[johnvo]

Hi all. I have the same problems as the others do: Google redeirects and Malwaresbytes and other
applications cannot run because of the viruses and malwares. I've followed the steps given, but
none of them seems to solve the problems in fixing my PC.I downloaded and installed GMER, OTL
and ComboFix but all of them crashed while scanning. ComboFix detects the presence of rootkit
activity and asked my to reboot. I did, and then when Windows loads after restarting,
ComboFix just disappears by itself when it says it is preparing to run. What should I do now?
Thanks!!!

Edited by johnvo, 10 October 2009 - 03:22 AM.

[Advertisements]

Hello and welcome to Geeks to Go! I'm Dave and I'll be helping you out. Let's get started.

Please delete your current copy of ComboFix as well as the folders C:\ComboFix and C:\Qoobox if they exist, and then try these instructions for me, first in normal mode, and then in safe mode if you have problems completing them in normal mode:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix to cf.com. This name is important and must be exactly as I have given it to you here, including the .com file extension. After changing the name, click on the drop down menu for the box labeled Save as type: and change it to All files. Once you made these changes, save the file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program look here for instructions. Installing the recovery console if you're running an XP machine is another critical step. Although these prelimiary steps may seem unnecessary, by following the directions in that guide closely you give ComboFix the best possible chance at a successful run and minimize the likelihood of having serious problems occur after an attempted removal of malware.

Once the program has finished running its log should pop up automatically, or if for some reason you lose it it can found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Cheers,
Dave

[Transience]

Hello and welcome to Geeks to Go! I'm Dave and I'll be helping you out. Let's get started.

Please delete your current copy of ComboFix as well as the folders C:\ComboFix and C:\Qoobox if they exist, and then try these instructions for me, first in normal mode, and then in safe mode if you have problems completing them in normal mode:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix to cf.com. This name is important and must be exactly as I have given it to you here, including the .com file extension. After changing the name, click on the drop down menu for the box labeled Save as type: and change it to All files. Once you made these changes, save the file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program look here for instructions. Installing the recovery console if you're running an XP machine is another critical step. Although these prelimiary steps may seem unnecessary, by following the directions in that guide closely you give ComboFix the best possible chance at a successful run and minimize the likelihood of having serious problems occur after an attempted removal of malware.

Once the program has finished running its log should pop up automatically, or if for some reason you lose it it can found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Cheers,
Dave

[johnvo]

Thank you for your reply. I did exactly as you've instructed, but ComboFix found that
I have rootkits and told me to reboot. After rebooting Combofix freezes in the
command window while my PC also stops responding. I had to press the power button and
restarted, this time Combofix just appears for a second and then it closes by itself
without scanning or diagnosting anything. I've tried several rootkits removal
apps, but they all crash during the scan. You have any suggestions?

Edited by johnvo, 10 October 2009 - 08:08 AM.

[Transience]

If you haven't yet, please try running ComboFix in safe mode. Also, when it warns you about rootkit activity, please write down exactly what the message box says and post it for me in your next reply, paying careful attention to make sure any filenames it gives you are exactly correct, because this will be a big help in taking care of this problem.

[johnvo]

The problem is still the same, even in safe mode. This is what it says:" Combofix dectects the
presence of rootkit activity and needs to reboot the machine". It didn't scan for anything.

Edited by johnvo, 10 October 2009 - 09:38 AM.

[Transience]

Okay I'd like you to try CF in one more way with a different file extension to see if that changes things before we move on.

Please delete your current copy of ComboFix as well as the folders C:\ComboFix and C:\Qoobox if they exist, and then try these instructions for me, first in normal mode, and then in safe mode if you experience problems in normal mode:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix to cf.bat. This name is important and must be exactly as I have given it to you here, including the .bat file extension. After changing the name, click on the drop down menu for the box labeled Save as type: and change it to All files. Once you made these changes, save the file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program look here for instructions. Installing the recovery console if you're running an XP machine is another critical step. Although these prelimiary steps may seem unnecessary, by following the directions in that guide closely you give ComboFix the best possible chance at a successful run and minimize the likelihood of having serious problems occur after an attempted removal of malware.

Once the program has finished running its log should pop up automatically, or if for some reason you lose it it can found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Edited by Transience, 11 October 2009 - 03:01 PM.

[johnvo]

Just did what you said. Still, Combofix didn't scan for long. It's the same result;
my pc has rootkits. In safe mode, after I double-clicked Combofix the blue screen
instantly came up with this text " A problem has been detected and Windowns was shut down
to prevent damage to your computer". The maker of Spyware Doctor imformed me in the email
that I have a DNS infection changer because I couldn't use its product to update before
I could use it. They threw in a different one, Spyware Doctor with Antivirus for me to
try, but to no avail. I want to post a log below from RootkitRevealer so you can see it for
yourself what's going on.
Here goes:

HKU\.DEFAULT 0 bytes Error mapping hive file: The system cannot find the file specified.
HKU\S-1-5-19 0 bytes Error mapping hive file: The system cannot find the file specified.
HKU\S-1-5-19_Classes 0 bytes Error mapping hive file: The system cannot find the file specified.
HKU\S-1-5-20 0 bytes Error mapping hive file: The system cannot find the file specified.
HKU\S-1-5-20_Classes 0 bytes Error mapping hive file: The system cannot find the file specified.
HKU\S-1-5-21-606747145-515967899-682003330-1004 0 bytes Error mapping hive file: The system cannot find the file specified.
HKU\S-1-5-21-606747145-515967899-682003330-1004_Classes 0 bytes Error mapping hive file: The system cannot find the file specified.
HKU\S-1-5-18 0 bytes Error mapping hive file: The system cannot find the file specified.
HKLM\HARDWARE 0 bytes Error mapping hive file: The system cannot find the file specified.
HKLM\SAM 0 bytes Error mapping hive file: The system cannot find the file specified.
HKLM\SECURITY 0 bytes Error mapping hive file: The system cannot find the file specified.
HKLM\SOFTWARE 0 bytes Error mapping hive file: The system cannot find the file specified.
HKLM\SYSTEM 0 bytes Error mapping hive file: The system cannot find the file specified.
C: 0 bytes Error mounting volume

Edited by johnvo, 12 October 2009 - 08:34 AM.

[Transience]

Does the computer boot normally? Are you able to access the internet and run other programs (unrelated to malware removal) as usual? Is there any pattern in what types of files you can open and which you can't? Do you receive any error messages when programs crash? If you can describe this for me in as much detail as possible that would go a long way to helping me figure out what this is.

Cheers,
Dave

[johnvo]

I think my pc has been completely hacked into. It cannot run in safe mode now.
In normal mode PC, Firefox and a bunck of other applications often crash. The only
way left, I think, to fix all of this is to reinstall windows. Unfortunately for
me I do not have a cd; I've lost it. There's a file at Microsoft that I have to
download in order to reinstall XP without a cd, but I cannot download anything there
(must be security-related downloads disabled by viruses}. Do you think you can get the
file and pm or email it to me; I'd be greatly indebted to you. I have a Spyware
Doctor with Anti-virus to give you in return if you want it. Thank you for having
been a good sport in trying to help me out.

[Transience]

Sounds like a reformat is the best course of action at this point.

As for reinstalling windows XP without the CD, can you show me where you're finding your information? I'd be happy to try to get you the file you need, but I'm not sure what you're talking about.

I would recommend you give this procedure for reinstalling XP without the CD a try. It's pretty simple, let me know if you need any assistance.

Cheers,
Dave

[johnvo]

I'm talking about a "setup disks" file from Microsoft. I've learned about it
through the link you've posted for me; it's http://www.bleepingcomputer.com/
combofix/how-to-use-combofix. That site also shows how to reinstall windows
without a cd. It includes a section on manually installing the "Windows Recovery
Console". Here's its instructions: "If you use Windows XP and do not have the
Windows CD, ComboFix includes a method of installing the Windows Recovery console
by downloading a file from Microsoft. To install the Windows Recovery Console when
you do not have the Windows XP CD, please follow these instructions:

1. Click on the following link to go to Microsoft's Web site:

http://support.microsoft.com/kb/310994

I just read the steps from the source that you recommended to reformat windows but
I failed because I couldn't locate the copy file of my XP. It's just not there.
I'd appreciate it if you go to the above Microsoft link and download the file there.
I'm using XP home edition SP3, so you need to click on the link that looks exactly
like this: http://www.microsoft...;displaylang=en (http://www.microsoft...displaylang=en. After that
please PM or email it to me. Thanks for all the support. As a token I'm giving you
a pretty decent AV application, Spyware Doctor with Antivirus. Here is the link:
http://www.pctools.c...asetup-beta.exe. Licensed Name is SDAV 7
Beta and License Code is 3874-E258-38F3-F443-9E04-A281-F3AB-4EF7-44DE-2080. It's all
clean as it was sent to me directly from the maker itself, so don't worry that
it might contain a virus.