Worm/Trojan/Virus-Cannot boot other than safe mode.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mzchvz, Sep 4, 2009.

  1. Mzchvz

    Mzchvz Private E-2

    I am running 32-bit Vista. I have not had a virus in quite some time. I run Avira as my anti-virus; also, on occasion, I'll use HouseCall just as an added precaution. Yesterday morning all was fine, I left, came back and I had a bunch of pop-ups from Avira. As I clicked the deny button for each of them, more popped up. A window, that resembled greatly the Windows protection logo, popped up to install. I presumed this was part of the update that had recently taken place. This caused quite a few more issues, all with the same names as the issues previously detected with Avira. The only other thing I can come up with, as to where this came from, was an email I received when trying, once again, to delete a tagged.com account. Below are issues I encountered during each step of the r&r.

    -boots only in safe mode
    -will not allow me to uninstall anything (ask toolbar etc)
    -says windows installer is not installed correctly
    -Message when attempting to run superantispyware.exe:
    "a problem has caused the program to stop working correctly."
    -I have rebooted and continue to get the same message box.
    -Was able to install Malwarebytes, but when I tried to run the program, nothing happens
    -Tried to run ComboFix. Again, nothing happens.
    -Rebooted, tried again, still nothing.
    I have used CCleaner for quite some time, and already had HJT; ran CCleaner as directed and ran HJT after everything else. Attached are the logs from HJT, RootRepeal and MGlogs.zip.
    These were all I could get to run.
    Thank you.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Please double-click the RootRepeal.exe previously downloaded.
    • Select File then Scan
    • On the Select Drives form select drive C by "ticking" the box for drive C and click OK
    • When the scan is complete, highlight each of the following file(s) (one at a time if more than one is listed) by left-clicking it. Then right-click and select the Wipe File option only, for each file.
      • C:\Windows\System32\kbiwkmctomoimx.dll
      • C:\Windows\System32\kbiwkmcvxistuw.dat
      • C:\Windows\System32\kbiwkmofjxxrrv.dll
      • C:\Windows\System32\kbiwkmowpsuywt.dat
      • C:\Windows\System32\drivers\kbiwkmvumxtqqp.sys
    • After Wiping all files, immediately reboot your pc!

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\twext.exe,
    O2 - BHO: (no name) - MRI_DISABLED - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [7EE983E52D57964A] C:\Windows\system32\7EE983E52D57964A.exe
    O4 - HKCU\..\Run: [Protection System] "C:\Program Files\Protection System\psystem.exe" -noscan
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    After clicking Fix, exit HJT.

    Uninstall the below software:
    Ask Toolbar
    Java(TM) 6 Update 13
    Java(TM) 6 Update 6


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after the reboot.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Users\User\AppData\Local\Temp

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now try to run SUPERAntiSpyware, Malwarebytes and ComboFix per the cleaning instructions.

    Now run CCleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • the logs from SUPERAntiSpyware, Malwarebytes and ComboFix if they ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
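    For anyone verifying that the persistence points named in the HJT lines above are actually gone after the fix, here is a read-only PowerShell triage script. It is an added example, not part of this thread or of MGtools; it assumes the standard Winlogon and Run registry locations and the file names listed in the RootRepeal step, and it only reports, never deletes.

    ```powershell
    # Added triage script (not from the thread). Audits the persistence locations
    # that appear in the HJT lines above and reports anything outside the baseline.
    # Read-only: it changes nothing on the system.
    $expectedUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'

    # 1. Winlogon Userinit: the F2 line showed twext.exe chained after userinit.exe.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    foreach ($entry in ($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if ($entry -ine $expectedUserinit) {
            Write-Output "SUSPECT Userinit entry: $entry"
        }
    }

    # 2. Run keys: the O4 lines showed a 16-hex-digit exe in system32 and a rogue
    #    "Protection System" entry; list every value and flag those two patterns.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PowerShell's own PS* metadata properties
            $cmd = $props.$name
            if ($name -match '^[0-9A-F]{16}$' -or $cmd -match '\\[0-9A-F]{16}\.exe') {
                Write-Output "SUSPECT Run value (hex-named executable) in ${key}: $name = $cmd"
            } elseif ($cmd -match 'Protection System') {
                Write-Output "SUSPECT Run value (rogue AV name) in ${key}: $name = $cmd"
            } else {
                Write-Output "Run value in ${key}: $name = $cmd"
            }
        }
    }

    # 3. Files named in the RootRepeal step: report which are still present.
    $files = @(
        'System32\kbiwkmctomoimx.dll', 'System32\kbiwkmcvxistuw.dat',
        'System32\kbiwkmofjxxrrv.dll', 'System32\kbiwkmowpsuywt.dat',
        'System32\drivers\kbiwkmvumxtqqp.sys'
    )
    foreach ($f in $files) {
        $p = Join-Path $env:SystemRoot $f
        if (Test-Path -LiteralPath $p) { Write-Output "PRESENT: $p" } else { Write-Output "absent: $p" }
    }
    ```

    Run it from an elevated PowerShell prompt; a clean result is a Userinit value containing only userinit.exe, no SUSPECT Run values, and every listed file reported absent.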
     
