Virus?!?! no more tricks up my sleeve, don't know what to try next

[MPTech]

I built a new PC for my friend a couple months ago with XP Home SP3 and it was running GREAT. MSI mobo, 2g ram, and AMD 64 X2 2.1GHz. It was a respectable budget build (not a speed demon, but more than ample for the email and surfing he does).
he called me last week and said he was receiving Virus errors. I saw a message pop up 1 time, but never saw it again.
Some strange things are occuring though, that I still cannot account for.
I can access the internet, access his email, search Google, etc, all the normal stuff.
BUT......
I installed the latest AVG (v8.0) and it wouldn't allow me to download the latest defintions, I get an "Update Failed" error message. (I ran AVG anyways without the latest definitions and found 111 Infected Objects removed/healed.
I also tried to download the latest AVG and the latest definitions from Google Search links and received ""Internet Explorer cannot display this webpage".
I tried to run Ad-Aware and received "Internet Explorer cannot display this webpage / SSL download failed" and tried to run Webupdate and it failed too. So I ran the definitions with Ad-Aware 2007 v0033.0000 (no definitions updte) and found 10 Trojan Horses, so I removed them as well.
I tried to run Spybot and it wouldn't "connect to the server" and it wouldn't allow me to re-install it either.
I tried to install HiJackThis and I received an hour glass, then it went away and didn't install.

I also went to Internet Options \ Security and "Reset all zones to default level" and attempted all of the above actions with the same results.
I also tried stopping all executables before attempting these, using "EndItAll" and had no luck.
And I tried all of these actions from safe mode, with the same results.
At this point I've exhausted all options that I can think of.
Oh, I also tried restoing it to a couple different points 2 and 3 weeks ago and I click "next" and nothing happens.

An ideas what's going on here? or how to get beyond this issue?

[Broni]

First of all, get rid of AVG, which has been having issues since ver. 8.0 was introduced.
Free alternatives:
- Avast! free antivirus: http://filehippo.com/download_avast_antivirus/
- Avira free antivirus: http://www.free-av.com/en/download/index.html


- free Comodo Internet Security (firewall + AV): http://www.personalfirewall.comodo.com/

If you decide to install Avast, or Avira, make sure, Windows firewall is turned on.
If you decide to install Comodo, make sure, Windows firewall is turned off.

Install, update, run full scan, and we'll go from there...

[MPTech]

I also tried updating Spyware Blaster and received " update for the Spyware blaster program is available but cannot be downloaded through thi updater"
When i clicked the link: http://www.javacoolsoftware.com/sbupdate.html
I received the previous error " Internet explorer cannot display the webpage"
(this worked just swell from my computer (on the same network).

I also tried running SpywareGuard Live Update and received:
"There is an error getting the update information from the server"

again, worked fine from my PC on the same network.

[Train]

Try Safe Mode with networking to update.

Do this first and leave that antique stuff alone for now.

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to screw_you.exe

1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Under Configuration and Preferences, click the Preferences button.
* Under [b]General and Startup" tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* Back on the main screen, under Scan for Harmful Software click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.
NOTE: Tracking cookies can be omitted from the log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

3. Download, install, and run HijackThis:
http://www.snapfiles.com/get/hijackthis.html
Post HijackThis log.
Do NOT attempt to "fix" anything!


DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

(Above layout courtesy of Broni)

[Train]

Now if your real desperate.
http://vil.nai.com/VIL/stinger/

[Broni]

You need to start with my reply #2.

[MPTech]

Broni & Train, thanks for the help so far, but not fixed yet.

Broni, I uninstalled AVG completely and made sure the firwall was on.
I installed and ran AVAST! and Avira (I was concerned about both, but Avast didn't detect anything) Avira found 2 issues: fakealert.aqe.4 Trojan and BDS/Small.gwz back-door.
I quarinteened both of them, but still can't load any Definition Updates. I also unistalled SpyWareBlaster and SpyBot. I was able to install SpyWareBlaster and the definitions this time, but still can't install SpyBot.

Train, I renamed HJT and it installed and I posted the Log here:
http://discussions.virtualdr.com/sho...54#post1258754

I downloaded SUPERAntiSpyware and the definitions on my other PC and copied them over on a jump drive, but I still can't get it to install, even if I change the .exe name. (I also tried in Safe mode, with no luck either).
I'm getting this message:
SUPERAntiSpyware Free Edition has encountered a problem and needs to close. We are sorry for the inconvenience. Send Error Report / Don't Send

Am I dealing with a Virus? (I don't know what he did or where he got this)

[Broni]

First of all, you can't run two AV programs.
You need to uninstall either Avast, or Avira.

Leave Superantispyware alone, for now. Run Malwarebytes, post its log, and post fresh HJT log.
All right here. Someone will move this thread.

[MPTech]

I knew I shouldn't install 2 AVs, but I was desperate and they didn't seem to conflict. Regardless, I uninstalled Avast.

I was able to install MalWareBytes, but it would not execute. When I click it, the hourglass appears for a few seconds then disappears.

I rebooted and tried SuperAntiSpyware again and this time it ran. It found 9 registry items, all related to RootKit and I was able to remove them.
MalWareBytes still didn't work and the issue exists with SpyBot as well (won't execute).

I was able to execute Ad-Aware and download the current definitions now.

If I can't resolve this thing today, I'm going to throw in the towel and do a Ghost Image restore from when I first built it. (I'll back up his data first, but I know he's installed and configured a number of items that he'll lose. I've already prepared him for this and he's Ok with it, but it bothers me that the problem was not resolved).

[usil]

You may very well have a rootkit. Download Blacklight and/or AVG Anti Rootkit. Run the scans and let us know if it finds anything,

[MPTech]

What are the symptoms of RootKits?

Whatever it is, it seems to be preventing me from running some AVs or Spyware tools and/or access the Internet to download S/W and update the definitions.

I'm about ready to bag it and just restore to the previous clean image and instal some better AVs / Anti-Spywares.

What should I be installing? (I'm thinking Avira, SuperAntiSpyware, MalWare, Ad-Aware, Spybot, Comodo, SpyWareBlaster, and SpyGuard. anything else? )

[Train]

Avira, SuperAntiSpyware, MalWare

Same as I run on the laptop and the native Vista firewall.

Had no problems in almost 2 years of usage.

[MPTech]

I'm not sure what my friend did either.

I've run similar tools on mine and set it up the same way for him. I've never had a problem with a Virus, RootKit, Firewall crasher, or any significant issue. I know he has 3 older kids, but I think they have their own PCs. Don't know what he did or got into, but this one has proven to be quite nasty.

I'll try the blacklight and AVG Root Kit tonite, but I'm really leaning towards backing up his data and wiping it clean! I've already spent too many hours on this issue. (Just wish I knew what the Root Cause is (no pun intended!)

[Train]

I'll try the blacklight and AVG Root Kit tonite, but I'm really leaning towards backing up his data and wiping it clean! I've already spent too many hours on this issue. (Just wish I knew what the Root Cause is (no pun intended!)

That is what I would do.
See if there are rootkits and what they are.

Save what is needed and start from scratch.

Now you know why after a couple hours max., the techs go that route. FASTER!

[Broni]

As for rootkits...

Download gmer.zip: http://www.gmer.net/files.php
Unzip the file, and double click on gmer.exe, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.