Virus?? Rootkit?? H.e.l.p. ~ I'm Flunking Avast for "Super Dummies" {-101}

Wow, where do I begin. I have no idea when everything went ballistic. What I noticed 1st was typing one thing in Y!'s search and being sent to some weird search result page with 3-4 choices that was not even my original entry question. I am on W7 64 bit (home edition) and totally clueless how to get out of this mess. I remember emails being sent to ppl in my address book for some Canadian Pharmacy at Y!

Yahoo actually locked my email for 3 hours as a result, assuming I was sending spam. Later I discovered Yahoo knew this was happening to their mail system, so I was pretty upset when I read the only thing we could do was change our passwords, after my lockout. That kept happening to me over and over. So I thought all was behind me…nope! Adobe Flash went bonkers on Firefox so I had to use Chrome if I needed it. Now it's nada at Chrome, and Firefox suddenly kicked back in.

I play backgammon online (turn-based); the page started showing only half screen in Firefox, so that’s when I downloaded Chrome. Things really went ballistic when I downloaded IE9, and I deleted it in less than 3 weeks flat.

I have PC Health Adviser and every day some dll report greets me upon logging on (sorry, I should have written the name down).

Then Microsoft Essentials suddenly refused to work, next Windows firewall is acting screwy, I am the only one on my PC and it seems I now have my name listed 3-4 times as users and administrators. I tried editing it earlier (fingers crossed hoping not to screw things up worse…no worries…I am not authorized to make decisions on my own PC).

Everything I have downloaded will download but I cannot run any installed programs at all.

I managed to get PC Tools' Spy Doctor, which shut down Avast’s shields, and I looked up and icons in my startup began disappearing. The programs are still listed there, just suddenly invisible with missing desktop icons. MalwareBytes just poofed an hour ago. All that is left is the folder contents but no launcher.

Avast's logo is now a white square.

If I open IE I feel as if I am on a hypnotic trip! The bottom corner of the page flashes web addresses so fast they blur. When I was reading on the redirect virus I really took my time to try many things I read about – nothing worked.

Locating that TDSS in the Win32 was useless. I was all over that folder. Then…I read to go to Eset and download the OLMARIK CLEANER exe. That’s when I found out I can download “sometimes”; many times my downloads poof, and I could install an application (sometimes) but could not run it. So Olmarik sits amongst the Virus.Redirect Virus graveyard of useless programs that won’t run. Oops, I have 360 pro P2P. I also noticed within its folders, as I stumbled through the byte jungle, that I kept seeing Limewire, which I never downloaded. I just did a search for it and now cannot recall where I was at in C drive when I noticed it.

Here are some of my error messages:

“ShellExecuteEx failed code 1058”

“Process Explorer from Syinternals is not running and not in path”

“C\programs…cannot be started, either because it is disabled or because it has no enabled devices associated with it”…amongst many error messages.

When I was in the forum earlier today 7/5/11 trying to type in the password I just submitted to get some help here, about 900 items rolled down like ticker tape, from non-accessible font to .png’s, to things I had no idea were even on my PC…at least that’s what I assumed.

I must admit I have learned a lot in the last 48 hours but this is too techie for my 1 frozen brain cell. My Avast has caught many viruses and malicious items, MalwareBytes caught a lot, but nothing is working. I may have screwed up with the Spy Doctor (another online site suggestion I read in an article online). I installed it (hmmp), ran it and that time it worked…sigh, and about 4-5 hrs later I found out it had a built-in antivirus. Groan… Yesterday Adobe Flash stopped working. Error Message: "Adobe 8 or higher needs to be installed to view this page." I have Adobe 10.

I know 2 cannot run together, so when I went to uninstall it…well you know…No Can Do. I suddenly do not have Administrative rights to change anything, install/uninstall…since who knows what I am actually listed under???

Even as I am typing this I landed at NXSecure…thought I had lost my post! – uh I think that is the good ole Redirect still ticking me off. Oddly enough I have not been redirected Sooo… as I read and learned about rootkits…

NOW I am panicking!!!

Avast wants to do a Boot Scan (I have never done that before); don’t forget this female is clueless… The oil goes in the fuel tank, right? ;D

After reading up on that Redirect Virus, I now have a desktop cluttered with things I simply cannot even run. I read an article on doing a scan in safe mode, but when I came here… someone asked that and (perhaps) they did not have the PC problems I do, but I need some HELP a.s.a.p.

Avast, the Uniblue trio, Malwarebytes, Crap Cleaner, Microsoft Essentials gave no warning before I noted the above to you. I am very limited with msconfig’s etc…doing things like that is very scary to me… so I need someone to r.e.a.l.l.y. simplify things so I can slowly follow directions “and” please be patient with me. A thin-skinned female is on board here who finally decided to take Graphics classes online after many, many years have passed by…ok so it’s a few decades.

Looks like that may be down the can if this PC, which is not paid for, goes belly up. I have not done a backup disc in about 7 months; oddly enough I planned to do one this week…seriously…“I had that funny feeling” …Duh, just my luck eh? :frowning:

I am sending an image to view (hope it comes through); not sure what is needed but let me know.

Thanks to any/everyone who can offer some help. “Thanks in advance”

¸.•´¸.•*´¨) ¸.•*¨)
(¸.•´ (¸.•` ¤ Drive carefully. It’s not only cars that can be recalled by their Maker.
Mystique of Indy

Download OTS http://oldtimer.geekstogo.com/OTS.exe to your Desktop and double-click on it to run it

Make sure you close all other programs and don't use the PC while the scan runs.
Select All Users
Under additional scans select the following

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

Under the Custom Scan box paste this in

%SYSTEMDRIVE%*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
When the scan is complete Notepad will open with the report file loaded in it.
Please attach the log in your next post.

Edited to add custom scans

Please ensure that all logs are saved in the ANSI format


http://i262.photobucket.com/albums/ii83/mystiqueofindy/Avast/th_avast-boot-results-1.jpg

This is the scan result from the Boot Scan early this a.m. I downloaded the exe, but don’t forget I cannot run anything; I tried again when you left me the link. The sys still has me locked up when I attempt to run any new app. I forgot to mention all this 1st started in Apr after installing a Windows update. I had just installed the latest Windows update. I removed it, and all was well afterwards.

I cannot do a System Restore either (which won’t help, but that too is unavailable for me to utilize if it was an option).

This is the message which still appears when attempting to open any application.

C:\Users\MystiqueofIndy\Desktop\OTS.exe
The service cannot be started, either because it is disabled, or because it has no enabled devices associated with it.

??? Is there any other way to report data to this forum to assist in resolving my issues?
Hopefully I can follow your instructions. I will open up my email here for any and all help.
MystiqueofIndy@Yahoo.Com

Thanks in advance as usual
Mystique of Indy

¸.•´¸.•*´¨) ¸.•*¨)
(¸.•´ (¸.•` ¤ Be who you are and say what you think, because those that mind don’t matter and those that matter ~ don’t mind.

Can you boot into safe mode and run OTS?
How to boot in Safe mode: http://www.computerhope.com/issues/chsafe.htm

Monday I was able to boot into safe mode. I seem to have physically caught the virus the PC has…so time has slipped by while I was ill. I tried to do it today and the drivers loaded when I clicked F8, and I waited forever for it to let me in as usual…but that did not happen today. I know not to click F8 several times or it can get stuck. Is there any other way to get this in safe mode, [or am I toast?] so I can get the Download OTS http://oldtimer.geekstogo.com/OTS.exe open, so I can provide data for the forum so my main problems will be known? In case you have not read my previous comments (sorry about the length of useless info at 1st), I can download programs but cannot execute them to open, so I have no way thus far since safe mode is refusing to cooperate. The software Left123 (in case he is not online)?? Does anyone here do remote assistance, or is that too dangerous with my current problems??

HELP!

I made it into Safe mode, still could not run the OTS Left sent. Same message: no device is present. Any other options?

Hi there, let's try a multi-programme approach to this

Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 1 and validate
[*]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Note: If using Firefox right-click on any download links and choose Save As

Please download OTH to your desktop
Please download OTL to your desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.

http://oldtimer.geekstogo.com/OTH/OTH_Main.gif

Then select Start OTL. OTL will now run

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

[*]Click the Internet Explorer button, attach these logs in your topic.

Thanks! I am holding the software. I still cannot get admin nor user control to do msconfig/system config/make a new user/safe mode/clean, so I am still stuck. I will submit data for the forum…just need to find a way to still get control, since it is still not acknowledging me and claiming no devices have services or are enabled…so I can do what is requested. :stuck_out_tongue:

Just to clarify - you cannot get to safe mode or normal mode - is that correct?

Are you able to use another computer to burn a CD for us to use as a way of accessing the sick system?

No, I do not have one to use. Isn’t there a way to get around or force the system to allow me control? I read up on inheriting objects. Not clear on it. Tried a few minutes ago, but as an Admin, and even a user, it is stating I have control …and System of course. This is so frustrating, as you can imagine. I am going to try that clean boot again in a few…I’ll let you know if that or safe mode wants to cooperate today…I hope :slight_smile:

If you can get into any type of windows then please try the following programmes

Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 1 and validate
[*]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Note: If using Firefox right-click on any download links and choose Save As

Please download OTH to your desktop
Please download OTL to your desktop
Please download the attached file Scan.txt to your desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.

http://oldtimer.geekstogo.com/OTH/OTH_Main.gif

Then select Start OTL. OTL will now run

[*]Double-click on the Custom Scans box and a message box will popup asking if you want to load a custom scan from a file. Select Scan.txt that you downloaded

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

[*]Click the Internet Explorer button, Attach these logs here.

Ok I was able to get into some form of Safe Mode-Networking? since the main Safe Mode did not respond.

Here is the data from that for you Left123 and the things you wanted checked…

I am so sorry everyone. I meant to extend a major THANK YOU for all you have done and your patience with me. Know that it is deeply appreciated!

Sincerely
Mystique of Indy

Ok young lass, to work. I see we have used just about everything except the kitchen sink, so there is probably stuff that I am not seeing

From whichever mode works

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Win32 Services - Safe List]
YY -> (HyperDeskCustomThemeEnabler) HyperDesk's Custom Theme Enabler [Auto | Stopped] -> C:\Windows\Installer\MSIEFB2.tmp
[Registry - Safe List]
< FireFox Extensions [User Folders] > -> 
YY -> XUL Cache   -> C:\Users\Terry Swanigan\AppData\Roaming\Mozilla\Firefox\Profiles\65dz43sz.default\extensions\{011511f6-c896-4ea5-9172-6b9810b2fe18}
YY -> XUL Cache   -> C:\Users\Terry Swanigan\AppData\Roaming\Mozilla\Firefox\Profiles\65dz43sz.default\extensions\{5abc7167-f5f0-4f34-90b2-371f58765b44}
YY -> No name found   -> C:\Users\Terry Swanigan\AppData\Roaming\Mozilla\Firefox\Profiles\65dz43sz.default\extensions\{5b175400-2368-11de-8c30-0800200c9a66}
YY -> XUL Cache   -> C:\Users\Terry Swanigan\AppData\Roaming\Mozilla\Firefox\Profiles\65dz43sz.default\extensions\{d39910a8-4637-457a-a7fb-ffbb50ee7daf}
< FireFox SearchPlugins [User Folders] > -> 
YY ->  mywebsearch.xml -> C:\Users\Terry Swanigan\AppData\Roaming\Mozilla\Firefox\Profiles\65dz43sz.default\searchplugins\mywebsearch.xml
YY ->  search-the-web.xml -> C:\Users\Terry Swanigan\AppData\Roaming\Mozilla\Firefox\Profiles\65dz43sz.default\searchplugins\search-the-web.xml
YY ->  SearchquWebSearch.xml -> C:\Users\Terry Swanigan\AppData\Roaming\Mozilla\Firefox\Profiles\65dz43sz.default\searchplugins\SearchquWebSearch.xml
YY ->  SearchResults.xml -> C:\Users\Terry Swanigan\AppData\Roaming\Mozilla\Firefox\Profiles\65dz43sz.default\searchplugins\SearchResults.xml
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {00000001-AB3B-4334-9DA2-EC6B2A02AFC6} [HKLM] -> C:\Program Files (x86)\FileServe Manager\FileServeBHO.dll [FileServeManager]
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {28387537-e3f9-4ed7-860c-11e69af4a8a0} [HKLM] -> Reg Error: Key error. [MediaBar]
YN -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> Reg Error: Key error. [AVG Safe Search]
YN -> {9D425283-D487-4337-BAB6-AB8354A81457} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} [HKLM] -> Reg Error: Key error. [Windows Live Messenger Companion Helper]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{28387537-e3f9-4ed7-860c-11e69af4a8a0}" [HKLM] -> Reg Error: Key error. [MediaBar]
YN -> "{9D425283-D487-4337-BAB6-AB8354A81457}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> "{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}" [HKLM] -> Reg Error: Key error. [MediaBar]
YN -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> "10" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-861273354-3512467208-1425694936-1001\] > -> HKEY_USERS\S-1-5-21-861273354-3512467208-1425694936-1001\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{9D425283-D487-4337-BAB6-AB8354A81457}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{BA14329E-9550-4989-B3F2-9732E92D17CC}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D7E97865-918F-41E4-9CD0-25AB1C574CE8}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{DD662A0C-12FE-4B38-BA53-247F7EC82F46}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< File Associations - Select to Repair > -> HKEY_USERS\S-1-5-21-861273354-3512467208-1425694936-1001\SOFTWARE\Classes\<extension>\
YN -> .exe [@ = exefile] -> Reg Error: Key error.
[Registry - Additional Scans - Safe List]
< 64bit-Disabled MSConfig Folder Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\
YN -> C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk -> 
YN -> C:^Users^Terry Swanigan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^AdsGone.lnk -> 
[Files/Folders - Created Within 90 Days]
NY ->  New folder -> C:\Users\Terry Swanigan\Desktop\New folder
NY ->  Tarma Installer -> C:\ProgramData\Tarma Installer
NY ->  Gogii -> C:\Users\Terry Swanigan\AppData\Roaming\Gogii
NY ->  WhiteSmoke -> C:\Program Files (x86)\WhiteSmoke
[Files/Folders - Modified Within 90 Days]
NY ->  PerfectOptimizer_home.job -> C:\Windows\tasks\PerfectOptimizer_home.job
NY ->  New folder (4).exe -> C:\Users\Terry Swanigan\Desktop\New folder (4).exe
NY ->  0.bak -> C:\0.bak
NY ->  0 -> C:\0
NY ->  68a727e3 -> C:\ProgramData\68a727e3
NY ->  1214077848 -> C:\ProgramData\1214077848
NY ->  1752658100 -> C:\ProgramData\1752658100
NY ->  7u70ysffrj0161u2863bs27 -> C:\Users\Terry Swanigan\AppData\Local\7u70ysffrj0161u2863bs27
NY ->  7u70ysffrj0161u2863bs27 -> C:\ProgramData\7u70ysffrj0161u2863bs27
[Files - No Company Name]
NY ->  68a727e3 -> C:\ProgramData\68a727e3
NY ->  7u70ysffrj0161u2863bs27 -> C:\Users\Terry Swanigan\AppData\Local\7u70ysffrj0161u2863bs27
NY ->  7u70ysffrj0161u2863bs27 -> C:\ProgramData\7u70ysffrj0161u2863bs27
NY ->  1214077848 -> C:\ProgramData\1214077848
NY ->  1752658100 -> C:\ProgramData\1752658100
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
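A read-only PowerShell check, added here and not part of the thread or of any of the tools above, for the two symptoms the logs record: the "no enabled devices" message when launching OTS.exe (Win32 error 1058) and the `.exe [@ = exefile] -> Reg Error: Key error.` entry under File Associations. It decodes the error code and compares the per-user and machine-wide .exe association with the Windows default; the function names are my own.

```powershell
# Added example, not from the thread: inspect why every .exe might refuse to
# launch. Decodes the Win32 error code and compares the .exe file association
# in HKCU and HKLM with the Windows default. Nothing here modifies the registry.

function Get-Win32ErrorText {
    param([int]$Code)
    # Win32Exception maps a system error code to its message text.
    # 1058 is ERROR_SERVICE_DISABLED, the text quoted in the thread.
    (New-Object System.ComponentModel.Win32Exception($Code)).Message
}

function Get-ExeAssociation {
    param([ValidateSet('HKCU:', 'HKLM:')][string]$Hive)
    $classes = "$Hive\Software\Classes"
    $ext  = Get-ItemProperty -Path "$classes\.exe" -ErrorAction SilentlyContinue
    $open = Get-ItemProperty -Path "$classes\exefile\shell\open\command" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive         = $Hive
        ExeKeyExists = [bool]$ext
        ProgId       = if ($ext)  { $ext.'(default)' }  else { $null }
        OpenCommand  = if ($open) { $open.'(default)' } else { $null }
    }
}

# Default exefile open command on Windows 7: run the file, pass the arguments.
$expected = '"%1" %*'

Write-Host ("Error 1058 means: " + (Get-Win32ErrorText 1058))

foreach ($hive in 'HKCU:', 'HKLM:') {
    $a = Get-ExeAssociation -Hive $hive

    # A per-user .exe key is absent on a clean system; the HKLM one applies.
    if ($hive -eq 'HKCU:' -and -not $a.ExeKeyExists) {
        Write-Host "HKCU: no per-user .exe key (normal, machine-wide value applies)"
        continue
    }
    if ($a.ProgId -ne 'exefile') {
        Write-Warning "$hive .exe maps to '$($a.ProgId)', expected exefile"
    }
    if ($null -ne $a.OpenCommand -and $a.OpenCommand -ne $expected) {
        Write-Warning "$hive exefile open command is '$($a.OpenCommand)', expected $expected"
    } elseif ($null -eq $a.OpenCommand -and $hive -eq 'HKLM:') {
        Write-Warning "HKLM: exefile\shell\open\command is missing"
    } elseif ($a.ProgId -eq 'exefile') {
        Write-Host "$hive .exe association matches the default"
    }
}
```

Any warning it prints is something to compare against the OTS File Associations section before running a fix; a silent run means the .exe association is not what is blocking the tools.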

Aye Aye Captain…but it’s “lassie” if I am female, correct? I was just about to nab the instructions for the Rogue Killer so I will send both reports back in a few. Captain ;D

Cracking up…forgot to say I will add the kitchen sink next report too…LMBO! After I put my laptop in and give it a good scrubbing. Just haven’t decided whether to add bleach or not. j/k!!! :smiley:

Ok, noted after I did the OTS that it was not specified if all programs were to be closed, so I ran both closed and open (mainly explorer). I also wanted to say the first link for Combo is a dead link. Second worked fine.

I had the aswMBR.exe so I went ahead and ran that at the end. Problems still exist, but I know we are still attempting to determine what's happening. My taskmaster only shows process/services…cannot get it back into full view…any suggestions? I will still read up on it in the meantime.

As always THANKS a heap!

You could try, after opening Task Manager, click on the little space above it to restore full view.
I’ll use bob3160’s great picture to tell you what I mean:

Argh that be right me 'andsome

I think my PC problems have affected my brain. I could have sworn I posted this yesterday…no wonder there was never a reply …shaking my head.

First link on the Combo link is dead …2nd one works however.

I did the OTS scan twice. I was not sure if you wanted all programs closed or not, so I ran it both ways just to cover bases. Also included the Malwarebytes scan log.

Thanks a heap !!!