IE, Control Panel and more acting weird.

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

You can skip the ComboFix part of the above procedure since you already ran it.

 

Actually it is about 5 times shorter than it used to be.

You need to attach the requested log from ComboFix.

NOOO! You should never being using Selective Startup except for temporary debugging.

 

Sorry I see you posted ComboFix in your first message. However I just noticed your MGlogs.zip file was from safe boot mode. You need to post logs from Normal Boot mode as requested in the READ ME. Make sure you are in normal mode and run C:\MGtools\GetLogs.bat

Then attach the new C:\MGlogs.zip file that is created.

 

Yes.

You must never use MSconfig for long term solutions. It is only meant for temporary debugging. Due to how you were using it, you got yourself into a condition where your registry has been modified now for System Services. This is one of the many many reasons why we emphasize that people should not be using MSconfig. We will try to fix this issue while removing your malware problems.

First the below is for your Education!

How to deal with startup processes.

• First you should uninstall any software that you do not use.
• Second if you have processes still trying to load at startup even though you have uninstalled them. You can simple use HijackThis to easily remove the startup. That way you will not have to manually edit the registry.

Third for software you do not want to uninstall but you don't want it to load at startup, look in the program for an option not to load when Windows starts and disable it this way. If you cannot find an option like that you have two possible actions:

• if you never want it to load at startup, use HJT to permanently remove the startup.
• if you sometimes want it to load at startup, use a program like Startup CPL to enable or disable as you see fit.

I don't like the looks of the below file. Do you know what it is from?

Code:

"C:\WINDOWS\"
wc98pp.dll    Jul 12 2007       51712  "wc98pp.dll"[

If you don't know what this file is for/from then rename the file to wc98pp.dll.bak and leave it that way for a week or so to see if it causes you any problems with any programs running.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
Symantec Network Driver Update

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Symantec NetDriver Warning] C:\PROGRA~1\SYMNET~1\SNDWarn.exe (User 'Default user')

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Make sure you tell me how things are working now!

 

I just edited my previous message to add a fix. I see that you logged in while I was editing so be sure to click refresh to see the full message.

 

Make sure you exit all protection software and then run the Avenger fix again because it did not run properly. Then attach the new Avenger log and a new MGlogs.zip file.

This may be an issues for the Software Forum as you could be having an issue with a broken or incomplete installation or an issue with Windows Installer. You could however see if the below helps:

Windows Installer CleanUp Utility

 

It is not caused by any remaining malware. It is possible that the malware may have done something to cause the problem but I'm not sure this is the case.

Did you try running the Windows Installer Cleanup routine. Exactly when does Windows Installer popup and tell me exactly what it says. Don't translate. Give the exact word for word message.

Now do the following:
Start -> Run
type eventvwr.msc
Click 'OK'

Click System, scroll down the page, and look Windows Installer type errors.

Right-click on the error and select 'Properties'. I need to know exactly what is in the Description Field. Word for Word.


Also run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.

 

Okay your problems still do not appear to be malware related. I suggest you do the below to cleanup what we have done and then I suggest you post in the Software Forum with you Windows Installer problems.


If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN
   • Now type combofix /u in the runbox and click OK.
   • Note: The space between the X and the /U, it must be there.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
12. If you are running Windows XP or Windows ME, do the below:
    • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
13. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!