Unable to open any programs after 'vista security' virus.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tngirl, Apr 3, 2010.

  1. tngirl

    tngirl Private E-2

    A couple of days ago I was on...Grooveshark (I don't really remember though, but that's a safe site, right?), when a 'Vista Security Antivirus' box popped up saying you're not protected, you have a bunch of infections. It looked oddly similar to Windows Defender, which I don't use - I have McAfee - but I knew it was spyware because it wasn't mine, looked suspicious, and because I googled it :). I downloaded SUPERAntiSpyware and ran it, but I didn't change the preferences; I'm not sure how much that matters. Besides, I downloaded it from another site and wasn't given any instructions beyond how to download. I also didn't know to save it to C:\, Firefox didn't let me choose (I have now changed it to 'always ask me where to save files'). If I remember correctly SAS only found three infections and quarantined/deleted them and I restarted my computer. Ever since, I haven't been able to open anything without a "choose a program to open this file:" window appearing. The only way I can open Firefox is if I click on it from the 'open with' window.

    I ran the READ AND RUN post and followed it to the t. I also read any post I found similar to my problem-none helped. I thought it would be safer to start a new post.

    Problems I had with running the scans: I was unable to save to root (C:\); a box appeared saying I didn't have permission to save there. The only thing I could save there was MGtools. When I tried running the programs (i.e. SUPERAntiSpyware, Malwarebytes, RootRepeal and MGtools) the 'what program would you like to use to open this file' box appears. Except the ComboFix download failed, TWICE, reason given: 'C:\ComboFix.exe could not be saved, because you cannot change the contents of that folder. Change the folder properties and try again, or try saving in a different location.'

    Other problems with READ AND RUN steps: I couldn't update Java because I can't open anything after I downloaded it. I couldn't empty quarantine-type folders because I can't open McAfee; the 'what program would you like to use to open this file' box appears. I couldn't disable disk emulation software because I couldn't open Defogger after downloading; the 'what program would you like to use' box appears. I tried googling how to do it manually but didn't have any luck finding/understanding it (what's the diff.?).

    I could disable UAC and I restarted the computer. Step 3 in the Cleaning Procedure obviously didn't work out b/c I couldn't open anything. Should I continue after Step 4? I stopped there.

    Additional Info: My computer runs on the 32-bit version of Windows and I have Vista. I bought my computer used about 2 years ago so I don't have any CDs. I tried rebooting in safe mode and running SUPERAntiSpyware, which didn't work (I did this before following the READ & RUN post!), and now my computer seems to be permanently in a lower resolution. And I'm not great with computers, obviously; I kind of hate them sometimes. :)

    I hope I wasn't too specific, but I just wanted to give all and any info, especially since I don't have any logs to post, since I am unable to run any scans.

    I would REALLY, REALLY, REALLY times a MILLION love&Appreciate HELP, no matter when it comes. THANKS.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  3. tngirl

    tngirl Private E-2

    I downloaded it and saved it to C:\ (I was supposed to do that, right?). When I clicked on it to run, a window titled Registry Editor popped up with the message: "cannot import C:\Users\owner\AppData\Local\Temp\Temp1_xp_exe_fix.reg: Not all data was successfully written to the registry. Some keys are open by the system or other processes."

    Thanks for Responding.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We need to try and get logs somehow...

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt, each followed by the Enter key. The text before <-- on each line is the command; the text after it is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
     
  5. tngirl

    tngirl Private E-2

    When I entered cd \MGtools I got: The system cannot find the path specified.
    When I entered ShowNew I got: 'ShowNew is not recognized as an internal or external command, operable program or batch file.' I got the same when I entered GetRunKey.
     
  6. tngirl

    tngirl Private E-2

    IT'S A MIRACLE!!! I just tried opening programs and they're working!!! (without the annoying 'open with' box). I can open McAfee and SUPERAntiSpyware!!! I haven't done anything to fix my computer since I posted on here!! My computer still doesn't seem right, though, and there is a Windows security alert icon on the task bar that seems suspicious. Should I rerun the READ & RUN sticky?
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well from what I gather you were not able to complete any of the R&R. So yes, run the procedures in the correct order and attach logs once done. :)
     
  8. tngirl

    tngirl Private E-2

    I ran the READ & RUN sticky and have uploaded my logs (not sure if I uploaded the right thing for MGtools). While running ComboFix, McAfee kept popping up with 'registry change detected' windows; I exited them after a while. I know it said not to touch the computer while it was running, but it seemed to stall ComboFix. I thought I had totally disabled McAfee. Then the first time I ran RootRepeal it kept stalling at C:\Windows\winsxs\Manifests\ (does it usually stop there for a long time?). I thought it was because of McAfee, b/c of what happened while running ComboFix; I waited maybe an hour and stopped it and reran it (probably wasn't supposed to do that). The second time I ran it (I fell asleep waiting for it), it was on C:\Windows\winsxs\Manifests\ for a long time. When I woke up it was gone; the only window open was McAfee, which had run a scan. I was POSITIVE I had disabled it! Then I ended up uninstalling McAfee (out of anger); I hope this didn't mess anything up. Then I reran RootRepeal again and this time it stopped at the same place (..manifests..) and made an error beeping sound and closed, so that's why there's no log for that. BTW: when RootRepeal was running, in the right column it said Locked to Windows API! Don't know if that matters.
    Also there is a red shield with an x on it in the taskbar. Should I be worried about this? (When I point my mouse over it, it says Windows Security Alerts.) And there is a red, green, blue and yellow shield on various program icons on my desktop; they weren't there before all this started.
    I'm sorry I took so long to finish scanning. THANKS
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You neglected to attach any logs at all.
     
  10. tngirl

    tngirl Private E-2

    I'm really sorry I must have done it wrong.
     


  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. I take it you were once using McAfee for antivirus but have since uninstalled it? You currently have no antivirus protecting you. I see remnants from it lurking around.

    2. Please go to Jotti's malware scan

    (If more than one file needs to be scanned, they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    • At the upload site, click the browse button.
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    Then do the same for the below files and also let me know the results:

    Code:
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    
    3. Could you please get this: 7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:


    log retrievable @ C:\collect.zip

    4. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\users\owner\AppData\Local\1632078083.dll
    C:\Users\owner\AppData\Local\0S70
    C:\Users\owner\AppData\Local\20xYJkS83BHk4
    C:\Users\owner\AppData\Roaming\Microsoft\Windows\Templates\0S70
    C:\Users\owner\AppData\Roaming\Microsoft\Windows\Templates\20xYJkS83BHk4
    C:\ProgramData\0S70
    C:\ProgramData\20xYJkS83BHk4
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    5. Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Also don't forget the collect.zip and the results from jotti.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
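    For readers unfamiliar with the CFScript format used in step 4 above, here is an added example (not part of the thread, and not ComboFix's own code) that parses a script of this shape into a plan of intended actions, so a script can be reviewed before it is dragged onto ComboFix.exe. It models only the three directives that appear in this post: KILLALL:: (terminate running processes first), File:: (one absolute path per line to delete) and Registry:: (.reg-style lines, where a key written as [-KEY] is deleted). Other ComboFix directives exist but are not modelled here; the parser reports them, and any malformed line, rather than silently dropping them. The embedded sample input is the script from this post; the same parser handles the shorter script in the later ComboFix step.

```python
"""Parse a ComboFix CFScript into a list of planned actions.

Added example, not from the forum thread and not ComboFix's own code.
Assumptions (only the directives used in the thread are modelled):
  KILLALL::  -> terminate running processes before cleanup
  File::     -> delete each listed file, one absolute path per line
  Registry:: -> .reg-style lines; a key written as [-KEY] is deleted
Anything else is recorded as unknown or as a warning, never ignored.
"""
import re
from dataclasses import dataclass, field

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::\s*$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
DELETE_KEY_RE = re.compile(r"^\[-(HKEY_[A-Z_]+\\.+)\]$")
KNOWN_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
               "HKEY_USERS", "HKEY_CURRENT_CONFIG"}


@dataclass
class CFPlan:
    kill_all: bool = False
    files: list = field(default_factory=list)        # paths to delete
    delete_keys: list = field(default_factory=list)  # registry keys to delete
    unknown: list = field(default_factory=list)      # (directive, line) not modelled here
    warnings: list = field(default_factory=list)     # malformed or suspicious lines


def parse_cfscript(text: str) -> CFPlan:
    """Walk the script line by line, tracking the current directive."""
    plan = CFPlan()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            section = m.group(1).lower()
            if section == "killall":      # flag directive: it has no body lines
                plan.kill_all = True
                section = None
            continue
        if section == "file":
            if not DRIVE_PATH_RE.match(line):
                plan.warnings.append(f"File:: entry is not an absolute drive path: {line}")
            plan.files.append(line)
        elif section == "registry":
            m = DELETE_KEY_RE.match(line)
            if not m:
                plan.warnings.append(f"Registry:: line not in [-KEY] form: {line}")
                continue
            key = m.group(1)
            hive = key.split("\\", 1)[0]
            if hive not in KNOWN_HIVES:
                plan.warnings.append(f"unknown registry hive: {hive}")
            plan.delete_keys.append(key)
        elif section is None:
            plan.warnings.append(f"line outside any directive: {line}")
        else:
            plan.unknown.append((section, line))
    return plan


def describe(plan: CFPlan) -> list:
    """Human-readable action list for reviewing a script before running it."""
    out = []
    if plan.kill_all:
        out.append("KILL   all running processes")
    out += [f"DELETE file {p}" for p in plan.files]
    out += [f"DELETE key  {k}" for k in plan.delete_keys]
    out += [f"SKIP   unmodelled {d}:: line {ln}" for d, ln in plan.unknown]
    out += [f"WARN   {w}" for w in plan.warnings]
    return out


# The script from this post, embedded as the sample input. A raw string is
# required: a path such as ...\Local\0S70 would otherwise hit the \0 escape.
SAMPLE_SCRIPT = r"""
KILLALL::

File::
c:\users\owner\AppData\Local\1632078083.dll
C:\Users\owner\AppData\Local\0S70
C:\Users\owner\AppData\Local\20xYJkS83BHk4
C:\Users\owner\AppData\Roaming\Microsoft\Windows\Templates\0S70
C:\Users\owner\AppData\Roaming\Microsoft\Windows\Templates\20xYJkS83BHk4
C:\ProgramData\0S70
C:\ProgramData\20xYJkS83BHk4

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
"""

if __name__ == "__main__":
    for action in describe(parse_cfscript(SAMPLE_SCRIPT)):
        print(action)
```

    Running the block prints one line per intended action: one KILL, seven file deletions and three registry key deletions, with no warnings. A script with a typo in a hive name, a relative path, or a line outside any directive shows up in the WARN lines instead of being executed blindly.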
     
  12. tngirl

    tngirl Private E-2

    When I entered the codes you gave me into Jotti it said 'File is empty (0 bytes)!'
    ComboFix and mgtools ran fine, I've attached the logs.
     


  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do not worry about that, they are legit files for your operating system.

    Now we need to use ComboFix once more.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\windows\TEMP\TMP0000000CBD17FDC9E5940C35
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).

    • C:\Windows\TEMP

    Please download the McAfee Consumer Product Removal Tool

    Run this > Reboot your machine > and Run it again to get rid of remnants of McAfee.

    Now I would like for you to install some antivirus! You can choose from the list of recommended ones we have here if you like:

    How to protect yourself from malware (Scroll down to section 2, antivirus)

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
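    The "delete all files in C:\Windows\TEMP except ones from the current date" step above, as an added example (not from the thread, and not how ComboFix or MGtools do it): a small Python routine that plans the cleanup first, deletes only files whose last-write date is before today, leaves subfolders alone, and records rather than aborts on files the OS refuses to delete because they are in use. The scratch folder and the sample files it builds are constructed for the demonstration; point run_cleanup() at the real temp folder to use it for real.

```python
"""Clear a temp folder of files older than today, tolerating locked files.

Added example, not from the thread and not part of any tool mentioned in it.
Mirrors the instruction "delete all files in C:\\Windows\\TEMP except ones
from the current date": today's files are kept (Windows usually holds them
open anyway), subfolders are left alone, and a file that cannot be removed
because it is in use is reported instead of stopping the run.
"""
import datetime as dt
import os
import shutil
import tempfile
import time
from pathlib import Path


def plan_cleanup(folder, today=None):
    """Split the folder's files into (to_delete, kept) by last-write date."""
    today = today or dt.date.today()
    to_delete, kept = [], []
    for p in Path(folder).iterdir():
        if not p.is_file():          # the instruction says files; leave folders alone
            continue
        modified = dt.date.fromtimestamp(p.stat().st_mtime)
        (kept if modified >= today else to_delete).append(p)
    return to_delete, kept


def run_cleanup(folder, today=None, dry_run=False):
    """Delete the planned files; return what happened so the caller can report it."""
    to_delete, kept = plan_cleanup(folder, today)
    result = {"planned": to_delete, "deleted": [], "locked": [], "kept": kept}
    if dry_run:
        return result
    for p in to_delete:
        try:
            p.unlink()
            result["deleted"].append(p)
        except PermissionError:      # in use on Windows, or not ours on POSIX
            result["locked"].append(p)
    return result


def make_sample(root):
    """Constructed sample folder: two stale temp files, one from today, one subfolder."""
    root = Path(root)
    stale = time.time() - 2 * 86400  # two days ago
    for name in ("TMP0000000CBD17FDC9E5940C35", "old_installer.tmp"):
        f = root / name
        f.write_bytes(b"\x00" * 16)
        os.utime(f, (stale, stale))
    (root / "todays_work.log").write_text("fresh\n")
    (root / "subdir").mkdir()
    (root / "subdir" / "nested.tmp").write_text("untouched\n")
    return root


def demo():
    """Build the sample in a scratch directory, run the cleanup, return a summary."""
    scratch = tempfile.mkdtemp(prefix="tempclean_")
    try:
        root = make_sample(scratch)
        preview = run_cleanup(root, dry_run=True)
        result = run_cleanup(root)
        return {
            "previewed": len(preview["planned"]),
            "deleted": len(result["deleted"]),
            "locked": len(result["locked"]),
            "kept": len(result["kept"]),
            "today_file_survives": (root / "todays_work.log").exists(),
            "subfolder_untouched": (root / "subdir" / "nested.tmp").exists(),
        }
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The dry run is the part worth keeping: on a real machine, look at what run_cleanup(folder, dry_run=True) plans to remove before letting it delete anything, since a temp folder can also hold the quarantine or working files of a cleanup tool you are still using.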
     
  14. tngirl

    tngirl Private E-2

    I ran ComboFix and the McAfee removal tool twice. I also installed Avira AntiVir Personal Edition. Then I ran MGtools again; I have attached the logs.
     


  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's better. You can now follow the final steps below: :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  16. tngirl

    tngirl Private E-2

    THANKS SO MUCH!!! Thanks for the time and energy. I'm no good with computers so I know how much work you must have put in to understand them so well!!! And I appreciate you letting me benefit from that knowledge. REALLY, I can't thank you enough for putting up with me. I will follow your last instructions religiously. THANK YOU. THANK YOU. THANK YOU!!!!!!!
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome. :) Safe surfing!
     
