Combofix/Windows Recovery Console problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mqw1968, Aug 28, 2008.

  1. mqw1968

    mqw1968 Private E-2

    Am currently proceeding through the READ & RUN ME FIRST Malware Removal guide for Windows XP and am trying to implement the Combofix step (the previous steps have unearthed nothing apart from some MyWebSearch stuff during the Malwarebytes Anti-Malware run).

    Not having the original system CD, I have downloaded the appropriate Windows Recovery file from http://support.microsoft.com/kb/310994 and saved it to the desktop.

    When I drag & drop this file onto the Combofix icon it appears that the Recovery Console is at first being created but then I get an error dialog box opening, entitled:

    327882R2FWJFW\hidec.exe

    "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item"

    AVG then opens an alert window identifying a "Potentially Unwanted Program!"

    C:\327882R2FWJFW\hidec.exe

    Threat name: Potentially harmful program HideExec.EV Detected on open


    Naturally, I have not allowed the Combofix to proceed further. Any help would be appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Before going any further, why are you running the READ & RUN ME? What malware problems are you having that caused you to come here to run this cleaning procedure?


    If you block the ComboFix procedure from running then obviously it will not work. If you wish to continue, you should either disable or shut down AVG. Also, if AVG still pops up a message about a "Potentially Unwanted Program" (aka PUP), you need to disregard it as it is what we are trying to run. This can be a two-way street. The tools we are running could also call AVG a PUP. ;)
     
  3. mqw1968

    mqw1968 Private E-2

    Hi chaslang!
    I'm sorting out a PC that belongs to a friend's daughter and which had been infected by FunWebProducts and MyWebSearch garbage related to her installing "fun" add-ons to Windows Live Messenger as far as I can tell (idiotic Smiley crap, methinks), along with continual CiD pop-ups.

    The PC had no updated AV installed - just a horribly out of date legacy version of McAfee, which I uninstalled - and no anti-malware had ever been run. AVG, Spybot and AdAware got rid of most of the problems, but there remained some things related to FWP & MWS which Spybot/Adaware seemed unable to totally remove....hence my search for some more learned assistance.

    The first 3 steps of the XP Cleaning procedure (SuperAntiSpyware, SpyBot and Malwarebytes AntiMalware) went smoothly, with the MAM actually finding the hard-to-shift remnants of MyWebSearch.

    I didn't want to allow the Combofix to proceed as it was apparent that the Windows Recovery Console procedure had not run properly. I hadn't disabled AVG at that point as that instruction only comes after the WRC creation in the Combofix guide.

    Anyhow.....I did get the WRC procedure to work after booting in Safe Mode and Combofix has been duly run and log created.

    BUT.....now I can't get MGTools to run properly. analyse.exe (HijackThis) crashes and I get the ProcessDLL.exe error. The zip file is created, however. Do I actually need to install the .NET stuff to get MGTools to function, or are you just advising that it should be installed for the all-round benefit of web-browsing?

    To be honest, there's not much that I can see wrong with the operation of the PC now - boots and shuts down fine and web-browsing is free from pop-ups. I'd just like some confirmation that there's not something niggly lurking in the registry that may eventually start to cause problems again. Is it worth posting the log files as they are, or is there something that can be done to get the MGTools to run correctly?

    Thanks for all your time and effort on here, btw. I'm always amazed by the breadth and depth of experience and understanding on forums like these.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not need to install .NET just for MGtools. That only affects one scan and is not always needed. It is more useful with more troublesome malware. However, yes, it is becoming more commonplace for .NET to be required for some online sites and also for many, many other programs to run properly.

    Just attach ALL 4 requested logs and we will check them out.
     
  5. mqw1968

    mqw1968 Private E-2

    Point noted about the Windows .NET update - will check that out later. First three logs attached here as requested.
     

  6. mqw1968

    mqw1968 Private E-2

    MGTools log attached here.
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.


    Now we need to cleanup some items from running ComboFix.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix.
    3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  8. mqw1968

    mqw1968 Private E-2

    Excellent news! Thanks, chaslang. Will run the registry modification/clean-up processes you detailed and report back if there are any problems.

    Many thanks again for all your efforts with this site. Am finding that the various guides are a mine of useful information, pieces of which I already knew, but it's great to have all this stuff consolidated into clear, concise instructions or recommendations.
     
  9. mqw1968

    mqw1968 Private E-2

    fixme.reg procedure was successful. All remaining clean up carried out as suggested.

    Case closed, I believe :-D

    Many thanks :major
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     