Help!

All of my antiviruses have shut down and will not update. The combofix will not even run even when i rename it. I would appreciate any suggestions you might have..Thanks so much!

 

If any of the scans will not run or download move on to the next one and let me know what happened like if there were any errors or if they just wouldn't download or run.

Try not to restart the computer until one of the tools we use does it for you or tells you to.

If one of the tools will not run just go on to the next one. Save the logs to post in your next reply.

1) Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the next one.

Vista and Windows 7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* When finished it will create a log.
* Please post the rkill.log in the next reply.

* If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.


Once you've gotten one of them to run then try to immediately run the following.


2) Download and run exeHelper

* Please download exeHelper from Raktor to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
* Add the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



If you already have them installed, be sure to update Malwarebytes and SUPERAntiSpyware before the scan!

Now run this: Using Malwarebytes Anti-Malware

Now run this: SUPERAntiSpyware - running & getting a log

Now run this: Using MGtools

Logs needed:

• Rkill
• exeHelper
• Malwarebytes
• SUPERAntiSpyware
• MGlogs

 

Hi,

I cannot even get to the download page for Rkill...??? I have tried all of the links.

Pam

 

Here is my log file for rkill

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as David Reedy on 03/07/2010 at 12:55:33.


Processes terminated by Rkill or while it was running:


C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\David Reedy\Desktop\rkill.com


Rkill completed on 03/07/2010 at 12:55:39.

 

Here is my exehelper.exe report

exeHelper by Raktor
Build 20091220
Run at 12:58:39 on 03/07/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

 

Try to keep going with the rest.

 

Here is my malwarebytes scan

 

trying to attach the MG Tools report? It is a zipped file

 

Here is the MGTools report

 

Yes you must attach all logs. HOW TO: Attach Items To Your Post

 

Here is my exe file

 

Here is my malawarebytes log

 

I think I have all of them uploaded now. I had the aleuron rootkit virus when MS did an update (which really wasn't an update). I had a rolling reboot, then had to go into Microsoft Recovery Console and delete the updates that way...Everything seemed fine as I could get on the computer again. My browser was continually being redirected, unsure if I cured that still appears to be doing it. Downloaded hitman pro 3.5 and it seemed to get rid of it? But it could still be lying about. Atleast my system is able to update anti virus programs now, but it is really running slower than normal.

I really appreciate all of your help!! I am still debating to throw this computer out to the sharks in the water!! LOL

 

You can slow down now. You have posted everything I need for now. It will take me a few minutes to go through all of the logs and work up a new reply.

 

Thank you

 

1. Close all open Web browsers.
2. From the Start menu in Windows select Control Panel.
3. Select Add or Remove Programs.
4. Uninstall any of the following programs associated with Ask.com: (the names may be slightly different)

- Ask.com
- Ask Bar
- Ask Desktop Search
- Ask Search
- Ask Toolbar
- Ask Jeeves

5. Click Change/Remove for each and uninstall all found.




Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

• R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
• O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

After clicking Fix checked, exit HijackThis.




Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.



Update your Java. Updating Sun Java



If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix



Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Attach the new C:\MGlogs.zip file that will be created.



Next post please add the ComboFix log, new MGtools log and also post the SUPERAntiSpyware log.

C:\Documents and Settings\David Reedy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\supera~3.log Mar 7 2010 559 "SUPERAntiSpyware Scan Log - 03-07-2010 - 12-12-39.log"

 

Ok thank you I have to print your post to know what steps to follow before i close my browser.

 

I do not see any ask files?

 

Run this.

Ask Toolbar Remover 1.3:
A program that is able to remove the Ask toolbar (plus all the debris) and set the homepage back to the one the user wants to.
More info here. Download here

 

COmboFix appears that it is running; however, nothing happens...Have disabled by resident shielf in avg?>?

 

Does it start or does nothing happen at all?

 

Here is my combofix log

 

Still need the other two logs. You can save them and post them all at the same time.

 

MG Tools log

 

You are using both the AVG Security Toolbar and the Crawler Toolbar with Web Security Guard. I suggest uninstalling the Crawler Toolbar with Web Security Guard and using only the AVG Security Toolbar.

After uninstalling delete the Crawler folder found in C:\Program Files\Crawler


1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:

KillAll::

Driver::
rk_remover

File::
c:\windows\system32\drivers\rk_remover.sys
C:\WINDOWS\system32\drivers\tsk3E.tmp
C:\WINDOWS\system32\drivers\tsk41.tmp
C:\WINDOWS\system32\drivers\tsk44.tmp
C:\WINDOWS\system32\drivers\tsk47.tmp
C:\WINDOWS\system32\drivers\tsk81.tmp
C:\WINDOWS\system32\drivers\tsk84.tmp
C:\WINDOWS\system32\drivers\tskA1.tmp
C:\WINDOWS\system32\drivers\tskA4.tmp

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared  Tools\MSConfig\startupreg\KernelFaultCheck]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

http://img249.imageshack.us/img249/1218/cfscript1.gif

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze


Also let me know how the computer is running now.