HELP my PC is infected


Hello,

I have AVG Free running and the full version of Malwarebytes (MWB). I wanted to try a different AV tool rather than AVG, so I initially downloaded AVAST and ran the scanner, which found nothing. I deleted AVAST via Uninstall Programs successfully. I then downloaded Emsisoft and ran a full scan. It found Setting.DisableRegistryTools (A) and I have quarantined it. It also found 2 malware items.

I now cannot run anything on the PC apart from Emsisoft, which seems to work. I get a Windows box with "Unable to start correctly" and error code 0xc0000005. I have tried to look at the log for the 2 malware items but Notepad will not run for this. Browsers get the same error, and so on…

I still think AVG is running; there are some AVG tasks in the Task Manager list, but it does not appear in the notification area of the PC (bottom right).

I am not sure if I am infected or whether running 2 AV systems (and MWB) is causing the problem (I forgot to suspend AVG). So, time to stop and get some help before I dig a BIG hole, if I am not in one already!!

I have tried to run EEK (downloaded from another PC) and it failed with the "unable to start correctly" message, 0xc0000005. FRST64 ran and stopped half way through with an error for mod_frst.exe, unable to start correctly, same error code. I took the option OK and the scan continued OK; logs attached.

A couple of notes: Notepad now seems to run, although it still does not when I try to show the malware inside Emsisoft. I have Trusteer Rapport running, but not set to protect any web sites that I was using.

Thanks very much for your assistance. My trial of Emsisoft, on the one hand, is not going so well; on the other, it is the only product that has found this issue, so it could be brilliant!!

FRST.txt

Addition.txt

Do the following:

Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Confirm each time with OK.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3433331520-3874042528-2132194530-1000 -> {5A6CABD6-AB8C-4F18-9E33-E3C774D0B689} URL = 
SearchScopes: HKU\S-1-5-21-3433331520-3874042528-2132194530-1000 -> {648D93A9-0F44-4A89-B7DC-DDA3C396052D} URL =
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
Toolbar: HKU\S-1-5-21-3433331520-3874042528-2132194530-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
2014-08-01 18:50 - 2014-08-01 18:50 - 0000093 _____ () C:\Users\Derek\AppData\Roaming\ARCompanion.log
2013-08-16 06:28 - 2013-08-16 06:28 - 0000055 _____ () C:\Users\Derek\AppData\Roaming\WB.CFG
2010-03-09 21:57 - 2012-02-12 10:24 - 0003584 _____ () C:\Users\Derek\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-07-18 21:49 - 2015-03-29 09:23 - 0007618 _____ () C:\Users\Derek\AppData\Local\Resmon.ResmonCfg
2010-09-14 18:53 - 2010-09-14 18:53 - 0000056 ____H () C:\ProgramData\ezsidmv.dat
C:\Users\Derek\TyreProfile.dat
C:\Users\Derek\AppData\Local\Temp\SkypeSetup.exe
AlternateDataStreams: C:\Windows:nlsPreferences
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Hello Kevin,

Thanks for the information, which I have tried by downloading on another machine and then copying to the infected machine's desktop. Unfortunately, when trying to run either AdwCleaner or JRT I get the same message box, "Unable to start correctly", with the error code 0xC0000005.

By the way, the source of the virus found (on the quarantine list) is HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS; not sure if this is helpful.

Hi,

Error code 0xC0000005 is an access violation code. Unfortunately, there are several things that cause that particular error message; malware and a bad RAM module are two of them.

Run a fresh scan with FRST, attach the new FRST scan log to your reply.

Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3433331520-3874042528-2132194530-1000 -> {5A6CABD6-AB8C-4F18-9E33-E3C774D0B689} URL = 
SearchScopes: HKU\S-1-5-21-3433331520-3874042528-2132194530-1000 -> {648D93A9-0F44-4A89-B7DC-DDA3C396052D} URL = 
C:\Users\Derek\TyreProfile.dat
AlternateDataStreams: C:\Windows:nlsPreferences
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Hi Kevin,

Unfortunately the system is still giving the same error when I try to run applications. The main screens of things like Malwarebytes and AVG come up OK, but Firefox etc. give errors.

I tried to see if AdwCleaner and JRT would run, and they give the same error.

This is looking more and more like a hardware issue. You may want to run a RAM test.

Let's try a different tool.

Download RogueKiller from one of the following links and save it to your desktop:

  • Link 1
  • Link 2

  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", just close the program. <-- Don't fix anything!
  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled RKreport[X]_S_xxdatexx_xtimex.
    • The highest number of [X] is the most recent scan.

I don't seem to be able to get past the problem of the system error. Trying to run RogueKiller, I got the same error.

I tried to run PCTools on the system (Dell Inspiron 1764) and this worked. I ran the full scan, including the system memory test and the advanced pattern test, and all tests passed. Should I run any other hardware scans?

Thanks for your continued help.

You can restore those items, they are not present by default and their removal should have had no effect on system performance.

We can try another tool; it is a bit more aggressive than the other tools we have used.

Download ComboFix from Link

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

!!! IMPORTANT !!! Save ComboFix to your Desktop

NOTE: ComboFix is an advanced utility, and is not like traditional automated tools. It will delete anything that it knows is bad without asking for confirmation, it will save backup copies in its quarantine automatically, it will restart your computer, and it will produce a log that allows me to analyze and determine if there is anything left over. This log will not contain any personal information, or information about any of your documents, pictures, music, videos, etc. It only compiles information on which applications/drivers/etc. were installed within the last 30 days, any applications that have certain properties that could be used for malicious purposes, and most of the load points on your system that can be abused by malicious software. If there is a false positive, and something gets deleted that should not, then I can write a script for ComboFix that will tell it to restore specific items that it deleted.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    See HERE for help

  • Double click on Combo-Fix & follow the prompts.
When finished, ComboFix will produce a log.

NOTE:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

3. If you get a message that states "illegal operation attempted on a registry key that has been marked for deletion" restart your computer.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

  • ComboFix (C:\combofix.txt)

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
Thanks for the information. I tried to run Combo-Fix but ended up with the same error, Unable to start correctly with error code 0xc0000005.

It seems that anything that I attempt is being blocked by something and not working. I tried removing the malware found by Emsisoft and, as you suspected, it made no difference. I ran the Emsisoft scanner to re-quarantine it. Before I tried the above I did suspend Malwarebytes, but could not suspend AVG as it kept coming back with the same error 0xc0000005. Do you think it could be AVG blocking something?

Would it be worth trying to run anything in Safe Mode??

Seems we are getting nowhere at the moment and the best option may be to do a full restore??

Thanks again for your assistance.

Hi Kevin,

I ran AdwCleaner in Safe Mode without the option to fix anything and then rebooted and, for some reason, things seem to be running properly without error. Although I think I may be in some sort of special mode, as MWB and AVG are not running.

So I have started at the top of your requests for information and run the AdwCleaner scan and then the cleaning option; log attached.

I ran JRT, which ran until it got to a point where I had an error box: MS Visual C++ Runtime Library Runtime Error: Program c\windows\sysWOW64\reg.exe : R6016 – not enough space for thread data. I forgot to note at which point in the process it came up. Took the option OK and it continued.

Then had the same error while “Checking Registry” Took option OK, and continued.

Then had the same error while “Checking Mozilla Firefox” Took option OK, and continued.

I did not run FRST64 with the fixlist.txt file.

I have re-run the original requests, the EEK and FRST scans.

EEK updated signatures, which took a very long time. Then ran scan. Log attached.

I then ran the FRST scan; 2 logs attached.

I restarted the PC and now only have AVG and Emsisoft running as AV products, and not MWB. I am now getting the original error back when I try to run anything. I cannot seem to stop AVG running; could it be a conflict between the two AV products?

I hope all this makes sense.

Addition.txt
AdwCleanerC3.txt
FRST.txt
JRT.txt
scan_151110-124330.txt

Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
IE Session Restore: HKU\S-1-5-21-3433331520-3874042528-2132194530-1000 -> is enabled.
2015-11-05 21:32 - 2010-02-27 00:05 - 00000000 ____D C:\ProgramData\PCDr
Reg: reg replace "HKEY_USERS\S-1-5-21-3433331520-3874042528-2132194530-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLETASKMGR" /f
Reg: reg replace "HKEY_USERS\S-1-5-21-3433331520-3874042528-2132194530-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLEREGISTRYTOOLS" /f
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Reg: reg delete "HKEY_USERS\S-1-5-21-3433331520-3874042528-2132194530-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLETASKMGR" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-3433331520-3874042528-2132194530-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM" /v "DISABLEREGISTRYTOOLS" /f
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

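The two fixlists above use reg.exe to clear the DisableTaskMgr and DisableRegistryTools policy values that had been set in the user's hive. As an added example (not code from this thread, from FRST or from Emsisoft), the PowerShell script below audits the same Policies\System values under HKLM and every loaded user hive, so you can confirm after a fix that nothing has re-set them; the -Remove switch is this script's own option, not an FRST directive, and the script assumes it is run from an elevated prompt.

```powershell
# Added example: audit (and optionally clear) the Policies\System values that
# disable Registry Editor and Task Manager. Run from an elevated PowerShell.
# DisableRegistryTools: 1 or 2 blocks regedit; DisableTaskMgr: 1 blocks taskmgr.
param([switch]$Remove)

$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$names  = 'DisableRegistryTools', 'DisableTaskMgr'

# HKLM plus each loaded hive under HKU (.DEFAULT, S-1-5-19, S-1-5-20, S-1-5-21-...).
# The *_Classes hives hold file associations, not policies, so they are skipped.
$roots  = @("HKLM:\$subKey")
$roots += Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$subKey" }

$findings = foreach ($path in $roots) {
    if (-not (Test-Path $path)) { continue }   # key absent: nothing set here
    $key = Get-Item $path                      # Microsoft.Win32.RegistryKey
    foreach ($name in $names) {
        $value = $key.GetValue($name, $null)
        if ($null -eq $value) { continue }
        [pscustomobject]@{ Path = $path; Name = $name; Value = $value }
        # Only a non-zero value actually disables the tool; leave explicit zeros alone.
        if ($Remove -and $value -ne 0) {
            Remove-ItemProperty -Path $path -Name $name
            Write-Host "Removed $name from $path"
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host 'No DisableRegistryTools / DisableTaskMgr values are set.' }
```

Run it once without -Remove to see which hives carry the values, since a value under HKLM applies to every account while one under a user SID affects only that profile.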
Hi,

The system seems to be running OK now, a bit slow, but maybe that is because I have AVG Free running with Emsisoft and MWB??!!

Are there any other scans that I could run to check things? I have run AVG, MWB and Emsisoft without errors.

Another query, maybe related: I am running a trial version of Emsisoft, but when I go into the Emsisoft Security Centre Overview display the first block is in red and says "No Protection". I tried clicking on the box to see if it would change this, nothing, and then went into the Surf Protection option, clicked Activate Surf Protection in the top left corner, and got the mouse icon (hand), which sits there for a while, but nothing changes. I have tried rebooting the system but the same issue arises. Is there another setting somewhere that I should set?

Thanks again for all your help.

Emsisoft utilizes a network filter that can conflict with other protection software. Running AVG, EAM, and MWB alongside each other is a bit heavy. Just running EAM and MWB is more than adequate protection.

The EAM "No Protection" warning: is that after updating to EAM v11?

I am running EAM v11.0.0.5911 Freeware license.

I am going to move from AVG to EAM. Would EAM run happily with the full version of MWB, or would it be best to use the free version of MWB and just use it as an additional scanner from time to time?

p.s. the system is still running fine, thank you.

EAM and MWB should happily coexist with each other on the system.

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in Notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

Download to your Desktop:

- CCleaner Portable

  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner

Run CCleaner

  • Open the CCleaner folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • Click "Options" and choose "Advanced"
  • Uncheck "Only delete files in Windows Temp folders older than 24 hours"
  • Then go back to "Cleaner" and click the "Run Cleaner" button.
  • Exit CCleaner.

Turn off System restore to flush all your restore points then turn system restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Install and run the Secunia Personal Software Inspector; this will inspect your system for software that is out of date and in need of updating. Update any program/application detected as being out of date.

Articles to read:

How to Protect Your Computer From Malware

How to keep you and your Windows PC happy

Web, email, chat, password and kids safety

10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.