Computer problems (HJT, Combofix, AVG AS logs)


Kirei Blossom

Hi,

My computer was working fine until one day I foolishly installed the Megaupload toolbar. Within a few minutes, I found out it was harmful and so uninstalled it. However, when I hibernated the system, the normal black screen which shows the Hibernation Progress was messed up with randomly coloured pixels and numbers, and then the computer froze.

So I followed all the instructions in the sticky thread in the Security Area to remove all malware. However, it seems that installing all that software and performing all those various tools and tests messed up my computer even more.

* During installation of Spybot SD, the application kept hanging, and Lavasoft Ad Aware 2007 froze a couple of times during updating. Once on reboot, AVG Antivirus gave an error that there was something missing in the avgcc.exe file.
* When I was running spybot in Safe Mode, it worked fine once and fixed the problems. Just to be on the safe side, I performed the scan again, but a little window in the system tray popped up saying "Spybot.exe corrupt file or unreadable. Please do a Chkdisk." Then the system completely crashed. (I've now uninstalled spybot)
* While running the Ad Aware 2007 scan in Safe Mode, the system crashed and started rebooting itself. (I had to uninstall Ad aware 2007, reinstall my old Ad aware se personal and then run the scan properly)
* AVG antispyware crashed the system again, and once more it turned to Not Responding.

Finally, after many tries I managed to do all the scans and stuff. I feel like following these instructions messed things up even more :( My computer hadn't been crashing or anything before this. And the messed up Hibernation screen which caused me to follow all these instructions hasn't happened again over the past week.

Well, here are the Combofix, AVG antispyware and HJT logs. Antirootkit didn't find any infection.

I have no idea what's wrong, but I'm thoroughly frustrated with computers now. Any help would be more than appreciated.
 

Attachments

  • ComboFix.txt
  • hijackthis.log
Hello Kirei Blossom and welcome to TechSpot.

Go to start/run and type in "sfc /scannow" (system file checker)

This will scan your system for any corrupt, missing or incorrect files and fix any it finds.

Note: Make sure you have your windows disk handy.

In the meantime I will check out your attached files.

This thread is for the use of Kirei Blossom only. Please do not post your own virus/spyware problems in this thread. Instead open your own thread in our Security and Web forum.


Regards Jase
 
I don't have a separate CD with Windows XP Home edition. My computer came preinstalled with Windows XP and the disks that came with it are only Compaq Quick Restore disks and Compaq Recovery disks.

I don't think I can use any of these?
 
Err, okay, I'll try canceling the window every time it asks for the CD..

Finished running the scannow. It asked for the CD about a hundred times, and I kept clicking 'cancel' and 'yes' to Skip this File? I thought it was going to do something once it finished, but nothing happened..
 
Finished the scan. One threat found:
Win32/Qhost trojan (unable to clean -deleted)
C:\Program Files\PIE Patch\backup\hosts
 
Your HJT log is infected, please fix the following:

All 01 entries

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Please tell me if this fixes anything. I don't know how to run ComboFix very well, so I'll have to get some help for that part :)

Also are you running a firewall? ( Windows default one is ok )
 
There are 2 more suspicious files but I don't know if you use the programs or not, do you know if you use these?

Cyberoam Client

LycosMail Upload Control

If you do not use them go to Ctrl + Alt + Delete and cancel them ( if there ) and then delete the following:

O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - mail.lycos.com/hanmail-ax/AttachMail.cab

O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe

Then repost a new log :)
 
I use Cyberoam Client to log into my Internet service.

Err.. my dad uses Lycos mail, but why would there be an Upload Control for it? Would it be okay to delete the lycosmail upload control even though he uses that particular mail service?
 
I did a reboot a while ago, and was bombarded with "The system has recovered from a serious error" messages. Anyone have any idea what's wrong? All these major problems seem to have started after I tried cleaning out my system.

Is it okay if I attach the minidump files here, or should I open another thread in the OS section?
 
My computer came pre-installed with Windows XP, and the only disks that came with it are the Compaq Quick Restore disks and a Compaq Recovery Disk. (I think the Recovery disk should be used for this purpose, but I'm not sure how to use it and I'm paranoid that it'll start reformatting the hard drive or something if I put it in..)

Actually, maybe the Recovery CD can't be used in place of a Windows XP disk. It says it performs four functions: Emergency Diskette creation, User Backup, User Restore and Factory Restore.
 
Ok.

1. Temporarily disable System Restore (Windows Me/XP). {How to}
2. Download Free AVG AntiVirus and save it to a desired location. It is your choice if you want to retain this software or remove it after the cleaning process.
3. After downloading, browse where the file was saved and double click to install it.
4. After installation, connect to internet and download all necessary updates.

5. Download SmitfraudFix and save it to a desired location.
6. Reboot your computer in SafeMode {How to}
7. Run AVG and do a thorough scan. Delete all infected files.
8. Close AVG and other open Applications.
9. Run and follow the SmitfraudFix procedure, that you downloaded earlier.
10. You may now reboot in normal mode if it does not reboot automatically.
11. After reboot, download and scan with CCleaner.

Regards Jase :)
 
I've already done all of those tests and fixed whatever they found before I posted my hjt, combofix and avg antispyware logs. They were included in the long list of instructions for how to completely disinfect the system.
 
Kirei, post a new ComboFix log and HJT log so I can check to see if it's fully cleaned, the errors we will work out after this step :)

Also Jase, stop telling her to do ScanNow since that won't really help anything :|
 
Fresh combofix and HJT logs.

Also Jase, stop telling him to do ScanNow since that won't really help anything :|

correction: stop telling *her* to do ScanNow :)

I ran another AVG antivirus scan, and even though the result says "No Infection", It gives me this result:
Object: C:\WINDOWS\System32/drivers/etc/hosts
Result: Change

Another thing: Even though I don't have my Win XP disk, I found that the files are installed in my D: drive in folder I386. However, after scannow asks for the CD, it doesn't give me an option to point it to that location. Plus, the folder is buried pretty deep inside a zip folder. (Path: D:\CPQDRV\250505\00A\008\250505.ZIP:\WINDOWS\I386). Is there any way I could use these files to do a scannow? :)
 

Attachments

  • ComboFix.txt
correction: stop telling *her* to do ScanNow

Sorry about that ;)

Object: C:\WINDOWS\System32/drivers/etc/hosts
Result: Change

Did you change it yourself?

Is there any way I could use these files to do a scannow?

ScanNow is useless in a virus situation, because ScanNow "fixes" broken files like DskScan, so unless the virus messed up your hard drive there is no need for it ;)

Well... your HJT logs are pretty much clean; those 2 files I was talking about earlier aren't harmful, so there is no need to delete them unless suspected of causing problems ;)
 
Kirei Blossom: your log files are clean.

However, your minidumps are all corrupt and unreadable. This is often a sign of faulty hardware, such as RAM etc.

Go and test your ram as per the instructions HERE.

You might also want to take a look at this thread HERE.

Please let us know the results.

Regards Howard :)
 
Thanks for all your help everyone. It's a relief to know my log files are clean. (Though a slightly different headache with the RAM test now..) You guys are all smart - you should try and build a self-fixing computer one of these days. :)

I'm now getting only one symptom, which is that each time I restart the computer, it pauses for a few seconds at the "Welcome" screen, then everything loads and after a few seconds I get a "System has just recovered from a serious error" message. It's happening every single time now..

The "Change" result that came in my AVG antivirus report, what does it mean? I didn't change the hosts..

I also got a mmc.exe related Application error for no reason, even though I was only browsing the internet and not doing anything related to Management controls.

Do you think I should do a sfc/ scannow? Is there any harm in doing it - like, might it undo my driver updates and hotfixes and stuff I've done over the years?
 
just type: sfc /scannow to immediately have it run and check for the altered/deleted files.

And as far as I know it will not roll back any updates.

Regards Jase :)

Please Note: When you have no replies in between your last post, then please use the edit button.

Thanks.
 
The "Change" result that came in my AVG antivirus report, what does it mean? I didn't change the hosts..

The Host Change files might have happened when I told you to delete those hosts entries in your HJT log.

After you get your error message worked out, you should read this: https://www.techspot.com/vb/topic31474.html

It will tell you how to make windows more secured so this problem won't happen again ;)

It also gives you a premade HOST file so if you do get infected, they won't be able to contact their servers :haha:
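The hosts-file "Change" result discussed above is exactly what a Qhost-style infection looks like: entries that quietly redirect real hostnames to an address the attacker chose, or sink security-vendor and update sites to loopback so tools cannot update. As an added example (not from the thread or from any of the tools named in it), this Python script audits a constructed hosts file and classifies each entry; the protected-suffix list and the sample addresses are assumptions for illustration.

```python
import ipaddress

# Constructed sample of a Windows hosts file (not the poster's real file).
# It mixes a harmless blocklist-style entry with two kinds of Qhost-style damage.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.test      # blocklist style: harmless
198.51.100.23   update.microsoft.com          # hijack: sent to a remote address
198.51.100.23   www.avg.com
127.0.0.1       download.windowsupdate.com    # update site sunk to loopback
127.0.0.1       www.example-banking.test
"""

# Assumed list of suffixes whose blocking would cripple updates/AV (illustrative).
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avg.com")
LOCAL_NAMES = ("localhost", "localhost.localdomain")


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are ignored."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_sinkhole(addr):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0) targets."""
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    """Return (severity, ip, hostname, reason) for every non-local entry."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("warn", ip, name, "unparseable address"))
            continue
        if name in LOCAL_NAMES:
            continue  # the stock entries every hosts file carries
        if not is_sinkhole(addr):
            findings.append(("high", ip, name, "redirected to a remote address"))
        elif name.endswith(PROTECTED_SUFFIXES):
            findings.append(("medium", ip, name, "update/AV site blocked"))
        else:
            findings.append(("info", ip, name, "sinkholed, blocklist style"))
    return findings
```

Running `audit_hosts(SAMPLE_HOSTS)` reports the two remote redirects as high, the blocked update site as medium, and the two blocklist-style entries as informational.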
 
Sorry for asking all these questions, but I think it's better if I ask in here rather than open new threads:

1. I reset my pagefile, according to instructions given on the "Before posting your minidumps, please read this" thread here. Just wanted to clarify.. before I changed it, it was 768mb-1536mb. And after I did a defrag I reset BOTH the minimum and maximum values to 768mb. (yes, I have 512 mb RAM.) Is this okay, for both min and max values to be the same?

2. I stumbled upon this microsoft page: You receive a "System Has Recovered from a Serious Error" message after every restart. Would you guys recommend me to download the file listed in the Resolution section of that page? I only have the normal XP home edition, and I haven't kept windows update turned on because it never seemed to successfully download anything.
 
1. I reset my pagefile, according to instructions given on the "Before posting your minidumps, please read this" thread here. Just wanted to clarify.. before I changed it, it was 768mb-1536mb. And after I did a defrag I reset BOTH the minimum and maximum values to 768mb. (yes, I have 512 mb RAM.) Is this okay, for both min and max values to be the same?

Hmm... It might be ok for them to be the same, mine are 672-1337mb (:haha:) but each computer is different, so you could start a new thread for that question and get more information.

2. I stumbled upon this microsoft page: You receive a "System Has Recovered from a Serious Error" message [...] turned on because it never seemed to successfully download anything.

You should try to update your Windows by going to Internet Explorer and going to this website: http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us and see if this fixes anything. I had MAJOR problems with my computer before I updated; when I did, all of them went away :)
 