HJT from safe mode

Status
Not open for further replies.

ctop

hi there

was running multiple virus programmes earlier without too much trouble, went away and came back, can now only really get my pc to work from safe mode.

HJT attached, any ideas on what to do/remove from safe mode, apologies if this is answered elsewhere i was browsing the other forums earlier but the problem has escalated and my access is quite limited, thanks for any help.
 
You need to have a read of this - If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.


This thread is for the use of ctop only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
ive managed to get some stuff cleared using a-squared in safe mode, normal mode now working and my resolution is back so i can see what i am doing, im working through the advice given above and will get back to you when i have some results

mmm...

run into a problem at step 12, i could not get into safe mode other than in admin account (was the only visible account i had) so i created two new accounts (one an admin, one not) and turned on guest account as well to try and get into safe mode via them, this has now made my original admin user account disappear which is the one i had done the previous 11 steps through...

things are working better but any ideas where my other account has gone? i dont seem to be able to access the .exe files i downloaded in the previous steps and whenever i try to change the msconfig to stop startup programmes i get an error saying i may need to log on as admin, even when i am in admin user account...


let me know if you need a report log of any kind posting up

have attached the latest HJT (analyse.exe) report if that helps
 
Hello and welcome to Techspot.

You're running an outdated version of HJT, see HERE.

Also, you haven't attached the rest of the requested logfiles.

Do not use msconfig to make any changes, unless otherwise instructed to do so.

If you have disabled anything in msconfig, you should re-enable it immediately. That is so we can see what's running on your system.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

 
have attached all logs and avg anti-root returned nothing following instructions, also fixed all anti-spy findings

any thoughts?

thanks
 
All items in your AVG Antispyware log say "No Action Taken". That's because you haven't told AVG Antispyware to quarantine its results as per the instructions. See this pictorial guide.

Go to add remove programmes in your control panel and uninstall anything to do with (if there):

whInstall
Webhancer

Close control panel.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT, Combofix and AVG Antispyware log.

Regards Howard :)

 
You STILL haven't renamed hijackthis.exe as per the instructions. This needs to be done as some malware can hide from it.



 
right hows this, did rename but then updated hjt and the update wasnt renamed, just did it to analysethis.exe in prog files destination folder.
 
Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

Fix all 02 and 03 entries that say (no file)

Other than that, your HJT log is clean.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

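Added example, not part of the original post or of HijackThis itself: a short Python filter that lists the entries the advice above refers to, i.e. Browser Helper Object and toolbar lines (HijackThis writes these section codes with the letter O: O2 and O3) whose target is "(no file)". The sample log, names, CLSIDs and paths are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample in HijackThis log layout; every name, CLSID and path is made up.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - (no file)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000003} - (no file)
O3 - Toolbar: Example Bar - {00000000-0000-0000-0000-000000000004} - C:\Program Files\Example\bar.dll
O9 - Extra button: (no name) - {00000000-0000-0000-0000-000000000005} - (no file)
"""


class Entry(NamedTuple):
    section: str   # "O2" (Browser Helper Object) or "O3" (toolbar)
    kind: str      # "BHO" or "Toolbar"
    name: str
    clsid: str
    target: str    # DLL path, or "(no file)" when the file is missing


# section - kind: name - {CLSID} - target
ENTRY_RE = re.compile(
    r"^(O2|O3) - (BHO|Toolbar): (.*) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$"
)


def parse_entries(log_text):
    """Return every O2/O3 line in the log as an Entry; other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(Entry(*match.groups()))
    return entries


def orphaned(entries):
    """Entries whose registry key survives but whose file is gone."""
    return [e for e in entries if e.target.strip().lower() == "(no file)"]


if __name__ == "__main__":
    for entry in orphaned(parse_entries(SAMPLE_LOG)):
        print(f"{entry.section} {entry.kind} {entry.clsid} -> {entry.target}")
```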
 
thanks for the help, have done the fixing

all seems fine now, lost my original admin account along the way but never mind

thanks again
 