please help - computer badly infected by a virus, probably "personal antivirus"


10 replies to this topic

#1 TheChin

TheChin

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:29 PM

Posted 19 August 2009 - 05:43 PM

Hi, and thank you so much for any help. Here's the problem:

I was websurfing on my expensive hp laptop (windows '06), and when I went to a website I got a message saying to download "personal antivirus". I looked it up on google, and found it was mal-ware so I x-ed out of it. As I continued to use the internet, it started going slower, and then stopped letting me go to websites. I restarted my computer, and tried to look up how to stop personal antivirus, and the internet stopped working after a tiny bit. I tried ctrl-alt-delete, and the computer froze. I had to shut down my computer manually. When I reloaded my computer I started having trouble with other programs, and when I would try to ctrl-alt-delete it would always freeze my computer. Things got worse, and at some point I got a screen saying "wxwidgets fatal error.." and another telling me to download something to see if I had the right version of windows, calling itself "windows genuine advantage program", and a few other pop-ups when I wasn't currently using the internet. I ignored these, suspecting they were part of the virus, and I disconnected my computer from the internet to see if the problem would stop. It didn't, and here are some of the strange problems my computer has been having:

- at start-up, black screen doesn't leave
- freezes at startup
- freezes as windows starts up
- after windows start-up, can't open any programs, or can only open some
- sound on windows media player sometimes works, sometimes doesn't: same with VLC media player
- when I tried to check computer volume, it said program was deleted
- sometimes internet works for seconds, sometimes not at all
- will shut-down by itself
- cannot open microsoft word ever
- windows toolbars changed to an older-looking version

I didn't know viruses could be this horrible. The above occurrences would happen whenever they decided to, and my computer has barely worked at all since the beginning of these problems. It's been a nightmare. There is constantly a red word-bubble in the bottom right of my screen saying that my computer has been infected, but I didn't want to click it out of fear it was part of the virus.

The last time I was on my computer, it told me that I either had, or was attempting to delete programs that are vital to the function of windows, and to insert a windows CD immediately to fix the problem. I had no clue what to do, so I shut down my laptop. The computer I'm using now is of course not my laptop. I've been searching the web for ways to fix it, but I haven't found anything helpful. This website seemed like a good place to ask for help.

I'd be very grateful if anyone here could give me any idea of what to do. If you have any questions, please ask.

Thanks a lot!
-Jo

Edited by The weatherman, 19 August 2009 - 05:45 PM.
Moved from HJT to a more appropriate forum. Tw




#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:29 PM

Posted 20 August 2009 - 06:47 PM

What happens if you try to do an anti-virus scan?
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 TheChin


Posted 21 August 2009 - 05:04 PM

I imagine that if I tried a virus scan, my computer would freeze or I might be notified that the antivirus program had been deleted (not by me). I tried to do a virus scan once, but at some point when I was trying to access the program, my computer froze. Since ctrl-alt-del doesn't work, I figured a virus scan wouldn't. I haven't been on my computer since my above post, because I'm worried what other programs the virus might delete in the process. Would you suggest trying an antivirus scan anyway, just in case? Do you think it would be able to find and remove the virus if the antivirus program somehow was allowed to work? Thanks.

#4 Budapest


Posted 21 August 2009 - 06:04 PM

Try doing an anti-virus scan in Safe Mode.

How to start Windows in Safe Mode

#5 TheChin


Posted 22 August 2009 - 07:34 PM

Okay, my computer's running in Safe Mode now. I had 2 antivirus programs I downloaded over a year ago, called Ad-aware 07 and Adwatch 07. I performed scans with them before, but I just tried to open them, and it said it was doing a search for the files, and then I got a message informing me that the program I requested has either been deleted or its location was changed. I'm sure I never deleted or changed the location of these files, but it's true I haven't used them in some time.

So I was going to try windows firewall to see if that could scan for viruses, but it said that I needed to be connected to the internet. It asked me if I wanted to join an internet sharing/compatibility program or something called ICN(?). I clicked NO, and here I am.

I didn't know about safe mode, so thanks for suggesting that. Now what should I do? I could try downloading an antivirus with a USB if that's possible. I heard you can't use the internet in Safe Mode, but there's a "Safe Mode" for firefox- should I try using that to download an antivirus program? Is there a program built into my computer I could use to run a scan? What would you do? Thanks again.

#6 Budapest


Posted 23 August 2009 - 01:22 AM

Download and install the free version of AVG (they have both a free and paid-for version, so make sure you get the free one). Once it is installed, run a scan in Safe Mode. Post back the log from the scan.

#7 TheChin


Posted 25 August 2009 - 06:08 PM

My computer wouldn't download the AVG antivirus in Safe Mode (it needed the internet, which was unavailable in Safe Mode), but surprisingly I was able to download it in normal mode. I then, still in normal mode, ran an antivirus scan. Then something that called itself "windows antivirus pro" kept sending me pop-ups (even after I turned the net off). I noticed many of the pop-ups had no name in their little slot on the menu-bar (at the bottom of the screen). I also got warning bubbles periodically in the lower right-hand of my screen, telling me things like "somebody is truing to attack your PC, click here to stop them now" (trying was spelt incorrectly). It kept warning me that other computers in my network could be infected if I didn't stop the problem now. All of these warnings had a symbol which was a small grayish, thin triangular shield with two small notches/scratches in the middle. I continued to run the AVG antivirus scan, and I stopped trying to X out of the WAP warnings, because they often would display another screen if I tried to close them. At 2 points, just my background turned blue and then back to normal. Another WAP pop-up came up, telling me it had performed a virus scan, and gave me a list of my own programs, labeling them as either "HIGH RISC" or "LOW RISC", again misspelling.

As for the results of the virus-scan, around 30 threats were found when I last looked, and there was a large list of problems, including: Trojan Horse downloading files, etc., Tracking files, and a few others. I took a picture of this while the virus-scan was running, but the pic is useless (I can't read it). I planned on copying the virus info for you when the scan was over. However, maybe at the end of the scan, my computer logged off by itself (!?). I logged back on, and found that AVG was no longer there, but the WAP warnings still were. I was able to use ctrl-alt-del this time, but after I ended tasks on the WAP warnings, some just popped up again. So I shut down and went into safe mode to try another scan.

I performed a full-computer scan of all the programs possible to scan in Safe Mode. When the scan finished, I wasn't given a report like I thought I'd be given. It just went back to the normal AVG screen. Since AVG was set to clean bad files automatically, I thought my computer might be cured now, but when I went back to normal mode I realized that it was just as bad as before.

If you need specific info about the threats found, I'll run another scan and post the info in my next response. What should I do now?

#8 TheChin


Posted 25 August 2009 - 06:15 PM

OK, I'm running another scan now, and I'll post the log.

#9 TheChin


Posted 25 August 2009 - 10:04 PM

Here is the log of the AVG antivirus scan in Safe Mode:



AVG 8.5 Anti-Virus command line scanner
Copyright © 1992 - 2009 AVG Technologies
Program version 8.0.401, engine 8.0.408
Virus Database: Version 270.13.65/2324 2009-08-24


\\?\globalroot\systemroot\system32\UACqiqtorhals.dll Trojan horse Downloader.Zlob.AOED Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACwmppbjllxr.dll Trojan horse Downloader.Zlob.AOEC Object was moved to Virus Vault.
C:\WINDOWS\system32\svchost.exe (792) Trojan horse Downloader.Zlob.AOED Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACwmppbjllxr.dll Trojan horse Downloader.Zlob.AOEC Object was moved to Virus Vault.
C:\WINDOWS\explorer.exe (1036) Trojan horse Downloader.Zlob.AOEC Object was moved to Virus Vault.
\\?\globalroot\systemroot\system32\UACwmppbjllxr.dll Trojan horse Downloader.Zlob.AOEC Object was moved to Virus Vault.
C:\Program Files\Internet Explorer\IEXPLORE.EXE (1328) Trojan horse Downloader.Zlob.AOEC Object was moved to Virus Vault.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Locked file. Not tested.

C:\Documents and Settings\smithjd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\smithjd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\smithjd\Local Settings\Temporary Internet Files\Content.Word\~WRS2016.tmp Locked file. Not tested.
C:\Documents and Settings\smithjd\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\smithjd\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\config\default Locked file. Not tested.
C:\WINDOWS\system32\config\DEFAULT.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\software Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\system Locked file. Not tested.
C:\WINDOWS\system32\config\System.LOG Locked file. Not tested.
C:\WINDOWS\system32\drivers\sptd.sys Locked file. Not tested.
C:\WINDOWS\system32\ias\ias.mdb:\embedded.doc



So there you have it.
My computer froze up at the same time in my first two attempts to get into Safe Mode, but I was eventually able to. Hope this helps.
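
A scan log like the one posted above can be triaged mechanically. The following Python is an added example, not part of the original thread and not an AVG tool; it assumes the line layout seen in this log and reads the number in parentheses after an executable path as a process ID.

```python
import re
from collections import defaultdict

# Sample input: a subset of lines copied from the scan log posted above.
SAMPLE_LOG = r"""
\\?\globalroot\systemroot\system32\UACqiqtorhals.dll Trojan horse Downloader.Zlob.AOED Object was moved to Virus Vault.
C:\WINDOWS\system32\svchost.exe (792) Trojan horse Downloader.Zlob.AOED Object was moved to Virus Vault.
C:\WINDOWS\explorer.exe (1036) Trojan horse Downloader.Zlob.AOEC Object was moved to Virus Vault.
C:\Program Files\Internet Explorer\IEXPLORE.EXE (1328) Trojan horse Downloader.Zlob.AOEC Object was moved to Virus Vault.
C:\pagefile.sys Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\ias\ias.mdb:\embedded.doc
"""

# Assumption: "<path> [(<pid>)] Trojan horse <name> <action>" is the detection
# layout, inferred only from the lines in this thread, not from AVG documentation.
DETECTION = re.compile(
    r"^(?P<path>.+?)(?: \((?P<pid>\d+)\))? Trojan horse (?P<name>\S+) (?P<action>.+)$")
LOCKED = re.compile(r"^(?P<path>.+?) Locked file\. Not tested\.$")


def triage(log_text):
    """Split a scan log into detections, untested files and unparsed lines."""
    report = {"threats": defaultdict(set), "processes": [],
              "locked": [], "unparsed": []}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        hit = DETECTION.match(line)
        if hit:
            # Group distinct objects under each detection name.
            report["threats"][hit["name"]].add(hit["path"])
            if hit["pid"]:
                # Numeric suffix in parentheses: treated as a process ID.
                report["processes"].append((hit["path"], int(hit["pid"])))
            continue
        locked = LOCKED.match(line)
        if locked:
            report["locked"].append(locked["path"])
        else:
            # Truncated or unknown lines are kept for manual review.
            report["unparsed"].append(line)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, paths in sorted(result["threats"].items()):
        print(f"{name}: {len(paths)} distinct object(s)")
    print("processes flagged:", result["processes"])
    print("locked, not tested:", len(result["locked"]))
    print("unparsed:", result["unparsed"])
```

Entries reported as "Locked file. Not tested." were not scanned, so their count belongs next to the detections when reading the result.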

#10 Budapest


Posted 25 August 2009 - 10:08 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#11 TheChin


Posted 08 September 2009 - 01:12 AM

Okay, I finally tried downloading MBAM. Sorry it took so long to reply. I downloaded the "registry booster" free scan. I tried running the program in Safe Mode on my infected comp, but after it downloaded, and I tried to open it, it said that multiple applications cannot run at once. It said later that I should uninstall the program first, then reinstall it, indicating I already have this program (I don't).

You said to install the program while on-line. So I connected to the net (not in Safe Mode) and tried running the program. A fake warning bubble (from the virus itself) in the bottom of the screen said that running the program is impossible as it is infected, and then suggested that I use their antivirus. I checked to see if I was able to run other programs like Microsoft Word and VLC media player, and I was.

I restarted my computer, but updates were installing and I didn't know if this was part of the virus (I can't use firefox, but I can install updates?). I didn't think it was part of the virus but I shut off my computer immediately, and tried running "registry booster" again. I still wasn't allowed to open it.

Did I download the right program in the first place? If I did/didn't, still how am I supposed to run a program if the virus won't let me open it?



