Trouble with "READ & RUN ME FIRST. Malware Removal Guide"

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by muukiithefinn, Apr 7, 2008.

  1. muukiithefinn

    muukiithefinn Private E-2

    Hi there,

    Long-time reader, first time poster....

    I've been running through the steps on the READ & RUN ME FIRST page, trying to fix up this computer I've inherited.

    I've gotten as far as the Windows XP Cleaning Procedure page and tried to run combofix.exe as instructed and ran into a snag:

    The little blue window was up and running through its scan when it seemed to pause. It never re-started, and I waited for well over an hour. I didn't touch my mouse through the whole process, and no other browsers were running or anything.

    At this stage there were no other icons or toolbars on the desktop at all. Just the paused ComboFix window.

    I made the decision to re-boot, and now ComboFix won't run at all. I've tried deleting it and re-downloading but the same thing keeps happening: when I run the program, the blue window pops up for a fraction of a second and then disappears. Nothing else happens.

    My desktop clock is still in 24 hour time.

    What gives?

    Any advice is appreciated...
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Just skip ComboFix and continue.

    This happened because ComboFix never finished.

    You can fix your clock from Control Panel -> Regional and Language Options and then on the Regional Options tab click the Customize button, then on the next form click the Time tab. Then change the Time format to what you want. It explains there what the lower case and upper case letters will do. Upper case H is giving you 24 hour clock settings.
     
  3. muukiithefinn

    muukiithefinn Private E-2

    So, CAN I get ComboFix to finish? You suggest that it's not that important, but isn't it possible for this problem to be caused BY malware?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No, I did not say it is unimportant. I just said skip it since you have a problem getting it to run.

    Yes, this can happen due to malware, which is one of the reasons we say you must rename it to cf.exe. This solves the problems with some malware that tries to block ComboFix. However, about 1% of all PCs just cannot run ComboFix for unknown reasons.
     
  5. muukiithefinn

    muukiithefinn Private E-2

    I see. I did rename it, but this still happened. I guess I'm one of the 1% then...
    I guess I'll carry on through the steps, thanks.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well it looks like just recently, more and more people are having this same issue. It could be that malware has caught on to our trick of renaming ComboFix.exe to cf.exe or they may even detect the program in other ways. Please do me a favor and try it one more time, but rename it to CFix.exe and change the instructions accordingly to run this. If this does not work then please just continue on thru all other steps.
     
  7. muukiithefinn

    muukiithefinn Private E-2

    OK, that was weird. I did as you instructed and left the room while the scan seemed to be running.

    When I came back to the computer it had a pop up window that stated:

    DLL Initialization Failed
    The application failed to initialize because the window station is shutting down.
    (there was also a big OK button)

    When I hit the OK button, the computer froze.

    After re-boot, ComboFix popped up and completed some tasks (?) and issued a report!

    It made sure to tell me not to run any programs while it was working.

    Is that the way it's supposed to work?

    I've attached the scan log...
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not quite. The DLL Initialization Failed message is not normal. The rest is.

    Note I saw Spybot's Teatimer running. You need to disable Teatimer as requested in the READ ME. It may have even been causing you difficulties getting ComboFix to run.

    Please continue on with the rest of the READ & RUN ME and attach the other requested logs (SUPERAntispyware, Malwarebytes, MGtools)
     
  9. muukiithefinn

    muukiithefinn Private E-2

    Strange, I DID disable tea timer previously. There is something odd on this machine, methinks. Is it possible that some malware is screwing with the settings like this?

    I should maybe mention at this point, that at the very beginning of this process, I tried to remove a program called "AutoUpdate" using the Add/Remove function, but it reappears every time I repopulate the list. Perhaps the problems are related to this?

    I will continue and post the results later today hopefully.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Once we get the logs, we can continue to help you more. Autoupdate may be a valid program.
     
  11. muukiithefinn

    muukiithefinn Private E-2

    Okay, suddenly I'm having difficulty attaching files. Perhaps malware related? I press that button now, and nothing happens. Even with my pop-up blocker disabled.

    Can I email them somehow, or do you have another alternative? I have all the scan logs now.
     
  12. muukiithefinn

    muukiithefinn Private E-2

    Nevermind, I have it working now...

    Here they are.

    Again, thanks for all your help. Hopefully we can fix this!
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I suspected, AutoUpdate is just due to you having installed DivX. It is not a problem. You don't have any malware. You do have a major problem though. You ignored the early paragraphs of the READ ME where we specified to only use one antivirus. You have AVG Free and Norton Internet Security installed. One of these has to be uninstalled immediately.

    You should also do the below which is just a couple of performance tweaks and removal of some unnecessary items.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {39D64E27-E012-4EC6-D054-64550DF17F4C} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    After clicking Fix, exit HJT.
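A way to triage HijackThis lines like the five above mechanically, as an added example that is not part of this thread or of HijackThis itself: it parses the quoted entries (embedded as constructed sample input), pulls out the display name, CLSID and path, and flags entries whose target file is gone, which is what makes the O2 and O9 lines safe to fix. The section codes O2 (BHO), O4 (autostart) and O9 (IE extra button / Tools menu item) are HijackThis's own; the verdict wording is this example's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the five HijackThis lines quoted in the post above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {39D64E27-E012-4EC6-D054-64550DF17F4C} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")   # HJT's tags for entries whose binary is gone
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Either a quoted path, or a bare drive path running up to ' (file missing)' / end of line.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\.+?)(?= \(|$)')

@dataclass
class HjtEntry:
    section: str            # O2 = BHO, O4 = autostart, O9 = IE extra button / Tools menu item
    name: str
    clsid: Optional[str]
    path: Optional[str]
    orphan: bool            # True when the entry points at a file that no longer exists

    @property
    def verdict(self) -> str:
        if self.orphan:
            return "remove: dead registry entry, its file is gone"
        if self.section == "O4":
            return "optional: startup item, disable unless the program must auto-run"
        return "review: live entry, check the publisher before touching it"

def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Split one 'Oxx - ...' log line into section, display name, CLSID, path and orphan flag."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    bracket = re.search(r"\[(.*?)\]", body)   # O4 carries the name in [brackets]; O2/O9 after 'kind: '
    name = bracket.group(1) if bracket else body.split(": ", 1)[-1].split(" - ")[0]
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return HjtEntry(section, name, clsid.group(0) if clsid else None,
                    (path.group(1) or path.group(2)) if path else None,
                    any(mk in body for mk in ORPHAN_MARKERS))

def triage(log_text: str) -> List[HjtEntry]:
    # Parse every recognisable line; each entry's .verdict says what to do with it.
    return [e for e in (parse_hjt_line(l) for l in log_text.splitlines()) if e]
```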
     
  14. muukiithefinn

    muukiithefinn Private E-2

    Sorry, I didn't ignore the instructions at the beginning, but I was confused I suppose. This machine had AVG Free and the Norton Firewall, and I didn't realize that Norton Firewall is part of an anti-virus program, so I left them both. In fact, now that I've uninstalled AVG Free, the Windows Security Centre is giving me warnings that I have NO anti-virus software. Should I have uninstalled Norton instead? Is it really an anti-virus program? Pardon my confusion here.

    No malware is good news, and you are correct: there IS a lot of crud and useless stuff here that I should remove. It seems this machine's previous steward just threw as many programs as possible at the performance problem, hoping for the best.

    I'm sure I'll be able to find a post here somewhere that will recommend which programs to keep, etc.

    For instance, I think I'll start by dumping the other version of HJT, and the old version of Ad-Aware that's on here.

    I have performed the tweaks as instructed and it seems to have helped at least a bit. Some time (and better maintenance!) will tell a more complete story.

    Thanks again.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs show Norton Internet Security Suite, which is a full suite of protection software which includes an antivirus program, firewall, and other things (some unnecessary). Thus if you do not have an antivirus installed now, there is something wrong with your Norton installation. If you are going to keep Norton installed, it is highly UNRECOMMENDED to use a different antivirus program. Thus if you want Norton, reinstall their software. Otherwise uninstall ALL of Norton and install programs as recommended in the below:

    How to Protect yourself from malware!


    I do not recommend using the new Ad-Aware 2007. It is not worth the resources that it wastes by having a service running full time. It offers no active protection (unless you buy it) and it is just not that good at finding and removing real malware issues. It just makes many people panic by falsely telling you that cookies and MRU's are critical problems.
     
  16. muukiithefinn

    muukiithefinn Private E-2

    Thanks. All of these conflicting programs are definitely a big part of the problem. I've also discovered that the Norton Firewall was running concurrently with the Windows Firewall, which I gather is also UNRECOMMENDED.

    Funny thing: when I tried to disable Norton, it gave me a steady stream of pop-up warning windows which wouldn't stop until I turned it back on.

    This annoys me enough that I'll likely uninstall all of Norton's programs and run AVG instead with another Firewall. I have read on another thread that pre-installed Norton can be a pain to remove, and may take a few tries. I'll follow recommendations there, and at the "How to Protect yourself from malware!" link you provided.

    Should I start a new thread somewhere else if I have further questions about what anti-virus & anti-spyware I should be running, etc...? Not sure of the etiquette on that.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After uninstalling I recommend that you do the below.

    Run this: Norton Removal Tool (SymNRT)

    And then reboot and then run the removal tool one more time.

    Yes, since it is not related to the title of this thread. ;)
     
  18. muukiithefinn

    muukiithefinn Private E-2

    Okay, I figured as much. Just one more question regarding the "Run & Read Me First" then: Should I hold onto the programs I downloaded through this process, or should I remove them from my hard-drive?

    Thank you for all your help. Major Geeks rules!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Since some of the programs change quite frequently to keep up with malware, it is normally best that some things be redownloaded when needed. ComboFix and MGtools are the two that most definitely fit this description. I will give you our standard final instructions below which should explain things. You can decide for yourself if you wish to keep SUPERAntispyware and Malwarebytes around for on demand scanning.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Note: the space between the cf" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    2. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    3. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    4. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    5. After doing the above, you should work thru the below link:
     
  20. muukiithefinn

    muukiithefinn Private E-2

    Looks like I'm not quite out of the malware woods yet. I loaded Avast! to give it a try instead of AVG, and once I finally got it up and running (I had problems similar to when I loaded & ran ComboFix), it found 2 viruses. Avast could not repair them, so I chose move/rename instead. They are still in there and I get a warning from Avast every time I run it or a-squared.

    The files:

    C:\Program Files\Alwil Software\Avast4\DATA\moved\A0120064.dll
    C:\Program Files\Alwil Software\Avast4\DATA\moved\pskavs.dll.vir

    Am I getting a false detection here, or do I really have viruses? This machine is still very sluggish (especially when typing) and it won't allow me to update CWShredder, which is a symptom I came across on another infected machine.

    Should I go back to the start of the "READ & RUN ME FIRST" Guide?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are not problems! They are just things in Avast's Quarantine and the pskavs.dll was not a problem to begin with. Avast falsely detects some of PandaActiveScan as problems. The other file is just from System Restore and may even be the same pskavs.dll detection within a System Restore file.

    Hopefully you uninstalled AVG before installing Avast. You must never have multiple antivirus programs installed.
     
