Cannot complete step 4, I need some help

Make sure you have the LATEST version of HJT (currently 2.0.0.2) from HERE.

Double-click on the file you just downloaded.
Click on the "Install" button to install.
It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
Please do not change the default install location.

[center]Very Important.[/center]

You need to rename HijackThis.exe to Crusty.exe. This is because some malware can hide from HijackThis.exe. Follow these instructions in order to do so.

Go to the C:\Program Files\Trend Micro\HijackThis\HijackThis.exe file and right click on HijackThis.exe. Choose rename. Click in the title box and hit the enter key to clear what`s there.

Now type Crusty.exe into the title box and hit the enter key. Right click on the Crusty.exe file and choose "Send to desktop Create Shortcut".

You can now close the HJT directory.

Run Hijackthis

Next click on the "Do a system scan and save a log file" button.
Hijackthis will scan and then a log will open in notepad.
Attach the HJT log into your post.

Under no circumstances, should you add anything to the HJT ignore list.

Please post the HJT log as an attachment.

Hi vaxinius

Boot to Safe Mode Networking, this allows Internet access, regular Safe Mode does not!

Go here and do the copy paste operation (ignore the warning in red as we had a typo that has been corrected). https://www.techspot.com/vb/topic118177.html

Stay in Safe Mode Networking and do the following.

Immediately do the 8 Steps as advised by Kim above.

Get the programs updated and executed and attach all logs.

Mike

Mflynn,

the linked step you sent me may have worked. Not sure if the act of scanning in safe mode is the reason why an infected file is showing up in MBAM or because I used the custom command line (your linked instructions) in the prompt to shake something out from under the "tree." MBAM spotted the infected file almost instantly in the scan which leads me to believe its in C: early in the alphabet. Continued the scan but MBAM froze up in the same typical manner as it has done before. So in order for me to actually finish the scan process I've cut the scan down to just one hard drive (C: and partitions D: and E: ) The Scan seems to freeze at random intervals last scan I got as far as X: (I have 2 total hard drives, second hard drive is set in partitions X: and Z:, and first hard drive is C: D: and E: )
At this point nothing previously suggested has stopped this program from freezing on my comp. I take pretty good care of my computer nothing usually freezing up so I cant really think of anything to suspect on my comp that would cause MBAM to freeze other than the virus.

Okay so this is the first time the scan has finished but MBAM still freezes as it always has. Only scanned first hard drive, but I got 5 infected files. I've attached the log file for MBAM. Should I continue with the 8 step process having MBAM only scan my first hard drive or do I need to be concerned that the virus will "hop over" to X: or Z:?

I also removed the 5 infected files after the scan.

Vax

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Locate and delete the following bold files and/or folders(if there).

C:\WINDOWS\x2v43907.dll

Reboot into normal mode and rehide your protected OS files.

Now please post a HJT log as I requested in my first reply to you.

Hi vaxinius

Yes by all means for now only scan the Windows boot drive normally C:. that is where 99% of Malware is.

The sad thing here with all your trouble scanning is that after all the time it took to scan you did not click next and delete the found Malware. You apparently just closed the program.

That is why the logs report "No action taken"!

So now you must scan again and select to remove what is found. Once you remove what is found run again and it may find more. Attach bot logs. Try to update everytime as one thing removed could break this loose also.

Once MBMA has run twice and/or is updating begin the same process with SAS!

Mike

hmm, i guess i accidentally sent an mbam log from when it froze perhaps? Because i know i did tell it to delete the 6 found infected files. Funny how it says "no action taken" when i actually told it to "fix selected problems." But now when i scan with mbam it says no infected files found, so it must have done something.

Okay i scanned a few times with SAS, went back and fourth between the two MBAM and SAS until i've found nothing. Im going to continue on to the next step, thanks for helping me clear things up.

GillianBrown im going to continue to follow the 8 step instructions because using hijackthis is already in the steps so ill just do them in the order that is given.


*edit* heres the link to my hijack this log. https://www.techspot.com/vb/showthread.php?p=699879#post699879
Vax

All your logs are clean.

Awaiting HJT log.

Okay i renamed hijackthis.exe to Crusty.exe and sent a shortcut to the desktop. Used that shortcut to rescan using hijackthis. Made a new log file, now i haven't closed the results of the scan yet because im still thinking theres someting in there i should perhaps "fix." Having said that, the same symptoms of infection Windows Data Excecution Prevention Program is still stopping some program from accessing improtant system files, and i still have unusual freeze ups and crashes. So any ideas?

Thanks again for your continuing assistance and Merry Christmas.

Vax

Hi Vax

HJT Scan only select and remove the below
O2 - BHO: (no name) - {1485870A-9A20-35F5-86B5-42AF502C8B00} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Ok how is all running what do we need to work on now?

Mike

Yup, all clean mate.

Providing you're not having any problems, you should be good to go.

Merry Christmas.

Okay here's hopefully the last hijackthis log file i should need to post...

I will update as necessary if anything else comes up.


Vax

Unfortunately, your HJT log is from safe mode.

Also, those two deactivated 2 bho entries are still showing.

I just want to be absolutely sure your system is clean, so please do the following.

Download combofix.exe to your desktop. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "1" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

Please post the Combofix log as well as a fresh HJT log from normal mode.

Nope, im still getting the same message from DEP saying something is trying to access sensitive files on C drive

How bout get me the post number where you gave that info concerning DEP etc?

Mike

okay this is a copy of the code i got...

Type : BEX P1 : explorer.exe P2 : 6.0.2900.2180 P3 : 41107ece
P4 : unknown P5 : 0.0.0.0 P6 : 00000000 P7 : 0177e860
P8 : c0000005 P9 : 00000008

Viewing the technical info about the error report gives me this...

C:\DOCUME~1\Vax\LOCALS~1\Temp\WERcf4f.dir00\explorer.exe.mdmp
C:\DOCUME~1\Vax\LOCALS~1\Temp\WERcf4f.dir00\appcompat.txt

Now that you mention it, i also had a fatal error involving DR Watsons Post Mortem Event Debugger, but didn't have time to write anything down as it crashed my PC. I haven't been able to duplicate that error since. But the first error with the codes above i can make again and again when ever i click on any of the drives in "my computer."

I put a bit of the error code in google and came up with this...http://forum.soft32.com/win4/Window...on-access-windows-explorer-ftopict179170.html

As per with what my suspicions are, i think i may have found out what my problem is. I installed a codec pack called "ACE mega codec pack" previous to my issues. If we're to perform a system restore, (as i did make a check point before installing the codec pack) would that put any malicious files back onto my computer or have they been permanently deleted by hijackthis, MBAM and SAS?

Yes it would if it was there.

Can you just not uninstall it now from Add/Remove?

then with My Computer browse thu Program files and delete what is left

Mike

Yup, that worked. No more symptoms. But apparently i did have a virus on my computer, or something because it was removed with SAS MBAM and hijackthis, and NOT my virus scan. By the way, why doesn't my virus scan detect these things, isn't that its job anyway?

Regards,

Vax