MY COMPUTER IS BEING RAPED!!! HELP!!!

Not sure how to put this, but I've watched my computer slowly get worse over the past week.

I've run Avast before and after system startup with no luck at all, and every time I run Spybot Search & Destroy it gets rid of over 30 problems (which return days later). When I log on to MSN, apparently I send all my friends links to unknown sites to download random s4%t!!

Ad-Aware 2007 fails also. I am normally quite chuffed at the level of defense my computer has, but all of them have failed. Even TuneUp Utilities 2008 refuses to run. I have run a check using HijackThis and the log is attached.

  • PLEASE HELP -

Hi Deltaboy,

Your HJT analysis can be found here: http://www.hijackthis.de/logfiles/7fceff8825345bd0c3f31a397c0a7a42.html
It stays there for the following three days.
You sure had a Zango infection, and some other nasties.
Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

  • Please, never rename ComboFix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
      • If there is no internet connection after running ComboFix, then restart your computer to restore your connection.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

polonus

2 tries and 2 “severe system crashes” with no log results.

Hi, try it in Safe Mode.

Thanx. Now a silly question: how do I make it run in Safe Mode??? Simply can't remember how.

Here you go

http://www.computerhope.com/issues/chsafe.htm

Thanx, tried one last time and it crashed but produced a log file.

Don't know if it is an accurate log, but have a look anyway.

Hi Deltaboy,

Are you using a proxy? Are you familiar with this entry?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.inet.glion.ch:8080 - If you have not installed the proxy yourself, tell me.

Now to cure your autoruns infection:

Download and Install Microsoft’s TweakUI: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Obtain and install TweakUI (right hand panel, 147kb in size), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay, except your CD/DVD drive letters.

This will prevent autoruns from running on your computer. Make sure you uncheck all drive letters in the list, except your CD/DVD.

Download “Clean Autoruns”:From HERE

http://forums.techguy.org/attachments/103397d1176780296/clean-autoruns.zip

Save and extract its contents to the desktop. It is a folder containing a batch file, Clean autoruns.bat, written by Mosaic1. Once extracted, open the folder and double-click Clean autoruns.bat to run the fix.
If any autoruns are found, the fix will move them to a backup folder.
If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoint(s) key are fixed.
It will produce two files, Part1.txt and Part2.txt , that will show the state before and after the cleaning.

Please post those.

Now, to protect those drives, I will need you to download and run this program.

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

This utility will do a couple of things. First it will remove any autorun.inf it finds. Then it will create a SYSTEM-protected, read-only and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will also deny any current Autorun infection the ability to restart.

And finally:
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

polonus
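The two autorun steps above (Clean Autoruns moving any autorun.inf aside into a backup folder, Flash Disinfector planting a protected Autorun.inf placeholder so the file cannot be re-created) in one script, as an added example that is neither tool's own code and not part of the original thread. It assumes autorun.inf is INI-style, that open=, shellexecute= and shell\<verb>\command= are the directives Explorer executes, and that a folder named autorun.inf blocks a worm from re-creating the file. The sample autorun.inf and its RECYCLER\loader.exe path are constructed, not a capture; the attrib calls are only attempted on Windows, and the demo runs against a throw-away directory rather than a real drive.

```python
"""Triage and neutralise autorun.inf on a drive root (added example, not
Clean Autoruns or Flash Disinfector themselves; see lead-in for assumptions)."""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample in the shape of a 2007-era USB-worm autorun.inf; not a real capture.
SAMPLE_AUTORUN = """[autorun]
; every launch directive points at a dropper hidden in a RECYCLER folder
open=RECYCLER\\loader.exe
shell\\open\\Command=RECYCLER\\loader.exe -q
shell\\explore\\command=RECYCLER\\loader.exe -q
shellexecute=RECYCLER\\loader.exe
shell=Open
UseAutoPlay=1
icon=%SystemRoot%\\system32\\SHELL32.dll,4
padding line with no equals sign, as worms add to confuse parsers
"""


def parse_autorun(text):
    """Return the [autorun] section as {lower-case key: value}.

    Hand-rolled instead of configparser: junk lines without '=' (common in
    infected files) would make configparser raise before we saw anything.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(text):
    """(directive, command) pairs Explorer would run for this autorun.inf.

    open= and shellexecute= fire on AutoPlay; shell\\<verb>\\command= fires
    when the user double-clicks or right-clicks the drive, which is why
    worms set all of them at once.
    """
    hits = []
    for key, value in parse_autorun(text).items():
        if key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command")
        ):
            hits.append((key, value))
    return hits


def neutralise_drive(root, backup):
    """Move a file autorun.inf off the drive root into `backup`, then plant a
    folder named autorun.inf in its place so the worm cannot re-create the file.
    Returns {'moved': Path or None, 'placeholder': bool}.
    """
    root, backup = Path(root), Path(backup)
    target = root / "autorun.inf"
    moved = None
    if target.is_file():
        if os.name == "nt":  # infected files usually carry +h +s +r; clear them first
            subprocess.run(["attrib", "-h", "-s", "-r", str(target)], check=False)
        backup.mkdir(parents=True, exist_ok=True)
        moved = backup / f"{root.name or 'root'}_autorun.inf"
        shutil.move(str(target), str(moved))
    if not target.exists():
        target.mkdir()
        if os.name == "nt":  # hidden + system + read-only, as Flash Disinfector does
            subprocess.run(["attrib", "+h", "+s", "+r", str(target)], check=False)
    return {"moved": moved, "placeholder": target.is_dir()}


def demo():
    """Run the whole flow against a throw-away fake drive; returns plain facts."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp) / "drive"
        drive.mkdir()
        (drive / "autorun.inf").write_text(SAMPLE_AUTORUN)
        before = launch_commands((drive / "autorun.inf").read_text())
        result = neutralise_drive(drive, Path(tmp) / "backup")
        return {
            "launchers_before": len(before),
            "file_moved": result["moved"] is not None and result["moved"].is_file(),
            "placeholder_is_dir": result["placeholder"],
        }


if __name__ == "__main__":
    print(demo())
```

Point `neutralise_drive` at a real drive root (for example `E:\`) only after reading the autorun.inf with `launch_commands` and keeping the backup copy, so the dropper it names can still be located and removed; the placeholder folder stops the file coming back but does nothing about the executable already on the disk.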

GOODNESS!! Thanx a million Polonus!! I will do all these tomorrow evening and send it to you.

Thanx for the assistance!!

Be in touch,

Deltaboy

Kind Polonus,

The computer was originally purchased at a university and they put in a lot of standard university configurations. I mean, I did not personally put in the proxy, but I assume the university did. I would personally like to get rid of the damn thing and have full control of my computer, as I left the university a year ago, so I don't need the damn thing, but c'est la vie.

Bottom line, it's a uni proxy I think, and if you can rid me of it, then do me a favour (another one).

Hi Deltaboy,

Your wish is my command, and if you really want to get rid of this, and some empty entries to be fixed as well: fire up HJT, do a scan and fix the following entries by tagging them and pressing Enter:


[X] R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = internet.inet.glion.ch:8080 - This entry should be fixed by HijackThis!
[X] R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.myglion.com; - 
[X] www.gliondoc.com; - This is an unknown process, can be fixed

[X] O3 - Toolbar: (no name) - {E1BACF55-35E1-4E47-9247-2D48660E5545} - (no file) - Must be fixed! Unnecessary (deactivated) entry that can be fixed. HostIE.dll - ZangoSearch, http://securityresponse.symantec.com/avcenter/venc/data/adware.zangosearch.html adware variant - also see this_note, http://www.benedelman.org/spyware/180-affiliates/

[X] O4 - Global Startup: Digital Line Detect.lnk = ? - The entry is unnecessary and can be fixed.
[X] O4 - Global Startup: ScanSnap Manager.lnk = ? - The entry is unnecessary and can be fixed.
[X] O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html - The entry &Winamp Toolbar Search has been identified as nasty.

[X] O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www.gliondoc.com/qp2.cab - ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!

[X] O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://www.myglion.com/iNotes.cab - 
[X] O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://www.myglion.com/iNotes6W.cab - 

polonus
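The rules polonus applies to the log above (an unexpected R1 ProxyServer, ProxyOverride bypass hosts, an O3 toolbar with "(no file)", an O4 startup shortcut whose target resolves to "?", and O16 ActiveX objects from unknown sites or whose name/URL mentions "dialer", "casino" or "free plugin") as detection logic over sample HijackThis lines. This is an added example, not HijackThis or hijackthis.de code and not part of the thread. The sample log reuses the entries quoted in the thread, with the two ProxyOverride hosts collapsed onto one line as HijackThis prints them (constructed). The `trusted_hosts` allowlist and `expected_proxy` parameters are assumptions: with none given, every proxy and every ActiveX site is reported.

```python
"""Triage HijackThis R1/O3/O4/O16 lines with the rules from the post above
(added example, not HijackThis or hijackthis.de code; see lead-in)."""
import re
from urllib.parse import urlparse

# Sample log built from the entries quoted in the thread (constructed layout).
HJT_SAMPLE = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = internet.inet.glion.ch:8080
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = www.myglion.com;www.gliondoc.com;
O3 - Toolbar: (no name) - {E1BACF55-35E1-4E47-9247-2D48660E5545} - (no file)
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://www.gliondoc.com/qp2.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://www.myglion.com/iNotes.cab
"""

R1_RE = re.compile(r"^R1 - HKCU\\.*Internet Settings,(\w+) = (.*)$")
O3_RE = re.compile(r"^O3 - Toolbar: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - Global Startup: (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)")
BAD_WORDS = ("dialer", "casino", "free plugin")  # rule of thumb for O16 from the post


def proxy_hosts(value):
    """'host:port' or 'http=host:port;https=host:port' -> set of proxy hosts."""
    hosts = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:  # per-protocol form: http=host:port
            part = part.split("=", 1)[1]
        hosts.add(part.rsplit(":", 1)[0].lower())
    return hosts


def triage(log, trusted_hosts=frozenset(), expected_proxy=None):
    """Return findings as a list of {'section', 'verdict', 'detail'} dicts."""
    trusted = {h.lower() for h in trusted_hosts}
    expected = (expected_proxy or "").lower()
    findings = []

    def flag(section, verdict, detail):
        findings.append({"section": section, "verdict": verdict, "detail": detail})

    for line in log.splitlines():
        m = R1_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if name == "ProxyServer":
                for host in sorted(proxy_hosts(value)):
                    if host != expected:  # every proxy is unexpected unless named
                        flag("R1", "unexpected-proxy", host)
            elif name == "ProxyOverride":
                for host in value.split(";"):
                    host = host.strip().lower()
                    if host and host != "<local>" and host not in trusted:
                        flag("R1", "proxy-bypass-untrusted-host", host)
            continue
        m = O3_RE.match(line)
        if m and "(no file)" in m.group(3):  # toolbar registered but DLL gone: orphan
            flag("O3", "orphan-toolbar", m.group(2))
            continue
        m = O4_RE.match(line)
        if m and m.group(1).rstrip().endswith("= ?"):  # shortcut target unresolved
            flag("O4", "startup-shortcut-unresolved", m.group(1))
            continue
        m = O16_RE.match(line)
        if m:
            _clsid, name, url = m.groups()
            host = (urlparse(url).hostname or "").lower()
            text = f"{name} {url}".lower()
            if any(word in text for word in BAD_WORDS):
                flag("O16", "activex-bad-keyword", url)
            elif host not in trusted:
                flag("O16", "activex-unknown-site", url)
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE):
        print(f"{f['section']:3} {f['verdict']:30} {f['detail']}")
```

With `trusted_hosts={"www.myglion.com", "www.gliondoc.com"}` and `expected_proxy="internet.inet.glion.ch"` (the situation Deltaboy describes, a university-installed proxy) only the orphan toolbar and the unresolved startup shortcut remain, which is the same split polonus made by hand: the Glion entries are legitimate leftovers to remove because they are unwanted, the O3 entry because it is dead.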

Dear Polonus,

Here are the autorun files as you requested.

Deltaboy

Hi Deltaboy,

You see, Deltaboy, we have all more or less forgotten about the floppy disk or diskette threats of years ago. That is why some youngsters don't feel the need for fully upgraded real-time AV protection, but USB sticks, also known as pen drives or flash drives, have brought the viral threats of old back today, so we see a lot of these kinds of autorun infections here lately (history revisited)…

If you have a USB stick, then put the latest version of the non-resident DrWebCureIt onto it from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
and when you use your flash disk somewhere away from home you have protection on the very flash disk you carry. Do not forget to upgrade from time to time so that you have the latest version on your flash disk.

You're doing fine, so now go on with Flash Disinfector on all the drives you have, with all your additional drives inserted (USB, mobile phone etc.) so all are effectively cleansed.
After that, install ATF Cleaner and follow the instructions. Leave that on your machine, it is nice to have as a crap cleaner; when you are a more advanced user and visit here more often you can go crap cleaning using HJT?!?

polonus

And here comes the warm feeling of having a cleansed computer :slight_smile:

Quick question though. My computer is split into 4 logons: Localuser, Glion (which is the darned uni server), Administrator and Guest.

The Glion and Localuser logons are the more important, as I have the most personal files on there. I cannot access the Glion files because I tried to rid myself of it by giving full access to Localuser (access that didn't work) but only deleted my Glion login account, so I cannot access its files.

Now the million dollar question. If I kill the Glion proxy (by the means you told me), does that mean I can access those files again through Localuser or Administrator?

Hi Deltaboy,

I would not dare risk it! First secure these files and store them somewhere else so you can access them all the time (try the alternate access route first), and then try to go for the changes, better safe than sorry has always been my way of addressing things. Is your computer better now?

polonus

Sorry for the late reply. The computer is still acting like it's got a poltergeist. When downloading, it stops halfway and says that the hard disk is not working / malfunctioning. It is the D: it is on about, which has approximately 2 GB left on it and should support an MP3 track. Strangeness. I have not logged onto MSN for a while as I have not been around and not used the computer. But it does not seem to have changed. Tell me if you want me to run ComboFix again.

Hi Polonus,

The computer has had no changes. On the contrary, now that I run Spybot, it tells me that there are Trojans on my computer and it now has to get rid of over 40 problems (Ad-Revolver etc.).

Running Avast before and after startup brings about the same results every time. It cannot find anything wrong with the computer, whereas it is horribly slow, freezing completely on occasion.

Running Ad-Aware 2007 always crashes in between. On the taskbar at the bottom right corner of the screen, a Windows message is always on alert saying the system has no defenses.

If anyone has an idea what can be done, then please advise also. This is the worst condition the computer has been in to my knowledge so all advice is welcome.

Hi Deltaboy,

Against the malfunctioning messages, download this program and run VBRuntime data:
http://www.clearprog.de/download.php?id=12&lang=en

I hope you haven’t got hardware-problems, but again…
Let us start with a good bit of cleaning and cleansing, and let us do a new combofix later.
First use ATF from here, and click all to remove all crap from temp files:

Then combine this with ClearProg from here: http://www.clearprog.de/download.php?id=58&lang=en

Download ComboFix again, latest version, run it and attach the logs, together with a fresh HijackThis log.

good luck,

polonus