[pearce15]

Hi there,

I am back with even more detrimental problems with my pc...

here is a gist of the processes that went on before the windows message appeared: windows was auto-updating in the background afterwhich it restarted and after booting halfway, the screen went blank. I restarted my comp, then a windows message appeared which informed me that an AVG app was conflicting with my system, on top of that, it also informed me that my pc could be a victim of counterfeit windows software.

After restarting and booting again, I managed to get into my desktop. This time there is an icon and my desktop wallpaper is now black with the watermark star logo on bottom right hand corner as well as on my taskbar. All my original personal settings were overidden.

I now have no internet connection and no connection status icon on my taskbar at all. In the meantime, tried uninstalling AVG but was still unable to connect to any network.

Am really desperate as my pc seem to be a constant target. I reckon it could be a hoax - the counterfeiting software notice.

Pls help!

[Advertisements]

Hi there this looks like it may take a while but I am sure that somewhere along the line we could resolve it.

First if you are transfering data to the infected computer via USB then we will need to protect the host computer

So download and run this programme on the uninfected host computer and any USB sticks you intend to use

• 1 - Flash Drive Disinfector
  Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Having protected the Host I will now need to look at the infected system to determine the best way to approach your problem. If this programme fails to run in normal mode then run it in safe mode

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

• Close ALL OTHER PROGRAMS.
• Open the OTScanit folder and double-click on OTScanit.exe to start the program.
• Check the box that says Scan All User Accounts
• Check the Radio button for Rootkit check YES
• Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
• Under Additional Scans check the following:
  • File - Lop Check
  • Reg - BotCheck
  • File - Additional Folder Scans
  • File - Purity Scan
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

[Essexboy]

Hi there this looks like it may take a while but I am sure that somewhere along the line we could resolve it.

First if you are transfering data to the infected computer via USB then we will need to protect the host computer

So download and run this programme on the uninfected host computer and any USB sticks you intend to use

• 1 - Flash Drive Disinfector
  Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Having protected the Host I will now need to look at the infected system to determine the best way to approach your problem. If this programme fails to run in normal mode then run it in safe mode

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

• Close ALL OTHER PROGRAMS.
• Open the OTScanit folder and double-click on OTScanit.exe to start the program.
• Check the box that says Scan All User Accounts
• Check the Radio button for Rootkit check YES
• Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
• Under Additional Scans check the following:
  • File - Lop Check
  • Reg - BotCheck
  • File - Additional Folder Scans
  • File - Purity Scan
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

[pearce15]

Hi Essexboy,

yes its gonna be a long while and this is my 3rd problem in 6mths. =(

attached is my logfile.  OTScanIt.Txt   191KB   514 downloads

[Essexboy]

OK nothing jumped out at me on that one. Could you take a full size screen shot of your system or failing that the area where the clock is

So I will use a fairly strong cleaning tool first, if that shows nothing I will then take a deep look at your processes

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

[pearce15]

Hi there,

here is a screen capture

I am unable to connect to the internet hence was unable to download the required recovery console files.

These were the warnings I received while running combofix:

Here is the logfile:  log.txt   11.04KB   524 downloads

[Essexboy]

Still nothing showing. Could you do the following

Go to Start->All programs->Accessories->System Tools->Activate Windows.

If that is not possible

Please run the MGA Diagnostic Tool and post back the report it shall produce:

• Download MGADiag to your desktop.
• Double-click on MGADiag.exe to launch the program
• Click "Continue"
• Ensure that the "Windows" tab is selected (it should be by default).
• Click the "Copy" button to copy the MGA Diagnostic Report to the Windows clipboard.
• Paste the MGA Diagnostic Report back here in your next reply.

The MGA Diagnostic Tool will return a report on whether or not the Product Key is invalid, or if Windows Validation is being blocked.

[pearce15]

Hi there,

I was unable to find Go to Activate Windows under Start->All programs->Accessories->System Tools->

Before proceeding to run the MGA Diagnostic Tool, I tried to do a system restore to the last time I had everything running smoothly. Low and behold, my pc is back to normal. *phew*

So I decided not to proceed with the MGA Diagnostic Tool. I tried to reinstate my AVG app but there's some wierd message that got churned up.

Here are the snapshots of the messages. Hope this can be resolved in order to have at least an anti virus app running in the background.

[Essexboy]

What I would recommend at this stage is remove AVG and try another AV for the moment. If you do not like the one I recommend then I will give you another option later


Please go HERE and download avast! 4 Home Edition to your desktop.
Disconnect from the internet and uninstall AVG.
Locate the file that you just downloaded, double-click on the file to launch the installation of avast!

Click Next on the avast! Setup window and on the next window with the ReadMe File.
Now you will see the Legal Agreement, just click I agree, and then click Next to continue.

You will be prompted with Configuration window, make sure that you choose Typical configuration and then click Next. Click Next to the windows that will follow, when the installation will finish, you will be given an option to schedule a boot time scan, select No

Now you have to restart your machine, select Restart and then click Finish.

After you restart you will get a message about avast! it will give you the general "Hello and Thank you for choosing our Product." Also after you restart you will notice 2 new icons in the bottom right corner of the screen.

VERY IMPORTANT - after restarting, right click on the @ in the taskbar and select Updating, then highlight and click Program.

You will get popup after its done updating. If avast! had to download anything for your computer you may get a message asking you to restart.

After you have updated avast! right click the small icon a in task bar and click Start Avast! AntiVirus

Click Program Registration and you will be taken to their website. Fill out the form and then check you e-mail. Once you get an e-mail from them (usually about 1 minute after submitting the form) copy and paste the serial they provided into the highlighted box. Then click ok.

After this, you will need to Schedule Boot-Time Scan with avast! Click on the little button placed up in the left corner, and select Schedule Boot-Time Scan. Read also this tutorial HERE it may make it easier to you to follow the steps.

Next, choose

• Scan all local disks
• scan archive files
• click on Schedule

On the next dialog Operating system restart needed select Yes
Now avast! will restart your computer and start to scan before Windows fully loads.

IMPORTANT NOTE since your system had infections on it, avast! will give you dialog box with recommended actions, and options, please make sure if this happens, to click the Move to Chest button, and not to delete any reported files.

Post the bootlog report

The boot log will be located here C:\Program Files\Alwil Software\Avast4\DATA\report\AswBoot.txt

[pearce15]

Hi again,

I guess I am back to where we first started. =(

After choosing Typical configuration and then clicking Next, I selected no for a scheduled boot time scan, and was about to restart my pc when I realized Windows auto update running in the background and it was almost complete. I thought that if I were to reboot the same problem as before would arise. There was no way out of this. As expected after rebooting, I am back to where we first started. I tried to access my last restore point that was a good configuration but unfortunately luck ran out and I am left with only today's restore point which was the one after the mishap took place.

I realized too late - to disable the auto update feature in windows. Now I am lost. Hope you can help me!

Where do we go from here...

[Essexboy]

OK what is the current staus of your system are you back to the counterfeit display ?

What we could try initialy is reset windows updates

• Download WUFix.zip and unzip to your desktop.
• Double-Click WUFix.bat to run fix.
• You will see a window open and commands processing. When the window closes the fix will have completed.
• Restart the computer.

This fix will clear the proxy cache, places Windows Update sites in the Trusted Zone, places Windows Update sites in the exception list of IE Popup Blocker, starts all dependent services, registers required DLLS, empties the Windows Update temporary folder (with backup), renames the catroot2 folder, retains update history and Event log, and deletes BITS pending download queue.

Once done, go back to the Windows Update Website (You must use the Microsoft Internet Explorer to do this). Check your history.

[pearce15]

Hi there,

I am still in the counterfeit display and after running WUFix and restarting, the same display appears. Also, am still unable to connect to the internet. Nothing has changed so I can't proceed with the other steps.

[Essexboy]

Do you have a windows CD ?

[pearce15]

Yes I do. The same one which I used to install the one I am using. Its Windows XP SP1.

[Essexboy]

OK then first we will try sfc and see if that cures the problem

From the Start menu, select Run.
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
Select the OK button.
Follow the prompts throughout the System File Checker process.
Reboot the computer when System File Checker completes.

[pearce15]

Hi there,

seems like it doesnt recognise my cd. It asks for Windows XP Professional CD. Could it be I installed with SP2 updates along the way from the web?
I do not have an SP2 version of Windows XP in disc.