PhilliePhan 171 Central Scrutinizer Team Colleague

Hi, thanks for your time.
Here's the log you requested

OK - That looks better. Still a few steps to do, though.


-- If your Norton has expired, you'll need to renew or replace it.
If you want a free alternative, uninstall Norton and replace it with Comodo Firewall + AV
But, you gotta have an up to date AV!

-- Is this folder still on your machine? --> c:\program files\ewido

-- I recommend uninstalling these as they pose security risks:
c:\Program Files\Kontiki
c:\Program Files\Kazaa Lite
c:\Program Files\BearShare Applications

LASTLY:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

And . . . We'll go from there :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I hope this is what you are looking for.

That'll work :)

To start, please go into Add / Remove Programs and Uninstall these:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment Standard Edition v1.3.1_11
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1

Messenger Plus! 3
Messenger Plus! Live

Then, please go to http://www.java.com/en/ to download and install the latest version of Java.

--- Has your Norton AV Subscription lapsed? You'll need up to date AV.....

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Please post the combofix log for me.

Will check back as time permits.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi thanks for your help.
I'm working my way through your suggestions.

Allrightythen!

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I was reading something on another thread about how registry cleaners are not good; I use 2 of them. Should I not be? And also, how can I stop this from happening? My antivirus programs/scans are:

I don't care too much for registry cleaners - often they do more harm than good and you'd be hard pressed to see any improvements after using them.
More and more people are infected by P2P stuff each day - you might consider this the new front line for malware. It is easy to infect a machine when it is inviting you to do so.... That would be the first place to take preventive measures to not get infected again.

-- A defrag every day is a bit of overkill. Even once a month is overkill in my book. Although, if you add and remove a lot of data on a regular basis, you might need to do this more often.

-- Be sure to keep your Norton up to date.
-- MBAM once a week with updated builds and definitions is a good idea.
I might replace SpybotSD with SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
A bit of a different tool - similar to Spybot's "immunize" feature.

-- I also like Erunt as an alternative to System Restore, though using both won't hurt anything:
http://www.larshederer.homepage.t-online.de/erunt/

-- Some good "real-time" protection is a must. I like WinPatrol:
http://www.winpatrol.com/

I also like A-Squared, though I …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi, I think my computer has some problems.
Please help if you can.

You've got some baddies.

-- Please delete your current HJT. It is outdated. No need for new version at this time.

-- Please post the scanlogs requested in the linky below and I or one of the other volunteers will have a look as time permits.

http://www.daniweb.com/forums/thread134865.html

Things are a bit hectic this time of year, so responses may be a bit slow.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I think it's gone for good. The only thing that annoys me is my antivirus sometimes pops up that I have a virus in the System Restore folder.

Great!

-- Did you adjust your security settings in IE to deal with the error message?

-- Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste ComboFix /Uninstall into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Flushing System Restore will stop those AV messages.
If combofix does not uninstall properly (due to beta or that it is not on desktop) let me know.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I'd be just as inclined to ignore it as I did before but I just wanted to see if it was a known problem. Kaspersky reports in as being alive and well from its own control panel.

This is a known problem for many AV products - I think more to do with Security Center and Vista than the AV.

There are a few different programs available to reset Security Center, if you care to search for them.
Often, it helps if you uninstall your AV before resetting Security Center. Then, Reboot after the uninstall / run the reset tool or manually reset Security Center / Reboot again / reinstall AV product.
That often does the trick.

'Course, that is a bit of a hassle to go through when your AV is reporting that it is functioning properly.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Okay, so I forgot to extract the contents to the desktop (it was in a file folder) so I had to rerun Avenger... glad I actually read the log :D.

Great - Go ahead and delete those two files.
If you are more comfortable renaming c:\windows\system32\fbhco.dll to fbhco.OLD rather than deleting it, then do that.

The other one obviously needs to go.

Other than those and this folder - c:\program files\Common Files\tya62hfb - I think you are good to go now.

How are things running?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

or is it still possible that something has severed the ties between Windows and the AV or worse?

It's probably just Vista being Vista....

If you haven't solved this already, you can try this:

-- Open an Elevated Command Prompt
-- At the prompt, type: net stop winmgmt ENTER

Keep the command prompt open.

-- Navigate to C:\Windows\System32\Wbem\Repository
Then, either delete the Repository Folder or, better yet, Rename it to Repository_OLD

-- Go back to your command prompt and type: net start winmgmt ENTER and close the prompt.

Give it some time to rebuild and you ought to be good to go.

Cheers :)
PP

jonsca commented: Thanks for the suggestions! +1
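The WMI repository rebuild described in the reply above, as an added PowerShell example (not from the thread and not PhilliePhan's own code). It follows the same three steps (stop winmgmt, rename Repository, start winmgmt) but first checks whether WMI is actually broken, renames with a timestamp instead of deleting so the old repository can be put back, and verifies afterwards that WMI answers a query again. It assumes an elevated Windows PowerShell session on Vista or later; the Test-WmiHealthy helper and the 60-second wait are the script's own.

```powershell
# Added example (not from the thread): rebuild the WMI repository with checks
# around the stop / rename / start sequence. Assumes an elevated session.
#Requires -RunAsAdministrator

$repo = Join-Path $env:SystemRoot 'System32\Wbem\Repository'

function Test-WmiHealthy {
    # Returns $true when a basic WMI query succeeds, $false otherwise.
    try {
        $null = Get-WmiObject -Class Win32_OperatingSystem -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

if (Test-WmiHealthy) {
    Write-Host 'WMI answers queries; no rebuild needed.'
    return
}

# Stop the WMI service (and anything depending on it) before touching the folder.
Stop-Service -Name winmgmt -Force -ErrorAction Stop

# Rename rather than delete so the old repository can be restored if needed.
$backup = "Repository_OLD_$(Get-Date -Format yyyyMMddHHmmss)"
Rename-Item -Path $repo -NewName $backup -ErrorAction Stop
Write-Host "Old repository renamed to $backup"

# Start the service; WMI recreates the repository and rebuilds it from the
# .mof files under Wbem over the next several minutes.
Start-Service -Name winmgmt

Start-Sleep -Seconds 60
if (Test-WmiHealthy) {
    Write-Host 'WMI is answering again.'
} else {
    Write-Warning 'WMI still not answering; give it more time or restore the backup folder.'
}
```

On Vista and later the built-in `winmgmt /verifyrepository`, `winmgmt /salvagerepository` and `winmgmt /resetrepository` switches do the same job with less manual handling, so try those first and keep the manual rename for the cases where they fail.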
PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for the reply, and I really appreciate you helping me even with all the work you gotta do :).
I'm going to go ahead and say it's safe to use:
"I'm reasonably satisfied that the BETA is safe for use by forum helpers."

Happy to help - my worry is that I'll get sloppy when pressed for time and miss something.


Anyhoo, that log looks OK to me outside of a couple things.
I do not know what these are:

c:\windows\system32\dpunicor.dll
c:\windows\system32\fbhco.dll
RightClick on these and see what property and version info is listed, if any. You'll need to have the Viewing of Hidden Files enabled to see them, if not already enabled.

Better yet, go here ---> and use the Browse Button at the top of the page to navigate to each of those items and Submit them for analysis. Let me know what you find. If even one scanner reports malware, let me know.

S2 7abs3rho7;nmahnds;"c:\program files\Common Files\tya62hfb\zmaodn92.exe"
I think this might be related to Viewpoint foistware, but not sure.
You'll need to check the Folder as well - what else is in that folder?


It looks as though TDSSKill "cured" the infected atapi.sys, but I'd like to do this anyway:

-- Download the attached File.zip and extract the contents to the Desktop

If you don't still have this on hand, download The Avenger …

PhilliePhan 171 Central Scrutinizer Team Colleague

Do you think I'll be fine using the "CF Beta"?
http://twitter.com/BleepinComputer

That's your call.

I'm sure sUBs would not release it at this point unless he was confident it was working properly - but again, there are no guarantees.

I would still like to get a handle on what exactly is still infected here as the various logs tell a varying story.

-- There is no rush on my end as I am pretty swamped with work these days. Ball's in your court - if you want to go ahead with kittyfix, it's up to you.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks. In the meanwhile, I want to throw out that I'm still constantly getting a "virus" found in C:\system restore (75% of the time), or in the C:\ drivers.

That is to be expected. Once we get this sorted out, we'll flush System Restore. Just ignore that for now - not going to hurt anything and it's good to have a restore point on hand if needed. Even an infected one.
Atapi.sys and others are probably still infected - that's where the drivers folder comes in. We'll need to replace the infected drivers. Combofix will usually do this, though we might have to DL fresh copies of the infected drivers.

And also, 75% of the time I open IE7 (I thought it was 8) I get a popup "ad.yieldmanager.com". It's blank, though, and IE7 said pop-up blocked.

I wouldn't worry about that at the moment - bigger fish to fry....

Edit: Are there any programs that stand out as "Uninstall now!!"?
http://img.photobucket.com/albums/v439/Tug_bran612/programs.jpg

Remove Adobe Reader 7 and then update to Adobe Reader 9 for better security.
http://www.adobe.com/products/reader/

Remove J2SE Runtime 5.0 and Java 6 Update 7

Leave Java 6 Update 17 alone - that is the one you want to keep right now.

PP:)
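As an added example (not from the thread and not PhilliePhan's own code), the program-list pruning described above can be scripted on a modern Windows host. This PowerShell reads the Uninstall registry keys that Add/Remove Programs is built on, lists every Java/J2SE entry with its version, and flags all but the newest for removal, which is the same "keep the latest, drop the rest" rule the replies apply. It assumes Windows PowerShell 3.0 or later and that each entry carries a DisplayVersion value; entries that lack one are sorted to the bottom.

```powershell
# Added example (not from the thread): inventory installed Java runtimes from
# the Add/Remove Programs registry keys and flag every one except the newest.
# Assumes Windows PowerShell 3.0+ on a 32- or 64-bit host.

function Get-InstalledJava {
    # Both Uninstall hives are read so 32-bit JREs on a 64-bit OS are not missed.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(J2SE|Java)' } |
        ForEach-Object {
            # DisplayVersion looks like 6.0.170 for "Java(TM) 6 Update 17";
            # anything unparsable (or missing) becomes 0.0 so it sorts last.
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $(try { [version]$_.DisplayVersion } catch { [version]'0.0' })
                Uninstall = $_.UninstallString
            }
        } | Sort-Object Version -Descending
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) { Write-Host 'No Java runtime found.'; return }

# The newest entry is the one to keep; every older runtime is a stale,
# unpatched copy that should be removed through its own uninstaller.
$newest = $java[0]
Write-Host "Keep:   $($newest.Name) ($($newest.Version))"
foreach ($j in $java | Select-Object -Skip 1) {
    Write-Host "Remove: $($j.Name) ($($j.Version))"
    Write-Host "        via: $($j.Uninstall)"
}
```

The script only reports; the UninstallString it prints is what Add/Remove Programs itself would run, so the operator stays in control of each removal. The same registry walk works for any other product family by changing the regular expression.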

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for the reply...but

Yeah - that happens now and then. Usually due to a bad interaction with a piece of malware. Not sure if that's the case this time as I was away from compy for much of the weekend.
Go ahead and delete your current copy of combofix - no reason to have that on hand.

Guess we'll have to wait until sUBs addresses the issue and makes it available again.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Still at work =\, but do you know how I got this? Like, I thought the antivirus/anti-spyware/etc. was doing the job. Would you care to look at my program list and tell me what I should get rid of?

It is hard to say how you got infected - looks to me as though much was cleaned before you posted here.
A lot of times I see a ton of P2P clients/apps on infected compys. Also, could be some sort of "drive by" download.

We can have a look at updating/removing stuff once we get this sorted out.

Volume in drive C is PRESARIO
Volume Serial Number is

CMD said file is not found.

That is odd, since combofix noted it was infected. We may need to download new copies if they have been removed.


Let's try this again and see what shakes out:

Please Delete your current copy of Combofix
Then follow the instructions in the link below as you did before to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Make sure all AV and anti-spyware are temporarily disabled for the run. Please post me the log.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I double-clicked the EXE and ran it instead of going into CMD and running it. I thought I was supposed to copy what you typed and paste it in the program you posted.

Ok - it ran and cleaned the first time through. The only difference between that and the command I posted was the log output.

The second run was clean, so we're good there.

But once I'm in the Recovery Console, what do I want to do there?

Hold off on that for now and let me see that Look.txt from previous post.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Uhh, also I ran this wrong and re-ran it >< I don't know if that's the original log.

How did you run it wrong? Did it prompt you to delete anything?

The log you posted is clean - otherwise it would have shown something like "atapi.sys is infected by TDSS rootkit" and then cured it.

-- Please open a command prompt START > RUN > type cmd ENTER
At the prompt, type dir /a /s "iaStor.sys" >C:\Look.txt
and hit ENTER.

Please post me the Look.txt.

Also, you never told me if you tried the Recovery Console and the fixmbr command.


PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I just want to say here and now, I really appreciate the help. And no problem in posting late... at least it's not like a regular forum where people read it and no one helps. This really is a nice forum.

There are a lot of good forums, but most are overwhelmed with requests for help and have few regular volunteers. Factor in the holidays and you might have quite a wait.
I have a friend who runs the malware forum at another site and, while they offer excellent advice, they run 2-3 days between replies....

I copied the first one in CMD, but it said it couldn't find the second one, though, but I carried on.

That's what I figured - we'll need to look for it. Probably need to come up with two uninfected copies.....

-- Did you try the Recovery Console and fixmbr? We'll have to do that again once we get rid of the modified files.

Then i left my computer running, and came back to this screen.
http://img.photobucket.com/albums/v439/Tug_bran612/found-1.jpg

That is not surprising - we may need to download a clean copy.


Let's first try whacking at this with a different tool:

Please download TDSSKiller.zip and Extract TDSSKiller.exe from the ZIP to your Desktop.
-- Click START > RUN and type or Copy&Paste the following command into the Run Box and hit ENTER:

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\LogIt.txt -v

Let the tool run. …

PhilliePhan 171 Central Scrutinizer Team Colleague

Sorry for the late reply - really tied up with work these days.

Please try the following:

Click START > RUN > type cmd and hit OK
At the prompt Copy&Paste the complete text in Red below and hit ENTER:

Copy C:\windows\ServicePackFiles\i386\atapi.sys C:\

Then, with the command prompt still open, do the same for this one:

Copy C:\windows\ServicePackFiles\i386\iaStor.sys C:\


NEXT:
Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight Everything in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\iaStor.sys | C:\windows\system32\drivers\iaStor.sys
C:\atapi.sys | C:\windows\system32\drivers\atapi.sys


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

THEN:
Reboot into the Recovery Console (you should now have the option to select that option on reboot).

-- At the command prompt, type fixmbr and hit ENTER.

Then reboot to Normal Windows and …

PhilliePhan 171 Central Scrutinizer Team Colleague

Any help would be greatly appreciated

Do you have any reason to suspect malware?


Let's try this:
-- Download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.


I or another volunteer will check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

IE8 is working, but sometimes when I open it, I get some popups and sometimes it opens my C drive?

Well . . . That combofix log is ugly. You have some nasty rootkitted malware. Probably not responsible for the IE8 issues since other browsers work, but definitely more serious and worrisome....

  • Do you have your Windows CD?
  • Are you able to make backups of your important data (music / pictures / work product and the like)?

You should keep this computer offline as much as possible and, if it is part of a network, disconnect it from the network until it can be cleaned.

I'd like to have a more detailed look at some things:
Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

  • DoubleClick the .exe file and, if asked, allow the gmer.sys driver to load.

    • When GMER opens, it should automatically do a quick scan for rootkits.
    • When the quick scan finishes, click the Save Button and save the scanlog to your Desktop as GMER One.
  • If upon running GMER you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

  • Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
  • Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:

    • Sections
    • IAT/EAT
    • Drives or Partitions other than your Systemdrive (usually C:)
    • Show All (be sure this …
PhilliePhan 171 Central Scrutinizer Team Colleague

I'm pretty sure I have a virus/malware of some sort.
I cannot get IE to work, some programs I can't update (or connect to the internet). Thing is, I can't find anything that's wrong with the computer. Several scans show nothing, but I wish I could go into safe mode and scan there... but I can't =\

Well, there is some malware showing in that log, so let's try this:

If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Follow the instructions in the linky very carefully to run it and then post the combofix log for me.

Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Will try to check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

:( Anything I can do to get this thing eliminated? I looked at the stickies, and tried running those programs, but no luck. I also can't go into safe mode. It just restarts.

Sorry for the lack of replies - it's the holidays and most of the regular volunteers are pretty busy. That and most IE8 issues are hard to track down if not obviously due to malware....

Not sure about your IE8 issues.
If IE7 works OK, the IE8 troubles are probably not malware-related.
Did you try reinstalling it? Seems to be a lot of this going around.

Honestly, while this is not a solution, go with Firefox or Opera - Both are much better browsers.......

I'd be more worried about not being able to get into Safe Mode at this time.
Were you infected with malware recently?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hopefully though there won't be a next time!

^^^What she said!!

Actually, though, in your case I think a reformat was the right way to go - I was just a bit leery of the homemade XP CD.

Glad it all worked out OK :)

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

yes it is

Do you have a utility on the compy to burn recovery media from this partition? It would probably be START > All Programs > Tools or Accessories, if not obvious....

That would be best, if you are unable to do a system recovery from that partition.

PhilliePhan 171 Central Scrutinizer Team Colleague

D is a partition. Do I set it up the same as the C partition? I just need to know this last thing, then it's go time.

Do you need a second partition?

Is d:\ your original recovery partition?

PhilliePhan 171 Central Scrutinizer Team Colleague

Yeah, I have my product key, and let's say I try my disk and something goes wrong. Could I still buy a CD, or could the damage be so bad that my PC is ruined for good?

You're not going to ruin anything. Worse comes to worse, you can buy a legit OS CD and use that.
All you are doing is wiping the hard drive - no worries. If you run into problems with your current CD, wipe the HD again and use the new Windows CD.

Could you recommend a good free anti-virus program? Also, I noticed the site had nothing to say about my D drive. Couldn't malware hide in there? What am I supposed to do about that?

Try Comodo AV + Firewall

Is D:\ a separate drive or partition? If partition, wipe it. If separate drive, scan to be sure it is not infected.

The Boot and Nuke site said I should use Eraser for Windows. Is this necessary to remove the second copy of Windows?

Where does it say that?
If you run DBAN, it will wipe the drive and everything on it - doesn't matter how many copies of Windows are on it......

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

To answer your question, yeah, I can burn an ISO on this computer, of course not the ill one.

I'd rather try a bootable recovery console, than the homemade XP CD, to be honest. Very leery of that.
With the recovery console, we could repair MBR and Boot.ini.
Unfortunately, my time is very limited these days.

Still, a reformat is the right way to go here, but, without a true Windows CD, the potential for error(s) is great.

-- Do you have a copy of your Windows Product Key? You'll need that.

And as for safe mode, last week or a little later I tried to go into safe mode and my computer restarted itself. I tried a few more times with the same result, so that's a no go.

I would've liked to know that a few days ago ;)
If combofix had run successfully, it'd have told us if the safeboot key was borked....

When all this started I figured I might have to reformat my drive, and I saved some stuff: movies, mp3s, a bunch of pictures (some packed in rar and cbr format), and some programs. Can viruses, malware, whatever hide in those files? I already know they can hide in the programs; I'm not going to use any of those, but what about the other stuff?

Your movies / mp3s / pictures are probably OK. You have to be careful copying executables and such.

Given that you copied i386 …

PhilliePhan 171 Central Scrutinizer Team Colleague

Hang on for a bit and let me go over the thread and try to answer those questions :)

Will post them shortly.

PhilliePhan 171 Central Scrutinizer Team Colleague

Seems so, I won't know what to do with myself now, lol ... it is kinda sad :(

HA! I know - same here!
Hey - at least I learned some things along the way about Vista and Laptop touchpad sensitivity....... I'm sure they will come in handy down the road for people with similar issues!

Email (here or look on my blog info) me about the Christmas card and thank you again for all your time and patience. You have been very gracious. :)

I sent you a PM with my info.

You're quite welcome - I enjoyed the challenge!

Merry Christmas :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I feel kinda dumb. ;) Thank you!

Well . . . . I didn't think of it either . . . .

Happy to have been of service :)

I feel a tinge of regret in saying this, but it appears the Ulysses of Daniweb threads has come to a close. (unless an unaddressed issue remains)

What do you think? Should we mark this one as "solved?"

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

What anti-virus software are you using? Also what operating system?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:31:46, on 29/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe. . . . . .

C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe


:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Just recently I lost the ability to go into safe mode.

-- What do you mean by that - what happens when you try?
(tap F8 on restart)

-- Don't panic just yet :)
While a reformat is generally best in these cases, I suspect you may run into problems without the proper Windows CD.

-- Are you able to burn an ISO for a bootable CD?

PP

PhilliePhan 171 Central Scrutinizer Team Colleague

you have been extremely helpful and very House M.D. like and I thank you, it is working much better than it was :)

You're welcome :)

-- I was talking to a friend and she mentioned she had a similar problem with her laptop cursor jumping around and it was due to her touchpad.
In your control panel / mouse settings, do you have the option to disable the touchpad when typing?
Or, maybe try TouchFreeze
See if that makes any difference.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

IT WAS AT 17 HOURS. Is this normal?

Yes - That is normal. No worries. Just let it run and delete the baddies it is unable to neutralize.

-- Can you attach that Zip from AVPTool for me please.

Since combofix can't run and MBAM can't remove the baddies, I thought AVPTool would be the next best option.
If it doesn't get them, we'll have to manually remove them with an ARK tool.

-- When Judy had you run combofix the first time, did you install the recovery console?
-- Did you look in the Qoobox folder for combofix.txt?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, I got the log, but before I get to that I've got a few questions. I've been looking around the net, and a few people with problems similar to mine have been told to disable System Restore because it could save infected files.

That is not the proper procedure. We like to operate under the assumption that "an infected restore point is better than none at all" in the event that the repair process goes awry and we need to take a step back.
We flush System Restore AFTER the repair process is complete.
-- Also, many of the cleaning tools we use will set restore points before they run for this very reason.

And also, I noticed more than a few files camp out in my Temporary Internet Files folder. Couldn't I just delete everything in the folder to make sure everything is gone?

Sure - or use a tool such as CCleaner or ATF-Cleaner....

I've spotted some suspicious stuff in the root of my c:/ drive, like a folder called qoobox, another one called pkbtemp with a 16 MB text file called syskeys, a file named w2ksect.bin and a hidden file named iph.ph w2ksect.bin. Now to the log; this was before I removed the infections.

Qoobox is a component of Combofix.
PKBTemp and Syskeys are components of FindWPP - they should have been deleted when you closed the logfile. You can safely delete those now.
w2ksect.bin is probably a component of …

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, I did what you said and my computer still freezes when I connect to the internet, and I still can't run combofix. Here's the Avenger log.

Did you reboot and try combofix?



If that doesn't work, let's try another powerful tool:

Please Download Kaspersky's AVP Tool

-- Save AVP Tool to your Desktop.
-- DoubleClick the AVP Tool setup file to run it.
Follow the prompts and it should install to your Desktop Folder
-- AVP Tool will open.
-- Click the Manual Cure Tab
-- Click the Gathering system information Button and let it run
-- When it finishes, click the link “Open folder” to access the folder where the report is saved.

Please save the log and post it for me.


THEN:
Please select the Automatic Scan Tab
Be sure the following boxes are checked:
• System Memory
• Startup Objects
• Disk Boot Sectors.
• My Computer.
• All other drives

-- Please click the Scan Button.
AVP Tool should Neutralize any objects it finds. If some are left un-neutralized, Click the Neutralize All button.
Note: If an object cannot be neutralized, select DELETE at the prompt.

When finished, please click the Reports Button and save the log where you can find it easily.

Please post that for me.

Also, let me know if …

PhilliePhan 171 Central Scrutinizer Team Colleague

It has gone crazy, plugging my son's keyboard in and it worked initially, then did the same thing.
C:\Windows\Users\Auberey\AppData\Local\temp\Setup.exe
yesterday some of the tabs in my website program stopped working and it made me use keyboard shortcuts, then it quit letting me type at all so I restarted it and it was working ok, but it did the same thing this morning.

What's the setup.exe from?

At this point, I am not sure what to tell you - there are so many different areas to investigate that it would not really be feasible to do that in a forum setting.
The first thing I would look at would be the driver(s). Update/reinstall them.
Also, if it only occurs within a browser, I'd reinstall that as well.

Sorry I can't be more helpful - does House M.D. diagnose computers?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK - Let's have a whack at this AVG:

Please download the attached RemAVG.zip and extract RemAVG.reg from the Zip to your desktop.
-- DoubleClick on RemAVG.reg and allow the contents to merge into the registry.

That ought to take care of that.

-- Any progress with the keyboard?

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

OK, I stopped svchust and entered the command. Here's the log.

Great!

Now, do the Avenger step from post #57 and see if combofix will run.

Let me know how you fare.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I am going to be away from the computer for a while, so I'll assume you were able to copy atapi.sys to C:\atapi.sys as in post #56.


If it is not still on the ill machine, please download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight Everything in Red below and copy it using Ctrl+C or RightClick > Copy:



Files to delete:
C:\WINDOWS\svchust.exe

Files to move:
C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

** If you have to type the commands, please note the spaces.

If Avenger runs successfully, please give combofix another go. See if you are able to download a new copy via the ill computer now.

If you ARE able to download a fresh copy, do this:

If you already have Combofix on the ill machine, DELETE it.

Then follow the instructions …

PhilliePhan 171 Central Scrutinizer Team Colleague

I haven't tried this, but I know where my i386 is. Couldn't I just overwrite the bad atapi.sys file from there myself?

It may not allow you to do so. No worries - we'll do it a different way.

-- Open task manager and see if you can stop svchust.exe from running. Note the spelling.
Let me know.

-- Also, try this at command prompt:
EXPAND C:\WINDOWS\I386\atapi.sy_ C:\atapi.sys

if that doesn't work, try:
COPY C:\WINDOWS\I386\atapi.sy_ C:\atapi.sys


PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I've got to run, so I'll assume you can get a command prompt.

Let's do this:

Open a command prompt and type the following exactly as I have posted it. Copy and paste would be better so you don't miss any spaces. (If C&P is not an option on the ill machine, you might want to copy and paste to Notepad on your working machine so you can see the spaces better before typing them.)
Obviously you want to hit ENTER after each line and, if prompted to delete or allow over-write, say yes. Let me know of any errors that come up:

TSKILL "svchust" /A

DEL /F C:\WINDOWS\svchust.exe

COPY C:\WINDOWS\I386\atapi.sy_ C:\WINDOWS\system32\drivers\atapi.sys

Now, see if Combofix will run. If not, try MBAM. If either runs, please post the log. Be sure to update MBAM before running, if possible.

If neither runs, REBOOT the ill machine and then try to run them again.

Let me know how you fare - I'll check back as time permits.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Here's the log.

Well . . . I need to update that a bit LOL!

Anyhoo, I think it shows enough to get started.


Are you able to get a command prompt on the ill computer?
START > RUN > Type cmd OK

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Did it again, and that was it...

Great - I'll post some removal steps late tonight or Monday to remove the AVG stuff from registry.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Should I do the Grisoft thing again?

Please do.

It will make removing it easier (yeah - I know I'll probably regret saying that.....)

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

PhilliePhan to the rescue!!!!

LOL!
I was trying to reply the other day, but I couldn't access the thread - got some sort of phpbb error (I think) . . .

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

[HKEY_USERS\S-1-5-21-4215972033-1050644244-1932678965-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List]
"File1"="C:\\Users\\Auberey\\Documents\\regedit for Grisoft.txt"

Is that the whole thing?

I figured there'd be more - no worries if not.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Wow! Very impressive.

Well . . . Unfortunately it is not very lucrative at the moment :)

Which is why I was so happy to find Daniweb and that you and Crunchie were/are so willing to help.

Luckily for you, we are not nearly as overwhelmed as some other forums.
I have a friend who runs a popular forum and they are currently running 3-4 days between replies. At that pace, this thread would take a year to complete :)

Let's do this for the old Java:

Please download JavaRa.zip to your Desktop and Extract it to its own folder.

-- Make sure ALL browsers are CLOSED.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

Can you explain how a program can just block me from the internet, and how to unblock it? I think I would have a better chance of success if I could run more than potentially outdated malware and spyware.

There are a number of different ways malware accomplishes this. Lately, modifications to legit files along with some rootkitted components seem to be the method of choice.

In your case, atapi.sys has been modified. We will need to address that as well as some other changes in order to allow combofix and MBAM to run.

I do not have a lot of time, but I'll try to get you guys back on track - these issues can sometimes be a bear. Sometimes they do not end well - If you are able, I suggest backing up important data (pictures / music / work product) if you have not done so already.

PP:)
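The reply above says atapi.sys "has been modified". The practical way to confirm that, and to see how much of the driver was touched, is to compare the installed file against a known-good copy, which on this thread would be the one expanded from C:\WINDOWS\I386\atapi.sy_ with the EXPAND command given earlier. Here is an added example (not from the original thread) that does that comparison: it hashes both copies and, when they differ, reports the byte ranges that changed. A whole-file replacement from a legitimate update differs almost everywhere; a patched driver typically shows one short changed run and sometimes an appended tail. The sample byte strings are constructed so the example runs offline; `compare_files` is the helper you would point at the two real paths.

```python
"""Compare a suspect system file against a known-good reference copy.

Added example, not the original thread's code. On the thread the two inputs
would be C:\\WINDOWS\\system32\\drivers\\atapi.sys (suspect) and the copy
expanded from C:\\WINDOWS\\I386\\atapi.sy_ (reference); the byte strings
below are constructed stand-ins so the example runs anywhere.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class CompareResult:
    identical: bool
    reference_sha256: str
    suspect_sha256: str
    size_delta: int                                   # len(suspect) - len(reference)
    ranges: list[tuple[int, int]] = field(default_factory=list)  # [start, end) byte ranges that differ


def compare_bytes(reference: bytes, suspect: bytes) -> CompareResult:
    """Hash both copies; if they differ, locate every contiguous run of changed bytes."""
    ref_hash = hashlib.sha256(reference).hexdigest()
    sus_hash = hashlib.sha256(suspect).hexdigest()
    result = CompareResult(ref_hash == sus_hash, ref_hash, sus_hash,
                           len(suspect) - len(reference))
    if result.identical:
        return result
    common = min(len(reference), len(suspect))
    start = None
    for i in range(common):
        if reference[i] != suspect[i]:
            if start is None:
                start = i                 # a differing run begins here
        elif start is not None:
            result.ranges.append((start, i))
            start = None
    if start is not None:
        result.ranges.append((start, common))
    if len(suspect) != len(reference):
        # Bytes present in only one copy (an appended or truncated tail) form one more range.
        result.ranges.append((common, max(len(reference), len(suspect))))
    return result


def compare_files(reference_path: str, suspect_path: str) -> CompareResult:
    """Same comparison on two files on disk (the real-world entry point)."""
    with open(reference_path, "rb") as f:
        reference = f.read()
    with open(suspect_path, "rb") as f:
        suspect = f.read()
    return compare_bytes(reference, suspect)


def report(result: CompareResult) -> list[str]:
    """Lines suitable for pasting into a forum reply."""
    lines = [f"reference sha256: {result.reference_sha256}",
             f"suspect   sha256: {result.suspect_sha256}"]
    if result.identical:
        lines.append("VERDICT: identical")
        return lines
    lines.append(f"size delta: {result.size_delta:+d} bytes")
    for start, end in result.ranges:
        lines.append(f"differs at 0x{start:X}-0x{end:X} ({end - start} bytes)")
    lines.append("VERDICT: modified")
    return lines


# Constructed sample images; these are NOT real atapi.sys bytes.
REFERENCE = bytes(range(256)) * 4                  # 1024 bytes of "known good" content
_patched = bytearray(REFERENCE)
_patched[0x1F0:0x1F8] = b"PATCHED!"                # 8 bytes overwritten in place
_patched += b"\x00" * 32                           # 32-byte tail appended
PATCHED = bytes(_patched)

if __name__ == "__main__":
    for line in report(compare_bytes(REFERENCE, PATCHED)):
        print(line)
```

On the constructed input the report shows a single 8-byte run at 0x1F0 plus a 32-byte appended tail, the shape of an in-place patch rather than a version change. Note that a hash match against the i386 copy only proves the installed file equals that cached copy; if the reference itself is newer or older than what Windows Update last installed, a mismatch is expected and is not by itself proof of tampering.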

PhilliePhan 171 Central Scrutinizer Team Colleague

Nope, nothing is better. It just won't go away, and when I connect to the internet my computer slows wayyyyyy down or freezes. I hate this.

Are you able to download the attached FindWPP.zip and Extract the FindWPP Folder from the ZIP and place it on your ill computer?

If so, do that and then open the FindWPP Folder and run RunThis.bat (DoubleClick it).

Let it run for as long as it needs. A log will pop up - please post it for me.

PP:)