WiredWX Christian Hobby Weather Tools
Hello all, new member here, Need help
Hi All,
My name is Rob.
I am a painter by trade and really do not know much about PC stuff.
I got online Friday morning for a sec before work and everything was fine. But when I got home my PC had the Antivir Pro virus on it. I have looked everywhere for how to remove it.

I have found the info on it here but I cannot get anything to work as it will not go past the main page. I have seen how people have said they are downloading things and such but I can do nothing here. The safe mode does nothing. When I go to Tools and try that, it will not let me apply the new setting. I could really use some help if someone was willing to walk me through it in layman's terms so I could understand what is going on.
Please help if you can.
Thanks again and hope everyone else is having a great weekend.

Re: Hello all, new member here, Need help
Hi, welcome to GeekPolice.net!

Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.

Note: This tool only kills the active infection; the infection itself will not be gone. Once you reboot, the infection will be active again! Please do not reboot until instructed further to do so.

========

Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.sys
    %systemroot%\system32\drivers\*.dll
    %systemroot%\system32\drivers\*.ini
    %systemroot%\system32\drivers\*.exe
    %SYSTEMDRIVE%\*.*
    %PROGRAMFILES%\*.
    %appdata%\*.*
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    disk.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    usbstor.sys
    /md5stop
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.


Note: in the event that OTL fails to run, please use alternate download links to try again:

http://oldtimer.geekstogo.com/OTL.com
http://oldtimer.geekstogo.com/OTL.scr

............................................................................................

I'm livin' life in the fast lane.

Re: Hello all, new member here, Need help
Hi,
Thanks for the help with this. I cannot download anything as I cannot get online on the PC with the problem. I tried to go through the Tools part with Explorer but cannot get the changes to apply.
I do not know what to do here.

Re: Hello all, new member here, Need help
Hi,

Do you have a clean machine you can download them on and transfer them over to the infected machine with a USB drive?


Re: Hello all, new member here, Need help
Can I burn these to a CD and do it that way? Or should I go buy one of those USB things and download it to that? I can download onto this PC.
Thanks for the help here as well.

Re: Hello all, new member here, Need help
Hi,

Nah, don't worry about that, try this:

Remove the Proxy setting in Internet explorer and/or in FireFox.

In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"

Click the apply button and restart that computer in normal mode.

=====

Then try to download Rkill and OTL.

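The helper's advice above is to clear the proxy that the rogue antivirus has set, because that proxy is what stops the removal tools from downloading. The Internet Options dialog was being blocked in this thread, so the same check can be done from a script instead. The following is an added example, not part of the thread and not one of the tools it mentions: a Python script that parses the text `reg query` prints for the per-user Internet Settings key, reports whether a proxy or auto-config (PAC) URL is set, and prints the `reg add` / `reg delete` commands that would restore a direct connection. The embedded `reg query` output is constructed for this example; `127.0.0.1:5555` and the PAC URL are placeholders, not indicators taken from the thread.

```python
"""Check the WinINet (Internet Explorer) proxy settings for a hijack.

Added example for this thread, not one of the tools it mentions. It parses the
text that `reg query` prints for the per-user Internet Settings key, reports a
proxy or auto-config (PAC) URL if one is set, and prints the `reg` commands
that restore a direct connection. Off Windows, a constructed sample is used.
"""
import re
import subprocess
import sys

INTERNET_SETTINGS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed sample in `reg query` layout; 127.0.0.1:5555 and the PAC URL are
# placeholders for this example, not indicators taken from the thread.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    http=127.0.0.1:5555
    AutoConfigURL    REG_SZ    http://example.invalid/proxy.pac
    MigrateProxy    REG_DWORD    0x1
"""

# Value lines are indented: "<name>    <REG_type>    <data>"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Return {value_name: (reg_type, data)} from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            name, reg_type, data = m.groups()
            values[name] = (reg_type, data.strip())
    return values


def _dword(data):
    """reg query prints REG_DWORD data as hex (0x1); accept decimal as well."""
    return int(data, 16) if data.lower().startswith("0x") else int(data)


def assess_proxy(values):
    """Return a list of human-readable findings; an empty list means direct connection."""
    findings = []
    if _dword(values.get("ProxyEnable", ("REG_DWORD", "0x0"))[1]):
        server = values.get("ProxyServer", ("REG_SZ", ""))[1]
        findings.append(f"ProxyEnable=1 with ProxyServer={server!r}")
        # A proxy that points back at the local machine is a common way a rogue
        # antivirus blocks downloads of removal tools.
        if re.search(r"\b(127\.0\.0\.1|localhost)\b", server):
            findings.append("proxy points at the local machine: consistent with a hijack")
    pac = values.get("AutoConfigURL", ("REG_SZ", ""))[1]
    if pac:
        findings.append(f"AutoConfigURL (PAC script) is set: {pac}")
    return findings


def remediation_commands(values):
    """`reg` commands that restore a direct connection (printed, not executed)."""
    cmds = []
    if "ProxyEnable" in values:
        cmds.append(f'reg add "{INTERNET_SETTINGS}" /v ProxyEnable /t REG_DWORD /d 0 /f')
    for name in ("ProxyServer", "AutoConfigURL"):
        if name in values:
            cmds.append(f'reg delete "{INTERNET_SETTINGS}" /v {name} /f')
    return cmds


def main():
    if sys.platform == "win32":
        text = subprocess.run(["reg", "query", INTERNET_SETTINGS],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_REG_OUTPUT  # constructed sample when not on Windows
    values = parse_reg_query(text)
    findings = assess_proxy(values)
    print("\n".join(findings) or "no proxy configured")
    for cmd in remediation_commands(values):
        print(cmd)


if __name__ == "__main__":
    main()
```

The script only prints the `reg` commands rather than running them, so the person at the keyboard applies the change deliberately and can compare what it reports with what the Connections tab shows; HKCU values are per user, so it must be run as the affected account.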

Re: Hello all, new member here, Need help
I have IE,
I tried this below
In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"

Click the apply button and restart that computer in normal mode.

But it will not let me use the Apply button. I think if that would work I might have a chance at fixing it. Do you think if I bought a USB thing I could get that to work? By doing that, would the PC bring it up or would this virus thing block it again?
Thanks again for the help.

Re: Hello all, new member here, Need help
Hi,

Yes, do you have a clean computer you can download the programs to? If so, can you please get a USB drive and transfer them over?


Re: Hello all, new member here, Need help
OK, I cannot change the proxy setting as it will not let me do this. I can click it off and hit OK but then the Apply tab will not work. I also cannot get the PC to restart in safe mode for some reason. I was able to copy MBAM to a CD but the PC will not bring that up either.

I really don't know how people are getting the things to change for them. I have been trying for two days now and just do not know what to do. The PC will not let me do anything but switch back and forth from Windows Security Alert to Spyware Alert to Viagra site to porn site.

The sad thing is I have all copies of med records and reports on this PC for a family member awaiting a heart transplant.
But thanks for the help with this. It takes a good-hearted person to take the time to work with people here like you all do.

I just wish I knew more about PCs than I do.

Re: Hello all, new member here, Need help
BTW,
I know I saw it posted somewhere last night on what files needed to be deleted to remove this by hand. But I cannot find them now. Anyone know where they might be located? I know I was on the site when I found them.
Just can't find them now.

Re: Hello all, new member here, Need help
Hi,

There are still some things we can try, I will not give up.

Please download OTH.scr to your desktop

Please download OTL to your Desktop

Save all work and close all programs, the next step will stop nearly every process on your computer!


Double click the OTH file and select Kill All Processes, your desktop will go blank



Then select Start OTL
OTL will now run

  • Double-click on the Custom Scans box and a message box will popup asking if you want to load a custom scan from a file
    Select Scan.txt that you downloaded

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so.

    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Copy and paste the contents back here.



Re: Hello all, new member here, Need help
I copied this to a CD. Then put it in the machine I am having problems with.
I can hear it start but it will not come up on my screen or ask where I would like it downloaded to. Sneaky, if you are in the States and might be willing to chat with me on the phone please send me an e-mail to
[Mod Removed] and let me know a # you can be reached at.
I don't have a lot of money here but would be willing to pay something to you or the site for help.
Thanks again

Re: Hello all, new member here, Need help
Hi,

I don't have a phone right now, lightning borked it...and cell phone is dead.. :sad:

I removed your email, just in case a spam bot tries to harvest it.

This will most definitely 100% work:

We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

Download the OTLPE Standard REATOGO Windows Recovery Environment.
  • Place a blank CD-R disc in to your CD burning drive.
  • Download OTLPEStd.exe and double-click on it to burn to a CD using ISO Burner.
  • Reboot your system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD, follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Non-Microsoft
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\_OTL\MovedFiles
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.


Re: Hello all, new member here, Need help
I give up. Nothing here works for me. I am not sure why. But thanks for the help. I am going to send the pc to someone and see if they can fix it.

Re: Hello all, new member here, Need help
Hi,

You're welcome, but there are still more things we can try. As for getting a computer repair shop to do it, it will cost a lot, whereas we will do it for free.

If you decide to continue with this thread I will be happy to help further.


Re: Hello all, new member here, Need help
Well,
I have tried everything. All that you have tried to help me out with and a few other things. The PC will not go into safe mode. I have Vista and have been told that when it is in safe mode it will say safe mode in all four corners of the screen.

When I do try safe mode it just causes it to restart the same page. I cannot get the proxy to switch and the Apply tab does not work. The virus has my USB port and my CD drive blocked as well.

Let me know if you think there is anything we can do. The guy that is going to look at it is a few states away so I would have to ship it off to him. He reworked my daughter's PC online but since I cannot get online he cannot see my PC and what is going on.
The virus has blocked everything on it. But I have seen people post the same problems I am having and then say they got it fixed but won't say how they did it.
I am just at a loss here as to what to do. I need this PC working in a real bad way. Please let me know what you think on this.
Thanks for your help, BTW. Not many people are willing to help each other out these days.

Re: Hello all, new member here, Need help
Hi,

There are a few more things we can try.

First, a few questions so I can figure out how to approach this in the most effective way possible.

1. Are you able to get on the internet at all?

2. What does it say when you try to open things?


Re: Hello all, new member here, Need help
No, I cannot get online at all. When I try it says Internet Explorer cannot display the webpage. But when I am not trying to get online, Internet Explorer will pop up with a porn site and keep popping it up in new windows.

If I could ever find the SOB that started this I would take him out right in the middle of the town square at high noon.

Re: Hello all, new member here, Need help
Hi,

Try to run this in Safe Mode, or try transferring this over with a USB drive or CD.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Re: Hello all, new member here, Need help
The problem is I cannot get safe mode to work. And the CD drive is blocked along with the USB port.

Re: Hello all, new member here, Need help
Hi,

I have asked for a little bit of help, please sit tight.


Re: Hello all, new member here, Need help
Hi,

This is about as simple as it gets, please follow the tutorial on how to slave a hard drive here: http://www.dtidata.com/resourcecenter/2007/04/23/how-to-slave-hard-drive/

Once you have slaved the hard drive, please run ComboFix on the infected hard drive and post that here.


Re: Hello all, new member here, Need help
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Showmeglass on 07/22/2010 at 21:39:50.


Processes terminated by Rkill or while it was running:


C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Showmeglass\Desktop\rkill.exe


Rkill completed on 07/22/2010 at 21:39:56.

Re: Hello all, new member here, Need help
Here is a report. I need to see if it is cleared up now and will make another post.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4339

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

7/22/2010 10:19:19 PM
mbam-log-2010-07-22 (22-19-19).txt

Scan type: Quick scan
Objects scanned: 131884
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lghmbiru (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Showmeglass\AppData\Local\Temp\90420fd5.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Showmeglass\AppData\Local\wkujhalgt\pdloaactssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
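The Malwarebytes log above has a regular layout: a block of summary counts, then one "<Section> Infected:" heading per category with one detection per line in the form "<item> (<Category>) -> <action>." The following parser is an added example (not part of the thread, and not Malwarebytes' code): it extracts the summary counts and the per-section detections, checks that the declared counts agree with the items actually listed (a truncated paste is the usual reason they would not), and groups the detections by category family so that families that need more than a quarantine, such as Rootkit.*, stand out. The sample input is the log posted above, trimmed to the relevant lines; the follow-up notes in FOLLOW_UP are general triage guidance added here, not output of the tool.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log into structured findings.

Added example for this thread; not Malwarebytes' code. The notes in FOLLOW_UP
are general triage guidance added here, not something the tool reports.
"""
import re

# Summary line ("Files Infected: 2"), section heading ("Files Infected:") and
# one detection per line: "<item> (<Category>) -> <action>."
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")

# Category families whose detections need more than a quarantine (added guidance).
FOLLOW_UP = {
    "Rootkit": "kernel-level component; verify drivers and boot sectors with a dedicated rootkit scanner",
    "Rogue": "fake antivirus; re-check proxy settings and startup entries it may have left behind",
}

# Trimmed copy of the log posted in this thread (same layout, same values).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4339
Scan type: Quick scan
Objects scanned: 131884
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lghmbiru (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Showmeglass\AppData\Local\Temp\90420fd5.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Showmeglass\AppData\Local\wkujhalgt\pdloaactssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return (summary, findings): summary maps section -> declared count;
    findings is a list of dicts with section, item, category and action."""
    summary, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            findings.append({"section": section, **m.groupdict()})
    return summary, findings


def count_mismatches(summary, findings):
    """Sections whose declared count differs from the items listed under them;
    returns [(section, declared, listed)], empty when the log is consistent."""
    listed = {}
    for f in findings:
        listed[f["section"]] = listed.get(f["section"], 0) + 1
    return [(s, n, listed.get(s, 0)) for s, n in summary.items() if listed.get(s, 0) != n]


def follow_up(findings):
    """Group items by category family (text before the first dot) for the
    families in FOLLOW_UP; returns {family: {"note": str, "items": [...]}}."""
    out = {}
    for f in findings:
        family = f["category"].split(".")[0]
        if family in FOLLOW_UP:
            entry = out.setdefault(family, {"note": FOLLOW_UP[family], "items": []})
            entry["items"].append(f["item"])
    return out


if __name__ == "__main__":
    summary, findings = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(findings)} detections listed; mismatches: {count_mismatches(summary, findings)}")
    for family, info in follow_up(findings).items():
        print(f"{family}: {info['note']}")
        for item in info["items"]:
            print(f"  - {item}")
```

Run against the log above, the parser lists six detections, reports no count mismatches, and groups four of them under the Rogue and Rootkit families; the single Rootkit.TDSS hit is the one the helper's next post singles out for further work.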

Re: Hello all, new member here, Need help
I am all back together here. And it was easy. Here is what happened.
I have Vista. I tried to restart in plain safe mode. Not sure if that worked or not. But anyway, I clicked on the Start button and then typed into the search
files and file holders I think and hit enter.

This brought up my Explorer with Google on it. Freaked me out, lol.
So I then went to the removal page here and got the link to that malware download and got it to download. Let it do its thing and BAM, I was good to go.
That is a hell of a program and will be buying a few of them this weekend.

Re: Hello all, new member here, Need help
Hi,

C:\Users\Showmeglass\AppData\Local\Temp\90420fd5.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.


This means you probably have TDL3, which means it has patched a system file, so please do the following:

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

