system fix still winning HELP!


This topic is locked. 10 replies to this topic.

#1 brainfog (New Member, 3 posts)

Posted 29 November 2011 - 06:04 AM

First let me say that calling me a newbie would be a kindness. The best that I can say is I'm tenacious.
After sending out an SOS to the resident geek, the best he could do was install Webroot. He removed some
problems and I was left with it doing a deep scan. No threats found. I did 4 more scans. No desktop
icons, empty folders, no administrative tools. I did a file search on System Fix, deleted the files found,
still could not delete the desktop window. Did a file search for Internet Explorer and started searching
for System Fix help. Found a site that gave a cracked registration key and fake email to register the
System Fix. This worked and they thanked me for my purchase. At which point some of my programs returned.
None of my PC tools returned, no System Restore or anything. I think most of my document folders returned; My Pictures
returned. NONE of my desktop icons returned.

I downloaded and ran Kaspersky TDSSKiller per a previous post, changing the parameter, and it found 191 objects, which I had to skip all. I don't know where my root directory is; I am searching my files and folders on the C drive. I can't seem to copy and paste from the actual report. I am having to look for the file for Mozilla or Internet Explorer and launch from that to access the internet. As you can see I have very little knowledge, just a desperate drive to fix this. I need to resolve this in the next 36 hours so I have time to meet the deadline of an important project.

I need step-by-step instructions in as simple language as possible. Also tell me which mode to perform the instructions in: safe mode or regular. Thanks!

Back again. I rebooted and lost all files in Documents, and lost the ability to find TDSSKiller; now I see
that although many file names are in Programs, they are empty. I downloaded TDSSKiller again
and ran another scan in safe mode; it showed 131 threats. My options were skip, delete, or
copy to quarantine. I skipped. Attached is the report. Any help???

Attached Files



#2 Elise (Forum Deity, Experts, 8,721 posts, Romania)

Posted 29 November 2011 - 02:50 PM

Hello and welcome!

First of all, let's see if we can make your files visible again. Please download and run unhide.exe and let me know if that worked.


We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

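What unhide.exe undoes, written out as an added PowerShell example. This is not code from the thread and not the unhide.exe tool itself: System Fix and similar rogues set the Hidden attribute on the user's files and folders so the desktop, Documents and the Start Menu look empty, and the fix is to clear that one bit again. The script clears Hidden on everything under the given roots but skips items that are also marked System (desktop.ini, ntuser.dat, the Recycle Bin folder), on the assumption that only Windows itself marks files System+Hidden. The default roots, the System-skip rule and the -WhatIf switch are assumptions for this example. It needs PowerShell 2.0 or later, which is built into Windows 7 but a separate install on XP.

```powershell
# Added example: undo the Hidden attribute that the System Fix rogue sets on user files.
# Assumptions (not from the thread): roots default to the current user's profile and the
# All Users profile; anything that also carries the System attribute is left alone.
param(
    [string[]]$Roots = @($env:USERPROFILE, $env:ALLUSERSPROFILE),
    [switch]$WhatIf      # only list what would change, touch nothing
)

$hidden = [System.IO.FileAttributes]::Hidden
$system = [System.IO.FileAttributes]::System
$changed = 0

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # -Force is required: without it Get-ChildItem itself skips hidden items
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band $hidden) -ne 0) -and (($_.Attributes -band $system) -eq 0)
        } |
        ForEach-Object {
            if ($WhatIf) {
                Write-Output "Would unhide: $($_.FullName)"
            } else {
                # Hidden is known to be set here, so XOR clears exactly that bit and
                # leaves ReadOnly, Archive and the rest untouched
                $_.Attributes = $_.Attributes -bxor $hidden
                $changed++
            }
        }
}

Write-Output "Cleared the Hidden attribute on $changed item(s)."
```

Run it once with -WhatIf first to see the list, then without. The same job from a plain command prompt is the classic `attrib -h "C:\Documents and Settings\<user>\*" /S /D`; attrib likewise refuses to touch files that are also marked System unless -s is given, so the System-skip behaviour matches.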


#3 brainfog (New Member, 3 posts)

Posted 29 November 2011 - 08:54 PM

Thank you for your help. I was able to get my document folders and desktop icons back. Although I have
program names, they are still empty and I am unable to print. I did everything you said; however,
the DDS program would not go to the desktop, so I had to run it from the download, so I did not delete it from
the desktop. Below are the two reports.

Attached Files



#4 Elise (Forum Deity, Experts, 8,721 posts, Romania)

Posted 30 November 2011 - 02:39 AM

Hello again, unfortunately the content of the start menu programs has been deleted by the rogue. You'll need to recreate this. Part of it will be recreated by running this file.

TWO ANTIVIRUS PROGRAMS
---------------------------------------
I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Webroot or MS Security Essentials.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot not reproduced]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.
regards, Elise

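A way to check the "two antivirus programs" point from the post above on the machine itself, added here as an example and not part of the thread: Windows Security Center keeps a list of registered antivirus products, and from Vista on it also reports whether each one's real-time protection is switched on. The script lists them and warns when more than one is active. Assumptions not taken from the thread: Vista and later expose the list in the WMI namespace root\SecurityCenter2, XP in root\SecurityCenter with older property names (onAccessScanningEnabled, productUptoDate), and the productState bit field is read with the commonly documented six-hex-digit layout described in the comments. Needs PowerShell 2.0 or later.

```powershell
# Added example: list registered antivirus products and whether real-time protection is on.
function Get-AvProducts {
    # Vista and later register AV products in root\SecurityCenter2; XP uses
    # root\SecurityCenter with a different property set (assumption about the XP
    # schema: onAccessScanningEnabled / productUptoDate instead of productState).
    $hasNew = Get-WmiObject -Namespace 'root' -Class '__NAMESPACE' `
                  -Filter "Name='SecurityCenter2'" -ErrorAction SilentlyContinue
    $ns = if ($hasNew) { 'root\SecurityCenter2' } else { 'root\SecurityCenter' }

    Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.PSObject.Properties['productState']) {
                # productState is a bit field; the commonly documented decoding reads it
                # as six hex digits: digits 3-4 = 10 or 11 means real-time protection on,
                # digits 5-6 = 00 means definitions current, 10 means out of date.
                $hex      = '{0:X6}' -f [int]$_.productState
                $enabled  = ($hex.Substring(2, 2) -eq '10' -or $hex.Substring(2, 2) -eq '11')
                $current  = ($hex.Substring(4, 2) -eq '00')
            } else {
                $enabled = [bool]$_.onAccessScanningEnabled
                $current = [bool]$_.productUptoDate
            }
            New-Object PSObject -Property @{
                Name               = $_.displayName
                RealTimeEnabled    = $enabled
                DefinitionsCurrent = $current
                Namespace          = $ns
            }
        }
}

$products = @(Get-AvProducts)
$products | Format-Table Name, RealTimeEnabled, DefinitionsCurrent -AutoSize

$active = @($products | Where-Object { $_.RealTimeEnabled })
if ($active.Count -gt 1) {
    $names = ($active | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "More than one antivirus has real-time protection on: $names"
} elseif ($active.Count -eq 0) {
    Write-Warning "No antivirus reports real-time protection as enabled."
}
```

This is also a quick way to see the situation brainfog describes two posts down, where a log says Webroot is enabled even though it was shut down from the tray: Security Center reports what the product registered, which can lag behind what its tray icon shows.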


#5 brainfog (New Member, 3 posts)

Posted 30 November 2011 - 09:06 AM

Did everything you said. I deleted Microsoft Security Essentials and then shut down Webroot (had to do it twice, as I got prompts from ComboFix, and it was not active in the task bar). ComboFix did prompt me to download the Recovery Console and I did. However, I noted on the log from ComboFix that it said Webroot was enabled??? Attached is the ComboFix log.
Please advise.

Attached Files



#6 Elise (Forum Deity, Experts, 8,721 posts, Romania)

Posted 30 November 2011 - 09:46 AM

That is looking a lot better! How are things running now?

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Your Adobe Reader is now up to date!


Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7u1.
  • Look for "JDK 7u1 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
regards, Elise

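The helper spots the out-of-date Adobe Reader and Java from the DDS log. The same inventory can be pulled straight from the Uninstall registry keys, shown here as an added PowerShell example that is not part of the thread or of DDS. Assumptions: product names match the patterns in the comments, and both the native uninstall hive and the Wow6432Node hive (present only on 64-bit Windows) are read. Note that the specific versions named in the post above, Reader X and Java 7 Update 1, were current in late 2011; the point of the inventory is to find every leftover old copy, since an old runtime left installed next to the new one is still reachable by a malicious page.

```powershell
# Added example: list every installed Adobe Reader/Acrobat and Java runtime with its version.
function Get-InstalledReaderAndJava {
    # Both uninstall hives; the Wow6432Node one only exists on 64-bit Windows
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $hive = if ($key -match 'Wow6432Node') { '32-bit' } else { 'native' }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Name patterns are an assumption; they are meant to cover "Adobe Reader 9.x",
            # "Adobe Reader X (10.1.1)", "Adobe Acrobat ...", "Java(TM) 6 Update 21",
            # "Java 7 Update 1" and older "J2SE Runtime Environment" entries.
            if ($p.DisplayName -match 'Adobe (Reader|Acrobat)|Acrobat Reader|\bJava\b|J2SE') {
                New-Object PSObject -Property @{
                    Name    = $p.DisplayName
                    Version = $p.DisplayVersion
                    Hive    = $hive
                    Key     = $_.PSChildName
                }
            }
        }
    }
}

$found = @(Get-InstalledReaderAndJava)
$found | Sort-Object Name, Version | Format-Table Name, Version, Hive -AutoSize

# Several Java entries side by side is exactly the "uninstall all older versions"
# situation described in the post: old runtimes stay installed next to the new one.
$javaCount = @($found | Where-Object { $_.Name -match '\bJava\b|J2SE' }).Count
if ($javaCount -gt 1) {
    Write-Warning "$javaCount Java runtimes installed; remove all but the newest."
}
```

Run it before and after the uninstall steps: the second run should show a single Java entry and a single Adobe Reader entry.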


#7 screen317 (MBAM Sentinel, Moderators, 19,486 posts, New Haven, CT)

Posted 06 December 2011 - 02:48 PM

Are you still with us? This topic will be closed in a few days if we do not hear back from you.
Chris Fistonich
Research Team


#8 Abion355 (New Member, 3 posts)

Posted 06 December 2011 - 04:21 PM

> Are you still with us? This topic will be closed in a few days if we do not hear back from you.


Please don't close. I have the same issue and have followed the steps. I seem to be getting the same results, e.g. running unhide.exe and seeing items on the desktop but not seeing all the folders.

I have run dds.scr and have the logs. I'm about to try combofix. Any further help would be appreciated.

Thanks

#9 Abion355 (New Member, 3 posts)

Posted 06 December 2011 - 05:34 PM


Just so you know, I ran ComboFix but it appeared to crash with a blue screen warning message. I rebooted the computer and it started up OK; the desktop appeared with all my files. I quickly ran RKill to stop the "System Fix" problem, but on checking my iTunes folder everything was back!! Music, photos, everything. The only issue appears to be no internet access, but to be honest that's the least of my worries.

Whilst I didn't get a direct response from anyone I appreciate the fact that you leave posts active for people to view.

Thanks

#10 screen317 (MBAM Sentinel, Moderators, 19,486 posts, New Haven, CT)

Posted 06 December 2011 - 05:35 PM

Abion355,

Please start your own topic and I promise someone will help you.

#11 screen317 (MBAM Sentinel, Moderators, 19,486 posts, New Haven, CT)

Posted 06 December 2011 - 05:35 PM

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!



