TechSpot

Strange computer issues after fake 'antivirus' installed itself

Inactive
By D@nny
Nov 9, 2010
Topic Status:
Not open for further replies.
  1. So I had this fake antivirus mess with my computer. I painstakingly ran ComboFix, which again seemed like a mistake. Last time it completely destroyed my computer; on start up I had some "no boot disk" error. Now I ran it and it just restarted my computer, and the second time I ran it to see if it would work, the combofix.exe file disappeared from my computer, but so did the fake antivirus from my taskbar. Anyway, it turns out my computer had been making no system restore points and can't create any manually due to this error 0X80070032. My kernel debugger is activated and this isn't allowing other programs to run.

    - I've turned on UAC.
    - Ran Malwarebytes, whether it's flash scan, quick or full. Nothing found.
    - I've attached a HijackThis log and am going to run the other scanners.


    Guess I should have read this sticky earlier: Do not run ComboFix without our guidance. lol
    I'm currently following the 8 preliminary steps. How does TechSpot decide which antivirus to recommend? Before it used to be AVG, and now it's Avira?


  2. D@nny

    D@nny TS Rookie Topic Starter Posts: 193

    Looks like Avira Free found TR/Patched.Gen in object partmgr.sys.
    Looks like it was removed successfully:
    Start scanning boot sectors:

    Starting to scan executable files (registry).
    C:\WINDOWS\System32\drivers\partmgr.sys
    [DETECTION] Is the TR/Patched.Gen Trojan

    The registry was scanned ( '1929' files ).


    Beginning disinfection:
    The registration entry <HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools> was removed successfully.
    C:\WINDOWS\System32\drivers\partmgr.sys
    [DETECTION] Is the TR/Patched.Gen Trojan
    [NOTE] The registration entry <HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\partmgr\ImagePath> was removed successfully.
    [NOTE] The registration entry <HKEY_LOCAL_MACHINE\System\ControlSet001\Services\partmgr\ImagePath> was removed successfully.
    [NOTE] The registration entry <HKEY_LOCAL_MACHINE\System\ControlSet003\Services\partmgr\ImagePath> was removed successfully.
    [NOTE] The file was moved to the quarantine directory under the name '56d7ceb1.qua'.
    [NOTE] The registration entry <HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\partmgr\ImagePath> was removed successfully.
    [NOTE] The registration entry <HKEY_LOCAL_MACHINE\System\ControlSet001\Services\partmgr\ImagePath> was removed successfully.
    [NOTE] The registration entry <HKEY_LOCAL_MACHINE\System\ControlSet003\Services\partmgr\ImagePath> was removed successfully.


    End of the scan: Tuesday, November 09, 2010 08:42
    Used time: 01:37 Minute(s)

    The scan has been done completely.

    0 Scanned directories
    2415 Files were scanned
    1 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    1 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    2414 Files not concerned
    6 Archives were scanned
    0 Warnings
    1 Notes

    Thanks for Avira, TechSpot!
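    The Avira report above names three things a defender would want to re-check after the cleanup: the on-disk partmgr.sys driver, the ImagePath value Avira removed from the partmgr service key in each control set, and the per-user DisableRegistryTools policy the malware had set. The opening post also mentions the kernel debugger being active. The following PowerShell script is an added example written for this thread, not something posted by either participant or shipped by Avira; it assumes an elevated prompt on the affected Vista machine and uses only built-in tools (sfc, bcdedit and the registry provider). Control-set names, paths and the expected ImagePath value are taken from the log above.

```powershell
# Added example (not from the thread): post-cleanup triage for the indicators
# in the Avira report. Run from an elevated PowerShell prompt.

$driver = Join-Path $env:SystemRoot 'System32\drivers\partmgr.sys'

# 1. Is partmgr.sys still the Microsoft-shipped file? Most system drivers are
#    catalog-signed, so Get-AuthenticodeSignature reports them as NotSigned;
#    sfc compares the file against the protected component store instead.
if (Test-Path $driver) {
    $sfc = & sfc.exe /verifyfile=$driver 2>&1
    [pscustomobject]@{ Check = 'partmgr.sys integrity'; Result = ($sfc -join ' ').Trim() }
} else {
    [pscustomobject]@{ Check = 'partmgr.sys integrity'; Result = 'FILE MISSING (driver quarantined, not restored)' }
}

# 2. Avira removed ImagePath from the partmgr service key in three control sets.
#    Without it Windows cannot load the driver; the normal value on Vista is
#    system32\drivers\partmgr.sys (assumed here as the expected value).
$expected = 'system32\drivers\partmgr.sys'
foreach ($set in 'CurrentControlSet', 'ControlSet001', 'ControlSet003') {
    $key = "HKLM:\SYSTEM\$set\Services\partmgr"
    if (Test-Path $key) {
        $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        $state = if (-not $img) { 'MISSING' }
                 elseif ($img -ieq $expected) { "ok ($img)" }
                 else { "UNEXPECTED: $img" }
        [pscustomobject]@{ Check = "$set ImagePath"; Result = $state }
    }
}

# 3. DisableRegistryTools under HKCU\...\Policies\System locks the user out of
#    regedit; a non-zero value means the malware's policy is still in place.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
$drt = if ($pol -and $pol.PSObject.Properties['DisableRegistryTools']) { $pol.DisableRegistryTools } else { 0 }
[pscustomobject]@{ Check = 'DisableRegistryTools'; Result = $(if ($drt) { "SET ($drt)" } else { 'not set' }) }

# 4. Kernel debugging enabled on the boot entry shows up as "debug  Yes" in bcdedit.
$dbg = & bcdedit.exe /enum '{current}' | Select-String -Pattern '^debug\s+'
[pscustomobject]@{ Check = 'kernel debugger'; Result = $(if ($dbg) { $dbg.Line.Trim() } else { 'debug not set (off)' }) }
```

    A MISSING ImagePath with the driver still quarantined is the state the log leaves the machine in; the usual follow-up on a supported system is `sfc /scannow` to restore the driver rather than editing the key by hand, which is also why the helper below asks that no registry changes be made during the cleanup.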
  3. D@nny

    D@nny TS Rookie Topic Starter Posts: 193

    Looks like Avira thinks DDS is a Trojan: Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
    detected in file 'C:\Users\Administrator\Desktop\dds.scr'.
    Action performed: Deny access
    I've told it to ignore it and let it run. Since DDS is just a diagnostics tool, I think I'll skip this step until a TechSpot forum helper asks for it.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I just can't let this comment go without my comment: First of all, you have enough posts here to have seen the sticky not to run ComboFix without being specifically instructed to do so by the helper, and then with supervision, before you ran it!

    And to compound this, you intentionally ran a program, again, that caused a significant problem the first time you ran it! So you will need to understand and accept the following if you want us to help:

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    As for this:
    'TR/Crypt.XPACK.Gen [trojan]' IS a Trojan
    And dds.scr is the legitimate entry for the DDS program, not a virus. It is seeing the .scr file extension, which is used both for a screensaver and a script file.

    So please sit back and allow the assistance if you want it.
    Run the steps in the Virus and Malware thread. All of the links there are legitimate. You can accept the downloads. Uninstall the HijackThis you ran. It is an outdated version and we don't use it to 'screen' for malware. I will have you run HJT later with link to current version.

    Download the programs and save to your desktop. Click on File> Check 'Work Offline'> then disable the antivirus program to run the scans.

    As for this:
    AVG had an excellent, free antivirus program until it came out with v8 and combined an antimalware program with the AV. At that time, most of us stopped recommending AVG and suggested either Avast or Avira; both are known to be good, free AV programs.

    As time goes by and malware changes, some security programs don't keep up. Additionally, almost everyone wants to get 'free' programs! So there is always continuing evaluation being done. And Avast or Avira are only recommended for those who do not currently have a valid, updating, working antivirus program. We do not recommend it for people to change if they have that.

    IF you continue to have problems running the scans, please let me know specifically what the problems are. Once those logs are in, I can review them to determine how to proceed.
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    By the way, we have all logs pasted into the replies now, and multiple replies can be used if needed. That may be new to you. It makes it easier for us to identify entries, as we can search from our browsers and not have to copy and paste each into a search.

    Please read the program instructions carefully. It appears that you have a functioning Norton Security suite installed. If the subscription is current, there was no need for you to use Avira:
  6. D@nny

    D@nny TS Rookie Topic Starter Posts: 193

    I don't understand how come Avira found a Trojan in the DDS file?
    Also, everything seemed to be running smoothly until I ran Temporary File Cleaner from step 2 in the 8 preliminary steps to take. My screen went black upon shut down and my PC kept making beeping noises. From then on out it's been BSODing. Last known configuration also BSODs and so does safe mode. Could the Trojan have done this? I already reformatted, which I really wanted to avoid this time, so I can't tell you what the error string was. This is really upsetting. WTH, TFC?

    Also, I don't know if Norton was running active or not, but it wasn't in the task bar. I think I shut it down permanently, but now it's back again with the reformat. Would uninstalling it be enough to remove it, or do I need to take more measures before installing a different antivirus?
  7. D@nny

    D@nny TS Rookie Topic Starter Posts: 193

    Also, Bobbye, if I divide my C: into two partitions, will the other one be safe from a potential virus attack? And when I reformat C: to its original factory settings, the other drive will be left untouched?
  8. D@nny

    D@nny TS Rookie Topic Starter Posts: 193

    Dixml backs up C: by making an image of it that I can put on another drive. But how will I be able to access this drive in the event of a BSOD? I won't, but I can see the point of why some people want to back up their C: drive. It saves time instead of having to install everything again like I am now.
  9. D@nny

    D@nny TS Rookie Topic Starter Posts: 193

    HP allowed me to make a set of operating system recovery disks when my PC's built-in recovery partition wasn't accessible. That doesn't mean that I can install Vista with those disks on another partition, or does it? Say I want to move my Windows Vista files to a separate partition, but Vista came preinstalled on this PC and I don't have a Vista disk. Am I able to use those recovery disks to reinstall Vista on a separate partition?
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Every time you make a reply, I get an email notice. You made 4 separate replies within an hour, so I got 4 emails. IF you need to add or change anything in a reply and no one else has posted after you, kindly use the Edit feature to do this. The exception is only for posting logs.

    If you just want information regarding partitions, please post the question in the Windows OS forum. I explained why DDS was flagged.

    So far, you have not followed our preliminary Virus and Malware Removal; that's what we do in this forum:
    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Closed due to inactivity. Please PM your helper if you need this thread reopened.