Solved: Malware Mess has had me stumped for 3 days!

willymacmusic (Junior Member, 24 posts; Join Date: Dec 2006; Experience: Intermediate)
22-Oct-2009, 07:47 PM #1
Malware Mess has had me stumped for 3 days!
Originally infected with Antispyware Pro 2010. All attempts to load Spyware Doctor were cut short by AP2010.
Attempted to manually uninstall AP2010, but many of the steps listed included files or processes that were not found on this system.
Did incur ntuser.dll errors, as well as bafoline.dll errors.
Eventually was able to load and register Spyware Doctor in Safe Mode and ran the initial scan in Safe Mode (Not Recommended).
After running Spyware Doctor over and over, it was appearing that the Antivirus Pro virus had been eliminated.

Once it appeared that the system was operating stably, I installed and registered PCTools Registry Mechanic and optimized the system registry. This went O.K., and it appeared that my old pal Spyware Doctor had lived up to its reputation.

To ensure no further invasions, I set the Spyware Doctor to run an Intelli-Scan upon system boot up.
The first time I rebooted, the scan detected a few cookies, a medium level and a high level trojan threat. Of course, I opted to fix these infections, and was informed that the infections had successfully been removed, but a system reboot was needed to completely remove one of the infections.

Now, every time I reboot the computer ...

---------------------------------------------------------- SPYWARE DOCTOR -------------------------------------
Run Spyware Doctor Intelli-Scan

Scan Results
There are 1 threat(s) and 11 infection(s) in your computer
Threats - High - Trojan.Generic (11 infections)

Process
-alg.exe (\\?\globalroot\Device\_max++>\C5310A00x86.dll)
-TFService.exe (\\?\globalroot\Device\_max++>\C5310A00x86.dll)
-pctsSvc.exe (\\?\globalroot\Device\_max++>\C5310A00x86.dll)
-jqs.exe (\\?\globalroot\Device\_max++>\C5310A00x86.dll)
-jusched.exe (\\?\globalroot\Device\_max++>\C5310A00x86.dll)
-spoolsv.exe (\\?\globalroot\Device\_max++>\C5310A00x86.dll)
-svchost.exe (\\?\globalroot\Device\_max++>\C5310A00x86.dll)
-svchost.exe (\\?\globalroot\Device\_max++>\C5310A00x86.dll)
-svchost.exe (\\?\globalroot\Device\_max++>\C5310A00x86.dll)

File
Trojan.Generic detected in \\?\GLOBALROOT\DEVICE\_MAX++\C5310A00X86.DLL
-----------------------------------------------------------------------------------------------------------------------------------

Click on [Fix Checked] - Congratulations, all infections successfully removed!

Reboot required - reboot now? - click [Yes] (note: Spyware Doctor is currently set to perform intelligent scan on system boot)

System appears to reboot normally...

Spyware Doctor initializes Intelli-Scan (as predicted)

@ 76% Total Progress, Trojan.Generic Threat is detected with 11 infections.

Allow scan to complete. Upon completion, the system scan screen appears to enable initiating a scan, but the errors are no longer reported.

Hovering over the icon in the system tray does reflect 11 infections.

Having performed this vicious circle several times already, I'll move on to the next phase of troubleshooting... AVG 9

-----------------------------------------------------------------------------------------------------------------------------------
AVG 9 Installation Attempt - fail

Install avgdm90_free_0686_010.pack from USB Drive...

Error with download manager... noticed that Spyware Doctor has begun a new scan. Stop scan manually and shut down Spyware Doctor.

SD indicates reboot required (to install required updates.) Go to settings and unselect "Run Scan on Windows Startup"

Reboot... appears to have booted normally...

Shutdown Spyware Doctor... taking forever to shut down...done

retry to install AVG... select free version...
need to update Roxio... old version 5... no support... attempt to remove with control panel, but no access to the Add/Remove Programs app!

continue with AVG installation... AVG wants to uninstall Spyware Doctor. WTH, I guess I can always reinstall it.
Select [Uninstall Spyware Doctor] in AVG inst. app. and app crashes. Still unable to access the Add/Remove Programs app in Control Panel.
Manually Select [Start] [Programs] [Spyware Doctor] [Uninstall...]

Windows Security Alerts icon has appeared in the system tray

Abort AVG installation.
-----------------------------------------------------------------------------------------------------------------------------------
Malwarebytes Anti-Malware Installation Attempt

Installation complete - select to Update and Launch MAM - [Finish]
Installed properly (apparently)
Start Quick Scan... ran about 4 seconds then disappeared. No sign of program in Task Manager...
Click Desktop Icon for MAM...
Error - "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to the item."
Abort MAMB Installation!
-----------------------------------------------------------------------------------------------------------------------------------
I Give UP! I'm hoping someone can get me through this one. I've never been through this much malware, and I see a few computers! Downloaded HJT... ran setup... HJT setup app crashed! HELP ME!

I've been on this forum many times, and have contributed cash. If anyone thinks they can help me... please tell me what to do next!

Thanks for the help.... Willy Mac

willymacmusic (Junior Member, 24 posts; Join Date: Dec 2006; Experience: Intermediate)
23-Oct-2009, 04:59 PM #2
OK.

Today I managed to get the Spyware Doctor reloaded, and the System restore to allow me to have a little control of the system again.

First SD scan found tons of infections, but system reboot is required... we'll see
willymacmusic (Junior Member, 24 posts; Join Date: Dec 2006; Experience: Intermediate)
26-Oct-2009, 11:22 AM #3
Had to get away from it for a while, but it's time to fix this thing. I restarted the computer, which is automatically set to run Spyware Doctor upon start-up. This time, there were only 10 infections (in lieu of the 11 infections I was getting last week). Here are the results of the scan:
Scan Results
There are 1 threat(s) and 10 infection(s) in your computer
Threats - High - Trojan.Generic (10 infections)

Process
-alg.exe (\\?\globalroot\Device\_max++>\BDE7E0D0.dll)
-pctsSvc.exe (\\?\globalroot\Device\_max++>\BDE7E0D0.dll)
-jusched.exe (\\?\globalroot\Device\_max++>\BDE7E0D0.dll)
-jqs.exe (\\?\globalroot\Device\_max++>\BDE7E0D0.dll)
-spoolsv.exe (\\?\globalroot\Device\_max++>\BDE7E0D0.dll)
-svchost.exe (\\?\globalroot\Device\_max++>\BDE7E0D0.dll)
-svchost.exe (\\?\globalroot\Device\_max++>\BDE7E0D0.dll)
-svchost.exe (\\?\globalroot\Device\_max++>\BDE7E0D0.dll)
-svchost.exe (\\?\globalroot\Device\_max++>\BDE7E0D0.dll)

File
Trojan.Generic detected in \\?\GLOBALROOT\DEVICE\_MAX++\BDE7E0D0.DLL

Upon completion of the scan, I get the message:
Restart Required

Smart Update needs to restart Spyware Doctor in order to install new updates, do you wish to continue Yes/No

This occurs before I have the opportunity to "Fix Checked", so I have to decide whether to update or fix virus infections! Aghhh!!!

Here goes...
1. Select [No] to Restart request - Message box closes normally
2. Select Fix Checked (No Restore Point requested) - SD reports that all infections successfully removed! At this point, another message window pops up and again warns:

Reboot Required
Spyware Doctor requires a Windows Reboot to complete the removal of some infections. Would you like to reboot now?

3. Select [Yes] to Reboot Request... System appears to reboot normally, and Spyware Doctor begins its Intelli-Scan on system boot.

4. Before SD finishes Intelli-scan, the Restart Required pop-up appears - select [No]

5. This time there is 1 threat (Trojan.Generic) and 12 infections.
The File has changed to \\?\GLOBALROOT\DEVICE\_MAX++\EE5347D0.x86.dll,
...and two new processes have been added to the list, Update.exe and TFService.exe.

6. Select [Fix Checked] - Once again, the SD app says all infections successfully removed, and again the Reboot Required pop-up has returned.

I could continue this circle all week, but it isn't getting me any closer to fixing this problem.

7. Select [No] to Reboot Request. - Select [Finish] and close Spyware Doctor.

8. Load Internet Explorer and check for Windows Updates... when I attempt to go to the update page, the page can't be found... press F5 to reload the page, and I'm redirected to various other paid sites! (btbar.com, etc.) Obviously being redirected.

Finally got Automatic Updates App to pop-up for about 5 seconds, then disappear.
The update.exe process is visible in Task Manager, but if I try to End this process, it immediately returns, so I assume this is one of the infected processes detected by SD earlier.

9. Close Task Manager, and rerun SD - SD still wants to reboot, but I will re-scan first...

This time, there is one threat (Trojan.Generic) and 6 infections. The root file is still EE5347D0.x86.dll, and the processes are spoolsv.exe, pctsSvc.exe, and 3 svchost.exe processes.

Select [Fix Checked] - Same results... successful removal... reboot required.

Exit SD without rebooting.

Attempt to run HJT... program loads, looks as though the program is compiling the list, but before anything can be written, the program crashes, and it's like it never ran. If I try to re-run HJT, I get

C:\Program Files\Trend Micro\HijackThis.exe.
Windows cannot access the specified device, path, or file. You might not have the appropriate permissions to access the item.

This is very frustrating. Won't someone please give me an idea of where to turn next? I've spent many hours on this computer, and am feeling beaten for the first time! HELP!
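As an added example (not from the thread, the poster or PC Tools), a small Python parser for the Spyware Doctor process list quoted above. It correlates the three scans: the module name under \\?\globalroot\Device\_max++ changes on every reboot while the hidden device stays, which is why each "Fix Checked" cycle reports success and the detection comes straight back. The report text is constructed here from the process and DLL names the poster listed, and all function names are assumptions of this example.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

class Hit(NamedTuple):
    process: str   # process that loaded the injected module
    device: str    # device name under \\?\globalroot\Device\
    module: str    # file name of the injected module

# One "Process" line of the report, e.g.
#   -svchost.exe (\\?\globalroot\Device\_max++>\BDE7E0D0.dll)
LINE_RE = re.compile(r"^-(?P<proc>\S+?)\s+\((?P<path>[^)]*)\)\s*$")
# \\?\globalroot\Device\<device>\<file>; the report shows a stray '>' after the device name
GLOBALROOT_RE = re.compile(
    r"^\\\\\?\\globalroot\\device\\(?P<dev>[^\\]+?)>?\\(?P<file>[^\\]+)$", re.IGNORECASE)

def parse_scan(report: str) -> List[Hit]:
    """Return every process/module pair whose module lives on a hidden globalroot device."""
    hits = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = GLOBALROOT_RE.match(m.group("path"))
        if g:  # ordinary C:\ paths do not match and are ignored
            hits.append(Hit(m.group("proc").lower(), g.group("dev").lower(), g.group("file").lower()))
    return hits

def summarize(scans: List[str]) -> Dict[str, object]:
    """Correlate several scans: the device is the stable indicator, the module name rotates."""
    per_scan = [parse_scan(s) for s in scans]
    device_sets = [{h.device for h in hits} for hits in per_scan]
    persistent = set.intersection(*device_sets) if device_sets else set()
    return {
        "persistent_devices": sorted(persistent),
        "module_names": sorted({h.module for hits in per_scan for h in hits}),
        "hosts": dict(Counter(h.process for hits in per_scan for h in hits)),
        "infections_per_scan": [len(hits) for hits in per_scan],
    }

def verdict(summary: Dict[str, object]) -> str:
    """Explain why repeated 'Fix Checked' cycles cannot hold against this pattern."""
    if summary["persistent_devices"] and len(summary["module_names"]) > 1:
        return "persistent hidden device, rotating module name: kernel-mode rootkit, user-mode fix will not hold"
    if summary["persistent_devices"]:
        return "module loaded from a hidden device: suspect a rootkit"
    return "no globalroot injection seen"

def _report(module: str, procs: List[str]) -> str:
    # Constructed sample in the layout of the scan output quoted in the thread
    return "\n".join(["Process"] + [f"-{p} (\\\\?\\globalroot\\Device\\_max++>\\{module})" for p in procs])

# Process and DLL names as the poster reported them across the three scans (sample text constructed here)
SCAN_1 = _report("C5310A00x86.dll", ["alg.exe", "TFService.exe", "pctsSvc.exe", "jqs.exe", "jusched.exe",
                                     "spoolsv.exe", "svchost.exe", "svchost.exe", "svchost.exe"])
SCAN_2 = _report("BDE7E0D0.dll", ["alg.exe", "pctsSvc.exe", "jusched.exe", "jqs.exe", "spoolsv.exe"] + ["svchost.exe"] * 4)
SCAN_3 = _report("EE5347D0.x86.dll", ["spoolsv.exe", "pctsSvc.exe"] + ["svchost.exe"] * 3)

if __name__ == "__main__":
    s = summarize([SCAN_1, SCAN_2, SCAN_3])
    print(s)
    print(verdict(s))
```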
jmw3 (Senior Member, 860 posts; Join Date: Jul 2007; Location: Port Hedland, WA)
26-Oct-2009, 03:46 PM #4
Hello & Welcome to TechSupportGuy

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

Win32kDiag
Download Win32kDiag.exe by a_d_13 from Here & save the file to your desktop.
  • Click Start->Run Then copy/paste the following command (the bolded text) into the Run box & click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

  • When it's finished, there will be a log called Win32kDiag.txt on your desktop. Copy/ paste the contents of the log & post in your next reply.

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Win32kDiag log
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
__________________
Masters Graduate of Malware Removal University - You too could train to help others
Member - UNITE, Alliance of Security Analysis Professionals
Topics not replied to within 3 days will be removed from my Subscribed Threads List
willymacmusic (Junior Member, 24 posts; Join Date: Dec 2006; Experience: Intermediate)
27-Oct-2009, 02:48 PM #5
One tough computer!
JMW3

Thank you for responding. I can tell you that this was one sick little computer. At its age, I hated spending so much time on it, but the owner is in her 80's and she only uses it for e-mail.

Anyway, her husband brought me the original Gateway Software and requested that I just re-install Windows and wipe the drive clean. After spending so much time already, I couldn't really give him any reason why not to go this route, so that's what I did.

Thanks again for your helpful suggestions, and I'm sure with your help, we could have gotten to the bottom of the problem. If you have a moment, the re-installation fought me tooth and nail, and I've included my repair notes for anyone's entertainment. It will make you laugh out loud. Thanks again... Willy

Used paper clip to open drive and installed RI disk

Chose to remove existing partition and reformat the C: drive
c: Partition [New (Raw)] 38154 MB
Error on installation - hardware problem (ATAPI)

Attempting format - Failed

Setup was unable to format the partition. The disk may be damaged.

Make sure the drive is switched on and properly connected to your computer. If the disk is a SCSI disk, make sure your SCSI devices are properly terminated. Consult your computer manual or SCSI adapter documentation for more information.

You must select a different partition for Windows XP.

To continue, press ENTER.

Deleted existing partition and asked setup to create a new partition 38154 MB

Partition Created... formatting... same error message as before

Attempted to create 2 partitions 15 GB and 23 GB - Quick NTFS Format failed... same error message
... NTFS Format Failed same error msg

Exit Set-up (F3) System restarts... Error loading operating system (well yeah!)

Inserted Windows 98 Restore disk from another system to attempt to partition/format but the disk wants the drive to already have a partition! Exit setup and access the tools on the disk:

Run GWSCAN.exe - Select Verify Drive - No Errors Detected for this drive. (note: this is a western-digital utility and may not properly report errors for this drive)

Run fdisk
- deleted DOS partition 1 & 2 (everything)
- Created Primary DOS Partition
- Reboot with Gateway Windows XP System Restore disk inserted

Select to boot from CD
- Windows Setup loading
- Select to Setup Windows XP
- Select to format and install the system with NTFS on Partition1 [Unknown]
- ...this portion of setup completed successfully... reboot to continue - Reboot to CD
- Setup will install Windows XP on partition

C: Partition1 [NTFS] 14998 MB ( 14531 MB free)

Select Leave the current file system intact (no changes)

Setup chokes on copying a couple files to the hard drive, but retry worked on both files

Reboot... do not select to boot from CD... Windows Starts!!!!!!!

Setup Continues... then it happens

Fatal Error
An error has been encountered that prevents setup from continuing

One of the components that Windows needs to continue setup could not be installed.

Data error (cyclic redundancy check)

If you are installing from a CD, there might be a problem with the disc; try cleaning the disc or using another disc. Press OK to view the setup log.

Error:
SXS.DLL: Syntax error in manifest or policy file "D:\I386\asms\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.MAN" on line 4.

xxx

Error:
Installation Failed: D:\I386\asms. Error Message: Data error (cyclic redundancy check)

OK.. I'll give it a try...

Clean disk - reinsert - reboot

Setup is being restarted... and appears to have gotten a little farther this time

Regional and Language Options, etc... completed 1st menu... Installing Network

Installing Start Menu Items (yes, I'm starting to get excited!)

Registering Components (Oh Yeah!)

Saving Settings

System reboots...

Yippee... bells and whistles... confetti falling from the ceiling... Welcome to Microsoft Windows!!!!!!!!!!!!!!!!!
jmw3 (Senior Member, 860 posts; Join Date: Jul 2007; Location: Port Hedland, WA)
27-Oct-2009, 03:04 PM #6
Hello willymacmusic

Thanks for letting me know about the nuke & pave.... that surely was an epic battle
There is an infection at present which hijacks the disk controller file - atapi.sys - so that may have had something to do with the initial format failure.

Good to see you came out on top. If there is nothing else then I'll move on to a new topic
willymacmusic (Junior Member, 24 posts; Join Date: Dec 2006; Experience: Intermediate)
27-Oct-2009, 04:03 PM #7
Thanks a million!