Task Mngr/Add/Remove Gone - HJT log -Thank you!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

canoli

Thread Starter
Joined
Apr 26, 2010
Messages
75
THANK YOU VERY MUCH for taking the time to look at my post. Any help at all will be appreciated.

At 6:37pm last evening I was surfing the net, clicked on a dumb site and up popped what appeared to be a Microsoft alert...the browser window closed and since then I've had all kinds of problems: no task manager, no add/remove programs - every time I want to run a program "Open With" dialog pops up... even when I try to install HJT - but right-clicking and choosing START worked, so I was able to get this log.

I unplugged my cable line to stop the internet and have kept it off most of the time since last night. I've heard a strange "clicking" about every 5 or 10 seconds; that happened for a few minutes, then went away.

I did a scan with UnHackMe and have 4 or 5 virus names that it found and supposedly deleted - actually maybe that was the Avast scan that told me the names. I can't remember now. I took pictures of my screen as the scan was going along, then later went to the Event Viewer and got this info:

Here are the viruses I have according to the Event Viewer:

Win32:JunkPoly (Cryp)
Win32:Ertfor(Trj)
Win32:Malware-gen
Win32:Qandr (Rtk)
Win32:patched-MA(Trj)

I can tell you the locations they were found in as well if you want - some were in the Temp folder, most in sys32.

Here's my HJT log - and THANK YOU SO INCREDIBLY MUCH for taking the time to help me - if you can...I'm really hoping to avoid the Recovery Console on this laptop, as I have many programs installed, some big ones too - like Adobe CS4 and Office, and a ton of smaller ones as well. Anyway - whatever it takes! Thanks again!!

XP Pro sp3 on a Lenovo T500 laptop - about 16 months old. No prior infections. Avast subscription and Windows Firewall and Spybot are the extent of my protection from viruses/malware/etc. Up till now it's been sufficient. Thanks again!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:43 AM, on 4/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Documents and Settings\RKC\Desktop\procexp.exe
C:\Documents and Settings\RKC\Desktop\windows-kb890830-v3.6.exe
z:\5569a77aee76ea27b465e6bd82bf\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lenovo.com/welcome/thinkpad
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\ServicePackFiles\i386\msconfig.exe /auto
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\PROGRAM FILES\XEMICOMPUTERS\ACTIVE DESKTOP CALENDAR\ADC.EXE
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [Stickies] C:\Program Files\Bret Taylor\Stickies\Stickies.exe
O4 - HKCU\..\Run: [Kana Reminder] "C:\Documents and Settings\RKC\Desktop\Reminder.exe"
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\RKC\LOCALS~1\TEMP\NVSVC32.EXE
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\RKC\LOCALS~1\Temp\cmd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O4 - Global Startup: WinColor.exe.lnk = C:\Program Files\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColor.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252886731015
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - Unknown owner - C:\WINDOWS\system32\AtService.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Update Service (gupdate1c9bebe93c143b0) (gupdate1c9bebe93c143b0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LKQCZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\RKC\LOCALS~1\Temp\LKQCZ.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe

--
End of file - 13489 bytes
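As an added example (not code from the thread, from HijackThis or from any poster), a small Python triage script that applies the checks a malware responder makes by eye on a log like the one above: extra programs appended to the Winlogon UserInit value (the F2 line), autostart entries and services launching out of a Temp directory, and Run value names that look machine-generated. The sample lines are copied from the log posted above; the thresholds in the regexes are my own assumptions.

```python
import re

# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\RKC\LOCALS~1\TEMP\NVSVC32.EXE
O4 - HKUS\S-1-5-18\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\RKC\LOCALS~1\Temp\cmd.exe (User 'SYSTEM')
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: LKQCZ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\RKC\LOCALS~1\Temp\LKQCZ.exe
"""

# Legitimate autostart entries and services essentially never run out of a Temp folder.
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)

# Value names that are one long run of lower-case letters and digits, with no
# spaces or punctuation, look machine-generated rather than chosen by a vendor
# (assumed threshold: 16 characters or more).
RANDOM_NAME = re.compile(r"^[a-z0-9]{16,}$")

# On Windows XP the Winlogon UserInit value carries exactly one program.
EXPECTED_USERINIT = {"userinit.exe"}

# "O4 - HKLM\..\Run: [Name] command" -> value name and command.
O4_ENTRY = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage(log_text):
    """Return (section, reason, line) for every HJT entry that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]          # R1, F2, O4, O23, ...

        if section == "F2" and "UserInit=" in line:
            value = line.split("UserInit=", 1)[1]
            programs = [p.strip() for p in value.split(",") if p.strip()]
            extra = [p for p in programs
                     if p.rsplit("\\", 1)[-1].lower() not in EXPECTED_USERINIT]
            if extra:
                findings.append((section, "extra program appended to UserInit: "
                                 + ", ".join(extra), line))

        if section in ("O4", "O20", "O23") and TEMP_PATH.search(line):
            findings.append((section, "autostart target lives in a Temp directory", line))

        if section == "O4":
            m = O4_ENTRY.match(line)
            if m and RANDOM_NAME.match(m.group("name")):
                findings.append((section, "random-looking Run value name", line))
    return findings


def summarize(findings):
    """Count findings per reason, handy for a quick 'how bad is it' glance."""
    counts = {}
    for _section, reason, _line in findings:
        key = reason.split(":", 1)[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Running it over the full log above flags the same entries the responder later targets with ComboFix; the avast! lines, which are legitimate, are left alone.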
 

canoli

Thread Starter
Joined
Apr 26, 2010
Messages
75
Can't tell if things are getting better or worse. Microsoft's Malware Removal tool didn't find anything but Avast keeps saying there's a virus, wants to shut down and do a scan. I did that but it didn't find anything. As I said earlier, Avast found 5 or 6 virus/trojans/malware the first time I scanned, right after the symptoms started.

Still can't get to Task Mngr or Add/Remove or Windows Firewall, and every app I click brings up the "Open With" dialog box. On the good side, the C: and the E: drive (E is a 5GB Lenovo "Recovery Partition") are now showing up in Disk Mngmt, which they weren't before (though all my other drives were - I have 3 ext HDDs).

Anyway just thought I'd keep a running account of what's going on with this computer...boy this will teach me to surf indiscriminately, just clicking on anything and everything... I thought I was protected with Windows Firewall and an updated Avast but I guess not.

just got the Avast popup - it says it found File Name: SVC: PRAGMAfpyycwxbvf - Type: Hidden services - lets me choose Delete or Ignore. I deleted it last time it came up, about 10 minutes ago and followed Avast's recommendation to do a boot scan, but it didn't find anything.
 

canoli

Thread Starter
Joined
Apr 26, 2010
Messages
75
Just another update - Avast found the virus again while I was online, recommended I do a boot scan so I did. This time it found C:\WINDOWS\PRAGMAfpyycwxbvf\PRAGMAd.sys is infected by win32:Rootkit-gen [Rtk]

So I deleted it.

Still no Task Mngr, Add/Remove/Windows Firewall...etc. "Open With" still pops up whenever I try to launch a program.

Thanks again for your time!
 

canoli

Thread Starter
Joined
Apr 26, 2010
Messages
75
another update - Task Manager is back. Still can't get to System Restore though. can't Right-Click on My Computer and get to Properties, or go to Programs>Accessories>System Tools - says that the C:\system32\rundll32.exe - Application not found.

anyway - got the Task Manager back - hopefully that means Progress! also, the C: and E: drives are showing up now in Disk Mngmt.
 

canoli

Thread Starter
Joined
Apr 26, 2010
Messages
75
update again - I booted into Safe Mode and was able to run regedit - didn't do anything, just wanted to see if I could get access and I did.

still most of the same problems though - no System Restore "Turned off by Group Policy - see Administrator" - and of course I am logged in as Administrator. In Safe Mode I was able to right-click on My Computer but the System Restore tab is missing - I was able to access everything else, including Device Manager.

also - does the context (right-click) menu normally have the word "start" in it? For applications I mean. I don't recall seeing that before, though I never looked one way or the other.

Thanks again for your help!
 

canoli

Thread Starter
Joined
Apr 26, 2010
Messages
75
and yet another update (sorry if this is all useless - figure the more info the better)

Things seem to be getting back to normal. UnHackMe still doesn't like something and pops up a message but most stuff is working normally. It "feels" like I'm getting closer to cleaning out whatever grabbed me - did Housecall, Spybot (which found a bunch of stuff - I have a list if you're interested), Avast a few times, UnHackMe a bunch of times. So between all that, some in Safe Mode, some not, almost all with the Cable feed unplugged, I've got what appears to be a working computer again.

But there are still some ominous signs. Like a "Windows detected a corrupt file on volume 3" something-something...And another thing that's odd is that System Restore came back - it's on, monitoring - but the Turn Off System Restore option is grayed out. In parentheses (also grayed out) it says "Disabled By Group Policy".

I did go to gpedit.msc but I didn't change anything. And I didn't change anything in the registry.

Also that word "start" that was in my context menu of program icons - that's gone. Had a feeling it wasn't there before this mess. I'm sure by using it I screwed up things even more but that was the only way to open firefox and practically anything else.

Anyway - like I said - sorry if this is OVERKILL on the information - and THANK YOU VERY MUCH whoever you may be who comes to my rescue! :)
 

canoli

Thread Starter
Joined
Apr 26, 2010
Messages
75
ran Malwarebytes - found a bunch of stuff - deleted it - set a Restore Point first.

googled "system restore turned off by Group Policy" and found a registry fix - followed the instructions (backed up the key first) and "Turn off System Restore" is no longer grayed out.

Feels like I'm getting there but I wish I could be sure. Hopefully there's still some help you can give me. I can always post another HJT log if you think that'll be useful.

Thanks again!
 

canoli

Thread Starter
Joined
Apr 26, 2010
Messages
75
Avast keeps popping up with a Suspicious File - but it's weird because their advice is to Ignore it. You can choose Ignore or Delete and they recommend "Ignore." Doesn't that seem a little strange? It starts with PRAGMA- and then a bunch of what appear to be random letters. I tried deleting it and I've ignored it (but I didn't check "Don't tell me about this threat again" so I guess that's why it keeps popping up). No location - Avast says it's a Hidden Service...

Hope someone can take a look and help me out - THANKS!
 

canoli

Thread Starter
Joined
Apr 26, 2010
Messages
75
help...?

I know it says to be patient, and I am....seems like I'm getting buried in newer posts....
 

canoli

Thread Starter
Joined
Apr 26, 2010
Messages
75
Avast keeps popping up with a Suspicious File- PRAGMAffyy....more letters....

Don't know what to do here - I'm sure this computer is still infected ...

Please help if you can - Thanks...
 

canoli

Thread Starter
Joined
Apr 26, 2010
Messages
75
almost 3 days now...can someone tell me whether I should keep waiting or...should I post this again somewhere else?

If you don't think I need help or whatever then please just tell me and I can search elsewhere.

Thanks!
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
Hi, canoli

Welcome.

Sorry for the delay. You are never ignored, but our trained personnel are very busy.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  7. Double click on combo-Fix.exe & follow the prompts.
  8. Install the Recovery Console if prompted.
  9. When finished, it will produce a report for you.
  10. Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
 

canoli

Thread Starter
Joined
Apr 26, 2010
Messages
75
JS -

Thanks so much for your reply.

I wanted to ask you a question before I run Combofix . My computer is 99% back to normal.
All is well except for one thing. Whenever I boot up Avast pops up a window that says:

Warning: Suspicious File Found.

File name SVC: "PRAGMAfpycwxbvf...."
Type Hidden services

Avast lets you choose "Delete" or "Ignore" and the recommendation from Avast is to "Ignore."
It also lets you choose "Do not tell me about this file in the future." I won't do that until I'm sure this file can safely be ignored.

So anyway my question is, should I still go through the process with Combofix and whatever else is after that?

Thanks again JS for your reply, and thank you very much for your help. It is very much appreciated.
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
It is one of the Backdoor Trojans. Combofix should help you remove it.
 