Help with my HJT log please.

Status
Not open for further replies.

PixieB

Hello,
After a couple of days of stress with my PC problem I found this site and I followed all the steps as listed in the thread with the virus removal instructions (all 15 of them).

History of the problem:

My computer got infected by the virus serial99.com and it did nasty things to it. I couldn't bring up Task Manager, and couldn't find the 'Run' and 'Shut down' buttons when I clicked Start. My browser got taken over by this evil thing.
Thanks to you guys and this forum I managed to fix a few of the problems that serial99.com caused on my computer. I followed every step in order, and attached the final HJT scan log. Please be so kind as to check if everything is OK.

Additional info from scan: Panda Anti-Rootkit result: No rootkits have been found.

I still experience a few problems with opening web pages (very slow), and one of them is this: when something went wrong with the registry keys, my husband and I decided to run Windows Setup from the Windows XP CD (don't ask me why..T_T) and it got stuck somewhere.
When I start my PC it brings me to a troubleshooting screen where I have to choose what to run: Windows XP Home Edition (which is our current one) or Windows XP Setup. Please help me get rid of it; how do I do this?

Thank you in advance.
 

Attachment: hijackthis.log
Hi PixieB, Welcome to Techspot!


My name is Jason, on these forums I am known as Jase123. I will be helping you with your current problem.

HiJackThis logs do take some time to review and research. I would appreciate it if while you are waiting, you could please do the following for me:

Please make an Uninstall List using HiJackThis.


To access the Uninstall Manager you would do the following:

  1. Start HijackThis.
  2. Click on the Config button.
  3. Click on the Misc Tools button.
  4. Click on the Open Uninstall Manager button.
  5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.

As we work together to resolve your problem, please read these instructions carefully. You may wish to print them off or copy them to Notepad.

Lastly, please keep these points in mind:
  • If you have questions, please DON'T hesitate to ask!
  • The instructions I give are specific to your current problem and should not be used on other systems.
  • Please post your replies only to this topic, and please DO NOT start a new thread.
  • Since there may be multiple issues with your system, please continue to follow this thread until I have given you an "All Clean!"

I am reviewing your log now, and will be back with you shortly. Thank you for your patience.

Regards Jason :)

This thread is for the use of PixieB ONLY. Please do NOT post your own virus/spyware problems into this thread. Instead, open a new thread in our security and the web forum.
 
Your system is infected with W32/RBOT-AGZ WORM!

Side effects:
* Turns off anti-virus applications
* Allows others to access the computer
* Modifies data on the computer
* Steals information
* Downloads code from the internet

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread
HERE and decide what it is you want to do.

(moderator edit)

 
Hi,

Please let us know if you wish to clean or format your system. We'll provide you with the required instructions thereafter.

If you intend to clean your system, you have not yet posted all the requested logs (ComboFix and AVG Antispyware), so please do so.

Regards,
momok
 
Thank you guys for your replies. Here is the requested uninstall list, attached.
And yes, I would like to clean the system again and post all logs. Well, I did it yesterday but I had problems with ComboFix and didn't save the AVG Antispyware log, because when it finished the 1-hour scan it just fixed the problems and closed. Is there any place I can look for the log file?
 
You should be able to find the folder located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\

Could you try downloading combofix again (you can find it in my signature) and run it? Be sure not to touch your mouse or keyboard during the entire scan process - just let it do its job.

I would like to see a fresh HJT log together with the AVG AS and ComboFix logs too please. Thanks.


Regards,
Your friendly momok =)
 
Hello again Jason and momok. Thanks for helping me; I'll do my best to follow all your instructions.
Here are fresh new scan logs. I still couldn't manage to find the txt log from AVG, so I had to write the scan results data myself in Notepad.
 
Hi,

Download LSPFix from http://cexx.org/lspfix.htm
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of 'c:\windows\system32\rlls.dll' in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Restart your computer

You may wish to copy and paste these instructions on notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm590YYGB

    Close HJT.

  4. Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. Do not copy and paste the logs.


Regards,
momok =)
 
Done all exactly as you told me to.
Here are the new fresh logs.


Thank you for helping me! :)
Ready for the next steps....
 
Hi,

Your logs look clean now.

  1. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

  2. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  3. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  4. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)
 
Hi,
Thank you again for dealing with my problem, momok.
I just realised I was using the AVG 7.5 Internet Security program all the time, not the AVG Antispyware one....=( Does it make a big difference?
AVG 7.5 Internet Security has a Virus Vault, not Quarantine. Should I delete all files from there? Or do I need to install AVG 7.5 Antispyware and do more scans?
thank you.

Edit: I did the rest of the steps, deleted the files from the Vault and set a new restore point.

I still have a weird issue with the computer: at start-up the troubleshooting screen brings me to Windows XP Setup if I don't choose to run XP Home. I do pick Windows XP Home Edition, then while Windows is loading a blue screen pops up for a second or 2 and it says PARTIZAN software or something. Do you have any idea what it can be?

Edit: Before Windows loads, it says exactly: 'RegRun Partizan....Greatis Software', then Windows loads.

Thank you again for helping me!
 
Hi,

Oh I forgot about that. Let's fix that.
It appears that you (or somebody) had been meddling with your system bootup settings. I can't be sure what has been changed, so we'll try this a step at a time.
  1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\txtsetup.sif
    C:\BOOT.BAK
    C:\$LDR$
  2. Save this as CFScript on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

Thereafter, please post fresh HJT and the resultant ComboFix log from the above instructions as attachments into this thread. Let me know if you are still experiencing that startup problem.


Regards,
momok =)
 
Hi momok,

I followed your instructions; here are new fresh logs.

Still experiencing issues at start-up.

1. Before Windows starts I get this message:

'Please select operating system to start :
WindowsXP Home Edition
WindowsXP Setup '

(It was all my fault in the beginning, running the Windows XP installation CD to try to fix the registry >.<)
I hope you can help me fix it.

2. I still get this message as well before Windows loads:
'RegRun PARTIZAN .... Greatis Software ... '

thank you.
 
Click on your Start button, then the Run command, type msconfig, click on the BOOT.INI tab, then the "Check All Boot Paths" button, and see what that says.
 
Hi,
it says :

[Boot loader]

Timeout=5
Default=C\:$WIN_NT$.~BT\BOOTSECT.DAT

[Operating Systems]

multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin/fastdetect
C:\$WIN_NT$.~BT\BOOTSECT.DAT="Microsoft Windows XP Setup"
 
C:\$WIN_NT$.~BT\BOOTSECT.DAT="Microsoft Windows XP Setup" is the line in your boot.ini that you really don't need.

I'm just going to do a little research on the safest way to remove it.
 
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

You then need to locate the boot.ini file, which is in the root of your C drive. Right-click on it, choose "Open with" and select Notepad.

You then need to locate the line from my previous post and type rem[space] in front of it (as in the spacebar; it's important that this space is there correctly). Then reboot your PC and report the result here.
 
Thank you Rik for helping me :)
I will be waiting patiently for your reply. (I'm really scared now to touch anything without instructions from people who know what they're doing ^^)
 
So, have you done what I suggested and did it work?

There are also a few minor things in your HJT log that could do with sorting.
 
Rik said:
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

You then need to locate the boot.ini file, which is in the root of your C drive. Right-click on it, choose "Open with" and select Notepad.

You then need to locate the line from my previous post and type rem[space] in front of it (as in the spacebar; it's important that this space is there correctly). Then reboot your PC and report the result here.

I have some questions:
1. Do I need to go into safe mode to do this or not?
2. Can you show me exactly how the line should look after I type rem[space], please?
Note: sorry you are dealing with a housewife :) and thank you for your patience.
 
Safe mode is not needed for this.

You need to locate the line - C:\$WIN_NT$.~BT\BOOTSECT.DAT="Microsoft Windows XP Setup" within the boot.ini file then change it to, rem C:\$WIN_NT$.~BT\BOOTSECT.DAT="Microsoft Windows XP Setup"

You will need to reboot your pc in order to see if it has worked.


No need to apologize at all. :) I'm happy to help.
 
Hi,
I located the boot.ini file in C:\ and made the changes, but it won't let me save them; it says 'cannot save, boot.ini is read only'.
 
I will have to do some more research. I'm just about to cook dinner, so I will get back to you as soon as I can; watch this space. :)
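The boot.ini clean-up the thread ends on, as an added example that is not part of the thread and not the helpers' own instructions. The sample file below is constructed after the msconfig output PixieB posted (the real XP boot.ini layout is the two sections [boot loader] and [operating systems]). Rather than prefixing the Setup line with rem as suggested above, this example deletes it and repoints default=, because in the posted boot.ini default= names the very Setup entry being removed. The 'read only' save error comes from the read-only, system and hidden attributes the file carries; the rewrite function clears them with the Windows attrib command before writing and restores them afterwards, keeping a .bak copy. Function names and the sample text are this example's own.

```python
"""Remove a stale [operating systems] entry from a Windows XP boot.ini.

Added example for this thread, not the helpers' own instructions.  The
SAMPLE_BOOT_INI below is a constructed file modelled on the msconfig output
PixieB posted; the two-section layout is the real XP boot.ini format.
"""
import os
import re
import subprocess

# Constructed sample, modelled on the boot.ini shown in the thread.
SAMPLE_BOOT_INI = (
    "[boot loader]\n"
    "timeout=5\n"
    "default=C:\\$WIN_NT$.~BT\\BOOTSECT.DAT\n"
    "[operating systems]\n"
    'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition"'
    " /noexecute=optin /fastdetect\n"
    'C:\\$WIN_NT$.~BT\\BOOTSECT.DAT="Microsoft Windows XP Setup"\n'
)

LABEL_RE = re.compile(r'"([^"]*)"')


def _norm(path):
    """Compare boot paths case-insensitively; msconfig sometimes shows the
    drive colon escaped as 'C\\:', so that escape is dropped as well."""
    return path.strip().replace("\\:", ":").lower()


def remove_boot_entry(text, label):
    """Return (new_text, removed_count).

    Every [operating systems] line whose quoted label equals `label`
    (case-insensitive) is dropped.  If default= in [boot loader] pointed at
    a dropped path, it is repointed at the first surviving entry, so the
    file never defaults to an entry that no longer exists.
    """
    section = None
    loader, entries, removed = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
            continue
        if section == "[boot loader]":
            loader.append(line)
        elif section == "[operating systems]":
            # Split on the first '=' only: the label and switches may
            # themselves contain '=' (e.g. /noexecute=optin).
            path, _, rest = line.partition("=")
            m = LABEL_RE.search(rest)
            if m and m.group(1).lower() == label.lower():
                removed.append(_norm(path))
            else:
                entries.append((path.strip(), line))
    if not entries:
        raise ValueError("refusing to write a boot.ini with no operating systems")

    fixed_loader = []
    for line in loader:
        key, _, value = line.partition("=")
        if key.strip().lower() == "default" and _norm(value) in removed:
            line = "default=" + entries[0][0]
        fixed_loader.append(line)

    out = ["[boot loader]", *fixed_loader, "[operating systems]"]
    out.extend(line for _, line in entries)
    return "\n".join(out) + "\n", len(removed)


def rewrite_boot_ini(path, label):
    """Apply remove_boot_entry to a real boot.ini in place.

    boot.ini carries the read-only, system and hidden attributes (hence the
    'read only' save error in the thread); on Windows they are cleared with
    attrib before writing and put back afterwards.  A .bak copy is kept.
    """
    with open(path, "r") as f:
        original = f.read()
    new_text, removed = remove_boot_entry(original, label)
    if removed == 0:
        return 0
    with open(path + ".bak", "w") as f:
        f.write(original)
    if os.name == "nt":
        subprocess.run(["attrib", "-r", "-s", "-h", path], check=True)
    try:
        with open(path, "w", newline="\r\n") as f:  # boot.ini uses CRLF
            f.write(new_text)
    finally:
        if os.name == "nt":
            subprocess.run(["attrib", "+r", "+s", "+h", path], check=True)
    return removed


if __name__ == "__main__":
    cleaned, n = remove_boot_entry(SAMPLE_BOOT_INI, "Microsoft Windows XP Setup")
    print("removed %d entry/entries:\n%s" % (n, cleaned))
```

Run it against a copy of the file first (`remove_boot_entry` on the text) and inspect the result before calling `rewrite_boot_ini("C:\\boot.ini", "Microsoft Windows XP Setup")` on the live file; the function refuses to write a boot.ini with no operating systems left, which is the one mistake that would make the machine unbootable.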
 