Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Zero Access Rootkit Removal


  • This topic is locked This topic is locked
56 replies to this topic

#1 tiffanyk

tiffanyk

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Florida
  • Local time:12:36 PM

Posted 01 June 2012 - 06:32 PM

Hello! I have an old but still in good shape desktop, we use it for the kids & school reports. Well, somehow even though no one will admit to it, I believe is infected with the rootkit zero access, along with other things. :angry: If it is the zero access rootkit, I understand even if I we remove the virus it can still leave the computer vulnerable and "unsecure". But I'm willing to try it anyway.
So I have an old Compaq Presario, 2005, running XP Home edition.
I use Malwarebytes and ran a scan last week. 7 objects were detected. Malwarebytes said all was removed. I ran another scan, and everything was clean. But I knew all was not well by how slow it was running. So I downloaded the trial version of Kaspersky, and more objects were detected. Most were removed, but it came back with an error on disinfection. My only choice (the other choices were grayed out) was to ignore (recommended).
This object is: afd.sys Untreated: Virus.Win32.ZAccess.aml

and then there are various other alerts of malware that are "multigeneric".

While I was writing this, Kaspersky alerted me of active malicious software, Trojan program: Trojan.Win32.Sasfis.dfya. Location c:\WINDOWS\system35\usbnlw32.dll

Oh, and Malwarebytes has since disappeared from my computer. Not sure if the malware deleted it, or what but its gone.

I can search in the google toolbar, but if I click on a link from the searches I am redirected to various ad-looking websites. If I manually enter the address myself, I have no problems.

I cannot figure out how to post a log of the Kaspersky scan, it doesn't seem to have the neat log that I can copy and paste! I ran the DDS scan and the GMER scan. The GMER scan ran for about 2 1/2 hours and then popped up with a warning that changes had been made to the system- or something to that effect. I hit ok, and then it said scan was stopped? - No one stopped the scan. Does that mean it was finished?

Here is the DDS Log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Compaq_Owner at 16:51:48 on 2012-06-01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.210 [GMT -4:00]
.
AV: AVG Internet Security *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\klwtblfs.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2012\ievkbd.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2012\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [VTTimer] VTTimer.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2012\avp.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\6750491\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Search
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2012\ievkbd.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2012\klwtbbho.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} - hxxps://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130034722187
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/chuzzledeluxe/popcaploader_v10.cab
DPF: {EFD1E13D-1CB3-4545-B754-CA410FE7734F} - hxxp://www.cvsphoto.com/upload/activex/v3_0_0_2/PhotoCenter_ActiveX_Control.cab
TCP: DhcpNameServer = 10.0.0.1
TCP: Interfaces\{412F0915-ACBC-4864-B955-2B837039B452} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{868AE7B3-FEC2-4952-B07D-425E6014338A} : DhcpNameServer = 10.0.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\windows\system32\drivers\kl1.sys [2011-3-4 133208]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-3 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-3 108552]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2011-3-4 11352]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2012-5-23 565552]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2012\avp.exe [2011-4-24 202296]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-8-3 29208]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2011-3-10 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-11-2 19472]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-3 27784]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-12-18 136176]
S2 NEC Usb3.0;NEC USB3.0 Service;c:\windows\system32\svchost.exe -k NECUsb3 [2004-11-28 14336]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-11 257696]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-3 29208]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-7-20 17149]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-12-4 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-12-18 136176]
S3 gUSBSTOi;gUSBSTOi;c:\docume~1\compaq~1\locals~1\temp\gUSBSTOi.sys [2004-1-29 31744]
S3 phc700;USB PC Camera (phc700);c:\windows\system32\drivers\phc700.sys --> c:\windows\system32\drivers\phc700.sys [?]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2009-7-20 384608]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-3 297752]
.
=============== Created Last 30 ================
.
2012-05-23 21:17:11 97961 ----a-w- c:\windows\system32\drivers\klick.dat
2012-05-23 21:17:11 115369 ----a-w- c:\windows\system32\drivers\klin.dat
2012-05-23 21:15:08 -------- d-----w- c:\program files\Kaspersky Lab
2012-05-23 21:15:08 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab
2012-05-22 18:43:21 664 ----a-w- c:\documents and settings\compaq_owner\local settings\application data\d3d9caps.tmp
2012-05-22 13:28:26 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
==================== Find3M ====================
.
2012-05-05 13:48:14 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-05 13:48:14 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-11 13:12:06 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 13:10:58 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 12:35:52 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-01 18:20:48 230808 ----a-r- c:\windows\system32\cpnprt2.cid
2012-03-11 13:37:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-11 13:37:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-05 01:34:42 1409 ----a-w- c:\windows\QTFont.for
.
============= FINISH: 16:53:26.12 ===============
GMER file was to big to attach, so I will cut and paste next post.

Attached Files



BC AdBot (Login to Remove)

 


#2 tiffanyk

tiffanyk
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Florida
  • Local time:12:36 PM

Posted 01 June 2012 - 06:45 PM

Ok so maybe I did the GMER scan wrong, because it's too big to upload and too long to post- even if I break it up in two posts???

#3 KarstenHansen

KarstenHansen

    The Dane


  • Members
  • 1,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 PM

Posted 03 June 2012 - 02:24 PM

Hi tiffanyk,
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

#4 tiffanyk

tiffanyk
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Florida
  • Local time:12:36 PM

Posted 03 June 2012 - 02:29 PM

Ok. Thanks so much!

#5 KarstenHansen

KarstenHansen

    The Dane


  • Members
  • 1,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 PM

Posted 04 June 2012 - 11:59 AM

Hi tiffanyk :)

:welcome: to BleepingComputer.

My name is Karsten and I'll help you with the cleanup of malware from your computer.

Please be aware of the following:
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 3 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. Formatting is usually faster and always the safest way.
  • If you decide to clean your PC, work with us until a team member tells you that you are clean.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.

:step1: Backdoor Trojan warning:

One or more of the identified infections is ZeroAccess, a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Please tell me if you want to go on with our removal or if you want to reinstall the operating system?

If you want to continue the cleanup process, I would like you to do the following:

:step2: Run Combofix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

#6 tiffanyk

tiffanyk
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Florida
  • Local time:12:36 PM

Posted 04 June 2012 - 12:13 PM

Hello Karsten! As much as I would like to just reformat and reinstall the OS, I do not have any disks to do so. Also, the cd drive on this machine has been broken for a while, so I am limited to a flash drive at this point. If you could tell me how to reformat and reinstall OS despite these problems that would be great.

#7 KarstenHansen

KarstenHansen

    The Dane


  • Members
  • 1,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 PM

Posted 04 June 2012 - 01:49 PM

Hi tiffanyk :)
We can clean it up np, so if you would please continue and run combofix as written in previous post and post back with the resulting log.

Best Regards,
Karsten

#8 tiffanyk

tiffanyk
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Florida
  • Local time:12:36 PM

Posted 04 June 2012 - 03:11 PM

Ok, I got all the way to combo fix installing. I had AVG Internet security installed a few years ago, but uninstalled it a while back. Combofix gave me a warning box that AVG Internet security is running and to disable it. But I do not have AVG. it is not in my start menu, or add/remove programs in control panel. I opened task manager, nothing running that looks like avg.

Edited by tiffanyk, 04 June 2012 - 03:38 PM.


#9 KarstenHansen

KarstenHansen

    The Dane


  • Members
  • 1,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 PM

Posted 05 June 2012 - 06:51 AM

Hi tiffanyk :)
:step1: Okay you have alot of leftovers from AVG (I saw the leftovers in the dds log too) and we need that program uninstalled properly, please do the following:
Download this AVG Removal tool and save it to your desktop. Run the tool and let it do its work in removing AVG.

After this tool is done please reboot the PC and continue onto Combofix. Do this:

:step2: Run Combofix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Did all go as it should, please let me know.

Best Regards,
Karsten

#10 tiffanyk

tiffanyk
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Florida
  • Local time:12:36 PM

Posted 05 June 2012 - 12:42 PM

Ok I ran the AVG removal scan. It came up, did its thing, and then said I needed to reboot. After reboot, it came back up and started doing something. Then it dissapeared. I waited, and nothing. I thought maybe it was done so I rebooted and then tried to run combofix. Combofix gave me the same error about AVG running. So I rebooted, tried to run the ABG removal again. It ran for about 20 seconds, then dissapeared. I did this again and the same thing. Here is the log from AVG in two parts ( i had no choice but to attach it- sorry

Attached Files



#11 tiffanyk

tiffanyk
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Florida
  • Local time:12:36 PM

Posted 05 June 2012 - 12:55 PM

Well that attachment is only one part of the log. I don't understand why I can't just copy and paste a log in to the post without it being too big? And if I try to attach it it is too big. If I break it up in two or three parts it is still to big to post or attach. This is confusing me. I have no way to get you the entire AVG log without breaking it up in 6 pieces and posting. On a computer that is running very slow, it is torture! Is there any other way to remove AVG so I can run combofix?

#12 KarstenHansen

KarstenHansen

    The Dane


  • Members
  • 1,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 PM

Posted 05 June 2012 - 01:43 PM

Hi tiffanyk :)
I would like you to just run combofix, when it gets to the warning, just click yes to continue and ignore the warning. Please post the combofix log after.

Best Regards,
Karsten

#13 KarstenHansen

KarstenHansen

    The Dane


  • Members
  • 1,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 PM

Posted 08 June 2012 - 12:05 PM

Hi tiffanyk :)
I have not heard from you in three days and I would like to know if the issue has been fixed or if you still require my help??

If you still require my help please continue and do the following:
I would like you to run combofix, when it gets to the warning, I want you to click yes to continue and ignore the warning. (Dont worry your AV warning, is just leftovers and can do no harm). Please post the combofix log after.

I would like to point out that in 48 hours if I have had no answer from you yet, this topic will then get closed.

Best Regards,
Karsten

Edited by KarstenHansen, 08 June 2012 - 02:20 PM.


#14 tiffanyk

tiffanyk
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Florida
  • Local time:12:36 PM

Posted 08 June 2012 - 01:54 PM

Yes, I am still in need of your help. I have not been able to run combo fix yet, but I plan on doing it tonight and posting the log. Sorry for the delay.

#15 KarstenHansen

KarstenHansen

    The Dane


  • Members
  • 1,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:36 PM

Posted 08 June 2012 - 02:23 PM

That's 100% okay, I will look forward to continuing our work. And also I thank you for answering me :)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users