Malwarebytes wont download

Welcome to Major Geeks!

Please remember to remain in one thread and not to bump.

Why did you attach the RootRepeal program that we had you download??????

You need to run SUPERAntiSpyware and properly update it as requested. Then run a new scan and attach the new log.

Your logs indicate that you have both SpySweeper with AntiVirus and AVG installed. If this is true, you need to uninstall one of them immediately as instructed in the cleaning process.


Also you need to attach the log from Mgtools as requested in the cleaning process.

 

You did not update SUPERAntiSpyware and run a new scan and attach the new log I requested.

You also did not update Malwarebytes. You are about 230 database versions out of date. You must ALWAYS update your scanners before running them. Databases sometimes change several times per day. Run Malwarebytes again and first update it. Then run a new scan, make sure you fix anything found then save the low. And also attach this new log.

Yes it has. Look at your ComboFix, Malwarebytes, and 1st SUPERAntiSpyware logs. Lots of malware has already been removed. However you just have an incredible amount of very bad infections and a lot still remain, including a very dangerous Master Boot Record infections. This may take a few iterations. Someone needs to rethink how this PC is being used.

You did not uninstall SpySweeper per the MGtools log. Did you uninstall it after running MGtools? MGtools.exe does not below on your Desktop. Please delete it.

You also have an older infection that replaces valid startup files with infected copies. It may be necessary to uninstall some programs to fix this. Start by uninstalling the below which are infected. Do not reinstall yet. You can reinstall if desired once we have complete all of our cleaning and we send you on your way.
Google Desktop
Google Toolbar for Internet Explorer

Please run the below tool from Prevx Make sure that you allow it to fix the MBR infection if it detects it (which it should). It may show a button saying Cleanup Now. Make sure to click it.

Prevx 3.0 use the button that says Download Prevx 3.0

After running the Prevx scan, reboot and then continue with the below.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 6
Trojan Remover 6.8.1
URL Assistant

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O3 - Toolbar: Fast Browser Search Toolbar - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O4 - HKLM\..\Run: [FBSearch] "C:\Program Files\Search Guard Plus\SearchGuardPlus.exe"
O4 - HKLM\..\Run: [SGPUpdater] "C:\Program Files\Search Guard PlusU\sgpUpdaters.exe"
O4 - HKLM\..\Run: [renowipihu] "Rundll32.exe" "kavutiro.dll",s
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is10-soft-download.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{C05D7590-5587-45EC-9488-3025285DBA7B}: NameServer = 93.188.163.119,93.188.166.63

After clicking Fix, exit HJT.



Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below code box into it. Be sure to scroll all the way thru:

Code:

KILLALL::
AtJob::
 
File::
C:\vrhdwa.exe
C:\owhjo.exe
C:\clbwkit.exe
C:\cdgxgtxp.exe
C:\mvhe.exe
C:\scoamk.exe
C:\Program Files\795046.dat
c:\documents and settings\Debbie\rundll32.exe
c:\documents and settings\Debbie\rundll32 .exe
C:\Documents and Settings\Debbie\settings.dat
C:\Documents and Settings\Debbie\stsystra.exe
C:\Documents and Settings\Debbie\stsystra .exe
c:\documents and settings\HelpAssistant\stsystra.exe
c:\documents and settings\Debbie\Application Data\Simply Super Software\Trojan Remover\oiqBA.exe
c:\program files\795046.dat
c:\windows\system32\helper32.dll.vir
c:\windows\system32\drivers\atapi.sys.vir
c:\windows\msa.exe.vir
c:\windows\system32\warning.html.vir
c:\windows\system32\winlogon32.exe.vir
c:\windows\system32\smss32.exe.vir
c:\windows\system32\OLD177.tmp
c:\windows\system32\OLD174.tmp
c:\windows\system32\kavutiro.dll
C:\program files\internet explorer\wmpscfgs.exe
C:\WINDOWS\system32\stsystra.exe.delme139
C:\WINDOWS\system32\warning.html.vir
C:\WINDOWS\Temp\$$$dq3e
C:\WINDOWS\Temp\$67we.$
C:\WINDOWS\Temp\msetupd.log
C:\WINDOWS\temp\xsw2
 
Folder::
C:\Documents and Settings\HelpAssistant
c:\program files\Search Guard Plus
c:\documents and settings\All Users\Application Data\McAfee
c:\program files\Common Files\PC Tools
c:\program files\Spyware Doctor
C:\Documents and Settings\All Users\Application Data\RegCure
C:\Program Files\Registry Mechanic
c:\documents and settings\All Users\Application Data\RegCure
 
RenV::
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                         .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                        .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                       .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                      .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                     .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                    .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                   .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                  .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                 .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm                .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm               .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm              .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm             .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm            .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm           .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm          .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm         .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm        .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm       .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm      .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm     .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm    .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm   .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm  .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Corel\Corel Photo Album 6\mediadetect .exe
c:\program files\Dell\Media Experience\dmxlauncher .exe
c:\program files\Dell PC Fax\fm3032 .exe
c:\program files\Dell Photo AIO Printer 926\dlcxmon .exe
c:\program files\Dell Photo AIO Printer 926\memcard .exe
c:\program files\Dell Support\dsagnt .exe
c:\program files\Dell V105\dldnamon .exe
c:\program files\Dell V105\dldnmon .exe
c:\program files\Google\Google Desktop Search\googledesktop .exe
c:\program files\Google\Google Desktop Search\rundll32 .exe
c:\program files\Google\Google Desktop Search\stsystra .exe
c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\googletoolbarnotifier .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\QuickTime\qttask                           .exe
c:\program files\QuickTime\qttask                          .exe
c:\program files\QuickTime\qttask                         .exe
c:\program files\QuickTime\qttask                        .exe
c:\program files\QuickTime\qttask                       .exe
c:\program files\QuickTime\qttask                      .exe
c:\program files\QuickTime\qttask                     .exe
c:\program files\QuickTime\qttask                    .exe
c:\program files\QuickTime\qttask                   .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\QuickTime\qttask                 .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask              .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask            .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask          .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Registry Mechanic\regmech .exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
c:\program files\Trojan Remover\trjscan .exe
c:\windows\ehome\ehtray .exe
c:\windows\system32\DLA\dlactrlw .exe
c:\windows\UMStor\res .exe

Fcopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys
 
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"=-
"SUPERAntiSpyware"=-
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"=-
"QuickTime Task"=-
"DMXLauncher"=-
"FBSearch"=-
"Google Desktop Search"=-
"ISUSScheduler"=-
"SGPUpdater"=-
"renowipihu"=-

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )






Now attach the below log:

• the new updated Malwarebytes log
• the new updated SUPERAntiSpyware log
• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

The original procedures in the READ & RUN ME FIRST give you links to perform manual updates. Please use them. There was an error in my previous procedure with combofix. I needed to use a CODE box instead of a quote to maintain spacing. Please re-read and re make the CFScript.txt file

 

One of the first things I asked you to do in the last fix was to download and run PrevX and to click the Cleanup Now button. Based on your logs, you did not run PrevX because I don't see it installed. You will have to run the fix over again.

Also you are running MGTools improperly:
C:\Documents and Settings\Debbie\Local Settings\Temporary Internet Files\Content.IE5\C1S9XVGK\MGtools[1].exe

You are not downloading it and saving it to C:\MGtools.exe as instructed.

 

Okay! We have seen a few people complaining of this while others have not. Which one did you download from the download page. Look at the page again. There are 3 things you can click on and tell me which one you selected.

 

Okay that was the correct one. I guess Prevx changed their mind about providing this fix for free which is what there websites had stated. It used to work.

Let's see if we can do it with GMER and ComboFix. If this does not work, you will need your Windows boot CD. Do you have it?


Now do the following:

• Click Start > Run and copy & paste the following text (exactly as shown with the quotes) in the code box into the Run box and then click OK:

Code:

[B]"%windir%\mbr.exe" -f[/B] 

• This should create and mbr.log file on your Desktop which I want you to attach here. Attach it first and then move on to the below instructions.

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Debbie\Local Settings\Temp
Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).




Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

See if it is in C:\Windows or C:\

It just needs to be a Windows XP boot CD of any version so that the Recovery Console can be booted to and so the fixmbr can be run. Using the Recovery Console that ComboFix installs does not seem to work for this infection.

Should be okay.

 

Yes! It did not work. Try the next instructions anyway but the Windows CD is likely going to be needed.

 

To keep you going while I'm not around I will post the steps on using fixmbr. If you still see the below files after running the previous fix with ComboFix:

C:\WINDOWS\Temp\$$$dq3e
C:\WINDOWS\Temp\$67we.$
C:\WINDOWS\Temp\xsw2

Then continue on with the below using your Windows Boot CD. You will need to change your BIOS options to make sure you boot from the CD first rather than from the hard disk.


We will need to boot to the Recovery Console to remove this infection. You will need your Windows XP boot CD.

Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

You can read the below to help you do this:

http://support.microsoft.com/kb/307654


After running the fixmbr command and boot back to normal mode, continue with the below.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

We were posting at the same time. You need to do what I posted in msg # 22 since the MBR infection is still there. I will be gone for a few hours now. You will know you are fixed when those files no longer appear or when you can manually delete them.

 

Did you run my last fix with the Recovery Console and fixmbr? Those bad files still showed in your log.

 

Okay the bad files are now gone. How are things working?

 

We are going to be uninstalling your copy of FireFox and reinstalling the new version again, but in a certain order. So do the below to save bookmarks:

• Run FireFox and click Bookmarks.
• Then select Organize Bootmarks.
• Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

You will need exit FireFox now (if any of it is running) and use Internet Explorer to continue with the below until we reinstall FireFox.

Start by uninstalling FireFox and then reboot. Do not skip the reboot.

After reboot, delete the below folders:
C:\Program Files\Mozilla Firefox
C:\documents and settings\Debbie\Application Data\Mozilla

Now reinstall FireFox from the file previously downloaded.
Import your bookmarks file. (similar process to exporting).


Any change?

 

Great!


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You're welcome.

If you like Norton and don't mind paying for their software then it is okay.

Not sure what you mean? Are you referring to using Teatimer? If not, then Spybot is just a scanner and a very inferior one. You will find and remove many more problems using SUPERAntiSpyware and Malwarebytes as scanners which is why my steps recommended keeping them.

I cannot say for sure but many many many.... people get infected from FaceBook. Also many people get infected from online gaming sites.