oh dear sooo many problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by mazza, May 8, 2008.

  1. mazza

    mazza Private E-2

    I have been on a few sites before with problems and did everything they said but my system is still not working right.

    I have also gone through their preliminary remove malware post and did all in that.

    For some reason the remove programs in add/remove programs have disappeared AND for some reason all these folders keep popping up everywhere even when I haven't put them there.

    I created a folder in my name a while ago and now it is full of other folders. Examples of some are:
    ACPI Fixed Feature button, ACPI Sleep Button
    CD Rom Drive, Communications Port, Disk Drive, HID keyboard Device, HID-compliant consumer control device #1, HID-compliant mouse, Advanced Controllable Interrupt Controller, Direct Memory Access controller, ECP Printer Port and soooo many more. Please help!!!!


    Many thanks:)

    Maz
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi mazza,
    Welcome to Major Geeks!


    It sounds like it could be malware which is causing this and it's also possible that something got damaged when you followed instructions and it may need repairing. For us to give you any help in figuring out which it is, we need for you to go through the READ & RUN ME FIRST and attach the logs so we can look at them. HijackThis just isn't adequate.

    Thanks.
    abri
     
  3. mazza

    mazza Private E-2

    Thanks heaps:) Anyhow, I have done that. What next?

    Maz
     
  4. abri

    abri MajorGeek

    Oh good!
    Then attach the requested logs, please. There's a Manage Attachments button below the reply window.

    abri
     
  5. mazza

    mazza Private E-2

    Thank you so much Abri for your help.

    There were problems:-(

    When trying to download Spybot and Malwarebytes a connection could not be made with the server, even though the internet is working. Consequently I couldn't run them:-(

    Superantispyware found nothing. Here are some logs.

    Many thanks:)
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi mazza,

    I have a few questions.

    Do you mean, when you go into add/remove programs, the button for each program that says remove is gone? If that's what you mean, is it gone for all the programs?

    What folder did you create for yourself where and where are folders appearing all over the place with these folders? All over the place as in C:\Program Files or C:\Documents and Settings? Did you create a user name? I need more specific information.

    Are the following files in C:\Documents and Settings\Administrator\My Documents\
    files that you put in and want?

    After I hear back from you about the above, I'll post some instructions to you.
    Thanks.
    abri
     
  7. mazza

    mazza Private E-2

    I use an xml viewer and I have opened those documents. Maybe that is just a default place where they are saved.
     
  8. abri

    abri MajorGeek

    Hi mazza,

    You have evidence on your computer of software which is designed to spy on you: a program which looks at your emails and one which records what websites you browse.

    See the following:
    http://www.symantec.com/security_response/writeup.jsp?docid=2007-112711-0007-99&tabid=2
    http://www.siteadvisor.com/sites/defeatspyware.org - refers to a rogue spyware company which tries to get you to buy their product called Spyware Detector

    The characteristic problem of programs like these is that they don't provide uninstall programs with them, so you can't remove them through your add/remove programs.

    Please begin by running CCleaner at the default setting with the Windows tab as the one on top.

    Then proceed as follows:

    1) Run RogueRemover

    2) Next I would like for you to rename the following drivers:

    C:\WINDOWS\system32\pitvm4.sys -----> pitvm4.sys.zzz
    C:\WINDOWS\system32\drivers\CSNPDM51.sys ------> CSNPDM51.sys.zzz


    3) Now I'm going to have you use ComboFix to remove a bunch of malware files.

    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

    Code:
    KILLALL::
    
    FILES::
    C:\Documents and Settings\All Users\Application Data\cw5.sdf
    C:\WINDOWS\msmgr.exe
    C:\WINDOWS\slog.dll
    C:\WINDOWS\svers.dll
    C:\WINDOWS\29.rps
    
    DIRLOOK:
    C:\Documents and Settings\Administrator\Application Data\Symantec
    C:\Documents and Settings\All Users\Application Data\Symantec
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4) Now run CCleaner at the default setting with the Windows tab as the top one.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Combofix log.


    Let me know how things are running now.

    abri
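    As an added example (not from this thread and not ComboFix's own code), here is a small Python reviewer that reads a CFScript like the one in the post above and reports what it would delete before anyone drags it onto ComboFix. The directive vocabulary, the rule that a directive line ends in "::", and the reading of "[-HKEY...]" as delete-this-key are assumptions about the script format; the thread's own script writes DIRLOOK with a single colon, which the reviewer reports.

```python
import re

# The script posted above, constructed here as an inline sample so the
# example runs offline (paths and keys are the thread's own).
SAMPLE_SCRIPT = """\
KILLALL::

FILES::
C:\\Documents and Settings\\All Users\\Application Data\\cw5.sdf
C:\\WINDOWS\\msmgr.exe
C:\\WINDOWS\\slog.dll
C:\\WINDOWS\\svers.dll
C:\\WINDOWS\\29.rps

DIRLOOK:
C:\\Documents and Settings\\Administrator\\Application Data\\Symantec
C:\\Documents and Settings\\All Users\\Application Data\\Symantec

REGISTRY::
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupfolder\\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupfolder\\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"""

# Assumed directive vocabulary; anything else is reported, not guessed at.
KNOWN = {"KILLALL", "FILES", "DIRLOOK", "REGISTRY"}
DIRECTIVE = re.compile(r"^([A-Za-z]+)::$")
ONE_COLON = re.compile(r"^([A-Za-z]+):$")      # looks like a directive but is not
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
REG_KEY = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)\\(.+)\]$")


def parse_cfscript(text):
    """Split the script into {directive: [entries]} and collect warnings."""
    sections, warnings, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
            if current not in KNOWN:
                warnings.append(f"line {lineno}: unknown directive {line}")
            continue
        if ONE_COLON.match(line):
            # With one colon the line is just another entry of the previous
            # section, so everything below it would be misapplied.
            warnings.append(f"line {lineno}: {line!r} has one colon, not two; "
                            f"its entries will be attributed to {current}")
        if current is None:
            warnings.append(f"line {lineno}: entry before any directive")
            continue
        sections[current].append(line)
    return sections, warnings


def review(sections):
    """Summarise what the script would do, flagging malformed entries."""
    report = {"delete_files": [], "list_dirs": [], "delete_keys": [],
              "set_keys": [], "malformed": []}
    for entry in sections.get("FILES", []):
        (report["delete_files"] if WIN_PATH.match(entry)
         else report["malformed"]).append(entry)
    for entry in sections.get("DIRLOOK", []):
        (report["list_dirs"] if WIN_PATH.match(entry)
         else report["malformed"]).append(entry)
    for entry in sections.get("REGISTRY", []):
        m = REG_KEY.match(entry)
        if not m:
            report["malformed"].append(entry)
        elif m.group(1) == "-":          # [-HKEY...] asks for the key to be deleted
            report["delete_keys"].append(m.group(2) + "\\" + m.group(3))
        else:
            report["set_keys"].append(m.group(2) + "\\" + m.group(3))
    return report


if __name__ == "__main__":
    secs, warns = parse_cfscript(SAMPLE_SCRIPT)
    for w in warns:
        print("WARNING:", w)
    for kind, items in review(secs).items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```

    Run against the script as posted, the reviewer shows the two Symantec folders landing under FILES (seven deletions instead of five) because of the single-colon DIRLOOK line; with "DIRLOOK::" they move to the listing section.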
     
  9. mazza

    mazza Private E-2

    Hi Abri

    Did the best I could but had the following problems.

    Could not update ComboFix, uninstalled it and downloaded it again. It came up with folder already exists so I saved it to another place. Still won't update but scanned with nothing wrong.

    Copied the file you asked into ComboFix and scanned but log went missing off the desktop.

    Ran the next program you asked to run but even though a log was created, there's no zip file on my desktop:-(

    Further to that, I checked my add/remove programs and it only removes some. It won't remove Ad-Aware2007 as an example.

    CCleaner works well, however, I keep deleting the following startup entries but they keep coming back.
    !AVG Anti-Spyware
    and ccNortApp

    Another thing...I can't update anything, not ad-aware, superantispywarefree, AVG....

    Thanks:)
     
  10. abri

    abri MajorGeek

    Hi mazza,

    Your computer is not in a state where you have full control over it. Therefore, it's important that you do things that we ask, in the order we ask, and if something doesn't work, to explain what happened. I can't tell from your description in your last post what you actually did. In your next posts, please refer to the number of the step, for instance after you complete this post 9, refer to steps 1, 2, etc. with your answers. This will be very important as otherwise I have no idea what you have done. I have a bunch of questions for you now. Please answer each one. You still have not answered my question back in post 6 where I asked you whether you created a folder for yourself or a new user name? Which of these did you create?

    After you answer the above, please continue as follows. You wrote:
    1) To begin with Combofix does not need to be updated, so I wonder if you meant CCleaner? When you tried to do the instructions in post 8, I asked you to start by running CCleaner. Did you do this? Is this what you downloaded again? Both CCleaner and Combofix were working earlier in this thread. Which of these programs did you reinstall and where is each of them now and what is the name of each one? If they are in more than one location, please go to Start / Search and do a search of your main drive and tell me where they are located.

    2) CCleaner can be run without updating it. You just double-click on the CCleaner icon on your desktop (the C with the broom in it) and in the window that opens up, you click on the Run Cleaner button in the lower right-hand corner, then say yes to the warning and then allow it to run. When it's finished, you simply close the window. You can tell when it's done, because the Run Cleaner button will become an active button again and the bar across the top will say 100%.

    3) Next, please tell me if Combofix is installed on your desktop? Can you see the Red disk with the White X with the name cf.exe or if you didn't rename it, Combofix.exe?

    The reason you can't download some things, why some programs are missing their uninstall buttons and why some programs don't run correctly, is because your computer's been tampered with. I don't see a firewall on your computer and would like for you to get one. But first I would like to see if we can get through the instructions in post 8, because the files I'm trying to get you to remove are part of the problem. After you answer the above questions, we'll try to go back to the instructions in post 8 and see what still needs to be done and how best to go about it.

    abri
     
  11. mazza

    mazza Private E-2

    Do you mean, when you go into add/remove programs, the button for each program that says remove is gone? If that's what you mean, is it gone for all the programs?

    :eek: Not for all programs, just some, for instance I cannot remove ad-aware2007

    What folder did you create for yourself where and where are folders appearing all over the place with these folders? All over the place as in C:\Program Files or C:\Documents and Settings? Did you create a user name? I need more specific information.

    :eek: I created a folder C:\Marian. Now inside that folder somehow, all these other folders have appeared and I did not put them there.

    1) To begin with Combofix does not need to be updated, so I wonder if you meant CCleaner? When you tried to do the instructions in post 8, I asked you to start by running CCleaner. Did you do this? Is this what you downloaded again? Both CCleaner and Combofix were working earlier in this thread. Which of these programs did you reinstall and where are each of them now and what is the name of each one? If they are in more than one location, please go to Start / Search and do a search of your main drive and tell me where they are located.

    I ran CCleaner first. I did not download CCleaner again. I then ran ComboFix from the desktop and it had an update button so I tried to update it. Then uninstalled it and downloaded another Combo-Fix to try and update again. It wouldn't. I then pasted the posts you told me into notepad and saved the log in the name you asked to the desktop. Then moved the log over combofix as you said. Then I ran MGTools/getlog etc as per your post but both the zip file and the combo log disappeared:-(

    2) CCleaner can be run without updating it. You just double-click on the CCleaner icon on your desktop (the C with the broom in it) and in the window that opens up, you click on the Run Cleaner button in the lower right-hand corner, then say yes to the warning and then allow it to run. When it's finished, you simply close the window. You can tell when it's done, because the Run Cleaner button will become an active button again and the bar across the top will say 100%.

    Yes, all is OK with CCleaner but not sure what you meant by "at the default setting with the Windows tab as the top one". Anyhow, I ran it by double clicking it and clicked on the run cleaner button. The tab which was up was the windows one.


    3) Next, please tell me if Combofix is installed on your desktop? Can you see the Red disk with the White X with the name cf.exe or if you didn't rename it, Combofix.exe?

    Yes Combofix is installed on the desktop. The original one was called cf.exe but the new downloaded one was combofix:-(

    CCleaner.exe is in C:/Programfiles twice:-( AND on the desktop

    ComboFix.exe is in C:/documents and settings/administrator/desktop only. The search showed up a combofix-quarantined-files.text as C:/QooBox whatever that is??? and combofix2.txt same again with the QooBox???

    Thanks for your patience
     
  12. mazza

    mazza Private E-2

    I have comodo and zone alarm on my computer but have disabled them while doing the fixes.
     
  13. abri

    abri MajorGeek

    Hi mazza,

    Nothing bad here. The combofix log will be located directly under C:\. That's why you couldn't find it. If you look under C where the files are, you should find one called combofix.txt or cf.txt. That's the one I'd like to see. It might be called Combofix2.txt. Attach that one in any case so I can see it. Qoobox is where Combofix puts things you've had it delete. They are there in case we deleted something you needed to have.

    It sounds like things are going well. You still have some malware, so we want to get that all out before we look at the folder problem.

    Please reactivate one of your firewalls and leave the other one turned off. Of the two, Zone Alarm is easier to use. Make sure your Windows Firewall is turned off. To check this, go to Start / Control Settings / Windows Firewall. There should be a box to check or uncheck. Make sure it's deactivated.

    As soon as I get your combofix log, I'll post you another set of instructions. We're getting there. You're doing everything okay.

    abri
     
  14. mazza

    mazza Private E-2

    aaaah great. Will attach files:) You're a life saver:)
     

    Attached Files:

  15. abri

    abri MajorGeek

    Hi mazza,

    I would like to have you remove some more things from your computer, but it's important that we not remove programs which you installed yourself and want to keep. There's a piece of software which records everything which is said in a number of different chat clients. There's a surveillance program which enables you to recover passwords. You also have a folder for Online Armor which is another firewall besides the other two you had. There are a lot of old java entries. There is a symantec shared folder. There is at least one piece of software which allows someone to remotely control your computer.

    If you installed this variety of programs yourself, then please decide if there are some that you want to keep.

    Also, there are programs missing from your uninstalls list. How many programs do you have in your add/remove programs and how many of the total are missing the remove button? From your uninstalls log, it looks like some of your programs no longer have the uninstall string in the registry. They are missing altogether, as if they had been deleted. It's not clear to me at this point if the main problem you have has been created by malware or by a well-intentioned person.

    Also, did you install a program called Elite or EliteCentral? Is this something you mean to have?

    Thanks for getting back to me about the above.
    abri
     
  16. mazza

    mazza Private E-2

    There's a surveillance program which enables you to recover passwords. You also have a folder for Online Armor which is another firewall besides the other two you had. There are a lot of old java entries. There is a symantec shared folder. There is at least one piece of software which allows someone to remotely control your computer.

    I DON'T NEED TO REMOTELY CONTROL MY COMPUTER. I WOULD LIKE TO KEEP A SURVEILLANCE PROGRAM IF IT IS SAFE.


    Also, there are programs missing from your uninstalls list. How many programs do you have in your add/remove programs and how many of the total are missing the remove button?

    THERE ARE 15 PROGRAMS WHICH I CAN REMOVE. THE REST I CAN'T.

    From your uninstalls log, it looks like some of your programs no longer have the uninstall string in the registry. They are missing altogether, as if they had been deleted. It's not clear to me at this point if the main problem you have has been created by malware or by a well-intentioned person.

    I DON'T KNOW:-(

    Also, did you install a program called Elite or EliteCentral? Is this something you mean to have?

    YES ELITE IS THE MOST IMPORTANT SOFTWARE ON MY COMPUTER. I RUN MY BUSINESS THROUGH ELITE. CISCO SYSTEMS VPN CLIENT IS ALSO VERY IMPORTANT. UNFORTUNATELY DUE TO THE PROBLEMS WITH THIS COMPUTER I HAVE MISSED MY DEADLINE FOR LODGEMENT OF IMPORTANT PAPERS FOR CLIENTS:-( UNFORTUNATELY MY LODGEMENT PROGRAM WOULD NOT WORK.


    THANK YOU SO MUCH FOR YOUR HELP.
     
  17. abri

    abri MajorGeek

    Hi mazza,

    1) In general, surveillance programs designed to monitor the computer activities of children are safe and this is what you should look for. When I look at your logs, I don't know if you put on a specific program or if someone trying to gain access to your computer put this on, that's why it's important for you to know what you put on there yourself.

    The remote access program and the keystrokes and internet monitoring programs are not pieces of software that came with your computer unless you bought it used and had been installed by someone else. They would be programs you installed yourself or were put on by malware. If you didn't install them but would like such a program, it would be better to remove these and get something you know you put on yourself.

    It will be difficult in the following instructions to avoid damage to either of these programs, therefore I would like to ask if one of the surveillance programs gets damaged, can you reinstall it? I'm worried if we don't remove all of the files below, that malware will still remain. You may have a rootkit, but then again, this may be something you installed yourself.

    If you have questions regarding the above, please let me know. Otherwise, continue with the instructions below. This may disable your surveillance program, which may be a program on your desktop.


    2) The total number of programs in your add/remove programs list interests me. Please count the number of programs. You do not have to count all the KB-windows updates. These will only show if you have the "show windows updates" box ticked. I only want to know the total number of programs in add/remove programs, without the updates. I need to understand how many you are missing.

    Next I would like for you to do the following:

    3) Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    The following all belong to old versions. Do they belong to programs you know or want to keep? If not, please fix them as well.

    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
    O16 - DPF: {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA} (Java Plug-in 1.4.2_09) -
    O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -

    After you click fix, just close hijackthis.


    4) Download and install Erunt. Use it to create a backup of your registry.

    5) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt



    7) Now run CCleaner at the default setting with the Windows tab as the top one.

    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  18. mazza

    mazza Private E-2

    Hi Abri

    As for the surveillance programs, I am currently using an xml program to check msn. Other than that there is nothing I use. However, I have a problem with a 15-year-old mixing with the wrong crowd and am doing everything I can to make sure he has a chance to have a normal life, however, with the amount of drugs on the streets now this is not an easy task. If you can recommend any way to help me by using safe programs that would be great:)

    The only programs I am worried about are Elite and Cisco VPN client. They are important, other than that, I can survive.

    Thank you so much for your help. Will go through everything tomorrow. Need some sleep right now:)

    Take care.

    Maz
     
  19. mazza

    mazza Private E-2

    I cant say how things are running yet as haven't been on long enough to know but will keep you updated. I hope I have attached the right logs:)

    Thank you sooo much:)
     

    Attached Files:

  20. mazza

    mazza Private E-2

    Can you think of a reason why I cant update the following:

    Ad-Aware2007, SuperAntiSpyware and AVG 7.5?

    Regards

    Marian
     
  21. abri

    abri MajorGeek

    Hi mazza,

    It may be necessary to back up to before the last Avenger removal, but try the following steps first:

    Have you tried since we started to reinstall one of the programs you are unable to uninstall over the original one and then seeing if the uninstall button comes back?

    Do you have the cd for your computer? If so, please go to Start / Run and type in scf /scannow (there's a space after scf) and click on okay. If corrupted files are found, you will be prompted to insert the cd. Please try this and let me know what happens.

    abri
     
  22. mazza

    mazza Private E-2

    I will try reinstalling them now. I now have 7-Zip 4.57 in my add/remove programs. Wasn't there before. Is this OK?

    Before re-installing Ad-Aware should I uninstall using ccleaner?

    When I got my computer, it had XP and windows installed. I cant seem to do the SP3 update. Is there a way around this?
     
  23. mazza

    mazza Private E-2

    Sorry about all the questions.

    In startup in ccleaner it has HKLM:Run, AVG Anti-Spyware but with an ! mark in front of it (is this normal?), ccNortApp (I don't have norton installed) and ERUNT Autobackup.lnk

    Is the above OK?

    Many thanks
     
  24. abri

    abri MajorGeek

    Hi Mazza,

    Would it be possible for you to make a list of the programs you have in add/remove programs and to indicate next to each one whether or not it has the remove button? You can put an X next to any which do not have the remove button.

    Please see the following for why you can't update AVG Anti-Spyware:

    http://free.grisoft.com/ww.download-avg-anti-spyware-and-anti-rootkit

    What resident antivirus program are you using?

    AVG Anti-Spyware no longer exists as a stand-alone program. Try opening the AVG Antispyware program by double-clicking on the link on your desktop and see if you get the AVG Antispyware window. If so, see if there is a button there for the AVG 8.0 upgrade. If so, try installing it and allow it to uninstall any previous versions of AVG which are still on your computer.

    abri
     
  25. mazza

    mazza Private E-2

    I have attached a list of the Add/Remove Programs. So many programs that I have no idea about. Those marked with an X mean I cannot remove them.

    My resident anti virus is AVG.

    I tried upgrading AVG Spyware and couldn't:-(
     

    Attached Files:

  26. mazza

    mazza Private E-2

    scf /scannow won't work:-(
     
  27. abri

    abri MajorGeek

    Hi Mazza,

    Please do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [ccNortApp] C:\WINDOWS\system32\ccRSpool\ccSvcHst.exe

    After you click fix, just close hijackthis.



    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    Now run CCleaner at the default setting with the Windows tab as the top one.

    Then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip and let me know if you got a success message with the registry patch REGEDIT4

    abri
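    As an added example (not from this thread and not HijackThis's own code), here is a Python helper that parses the O16 DPF lines from post 17 and the O4 Run entry from this post, works out which Java Plug-in entries are superseded by a newer one, cross-checks each description against the version encoded in Sun's static CLSID (CAFEEFAC-0014-0002-0006 is 1.4.2_06, as the six entries show), and flags Run entries whose executable sits in a subfolder of system32. The system32 heuristic is this example's own, not a HijackThis rule.

```python
import re

# Sample input constructed from lines quoted in this thread (O16 entries
# from post 17, the O4 entry from post 27); not a complete HijackThis log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ccNortApp] C:\\WINDOWS\\system32\\ccRSpool\\ccSvcHst.exe
O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
O16 - DPF: {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA} (Java Plug-in 1.4.2_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]{36})\} \(([^)]*)\) -\s*(.*)$")
JAVA_TEXT = re.compile(r"^Java Plug-in (\d+)\.(\d+)\.(\d+)_(\d+)$")
# Static Java CLSID: CAFEEFAC-00<major><minor>-<micro>-<update>-ABCDEFFEDCBA
JAVA_CLSID = re.compile(r"^CAFEEFAC-00(\d)(\d)-(\d{4})-(\d{4})-ABCDEFFEDCBA$")
# Illustrative heuristic: a launcher living in a subfolder of system32.
SYSTEM32_SUBDIR = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\\", re.I)


def parse_hjt(text):
    """Turn O4 and O16 lines into dicts; other line types are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append({"type": "O4", "hive": m.group(1), "key": m.group(2),
                            "name": m.group(3), "command": m.group(4)})
            continue
        m = O16_RE.match(line)
        if m:
            entries.append({"type": "O16", "clsid": m.group(1).upper(),
                            "desc": m.group(2), "codebase": m.group(3)})
    return entries


def java_version(entry):
    """Version tuple for a Java Plug-in O16 entry, or None if it is not one.

    The description text and the CLSID both carry the version; a mismatch
    means the entry is not what its label claims, so it is raised, not hidden.
    """
    t = JAVA_TEXT.match(entry["desc"])
    c = JAVA_CLSID.match(entry["clsid"])
    if not t or not c:
        return None
    from_text = tuple(int(x) for x in t.groups())
    from_clsid = tuple(int(x) for x in c.groups())
    if from_text != from_clsid:
        raise ValueError(f"description {from_text} disagrees with CLSID {from_clsid}")
    return from_text


def superseded_java_entries(entries):
    """O16 Java Plug-in entries older than the newest one present."""
    versioned = [(java_version(e), e) for e in entries if e["type"] == "O16"]
    versioned = [(v, e) for v, e in versioned if v]
    if not versioned:
        return []
    newest = max(v for v, _ in versioned)
    return [e for v, e in versioned if v < newest]


def unusual_run_entries(entries):
    """Names of O4 Run entries whose executable sits in a subfolder of system32."""
    return [e["name"] for e in entries
            if e["type"] == "O4" and SYSTEM32_SUBDIR.match(e["command"].strip('"'))]


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for old in superseded_java_entries(found):
        print("superseded:", old["desc"], old["clsid"])
    for name in unusual_run_entries(found):
        print("check Run entry:", name)
```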
     
  28. mazza

    mazza Private E-2

    Hi Abri

    All done, yes the reg patch was a success.

    MGlogs zip attached:)
     

    Attached Files:

  29. abri

    abri MajorGeek

    Hi Mazza,

    Please go to AVG Anti-Spyware and download and install this version of AVG_Anti-Spyware over the existing one. See if that works.

    Thanks.
    abri
     
  30. mazza

    mazza Private E-2

    Yes it updates now:)
     
  31. abri

    abri MajorGeek

    And now do the following:


    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.


    Let me know if you get a success message.
     
  32. mazza

    mazza Private E-2

    Yes the reg was successful:)
     
  33. abri

    abri MajorGeek

    Hi Mazza,

    Please go to add/remove programs and see if AVG Anti-Spyware now has the remove button? I want to know if you can recover your uninstallers by reinstalling the various programs directly over the existing version.

    If this works with AVG Anti-Spyware, I would advise you to do the same for ZoneAlarm. After you download the installation program but before you actually re-install it, you may need to disable the existing ZoneAlarm so it doesn't prevent the installation. Be sure to install it to the same folder where it already is. Normally the default installation will do this anyway.

    abri
     
  34. mazza

    mazza Private E-2

    Just found AVG spyware is in add/remove programs and it can be removed. I will do the same with zone alarm.
     
