Viruses are destroying my computer and I need help

[confuzed27]

I do not know if I am posting this in the right board or not but I am having all kinds of issues with my Dell Latitude D810 with XP. About a week and a half ago I got a pop up with a little red x down by the clock that said windows has detected spyware. I did not click on the x or anything but I used spybot search and destroy and it seems to have gotten rid of it. And since then my computer has since made it so I can not get on the internet and can not run alot of my programs. I try to start my comptuer in safe mode and it runs through the processes and then just freezes on a black screen with a list of system files. When I boot it up in regular mode it gives me the option to open WIndows XP Regular or Windows XP Configuration. If i try and open configuration it just freezes at a black screen. I have put AVG 8.0 Free and HJT on my computer from a home computer. I have all of those logs if that would help with an analysis. I am so confused as to what could be causing this and need your help please!!!!!!

 

[tw0rld]

All infection issues are referred to the following link; https://www.techspot.com/community/topics/updated-4-step-viruses-spyware-malware-removal-preliminary-instructions.58138/. Please complete steps

 

[Bobbye]

I have put AVG 8.0 Free and HJT on my computer from a home computer. I have all of those logs if that would help with an analysis.

It is best to run Malwarebyes first, followed by Superantispyware and THEN HijackThis. you will find the instructions for each on the site referenced by tw0rld. It would be best to follow that order rather than posy the HijackThis log you have now, because those programs will find and remove most of the malware. remaining entries can then be removed by HijackThis.

 

[confuzed27]

Updated

I have went through the entire 8 step process that I was referred to. I have ran all the things that I was asked to in order and have attached the logs to this post. When I restart my computer I get directed to a black screen that gives me the option to either start in Microsoft Windows XP Professional or Microsoft Windows XP Professional Setup. If I click on the setup option, my computer freezes at a black screen so I have to go in using just the regular. My wireless internet connection does not work either. It gives me an address of 169.254.14.128. It worked fine before I started getting those little pop-ups. If I plug right into my computer with the ethernet cable, it does not let me on the internet either. Says limited or no connectivity. The virus vault attachment I have attached is the list of things that AVG 8.0 Free found when I did a complete scan. Please help!!!!

 

[almcneil]

Likely you have removed the spyware or most of it but there is system corruption left over. You need to run a Windows repair to correct that. Do you have a Windows XP Professional CD? You need to run the Windows repair.

Repost if you need help running the Windows repair.

Best,
-- Andy

 

[confuzed27]

I have tried to perform a repair and it does not work. I do not get the option to do a repair when I put in the Windows XP CD. It only gives me the option to do a complete install or upgrade. I tried the upgrade because it said it would not lose my files and that did not work. After I did that before trying all this other stuff is when I started getting that screen where it asks me to select which way to open XP.

 

[almcneil]

I have some bad news for you and that is you have file system corruption. The only way to fix this now is to try a CHKDSK from the Windows Recovery console. But you have a Windows installation already setup to run so you're in a bit of a pickle now. The CHKDSK could mess up the Windows installation setup program. If I were there I'd undo the Windows setup using BartPE which I doubt you have.

Can you backup your files at this point? It might be best to go with a complete reformat & re-install of Windows. Trying to save your current installation from here on is going to be tedious, time consuming and there's not guarantee it will work.

-- Andy

 

[kimsland]

I would recommend uninstalling:

COMODO Internet Security
and AVG8 (there was an issue with AVG8 last week, that caused Internet to be stopped; now resolved with a new update)

Then run inetwiz to re-setup your internet

Please note, I have checked your log and there still may be issues, but I cannot see any other Virus\Spyware activity.
But due to having both programs installed above, there may still be issues with your system

Therefore once back online try Free Antivirus like Avast or Avira
Do a full update and scan, then report back

 

[Bobbye]

confuzed27, it's not the time to try and back up the files. If you can get into the system at all, please let me know. There are some entries that need to be removed. You may be able to do these in Safe Mode without the internet connection:

1. Can you delete the Trojans in the virus vault?
2. Are you a student at Olin Business School - Washington University in St. Louis? You may need to verify the proxy to Port 8080. You may need to set up a port forward.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.olin.ustl.edu:8080

3. Also, is there a reason to have 6 of these connections? This may be your ISP or company but it cannot be verified without an IP or URL showing.

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.local
O17 - HKLM\Software\..\Telephony: DomainName = student.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = student.local
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = student.local
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = student.local

IP169.254.14.128. can't be found-It is not a valid IP, meaning it's been spoofed.

Depending on whether you can even get into the system, it is possible that you may need to reformat. That is not something I say lightly. Is there an IT person at the school who can help you with this?

EDIT: kimsland, it looks like we have arrived at the same place. Your reply wasn't up when I started. Hopefully we can get this system straightened up.

 

[confuzed27]

I have tried to delete Comodo and I get am error everytime I do saying that there is an error deleting a file or folder. It says cannot delete cavshell.dll: Access is denied. It says to please make sure that the disk is not full or write-protected and that the file is not currently in use. What do I do now?

 

[almcneil]

Using the Windows installation CD, boot into Recovery Console. Run a CHKDSK at the dos prompt ("c:>chkdsk /r") See what it finds.

-- Andy

 

[kimsland]

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.local

Isn't this the Domain Server local login user for this computer?
It looks as though the user has two login accounts

1 to the Domain Server
1 to the local computer

The local computer's HJT log has included the Domain student.local account

I could be wrong

 

[confuzed27]

I can not boot my computer in safe mode at all. I start to do it and it freezes when it gets to the point of showing a list drivers. It freezes up when it shows ----
multi(o)disk(0)rdisk(0)partition(2)\WINDOWS\system32\DRIVERS\agpCPQ.sys.

I restarted it in safe mode before I typed this and it is till sitting at the exact same spot now as i finish this reply. I can hear it kinda working and the little green light does flash from time to time like it is trying to do something, but it just sits there.

my computer restarted after being froze for a long time and then i tried to boot in safe mode again, and I am now in safe mode. So what is your guys's next suggestions?

I was also able to get in and do a chkdsk as well. It came up with somestuff if you would like to see those results as well.

 

[almcneil]

I still recommend the CHKDSK in Recovery Console. You clearly have file system corruption and your installation is unstable. If it were me, fixing the file system is most important at this point. If you try removing anything while the file system is corrupt, you could lose the whole Windows installation.

Run the chkdsk as I outlined in a previous post.

-- Andy

 

[Bobbye]

confuzed27, lest you get more confused, I am going to withdraw from this thread. I think you are being pulled in too many directions by too many people and I don't think this is in your best interest. It is possible that all the suggestions are valid, but whether they are all valid for your system is questionable.

 

[confuzed27]

Chkdsk

I have ran the chkdsk program in safe mode and found out somethings. I am wondering what I should do now. It said that Windows found problems with the file system and that I should run chkdsk with the fix option to correct. SHould I run the fix option?

 

[almcneil]

Yes, chkdsk will run automatically on the next restart.

-- Andy

 

[confuzed27]

I restarted my computer in normal mode and chkdsk did not automatically restart. I tried to run it again using the fix option this time and it says that the volume is in use by another process.

 

[almcneil]

Sorry to retrace a step, but you have run chkdsk once already?

-- Andy

 

[confuzed27]

yes i ran chkdsk in safe mode, it said it found errors and told me to type the option f if I wanted it fixed. I did that it and it asked if I wanted it to be checked next time I restarted the computer. I did that and restarted in normal mode, and it did not start automatically and I can not run it with the f option because it says that it is in use by another process.

 

[almcneil]

Then you didn't run CHKDSK on your default partition. Restart to the Windows installation CD and select r" for Recovery Console. Once you're at the DOS prompt, enter 'c:>chkdsk /r' It should take 20 to 40 minutes to complete.

Repost with results.

-- Andy

 

[confuzed27]

I tried to restart to the windows installation cd and typed in r for recovery/repair mode and it asked for my administrator password. I have no idea what that is. I log on as a user on the computer. I do not know what to do now.

 

[almcneil]

Just hit return, it should skip it. If it doesn't, you'll need a password remover (there's a few in the Download section at this site.)

-- Andy

 

[kimsland]

The Downloads section for password recovery help: https://www.techspot.com/downloadid27by4.html

Does not include Windows logon password retrieval

Please try here instead: https://www.techspot.com/vb/post633339-2.html

 

[Bobbye]

I have ran the chkdsk program in safe mode and found out somethings. I am wondering what I should do now. It said that Windows found problems with the file system and that I should run chkdsk with the fix option to correct. SHould I run the fix option?

Well, I see there is more confusion. Shut down ALL Error Checking. Reboot the computer into Safe Mode:
My Computer> Right click on Local Drive- usually C> Properties> Tools> Error Check> click on Check Now> CHECK BOTH BOXES on the screen that comes up> OK> Close the message that comes up and reboot into Safe Mode. Let the checking complete