Badly Infected Laptop

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by cainabel23, Jun 11, 2008.

  1. cainabel23

    cainabel23 Private E-2

    I've been trying to fix my brother's laptop, which he somehow got infected with some major malware. I can connect to the internet, but cannot download or install any software or ActiveX (which makes doing scans pretty impossible). I can install some programs in Safe Mode, but the few programs I can install won't pick up anything in this mode. I am unable to run any of these programs from a Normal Start-up. I tried following your Malware Removal instructions, but was unable to install SAS (in Normal Start-up or in Safe Mode) because I get an error message that says something like the Administrator has forbidden it. I can install Spybot, but I can't update it so I can't run the scan. Malwarebytes Anti-Malware installed, but will only run in Safe Mode (in Normal Start-up I get the error message "Runtime Error 481: Invalid Picture"). However, Malwarebytes won't detect anything in Safe Mode. I just don't know how to approach this anymore. Please Help!!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please download the MGtools.exe file as instructed in the READ & RUN ME. Then boot into safe mode and try running it. If it runs then attach the MGlogs.zip file that is created. If you get the Runtime Error 481 message then go into the C:\MGtools folder and locate the GetLogs.bat file and double click on it to see if it will run without creating an error. Let me know what happens.
     
  3. cainabel23

    cainabel23 Private E-2

    Thanks so much...I had no problems and received no error messages running MGTools in Safe Mode.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not really seeing too much in the way of malware issues in those logs. You will have to try and get some real malware scanning tools to run. Possibly using another user account if necessary.

    I do have some things that you need to do though.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to PsExec
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below Services (if you do not find them or get any errors, just continue):
      • Webroot Spy Sweeper Engine
    • Click OK until you get back to Windows.
    • Next, run C:\MGtools\analyse.exe which is really HijackThis, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste PSEXESVC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below Services (if you do not find them or get any errors, just continue):
      • WebrootSpySweeperService
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=8T6d7hoKxNoMR_k_W8HYYGXKCUo
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O20 - Winlogon Notify: Fly - C:\WINDOWS\SYSTEM32\smart.dll

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot (into normal boot mode), now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jun 12, 2008
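    The HijackThis lines chaslang asks to fix above are a small sample of the log format that this kind of triage works from. As an added illustration (not code from the thread, from MajorGeeks, or from HijackThis/MGtools), here is a Python parser for HijackThis-style entries that pulls out the section code, the referenced file path and the "(file missing)" marker, then applies a few defender-oriented sorting rules I have assumed for this example: orphaned entries (registry pointing at a file that no longer exists) are cleanup rather than live code, O20 Winlogon Notify DLLs are a logon-time persistence location worth verifying, O4 Run keys are ordinary autostarts, and an R1 entry pointing at 127.0.0.1 should be matched to whichever local program owns that port (the thread does not identify it). The sample lines are copied from post #4.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample HijackThis lines, copied from the entries quoted in post #4 of this thread.
SAMPLE_HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=8T6d7hoKxNoMR_k_W8HYYGXKCUo
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: Fly - C:\WINDOWS\SYSTEM32\smart.dll
"""

# "O20 - <body>": a section code, " - ", then the rest of the line.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First Windows path in the body that ends in a loadable/executable extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe|sys|ocx|cpl)', re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str          # e.g. "O20"
    body: str             # everything after "O20 - "
    path: Optional[str]   # first file path found in the body, if any
    file_missing: bool    # HJT's "(file missing)" marker was present


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn HijackThis-style log text into structured entries; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append(HjtEntry(
            section=m.group("section"),
            body=body,
            path=p.group(0) if p else None,
            file_missing="(file missing)" in body,
        ))
    return entries


def triage(entry: HjtEntry) -> str:
    """Sort an entry into a review bucket. These rules are assumed for this example, not HJT's own."""
    if entry.file_missing:
        return "orphan"            # registry points at a file that is gone: cleanup, not live code
    if entry.section == "O20":
        return "winlogon-notify"   # DLL loaded into winlogon.exe at logon: verify the file's origin
    if entry.section == "O4":
        return "autostart"         # Run-key autostart: check publisher and location
    if entry.section == "R1" and "127.0.0.1" in entry.body:
        return "local-url"         # points at a listener on this machine: identify the owning program
    return "info"


def summarize(text: str) -> Dict[str, int]:
    """Count entries per triage bucket for a quick overview of a log."""
    counts: Dict[str, int] = {}
    for e in parse_hjt(text):
        tag = triage(e)
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_HJT_LINES):
        print(f"{e.section:<4} {triage(e):<16} {e.path or '-'}")
    print(summarize(SAMPLE_HJT_LINES))
```

    Run on the sample, the three "(file missing)" entries land in the orphan bucket, the two Run keys are autostarts, the smart.dll Winlogon Notify hook is singled out for verification, and the ShellNext URL is flagged for port ownership rather than judged. The point of the split is the one chaslang makes in the thread: orphaned entries and old Java installs are housekeeping, and only the handful of live-code locations deserve real scrutiny.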
  5. cainabel23

    cainabel23 Private E-2

    OK, so here's how things went:

    • Could not stop or disable Spy Sweeper
    • Could not uninstall any Java entries (in Safe or Normal mode)--received error message:
      Error 1711.An error occurred while writing installation information to disk. Check to make sure enough disk space is available, and click Retry, or Cancel to end the installation.
    • Had to run Avenger twice because I messed up the entries in the Input Script Here: window
    • Had to run everything except CCleaner from Safe mode (Normal mode does not allow me to open any programs)

    Thanks again!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What happened exactly? Is Spy Sweeper showing in Add/Remove programs?

    Delete the below folder ( you may need to delete all files in the folder first)

    C:\MSI6b122.tmp

    Also look in the C:\Windows\Installer folder for any more of these MSIxxxxx.tmp files (where xxxxx is a random letter/number combo) and delete them if found.

    Now run this Windows Installer CleanUp Utility to see if there are any bad installs or uninstalls trying to run.

    Now try to uninstall all those old Sun Java versions.

    What happens when you try to run in normal boot mode?
     
  7. cainabel23

    cainabel23 Private E-2

    • Spy Sweeper does not show in Add/Remove Programs, and when I try to uninstall Spy Sweeper in Safe or Normal mode (going directly to C:\Program Files\Webroot\Spy Sweeper\unins000.exe), I get this error message:
      File "C:\Program Files\Webroot\Spy Sweeper\unins000.dat" does not exist. Cannot uninstall.
    • There is also no longer an entry in services.msc to stop and then disable Spy Sweeper...however, last time I tried, when there was an entry, the options to Start or Stop were faded out so I could not select them and when I tried to go straight to Disabling, I got the message that I could not because the service was running.
    • C:\MSI6b122.tmp was empty and I was able to delete it in Safe mode.
    • I found 45 MSIxxxxx.tmp files in C:\Windows\Installer and was able to delete them all in Safe mode.
    • When I try to run Windows Installer CleanUp Utility in Safe mode, I get this error message (which is the same message I got when trying to run SAS):
      The system administrator has set policies to prevent this installation.
    • When I try to run Windows Installer CleanUp Utility from Normal mode, I get no response.
    • For the most part, when I try to run any programs in Normal mode, I get error messages (sorry I wasn't more specific the first time)...
    • When I try to run MGTools.exe or Getlogs.bat in Normal mode, I get these error messages:
      Cannot export C:\MGtools\tmpUnKey.txt: Error opening file. There may be a disk or file system error.
      and
      Run-time error '481': Invalid picture
    • I am able to open The Avenger in Normal mode, but I get numerous error messages along the lines of:
      Error: can't open file 'C:\xxxx' (error 5: access is denied.)
      and
      Error: Could not open script file. Aborting execution! (error 6: the handle is invalid.)
      and
      Error: Could not log error messages to file. (error 6: the handle is invalid.)

    Let me know what you need next! Thanks!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This all really sounds more like problems in the registry and in the Windows OS. As I said earlier there really was no significant malware found in the logs. It would probably be a better idea for you to be posting in the Software Forum. Runtime errors could indicate registry problems. Something that may be worth a try if you can do it would be to create a NEW user account with administrator privileges and see how the new account works. If you can create it and it works better, you could try running some scanners from this account to see if anything is found.

    Also see if you can do the below.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
     
  9. cainabel23

    cainabel23 Private E-2

    I tried creating a new user account with Administrator privileges, but I'm still running into the same problems.

    When I double-clicked the fixme.reg file, I received the message:

    Information in C:\xxxx\fixme.reg has been successfully entered into the registry.

    Should I try anything different now?

    If there's not much else I can do, I certainly understand. I knew from the beginning that this would be a difficult problem to tackle...and I really, really appreciate all the help you've given me.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please clarify! Did you try to create it or did you actually create one?

    I suggest that you post in the Software Forum since your problems do not appear to be malware. Sounds to me like you may be better off reinstalling.
     
  11. cainabel23

    cainabel23 Private E-2

    Yes, I was successful in creating a new user account, but I still was unable to run any scans using this account. I had the same error messages and restrictions.

    So, you're right, I'm probably going to format and start fresh. This will solve the problem, whether it's malware or software.

    Thank you so much for your help. It's been great working with someone so knowledgeable!:)
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

