HELP! with my computer virus

Status
Not open for further replies.
Dear Howard,
Well PREVX1 did nothing to remove the UCleaner, even though it claimed it would. Oh well. Also, I tried your other suggestion; using HJT to FIX the 04, and 06 lines. It also did not work... 06 restrictions present, and 06 control panel pu resent were FIXed, yet the UCleaner remains. Let me know if you if you have another idea to remove it. I am posting a fresh HJT for your viewing pleasure.
Thank you for the help,
Davidstl
 
If you haven`t done so already, uninstall PREVX1.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Ultimate Cleaner

Close control panel

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

RT73o2aEZ2[1].exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKCU\..\Run: [Ultimate Cleaner.install] "C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ\ucleaner_RT73o2aEZ2[1].exe" continue

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Documents and Settings\The Currie's\Local Settings\Temporary Internet Files\Content.IE5\SFQ9A7QZ<Delete the entire folder if you can.

Search your system for Ultimate Cleaner and delete all references found if you can.

Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Click edit and choose find. Type Ultimate Cleaner into the dialogue box and click the find next button. Regedit will now search your registry for any entries that contain a reference to Ultimate Cleaner and display them in the righthand pane. Right click on any such Ultimate Cleaner entries and choose delete.

Now click edit again and choose find next. Again, delete any entries that reference Ultimate Cleaner.

Repeat the above, until no more Ultimate Cleaner entries are found.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let me know the results.

Regards Howard :)

This thread is for the use of davidstl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Dear Howard,
Okay, I followed your instructions in the last post and the regedit seems to have deleted the u_cleaner. Finally. And I'm posting my new HJT log for you. I want to say thank you. This has really been a learning experience.
And I will Uninstall PREVX1. It sucks anyway. What will happen to Quarintined items when I Uninstall? They won't get placed BACK on my computer, will they?
Thanks again,
Davidstl
 
Your HJT log is now clean.

I`m sorry it took so long to get rid of that bugger, but I`ve never come across it before.

You shouldn`t have any problems in uninstalling PREVX1, if the backups are left behind, just delete them.

Regards Howard :)

This thread is for the use of davidstl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Dear Howard,
Thanks for your help. You really know your stuff. And thanks for making my directions easy to follow. I'll let you know if I have any more problems. I think the U_Cleaner was hiding in something called Add New Hardware Wizard\Parallel Device. There was an yellow or red question mark icon or something next to it too. Anyway, thanks again for your help.
davidstl
 
I Need Howards Help

Dear Howard,
I uninstalled AVG AntiVirus in order to try out Avast AntiVirus for awhile.
I did not like the way Avast worked, so I quickly uninstalled IT... And now I have redownloaded AVG but the software will not extract or open up onto my desktop, even though the Wizard says that AVG has been successfully installed. Do you have any idea why AVG is giving me a hard time?
Davidstl
 
I Need Howards Help

Dear Howard,
I just tried the new AVG link you provided, but with no luck. My computer says: "AVG has been successfully installed", but I can't locate it on my Desktop or in my Start Button menu. I am at a loss here. If it is on my computer I would like to run it.
Also, I ran an AVG AntiSpyware scan today and along with 37 tracking cookies it found 3 high risk threats which it Quarantined. Why Quarantine instead of Delete? The threats found are:
c:\windows\system32\durvilz.exe
c:\systemvolumeinformation\_restore{DOBCD2DC-86DF-4E42-9CAA-96BECF3A6981}\RP844\AO235941.exe
c:\documentsandsettings\localservice\localsettings\temp\~ds39990.tmp

The AVG AntiSpyware called these threats a: Trojan.Durvil
I wanted to know if they can be safely deleted or should they remain in Quarantine?

Thanks for responding so quickly,
Davidstl
 
I have mreged your thread into this one.

Something`s obviously not right, so we need to run the full monty on your system again, I`m afraid.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, Combofix and AVG Antispyware logs as attachments into this thread, only after doing the above.

Regards Howard :)

This thread is for the use of davidstl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Dear Howard,
I am home from work again today due to snow and ice; so i have time to work on this. I am going to begin running the scaners and tools you provided. I will get back to you with the results and post a series of logs.
Thanks for your help,
Davidstl
PS I WAS getting a error message at start-up saying:
Installer initialization failed due to following error:
Error initialization of the language file "c:\programfiles\grisoft\AVG7" failed
General failure
However, I am no longer getting that message
 
Dear Howard,
That all took some time, but I have the HJT, ComboFix, and AVGAntiSpy logs. I had a problem with Look2Me. I never ran. I would double click its icon and nothing, so I would try again this time checking the box "run this program as a task" and still nothing happened...
And still no luck with AVG AntiVirus.
Davidstl
 
Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.linksummary.com/

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Click on the fix checked button.

Close HJT and reboot your system.

Other than the above, your HJT log is clean.

Your HJT log shows quite clearly that you`re running the AVG antivirus programme. therefore, I`m not sure what the problem is.

Regards Howard :)

This thread is for the use of davidstl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Dear Howard,
Please walk me through a method of removing AVG Anti Virus. My computer says AVG is running, but I can't find it. It's in my Add\Remove program list, but I can't Add OR Remove it for some reason. And now I can't even use Avast Anti Virus or Yahoo Anti Virus. They claim they can't install and run until I remove the AVG Anti Virus. Which I DON'T have working. When I attempt to Uninstall AVG I get this message:
Installation Failed. Error Initialization of the language file "c:\programfiles\grisoft\AVG" failed. General failure.
Huh? I was UNinstalling.
Any recomendations?
Davidstl
 
Ok, lets disable and remove it manually.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

AVG E-mail Scanner (AVGEMS)
AVG7 Update Service (Avg7UpdSvc)
AVG7 Alert Manager Server (Avg7Alrt)
AVG Anti-Spyware Guard

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

guard.exe
avgamsvr.exe
avgupsvc.exe
avgemc.exe
avgas.exe
avgcc.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\System32\NavLogon.dll
C:\PROGRA~1\Grisoft\AVG7<Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

This thread is for the use of davidstl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Dear Howard,
I Disabled, Deleled, and Fixed what I could, but there where some errors.
Firstly, I still can not use any AntiVirus software because I'm told I'm already using AVG AntiVirus. The other two problems occured while tring to delete the NavLogon.dll and the AVG7 files and folders.
Concerning NavLogon.dll...
Error Deleting File or Folder
can not delete NavLogon: Access is denied. Make sure the disk is not write-protected and that the file is not currently in use.
Concerning AVG7 files...
c:\programfiles\grisoft refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is properly inserted, or that you are connected to the internet or your network, and then try again. If it still can not be located, the information might have been moved to a different location.
I am not a computer person, so I don't understand these messages. I'm attatching a fresh HJT log.
davidstl
 
The next thing to do is uninstall the Yahoo antivirus from add remove programmes.

C:\Program Files\Yahoo!\Antivirus

Then, try doing a system restore to before you installed avg. Obviously, somethings gotten corrupted somewhere. maybe a system restore will sort it out.

Let me know the results please and post a fresh HJT log.

Regards Howard :)

This thread is for the use of davidstl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Dear howard,
I have uninstalled the Yahoo security software and I "attemped" a System Restore, but I don't really know what that is. I had to search it first, and I'm not sure what it did, if anything. Also, in my searching I discovered the problem file was AVGSE.DLL. A Yahoo search page suggested I move the avgse.dll file from my Program Files to My Documents BEFORE trying to delete or remove it from my system. This WORKED. I then was also able to delete the NAVLOGON file next without a problem. And in the end I have reinstalled AVG7.5 AntiVirus and it is running fine. There seems to be a Firewall aspect to the program download this time which wasn't present in the eariler downloads of AVG. Thanks again for your suggestions and help. Maybe, I should stop tinkering with this machine now that it's running again. I'm attaching a fresh HJT log for you to see. Let me know if you see something I should correct.
Thank you,
davidstl
PS not that it matters but I NEVER did get Look2Me to open and run. It said Look2Me will now restart your computer and start scaning...it never did.
 
Don`t worry about the Look2Me, your HJT log is clean as a whistle.

The version of AVG you`re running, is not the free version as the free version doesn`t have a firewall. See HERE. It seems you have downloaded and installed a trial version.

Since your problem appears to be solved, I think you`re now good to go.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of davidstl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
A Quick Question About Avg Antivirus

Dear Howard,
Every time AVG Antivirus runs it lists these six items:

FILE RESULT/INFECTION
kernel32.dll change
wsock32.dll change
user32.dll change
shell32.dll change
ntoskrnl.exe change
hosts change

AVG doesn't indicate what ACTION should be applied to these results, and I don't understand them. These items never appeared in past scans, can you interpret them for me please. There is also a PATH listed for each item. c:\windows\system32...
Should I be concerned? My computer is working and running fine, by the way.
Thanks to you.
Davidstl
 
Do the following.

Download the AVG Antirootkit programme. Disconnect from the net and install the programme, then restart your computer.

Run the programme and click the click "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path"
* Select the Rootkit Driver by placing a checkmark against it and click "Remove selected items." Next, agree for the terms and conditions that is displayed by AVG and click "OK" to reboot the PC. Reconnect to the net.

Post a fresh HJT log and let me know the results of the AVG Antirootkit scan.

Regards Howard :)

This thread is for the use of davidstl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
A Quick Question About Avg Antivirus

Dear Howard,
I downloaded and ran the AVG Rootkit program, and the the results were zero. No rootkit found. I am sending a new HJT Log for you to see.
Thanks,
Davidstl
 
Your HJT log is clean.

I can`t find anything nasty on your system. I don`t think you`ve anything to worry about.

This is taken from the AVG forums HERE.

It is normal that AVG shows that files, the MBR or Boot record to have changed. These are done during normal maintainance, when you or windows updates files or have had to correct errors on the drive. The only time that you should worry is if they also show as infected.

To get AVG to quit showing them as changed, open the AVG Test Center, click the F3 key on your keyboard and tell it to accept the changes. If it still shows something as changed after this.. delete the file named AVG7QT.DAT in C:\ and AVG will rebuild it the next time it is run.
Click to expand...

Regards Howard :)

This thread is for the use of davidstl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
you must alter this first! C:\DOCUME~1\THECUR~1\LOCALS~1\Temp\HijackThis.exe
move it to programme files, place it within its own folder, then change its name to 'analyse this 1991'.
it is important that you do this, as there are bugs that hide from it under the the original name.
in the meantime, have hijack this fix these by placing a tick in the box that corresponds the process

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
 
Well spotted tomrca, I hadn`t noticed that HijackThis.exe hadn`t been renamed.

The 09 file missing entries aren`t actually missing and are caused by a small bug in HJT. Therefore, those entries should be left alone.

davidstl: please rename HJT as per these instructions HERE and post a fresh HJT log.

Regards Howard :)

This thread is for the use of davidstl only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Status
Not open for further replies.

Similar threads

Senius
What would my FPS be low with 4090?
Replies
1
Views
830
Nelson28
N
S
Inactive Ransomware virus
Replies
5
Views
2K
Broni
Broni
W
  • Locked
Inactive I need help getting rid of a virus
Replies
3
Views
2K
Broni
Broni

Latest posts

Back