Fake security pop up -- even in safe mode.

Status
Not open for further replies.
Starting 2 days ago I started getting fake security pop ups about viruses infecting the machine with links to a website for security software. Internet Explorer also started by itself numerous times trying to get me to follow links. I followed the directions in a previous post here:

https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

and followed all the directions. While doing some of the scans in safe mode, I continued to get the pop ups. After completing all the instructions I have just restarted this computer in normal mode and immediately got a message from Internet Explorer that I was not connected to the internet: work offline or try again. That was the last thing that has happened. I have not gotten any of the popups or Explorer starting. (yet)

Here are my logs... I would appreciate any help/advice you can give.

Thanks
Dan

Attachments didn't post... I'll try it again.
 
Delete all files in AVG Antispyware quarantine.

Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there):

Bodog Poker

Close control panel.


Open Notepad and copy/paste the text in the code box below into it:
NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).
Code:


File::
C:\WINDOWS\SYSTEM32\xxyayyy.dll
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\iifghgg.dll
C:\WINDOWS\system32\rnamxwsz.dll.vir
C:\WINDOWS\system32\jemwlicy.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\cbxvssr.dll.vir
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\system32\vturr.dll

Folder::
C:\Program Files\Bodog Poker
C:\VundoFix Backups
C:\qoobox
C:\WINDOWS\system32\Mz18r
C:\Temp\mZOr

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Host Process"=-


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"="msv1_0"
Save this as "fix.reg". Choose to save as *all files* and place it on your desktop.

Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.

Regards Howard :)

This thread is for the use of danpf only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Done...

However, when ComboFix was finishing and restarting Windows an error message came up in a box:

"nircmd.cfexe dll init failed"
It said it was because Windows was shutting down.

Here are the logs.
 
Open Notepad and copy/paste the text in the code box below into it:
NOTE* Make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).
Code:


File::
C:\x.dat
C:\Documents and Settings\Dan Fairbanks\x.dat
C:\winlogon.exe
C:\Documents and Settings\Dan Fairbanks\z.dat
C:\n.bat
C:\z.dat
C:\WINDOWS\system32\pmkhg.dll

Folder::
C:\qoobox
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyayyy]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkhg.dll


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

This thread is for the use of danpf only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
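As an added, defender-side check that is not part of the thread or of ComboFix itself: the two scripts above repair three persistence points (the LSA "Authentication Packages" value, Winlogon\Notify DLLs, and the Run key). The PowerShell below audits those same three locations on a machine and reports anything that is not the expected msv1_0 package or a validly signed binary. It assumes a default installation where msv1_0 is the only authentication package; adjust $ExpectedAuthPackages if your build legitimately adds others.

```powershell
# Audit the three persistence locations touched by the fixes above.
# Assumption: msv1_0 is the only legitimate LSA authentication package on this build.
$ExpectedAuthPackages = @('msv1_0')
$Findings = @()

# 1. LSA Authentication Packages (REG_MULTI_SZ): every entry is loaded into lsass at boot,
#    so anything besides msv1_0 (e.g. a bare DLL path) deserves a look.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
       -Name 'Authentication Packages' -ErrorAction SilentlyContinue
if ($lsa) {
    foreach ($pkg in @($lsa.'Authentication Packages')) {
        if ($ExpectedAuthPackages -notcontains $pkg.Trim()) {
            $Findings += [pscustomobject]@{ Location = 'LSA Authentication Packages'; Value = $pkg }
        }
    }
}

# 2. Winlogon\Notify subkeys: winlogon.exe loads each DllName at logon, which is how the
#    "xxyayyy" entry in the script above kept reloading even in safe mode.
$notifyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem -Path $notifyPath -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath -Name 'DllName' -ErrorAction SilentlyContinue).DllName
    if ($dll) {
        # A bare file name is resolved relative to system32, as winlogon does.
        $full = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "system32\$dll" }
        $sig = if (Test-Path $full) { (Get-AuthenticodeSignature $full).Status } else { 'FileMissing' }
        if ($sig -ne 'Valid') {
            $Findings += [pscustomobject]@{ Location = "Winlogon\Notify\$($_.PSChildName)"; Value = "$full ($sig)" }
        }
    }
}

# 3. Run key: report values whose target is missing or unsigned (the "Host Process" entry above).
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        # Take the quoted executable if present, otherwise the first whitespace-delimited token
        # (unquoted paths containing spaces will be truncated; that itself is worth a manual look).
        $exe = ($_.Value -replace '^"([^"]+)".*$', '$1' -split '\s+')[0]
        $sig = if (Test-Path $exe) { (Get-AuthenticodeSignature $exe).Status } else { 'FileMissing' }
        if ($sig -ne 'Valid') {
            $Findings += [pscustomobject]@{ Location = "Run\$($_.Name)"; Value = "$($_.Value) ($sig)" }
        }
    }
}

$Findings | Format-Table -AutoSize
```

Run it from an elevated prompt; an empty table means all three locations hold only the expected package and signed binaries, while any row is a candidate for the kind of CFScript entry shown in the posts above.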
 
All clean.

Delete the following folder.

C:\qoobox.

Turn off System Restore (XP/ME only). See how HERE.

Now, turn System Restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of danpf only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Thanks tons for all your help!!!!!

You guys are GREAT!

This thread is now closed. If you need this thread unlocking, please PM a moderator with a link to the thread.

Only the original thread starter can do this. Anyone else will be ignored.