PC Hijacked

June 14, 2009 at 20:21:53
Specs: Windows XP, 4CPU 3.00GHz 512MB
Hi,

My desktop background has changed to "WARNING YOURE IN DANGER YOUR COMPUTER IS INFECTED WITH SPYWARE ......Secure yourself now and remove all spyware from your PC."

It started when I got a virus alert from Avast, I clicked on delete as I have done successfully in previous times but this time the message kept coming up.

Now I am not able to open any programs, websites, log on, or anything else. I have a new icon (System Security Version 4.51) on the right bottom task bar with a warning "Application cannot be executed. The file aswUpdSv.exe is infected. Please activate your antivirus".
Also a "System Security" window keeps popping up, it starts scanning and lists viruses and trojans. I keep clicking on "Stop" the scan and then on "continue unprotected" but I cant get rid of it. I tried to run the antispyware but none would work.

Please Please help !


Programs:
AVast 4.7 Home Edition
CCleaner
Spybot
Adaware
SuperAntispyware
Spyware Blaster




#1
June 14, 2009 at 20:36:01


#2
June 14, 2009 at 20:42:05
Yes anything that would work.


#3
June 14, 2009 at 20:55:22
Hi,
Note: I can help you remove the virus manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below.

i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Can you also make a new HijackThis log and upload it to rapidshare.com. HijackThis: Here

If I'm helping you and I don't reply within 24 hours send me a PM.



#4
June 14, 2009 at 23:59:54
Also try to do a restore on your system; that might help. Also scan your system to remove the problem completely.

Want A Weekly Update on Latest System Security Problem http://www.systemsecurityinstitute.org



#5
June 15, 2009 at 04:51:47
Hi,

I am not able to run AVZ.exe.
I saved HijackThis on my desktop and clicked on "run" but nothing happens.



#6
June 15, 2009 at 04:58:46
Try this set of logs. Make sure you redownload AVZ:

1) Can you please post your AVZ log:
Note: Run AVZ in windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below.

i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and Run DDS which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

If I'm helping you and I don't reply within 24 hours send me a PM.



#7
June 15, 2009 at 05:26:15
I was not able to run AVZ after downloading it again. I clicked on the DDS tool link then "run" but nothing happens either.


#8
June 15, 2009 at 05:34:37
Try to run both in safe mode.

If I'm helping you and I don't reply within 24 hours send me a PM.



#9
June 15, 2009 at 06:23:50
Finally worked in safe mode :)

http://rapidshare.com/files/2448029...

http://rapidshare.com/files/2448029...



#10
June 15, 2009 at 06:36:07
Wrong file for the first one it should be: virusinfo_syscure.zip please read instructions carefully.

If I'm helping you and I don't reply within 24 hours send me a PM.



#11
June 15, 2009 at 06:42:16
Sorry about that

http://rapidshare.com/files/2448089...



#12
June 15, 2009 at 07:04:45
Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
  SetAVZGuardStatus(True);        // enable AVZGuard so the malware cannot interfere with the cleanup
  SearchRootkit(true, true);      // look for kernel-mode and user-mode rootkit hooks
  // copy the suspect files to quarantine first, so they can be uploaded for analysis
  QuarantineFile('C:\WINDOWS\system32\userinit.exe','');
  QuarantineFile('C:\windows\ld09.exe','');
  QuarantineFile('C:\Documents and Settings\All Users\Application Data\90717336\90717336.exe','');
  QuarantineFile('C:\Documents and Settings\All Users\Application Data\10707344\10707344.exe','');
  QuarantineFile('C:\WINDOWS\system32\wmmest.dll','');
  // then delete the malware files (userinit.exe is only quarantined, not deleted)
  DeleteFile('C:\WINDOWS\system32\wmmest.dll');
  DeleteFile('C:\Documents and Settings\All Users\Application Data\10707344\10707344.exe');
  DeleteFile('C:\Documents and Settings\All Users\Application Data\90717336\90717336.exe');
  DeleteFile('C:\windows\ld09.exe');
  BC_ImportAll;                   // hand the deletions to BootCleaner in case files are locked
  ExecuteSysClean;                // run the AVZ system cleanup
  BC_Activate;                    // BootCleaner finishes the deletions at the next boot
  SetAVZPMStatus(True);           // enable the AVZPM process monitor
  RebootWindows(true);
end.

2) After reboot execute following script in AVZ:

begin
  CreateQurantineArchive('C:\quarantine1.zip');   // pack the quarantine folder into one zip
end.


A file called quarantine1.zip should be created in C:\. Upload that file to rapidshare.com and private message me download link.

3) Boot into normal mode, rerun AVZ and try to create a new log from normal mode.

If I'm helping you and I don't reply within 24 hours send me a PM.


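A defender-side check for the indicators that the AVZ script above quarantines, written as an added Python example that is not from the thread or from AVZ; the sample tree, its placeholder bytes and the single "WINDOWS" casing are assumptions made so it runs offline.

```python
"""Detection check for the rogue-AV file layout in this thread's AVZ script.
Added example (not from the thread or AVZ): finds an all-digit folder under
All Users\\Application Data holding an .exe of the same name, the loose files
ld09.exe and system32\\wmmest.dll, and hashes userinit.exe for comparison
with a known-good copy. Run against a Windows root or the sample tree here."""
import hashlib
import re
import tempfile
from pathlib import Path

DIGIT_DIR = re.compile(r"^\d{6,10}$")
# Loose indicators from the AVZ script above, relative to the Windows root. One casing
# is used so the sample tree also works on a case-sensitive filesystem.
LOOSE_IOCS = [Path("WINDOWS/ld09.exe"), Path("WINDOWS/system32/wmmest.dll")]

def find_numeric_dropper_dirs(root):
    """Return <digits>\\<digits>.exe paths under All Users\\Application Data."""
    appdata = root / "Documents and Settings" / "All Users" / "Application Data"
    hits = []
    if appdata.is_dir():
        for entry in appdata.iterdir():
            if entry.is_dir() and DIGIT_DIR.match(entry.name):
                exe = entry / f"{entry.name}.exe"
                if exe.is_file():
                    hits.append(exe)
    return hits

def scan(root):
    """Sorted, root-relative (posix style) list of every indicator present."""
    found = find_numeric_dropper_dirs(root)
    found += [root / p for p in LOOSE_IOCS if (root / p).is_file()]
    return sorted(p.relative_to(root).as_posix() for p in found)

def userinit_sha256(root):
    """SHA-256 of system32\\userinit.exe (None if absent) to check against a clean copy."""
    target = root / "WINDOWS" / "system32" / "userinit.exe"
    return hashlib.sha256(target.read_bytes()).hexdigest() if target.is_file() else None

def build_sample_tree():
    """Constructed sample tree mimicking the infected layout; placeholder bytes, no real binaries."""
    root = Path(tempfile.mkdtemp())
    appdata = root / "Documents and Settings" / "All Users" / "Application Data"
    for name in ("90717336", "10707344"):  # dropper folders named in the AVZ script
        (appdata / name).mkdir(parents=True)
        (appdata / name / f"{name}.exe").write_bytes(b"MZ placeholder")
    (appdata / "12345678").mkdir()  # decoy: all digits but no matching .exe
    (appdata / "12345678" / "notes.txt").write_text("benign")
    sys32 = root / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    (sys32 / "wmmest.dll").write_bytes(b"placeholder dll")
    (sys32 / "userinit.exe").write_bytes(b"placeholder userinit")
    (root / "WINDOWS" / "ld09.exe").write_bytes(b"placeholder exe")
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in scan(sample):
        print("indicator present:", hit)
    print("userinit.exe sha256:", userinit_sha256(sample))
```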

#13
June 15, 2009 at 08:24:45
Still need Response Number 12 Part 3) (redo Response Number 6) in normal mode.

If I'm helping you and I don't reply within 24 hours send me a PM.



#14
June 15, 2009 at 08:32:23
Done step 1 and 2. Then I went back to normal mode; the desktop screen that I had before is back, though all my folders have disappeared, including the task bar. Everything is gone, just a blank page!!!


#15
June 15, 2009 at 08:36:55
Run this in safe mode:

Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

If I'm helping you and I don't reply within 24 hours send me a PM.



#16
June 15, 2009 at 10:30:57
I want to make sure before running Combofix: does it matter if it is in safe mode or safe mode with networking?


#17
June 15, 2009 at 10:36:12
No, it doesn't make a difference; whichever loads is fine.

If I'm helping you and I don't reply within 24 hours send me a PM.



#18
June 15, 2009 at 11:08:19
I am sorry but I am still stuck trying to figure out how I can disable avast ... the avast icon does not appear in safe mode. I tried to go to start - properties - taskbar - clicked on show always for the avast icon - then unclicked hide inactive icons.
I have never used safe mode before so I am not really familiar with it, but I will try to figure it out and will send the log soon.


#19
June 15, 2009 at 11:13:28
It's ok, continue. I doubt avast is loaded in safe mode if you don't see an icon for it in the task bar.

If I'm helping you and I don't reply within 24 hours send me a PM.



#20
June 15, 2009 at 11:37:17
Actually I thought it might be the case but when I clicked on combofix I got a warning:

Combofix has detected the following real time scanner(s) to be active : antivirus :avast! antivirus 4.8.1335 [VPS 090615-0]

Antivirus and intrusion prevention programs are known to interfere with Combofix's running. This may lead to unpredictable results or possible machine damage Please disable these scanner before clicking OK

Of course, I have not clicked on OK but am trying to figure out how to disable it.



#21
June 15, 2009 at 12:36:29
You can start avast and disable it (Stop On-Access Protection). If you can't find it, try to uninstall avast and reinstall it later. If you're not able to uninstall in safe mode, press OK and continue with Combofix.

If I'm helping you and I don't reply within 24 hours send me a PM.



#22
June 15, 2009 at 14:08:54
Finally, uninstalled avast and started the Combofix scan.

A window appeared "This machine does not have the microsoft windows recovery console installed. Without it , Combofix shall not attempt the fixing of some serious infections.

Note : This requires an active internet connection.
Should I click Yes or No ???

I am in safe mode now, if yes is it still possible to change to safe mode networking without any harm?

Sorry to bother you so much but it is a bit confusing for me



#23
June 15, 2009 at 14:13:22
It's a good idea to have the Recovery Console. I suggest you install it. However, if you can't install it you can continue without it. To install it you will follow the directions Combofix gives you. You will need internet to download it from the Microsoft site.

You can read about recovery console here: http://en.wikipedia.org/wiki/Recove...

If I'm helping you and I don't reply within 24 hours send me a PM.



#24
June 15, 2009 at 17:12:42
I was able to successfully run the Combofix scan and got a log. I wanted to reboot, then upload to rapidshare.

I could not restart the computer at all. I left it for hours and tried several times but no luck. When I press on the power button, the 4 diagnostic lights blink green and yellow for a few seconds then off.

I looked at the owner's manual and did some search on the net .... few suggestions which I did such as reinstalled USB devices , checked cable connection.

I read that if the computer is in a power saving mode (which I think mine is) one should press the power button, move the mouse or press a key on keyboard to wake the computer but that did not work either.

Sorry to trouble you even more but I really don't know what else to do. Any suggestions? Sorry about all this mess.



#25
June 15, 2009 at 17:25:41
Hardware problems are hard to diagnose over the internet; it could be any number of problems. Try the hardware section on this forum. Once you are back up and running, let me know so we can continue with the removal process.

If I'm helping you and I don't reply within 24 hours send me a PM.



#26
June 16, 2009 at 11:41:55
Hi,

This morning I was able to start my PC just fine. I wanted to send you the Combofix log, but when I logged on to safe mode nothing is there, a blank page with no folders or task bar. The same thing happened when I logged in normal mode too!



#27
June 16, 2009 at 11:45:01
Can you get to command prompt or Start Run? Follow: http://www.updatexp.com/scannow-sfc... run "sfc /scannow".

If I'm helping you and I don't reply within 24 hours send me a PM.



#28
June 16, 2009 at 12:32:26
No I can't. In normal mode I get to the desktop background that I have always had, but there is nothing to click on, completely empty. In safe mode I get to a black background with safe mode written on it in each corner, but nothing too.

I was wondering, when I log into safe mode ...there are two choices now when asked to select the operating system to start: 1) Microsoft Windows Recovery Console 2) Microsoft Windows XP Home Edition. I have clicked on option 2.
Should I try option 1 ...would that help?



#29
June 16, 2009 at 12:39:23
You can try to recover and go back. However, I really suggest you format and reinstall because your system files seem affected by whatever was on your system. Also get your hardware checked for possible malfunction.

If I'm helping you and I don't reply within 24 hours send me a PM.



#30
June 16, 2009 at 13:27:36
I found a way to get to command prompt and I typed Http://www.updatexp.com/scannow-sfc...

It said "http:" is not recognized as an internal or external operable program or batchfile.

I tried without http ...same message



#31

#32
June 16, 2009 at 14:44:01
C:\Documents and settings\ Alwazir:sfc:scannow
I get this message

Windows file protection could not initiate a scan of protected system files. The specific error code is 0.000006ba [The RPC server is unavailable]

It's strange, before I type my password to log on to the system ... it still states the number of my emails every time ..maybe that does not mean anything ....



#33
June 16, 2009 at 14:47:19
Where did you look for the Combofix log?

If I'm helping you and I don't reply within 24 hours send me a PM.



#34
June 16, 2009 at 14:53:56
I don't know how or where to do that.
The only place I was able to get to is the command prompt, by logging on to safe mode with command prompt.


#35
June 16, 2009 at 15:22:41
There isn't much you can do with the command prompt. Try running chkdsk /f; if that doesn't let you log in to safe mode properly, the only other way is to reinstall Windows.

If I'm helping you and I don't reply within 24 hours send me a PM.



#36
June 16, 2009 at 15:40:59
ok, will run chkdsk /f now

I also tried to go into the Microsoft Windows XP Recovery Console in safe mode with command prompt .....it asks which Windows installation you would like to log onto ....two options: 1) C:\windows or exit. I typed 1 and got C:\windows>

Can I do something here, or is it the same thing as the command prompt?



#37
June 16, 2009 at 15:49:25
http://pcsupport.about.com/od/fixth... - Follow instructions there and try to restore earliest possible date.

If I'm helping you and I don't reply within 24 hours send me a PM.



#38
June 16, 2009 at 16:34:53
Finally :)

I was able to restore to the earliest possible date it allowed, March 17, 2009.

Here is the Combofix log:

http://rapidshare.com/files/2453653...



#39
June 16, 2009 at 16:45:57
First run: Response Number 31

If I'm helping you and I don't reply within 24 hours send me a PM.



#40
June 16, 2009 at 17:27:42
Done ...ran sfc /scannow successfully


#41
June 16, 2009 at 17:31:42
Please follow these steps in the order numbered and post the summary log after each step.

1) If you use Windows System restore, turn it off > reboot. How to turn it off/on: http://support.kaspersky.com/faq/?q... Run a full scan with:

Download and run Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool:

# Check below options:

    * Select all the objects/places to be scanned. 

# Click Scan
# Fix what it detects
# Attach Scan log/Summary to your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

2) Run a full scan with http://www.eset.com/onlinescan/

# Check the box next to YES, I accept the Terms of Use.
# Click Start
# When asked, allow the activex control to be installed.
# Click Start
# Check below options:

    * Remove found threats
    * Scan archives
    * Scan for potentially unwanted applications (Advanced Settings).
    * Enable Anti-Stealth technology (Advanced Settings).

# Click Scan
# Wait for the scan to finish
# When it finishes it will create a log file here: C:\Program Files\ESET\ESET Online Scanner\log.txt
# Attach this logfile to your next message.

Illustrated tutorial: http://img155.imageshack.us/img155/...

Note: Turn system restore back on, if you wish; this is to remove malware from the System Volume Information files.

3) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log and fix anything detected.

4) House cleaning. Run a full scan with SuperAntispyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.



#42
June 16, 2009 at 21:23:49
Here is the first log you requested:

http://rapidshare.com/files/2454142...

It took a while to scan; it's getting real late, so I will post the other 3 first thing.



#43

#44
June 17, 2009 at 06:55:26
Go to Windows Update and install all the security patches. Then follow:

1) http://onecare.live.com/site/en-Us/...

2) http://onecare.live.com/site/en-Us/...

3) Install your antivirus back and run a full scan with it.

You're done!! No need to report back, only if you still have a malware problem.

If I'm helping you and I don't reply within 24 hours send me a PM.



#45
June 17, 2009 at 09:40:30
Hi Neoark,

Thank you sooo much for your help and your patience. Truly truly appreciate it.

Is it a good idea to flush and set a new restore point?

One more thing :)
The following programs are already on my PC. Kindly, would you suggest any changes or additions to antispyware / adware programs?

CCleaner
Spybot
Adaware
SuperAntispyware
Spyware Blaster


Should I keep these 2 programs to scan once in a while, or delete them?
Malwarebytes Anti-Malware and Kaspersky AVP tool

take care
maysa




#46
June 17, 2009 at 09:45:42
If you followed Response Number 41 it already deleted your old restore points.

Uninstall: Spybot, Adaware and Spyware Blaster.

Keep 1 antivirus and another malwarebytes/superantispyware.

Uninstall and delete the Kaspersky AVP tool, as it doesn't have an update feature; it's only meant to be used on a one-time basis.

If I'm helping you and I don't reply within 24 hours send me a PM.

