Computer gone CRAZY...Help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by gkdockery, Nov 14, 2010.

  1. gkdockery

    gkdockery Private E-2

    My computer has been acting crazy for the past 2 weeks. I run Avira Antivirus and no infected files showed up. I ran AdAware and Super Anti-Spyware and Malwarebytes and they also said that there were no infected files. All of the above programs are up to date on definitions. My desktop items get changed around and I have to reboot several times a day because it freezes up on me. I have dial up and when I tried to download Avast Antivirus it takes 6 hours and I get disconnected before the download completes. I had Avast a couple of years ago but it said that most of the files on my computer were protected and were unable to be scanned so I got rid of it and got Avira instead. Tried AVG but it really messed up my computer until I got rid of it. I am unable to do a System Restore at ANY point. I checked and everything seems to be set/working properly with Restore except I always get the same message that my computer cannot be restored to an earlier point...so, something isn't right with it...

    Here is my Hijack This file. PLEASE, PLEASE help me. I ask that you make it simple. I'm not very good with computers but willing to learn.
     
    Last edited by a moderator: Nov 14, 2010
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the link below:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. gkdockery

    gkdockery Private E-2

    Ok...I did everything I was supposed to do and when I ran the SuperAnti-Spyware it picked up a Trojan
    Trojan.SystemDriver
    C:\Combofix\CREG.DAT

    SuperAnti-Spyware has it quarantined. What is my next step? How can I get rid of this?
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The next step would be to actually attach the logs from the scans you ran during the Read and Run me First. ;)
     
  5. gkdockery

    gkdockery Private E-2

    I know...I'm sorry. It takes so long to run the scans and when I do them I can't find the logs...here is the one from MalwareBytes



    I am doing the Combofix again and hopefully can find the log for it to send you. Each time I run that program it has to download something from Microsoft. I will send the results (if I can find the log) as soon as it finishes.
    Truly Sorry.
     

    Attached Files:

    Last edited by a moderator: Nov 15, 2010
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  7. gkdockery

    gkdockery Private E-2

    I got disconnected when replying to last post and don't know if you got this or not, but here is the log file for ComboFix. The problem I was having finding the log for this program was I was not waiting long enough....so sorry again! I appreciate your patience with me.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We still need the C:\MGLogs.zip --> from running the C:\MGTools.exe.
     
  9. gkdockery

    gkdockery Private E-2

    Log files for MGTools:
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What issues are you having, as I am not seeing any malware in those logs. You can remove a left over:

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
     
  11. gkdockery

    gkdockery Private E-2

    Ok, I will do as you said. My computer freezes up and items on my desktop are moved around and added/deleted. I recently was told my computer was locked and had to enter a password and NEVER had to do that in all of the years I have had my computer. Many times I could go from site to site and then I would get to the point that I had to re-boot to get anyplace. I have also been getting emails from people that I have never heard of (Facebook) with nude pics. I don't open them and report them but it is driving me crazy.
     
  12. gkdockery

    gkdockery Private E-2

    Ok, I did that but it didn't work...
    I got this message:

    Registry Editor:
    Cannot import C:\Documents and Settings\Owner\Desktop\fixME.reg:
    The specified file is not a registry script. You can only import binary registry files from within the registry editor.

    This is what I put on notepad...wasn't sure if I should put the things on each end...
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to put the entire script in notepad and then save it as type: all files.

    Just copy and paste what I wrote including the regedit line (note that there is a - sign in that script).

    Your other issues should probably be addressed in the software forum. We can't help you with spam coming from Facebook.
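The two mistakes in the exchange above (a .reg file saved without its header line, and not knowing what the "-" sign in the script does) are easy to check for before double-clicking a fix. The following is an added example, not code from the thread or from any tool it mentions: a small parser that reproduces regedit's header check and reads the deletion syntax. The sample scripts are constructed for the example; the only thing reused from the thread is the Browser Helper Object CLSID the poster pasted.

```python
"""Check a Windows .reg script before merging it with regedit.

Added example; this is not code from the thread or from any tool named in
it.  It models the two things the posts above turn on: regedit rejects a
file whose first line is not "Windows Registry Editor Version 5.00" (or the
older "REGEDIT4") with "The specified file is not a registry script", and
the '-' sign in a .reg script means deletion: "[-KEY]" removes a whole key,
'"name"=-' removes a single value.  The sample scripts are constructed for
the example; the Browser Helper Object CLSID is the one quoted in the thread.
"""
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.+)$')


def _logical_lines(text):
    """Yield lines with hex continuations (a trailing backslash) joined."""
    buf = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.rstrip("\r")
        buf = line if buf is None else buf + line.strip()
        if buf.rstrip().endswith("\\"):
            buf = buf.rstrip()[:-1]      # continuation: keep accumulating
            continue
        yield buf
        buf = None
    if buf is not None:
        yield buf


def is_registry_script(text):
    """True if the first line is a header regedit accepts (the poster's file had none)."""
    first = text.lstrip("\ufeff").split("\n", 1)[0].strip()
    return first in HEADERS


def parse_reg(text):
    """Parse a .reg script into (kind, key, name, data) tuples or raise ValueError.

    kind is set_key, delete_key, set_value or delete_value; name is None for
    the (Default) value written as '@'; data is None for deletions.
    """
    if not is_registry_script(text):
        raise ValueError("The specified file is not a registry script")
    ops, key = [], None
    for line in list(_logical_lines(text))[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            ops.append(("delete_key" if m.group(1) else "set_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = None if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2).strip()
            if data == "-":
                ops.append(("delete_value", key, name, None))
            else:
                ops.append(("set_value", key, name, data))
            continue
        raise ValueError(f"unparseable line: {line!r}")
    return ops


def describe(text):
    """One readable line per operation, for reviewing a fix before merging it."""
    words = {"set_key": "create/open key", "delete_key": "DELETE key",
             "set_value": "set value", "delete_value": "DELETE value"}
    out = []
    for kind, key, name, data in parse_reg(text):
        if kind.endswith("_key"):
            target = key
        else:
            target = f"{key} -> {name if name is not None else '(Default)'}"
        out.append(f"{words[kind]}: {target}" + (f" = {data}" if data is not None else ""))
    return out


# What the poster saved: a bare key line, no header.  regedit rejects this.
NO_HEADER = (
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
    "\\Browser Helper Objects\\{7E853D72-626A-48EC-A868-BA8D5E23E045}]\n"
)

# Constructed complete script: header first, a key deletion (the '-' after
# '['), then a value deletion ('=-') under a key that is opened, not deleted.
FIXME_REG = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[-HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
    "\\Browser Helper Objects\\{7E853D72-626A-48EC-A868-BA8D5E23E045}]\n"
    "\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]\n"
    "\"MaxConnectionsPerServer\"=-\n"
)

if __name__ == "__main__":
    print("bare key line accepted by regedit?", is_registry_script(NO_HEADER))
    for line in describe(FIXME_REG):
        print(line)
```

Running it on a fix you are about to merge lists every key and value the script will delete, which is the review step worth doing before clicking through regedit's "are you sure" prompt.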
     
  14. gkdockery

    gkdockery Private E-2

    Yay!!! That worked! Now what?
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So how did you resolve that problem? If you didn't create a password how did you know which one to put in?

    Anyway, run this and then we will see about wrapping up.

    Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.

    Next...

    Using ESET's Online Scanner
     
    Last edited: Nov 16, 2010
  16. gkdockery

    gkdockery Private E-2

    I shut the computer down and when it re-booted the message didn't return...until yesterday. After the message showed up the first time I checked my account in the Control Panel and saw that I had an option to have a password or have it removed. I chose to have it removed. Yesterday when it happened again I just left the password blank and clicked on OK and it opened right up. That's what I'm talking about. I have never had to do that in all of the years that I've had my computer...why now? Sometimes when I first turn on my computer in the morning I will have a new item on my desktop. For example, the other day when I turned it on I had "My Networks" on it and I have not had that on the desktop for a couple of years. It hasn't been doing anything crazy since I did all of those scans, at least so far. The ComboFix downloaded Microsoft Recovery Console. Is that why my System Restore didn't work? Also, do I leave the "trojan system driver" in quarantine in Super Antispyware or do I need to get rid of it? Sorry I confused you. I'm confused too.
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No. Nothing to do with it.

    It's not malware, it's part of combofix, so you can restore it or get rid of it, it does not matter. But it is not malware, SAS falsely detected it as being so due to the nature of the tool.

    No problem, just attach the new SAS log after re scanning with the updated version and then also the results from ESET. One of us will be here floating about.
     
  18. gkdockery

    gkdockery Private E-2

    Ok, here is the log from the updated SAS.
    It stated that I had 246 tracking cookies. I have NEVER had that many...most of the time a couple or so. Also as it was finishing the scan I had Avira Guard send this notice...
    "Avira Guard-Autorun Blocked
    Access to the file D:\autorun.inf.aug8 was blocked for your security"
     

    Attached Files:

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    One suggestion on the Avira forum is to disable "Block autostart function" in Avira
    • go to Avira's configuration
    • tick Expert Mode > Guard > Scan > Further actions
    • untick the "Block autostart function" option
    • click Apply
    • then install Panda USB Vaccine

    And what about the eset results?
     
  20. gkdockery

    gkdockery Private E-2

    Ok I took care of the Avira and working on the ESET. It is taking forever to download the signature database. I have had to re-start it 3 times and it is at 53% right now. I will let you know the results. I will start the Panda process asap. In the mean time I have had more weird things happen. I got a brand new shut down screen that I have never seen before and also a new Windows Logging off screen that was totally new.
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Alright, we will be here waiting. And it will be time for you to follow final steps soon anyway I think.
     
  22. gkdockery

    gkdockery Private E-2

    I have tried for 2 days to get the ESET scan completed. It stops downloading the components at 80% each time and then I have to re-boot and start over. It picks up at 50% and then back up to 80% and takes hours. In the meantime I used the Advanced System Care that I have installed on my computer and it listed over Nine Thousand security items that had been found on my computer. I am going to try one more time to get the ESET to work and will try to get the Panda scan for you. It's frustrating because I can't have my phone line tied up 24 hours a day and I know you all are trying to help me and I'm trying really hard to do what you ask...and appreciate your time and help.
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Forget ESET. Tell me the exact files, and file paths of the threats being found by ASC.
     
  24. gkdockery

    gkdockery Private E-2

    Here is the log for the Advanced System Care. I also took your advice and gave up on the ESET scan. I did get the Panda USB Vaccine and it seems to be working. My computer seems to be a little more stable. I am still using Avira Free Version and would love to know your recommendations for a dependable Antivirus that doesn't hog up all of my resources on this slow computer. Avira Free is good but I don't know how effective it is right now.
     
  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It didn't attach. Try again.
     
  26. gkdockery

    gkdockery Private E-2

    The upload keeps failing....Maybe the file is too large??
    Here is an example of what is on the log file.
    About 1/2 of them are these type...
    Windows Registry Editor Version 5.00
    //11/18/2010 15:50:50
    //9604
    [HKEY_CURRENT_USER\Control Panel\Desktop]
    "UserPreferencesMask"=hex:10,20,01,80
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\]
    "Start"=dword:3
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc\]
    "Start"=dword:2
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\]
    "Start"=dword:3
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\]
    "MaxConnectionsPerServer"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\]
    "MaxConnectionsPer1_0Server"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-5eb9-11d5-9d45-009027c14662}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{0000001D-BA9B-11D2-BDF1-0090272A6D78}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{0000026A-8230-4DD4-BE4F-6889D1E74167}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatib


    And the rest are this type:

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\webtrendslive.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\wegcash.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\wegcash.net]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\wfix.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\wflu.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\X10.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\xxxcounter.com]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\xxxtoolbar.com]



    What should I do now? Keep trying to upload??
     
  27. gkdockery

    gkdockery Private E-2

    It keeps telling me that the file is too large. I tried to break it down into 2 parts and it is still too large.
     
  28. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You sure that was from logs from Advanced system care?

    Either way, I am going to give you final steps to follow now. Any remaining problems will have to be further discussed in the software forum. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  29. gkdockery

    gkdockery Private E-2

    Yes, I am absolutely sure that the log came from the scan with Advanced System Care. I usually only have a couple of issues with each scan but I had over 9 thousand on that particular scan.
    Anyway, I did everything you asked me to do. I plan to download another firewall as suggested.
    I still have problems with my computer. After I re-boot I have no problems whatsoever. Runs smooth as silk. Then when I disconnect I can not do anything else until I re-boot again. I am sending you some pics of things that happen. When I try to dial up again I get weird messages. One was that my password was unable to be deleted...I wasn't trying to delete it. When I try to use Task Manager to shut down I can't...eventually have to just manually shut it down and reboot. I don't know what to do. I would appreciate anything you could do to help me. When I got this computer I got a Vista upgrade disk. (Using the XP that came installed on the computer). I never did install it in fear that my computer would crash, or that a lot of my software would not be compatible with Vista. Do you think if I installed it all of my problems would be fixed or I would have a whole new list of headaches?
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What you posted was a registry patch of some type. It is not a log from a scan. Maybe Advanced System Care is showing you its proposed fix but you should not run it since it is clearly wrong. The items being detected are valid. For example the below is one of many items put on your PC by a program like Spybot ( or similar ) to stop you from going to that URL:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\webtrendslive.com

    Also the activex settings were added by SpywareBlaster or similar. The value in the registry key is what is important. Advanced System Care is not looking at the values and is therefore falsely declaring it to be a problem when it is not. I suggest that you uninstall Advanced System Care since it has these problems which have never been corrected.

    And other settings are things you changed.
     
    Last edited: Nov 23, 2010
  31. gkdockery

    gkdockery Private E-2

    Ok, I went back to Advanced System Care and put back everything that it detected with that scan. Maybe that will help. I hope I didn't appear to be cranky with you. Not my intention. You all are trying to help me and I am very thankful.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now let's just take a look at something to be sure. ( I really cannot believe the ASC would still have a problem with false detections of Spybot and SpywareBlaster entries). Run the Windows Registry editor and navigate to the below key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\webtrendslive.com

    Once you select the above key, tell me what you see for the default value.

    Also do the same for the below key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-5eb9-11d5-9d45-009027c14662}
     
  33. gkdockery

    gkdockery Private E-2

    Ok, I checked and when I looked for the first item there was no webtrendslive.com

    When I checked the second item it went as far as the 00000000 but there was no 5eb9-11d5-9d45-009027c14662}
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then it sounds like they were already deleted by Advanced System Care.

    If you have installed Spybot and SpywareBlaster per the How to protect yourself from malware link, you should rerun Spybot and reimmunize. Also run SpywareBlaster and re-enable all protection. Make sure you then update each program and again re-immunize with Spybot and enable all protection in SpywareBlaster.
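The point chaslang makes in the last few posts is that the cleaner was judging keys by name when what matters is their values: a kill bit under ActiveX Compatibility and a per-site block rule under P3P\History are protections, not leftovers. The following is an added example, not code from the thread or from Advanced SystemCare, Spybot or SpywareBlaster, showing how a deletion list like the one the poster pasted can be reviewed against the actual values before anything is removed. The registry snapshot is constructed for the example (key names borrowed from the thread, the data made up); the `snapshot_from_winreg` helper is how you would fill it on a real Windows machine.

```python
"""Decide whether a proposed registry deletion would remove a protection entry.

Added example; this is not code from the thread or from Advanced SystemCare,
Spybot or SpywareBlaster.  It implements the check chaslang describes: the
two key families the cleaner wanted to delete are immunisation entries, and
it is their values that matter, which a cleaner that only looks at key
names cannot see.

  * HKLM\\Software\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID}
    with "Compatibility Flags" = 0x400 is a kill bit: IE will not load that
    control.  This is what SpywareBlaster writes.
  * HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\P3P\\History\\<domain>
    with (Default) = 5 is IE's per-site "always block cookies" rule (1 is
    "always allow").  This is what Spybot's immunise writes.

The registry snapshot below is constructed for the example.  On a real
machine, build it with snapshot_from_winreg() (Windows only) or from a
"reg export" before accepting any deletion.
"""
ACTIVEX_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer"
                  "\\ActiveX Compatibility\\")
P3P_PREFIX = ("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
              "\\Internet Settings\\P3P\\History\\")
KILL_BIT = 0x400               # Compatibility Flags bit that blocks the control
P3P_BLOCK, P3P_ALLOW = 5, 1    # IE per-site cookie rule stored in (Default)


def review_deletion(key, snapshot):
    """Return (verdict, reason) for deleting `key`.

    snapshot: {key_path: {value_name: data}}, with "" naming the (Default)
    value.  verdict is "keep" (a protection entry), "delete" (nothing
    protective found) or "absent" (already gone, as the poster found).
    """
    values = snapshot.get(key)
    if values is None:
        return "absent", "key does not exist"
    lower = key.lower()
    if lower.startswith(ACTIVEX_PREFIX.lower()):
        flags = values.get("Compatibility Flags")
        if isinstance(flags, int) and flags & KILL_BIT:
            return "keep", (f"kill bit set (Compatibility Flags=0x{flags:x}); "
                            "deleting the key re-enables the control")
        return "delete", "ActiveX Compatibility entry without the kill bit"
    if lower.startswith(P3P_PREFIX.lower()):
        rule = values.get("")
        if rule == P3P_BLOCK:
            return "keep", "per-site cookie rule is 'always block'"
        if rule == P3P_ALLOW:
            return "delete", "per-site cookie rule is 'always allow' (not a protection)"
        return "delete", f"unrecognised P3P rule {rule!r}"
    return "delete", "not a known immunisation key; review manually"


def review_script_keys(keys, snapshot):
    """Review every key a cleaner proposes to delete: {key: (verdict, reason)}."""
    return {k: review_deletion(k, snapshot) for k in keys}


def snapshot_from_winreg(keys):
    """Windows only: read the real values for `keys`; {} on other hosts."""
    try:
        import winreg
    except ImportError:
        return {}
    roots = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    snap = {}
    for key in keys:
        root, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as h:
                vals, i = {}, 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(h, i)
                    except OSError:
                        break
                    vals[name] = data
                    i += 1
                snap[key] = vals
        except OSError:
            pass   # key absent: review_deletion reports "absent"
    return snap


# Constructed snapshot: one kill-bitted control and one blocked domain (key
# names from the thread, data made up), one allowed domain, and nothing for
# the two keys the poster could not find in regedit.
KILLED_CLSID = ACTIVEX_PREFIX + "{0000001D-BA9B-11D2-BDF1-0090272A6D78}"
SNAPSHOT = {
    KILLED_CLSID: {"Compatibility Flags": KILL_BIT},
    P3P_PREFIX + "wegcash.com": {"": P3P_BLOCK},
    P3P_PREFIX + "example.com": {"": P3P_ALLOW},
}
PROPOSED = [
    KILLED_CLSID,
    ACTIVEX_PREFIX + "{00000000-5eb9-11d5-9d45-009027c14662}",   # absent
    P3P_PREFIX + "wegcash.com",
    P3P_PREFIX + "example.com",
    P3P_PREFIX + "webtrendslive.com",                             # absent
]

if __name__ == "__main__":
    for key, (verdict, reason) in review_script_keys(PROPOSED, SNAPSHOT).items():
        print(f"{verdict:7} {key}\n        {reason}")
```

Feed it the key list from a cleaner's proposed .reg patch and a snapshot of the live registry: anything that comes back "keep" is an immunisation entry the cleaner misread, and anything "absent" has already been removed, which is the state the poster found and the reason to re-run the immunisation afterwards.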
     
  35. gkdockery

    gkdockery Private E-2

    Ok, I will download Spybot and SpywareBlaster again and do as you say. I have SuperAntispyware and Malwarebytes installed so I got rid of the other programs. I am thinking that my problems were all associated with Advanced System Care. Since I restored all of the items it had detected on the last 2 scans and uninstalled that program I haven't had one bad thing happen to my computer...not one!! I am cautiously optimistic that maybe it is fixed....I also did a scan with SuperAntispyware and it picked up 7 items and it fixed them. Maybe it was the program that got rid of the 2 items you asked me about.
    If you have any more suggestions for me about what to run or have installed on my computer I would truly appreciate it.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Just what is suggested in the How to protect yourself from malware link.

    I also suggest that you run the below AVG removal tool since you had left overs from AVG in your logs.

    AVG Remover(32bit) 2011
    (avg_remover_stf_x86_2011_1165.exe)
     
