Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Possible infection. Can someone help please.


Re: Possible infection. Can someone help please.

Post by Hiwatt » January 7th, 2008, 12:28 pm

Hi there. Except for borrowing an XP Pro disc, is there no other way I can access my computer? It boots as normal, it's just that there isn't any dialog box where I should enter my password. I don't know anyone with an XP Pro disc and I'm desperate to get my computer back. ANY help would be greatly appreciated. Thank you. (P.S. I'm the only user of the computer and the admin account should still be there.)
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection. Can someone help please.

Post by Hiwatt » January 9th, 2008, 12:45 pm

Hi there, I really need help with this please. I don't have a Windows XP Pro CD. When I enter cd erdnt\subs it's saying the file or directory can't be found. Is there any other way I can get into my computer via the Recovery Console? I've read that you can do a system restore with the Recovery Console but obviously I don't know how to do it. I'd really appreciate it if you could stick with me on this and try and help me to get my computer back. Thank you very much.
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection. Can someone help please.

Post by ndmmxiaomayi » January 10th, 2008, 10:40 am

Hi,

Sorry for the delay. I've missed your reply.

You can do a system restore via recovery console, but it's a tedious process.

1. Boot up to the Recovery Console as per the previous instructions.

2. Type in cd \ and press Enter.

3. Type in cd "System Volume Information" and press Enter.

4. Type in dir and press Enter. You will see _restore long string of numbers and letters.

5. Type in cd _restore long string of numbers and letters and press Enter.

6. Type in dir and press Enter.

7. Inside this folder, you will see RP**, where * are numbers. Type cd RP second biggest number

8. Type in cd snapshot and press Enter.

9. Type in ren %windir%\system32\config\software software.bak and press Enter.

10. Type in ren %windir%\system32\config\system system.bak and press Enter.

11. Type in copy _REGISTRY_MACHINE_SOFTWARE %windir%\system32\config\software and press Enter.

12. Type in copy _REGISTRY_MACHINE_SYSTEM %windir%\system32\config\system and press Enter.

13. Type in exit and press Enter to exit Recovery Console. See if you could boot up and log in. If not, repeat and try the third biggest number or some other numbers for Step 7.
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Possible infection. Can someone help please.

Post by Hiwatt » January 10th, 2008, 11:39 am

Hi there, thanks for replying. I'm glad to report that after a nightmare week, I've now finally got my computer back. A friend was able to access my folders and do a system restore. I now have a program called combobatch running at startup, I think it's something to do with this post. Once my computer's returned to its normal state I'll be leaving it well alone :) What should I do now then? Thank you.
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection. Can someone help please.

Post by ndmmxiaomayi » January 10th, 2008, 11:43 am

I could do nothing for now. Wait till Microsoft gets back to you on the Office issue. Combobatch... hmm... don't know what it's related to.

Can I have a new HijackThis log also?
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Possible infection. Can someone help please.

Post by Hiwatt » January 10th, 2008, 12:25 pm

Hi, I thought the combobatch might be related to combofix? It's running at startup, I've disabled it though. Below is a new HijackThis log. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:23:41, on 10/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1278819140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5457565359
O20 - AppInit_DLLs:
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 4375 bytes
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection. Can someone help please.

Post by ndmmxiaomayi » January 10th, 2008, 12:47 pm

Hi,

Yes, you are right. :)

Please open HijackThis and select Do a system scan only.

Put a check (tick) next to these lines:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O20 - AppInit_DLLs:

Click Fix checked. Close HijackThis.

How's the system now?
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am
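
Added example, not part of the original thread or any poster's code: a Python sketch that parses HijackThis 2.x log lines and flags entries that point at nothing, the kind ticked in the reply above (blank Local Page values, an empty AppInit_DLLs). It also flags "(no file)" targets, which goes beyond what the reply selected; the sample log is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in HijackThis 2.x log format, modelled on the log in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs:
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# An entry line is a section code (R0, O4, O23, ...) followed by " - " and the body.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_entries(log_text):
    """Return (code, body) per entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.rstrip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def dangling_reason(code, body):
    """Say why an entry points at nothing, or return None if it has a target."""
    if body.endswith("(no file)"):
        return "target file missing"
    if code in ("R0", "R1") and re.search(r"=\s*$", body):
        return "empty registry value"
    if code == "O20" and re.fullmatch(r"AppInit_DLLs:\s*", body):
        return "empty AppInit_DLLs"
    return None


def dangling_entries(log_text):
    """List (code, reason) for every entry that has no target."""
    found = ((c, dangling_reason(c, b)) for c, b in parse_entries(log_text))
    return [(c, r) for c, r in found if r]


if __name__ == "__main__":
    for code, reason in dangling_entries(SAMPLE_LOG):
        print(code, "-", reason)
```
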

Re: Possible infection. Can someone help please.

Post by Hiwatt » January 11th, 2008, 5:46 am

Hi there, the computer seems to be running OK, just two things. The entry for combobatch is still there and there's no option to remove it via Add/Remove Programs, and I deleted the Windows Installer file but it won't let me empty it from the recycle bin. It says "cannot delete DC2 access is denied". It won't let me restore it either? Thanks.
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection. Can someone help please.

Post by ndmmxiaomayi » January 11th, 2008, 9:36 am

Hi,

I don't see the Combobatch file running in your log.

As for the other error, it's related to Windows Domain. Is this computer part of a Windows Domain?
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Possible infection. Can someone help please.

Post by Hiwatt » January 11th, 2008, 3:32 pm

Hi there, once I get this problem solved I'll be leaving the computer alone. I'm not part of a Windows domain. This is the Windows Installer that you told me to download to try and update Adobe. It's in the recycle bin but won't let me empty it or move it elsewhere. It's preventing me from emptying the recycle bin at all. Do you think if I did a system restore to before I downloaded it, it would solve the problem? Thanks.
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection. Can someone help please.

Post by ndmmxiaomayi » January 12th, 2008, 12:39 am

Hi,

You can try. Otherwise, you can backup all your files and do a complete reinstall of Windows.
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Possible infection. Can someone help please.

Post by Hiwatt » January 12th, 2008, 10:03 am

Hi, I can't get rid of this Windows Installer file. It's jamming my recycle bin. Any idea how to get rid of it? It's really annoying. I've tried system restore to the day I installed it but it just reappeared on the desktop with the other one still in the recycle bin. Thanks.
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection. Can someone help please.

Post by Hiwatt » January 12th, 2008, 10:20 am

Hi, I'm just trying to tidy up a bit all the stuff that's left over from this fix, then we can leave this alone. There's a folder with the Windows Installer and quite a lot of other stuff in it. It's just called (b46b630505b2e2f349a1d8e6c3). What's this? Thanks.
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm

Re: Possible infection. Can someone help please.

Post by ndmmxiaomayi » January 12th, 2008, 10:31 am

Where is this folder located?

If it's inside C drive, it's a Windows Update.
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Possible infection. Can someone help please.

Post by Hiwatt » January 14th, 2008, 6:08 am

Hi there, I've found out that the above folder was created when I installed the Windows Installer KB893803. Is there any way to get rid of this and the Windows Installer file that's jamming my recycle bin please? Thanks.
Hiwatt
Regular Member
 
Posts: 122
Joined: December 16th, 2007, 12:20 pm