
Thread: Need Help Malware issues

  1. #11
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Forgot to mention that sometimes an antivirus will/can stop connections to some web sites. Can you try to temporarily disable your antivirus to see if connections were stopped?

    Right click on the Avast icon in the system tray
    Scroll up to Avast! shields control
    Select the desired option from the list

    10 minutes,
    1 hour,
    until the computer is restarted or
    permanently.

    Reverse to enable.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  2. #12
    Member
    Join Date
    Dec 2008
    Posts
    50

    Default Not good

    Sorry to report, I think it's running worse.

    I did reset the modem/router and delete temp file and cookies. That process was also part of the IE reset that we did earlier. Sorry, no change.

    I did get to Tweaking.com and downloaded (saved to desktop) Windows Repair. It will start the install process then stop with "Encountered a sharing violation.." error. It will not load.

    Many troubles today. Physical memory dumps, IE not even opening or opening and crashing, multiple error reports, some regular software programs on the computer will not open (Quick Books).

    I am providing some photos of some of the errors I had today, hoping there might be a clue as to what is wrong.

    IMG_4337.JPG
    IMG_4336.jpg
    IMG_4338.JPG
    IMG_4339.JPG
    IMG_4340.JPG

  3. #13

  4. #14
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Did you temporarily disable your antivirus?

    Something is reading and/or preventing the installation files from working.


    Go to Start, then to Run, and type in "SFC.EXE /SCANNOW" (without the quotes - and with a space between the SFC.EXE and the /SCANNOW). Then press Enter.

    The program may (or it may not) ask you for your Windows XP installation CD - please insert it at the prompt. If it doesn't ask you for the CD this means that it wasn't necessary to replace any files.

    ~~~~~~~~~~~~~~~~~~~~~~~~

    Click on Start >> My Computer >> Right click on the C: drive icon (Local Disk (C:)) and select Properties
    Now click on the Tools tab.

    Now click on the Check Now... tab

    Select both check disk options and click on Start.

    Click on the Yes button.

    Next, click on Start >> Turn Off Computer >> Restart

    Note: Upon Reboot(Restart), CHKDSK will start and carry out the repairs required.

    ~~~~~~~~~~~~~~~~~~~~~~~~

    If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.
    Emergency Backup Procedure - Tech Support Forum

    Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

    How to use ComboFix

    Download ComboFix from here:
    Link 1
    Link 2
    Link 3

    Place ComboFix.exe on your Desktop <--Important
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
      * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.



      You can get help on disabling your protection programs here
    • Double click on ComboFix.exe & follow the prompts.
    • You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).
    • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may need to reboot your computer more than once to do its job; this is normal.
    • When finished, it shall produce a log for you. Post that log in your next reply

      Note:
      Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


      Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

      ---------------------------------------------------------------------------------------------
    • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

      Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
      Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
      ---------------------------------------------------------------------------------------------
    • If there are Internet issues after running ComboFix:
      Internet Explorer:
      Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". Also clear any proxy address and port. ok, apply (only if applicable), ok.
      Firefox:
      Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
      Chrome:
      Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
      Safari
      Launch Safari
      Go to general settings menu
      Then in Preferences/ Advanced
      Then on line click Proxies change settings ...
      Click Internet Options, then click the Connections tab, click Network Settings.
      Disable option (uncheck) for the use of proxy server ...
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  5. #15
    Member
    Join Date
    Dec 2008
    Posts
    50

    Default Stuck in CHKDSK

    I have turned off anti-virus for all the new fixes from your last reply. Sorry, I typically did not turn virus off on every process unless it was part of the directions before.

    I did the SFC.EXE and inserted Windows CD when asked. That seemed to go ok.

    Next I did the CHKDSK process. After reboot CHKDSK went through a long 5 step process and stopped after a list of "bad sector" fixes. After the 5 steps and the fixes the CHKDSK screen just stayed on, the computer did not boot to Windows. After waiting hours, I restarted the computer and it went to CHKDSK process again. This time I left it overnight to run (just to be sure it was finished) and it still stopped after step 5 and the repair fixes and just stuck there. It will not boot to Windows, it only wants to run the scheduled CHKDSK.

  6. #16
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Man, it sounds like we're going from bad to worse.

    The tool shouldn't take long at all, and if it couldn't fix bad sectors it is (in theory) supposed to notify you.

    Please boot into safe mode and attempt to run these suggestions

    Go to Run, type: cmd
    In cmd type:
    chkntfs /x C:

    This stops the CHKDSK.



    Remove the Chkdsk.exe or the Autochk.exe program from Scheduled Tasks

    Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks.
    Click either Chkdsk or Autochk in the list of scheduled tasks.
    Under Folder Tasks, click Delete this item.


    Method 2: Check the Session Manager registry entry
    Follow these steps, and then quit Registry Editor:

    Click Start, click Run, type regedit, and then click OK.
    Locate and then click the following key in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\BootExecute
    On the Edit menu, click Modify.
    Type autocheck autochk *, and then press ENTER.

    https://support.microsoft.com/en-us/kb/831426
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
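
Added example, not part of the thread or of the Microsoft article linked in post #16: a Python check of the BootExecute value that post describes, separating the default `autocheck autochk *` entry from leftover disk-check entries and anything else. The function names and sample strings are constructed for illustration, and the exact form of a scheduled-check entry is an assumption.

```python
import re
import sys

DEFAULT_ENTRY = "autocheck autochk *"   # the value post #16 says to restore
SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"

def classify_boot_execute(entries):
    """Split BootExecute strings into default, extra autochk runs, and the rest."""
    report = {"default_present": False, "extra_autochk": [], "other": []}
    for raw in entries:
        entry = " ".join(raw.split())          # normalise whitespace
        if not entry:
            continue
        lowered = entry.lower()
        if lowered == DEFAULT_ENTRY:
            report["default_present"] = True
        elif lowered.startswith("autocheck autochk"):
            # A disk check queued for a specific volume at next boot.
            drive = re.search(r"([A-Za-z]:)$", entry)
            report["extra_autochk"].append({
                "entry": entry,
                "drive": drive.group(1).upper() if drive else None,
                "switches": [s.lower() for s in re.findall(r"/[A-Za-z]+", entry)],
            })
        else:
            # Neither the default nor an autochk run: review before rebooting.
            report["other"].append(entry)
    report["matches_default"] = (report["default_present"]
                                 and not report["extra_autochk"]
                                 and not report["other"])
    return report

def read_boot_execute():
    """Read the live REG_MULTI_SZ value as a list of strings (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER) as key:
        value, _kind = winreg.QueryValueEx(key, "BootExecute")
    return value

# Constructed samples; the scheduled-check entry format is an assumption.
SAMPLE_STUCK = [r"autocheck autochk /r \??\C:", "autocheck autochk *"]
SAMPLE_CLEAN = ["autocheck autochk *"]

if __name__ == "__main__":
    entries = read_boot_execute() if sys.platform == "win32" else SAMPLE_STUCK
    for name, value in classify_boot_execute(entries).items():
        print(f"{name}: {value}")
```
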

  7. #17
    Member
    Join Date
    Dec 2008
    Posts
    50

    Default CHKDSK clear

    I got the CHKDSK problem cleared. But, still experiencing same multiple problems.

    I have combofix loaded on desktop. I tried to run Combofix, but had multiple failures. I have attached some of the error messages as photos (also crashes, memory dumps and freezes). Tried to run Combofix in Safe Mode and got similar failures. Tried to go back and run the SFC.EXE /SCANNOW and now it will not run.

    At one reboot, I did see a pop up message from SpyBot SD about a malicious file detected but it did not show itself long. Since I was unable to get the other suggestions running, I thought I would try a SpyBot scan and it appeared to be working. I ran out of time and had to leave computer with it running with SpyBot scan going and will check it in the morning.

    Wow, this is a challenge.

    Having trouble uploading photos to forum from iPad. Will send error photos from PC later.

    Thanks for helping.

  8. #18
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Man, we're up the creek if this is pointing to hardware failure. Also, some or most of the tools we use for diagnosing are mostly for newer operating systems.

    What Spybot could have been pointing to is not a known infection that in the past causes this much corruption. Sometimes it reports items located in temp files and other locations which can also be in quarantine folders. And again, I can be completely wrong.

    Let's try

    Disable antivirus and SpyBot, let's make sure those applications are not interfering.


    Please download Farbar Service Scanner and run it on the computer.

    Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update

    Press "Scan".
    It will create a log (FSS.txt) in the same directory the tool is run.
    Please copy and paste the log to your reply.

    ~~~~~~~~~~~~~~~~~~~

    1. Please download the Event Viewer Tool by Vino Rosso
    http://images.malwareremoval.com/vino/VEW.exe
    and save it to your Desktop.
    2. Double-click VEW.exe
    3. Under 'Select log to query', select:
    * System
    4. Under 'Select type to list', select:
    * Error
    * Warning

    Then use the 'Number of events' as follows:

    • Click the radio button for 'Number of events'
    • Type 20 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.


    Please post the Output log in your next reply then repeat but select Application.

    If one doesn't work please go to the next.

    ~~~~~~~~~~~~~~~~~~~~
    • Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
    • Click Yes to the disclaimer.
    • Ensure the Addition.txt box is checked.
    • Click the Scan button and let the programme run.
    • Upon completion, click OK, then OK on the Addition.txt pop up screen.
    • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  9. #19
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Malwarebytes Anti-Rootkit
    • Download Malwarebytes Anti-Rootkit
    • Once the file has been downloaded, right click on the downloaded file and select the Extract all menu option.
    • Follow the instructions to extract the ZIP file to a folder called mbar-versionnumber on your desktop.
    • Once the ZIP file has been extracted, open the folder and when that folder opens, double-click on the mbar folder.
    • Double-click on the mbar.exe file to launch Malwarebytes Anti-Rootkit.
    • After you double-click on the mbar.exe file, you may receive a User Account Control (UAC) message asking if you are sure you wish to allow the program to run. Please allow it, so that Malwarebytes Anti-Rootkit starts correctly.
    • Malwarebytes Anti-Rootkit will now install necessary drivers that are required for the program to operate correctly.
    • If you receive a DDA driver message like could not load DDA driver, click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer and will start automatically.



    • On the introduction screen, please click on the Next button to continue.




    • Next you will see the Update Database screen.
    • Click on the Update button so Malwarebytes Anti-Rootkit can download the latest definition updates.




    • When the update has finished, click on the Next button.



    • Next you can select some basic scanning options. Make sure the Drivers, Sectors, and System scan targets are selected before you click on the Scan button.
    • Malwarebytes Anti-Rootkit will now start scanning your computer for rootkits. This scan can take some time, so please be patient.




    • When the scan with Malwarebytes Anti-Rootkit is finished, the program will display a screen with the results from the scan.
    • Make sure everything is selected and that the option to create a restore point is checked.
    • Next click on the Cleanup button. Malwarebytes Anti-Rootkit will then prompt you to reboot your computer.
    • Click on Yes button to restart your computer.


    • There will now be two log files created in the mbar folder called system-log.txt and one that starts with mbar-log.
    • The mbar-log file will always start with mbar-log, but the rest will be named using a timestamp indicating the time it was run.
      • For example, mbar-log-2012-11-12 (19-13-32).txt corresponds to mbar-log-year-month-day (hour-minute-second).txt.

    • The system-log.txt contains information about each time you have run MBAR and contains diagnostic information from the program.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  10. #20
    Member
    Join Date
    Dec 2008
    Posts
    50

    Default Errors from yesterday

    Thanks for the next round of help. I have not got to work on the new suggestions yet.

    See attached photos of my error messages from yesterday.

    Thanks

    FullSizeRender.jpg
    IMG_0172.jpg
    IMG_0173.jpg
    IMG_0174.JPG
    IMG_0177.jpg
