please help remove malware


This topic is locked
56 replies to this topic

#46 myrti
Posted 16 November 2009 - 02:20 PM

Hi,

Are you able to boot into safe mode? You should be able to see an Administrator account. Please try to log into that one and tell me whether you get the same error message for the Administrator account.

Could you please also give me the exact error message in your next reply.

thanks myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+



#47 devilfruit

  • Topic Starter

Posted 16 November 2009 - 02:57 PM

I logged in to the same account (cherub) in safe mode and can confirm the error message did not pop up.
However, the actual error message is:
"Windows could not connect to the Group Policy Client service. The problem prevents limited users from logging on to the system. As an administrative user you can review the system event log for details as to why the system didn't respond."


thanks
devilfruit

#48 myrti


Posted 16 November 2009 - 03:07 PM

Hi,

I will look into that error message right now. Since you did not get the error message in safe mode, could you please check whether you can create a new account from there?


Please also run the following command: set > log.txt & log.txt and paste the output here.

regards myrti



#49 devilfruit

  • Topic Starter

Posted 16 November 2009 - 03:18 PM

No worries logging in to the account I created earlier.

Here is the log (the profile is called Jamie Moore):

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Jamie Moore.cherub-PC\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CHERUB-PC
ComSpec=C:\Windows\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Users\Jamie Moore.cherub-PC
LOCALAPPDATA=C:\Users\Jamie Moore.cherub-PC\AppData\Local
LOGONSERVER=\\CHERUB-PC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\System32
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 22 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=1601
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\JAMIEM~1.CH~\AppData\Local\Temp
TMP=C:\Users\JAMIEM~1.CH~\AppData\Local\Temp
USERDOMAIN=cherub-PC
USERNAME=Jamie Moore
USERPROFILE=C:\Users\Jamie Moore.cherub-PC

Thanks Devilfruit

#50 myrti


Posted 16 November 2009 - 03:33 PM

Hi,

lol, now you got me confused. :(

To clarify: You now have two accounts on the PC.
For the cherub account you get the error message in normal mode, but not in safe mode.
What about the new account? Do you also get the error message in normal mode, or not?

Could you please provide the output from the command I gave earlier when you run it in the cherub-account in safe mode?

regards myrti



#51 devilfruit

  • Topic Starter

Posted 16 November 2009 - 03:46 PM

lol, yes.
I created a new account in normal mode (jamie) but wasn't able to actually log in to it. In safe mode I can log in to the account (jamie), also with no errors.

Here is the log report for cherub in safe mode. I will also restart in normal mode and post the exact reason why jamie won't log on in normal mode, and post that to you shortly.

lol :(



ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\cherub\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CHERUB-PC
ComSpec=C:\Windows\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Users\cherub
LOCALAPPDATA=C:\Users\cherub\AppData\Local
LOGONSERVER=\\CHERUB-PC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 22 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=1601
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SAFEBOOT_OPTION=NETWORK
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
USERDOMAIN=cherub-PC
USERNAME=cherub
USERPROFILE=C:\Users\cherub


regards devilfruit
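The two dumps above (posts #49 and #51) are the output of cmd.exe's `set`, which prints one NAME=value line per environment variable; the `& log.txt` half of the command opens the saved file with whatever program handles .txt. Reading them by hand is tedious, so here is an added example, not code from the thread or from BleepingComputer, that parses `set` output and reports the things a helper would look at: whether the box is in safe mode (`SAFEBOOT_OPTION`), whether the profile folder carries the `.<COMPUTERNAME>` suffix Windows adds when the default folder name is already taken, whether HOMEDRIVE+HOMEPATH and USERPROFILE agree, and whether PATH is missing or lacks the Windows directories. The sample input is the two dumps from the posts, trimmed to the keys the checks use; the thread does not explain why PATH is so short in one dump and absent in the other, so the script only reports that.

```python
"""Parse cmd.exe `set` output and flag the profile/environment oddities
visible in the two dumps posted in this thread (added example, not from
the original posts)."""
from typing import Dict, List

# Sample input: the two dumps from posts #49 and #51, trimmed to the keys
# the checks below use. Values are verbatim from the thread.
DUMP_JAMIE = r"""COMPUTERNAME=CHERUB-PC
HOMEDRIVE=C:
HOMEPATH=\Users\Jamie Moore.cherub-PC
Path=C:\Windows\System32
SAFEBOOT_OPTION=NETWORK
SystemDrive=C:
SystemRoot=C:\Windows
USERNAME=Jamie Moore
USERPROFILE=C:\Users\Jamie Moore.cherub-PC
"""

DUMP_CHERUB = r"""COMPUTERNAME=CHERUB-PC
HOMEDRIVE=C:
HOMEPATH=\Users\cherub
SAFEBOOT_OPTION=NETWORK
SystemDrive=C:
SystemRoot=C:\Windows
USERNAME=cherub
USERPROFILE=C:\Users\cherub
"""


def parse_set_output(text: str) -> Dict[str, str]:
    """Turn `set` output (one NAME=value per line) into a dict.

    Windows variable names are case-insensitive, so names are upper-cased;
    values are kept as-is (they may themselves contain '=').
    """
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.rstrip("\r")
        if not line or line.startswith("=") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        env[name.strip().upper()] = value
    return env


def check_environment(env: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a parsed environment."""
    findings: List[str] = []

    # SAFEBOOT_OPTION only exists when Windows was started in safe mode.
    if env.get("SAFEBOOT_OPTION"):
        findings.append(
            f"safe mode ({env['SAFEBOOT_OPTION']}): normal-mode services are not running"
        )

    user = env.get("USERNAME", "")
    profile = env.get("USERPROFILE", "")
    sysdrive = env.get("SYSTEMDRIVE", "C:")
    expected = f"{sysdrive}\\Users\\{user}"
    # Windows names a new profile folder "<user>.<COMPUTERNAME>" when
    # "<user>" is already taken, so a suffix means the account's profile was
    # created while an older folder of that name still existed.
    if user and profile and profile.lower() != expected.lower():
        findings.append(
            f"profile folder {profile} is not {expected}: profile was recreated "
            "while the original folder still existed"
        )

    home = env.get("HOMEDRIVE", "") + env.get("HOMEPATH", "")
    if home and profile and home.lower() != profile.lower():
        findings.append(f"HOMEDRIVE+HOMEPATH ({home}) differs from USERPROFILE ({profile})")

    # A missing or truncated PATH breaks tools run from cmd.exe; the thread
    # does not say why these dumps look like this, so only report it.
    sysroot = env.get("SYSTEMROOT", "")
    path = env.get("PATH")
    if path is None:
        findings.append("PATH is not set")
    else:
        dirs = {d.strip().rstrip("\\").lower() for d in path.split(";") if d.strip()}
        for needed in (sysroot, sysroot + "\\System32"):
            if needed and needed.lower() not in dirs:
                findings.append(f"PATH lacks {needed}")
    return findings


if __name__ == "__main__":
    for label, dump in (("Jamie Moore (safe mode)", DUMP_JAMIE), ("cherub (safe mode)", DUMP_CHERUB)):
        print(label)
        for finding in check_environment(parse_set_output(dump)):
            print("  -", finding)
```

Run it as-is to see the findings for the two posted dumps, or paste a fresh `set` dump into `parse_set_output` from a file. Both dumps report safe mode; the Jamie Moore dump additionally reports the suffixed profile folder and a PATH without C:\Windows, and the cherub dump reports that PATH is absent.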

#52 devilfruit

  • Topic Starter

Posted 16 November 2009 - 03:54 PM

OK, in normal mode in cherub now. I tried to log on with jamie, but underneath it just said "Windows couldn't connect to the Group Policy Client service. Please contact your system administrator for help."


thanks devilfruit

#53 myrti


Posted 17 November 2009 - 09:56 AM

Hi,

The logs say that System Restore is not working. Can you please tell me whether that is true?

Go to Start -> Run -> type rstrui.exe. A window will open; follow the instructions to restore from an older restore point (if possible). What is the oldest restore point you have?

Could you please also try to download and rename ComboFix in safe mode and have it run from there:
Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • rename it to fun.exe
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


I suppose a format and reinstall is not an option? I would really advise this as the best solution if you got the PC from someone else or intend to give it away. This will remove all private data of the previous owner and removes every kind of problem from user profile corruption and the like that you might have.

Was this PC used in a network of some sort before? Did it use to be a business PC?
regards myrti



#54 devilfruit

  • Topic Starter

Posted 17 November 2009 - 10:53 AM

hi myrti
Before I try your next steps: this laptop hasn't been used for business or linked to a network. System Restore is working fine, but I have used it at least five times and the earliest restore point is earlier today. I'll post the ComboFix log in safe mode in a moment, but I am of like mind about the backup and reinstall of the OS. I have to ask, though, since I don't have a copy: I am halfway through downloading XP on Vuze, but it is a larger file than the CD can hold. Is it possible to burn it on 2 CDs and do it that way? (FYI, I'm using NTI CD Maker.)

thanks devilfruit

#55 devilfruit

  • Topic Starter

Posted 17 November 2009 - 12:06 PM

hi myrti

I think the whole thing's reached an event horizon and won't come back. ComboFix would not create a log in safe mode, and while it was running it said to check the date, that it could not find text for 0x8, and mid-run it said that pev.exe would not respond and to close the program or find an online solution. And now not even System Restore will work, even though I only used it yesterday!!??

I'm not one for giving up normally, but today was the last day I can work on this properly, so thanks a million for all your time and help, and sorry it was such a headache. You are the best!!!!

Kind Regards
Devilfruit

#56 myrti


Posted 18 November 2009 - 08:44 AM

Hi,

There was indeed a date problem with ComboFix yesterday; this has been changed, and if you run a new copy it should not give you such problems.

I'm sorry I was unable to help you with your problems. I believe that we were making headway with the new user account: we had a functional account from which our tools can/could be run. Sadly that was too late.

If I had known that you were fixing a pre-owned setup, I would have advised you to do a clean install from the start. I believe this is the best solution.

regards myrti



#57 myrti


Posted 24 November 2009 - 04:13 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

