. I'll see if I can get SpyBots to run now. I've attached the log.
     

    Attached Files: log.txt (10.2 KB)
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that definitely removed part of your SmitFraud problem, but there could be more to do. Let me know if you can now run thru the READ & RUN ME.
     
  5. d_n_kuhn

    d_n_kuhn Private E-2

    Chaslang,
    I moved my daughter's computer out of her room so I could put it next to mine. I can't seem to get her computer to recognize the wireless connection, so I'll have to move it back to her room. That's about it for tonight. Spybot won't run without the updates and all of this will be easier if I can get to the Internet on her computer. Thanks so much. I lived in Ridgewood for awhile and my sister and mother live in Summit. I've been thinking a lot about Ridgewood as it's my 40 year high school reunion.
     
  6. d_n_kuhn

    d_n_kuhn Private E-2

    OK, moved my daughter's computer back to her room. Reinstalled the software so her computer could get to the Internet through our wireless network. Updated SpyBot Search and Destroy and CounterSpy after making a connection with the Internet. Rebooted in Safe Mode and ran SpyBot S&D. It found an ALEXA object and deleted it. I couldn't figure out how to get a log from SpyBot. Ran CounterSpy. It runs differently in Safe Mode on her computer, there's no tool bar. It found 24 cookies. I tried several times to get it to quarantine the cookies, but it wouldn't. It only removed them (I guess). Since there was no tool bar, I couldn't get a CounterSpy log, although I suppose I could get one if I ran it under normal boot. You tell me.

    Restarted her computer in Safe Mode with Networking. That didn't seem to work out as the computer never went into safe mode, it rebooted into normal mode. When I started Internet Explorer, it tried to go to ucleaner.com, the old site that started this problem. I closed it and it hasn't returned. The firewall found that a program c:\Program Files\HP....\hpqtra08.exe was trying to connect to 208.174.87.25 Port 80. I blocked it, but noticed later when I was trying to print that I couldn't from my HP printer. Does the printer need to contact the Internet to print?

    I keep getting a Virtual Memory Minimum Too Low error message. Is this real or some part of the malware?

    I ran Bitdefender and have attached the log. Bitdefender said it couldn't update the virus definition files, but I went ahead and scanned anyway. Bitdefender found one Trojan:Downloader which it deleted.

    I don't know what was up with PandaActiveScan, but I couldn't make it work on my daughter's computer or my laptop.

    Finally, I couldn't get through to majorgeeks forums on my daughter's computer, so I copied the log files to my computer and have attached them.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Cookies are not problems so don't concern yourself with them.

    Please uninstall this CounterSpy trial now since we are finished with it.

    No, your printer does not need internet access to print, but is your printer a network printer or is it connected directly to the PC that you are trying to print from?

    hpqtra08.exe is installed alongside the drivers for Hewlett Packard Imaging devices and installs an easy-to-use traybar icon for quick access to diagnostics. This is a non-essential process. Disabling or enabling it is down to user preference.


    This is not a malware problem. You may need to adjust the size of Virtual Memory. The way to do this is:

    • Click Start
    • Select Control Panel
    • System
    • Advanced tab
    • Settings button
    • then Advanced tab again
    • At the bottom of that page you will see Virtual Memory
    • Click the Change button
    • On the next page, do you have the System managed size button checked?
    • If not, what are your Custom size settings and how much RAM do you have in your PC?
    Which antivirus do you believe you are supposed to be using? I see signs of multiple AV's. I see:
    • CA Internet Security - I expect this is what you use
    • McAfee - I expect this was uninstalled but not completely
    • Avast - I expect this was uninstalled but not completely
    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now attach new logs from:
    1. GetRunKey
    2. ShowNew
    3. HijackThis
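    The Virtual Memory steps above walk through the Windows dialog by hand. As an added example (not part of chaslang's post or of MajorGeeks' own tools), the PowerShell below reads the same information the dialog shows, whether the page file is system managed, the current Initial/Maximum sizes, and installed RAM, and flags an Initial size below the 1.5 x RAM figure the dialog's "Recommended" line is based on. It assumes a Windows host with PowerShell 3 or later and the CIM cmdlets; the Win2K/XP machine in this thread predates both, so there it remains a manual check.

```powershell
# Added example: report page-file settings and compare them with installed RAM.
# Assumes PowerShell 3+ on a Windows host (Get-CimInstance, Win32_* classes).

function Test-PageFileSize {
    # Pure check so the rule can be applied to numbers typed in from another PC:
    # the Virtual Memory dialog recommends an Initial size of about 1.5 x RAM.
    param(
        [Parameter(Mandatory)][int]$RamMB,
        [Parameter(Mandatory)][int]$InitialMB,
        [Parameter(Mandatory)][int]$MaximumMB
    )
    $recommended = [math]::Round($RamMB * 1.5)
    [pscustomobject]@{
        RamMB         = $RamMB
        InitialMB     = $InitialMB
        MaximumMB     = $MaximumMB
        RecommendedMB = $recommended
        # Verdict mirrors the dialog: Initial below ~1.5 x RAM triggers the
        # "virtual memory minimum too low" style warning under load.
        Verdict       = if ($InitialMB -lt $recommended) { 'Initial size below recommended' }
                        elseif ($MaximumMB -lt $InitialMB) { 'Maximum smaller than Initial' }
                        else { 'OK' }
    }
}

function Get-PageFileReport {
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $ramMB = [int][math]::Round($cs.TotalPhysicalMemory / 1MB)

    # Win32_PageFileSetting is empty when Windows manages the page file itself
    # (the "System managed size" radio button in the dialog).
    $settings = Get-CimInstance -ClassName Win32_PageFileSetting
    if ($cs.AutomaticManagedPagefile -or -not $settings) {
        Write-Output "RAM: $ramMB MB; page file is system managed, nothing to adjust."
        return
    }

    $usage = Get-CimInstance -ClassName Win32_PageFileUsage
    foreach ($s in $settings) {
        $current = ($usage | Where-Object Name -eq $s.Name).AllocatedBaseSize
        $result  = Test-PageFileSize -RamMB $ramMB -InitialMB $s.InitialSize -MaximumMB $s.MaximumSize
        Write-Output ("{0}: Initial {1} MB, Maximum {2} MB, currently allocated {3} MB -> {4} (recommended Initial {5} MB)" -f
            $s.Name, $result.InitialMB, $result.MaximumMB, $current, $result.Verdict, $result.RecommendedMB)
    }
}

# Worked check with the numbers posted later in this thread (130,352 KB of RAM,
# page file 192-384 MB): 127 MB x 1.5 = 191 MB, so 192 MB Initial is just above
# the recommended line, which is why the dialog reported "Recommended: 190 MB".
Test-PageFileSize -RamMB 127 -InitialMB 192 -MaximumMB 384

# Live report for the machine the script is run on.
Get-PageFileReport
```

    The pure function is separated from the CIM lookup so the rule can be applied to values read off another machine's dialog, which is how the numbers travelled in this thread (copied by hand from the Win2K box to the one with Internet access).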
     
  8. d_n_kuhn

    d_n_kuhn Private E-2

    Hi, Thanks for the help and pardon my "bump".

    Answers to the questions in your previous e-mail.

    Virtual Memory is low problem.

    Virtual memory: Current settings: Paging file size 192-384 MB
    Amount of RAM in computer: 130,352 Kb. (It's my wife's old computer and we can add RAM if that is an issue.)
    Total paging size for all drives:
    Minimum allowed: 2 MB
    Recommended: 190 MB
    Currently allowed: 205 MB

    Current Registry size: 24 MB
    Max size: 35 MB

    There was no system managed button.

    Under the Performance Options: It was optimized for Applications not for Background Services.

    Uninstalling McAfee and Avast problem.

    I had McAfee but couldn't completely uninstall it. The new CA Internet Security that I had a license for wouldn't install Anti-Virus because it detected McAfee. I installed Avast just to have an anti-virus program to do a scan early in the nightmare. I have uninstalled Avast (and CounterSpy) as advised. I actually uninstalled CA Internet Security and reinstalled it. It reinstalled with Anti-Virus this time and I ran a scan and it found 2 viruses in qoobox, which I don't recognize but it may be a part of ComboFix (thank you very much for ComboFix!).

    I took the file that you sent to merge into the registry and did that. It got rid of the McAfee install error (although I saw a mention of McAfee in the HijackThis log).
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry! I forgot you had Win2K. I gave you instructions for Virtual Memory on WinXP.

    In reality, you do not have enough RAM to run CA Internet Security and your PC may be too slow too (but I don't know that for sure since we did not discuss processor speed). Simply put, I would recommend against using this or any other internet security suite because they are all massive resource hogs that will slow your PC down. You can bump up your Initial and Maximum page sizes (double or triple both) but you still don't have even the minimum amount of RAM recommended by CA. You really should consider uninstalling this and using some of the free tools we have available.

    Yes that folder is just a backup from ComboFix.



    We have more junk from McAfee to remove.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to McAfee Task Scheduler
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • McAfee SecurityCenter Update Manager
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste McTskshd.exe into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • mcupdmgr.exe
    • Now exit HJT and reboot when it tells you it needs to.
    After reboot, attach a new HJT log.
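    The services.msc and HijackThis "Delete an NT Service" steps above do three things per leftover service: stop it, set its Start-up Type to Disabled, and remove its registration. As an added example that is not part of chaslang's post or of HijackThis, the PowerShell below performs the same three steps from the command line, looking the service up by the display name shown in services.msc, printing its binary path so the operator can confirm it really belongs to the uninstalled product before anything is deleted, and skipping names that do not exist (the "if you do not find them, just continue" case). It assumes PowerShell 3 or later run from an elevated prompt on a Windows host; the Win2K machine in this thread has neither, which is why the GUI route was given.

```powershell
# Added example: stop, disable and unregister a leftover service by display name.
# Assumes an elevated PowerShell 3+ session; sc.exe does the final removal.

function Remove-LeftoverService {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [switch]$WhatIf   # list what would happen without changing anything
    )
    # Win32_Service exposes the binary path, which services.msc only shows in Properties.
    $filter = "DisplayName='{0}'" -f ($DisplayName -replace "'", "''")
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter
    if (-not $svc) {
        Write-Output "'$DisplayName' not found; skipping."
        return
    }
    Write-Output ("{0}: service name '{1}', state {2}, start mode {3}, path {4}" -f
        $DisplayName, $svc.Name, $svc.State, $svc.StartMode, $svc.PathName)
    if ($WhatIf) { return }

    # Step 1: stop it (ignore errors if it is already stopped or cannot stop).
    if ($svc.State -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    }
    # Step 2: Start-up Type -> Disabled, so it cannot come back on the next boot.
    Set-Service -Name $svc.Name -StartupType Disabled
    # Step 3: remove the registration. If the service still holds handles,
    # Windows marks it for deletion and finishes on reboot, matching the
    # "reboot when it tells you it needs to" step in the thread.
    & sc.exe delete $svc.Name | Out-Null
    Write-Output "'$DisplayName' stopped, disabled and marked for deletion."
}

# The two McAfee services named in this thread; run with -WhatIf first to
# confirm the paths point into the McAfee program folder before removing.
$leftovers = 'McAfee Task Scheduler', 'McAfee SecurityCenter Update Manager'
foreach ($name in $leftovers) { Remove-LeftoverService -DisplayName $name -WhatIf }
# After reviewing the output, repeat without -WhatIf:
# foreach ($name in $leftovers) { Remove-LeftoverService -DisplayName $name }
```

    The dry run matters: a half-removed suite can leave services whose display names look generic, and deleting a service that still belongs to something in use is not reversible short of reinstalling it.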
     
  10. d_n_kuhn

    d_n_kuhn Private E-2

    I only loaded CA Internet Security Suite because we had it. I was surprised when the anti-virus loaded, even though there wasn't enough RAM. Any suggestions for free security programs? I already have SpyBot, I could reload avast.

    I ran services.msc. I ran HijackThis (just open the program) but it never asked to reboot. I did reboot anyway and everything has been very slow since. It took forever to get to Major Geeks forum, but that could just be the firewall. I have attached the most recent HijackThis log.

    Thanks again for all your help.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    CA is bringing your PC to its knees. Uninstall it and use the free tools mentioned in step 11 of my final instructions given below. Remember only 1 antivirus, 1 realtime antispyware (you will see what is meant when you read this) and 1 firewall.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  12. d_n_kuhn

    d_n_kuhn Private E-2

    Hi, I removed the combofix files and the CA Internet Security Suite. The answer to a previous question about computer speed is 800 MHz. I wanted to change the user profiles so that my daughter couldn't log in as an administrator. I deleted the administrator profile that I had done all the computer cleaning in (like an idiot) and created a regular user file for my daughter. I could log in to that file but there was no wall paper or Start menu, just a blue screen. When I went to Task Manager, there were no applications running. Not quite sure about that. Is there any way to recover a user profile that has been deleted? All the files in Documents are still there, including the desktop where I had CCleaner and some other stuff. If I could recover that old profile, I could just change the password, so she couldn't log in. But why is there no Start menu for her account (regular user account)? I was hoping this would be my last post and I could thank you profusely for all your help. Now I have to ask for a little more, although this isn't really malware removal. I did load on avast, a squared, comodo and a spyware program which I just noticed didn't show up with an icon on my new administrative account desktop. When I see the problems others are having with their computers, I'm sobered by how relatively easy I got off. Let's hope I can fix these little problems in time for my daughter to finish her Hispanic Heritage project on Puerto Rico.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    On the very slow side in this day and age but should be okay for Win2K. You should add as much RAM as possible though.

    All you had to do was change your daughter's account type. Do you mean you deleted the user account name Administrator that only shows in safe boot mode?


    You mean user account not file. What account do you mean? Your daughters?

    No!

    You need to clarify exactly what you have done. I'm not following you. Did you delete your daughter's user account or did you delete some other account with administrator privileges? If you deleted your daughter's, it is gone. You should backup all files for that user account and then you could try just creating the same user account again. It will not have everything that was in the old account since the registry files were most likely removed, so you may need to reinstall various things she needs.

    I reemphasize to make sure you make backups of her files so that nothing is lost while trying to get a new user account created.
     
