Really screwed...

Discussion in 'Malware Help (A Specialist Will Reply)' started by SeaComms, Nov 12, 2006.

  1. SeaComms

    SeaComms Private E-2

    Hi, I have been given a friends PC to try and clean up for them. The story is they have not been able to use it for a few months so now I have the fun of trying to fix it...

    Have been following the READ & RUN ME FIRST thread, but have come across some strange problems.

In any login (including safe mode) I can not install any programs, nor can I run or remove any existing antivirus software (it appears to be Norton Internet Security 2005, Avast, Kaspersky, AVG all installed - but none will run or can be removed).

    Following the above thread, this is how I have gone..

    Can not install CCleaner - just beeps then nothing happens.
    Can not install MS Malicious removal tool - unpacks then just stops
    Can not install Spybot - double clicked the executable and nothing happens
    Can not install Windows defender - nothing happens...

    Online Bitdefender scan ran, found 24 viruses and removed them
    Online Panda scan is now running.

    Any suggestions?? Please :):)
    Dave.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First off you must uninstall all but one. You can't run all of these; running more than one will cause conflicts. I haven't ever seen this many on one computer.

    After you uninstall these, reboot and then try to proceed with the READ ME and attach the logs of what you can run.
     
  3. SeaComms

    SeaComms Private E-2

    Thanks for your quick reply, I think the kid that screwed it up was trying his best to fix it... unfortunately, I am unable to either run or uninstall any of the antivirus programs - when I try, nothing happens. It is as though anything that is antivirus related just will not work! Just waiting for the panda scan to complete, then will try the hijackthis.

    Thanks, Dave
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. SeaComms

    SeaComms Private E-2

    Thanks heaps - will give that a run when the panda scan finishes - it is 1/3 way through scanning and has already disinfected 1200 viruses and identified another 160 spywares..... and that was after a successful run of bitdefender!!
    Back soon, Dave.
     
  6. SeaComms

    SeaComms Private E-2

    Hello again.
    The uninstaller ran, but would not uninstall anything; it kept coming up with errors saying I had stopped the uninstall process! And when trying to install new programs (such as Spybot) not all of the installation screen is visible, some buttons and text are missing; it gets right through until it is ready to actually copy the files, then just freezes - I have to use task manager to kill it.

    So.. have done everything else and attaching the logs from what I was able to run.
    Cheers, Dave.
    Bitdefender and Hijackthis logs attached, others coming in a minute
     


  7. SeaComms

    SeaComms Private E-2

    Other logs attached here - I had to zip the activescan log as it was too big to be accepted.

    Thanks in advance for any advice available.

    Cheers, Dave.
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please see this thread on Alcan.a Removal, let me know the results.

    After you complete the above, reboot once more. Once you have rebooted the second time run a fresh Panda Online Scan and attach the log with a fresh HJT log.
     
  9. SeaComms

    SeaComms Private E-2

    Dear bjgarrick...

    Your blood is worth bottling :)

    After running the cleanup for the Alcan.a worm, I have now regained access to install / remove / and run programs. Have now been able to remove the excessive virus scanners and run the CCleaner.

    Internet access has also returned in normal log in and have completed the panda online scan and another HJT run - log files attached.

    Thanks again and whilst waiting to hear if there are any other nasties hiding in the logs I will run some more malware scans and see if I can get rid of every last annoyance - I must confess I was very very close to reformatting, so I thank you from the bottom of my heart.

    Cheers, Dave.
     


  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please look in Add/Remove Programs for the following and uninstall them if found:

    Spyware Stormer

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;*.IPrimus.com.au;<local>

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NI.UERS_0001_N82M1105] "C:\Documents and Settings\Benny\My Documents\xzcbvgfkdjvbh lsfdbnafb\ErrorSafeFreeInstall.exe" -nag
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\Warez.exe" -h
    O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe

    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: dxtpdx - dxtpdx.dll (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\Spyware Stormer Delete this whole folder if it exists!

    C:\Documents and Settings\Benny\My Documents\xzcbvgfkdjvbh lsfdbnafb Delete this whole folder if it exists!

    Next, run CCleaner to clean up cookies and temp files.

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the link below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now. Also please attach a fresh HJT log.
     
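The fix above works from HijackThis log lines: R0/R1 browser settings, O4 autorun entries and O20 Winlogon hooks. As an added illustration (not part of the thread and not a tool either participant used), the script below parses those line formats into records and applies a few defender-side heuristics that single out exactly the kinds of entries bjgarrick marked for fixing: a Winlogon Notify hook whose DLL is missing, an autorun launched from inside a user profile, a folder name that looks like random keyboard noise, and a search-bar URL on a non-Microsoft host. The sample log is constructed from the entries quoted in the post (line wrapping removed); the vowel-ratio threshold and trusted-host list are assumptions chosen for this example.

```python
"""Parse HijackThis-style log lines (R0/R1, O4, O20) and flag the patterns
targeted by the fix in the thread above. Example code, not a HijackThis API."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: the entries quoted in the post, with forum line wrapping removed.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_AU&c=Q105&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NI.UERS_0001_N82M1105] "C:\Documents and Settings\Benny\My Documents\xzcbvgfkdjvbh lsfdbnafb\ErrorSafeFreeInstall.exe" -nag
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\Warez.exe" -h
O4 - Startup: VirtuaGirl2.lnk = C:\Program Files\Vg\VirtuaGirl2.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: dxtpdx - dxtpdx.dll (file missing)
"""


@dataclass
class Entry:
    section: str            # R0, R1, O4 or O20
    location: str           # registry key, startup folder or hook type
    name: str               # value name, .lnk name or Notify subkey
    target: str             # program path, DLL or URL
    args: str = ""
    flags: list = field(default_factory=list)


RE_R = re.compile(r"^(R[01]) - ([^,]+),([^=]+?) = (.*)$")
RE_O4_RUN = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[([^\]]*)\] (.*)$")
RE_O4_STARTUP = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")
RE_O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
RE_O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")

USER_PROFILE_DIRS = ("\\documents and settings\\", "\\users\\")
TRUSTED_URL_HOSTS = ("microsoft.com", "msn.com", "live.com")  # assumption for the example


def split_command(cmd: str):
    """Split a quoted program path followed by arguments into (path, args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    return cmd, ""


def parse_line(line: str):
    """Return an Entry for a recognised HJT line, or None for anything else."""
    line = line.strip()
    if (m := RE_R.match(line)):
        return Entry(m.group(1), m.group(2), m.group(3).strip(), m.group(4).strip())
    if (m := RE_O4_RUN.match(line)) or (m := RE_O4_STARTUP.match(line)):
        path, args = split_command(m.group(3))
        return Entry("O4", m.group(1), m.group(2), path, args)
    if (m := RE_O20_NOTIFY.match(line)):
        return Entry("O20", "Winlogon Notify", m.group(1), m.group(2).strip())
    if (m := RE_O20_APPINIT.match(line)):
        return Entry("O20", "AppInit_DLLs", "", m.group(1).strip())
    return None


def looks_random(component: str) -> bool:
    """Heuristic: a long file/folder name with almost no vowels (threshold is an assumption)."""
    letters = [c for c in component.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.15


def trusted_host(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in TRUSTED_URL_HOSTS)


def triage(entry: Entry) -> Entry:
    """Attach human-readable flags; an entry with no flags is left for manual review."""
    low = entry.target.lower()
    if entry.section == "O4":
        if any(d in low for d in USER_PROFILE_DIRS) and "\\program files\\" not in low:
            entry.flags.append("autorun from user profile")
        if any(looks_random(part) for part in entry.target.split("\\")):
            entry.flags.append("random-looking path component")
    elif entry.section == "O20":
        if "(file missing)" in low:
            entry.flags.append("orphaned hook (file missing)")
        elif entry.location == "AppInit_DLLs" and entry.target:
            entry.flags.append("AppInit_DLLs populated")
    else:  # R0 / R1: only URLs are judged; local paths need a known default to compare to
        host = urlparse(entry.target).hostname or ""
        if host and not trusted_host(host):
            entry.flags.append(f"search/start URL on non-Microsoft host {host}")
    return entry


def parse_log(text: str) -> list:
    return [triage(e) for e in map(parse_line, text.splitlines()) if e is not None]


def flagged(text: str) -> dict:
    """Map entry name (or target) to its flags, for every entry that raised one."""
    return {e.name or e.target: e.flags for e in parse_log(text) if e.flags}


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.section:4} {e.name or e.location:28} {'; '.join(e.flags) or 'ok'}")
```

The heuristics are deliberately weak on their own (a legitimate program can live in a profile folder, and a vendor search URL is not malicious), which is why the output is a shortlist for a human to compare against a known-good baseline, not a verdict; the expert in the thread does that comparison by hand.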
  11. SeaComms

    SeaComms Private E-2

    Thanks heaps,

    All steps followed, no real problems except for trying to delete the strange folder under Benny (had no access to it from safe mode), but logged in as that user and the folder was gone anyway.

    New and hopefully final HJT log attached.

    And thank you again for all your assistance, you will put a smile back on the dial of a single mum trying to entertain her kids! I will make sure to try and explain some rules for future use to her kids........

    Cheers, Dave.
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log now looks good, are you having any current problems?
     
  13. SeaComms

    SeaComms Private E-2

    Hi again,

    All seems to be running well now, ran some more scans and found more files floating around that were suspect and have eliminated what appears to be all the nasties!

    Everything seems to be running well now - thank you so much again! It does have a strange problem now with trying to install something every time you open MS Word and asks for the wordret.msi files which of course can not be found. Don't know if that prob existed before but have been doing some research and it appears to be related to MS Works.

    Apart from that all is excellent. I was really starting to wonder if it would be a full rebuild but you have restored my faith in M$ and fellow geeks :)

    Cheers, Dave.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Glad things are running better. For the Office problem I would post this in the Software Forum; those guys can help you with that problem.

    You should now see this article on How to Protect yourself from malware!
     
