Free Malware Removal Forum

[bob350]

hi i recently installed antivirus pro 2009 onto my laptop thinking that it was a real and legitimate antivirus program. When i found out that it was a virus i removed it - however i didnt buy the program so i only had the scanner (free version) installed. I was able to remove the program after a little while but the popup alert saying that my computer is infected still appears and wont go away. Also none of my antivirus programs open/work and the internet doesnt work properly either (im using another computer posting this), plus i cannot install any new antivirus programs as it wont let me install anything so therefore im kinda stuck and not sure what to do. Ive tried running it in safe mode and the scanners still wont install and open and system restore doesnt work either, however i can use my usb to transfer stuff - it still detects and opens that without any problems.

Please help me and if possible could u describe the steps with detail as im not an expert on computers

Bob

[Dakeyras]

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hi bob350 and welcome to Malware Removal

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

• I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine!.
• The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
• Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Extra note: Please be aware as I am still in training all of my fixes/posts require prior checking by a Expert. So some delays may be inevitable, please be patient and I will reply again asap.

Next:

In the mean time I have a few questions if I may. Please post back with the answers as this will help myself best evaluate a prudent course of action, thank you.

1. Can you inform myself which Operating System your laptop uses and what the other computer has also we have access to.
2. Is it OK to format your USB drive or not?
3. Is the infected computer part of a LAN(Local Area Network)?
4. If yes to the above are you using either a Router or a Hub?
5. Is HijackThis installed at all on the infected computer?

Word of caution: Please keep the infected computer disconnected from the Internet until I state otherwise please, thank you.

[bob350]

Hi Dakeyras, sorry i took so long to post but ive been busy abit, um ok my answers to the questions are:
1.my laptop runs xp professional, and my home computer runs xp home edition
2. not sure why u need to format it- but i guess so, but it works when i plug it in
3. yes but i have a wireless network and i use that instead
4. i have a netgear d-link (dg834g) router
5. no, and i cant install it as it wont let me

[Dakeyras]

Hi

Hi Dakeyras, sorry i took so long to post but ive been busy abit, um ok my answers to the questions are:
1.my laptop runs xp professional, and my home computer runs xp home edition
2. not sure why u need to format it- but i guess so, but it works when i plug it in
3. yes but i have a wireless network and i use that instead
4. i have a netgear d-link (dg834g) router
5. no, and i cant install it as it wont let me

No problem and thank you for answering my questions.

As to why I asked if OK to format your USB drive. This I enquire about as a matter of course for both safety reasons and to ensure we have enough storage space available for the downloading and transferring of any specific applications I may need to use.

Please be patient and I will post back with a suitable course of action

[bob350]

ok then, no problem

[Dakeyras]

Hi

It may prove beneficial if you print of the following instructions or save them to notepad.

We will be using the Non Infected computer you mentioned in your last post we have available for use and the USB Flash/Thumb Drive.

Please boot-up/start(if not running) the aforementioned computer.

• Please download Flash_Disinfector and save it to the desktop.
• Do not use this yet! We will be shortly.

Next

• Attach the USB Flash/Thumb Drive
• Double click on the desktop icon My Computer or if not present Start >> My Computer
• Make a note of the drive letter assigned to your USB Thumb Drive. For example it may be as follows: USB (E:)
• Now go to Start >> Run and type in the following exactly:
• Format X: <--- substitute X with the previously noted USB Thumb Drive drive letter designation and make sure to include : (colon) also
• Now click on OK
• Now the C:\Windows\system32\format.com window will launch.
• The wording will be something similar to the below:

Insert a new disk for drive X:
and press Enter when ready....

• Ignore this part and just hit the Enter key
• The format will now begin.
• At the prompt Volume label (11 characters, ENTER for none)?
• Either name your drive what you wish, say bob350 for example or just hit the Enter key
• Your USB Thumb Drive is now formatted and if it was infected, it should now be clean.

If for any reason you could not carry out the above, please perform the following instead:

Remove your USB/FlashDrive safely from the Non Infected computer.

• Double click on Flash_Disinfector click to run it.
• You will be prompted to plug in your flash/usb drive. Plug it in.
• Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
• When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
• Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Next:

Please download the following to your Flash/USB Drive:

• Fix Policies
• GMER
• HiJackThis
• Random's System Information Tool
• Do not use the above yet!

Next:

Remove your USB/FlashDrive safely from the Non Infected computer.

Next:

Note: Keep your infected computer offline during all of the below. Any logs/reports requested will have to be saved to your USB Drive.

• Make sure your infected computer is switched off and connect your USB Thumb Drive.
• Now boot it up in to Normal Mode.
• Navigate to your USB Thumb Drive

Next:

• Navigate to your USB/Flash Drive again
• Click once on Fix Policies to highlight it
• Now under File and Folder Tasks
• Select Move this file
• In the Move Items that appears select Desktop and click on the Move button

Now carry out the same above procedure so that the following also are on the Desktop of your Infected Computer:

• HJTInstall.exe
• gmer.zip
• RSIT.exe

Next:

• Double-click on FixPolicies.exe.
• Click the "Install" button on the bottom toolbar of the box that will open.
• The program will create a new Folder called FixPolicies
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
• A black box should briefly appear and then close.

Next:

• Double-click on HJTInstall.exe.
• Choose the default location of C:\Program Files\Trend Micro\HijackThis as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
• Click the Install button.
• Accept the license agreement .
• The progam will place a shortcut on your desktop. This will make it easier for you to access the tool when required.
• Now close the application as we do need to use this yet!

Next:

• Double click on the desktop RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open:
  
  • log.txt will be opened maximized.
  • info.txt will be opened minimized.
• Please save the contents of both log.txt and info.txt to your USB/Flash Drive.

Next:

• Unzip gmer.zip it to a folder on your desktop
• Double click on gmer.exe to launch GMER
• If asked, allow the gmer.sys driver load
• If it warns you about rootkit activity and asks if you want to run scan, click OK
• If you don't get a warning then
  
  
  
  • Click the rootkit tab
  • Click Scan
  
  
• Once the scan has finished, click copy
• Paste the log into notepad using Ctrl+V
• Save it to your desktop as gmerrk.txt
• Click on the >>> tab
• This will open up the rest of the tabs for you
• Click on the Autostart tab
• Click on Scan
• Once the scan has finished, click copy
• Paste the log into notepad using Ctrl+V
• Save it to your desktop as gmerautos.txt
• Now please save/transfer both logs to your USB/Flash Drive.

Power down switch of your infected computer, then remove your USB/Flash Drive.

Now please return to the Non Infected computer we have access to, power up if switched off then:

Flash_Disinfector

• Double click to run it.
• You will be prompted to plug in your Flash/USB Drive. Plug it in.
• Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
• When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
• Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

When completed the above, please post back the following:

• Both GMER logs.
• Both RSIT logs

[Dakeyras]

Hi

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.

[NonSuch]

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.