PC gets worse each day - browsers not working - cannot complete 8 steps

Status
Not open for further replies.

tztexas

I want to run the 8 steps but cannot.
my browsers IE and firefox get redirected to my C drive.
I did run malwarebytes and that helped one time. Now I cannot run it.
Programs I am able to run.
AVG 8.5
crapcleaner

I cannot run malwarebytes, IOBit, spydoctor. I am told that files are missing or corrupt and I should reinstall, however when I try I am informed I'm missing files (I cannot include the error messages, at this time I am not at home)

I tried but cannot "Restore advanced settings" in IE. I click OK and it stalls.

My system cannot install "some" new apps.
I cannot access the internet via the browser, but I can ping the internet. I have a share connection to my other PC and that is the only reason I can access the antivirus/spyware programs you suggest.

I even ran or tried to run these programs from safe mode and still could not.

I was able to run hijackthis a couple of days ago, but I can no longer run malwarebytes.

Symptoms
1. very slow startup
2. I need to manually power down the PC
3. I do have trojan-backdoor-stinkbreath found by spysweeper but I could not clear it because I could not log into spysweeper via internet to pay for it.
4. Cannot run most antivirus, anti spyware programs.

I am unable to run the 8 steps. I might be able to run several.
I am at the point to save what I can from the hard drive and reinstall XP Pro, but I'd rather get the PC cleaned.

Any ideas?
thanks
 
one thing I forgot

What I believe started this whole mess was
Antivirus Software Pro. (in my system tray)
I knew I didn't install this and found out this was virus/spyware. I used malwarebytes to remove it. However, there are other viruses/spyware that probably came with this and I can't find them.
 
You have a good approach to dealing with the issue yourself...
But I have never seen an infestation prevent SAFE MODE from running from a cold boot.
Running removal tools in SAFE MODE will probably be key to getting your system back to safe operation. You are also correct about Antivirus Software Pro being an evil.
Are you going to SAFE MODE from a cold boot?
You might consider switching from AVG 8.5 to Avira Antivir free or AVAST free antivirus, and also have SuperAntiSpyware and MalWareBytes.org (there is another irritating program that calls itself MalWareBytes and you do not want to use that... so look for the .org in your search).
Have all these handy for when you get it to boot properly... even install them while it is misbehaving...

Do you have access to another PC where you can load this drive as a Slave, and run the programs from the main drive?
 
Actually from the problem PC, I can access a shared folder on my good PC. That is where I load the anti-virus, anti-spyware programs and I can execute them, which installs them on the problem PC.

I also removed my restore points.

The only way I can access safe boot is by using msconfig, setting it up to safe boot and then shut down and start the PC. For some reason I do not have the safe boot option using F8 (or is it F1). But I do get into safe mode with a cold boot.

I also found information to remove files/registry entries manually. I may try that, but at first I will try running software that you recommend.

I did run hijackthis a couple of days ago. I am not an expert, but nothing caught my eye looking at the log. I am hoping to be able to run malwarebytes and hijackthis again with a log so I can submit it.

And yes, it is very strange that I am having problems running and installing in safe mode.

thanks
 
reply to aqua

No I have not attempted to reinstall my network card driver.
I can access the problem PC to a good PC within my home network. I can also ping yahoo.com, and google.com

I can actually see on the bottom of the IE browser (very quickly) it displays opening yahoo and then it changes to a destination on my C drive with an error.htm.
 
attached a couple of files

I know I am not following the 8 steps exactly. I am unable to.

I did attempt to install malwarebytes from malwarebytes.org to make sure I was using the same one. I got an error message when about 70% completed on the install progress bar. It is attached.

I also attached the hijackthis log.

I ran these at normal process, not in safe mode. I did disable add-ons through IE and I closed all items in the system tray, though they seem to be listed on the hijackthis log.

I will post more if I can make any additional progress.
 

Attachments

  • hijackthis.log
  • malwarebytes error.txt
Do you know what this might be? Or to what it refers: "vbalsgrid6.ocx". You have some device or component on your system that is out of date or improperly installed which seems to be stopping the rest of the installation of test and removal tools.
Then you have AVG 8 installed, which is old and ineffective. I suggest you remove that using Add and Remove, then install AVG 8.5 if you must, or Avast free, or Avira Antivir free.
Then run a scan again.
If WebRoot Spyware is still up to date, it will be protecting you from most evils.
 
But I have never seen an infestation prevent SAFE MODE from running

Sorry, had to laugh.

Download SDFix

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Go to Start Menu > Run > then copy and paste


%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Restore_SafeBoot_WindowsXP_SP2.reg

This should restore safe mode.
 
My logs

I was able to run some applications using another login. However, after I rebooted from running super anti-virus, I could no longer run applications, or transfer files to my good PC.
Attached are several files

Steps in Fixing Issues.txt (my step by step on what I was doing)

Malwarebytes log
super antivirus log
 

Attachments

  • steps in fixing issues.txt
last log file HijackThis

I was finally able to get the hijackthis file (attached)

thanks to everyone who has and is helping me on this.
 
malware removal procedure

I want to run the 8 steps but cannot.
my browsers IE and firefox get redirected to my C drive.
I did run malwarebytes and that helped one time. Now I cannot run it.
Programs I am able to run.
AVG 8.5
crapcleaner

I cannot run malwarebytes, IOBit, spydoctor. I am told that files are missing or corrupt and I should reinstall, however when I try I am informed I'm missing files (I cannot include the error messages, at this time I am not at home)

I tried but cannot "Restore advanced settings" in IE. I click OK and it stalls.

My system cannot install "some" new apps.
I cannot access the internet via the browser, but I can ping the internet. I have a share connection to my other PC and that is the only reason I can access the antivirus/spyware programs you suggest.

I even ran or tried to run these programs from safe mode and still could not.

I was able to run hijackthis a couple of days ago, but I can no longer run malwarebytes.

Symptoms
1. very slow startup
2. I need to manually power down the PC
3. I do have trojan-backdoor-stinkbreath found by spysweeper but I could not clear it because I could not log into spysweeper via internet to pay for it.
4. Cannot run most antivirus, anti spyware programs.

I am unable to run the 8 steps. I might be able to run several.
I am at the point to save what I can from the hard drive and reinstall XP Pro, but I'd rather get the PC cleaned.

Any ideas?
thanks

Hi,
Do not worry, follow the below-mentioned steps.

1. First you shut down the system.
2. Start the system in safe mode by pressing the F8 key in the boot mode.
3. Back up all the data in C:\ to an external storage device; it's better to write it to CD/DVD.
4. If you can identify the path of the malware installed, try to delete it in command prompt. First delete all the malware files inside the folder, then in the Windows prompt you can delete the folder.

5. If you are not sure where the location is, do not worry.
6. You have to restore the system restore option.
path -> START-PROGRAMS-ACCESSORIES-SYSTEM TOOLS-SYSTEM RESTORE
Here you will get the available restorable dates; click the date earlier than the infected date. It will restore the data and you will be able to use your system safely.


Regards,
Arvind. T.
 
more info to add

I have not backed up the C drive yet, and my system restore files are gone because I stopped them in order to run an antivirus and antispyware. Some of the viruses gave locations of being in the system restore.

***************************************************************************
I have more info.

Today 07-11-2009
Though I was able to install Avira antivirus, I was not able to retrieve the latest definitions.

It found TR/Agent.21438.B (2 instances)
I have the log for this

***

When trying to open IE
At the bottom of my IE browser (when you see the page it is opening) I see this
C:\WINDOWS\system32\shdoclc.dll/dnserror.htm
I am researching how to fix the problem.

I can open my web browser by using a webpage I created, and executed from the good PC. However, I cannot access the internet with either browser.
I also uninstalled FireFox and reinstalled Firefox 3.5.

I ran IPCONFIG /flushdns
I also performed IPCONFIG /All and I do have DNS Servers
 
This gets stranger each day. I was able to drag and drop to folders and now I cannot. I was able to access another computer and move/copy files and cannot. I created a new folder under shared documents and this worked. However, if I truly still have a virus/spyware, it has to be an IA type. Because once a function works for me, once I restart or start from cold boot, it no longer does. ie. Start | Search no longer works. I am doing most of what I can through DOS.

I am transferring some files from the bad PC to the good one. Translated, I am transferring files from my Wife's computer to my computer. What ever site she accessed that caused her issue, could come up again on my machine. However, I do have super anti-spyware and Avira anti-virus running on my PC.

Thanks guys for all your help.
 
Is it possible for you to format your C drive and reinstall XP?
Your computer looks as if it's a breeding ground for viruses.
This is only an opinion and you should wait for a professional to come.
 
Make sure your wife has good A/V software!

In the meantime, stop the xfr and use your wife's computer to burn a Knoppix CD, use it to boot up your computer. Then transfer all your files to a flash drive or external Disk. Something you can isolate until you can be sure the files aren't infected

See "How to recover your folders/files when Windows won’t boot" (post 766270)
 
GoSoft,
I was thinking of reinstalling the OS after I pulled off the files I believe are worth keeping.

LookinAround,
There are two Anti-virus apps running now on hers and mine. (her system is shutdown for now).

I have AVG8.5 and Avira running. Is it overkill, or counter productive to have two anti-virus apps running simultaneously?
thanks
 
tztexas, you are getting A LOT of help from all sorts of people. I would listen to just kritius and LookinAround on this one, as you will get confused and start running around in circles following each different instruction.

kritius is a known malware helper and LookinAround is an established hardware/software helper.

Reinstalling is used as a last resort in most cases
 
SnowChick,
I agree with you. I don't plan on reinstalling anytime soon. I still plan on trying to get the system to work.
thanks
 
Any ideas?

I appreciate the help I've been receiving.
From the logs I've submitted, are there any other suggestions I can try?
thanks
 
I am reviewing the various logs you have attached. Please do NOT try to do any other 'fixes' unless kritius comes back and picks up the thread.

I will be back as soon as I've had a chance to review the logs and the error you got on Malwarebytes.

But if you keep changing things around, it will be a waste of time for both of us.

Edit: I didn't mean to slight anyone here. But when multiple helpers are sending you in different directions, it can get confusing.

I do notice signs of piracy though:
C:\Documents and Settings\All Users\Documents\Downloads\Cracks\officeXP_Crack\Microsoft_Office_XP_Activation_All_Versions_and_Service_Packs.zip
[DETECTION] Is the TR/Agent.21438.B Trojan

:\Documents and Settings\All Users\Documents\Downloads\Cracks\officeXP_Crack\OfficeXP_Activator.exe
[DETECTION] Is the TR/Agent.21438.B Trojan
 
I might have said this earlier. This machine was purchased many years ago from someone in the neighborhood. That is one reason I could not try to fix the OS, if it had anything wrong. Because I had an XP CD from another machine and when I tried to install or check the OS on this, it told me my CD was older than the OS on the PC. AVIRA removed this anyway when I ran the antivirus.

So if I ever get this cleaned up, I believe I have 4-5 licenses within the XP OFFICE software I have. I didn't need to install it on this problem PC, because it already had it on.
 
Okay, I would like you to follow this as best you can, without doing anything else to the troubled system!

First, you may have your computers networked, but you don't 'share' antivirus programs. You install the AV on each computer. This may be different in a large work environment on UNIX systems, but for home computers, you put the AV on each.

I have gone back and read all the posts and reviewed all the logs.

The most evident malware you have is a rogue hosts hijacker:
Rogue software. Hosts file hijacker > Antivirus System PRO
the IPs:
aware-protect.com
209.44.111.61
209.44.111.62
ns1.aware-protect.com
ns2.aware-protect.com
More here: http://www.mywot.com/en/scorecard/aware-protect.com


Regarding the following:
#5: Actually from the problem PC, I can access a shared folder on my good PC. That is where I load the anti-virus, anti-spyware programs and I can execute them, which installs them on the problem PC.
Is this something you've always done or something you're trying since you have malware? Are you using the other computer like a flash drive? Don't! If you can't access and download a program on the problem computer, load it on a flash drive and then install it on the problem computer.

#5: For some reason I do not have the safe boot option using F8 (or is it F1). But I do get into safe mode with a cold boot.
This is how you get into Safe Mode. Were you thinking you could just switch over to Safe Mode from Normal Mode?
How To Boot into Safe Mode
1. Restart your computer and start pressing the F8 key on your keyboard.
2. Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

I did run hijackthis a couple of days ago. I am not an expert, but nothing caught my eye looking at the log.
That's our job-so let us do it! Usually most of the entries are benign but we see those that are not.

AVG
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I will let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

Please reopen HijackThis to 'do system scan only.'
CHECK the following entries if present:

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 surety.microsoft.com
O1 - Hosts: 209.44.111.62 aware-protect.com
O1 - Hosts: 209.44.111.62 www.aware-protect.com
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-21-1708537768-1202660629-1060284298-1005\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup (User '?')
O4 - Global Startup: APC UPS Status.lnk = ?

Close all Windows except for HijackThis and click on 'Fix Checked'.

Boot into Safe Mode
1. Restart your computer and start pressing the F8 key on your keyboard.
2. Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Go to Start> Run> type in msconfig> enter> Selective Startup> Startup tab> UNCHECK the following if present:
AVG guard v7.5> this is no longer supported. It is included in v8
All Advanced System Care entries (allowing this to be changing the system while cleaning should not be allowed to start up).
Any entries for Antivirus System PRO
When through> Apply> OK

Control Panel> Add/Remove Programs> UNINSTALL any entry for Antivirus System Pro.

Reboot the computer into Normal Mode. NOTE: Ignore the nag message and close it after checking 'don't show this message again.' Stay in Selective Startup.

Reset Cookies This will prevent the pages and pages of Tracking Cookies that you have gotten.

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
Easy List: http://easylist.adblockplus.org/

Please run the following in Normal Mode if you can:
UPDATE and run Malwarebytes
Run Superantispyware
Run AVG scan and save log
Rescan with HijackThis

Attach new logs for each on next reply.

I will have you update Adobe when we're finished. Yours is way out of date and presents a vulnerability.
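
An added example, not part of the original post or any tool named in it: the `O1 - Hosts` lines listed above are hosts-file entries, and this Python sketch pulls them out of a HijackThis log and groups hostnames by the non-loopback address they are pinned to. The function names, the two-label `base_domain` shortcut and the extra `127.0.0.1 localhost` sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# HijackThis reports each hosts-file line as "O1 - Hosts: <address> <hostname>".
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")

# Entries quoted in the post above, plus one constructed loopback line.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 209.44.111.62 surety.microsoft.com
O1 - Hosts: 209.44.111.62 aware-protect.com
O1 - Hosts: 209.44.111.62 www.aware-protect.com
O4 - Global Startup: APC UPS Status.lnk = ?
"""


def parse_o1_entries(log_text):
    """Return (address, hostname) pairs for every well-formed O1 line."""
    entries = []
    for line in log_text.splitlines():
        match = O1_RE.match(line.strip())
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # not an IP literal; skip rather than guess
        entries.append((addr, match.group(2).lower()))
    return entries


def remote_redirects(entries):
    """Group hostnames by the non-loopback address they are pinned to.

    This only identifies redirections to remote addresses; it does not
    decide which other entries a helper may still want removed.
    """
    grouped = defaultdict(list)
    for addr, host in entries:
        if addr.is_loopback or addr.is_unspecified:
            continue
        grouped[str(addr)].append(host)
    return dict(grouped)


def base_domain(host):
    # Simplification (assumption): last two labels; wrong for suffixes like co.uk.
    return ".".join(host.split(".")[-2:])


def findings(log_text):
    """One record per remote address, noting when it serves unrelated domains."""
    results = []
    for addr, hosts in remote_redirects(parse_o1_entries(log_text)).items():
        domains = sorted({base_domain(h) for h in hosts})
        results.append({"address": addr, "hosts": hosts, "domains": domains,
                        "unrelated_domains": len(domains) > 1})
    return results


if __name__ == "__main__":
    for item in findings(SAMPLE_LOG):
        print(item)
```

A single remote address answering for both a vendor hostname and an unrelated domain is the pattern to look for in the output.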
 
Bobby,
I will attempt to do some of this.
Let me tell you a little more about this 'problem PC'
For some reason when I try F8, I get the boot up menu and safe mode is not an option. It is on my other systems. That is why I have to perform Start | Run | MSConfig and change the boot.ini to be safe mode.

I did not normally use my good pc as a flash drive. Sometimes I would copy files over this way from PC to PC. The Problem PC would not install AVIRA, something about a windows installer problem.

I have 4 USB ports on this machine and the odd thing now is that the only one that works is the one I have my mouse connected to. I connected a 4 port USB to the working port, but then no port on the 4 usb ports will work.

The AVG 7.5 - is already gone. I could not find it in the add/remove of the control panel, so I searched everywhere in the registry for it and removed it.

I haven't had the machine on since (I think) Sunday.

I just tried F1 on boot up and it was not the boot menu. During POST I did see F8 as the boot menu, but I know safe mode doesn't exist.

As I mentioned in a previous post, I purchased this computer years ago from a neighbor. If I had pirated MS Office on it, maybe I have some kind of OEM OS on it that is not a full version of XP PRO.

I am going to print out the instructions you provided for me (which I really appreciate the time you spent to do this). I will check later tomorrow in case you posted a reply to the additional information I have provided.

Since I cannot use F8 into Safe Mode, will changing to safe mode within msconfig work as a work around for the instructions you provided?
thanks
 