Massive spyware/virus problem - bank details stolen!! (In Progress)

clairecherry77
Junior Member with 18 posts.
 
Join Date: Aug 2009
Experience: Beginner
20-Nov-2009, 10:47 AM #1
Hi,

I've got a huge problem with a virus and/or spyware on my PC. The first problem it started causing was, when I search on google.co.uk and then click on a link it always brings up google.com in the address bar and then takes me straight to an advert page. I've been trying to get rid of it using various anti-malware packages (spybot, AMB and Super anti-spyware) but when I try and search with them it just closes the program and then it won't let me back in to it. Even if I try and download it again and reinstall it. If I run AVG it finds a virus called TrojanHorse PSW.Agent.ACTI but can't remove it.

The major problem I have is someone has got hold of my internet banking logon and actually set up a standing order from my account of £1000 per week! Luckily the bank picked it up straight away! I'm assuming that this is down to the virus/spyware.

I have tried to do a scan with HijackThis but again, as soon as I click scan it just closes and then I can't open the program anymore.

Please, please, please help!!!

Many Thanks in advance
etaf
Moderator with 34,408 posts.
 
Join Date: Oct 2003
Location: Surrey, UK
Experience: Intermediate
19-Dec-2009, 12:47 PM #2
clairecherry77
Junior Member with 18 posts.
 
Join Date: Aug 2009
Experience: Beginner
19-Dec-2009, 01:00 PM #3
Well kind of. It's one of my posts but relates to a different problem. That one was resolved and now I have a new one!

Thank you
etaf
Moderator with 34,408 posts.
 
Join Date: Oct 2003
Location: Surrey, UK
Experience: Intermediate
19-Dec-2009, 02:49 PM #4
OK - Thanks
sjpritch25
Moderator & Malware Removal Specialist with 9,113 posts.
 
Join Date: Sep 2005
Location: Florida
Experience: Advanced
22-Dec-2009, 01:52 PM #5
Welcome to TSG

Sorry for the delay!!!

Do you still require Assistance?
clairecherry77
Junior Member with 18 posts.
 
Join Date: Aug 2009
Experience: Beginner
22-Dec-2009, 04:01 PM #6
Yes please! Desperately! I've had this virus for weeks now and can't get rid of it. I do all my banking online but my bank have cancelled my login until I get rid of it. Any help would be greatly appreciated. Thank you for your time
sjpritch25
Moderator & Malware Removal Specialist with 9,113 posts.
 
Join Date: Sep 2005
Location: Florida
Experience: Advanced
22-Dec-2009, 04:05 PM #7
Please download Malwarebytes' Anti-Malware from Here.



Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:



If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


========================================

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Extra Registry change it to Use SafeList.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
__________________
Microsoft Valuable Professional Consumer--Security 2007-2010
Please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
clairecherry77
Junior Member with 18 posts.
 
Join Date: Aug 2009
Experience: Beginner
22-Dec-2009, 04:58 PM #8
Thank you for this. I've downloaded Malwarebytes as you said and updated it. When I try and run a scan the program shuts down though. If I try and reopen the software I get the following error message from windows "windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
I get the same message when I try and use super anti-spyware also. I haven't downloaded the OTL yet as I assume I need to run Malwarebytes first?

Many Thanks
sjpritch25
Moderator & Malware Removal Specialist with 9,113 posts.
 
Join Date: Sep 2005
Location: Florida
Experience: Advanced
22-Dec-2009, 05:14 PM #9
Please download Win32kDiag.exe by AD to your Desktop.
Double-click on Win32kDiag.exe.
It will create Win32kDiag.txt on your Desktop.
In your next reply, please include the log. Thanks
clairecherry77
Junior Member with 18 posts.
 
Join Date: Aug 2009
Experience: Beginner
22-Dec-2009, 05:36 PM #10
OK done that. Here you go. Thank you

Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CC.tmp\ZAP1CC.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\ 3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\ 2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
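
Added example, not part of the original thread or of any tool mentioned in it: a Python sketch that parses a Win32kDiag log in the layout posted above, pairs each mount point with its destination, and notices a log that was cut off mid-entry. The sample log is constructed, and treating only `\??\` destinations as ordinary is an assumption made for this illustration.

```python
import re
from collections import Counter

# Constructed sample in the Win32kDiag layout shown in the post above.
# The \??\D:\Data entry and the unpaired last line are invented for the demo.
SAMPLE_LOG = r"""Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Example\Link
Mount point destination : \??\D:\Data
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe
Found mount point : C:\WINDOWS\Temp\Temp
"""

FOUND = re.compile(r"^Found mount point\s*:\s*(.+)$")
DEST = re.compile(r"^Mount point destination\s*:\s*(.+)$")
DENIED = re.compile(r"^Cannot access:\s*(.+)$")

def parse_win32kdiag(text):
    """Pair each mount point with its destination; keep warnings and access failures."""
    out = {"pairs": [], "unpaired": [], "denied": [], "warnings": []}
    pending = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := FOUND.match(line):
            if pending is not None:          # previous entry never got a destination
                out["unpaired"].append(pending)
            pending = m.group(1)
        elif (m := DEST.match(line)) and pending is not None:
            out["pairs"].append((pending, m.group(1)))
            pending = None
        elif m := DENIED.match(line):
            out["denied"].append(m.group(1))
        elif line.startswith("WARNING:"):
            out["warnings"].append(line)
    if pending is not None:                  # log ended mid-entry, e.g. a cut-off paste
        out["unpaired"].append(pending)
    return out

def triage(report):
    """Assumption: an ordinary junction targets a \\??\\ path; anything else is flagged."""
    flagged = [(src, dst) for src, dst in report["pairs"] if not dst.startswith("\\??\\")]
    def self_nested(path):                   # e.g. ...\addins\addins, as in the posted log
        parts = path.rstrip("\\").split("\\")
        return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()
    return {"flagged": flagged,
            "by_destination": Counter(dst for _, dst in flagged),
            "self_nested": [src for src, _ in flagged if self_nested(src)],
            "truncated": bool(report["unpaired"])}
```

Grouping by destination makes it obvious when many unrelated folders all point at the same non-volume device object, which is the pattern in the posted log.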
sjpritch25
Moderator & Malware Removal Specialist with 9,113 posts.
 
Join Date: Sep 2005
Location: Florida
Experience: Advanced
22-Dec-2009, 05:43 PM #11
You might need to attach the log cause it was cut off. Thanks
clairecherry77
Junior Member with 18 posts.
 
Join Date: Aug 2009
Experience: Beginner
22-Dec-2009, 06:16 PM #12
OK try again.
Attachment Blocked
sjpritch25
Moderator & Malware Removal Specialist with 9,113 posts.
 
Join Date: Sep 2005
Location: Florida
Experience: Advanced
22-Dec-2009, 06:52 PM #13
Please download Inherit by sUBs and save it to your Desktop.
  • Drag and drop the File onto Inherit.exe.
  • This shall restore permissions to the application.
  • You will then receive an Ok message from Inherit.exe.
  • Press Ok.


Please copy Inherit.exe to Malwarebytes folder located here
C:\Program Files\Malwarebytes Anti-Malware

Then drag mbam.exe into Inherit.exe. Let me know if you still get that error message when trying to run malwarebytes. Thanks
clairecherry77
Junior Member with 18 posts.
 
Join Date: Aug 2009
Experience: Beginner
23-Dec-2009, 05:06 AM #14
I've tried that and it will now let me open Malwarebytes. The problem is when I try and perform a scan it just closes and locks the software again. Thanks again
sjpritch25
Moderator & Malware Removal Specialist with 9,113 posts.
 
Join Date: Sep 2005
Location: Florida
Experience: Advanced
23-Dec-2009, 12:15 PM #15
oh okay

Download Combofix from this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.