
Seems to be serious malware/sw problem

#1 Margot530 (New Member, 9 posts)

Hello,

My problem is very complicated, at least to me. I'm not very comp savvy, so please bear with me. I don't really speak computer, so go easy on me :) I'll be as thorough as possible, since I can't give you a HJ report yet.

This is the only computer we have, and I use it mainly for work, but some playing around as well :)

System: XP 2002 Service pk 3

I started experiencing random pop-ups and redirects a few weeks ago. Had Norton AV, but no spyware program installed. Upon being unable to play VCO from IGG (have had the game for several months, with no issues), I began to follow the Admin's instructions on how to uninstall and reinstall the game. They have an option to download from a torrent, and/or p2p, but I use the one directly off the site. During the redownload, I got an error that tiled down my screen, faster than I could click or read, and it just continued to tile/pile up. Shortly, my computer just shut off. No warning, no tab closing. It was as though the plug had been disconnected from the socket.

After restarting I was informed that my Norton AV was expired. I removed it, not positive I got it all, but did a search and followed up with CCleaner. Then I downloaded AVG, and ran it. What a nightmare. Seven hours later, it showed many win32.heur stated as viruses and many volume restore and other restores listed as well as some cookies. Two at the top, which were win32.heur required a reboot. I took the recommended steps, but unfortunately I did not make a copy of all the issues to show you here. For all I know, they may not have been viruses at all. Did a search on the win32.heur, and came up empty.

After this, there didn't seem to be any problems, but once I began to do some navigation, and clicked on favorites, I was unable to go to most of the pages, got the notice "error loading page," "can't find address." Two bookmarks were okay...B of A, and PayPal. I manually tried to navigate to some of the sites, but got the same results. Shortly after I discovered this, I was bombarded with threat detections. These, like the errors, came up so fast it was insane.

I gave up, shut both FF and IE down, and opened a file with my movies on it. Probably not the best move, but was afraid to turn the computer off. No serious problems, but did experience a few glitches and some AVG pop-ups that just disappeared. The computer had done a restart during the night, and the sign-on page had changed to the old-fashioned box, rather than the skater icon that states owner, with the password box to the right.

After getting signed in, everything seemed back to normal. I was able to click on my bookmarks and was taken directly to the pages. Wanted to get some anti-spyware downloaded, so searched for the free version of AVG. I was able to navigate to any spyware page I came to, but didn't find the AVG. I did some research, and found you guys. Was in the middle of checking out the programs you recommend, and had to leave. Please keep the bold "was able" in mind.

While I was gone, my son decided to try and finish the download of the VCO, what can I say, he's addicted. It's a large program, and was in the process of installation when I came home. Everything went smoothly, and he said that it started right off from where it stopped the day before. I noticed that the icon for the game had changed to the icon that shows an exe file (hope I have that right...white box with blue on top?). The icon for the install was correct. When I clicked on the exe, I got a pop-up that stated "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Tried to go in and run as Admin, but wasn't given the option. When I go to the accounts page, it shows me as owner/administrator.

I've searched around my computer, and many of my applications or programs, have changed to that type of file, and will not allow me access.

I have tried to click on all of your links to spyware programs, and attempted to follow the self-help for malware/spyware removal, as well as clicked on links from web searches...I get the page load error, or it won't take me anywhere. Was able to get one program to download, SUPERAntiSpyware, but can't run it due to the same issue as above. Oh, I was able to get to the HJ page through search at Trend, but haven't downloaded it since two of the dl options seem to be exe files, and one is a zip. I don't have WinZip and can't get it...perhaps there is another way I can unzip it (free?), but even then, my computer seems to be able to change any program into an exe.

At a loss here, and working at home on this computer is our only source of income.

Sorry so long-winded, but wanted to get you as much info as possible.

Thank you so much for your time; I do know it is valuable, and appreciate it very much,

Margot :)

#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hi, and sorry for the delay. Dependent on the variety of heur you have, the final solution may be a reformat and install; however, before we get there, let's find out which one it is. I have two complimentary programmes to run. The first may take an hour or so and the second just a few minutes.

Download Dr.Web CureIt to the desktop:
  • Double-click the drweb-cureit icon to start the program.
  • Press Start.
  • Allow the program to run the initial express scan
  • This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
    Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
  • Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
  • Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
  • During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
    • Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
  • Once the scan is complete, on the menu bar, click file and choose report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Close Dr.Web Cureit.
  • Please post the Dr.Web.txt report in your next reply

THEN

We will now do a deep search of your processes and files

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window.
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again.

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Investigation" check box.
  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#3 Margot530 (New Member, Topic Starter, 9 posts)

Hello Essexboy.

Just a short note to thank you, and let you know the express scan is complete. Found a ton of things. I'm keeping a handwritten log, in the event this crashes on me. Even if I have to go to an internet cafe, I will stick with you. This may take quite some time, so please don't think I up and disappeared.

Thank you so much again for your time, and I'll be back as soon as I can,

Margot :)

#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hi Margot, the time is no problem, but if there are a lot of files it may be bad news. If you see a lot of this:

explorer.exe;c:\windows;Win32.Virut.56;Cured.;
unregmp2.exe;c:\windows\inf;Win32.Virut.56;Cured.;
xpnetdiag.exe;c:\windows\network diagnostic;Win32.Virut.56;Cured.;
notepad.exe;c:\windows;Win32.Virut.56;;
soundman.exe;c:\windows;Win32.Virut.56;;
alg.exe;c:\windows\system32;Win32.Virut.56;;
cisvc.exe;c:\windows\system32;Win32.Virut.56;;
clipsrv.exe;c:\windows\system32;Win32.Virut.56;;
ctfmon.exe;c:\windows\system32;Win32.Virut.56;;
dllhost.exe;c:\windows\system32;Win32.Virut.56;;
dmadmin.exe;c:\windows\system32;Win32.Virut.56;;
hpzipm12.exe;c:\windows\system32;Win32.Virut.56;;

You will need to reformat the system, in which case I can assist in that.
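As an added example (not code from the forum, from Essexboy, or from Dr.Web), here is a small Python parser for report lines in the layout quoted above. It assumes the fields are name;directory;detection;action; with an empty action meaning the file was not cured, and the "advise a reinstall" threshold is my own rule of thumb, not Dr.Web's verdict:

```python
from collections import Counter

# Constructed sample in the layout of the Dr.Web CureIt report quoted above:
# name;directory;detection;action;  (action is empty when the file could not be cured)
SAMPLE_REPORT = """\
explorer.exe;c:\\windows;Win32.Virut.56;Cured.;
unregmp2.exe;c:\\windows\\inf;Win32.Virut.56;Cured.;
notepad.exe;c:\\windows;Win32.Virut.56;;
alg.exe;c:\\windows\\system32;Win32.Virut.56;;
ctfmon.exe;c:\\windows\\system32;Win32.Virut.56;;
setup.exe;c:\\downloads;Trojan.Downloader.1234;Deleted.;
"""

SYSTEM_DIR = "c:\\windows"  # assumption: files under this tree are OS files


def parse_report(text):
    """Turn the semicolon-separated report into one dict per line."""
    entries = []
    for line in text.splitlines():
        parts = line.rstrip(";").split(";")
        if len(parts) < 3:
            continue  # blank or malformed line: skip rather than guess
        name, directory, detection = parts[:3]
        action = parts[3] if len(parts) > 3 and parts[3] else "Not cured"
        entries.append({
            "path": (directory + "\\" + name).lower(),
            "family": ".".join(detection.split(".")[:2]),  # e.g. Win32.Virut
            "detection": detection,
            "action": action,
        })
    return entries


def summarize(entries):
    """Counts a helper looks at first: hits per family, OS files hit, files left uncured."""
    return {
        "by_family": Counter(e["family"] for e in entries),
        "system_files": sum(e["path"].startswith(SYSTEM_DIR) for e in entries),
        "uncured": sum(e["action"] == "Not cured" for e in entries),
    }


def reinstall_advised(entries, min_system_hits=5):
    """Heuristic (an assumption): one family on at least min_system_hits files under the
    Windows tree points to a spreading file infector, so a clean reinstall is safer than
    trusting 'Cured.' on core executables."""
    per_family = Counter(e["family"] for e in entries if e["path"].startswith(SYSTEM_DIR))
    return any(n >= min_system_hits for n in per_family.values())
```

Running it on the sample gives five Virut hits under the Windows tree, three of them uncured, so the reinstall rule fires.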

#5 Margot530 (New Member, Topic Starter, 9 posts)

Hi there Essexboy,

Yes, I see a lot of that and more. The computer disconnected from the internet and about an hour later shut down during the complete scan, and just continues to attempt to reboot. I have it in "Windows Advanced Options Mode" right now.

I don't have any of the disks to download the original software. Hope this doesn't sound too ditzy, but do I need those to reformat?

It's no big deal if I lose personal files...

Thanks again!

#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

What is the make and model of your computer, as there may be a recovery partition on it? It looks like Virut has overrun your computer.

#7 Margot530 (New Member, Topic Starter, 9 posts)

I'm so sorry, I'm using a kid's LT and keep getting booted. :)

It's an eMachines T3120.

#8 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

OK, you will need to do a destructive recovery, I am afraid. Attached is a PDF showing how to do this; the main instructions are on page 6.
[attachment=29826:8510406.pdf] Prior to doing this, have a look at our tutorial on reformatting here. I will be here to assist in any way.

#9 Margot530 (New Member, Topic Starter, 9 posts)

Hello Essexboy,

Wow...I would certainly give it a go, but it had me confused at the words "let's get started." LOL I'm not a complete idiot, but that is a daunting task, even with help from such a great guy :)

I do have an option. I have another tower...much better one, that I believe the power source has gone out in. It runs fine until another device, such as a monitor, is plugged in. It then revs up, and shuts down within 10 seconds. It's my understanding, however, that the motherboard and other things may also need to be replaced. I should be able to replace these on my own, but might need some advice along the way.

Now here is where I might contradict myself on the "complete idiot" statement. :)

I remember when I opened the box, that I saw some little battery-shaped objects :) , of different sizes. Behind them were scorch marks along the wall. Any info on that would be awesome, including what they are called, so I don't sound like such a fool. He he. It did overheat on me a few times... With it having a new $500 hard drive, and being a better computer to begin with, I think I'd rather go that route. If it sounds salvageable, please let me know.

Appreciate your help more than you know!

Margot :)

#10 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

If you are saying what I think, they may be capacitors on your motherboard. Here is a picture of one; can you see the bits that were scorched?
[attachment=29843:motherboard.jpg] Have you replaced the power supply unit on the other tower and tried it out?

Doing a restoration is fairly straightforward. As soon as you turn on the infected system, keep pressing F11 and a menu will pop up. Select the Full System Restore (destructive) unless there is something you need to retrieve from the infected system, but if I remember rightly you are happy to let that go.

#11 Margot530 (New Member, Topic Starter, 9 posts)

Wow, something just erased my whole message to you... Okay, lol, here we go again.

I've been told that is what they are called, but I've looked at pics like that, and it's a view of the inside of the tower case, but not inside the power source box, if I'm not mistaken. I'm tearing into it now, to see if they are in there, so I can let you know (been about a year since I looked at it). Goodness but my blond is showing! :)

No, I haven't tried to replace it yet... Not overly expensive from what I've read. You are right, I did fully read the instructions, and it wouldn't be that hard.

I guess my main issue now is that I work online, and if I make a mistake, I won't have a backup. I'd rather attempt that when I have time and wouldn't be rushed. I'm the head of customer support for a web co. and I have a lot of people counting on me. Unfortunately, no one is trained to do my job...

Sorry I get so wordy...

Brb. :)

#12 Margot530 (New Member, Topic Starter, 9 posts)

Sorry that took so long.

They are inside the power source box. They are the ones right up against the cover.

There are 4: 2 black, and 2 orange in that particular area; though there are many others, these are the only ones against the cover.

The sequence is blk, orng, blk, orng. Three are about an inch and a half tall...the outer orng is about 1 inch tall, and very small around.

Both orange have wires coming out of the top.

Both black have the appearance of batteries with the outer casing, and silver tops... the first black one's top is slightly bowed (bad sign, I'm sure). The two black ones have writing on them (JAMICON) and the other says (TK 105 degree c).

There is no writing on the orange ones, but they have blk/blue stripes.

Oh, before I forget. When the inner fan is reinserted, is there a certain oil, paste or what have you that needs to be applied? I remember reading something about that.

Probably overdid it with the info, but wanted to cover the bases.

Hope you have a great night! And thank you so much for putting up with me :)

#13 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

I think the technical term for the condition of your PSU is "severely broken".

If you replace it, you may get the tower up and running again, as long as there was no surge on the motherboard.

#14 Margot530 (New Member, Topic Starter, 9 posts)

"Severely broken" LOL, thanks for the giggle. :)

I'm keeping my fingers crossed.

I really appreciate your help, and would love to keep you posted. If it's okay, I'll just drop a short pm to you.

#15 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Ahh, as you asked so nicely, I will keep the thread open for you :)