Solved

Help: I think I have the Conficker virus

Posted on 2009-04-01
1,065 Views
Last Modified: 2012-06-27
I think I have the Conficker virus. I have run all the tools; the only ones that would run for me are f-downadup and fixdwndp. They come up and say the file is not infected with Conficker, but the problem I'm having is I cannot access Windows Update. I cannot access regedit: every time I go to Start > Run > regedit, the screen goes black and then comes up again. I'm completely lost, please help.
Question by:thinktechsolutions
51 Comments
 
LVL 17

Expert Comment

by:houssam_ballout
0
 
LVL 14

Expert Comment

by:Dhiraj Mutha
Have you tried Malwarebytes? If you haven't, then try it.
Download Malwarebytes' Anti-Malware to your desktop and check for the tool's updates before running a scan.
http://www.malwarebytes.org/mbam.php

If you can't access the above link then use this link:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

If the problem persists, use ComboFix and show us the log.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (antivirus/antispyware, guards and shields) as they could easily interfere with ComboFix.
Double-click combofix.exe and follow the prompts.
When finished, it will produce a log. Please save that log and attach it to your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Best solution: format and reinstall the OS. This is always the better thing to do once your system gets affected with a Trojan/virus/spyware.
0
 

Author Comment

by:thinktechsolutions
I have recently tried to restart the system in safe mode and run the removal tools. Out of all the removal tools I downloaded, only 3 of them would work: fixdwndp, f-downadup, and the F-Secure removal tool, which came up and said infection was possible but could not disinfect. I ran the Microsoft quick scan and it says it doesn't find anything. I'm running the full scan right now. I have tried to access the system in safe mode; I can access the system in safe mode, but I cannot access the removal tools in safe mode. I'm currently going through the system and Program Files directories and not able to find anything, please help. This computer is hooked up to the network and formatting the computer is not an option.
0
 
LVL 59

Expert Comment

by:LeeTutor
0
 
LVL 14

Expert Comment

by:Dhiraj Mutha
I suggest you run ComboFix on the system.
0
 

Author Comment

by:thinktechsolutions
Downloaded ComboFix. Double-clicked ComboFix and nothing happens.
0
 
LVL 14

Expert Comment

by:Dhiraj Mutha
Save the file on the Desktop and then double-click on it.
0
 

Author Comment

by:thinktechsolutions
When I double-click on ComboFix, a small loading box comes up, goes all the way across and then disappears, and that's it, back to the desktop. I'm running ComboFix in normal Windows, not in safe mode; should I be doing it in safe mode?
0
 
LVL 17

Expert Comment

by:houssam_ballout
Try it in safe mode; it should remove a lot of viruses and trojans.

0
 

Author Comment

by:thinktechsolutions
What I had to do was download ComboFix on my laptop and then burn it to a CD. I then took the CD and put it in the infected computer, because the infected computer is taken off the network so it cannot access the internet. I put the CD into the infected computer, opened the CD drive, right-click copy, right-click paste onto the desktop, double-clicked, saw the loading screen go all the way across, and then nothing.
0
 

Author Comment

by:thinktechsolutions
Hang on, going to boot into safe mode, brb.
0
 
LVL 17

Expert Comment

by:houssam_ballout
0
 

Author Comment

by:thinktechsolutions
OK, when I go into safe mode nothing comes up, blank screen. I have to hit Ctrl-Alt-Delete, then I go to File > New Task, then I can click on Browse and go to ComboFix. brb
0
 
LVL 14

Expert Comment

by:Dhiraj Mutha
Try this scan. You can copy it over from another computer if you need to.

Before we start fixing anything you should print out these instructions or copy them to a Notepad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode, and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
Double-click on drweb-cureit.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
Read the "Virus check by DrWeb scanner" prompt and click Ok where asked "Start scan now?". Allow the setup.exe to load if asked by any of your security programs.
The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders.)
If prompted to download the Full version Free Trial, ignore it and click the X to close the window.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured.)
Now put a check next to Complete scan to scan all local disks and removable media.
In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
In the top menu, click File and choose Save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web CureIt when done.
Important! Reboot your computer because it is possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
0
 

Author Comment

by:thinktechsolutions
OK, when I try to run ComboFix in safe mode, in the Processes tab of Task Manager two things come up: the first is a process called "hide c window", the second is swreg.exe, and then after that the ComboFix loading goes away and nothing comes up, but the processes are still running. Going to try the fix that houssam sent me, brb.
0
 

Author Comment

by:thinktechsolutions
I tried to download DrWeb CureIt but it's asking for a username and password.
0
 

Author Comment

by:thinktechsolutions
OK, I'm downloading the file now; the infected computer is already in safe mode. brb
0
 
LVL 14

Expert Comment

by:Dhiraj Mutha
Guide to ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I am working on different solutions; you can try all the possible ways. Try using Malwarebytes.
0
 

Author Comment

by:thinktechsolutions
OK, the file downloaded, going to start scanning. brb
0
 
LVL 59

Expert Comment

by:LeeTutor
Well, I've been hanging around in the background during all this frantic activity, waiting to see if ComboFix or Malwarebytes MBAM will work. But in the meantime, why not take a look at my comment above? It mentions 4 programs aimed specifically toward removing Conficker...
0
 

Author Comment

by:thinktechsolutions
OK, sorry it has taken so long guys, I've taken the computer back to my office to work on. So far ComboFix is not working. LeeTutor, from the website you provided I can only get one of the tools to work, Symantec's Conficker (aka Downadup) tool, and it says the system is clean. The other tools right below this one will not work at all, not in safe mode, not in normal mode. I'm trying to manually remove Conficker, which is what I believe I have, or some other variation of it. One thing I have noticed is that whenever I try to run a removal tool, I open up Task Manager, and whenever the removal tool is executed (like Sophos or NOD or BitDefender) it says "hide c window" in Task Manager; after that it goes away, then swreg.exe comes up and stays on there, and the removal tool disappears.
0
 
LVL 17

Expert Comment

by:houssam_ballout
Have you tried to do a system restore?
0
 

Author Comment

by:thinktechsolutions
No, I haven't tried that, and while looking at the removal instructions for the virus I deleted all my system restore points.
0
 
LVL 59

Expert Comment

by:LeeTutor
Perhaps Conficker checks for the name of the program being run. Try renaming them...
0
 

Author Comment

by:thinktechsolutions
Tried renaming them, that didn't work.
0
 

Author Comment

by:thinktechsolutions
OK, I think I'm starting to make some progress. I located this file in the startup and under the registry: bdpn.exe. I have deleted this file. Now when I'm in safe mode I can run the Dr.Web scanner; I still have to kill the "hide c window" but at least the program is up and is now running. So far it has found c.bat, probably a batch virus, and some programs' exec files, so I hope this thing will finally be clean. I'll let you guys know how it goes, thank you for all the help, I'll report back later.
0
 

Author Comment

by:thinktechsolutions
Hmm, not sure why but it keeps listing about 6 different batch viruses and the program locks up. I've switched the settings to delete instead of cure and rebooted; time to see what happens next.
0
 
LVL 15

Expert Comment

by:xmachine
Hi,

This is my working cure for Conficker infections.

1) To start working, first you need to download the required patches + fix tool:

Windows 2000: http://download.microsoft.com/download/4/a/3/4a36c1ea-7555-4a88-98ac-b0909cc83c18/Windows2000-KB958644-x86-ENU.EXE

Windows 2003: http://download.microsoft.com/download/e/e/3/ee322649-7f38-4553-a26b-a2ac40a0b205/WindowsServer2003-KB958644-x86-ENU.exe

Windows XP: http://download.microsoft.com/download/4/f/a/4fabe08e-5358-418b-81dd-d5038730b324/WindowsXP-KB958644-x86-ENU.exe

Windows Vista SP0 + SP1: http://download.microsoft.com/download/d/c/0/dc047ab9-53f8-481c-8c46-528b7f493fc1/Windows6.0-KB958644-x86.msu

Symantec FixDownadupTool: http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDwndp.exe

2) Create a shared folder on some server to contain the downloaded files (apply read-only permission for all users).

3) Then you can use PsExec (http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) to read a text file that lists the infected machines and run the batch file on each of them using a privileged account like a Windows domain admin.

4) In the batch file, you should replace the server name and shared folder name.

So, for example (run this as domain administrator):

c:\psexec @infected.txt -d -c Clean-Downadup.bat

infected.txt should contain one name/IP per line, like:

...
192.168.1.2
192.168.1.3
192.168.1.4
...

Use netscan to ping a range of IPs and save the results as a text file (http://www.softperfect.com/products/networkscanner/).

Other important points:

1) Review the current password policy; you can configure a Windows GPO that will require a complex password with a minimum number of characters.

http://technet.microsoft.com/en-us/library/cc736605.aspx
http://labmice.techtarget.com/security/passwordsec.htm

2) Use Nessus (http://www.nessus.org/download/), and scan all machines using plugin ID 34476 to check whether they have the MS08-067 patch installed or not. (BTW, you can use a different tool to check for the installed patch, but this is just an example.)
 

A Symantec Certified Specialist @ your service

@echo off
color 0A
ECHO. ***********************************************************************************************
ECHO.                ExtremeSecurity.blogspot.com - Do It Securely or Not At All
ECHO.                                Multi OS W32.Downadup Cleaner v2.0
ECHO. ***********************************************************************************************

REM Select the OS branch from the "ver" banner. Server 2003 reports
REM "Microsoft Windows [Version 5.2.3790]" without the word "2003", so it is
REM matched on its version number (Win2000 is 5.00, XP is 5.1, Vista is 6.0).
ver | find "5.2." > nul
if %ERRORLEVEL% == 0 goto ver_2003
ver | find "XP" > nul
if %ERRORLEVEL% == 0 goto ver_xp
ver | find "2000" > nul
if %ERRORLEVEL% == 0 goto ver_2000
ver | find "Version 6.0.6000" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp0
ver | find "Version 6.0.6001" > nul
if %ERRORLEVEL% == 0 goto ver_vista-sp1
goto exit

:ver_2003
REM Downadup disables the update-related services; re-enable and start them.
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
REM echo Removing all AT created scheduled tasks ...
REM AT /Delete /Yes
REM echo Stopping ^& Disabling Schedule service...
REM sc.exe stop schedule
REM sc.exe config schedule start= disabled
REM The log name is built from the environment variables %COMPUTERNAME% and
REM %USERNAME% (both must be wrapped in percent signs to expand).
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt
copy c:\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt \\ServerName\ShareName\Logs\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsServer2003-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...
shutdown -r -f -c "Rebooting system"
goto exit

:ver_xp
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Error Reporting Service (ERSvc) ...
sc config ERSvc start= auto
echo Starting Windows Error Reporting ...
net start ERSvc
REM Downadup re-infects through AT jobs; remove them and disable the scheduler.
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
REM "^&" keeps the ampersand inside the echo text instead of starting a new command.
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
sc.exe config schedule start= disabled
REM The policy value that disables AutoPlay is NoDriveTypeAutoRun; 0xff covers all drive types.
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt
copy c:\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt \\ServerName\ShareName\Logs\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\WindowsXP-KB958644-x86-ENU.exe /quiet /norestart
echo Rebooting System ...
shutdown -r -f -c "Rebooting system"
goto exit

:ver_2000
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt
copy c:\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt \\ServerName\ShareName\Logs\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows2000-KB958644-x86-ENU.EXE /quiet /norestart
echo Rebooting System ...
shutdown -r -f -c "Rebooting system"
goto exit

:ver_vista-sp0
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
REM Double percent signs store the literal %ProgramFiles% in the REG_EXPAND_SZ value
REM instead of expanding it while the batch file runs; Defender's tray switch is -hide.
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%%ProgramFiles%%\Windows Defender\MSASCui.exe -hide" /f
REM The netsh parameter is autotuninglevel, not autotuning.
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuninglevel=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt
copy c:\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt \\ServerName\ShareName\Logs\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...
shutdown /r /f /c "Rebooting system"
goto exit

:ver_vista-sp1
echo Enabling BITS ...
sc config bits start= auto
echo Starting BITS ...
net start "Background Intelligent Transfer Service"
echo Enabling Automatic Updates ...
sc config wuauserv start= auto
echo Starting Automatic Updates ...
net start wuauserv
echo Checking MS WSUS for any missing updates ...
wuauclt.exe /detectnow
echo Enabling Windows Security Center Service (wscsvc) ...
sc config wscsvc start= auto
echo Starting Windows Security Center ...
net start wscsvc
echo Enabling Windows Defender Service (WinDefend) ...
sc config WinDefend start= auto
echo Starting Windows Defender ...
net start WinDefend
echo Enabling Windows Error Reporting Service (WerSvc) ...
sc config WerSvc start= auto
echo Starting Windows Error Reporting ...
net start WerSvc
echo Removing all AT created scheduled tasks ...
AT /Delete /Yes
echo Stopping ^& Disabling Schedule service...
sc.exe stop schedule
reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x4 /f
echo Disabling "AutoPlay" ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xff /f
echo Restoring Windows Defender startup key ...
reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /t REG_EXPAND_SZ /d "%%ProgramFiles%%\Windows Defender\MSASCui.exe -hide" /f
echo Enabling TCP Receive Window Auto-tuning ...
netsh interface tcp set global autotuninglevel=normal
echo Fixing Downadup infection (Silent mode - Check log file in C:\)...
\\ServerName\ShareName\FixDwndp.exe /SILENT /LOG=c:\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt
copy c:\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt \\ServerName\ShareName\Logs\%COMPUTERNAME%_%USERNAME%_logFixDownadup.txt
echo Patching MS08-067 ...
\\ServerName\ShareName\Windows6.0-KB958644-x86.msu /quiet /norestart
echo Rebooting System ...
shutdown /r /f /c "Rebooting system"
goto exit

:exit

0
 

Author Comment

by:thinktechsolutions
Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:08 AM, on 4/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CAPM1RSK.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AVG\AVG8\avgupd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O1 - Hosts: 80.190.143.230 dl10.freeav.net
O1 - Hosts: 80.190.143.239 dl9.freeav.net
O1 - Hosts: 62.146.66.179 dl8.freeav.net
O1 - Hosts: 62.146.66.178 dl7.avgate.net
O1 - Hosts: 80.190.143.236 dl6.avgate.net
O1 - Hosts: 80.190.143.235 dl5.avgate.net
O1 - Hosts: 62.146.66.184 dl4.avgate.net
O1 - Hosts: 62.146.66.183 dl3.avgate.net
O1 - Hosts: 62.146.66.182 dl2.avgate.net
O1 - Hosts: 62.146.66.181 dl1.avgate.net
O1 - Hosts: 62.146.87.172 dl2.antivir-pe.de
O1 - Hosts: 62.146.87.171 dl1.antivir-pe.de
O1 - Hosts: 62.146.210.32 dl4.pro.antivir.de
O1 - Hosts: 80.190.154.63 dl3.pro.antivir.de
O1 - Hosts: 62.146.210.32 dl2.pro.antivir.de
O1 - Hosts: 62.146.210.31 dl1.pro.antivir.de
O1 - Hosts: 80.190.154.66 dlpro.antivir.com
O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\system32\v199.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\SSTEM~1\smss.exe" -vt ndrv (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\DOCUME~1\Jane\APPLIC~1\RACLE~1\NLOOKU~1.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Xbqbgt] C:\Documents and Settings\Jane\My Documents\W?nSxS\d?xplore.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.08.43&unknown&unknown&http://www.lookingyourbest.com/inamodel/index.html
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://ibg.live.ptsapp.com/systemInfo/ScriptX/smsx.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.3 [ENU]) - http://ddrint13.gmacinsurance.com/ddrint/work/iedpwenu.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll
O20 - AppInit_DLLs: c:\windows\system32\explorer.dll,spool32.dll,C:\WINDOWS\system32\spool32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10290 bytes
0
 

Author Comment

by:thinktechsolutions
Tried running Windows Live OneCare and I get a nice box that came up and said "We are sorry but Internet Explorer has to close, please report the problem to Microsoft".
0
 
LVL 14

Accepted Solution

by:
Dhiraj Mutha earned 500 total points
Comment Utility
You try everything; if it does not work, then try the solution given below.

Last & Best Solution: Format and Reinstall the OS. This is always better to do once your system gets infected with a Trojan/Virus/Spyware.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
Can you redownload and rename Combofix before saving it to your desktop, and see if it runs? It's easier to use a tool to delete bad files than to delete them manually. Let us know if Combofix still won't run after you rename it before saving to your desktop.


A lot of nasties are showing in the log.

You can fix these entries in Hijackthis:
O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\system32\v199.dll (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\SSTEM~1\smss.exe" -vt ndrv (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\DOCUME~1\Jane\APPLIC~1\RACLE~1\NLOOKU~1.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Xbqbgt] C:\Documents and Settings\Jane\My Documents\W?nSxS\d?xplore.exe (User 'SYSTEM')
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?1&6&04.00.08.43&unknown&unknown&http://www.lookingyourbest.com/inamodel/index.html
O18 - Filter hijack: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll  
O20 - AppInit_DLLs: c:\windows\system32\explorer.dll,spool32.dll,C:\WINDOWS\system32\spool32.dll

0
 

Author Comment

by:thinktechsolutions
Comment Utility
Actually I fixed quite a bit more than those; hang on, I'll post my new HijackThis log. I'm trying the ComboFix again, brb.
0
 

Author Comment

by:thinktechsolutions
Comment Utility
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:10 AM, on 4/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\CAPM1RSK.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1SWK.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Jane\Desktop\1.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\Jane\LOCALS~1\Temp\IXP008.TMP\NORTON~1.EXE
C:\WINDOWS\system32\winconfr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [NAV] "C:\Documents and Settings\Jane\Local Settings\Temp\IXP008.TMP\NORTON~1.EXE" /RELAUNCH /RUNONCE
O4 - HKLM\..\Run: [DRar Prosessor] winconfr.exe
O4 - HKLM\..\RunServices: [DRar Prosessor] winconfr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O18 - Filter hijack: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5293 bytes
0
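As an added example (not code from this thread, and not part of HijackThis itself), a small Python helper that applies the kind of reading rpggamergirl did above to the logs posted in this thread: it flags orphaned entries, the O18 filter hijack, AppInit_DLLs, and O4 autoruns that point at bare file names, user-writable locations, or names with characters HijackThis could not print. The sample log is constructed from entries in the posted logs; the flagging rules are this example's own heuristics.

```python
import re

# Constructed sample in the format of the HijackThis logs posted in this thread; the
# entries are taken from those logs, the triage rules below are this added example's own.
SAMPLE_LOG = r"""
O2 - BHO: Yvakt Class - {00172AD1-F4BD-48C0-AEB5-A4CFE4638393} - C:\WINDOWS\system32\v199.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [DRar Prosessor] winconfr.exe
O4 - HKLM\..\Run: [NAV] "C:\Documents and Settings\Jane\Local Settings\Temp\IXP008.TMP\NORTON~1.EXE" /RELAUNCH /RUNONCE
O4 - HKUS\S-1-5-18\..\Run: [Xbqbgt] C:\Documents and Settings\Jane\My Documents\W?nSxS\d?xplore.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter hijack: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\system32\v199.dll
O20 - AppInit_DLLs: c:\windows\system32\explorer.dll,spool32.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# Command on an O4 line: optional quotes around a path or bare file name, then optional args.
O4_CMD_RE = re.compile(r'\] "?([^"]+?)"?(?:\s+/\S.*|\s+-\S.*|\s+\(User.*)?$')

def triage_line(line):
    """Return the reasons an entry deserves a closer look (empty list = nothing flagged)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: the registered component's file is gone")
    if kind == "O18" and "Filter hijack" in body:
        reasons.append("MIME filter hijack: a DLL sits in the text/html handling path")
    if kind == "O20" and body.startswith("AppInit_DLLs"):
        reasons.append("AppInit_DLLs: these DLLs are loaded into every user32 process")
    if kind == "O4":
        cmd = O4_CMD_RE.search(body)
        target = cmd.group(1) if cmd else ""
        if "\\" not in target:
            reasons.append("bare file name: located by path search, not a fixed location")
        if "\\Temp\\" in target or "\\Documents and Settings\\" in target:
            reasons.append("autorun from a user-writable location")
        if "?" in target:
            reasons.append("'?' marks a character HijackThis could not print: name spoofing")
    return reasons

def triage_log(text):
    """Map every flagged log line to its list of reasons."""
    return {ln: r for ln in text.splitlines() if (r := triage_line(ln))}
```

Run over the sample, seven of the ten entries are flagged while the Java, ctfmon and service lines pass clean; the heuristics are a first pass for a human, not a verdict.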
 

Author Comment

by:thinktechsolutions
Comment Utility
Tried renaming the ComboFix to a12.exe, but I think the virus is probably picking up on the ComboFix loading bar.
0
 

Author Comment

by:thinktechsolutions
Comment Utility
The only problem I have with a format and reinstall is that this computer is for writing insurance policies, and if I had to do a format and reinstall it would take the company that installed the software 2-3 days to install it, and that's way too much downtime; otherwise I would have formatted this sucker at the 2nd hour.
0
 

Author Comment

by:thinktechsolutions
Comment Utility
Anybody got an idea of what type of virus this could be? I believe it's way more than one. Has anybody experienced the same type of problems with a virus or spyware before? I've dealt with a lot of spyware and viruses but nothing like this before.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
No, HijackThis can't remove some entries... a new one respawns...

How many antivirus programs do you have, 2 or 3? You only need to have one resident antivirus.
We need to make Combofix run... we'll try something else.
0
 

Author Comment

by:thinktechsolutions
Comment Utility
Actually the only antivirus I got to run was Avira; everything else wouldn't even install. Do you think I could try running ComboFix from a Windows live CD? I also have Malwarebytes and Spybot, but those won't even update; the one I got to update was SUPERAntiSpyware. Thank you for helping me out, this thing is just mind boggling.
0
 
LVL 47

Expert Comment

by:rpggamergirl
Comment Utility
Hi,
Please try the Combofix instructions posted at the PD and see if that works. You don't have to install the Recovery Console but it's recommended.
0
 

Author Comment

by:thinktechsolutions
Comment Utility
Sorry, but what's PD?
0
 

Author Comment

by:thinktechsolutions
Comment Utility
No, I can't even access www.bleepingcomputers.com
0
 

Author Comment

by:thinktechsolutions
Comment Utility
Does somebody have any advice? I can't do anything at this point.
0
 

Author Comment

by:thinktechsolutions
Comment Utility
Thanks for the suggestions, but none of that stuff is working. When I double-click on the programs it just flashes, and the websites don't even come up. I'm lost and have no clue what to do next.
0
 
LVL 3

Expert Comment

by:JMorsch
Comment Utility
I have a similar problem and am working on it... You can run several cleaning apps through the Process Explorer window - if you have Process Explorer, originally from Sysinternals - with the New Task button. Or sometimes you can get things to run when you right-click the app, choose Run As, then select the current user.
0
 
LVL 14

Expert Comment

by:Dhiraj Mutha
Comment Utility
Go thru this:

http://support.microsoft.com/kb/962007

This will resolve your problem.
0
 
LVL 3

Expert Comment

by:JMorsch
Comment Utility
I was able to get combofix.exe to run this way, but it has not helped my problem.
0
 
LVL 14

Expert Comment

by:Dhiraj Mutha
Comment Utility
If even that doesn't work, then I have already told you the best solution.
0
 
LVL 15

Expert Comment

by:xmachine
Comment Utility
Download & run GMER (Antirootkit tool)

http://www.gmer.net/gmer.zip

Extract it to the C: drive

1) Start > run > cmd.exe

c:\gmer.exe      [Enter]

2) Open (Rootkit/Malware) Tab

3) Select all options in the right

4) Click on "Scan"

5) After it finishes scanning, click on "Save" to save the log file somewhere. Please attach it here so we can check it for you.
0
 

Author Closing Comment

by:thinktechsolutions
Comment Utility
Thank you for all your help in this matter. I ended up formatting the computer and praying that I never get that type of virus again LOL
0
