Install prevention malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jjmjets, Jul 16, 2009.

  1. jjmjets

    jjmjets Private E-2

    I recently contracted a virus while on the internet. I know this because AVG Free came up with a Warning, but before I was able to read more, the computer restarted itself. Upon reboot, I noticed that b.exe was running so I began taking steps to make sure I had the virus version of b.exe and then removing it. I tried to run AVG, but it hung up during the scan. I couldn’t open Spybot at this time. I decided to boot in safe mode and this allowed AVG to run, but still no Spybot. I then rebooted in normal mode and ran AVG again and Adaware, but still didn’t get rid of b.exe. I then shutdown system restore, and scanned using http://safety.live.com/site/en-US/default.htm. The scan found b.exe and c.exe (I have more specifics if needed).

    While this had removed b.exe, I still could not open Spybot so I knew I still had issues. I then turned to the MajorGeeks “Read and Run Me First” procedure. While I have been able to download all of the tools, I was only able to run CCleaner. All other programs will not install. When clicked, SAS does nothing to the naked eye but a process can be seen in the Task Manager. Malwarebytes runs the install, but won’t complete despite renaming the file to mb.exe as requested. I noticed that mb.exe and mbam.exe are running in processes. The install hangs up when the progress bar reaches the end. I tried to open the program and had no luck so I uninstalled because I can’t tell if it’s fully installed or not. ComboFix from the desktop only opens a process and no install window. When I tried to run RootRepeal, an initialization window opened and then the computer restarted itself. I have tried these installs in safe mode as well with the same results.

    Obviously the trend is that the malware on my computer won’t allow installations. I started to research this and learned that on Windows Home Edition, you can’t check gpedit.msc and that may be the issue. I also found a few threads that used HijackThis as a way around install issues, but I’m not sure this is the next help.

    One other symptom I noticed is that iexplore.exe starts on its own in the processes menu without opening a window.

    Sorry for the long post. I wanted to explain my previous actions in detail to the best of my ability.

    Thanks.
     
  2. jjmjets

    jjmjets Private E-2

    Ok, I realized that MGtools is not like any of the other programs in the "Read and Run Me First" thread so I just ran that. Here's the file. Hopefully it helps.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this and then see if you can run any of the other scans.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now use windows explorer and see if you can find this file :
    C:\WINDOWS\System32\d?dplay.exe ( probably dvdplay...and if so, right click it and select properties and let me know what you find).

    Now run CCleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
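    A scripted version of the d?dplay.exe check from the post above, added here as an example and not part of the thread or the MGtools package; it assumes a modern Windows PowerShell (5.1 or later) where Get-FileHash and Get-AuthenticodeSignature exist, which they did not on the XP system in this thread.

```powershell
# Added example (not from the thread): inspect any System32 file matching d?dplay.exe,
# the wildcard TimW asked about, and report the properties a helper would compare.
# Assumes Windows PowerShell 5.1+ (Get-FileHash / Get-AuthenticodeSignature available).
$pattern = 'd?dplay.exe'                       # matches dvdplay.exe and any look-alike name
$dir     = Join-Path $env:SystemRoot 'System32'

Get-ChildItem -Path $dir -Filter $pattern -File -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Path            = $_.FullName
        SizeBytes       = $_.Length
        Created         = $_.CreationTime          # a recent creation time on an OS file is suspicious
        Modified        = $_.LastWriteTime
        FileDescription = $_.VersionInfo.FileDescription   # thread saw "dvdplay placeholder Application"
        CompanyName     = $_.VersionInfo.CompanyName       # a genuine component names Microsoft here
        SignatureStatus = $sig.Status                      # Valid / NotSigned / HashMismatch ...
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
} | Format-List
```

    A genuine Windows component carries Microsoft version information and a valid embedded or catalog signature; a same-named file with empty version info, an odd company name, a fresh creation time or a NotSigned/HashMismatch status is what to report back to the helper, and the SHA256 lets it be compared against a known-good copy.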
     
  4. jjmjets

    jjmjets Private E-2

    Ok, I was able to complete all steps. Here are some results:
    1) The registry edit "successfully entered into the registry."

    2) During the reboot after running avenger, I think the computer rebooted a second time after getting to the windows screen (not sure about this as I wasn't watching, but I heard the reboot click a second time).

    3) During avenger, a box came up saying "Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c". I tried hitting try again a few times, then continue a few times, then finally on the second click of cancel it went away.

    4) The file you asked about was dvdplay.exe and under properties the description was "dvdplay placeholder Application". Under the compatibility tab it said that compatibility modes cannot be set because it's part of Windows XP.

    5) During GetLogs.bat, Sort Utility asked if I should send an error log to Microsoft which I didn't send.

    I used Internet Explorer on the infected PC for this post. I noticed that it started up on the first double-click which is an improvement. However, when I click on most links (specifically links in google searches), I get rerouted to windowsclick.com. Thank you so much for the help. I would be reformatting right now without it :(.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Even though I am not seeing these, let's run Avenger again... but first you need to turn off TeaTimer!

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run CCleaner to clean out only temp files and nothing else!

    Now try to run ComboFix and the other scans. Attach those that run and tell me what happens exactly if they do not.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  6. jjmjets

    jjmjets Private E-2

    Ok, the computer seems to have significantly improved. Thanks for all the help so far.

    Yesterday, I tried to do some work on the computer and it was having trouble booting in normal mode. After several tries, it started and I ran a defrag with Smart Defrag (I had one fail the other day so I wanted to finish). It then allowed me to install SAS and I ran a scan with the settings from Read and Run Me First. However, I allowed the scan to complete over-night and in the morning the computer was completely frozen so I restarted.

    Today, I got home and my dad had decided to try and complete some scans. He says he ran SAS which found "a ton of problems" and then closed SAS and AVG and ran Spybot which found two issues:

    Microsoft.WindowsSecurityCenter_disabled
    Win32.TDSS.rtk

    That's the best of my knowledge of his activities. Next I followed your reply:

    1) I checked and TeaTimer was off, but I turned off lock hosts file.
    2) I uninstalled windows messenger with the app
    3) Ran avenger script and comp rebooted, on reboot I got a "Windows-No Disk" exception
    4) MB ran and found a few issues
    5) ComboFix ran
    6) RootRepeal wouldn't run, it gets hung up while initializing and won't go anywhere, I waited several minutes even w/ firewall and all virus stuff off
    7) Ran MGtools

    Below are the logs. I think there are 2 SAS logs b/c I got one from yesterday, but couldn't fix any problems b/c of the freeze.
     

    Attached Files:

  7. jjmjets

    jjmjets Private E-2

    Here's the MGtools log.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet......your logs are clean.

    I would just suggest that you find and delete these:
    Now, unless you are having any other malware issues, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  9. jjmjets

    jjmjets Private E-2

    Hey thanks a lot for all your help! I'm excited to be back at fighting strength. :)
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome....safe surfing. :)
     
