Hijacked computer

If you are really sure that you cannot run any of our procedures even in safe boot and even after renaming the programs as suggested, then you will have to format and reinstall. I suggest that you first use the below suggestions as a guide to trying to get some steps completed because in many cases people stop before trying all steps and we clearly stated that you need to try all steps.


Please follow the instructions in the READ & RUN ME FIRST link given futher down and attach the requested logs when you finish these instructions.

• If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
  • TDSSserv Non-Plug & Play Driver Disable
• If something does not run, write down the info to explain to us later but keep on going.
• Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide

• After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
   
   • Starting your computer in Safe mode
2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
3. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
   • Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
​

 

We did not ask you to run anything from Comodo. You need to download and run ComboFix as requested. I do not see combofix.exe on your Desktop which means you did not follow the instructions we gave for it. You need to run this now and attach the log from ComboFix not Comodo.

This may not even be a malware problem.

Did you really mean to say explorer was crashing above?? Or did you mean Internet Explorer which is your browser that is used for downloading? Explorer is not the same thing as Internet Explorer.

What do you with crazy extensions added? Give an exact example.

We don't need it. It of no use to us. The log from MGtools is a thousand times more comprehensive.

It looks like you recently installed all of the below:
Avast
Comodo BoClean
PC Tools Firewall
PC Tools ThreatFire
WinPatrol

It would be a good idea to uninstall PC Tools Firewall Plus 5.0 right now which is probably what also installed Threatfire. Also uninstall Comodo BOClean and WinPatrol. I want you to uninstall all of these to make sure that they are not causing any of your problems. They are not malware but installing to many things in a short period of time can sometimes lead to unexpected behavior.

Also it looks like you had AVG8 installed. It did not cleanup after itself completely. What is the below that I see in your logs?
Junk that will not un install AVG 8.5


Please also attach the below earlier logs from SUPERAntiSpyware. I want to see what was removed.

Code:

"C:\Users\Karen\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
Apr 23 2009    2299  "SUPERAntiSpyware Scan Log - 04-23-2009 - 22-02-41.log"
Apr 27 2009    1211  "SUPERAntiSpyware Scan Log - 04-27-2009 - 16-31-41.log" 

 

Are you saying you gave it back with no protection on it as I asked you to uninstall all the clutter that was being cause by someone randomly installing way too many programs.

Even after my previous message, I see even more things we did not ask to be run were run. I see new folders from all of the below:

Code:

2009-05-01 23:19 . 2009-05-01 23:19 -------- d-----w c:\program files\Trend Micro
2009-05-01 04:35 . 2009-05-01 04:35 -------- d-----w c:\users\Guest\DoctorWeb
2009-05-01 01:00 . 2009-05-01 01:00 -------- d-----w c:\program files\VirusSecureLab
2009-04-30 23:58 . 2009-05-02 00:08 -------- d-----w c:\program files\Windows Live Safety Center

The READ & RUN ME specifically states that once you start this cleaning process, you must only do what we ask you to do and nothing else. When you continue to do other things you make our jobs impossible because you keep changing the conditions. Even now, I have no idea what is now installed, what got uninstall properly and what did not get uninstalled properly. I don't even know if you still have the PC to work on or if the owner took it back and has installed even more stuff on their own.

Installing too many security programs at the same time will frequently cause problems like this since they are all falling over each other. Hard fast rule is NEVER install another AV or firewall while another is still installed. Also if the first has not been properly uninstall (i.e., the uninstall was really not complete) you still must not install the next program. All of the first program needs to be cleaned up first.

Bad idea! It does not stop it from running. It makes it impossible to uninstall because the proper registry entry no longer exists. And it makes it look like a malware entry in the registry.

We recommend avoiding registry cleaning of any kind unless an expert has recommended that you run one and do specific things with it.

There is no such program. I assume you meant Spybot Search & Destroy? We also did not ask for this to be installed.

Since now do not know that actual status of the PC, it is difficult to continue so I will give you some instructions below which are all non-malware related. They are just steps towards getting all of the excess applications properly removed. However before doing any of the instructions further down, you must make sure that you have attempted to uninstall all of the below:

• Advanced SystemCare 3
• avast! Antivirus
• BOClean
• DoctorWeb
• PC Tools Firewall Plus 5.0
• Windows Live Safety Center
• WinPatrol 2009
• Also whatever you installed from Trend Micro, please uninstall it.
• Also disable Spybot's Teatimer that I saw running as it will get in the way. See this: How to disable Spybot's TeaTimer

Once you have completed ALL of the above, run the below.


Now we need to use ComboFix again.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run Ccleaner to clean out only temp files and nothing else!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You're welcome.

Yes! Give them the link to the forum and have them signup for a login. Then let them work thru the procedures to learn from them. It would be a good lesson on why you don't want to get infected and want your PC properly protected.

Just attach those logs when you get them but please do note that my instructions actually were uninstalling everything to get things straightened out. If you don't uninstall things, the ComboFix procedure will break any of those protection programs still installed since I'm forcing and files and folders left over from them to be removed by ComboFix.