Please help...task manager probs and more

Status
Not open for further replies.

ames1223
I'm almost sure I've got a virus. This was my dad's computer and it had a lot of spyware, etc. on it. Yesterday I had all these pop-ups, then my internet wouldn't work, then it would, but only the messengers, none of the browsers; stuff keeps downloading, etc. It's a mess. I downloaded AVG 7.5 antivirus, the spyware (as well as Spy Doctor 5.0) and the AVG anti-rootkit. I also used HijackThis v1.99.1 because I saw a lot of references to this (oh, and also my Task Manager is missing; it won't allow me to open it. When I do Alt+Ctrl+Del it says the admin has restricted access, but I'm the admin). Here is the log from HijackThis:

Help is MUCH appreciated. I don't know a whole lot about computers especially this stuff.

Edited by Moderator: No need for a double post if there are no replies between your current post and the last post, unless bumping the thread. In that case, please wait at least 24 hours before doing so. Otherwise, simply use the "Edit post" button instead.

Also, something called Outerinfo.com keeps downloading onto my computer and it has several pop-ups. I delete and uninstall it and it comes right back.

Never mind!!! Can this be deleted? I see Momok responded to my other post with help! Sorry!
 
Don't know if you're uninstalling via Windows program removal or this standalone removal. You might want to try this to at least get rid of the pop-ups.
 
How would I just take everything off and start from the ground up, basically? There are a lot of files I don't use anyway, as I just got the computer; the only things important are my pictures, which I've burned to a CD. I mean, would that be a good approach (you mentioned totally reformatting or cleaning it)?

I had already started doing the things on that thread this morning before I left.

Now Windows Media Player won't work either :(
 
Hi,

Note: Please do not copy and paste your logs in the future. Instead, post your .log or .txt files as attachments to this thread.

Download LSPFix from HERE.
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of 'abcdefgh.dll' in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Restart your computer

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double-click each one and, if it is running, click Stop. Set the startup type to Disabled. Click Apply/OK for each service you disable.

GPLv3
IESet
csrss
Npxs
Domain Service
Net Agent


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\xomnicyx.dll",realset

O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [Npxs] C:\WINDOWS\?ppPatch\w?nlogon.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

O15 - Trusted Zone: *.west.com
O15 - Trusted Zone: *.workathomeagent.com
O15 - Trusted Zone: *.workhomeagent.net
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\vrcfpwyv.exe (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)

Close HJT.


Navigate in Windows Explorer and delete the following files and folders:
C:\WINDOWS\System32\xomnicyx.dll
C:\WINDOWS\csrss.exe

Conduct a search for all instances of IExplorer.dll and delete them. For the following two entries, see the note below.

C:\WINDOWS\AppPatch\winlogon.exe
C:\WINDOWS\AppPatch\

(Note: There will be two AppPatch folders if you search in your C:\WINDOWS directory. To identify the entries above that are to be deleted, check the AppPatch folder that is out of alphabetical order from the rest of the folders, probably right at the bottom after WinSxS or below the rest of your system files. It should contain winlogon.exe. It is only displayed that way because of certain special ASCII characters that display like the normal alphabet.)

Reboot into normal mode and rehide your protected OS files.

After that, continue with the rest of the instructions in the thread CCT provided.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of ames1223 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
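The checks momok applies by hand to the HijackThis entries above (a system process name outside System32, an eight-letter random file name, a path HijackThis prints with '?', an orphaned "(file missing)" entry, a Trusted Zone addition, an ms-its: ActiveX download, an autostart in the Policies key) can be written down as a small triage script. This is an added example, not code from the thread, from HijackThis or from momok. The sample lines are the entries quoted above plus two constructed benign lines; the tag names, the allowlist of legitimate eight-letter stems and the vowel/consonant thresholds are my own assumptions.

```python
import re

# Processes that legitimately live only in %SystemRoot%\System32. The same name
# anywhere else (C:\WINDOWS\csrss.exe, AppPatch\winlogon.exe) is a masquerade.
SYSTEM32_ONLY = {"csrss.exe", "winlogon.exe", "svchost.exe", "lsass.exe",
                 "services.exe", "smss.exe"}

# Assumption: legitimate 8-letter stems that must not trip the random-name check.
EIGHT_LETTER_OK = {"winlogon", "explorer", "userinit", "ntoskrnl"}
VOWELS = set("aeiou")
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')   # drive-rooted path up to whitespace/quote


def looks_random(stem):
    """Heuristic for generated names such as xomnicyx or vrcfpwyv: exactly 8 lowercase
    ASCII letters with few vowels or a long consonant run. Thresholds are my assumption."""
    if len(stem) != 8 or not stem.isascii() or not stem.isalpha() or not stem.islower():
        return False
    if stem in EIGHT_LETTER_OK:
        return False
    vowel_frac = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_frac <= 0.25 or longest_run >= 4


def triage(line):
    """Return a list of tags explaining why a HijackThis line is suspicious ([] = clean)."""
    tags = []
    kind = line.split(" - ", 1)[0].strip()          # O2, O4, O15, O16, O23 ...
    lower = line.lower()
    if "(file missing)" in lower or "(no file)" in lower:
        tags.append("orphaned")                     # leftover of something already removed
    for path in PATH_RE.findall(line):
        parent, _, name = path.rpartition("\\")
        name = name.lower()
        if name in SYSTEM32_ONLY and not parent.lower().endswith("\\system32"):
            tags.append(f"masquerade:{name}")
        if looks_random(name.rsplit(".", 1)[0]):
            tags.append(f"random-name:{name}")
        # HijackThis prints '?' for characters it cannot render; an OS-level listing
        # shows the real non-ASCII code point. Either way the path is a look-alike.
        if "?" in path or not path.isascii():
            tags.append(f"lookalike-path:{path}")
    if kind == "O15":
        tags.append("trusted-zone")                 # site given relaxed IE security
    if kind == "O16" and "ms-its:" in lower:
        tags.append("ms-its-chm")                   # ActiveX pulled in via a CHM help file
    if kind == "O4" and "policies\\explorer\\run" in lower:
        tags.append("policies-run")                 # autostart hidden in the Policies key
    if kind == "O4" and "runservices" in lower:
        tags.append("runservices")
    return tags


def flagged(lines):
    """Map each suspicious line to its tags; clean lines are omitted."""
    return {ln: triage(ln) for ln in lines if triage(ln)}


# Entries quoted earlier in this thread, plus two constructed benign lines at the end.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\xomnicyx.dll",realset',
    r"O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt",
    r"O4 - HKCU\..\Run: [csrss] C:\WINDOWS\csrss.exe",
    r"O4 - HKCU\..\Run: [Npxs] C:\WINDOWS\?ppPatch\w?nlogon.exe",
    r"O15 - Trusted Zone: *.workathomeagent.com",
    r"O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtend.net/code/chm/xpre.chm::/xpreload.ocx",
    r"O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\vrcfpwyv.exe (file missing)",
    r"O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINDOWS\svchost.exe",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",  # constructed, benign
    r"O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe -k netsvcs",  # constructed, benign
]

if __name__ == "__main__":
    for entry, tags in flagged(SAMPLE_LINES).items():
        print(", ".join(tags).ljust(40), entry)
```

The script is a triage aid, not a verdict: an orphaned entry is harmless on its own and only worth fixing, while a masquerade or a random eight-letter name in System32 is the thing to chase to a file, a service and a process before anything is deleted.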
 
OK, I will do this also, but I just finished the steps provided by Howard, so I wanted to post my latest HJT and Ad-Aware reports, and I will repost once I do these steps. My Task Manager did come back!!!!!! Thank you both SOOOOO much (oh, and I also got rid of the nasty Outerinfo pop-ups!!!)

*Edit to add ComboFix log
 
OK, it said I already posted them in my other thread in the security section; sorry, I don't know how to link to that thread!
 
Hi,

Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.
Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

Thereafter, please post fresh HJT and AVG Antispyware logs from normal mode and the ComboFix log from the safe mode instructions as attachments into this thread.

How was the AVG anti-rootkit scan?


Regards,
Your friendly momok =)

This thread is for the use of ames1223 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
OK, here are the ComboFix logs and the fresh HJT. Working on the AVG Anti-Spyware log.

I still can't remove certain programs but I haven't had ANY pop ups or any other problems.

The anti-rootkit came back fine; it said nothing was found.

*I can't get my HJT log (I renamed it as a .txt file) to upload. It keeps saying upload errors.
 
Hi,

Have you deleted the fake AppPatch folder as per my previous instructions? If not, please do so. If you had any problems deleting it let me know.

Leave your HijackThis.log as it is and upload it. However, do these following instructions before running a scan on it to obtain a fresh log.

Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.
Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

Thereafter, please post fresh HJT and AVG Antispyware logs from normal mode and the ComboFix log from the safe mode instructions as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of ames1223 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I checked and I only saw one AppPatch while in safe mode.

Here are the latest logs:

Combofix
HJT
AVG Anti Spyware
 
Hi,

I noticed that your AVG log displays 'No Action Taken' for all the files detected.
I require you to run AVG again and quarantine the files. Pictorial instructions HERE.

Right now, are there still 2 AppPatch folders in your C:\Windows\ directory? Have you managed to successfully delete the rogue one that I instructed you on how to identify?

You may wish to copy and paste these instructions on notepad for easier reference later.

Please follow these instructions carefully.

Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.
Download the attached "avengerscript.txt" (from my attachment) and save it to your desktop.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double-click each one and, if it is running, click Stop. Set the startup type to Disabled. Click Apply/OK for each service you disable.

svchost

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)

O2 - BHO: (no name) - {5CB0B17F-43D3-4BD7-9870-DDC3CF2B2F90} - C:\WINDOWS\system32\ddccd.dll (file missing)

O4 - HKLM\..\Policies\Explorer\Run: [svchost] C:\WINDOWS\svchost.exe

Close HJT.

Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the attachment avengerscript.txt you have just downloaded, click on it and press Open.
Now click on the green light to begin execution of the script.
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as well as c:\avenger.txt as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of ames1223 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I thought I had it set to that, but I followed the pictorial and I will rescan after following these new instructions.

I haven't deleted the AppPatch; I guess I'm unsure of what exactly I'm looking for. I do see one AppPatch, but I thought I was looking for one out of alphabetical order that had winlogon.exe... is that not correct?

*I just ran Avenger and after it rebooted it said it couldn't find the file (something like that; I assume that would be the log?). When I checked the folder (C:\avenger) all it had was backupreg.
 
Hi,

Could you please try running avenger via the same instructions again? However, before that, please unhide your OS files and open your C:\Windows directory.

Look through the folders and at the very top, you should find an AppPatch folder, in alphabetical order. Scroll down to the bottom and see if you find a second AppPatch, or a random character '?'ppPatch folder. When you find it, open it, and you should find a winlogon.exe in it.

Open Task Manager and kill the process winlogon.exe before deleting the entire rogue folder and its contents. Let me know if you have problems finding it.

After running avenger, please post fresh combofix, avg antispyware, hijackthis logs as well as C:\avenger.txt in your reply.


Regards,
Your friendly momok =)

This thread is for the use of ames1223 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
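The folder momok describes is a look-alike: its first character is a non-ASCII letter that renders like "A", which is why HijackThis printed it as '?ppPatch' and why it sorts after WinSxS rather than next to the real AppPatch. The script below, an added example that is not part of the thread and not momok's or Avenger's code, shows both effects on a constructed listing of C:\Windows and gives a programmatic way to find such folders instead of eyeballing the sort order. The sample listing, the choice of Cyrillic A (U+0410) for the rogue entry, and the confusables table (a small subset of Unicode TR39) are assumptions.

```python
import os
import unicodedata

# Partial table of characters that render like Latin letters (Cyrillic and Greek).
# Assumption: a subset of the Unicode TR39 confusables list; extend as needed.
CONFUSABLES = {
    "\u0410": "A", "\u0430": "a", "\u0412": "B", "\u0415": "E", "\u0435": "e",
    "\u041a": "K", "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u043e": "o",
    "\u0420": "P", "\u0440": "p", "\u0421": "C", "\u0441": "c", "\u0422": "T",
    "\u0425": "X", "\u0445": "x", "\u0406": "I", "\u0456": "i", "\u0405": "S",
    "\u0455": "s", "\u0408": "J", "\u0458": "j", "\u0391": "A", "\u0392": "B",
    "\u0395": "E", "\u0397": "H", "\u0399": "I", "\u039a": "K", "\u039c": "M",
    "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T", "\u03a7": "X",
    "\u03bf": "o", "\u03c1": "p", "\u03bd": "v",
}


def skeleton(name):
    """Fold a file name to the ASCII form a human reads: compatibility-normalise
    (fullwidth A -> A), map confusables, drop invisible/combining/control characters,
    casefold, and strip the trailing dots and spaces that Windows ignores."""
    out = []
    for ch in unicodedata.normalize("NFKC", name):
        ch = CONFUSABLES.get(ch, ch)
        if unicodedata.category(ch) in ("Cf", "Mn", "Cc"):
            continue
        out.append(ch)
    return "".join(out).casefold().strip(" .")


def find_lookalikes(listing, protected):
    """Return [(entry, genuine_name)] for entries that impersonate a protected name."""
    genuine = {p.casefold(): p for p in protected}          # Windows names are case-insensitive
    by_skeleton = {skeleton(p): p for p in protected}
    hits = []
    for entry in listing:
        if entry.casefold() in genuine:
            continue                                          # the real folder
        target = by_skeleton.get(skeleton(entry))
        if target is not None:
            hits.append((entry, target))
    return hits


def explorer_order(listing):
    """Case-insensitive sort by code point. Non-ASCII names land after 'WinSxS',
    which is why the rogue AppPatch is 'out of alphabetical order' at the bottom."""
    return sorted(listing, key=str.casefold)


def scan_directory(path, protected=("AppPatch", "system32")):
    """Live check of a real directory, e.g. scan_directory('C:/Windows') on the box."""
    return find_lookalikes(os.listdir(path), protected)


# Constructed listing of C:\Windows with one rogue entry whose first letter is
# Cyrillic A (U+0410); a console that cannot render it prints '?ppPatch'.
SAMPLE_LISTING = ["addins", "AppPatch", "Config", "Debug", "Fonts", "Help", "inf",
                  "system32", "Temp", "WinSxS", "\u0410ppPatch"]

if __name__ == "__main__":
    print("sorted:", explorer_order(SAMPLE_LISTING))
    for entry, target in find_lookalikes(SAMPLE_LISTING, ["AppPatch", "system32"]):
        print(f"look-alike {entry!r} ({[hex(ord(c)) for c in entry[:1]]}) impersonates {target}")
```

The skeleton comparison is the part worth keeping: it also catches fullwidth letters, zero-width characters inserted into a name, and "AppPatch." with a trailing dot, none of which the sort-order trick would reveal. When a hit is found, follow the same order momok gives: end the process running from that folder first, then remove the folder, otherwise the running binary keeps the directory locked or recreates it.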
 