Requesting PC Help please

Discussion in 'Malware Help (A Specialist Will Reply)' started by sillygirl, Oct 26, 2010.

  1. sillygirl

    sillygirl Private E-2

    Hiya,
    New here, need help!
    OK, so where to start!
    Not exactly sure where the infection came from; I was on holiday and came back to it.
    It seems it was/is that fake Microsoft security thing. I was told by the person who downloaded it that they picked Red Cross as the program of choice, which infected me.
    So I got down to trying to fix it: checked Add/Remove Programs, ran Crap Cleaner, ran Malwarebytes, which came up clean, Spybot Search & Destroy, which didn't, and Avast, which also didn't.
    After this my PC went nutso: Avast kept popping up alerts every second, I didn't even have windows open some of the time, so I would shut Avast off, and I then uninstalled it later.
    I get blue screened a lot, different things all the time; I haven't written any down. It happens at least once a day, normally within the first hour of booting; when I reboot it doesn't happen again.
    I would look them up to see what the problem was in the first week, but they were always different, so it drove me mad. I know a little bit, I'm not totally tech stupid, but not at all any good to really do anything beyond some picked-up basics.
    This moved on to getting pop-up windows randomly: dating sites, car sites, nothing crazy like hundreds of them, and not all the time, just online with one popping here and there. In the end I noticed it was roughly the same 6 all the time.
    (I didn't make note of any URL.) I know it wasn't pop-ups from the sites I was surfing, as I was on eBay for 2 hours and on a forum I work on that has no pop-ups.
    I was looking up how to clean off the virus and downloaded Dr.Web.
    Ran it, it found stuff etc. Still my system wasn't clean, as a few days later my taskbar and all my desktop info, folders etc. disappeared and I couldn't get into my Add/Remove Programs; I was also getting rundll32 boxes popping up.
    Not sure if all of them were the same; about 8 all in all would hit me one after another when I loaded the PC, and a couple would hit when I tried to do certain things, like in my Control Panel.
    From there I used Task Manager to get online, read how to bring them back, and looked over how the hell I could fix my system, as it's been about 2-3 weeks of problems now.
    Sooooooooo I did the entire READ ME FIRST things, uninstalling programs including Malwarebytes to redownload it with the changed name, which found stuff this time when run.
    Rebooted, it seemed fine. I booted today and the security warning is back, and I was blue screened after 15 mins of booting.
    I currently do not have an antivirus program; when Avast went nuts and I removed things to do the program runs, I was left with nothing, so a recommendation would be helpful too.
    I had a guest account, which I also removed when this started.
    Logs to follow. SAS and Malwarebytes are in the same log, nothing altered, just copied and pasted onto one page to save making another post to attach all logs; they are clearly separated, SAS top then Malwarebytes.
    Thanks!
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You did not allow MGTools.exe to run to completion. In the meantime:
    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\runonceSrv.exe
    c:\windows\system32\controlSrv.exe
    c:\windows\system32\verclsidSrv.exe
    
    Folder::
    c:\documents and settings\sarah  oddi\Application Data\Dacuic
    c:\documents and settings\sarah  oddi\Application Data\Xupi
    c:\documents and settings\sarah  oddi\Application Data\Tuirla
    c:\documents and settings\sarah  oddi\Application Data\Okzeub
    c:\documents and settings\sarah  oddi\Application Data\Hesyo
    c:\documents and settings\sarah  oddi\Application Data\Ytsi
    C:\Documents and Settings\sarah  oddi\Application Data\Ozevk
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "{B5ECBF8A-403B-82F2-E918-2F821D3B5EC1}"=-
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  3. sillygirl

    sillygirl Private E-2

    Hiya Tim,
    OK, did everything you said. I think MGTools isn't running properly, or should I say fully.
    I never stopped it the first time round or messed with anything. The logs are attached, but I also have some things to report from the programs running, firstly ComboFix.
    The first thing that popped up was:

    Iexplore.exe application error 0xc0000005

    Service: izomgmt
    File: C:\WINDOWS\SYSTEM32\drivers\iomgmt.sys

    Error loading C:\WINDOWS\SYSTEM32\kebikag.dll
    The specified module could not be found

    Windows Defender started to run during one of the reboots; I couldn't get into it to turn it off completely beforehand, so it triggered a scan during like the 3rd boot, which threw up an alert:

    TrojanDownloader:Win32/Bredolab.AA

    During MGTools the following popped up once; the Avast one popped up about 8 times. I would just click Close and nothing else.

    16 bit MS-DOS Subsystem
    C:\WINDOWS\SYSTEM32\cmd.exe

    C:\Program Files\ALWIL Software\Avast\aswmonvd.dll
    An installable virtual service driver failed DLL initialisation. Choose "Close" to terminate the application.


    I can only assume, if it keeps popping up, it's blocking a full run of MGTools, if it's not coming up as complete.
    As far as I know I uninstalled it completely, but that was while infected, so I have no clue if it did it correctly. I assume not, as it keeps popping up during the program run.
    Thanks for the help, btw!
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    MGTools is still not running properly. Please see this thread: Using MGtools

    In the mean time:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\taskmgrSrv.exe
    c:\program files\Internet Explorer\iexploreSrv.exe
    c:\windows\system32\svchostSrv.exe
    c:\program files\microsoft\desktoplayer.exe
    c:\documents and settings\sarah  oddi\Application Data\Zizuyf\fyiqm.exe
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\asmum.exe 
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\batuy.exe 
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\esdeli.exe 
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\ohaxa.exe 
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\suecif.exe 
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\veuzfu.exe
    c:\documents and settings\Guest\Start Menu\Programs\Startup\liicga.exe 
    c:\documents and settings\Guest\Start Menu\Programs\Startup\opika.exe 
    c:\documents and settings\Guest\Start Menu\Programs\Startup\pusip.exe 
    c:\documents and settings\Guest\Start Menu\Programs\Startup\umby.exe 
    c:\documents and settings\Guest\Start Menu\Programs\Startup\ywnu.exe 
    c:\documents and settings\Guest\Start Menu\Programs\Startup\yxxo.exe
    c:\documents and settings\sarah  oddi\Start Menu\Programs\Startup\ucroup.exe
    
    Folder::
    c:\documents and settings\sarah  oddi\Application Data\Furya
    c:\documents and settings\sarah  oddi\Application Data\Zizuyf
    c:\documents and settings\sarah  oddi\Application Data\Lifey
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{B5ECBF8A-403B-82F2-E918-2F821D3B5EC1}"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,"
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
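    The two CFScripts above clean the same three kinds of persistence: a GUID-named value under the Run key, files dropped in every profile's Startup folder (Administrator and Guest included), a Winlogon Userinit string reset to userinit.exe, plus <name>Srv.exe companions sitting next to real programs. The script below is an added triage example, not something posted in this thread and not part of ComboFix or MGTools: it enumerates those same locations on a live machine and reports entries matching the patterns the CFScripts target, without deleting anything. It assumes PowerShell 3 or later in an elevated prompt; the GUID value name, the Userinit string and the Srv.exe pattern come from the scripts above, and the "Run data points into a profile" heuristic is my own assumption.

```powershell
# Added triage script (not from this thread, not part of ComboFix or MGTools).
# Enumerates the persistence points the CFScripts above clean and reports
# entries that match the same patterns. Reports only; it deletes nothing.
# Assumes PowerShell 3+ in an elevated prompt. The heuristics are assumptions.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Run keys. The scripts delete a value whose name is a bare GUID; we also
#    flag values whose data points into a user profile, which is where the
#    dropped folders (Application Data\Dacuic, Zizuyf, ...) lived.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$guidName = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # provider metadata (PSPath, PSDrive, ...)
        $data = [string]$p.Value
        if ($p.Name -match $guidName -or $data -match '(?i)\\(Documents and Settings|Users)\\') {
            $findings.Add("Run value '$($p.Name)' in $key -> $data")
        }
    }
}

# 2. Winlogon Userinit. The second script resets it to userinit.exe; anything
#    appended after the comma is launched at every interactive logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
if ($userinit -and ($userinit.TrimEnd(',') -ine $expected)) {
    $findings.Add("Userinit is '$userinit' (expected '$expected,')")
}

# 3. Startup folders of every profile, including Administrator and Guest,
#    which the second script lists and which a logged-in user rarely looks at.
$profileRoot = Split-Path -Parent $env:USERPROFILE    # C:\Documents and Settings or C:\Users
$startupRel  = @(
    'Start Menu\Programs\Startup',                                   # XP layout
    'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'  # Vista and later
)
foreach ($prof in Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue) {
    foreach ($rel in $startupRel) {
        $dir = Join-Path $prof.FullName $rel
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in @('.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs') } |
            ForEach-Object { $findings.Add("Startup item $($_.FullName)") }
    }
}

# 4. Companion binaries: the scripts remove svchostSrv.exe, iexploreSrv.exe,
#    taskmgrSrv.exe and similar, each sitting next to the real program.
$searchDirs = @("$env:SystemRoot\system32", "$env:ProgramFiles\Internet Explorer")
foreach ($dir in $searchDirs) {
    foreach ($f in Get-ChildItem -Path $dir -Filter '*Srv.exe' -File -ErrorAction SilentlyContinue) {
        $twin = Join-Path $dir (($f.BaseName -replace 'Srv$', '') + '.exe')
        if (Test-Path $twin) { $findings.Add("Companion binary $($f.FullName) beside $twin") }
    }
}

if ($findings.Count -eq 0) { 'No suspicious persistence entries found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

    Paths it reports are the kind of thing that goes into the File::, Folder:: and Registry:: sections of a CFScript, but deciding what to remove stays with the helper reading the logs. Two caveats: a Run value named with a GUID is also used by a few legitimate installers, so treat that hit as a lead rather than proof; and on a box where a kernel driver is loaded (the thread mentions an unknown .sys in drivers\), what a script run from the infected session sees can be filtered, which is why the helpers rely on offline-style tools like ComboFix and MGTools rather than on in-session listings.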
     
  5. sillygirl

    sillygirl Private E-2

    Hiya again,
    So I fixed the MGTools problem (I hope, anyway!).
    Did everything you said; I even turned off Windows Defender this time before running anything. It allowed me in there, and no messages popped up during the scans this time!
    New logs attached.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please immediately do the below. You must do this immediately, and you must complete all 3 scans one after the other, with only the delay to post logs in between. DO NOT use your PC for anything else but these instructions.

    Run this: Using ESET's Online Scanner, and immediately attach the log.

    Then run the ESET scan a second time and attach the 2nd log.

    Then run the ESET scan a third time and attach the 3rd log.

    After attaching the 3rd log, if any Ramnit infections were found by ESET, try to repeat the above until it comes up clean. The only Ramnit infections you can ignore are ones that may be found in the System Volume Information folder, which is System Restore and cannot be cleaned. We will remove them later by disabling System Restore.

    Then:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  7. sillygirl

    sillygirl Private E-2

    Hi kestrel,
    Thanks for the further assistance first log attached.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Keep running the scans.

    In the meantime, please delete (uninstall) these:
    C:\Documents and Settings\sarah oddi\Local Settings\Temporary Internet Files\Content.IE5 --> empty it out!
    C:\MGtools\
    C:\Program Files\SUPERAntiSpyware
     
  9. sillygirl

    sillygirl Private E-2

    Hey hey,
    OK, second log here, and I have removed the things I was told to.
    3rd run will begin in 5!
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Keep running it as we are not making as much progress as I would hope. You may need to run it more than 3 times.
     
  11. sillygirl

    sillygirl Private E-2

    Here is the 3rd log.
    I take it I should just keep running this now till it's clean?
    I will be picking this back up in the morning (UK here).
    Should I run it a few times back to back or do you want a log for every run?
    Let me know I will check in here before I do anything!
    Thanks again guys I really do appreciate the time in helping!
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run the scans back to back, three at a time, and then attach the 3 ESET logs in a post.

    Run three more back to back and attach those.
    Keep going until ESET starts to find less and less. Remember:

     
  13. sillygirl

    sillygirl Private E-2

    Hey guys,
    I know you said post every 3 logs, but this first one I did today had some problems.
    It took over 7 hours; while doing the first 3, only one of them took nearly 2 hours, the rest were 1 to 1.5 hours, so I know over 7 is long.
    Also, it triggered Windows Defender 2 times to run, throwing up that same warning message as before:

    TrojanDownloader:Win32/Bredolab.AA

    I know it's definitely turned off; I even checked today that it was still switched off, to make sure nothing would hinder the scans.
    Should I remove Windows Defender?
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This can be a very difficult virus to remove once it has taken hold. You need to keep running the ESET scan back to back. It is that, or you will have to reformat and do a clean install.
     
  15. sillygirl

    sillygirl Private E-2

    Hey guys,
    3 back to back runs, finally!
    It takes several hours to run, so it's taking time, and I got blue screened during 2 runs!
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable System Restore. Now see if you can find this folder:
    C:\eff2b6b40e69c7820026e9f971eb9db2 --> delete it if you can.

    Please re-run ESET again.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  17. sillygirl

    sillygirl Private E-2

    Hey hey,
    OK, so that folder, C:\eff2b6b40e69c7820026e9f971eb9db2,
    will not let me delete it or rename it. I even tried going inside to remove/rename the contents; I kept getting the same notice, which is:

    Cannot delete filterpipelineprintproc.dll: Access is denied.

    I did run the ESET test again, log attached, and then MGTools again, zip also attached.

    Also, the past 3 times I have booted, this box pops up; it's mostly blank. I screen grabbed it so explaining it is easier; I included the taskbar, as what it seems to be named there is different from what's at the top of the box.
    No idea what it is, I just X it when it comes up.
    Thanks!
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Based on your latest log, it is time to throw in the towel. This virus has gotten too deeply embedded in your system to be able to clean it with any success. Your best course of action is to save your personal data and files to a CD and reformat your computer with a clean install. Then, once you are back up and running and well protected, scan your backup disc before you transfer the data and files back over.
     
  19. sillygirl

    sillygirl Private E-2

    Hey again

    After posting last night I shut down my system. Booting today, it will not load; I keep getting blue screened with the following: STOP: c000021a {Fatal System Error}
    The Windows Logon Process system process terminated unexpectedly with a status of 0xC0000005 (0x00000000 0x00000000).
    The system has been shut down.

    It will not allow me into Safe Mode either.
    Can I reformat with this error still there?
    Please jog my memory on how I reformat.
    Thanks again for the assistance!
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you can do a clean install regardless of the message you are now getting. In order to do a clean install, you must first enter the BIOS (F2 on some machines) and set the boot order to make the CD-ROM the first boot device. Then put in your OS CD and reboot. Once it comes up, hit Enter to "boot from CD". It will ask if you want to install or repair. Choose install. Then it will find the partition your previous install is on, and you will want to format that partition. It is simple after that.
     
