Antivirus programs wont open

[multimedia]

All right so another of my computers is infected.

I saw that Personal AV somehow made it on there even though I havent used the computer in months. So I deleted the folder in the Program Files. Also in there is a folder called sFX which I cannot delete

However there is still a problem. Firefox does not work as it gives me the timed out message. When it does work, all search engines do not work. Although I can go to the sites such as google.com or yahoo.com, search results do not show up.

Also, when I try to doubleclick on the usb drive, it brings up Notepad and gives me an error with Catalyst Control Centre. Another error is with Generic Host Process for Win32 Services.

Did everything in the read and run me first except step 6
This is because even after installing these programs they will not run.
Superantispyware just wont install, giving me an error

Any ideas?

[multimedia]

btw here are the MGlogs which I forgotten to attach

[multimedia]

new MGlogs

[chaslang]

What is the below huge file? If unknown, you should delete it.

Code:

C:\Documents and Settings\Hiep\My Documents\
nf1258.exe    Jun 18 2009   449548956  "NF1258.exe"

Now you need to edit your C:\Windows\win.ini file and delete the below line at the end of the file.
DLL_PATH=C:\Program Files\DoubleD\GamingHarbor Toolbar\4.1.3.20290



Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: Media Access Startup - {25B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Media Access Startup\1.5.0.850\HPIEAddOn.dll
O2 - BHO: NP Helper Class - {35B8D58C-B0CB-46b0-BA64-05B3804E4E86} - C:\Program Files\Internet Saving Optimizer\3.4.0.4340\NPIEAddOn.dll (file missing)
O2 - BHO: System Search Dispatcher - {CDBFB47B-58A8-4111-BF95-06178DCE326D} - C:\Program Files\System Search Dispatcher\1.3.0.840\ssd.dll (file missing)
O3 - Toolbar: GamingHarbor Toolbar - {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - C:\Program Files\DoubleD\GamingHarbor Toolbar\4.1.3.20290\stb0.dll (file missing)
O4 - HKLM\..\Run: [PersonalAV] C:\Program Files\PersonalAV\pav.exe
O4 - HKLM\..\Run: [MSDRV] NetFilter.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp11.exe

After clicking Fix, exit HJT.



Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Quote:

Files to delete:
C:\Program Files\PersonalAV\pav.exe
C:\WINDOWS\system32\SET12.tmp
C:\windows\NetFilter.exe
C:\WINDOWS\010112010146118114.dat
C:\WINDOWS\0101120101464849.dat
C:\WINDOWS\010112010146120114.dat
C:\WINDOWS\0101120101464949.dat
C:\WINDOWS\934fdfg34fgjf23
C:\WINDOWS\ld12.exe
C:\WINDOWS\pp10.exe
C:\WINDOWS\pp11.exe

Folders to delete:
C:\Program Files\Media Access Startup
C:\Program Files\BrowserCtl
C:\Program Files\sFX

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run | PersonalAV
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run | MSDRV
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run | pp

Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager | PendingFileRenameOperations

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now see if you can run SUPERAntiSpyware, Malwarebytes, ComboFix, and RootRepeal.


Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\avenger.txt
• the logs from SUPERAntiSpyware, Malwarebytes, ComboFix, and RootRepeal if they ran.
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[multimedia]

Well I did everything you said but theyre still not working. Firefox is also opening another tab that looks like an ad everything I start it.
I did however get RootRepeal to work after a number of errors saying it could not read the boot sector.

[chaslang]

Okay the infection may have corrupted some of your downloads and installations. So we will uninstall a few things and delete some previous downloads. Then we will get new copies and install them after a reboot. Follow the steps below in the exact order written.

Uninstall SUPERAntiSpyware and Malwarebytes now.

• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Quote:

Folders to delete:
C:\Documents and Settings\All Users\Application Data\{F444439B-B473-48E8-8DE5-4CB929C79A9F}
C:\Documents and Settings\Hiep\Local Settings\Application Data\DoubleD


Files to delete:
C:\Documents and Settings\Hiep\Desktop\ccsetup222_slim.exe
C:\Documents and Settings\Hiep\Desktop\ComboFix.exe
C:\Documents and Settings\Hiep\Desktop\mbam-setup.exe
C:\Documents and Settings\Hiep\Desktop\m.exe.exe
C:\Documents and Settings\Hiep\Desktop\MGlogs.zip
C:\Documents and Settings\Hiep\Desktop\SUPERAntiSpyware.exe
C:\WINDOWS\fdgg34353edfgdfdf

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now download and install and update the below tools again:

• SUPERAntiSpyware
• Malwarebytes Anti-Malware
• combofix.exe

Now try to run SUPERAntiSpyware, Malwarebytes and ComboFix per the cleaning instructions.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\avenger.txt
• the logs from SUPERAntiSpyware, Malwarebytes and ComboFix if they ran
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[multimedia]

Well I've run into a problem, that is I cannot uninstall Malwarebytes either by using the add/remove programs or by trying to delete the folder in Program Files.
Should I use Spybot's File Shredder to try to delete them (not sure if it will works) or no? And since SUPERAntiSpyware wasnt ever installed in the first place thats done

I did the next step but I still cant run the programs besides CCleaner although it always shows up with 24KB in IE Temp Internet Files even after a few runs.

Although, this computer has two accounts. Would that be a problem

[multimedia]

I tried again and managed to uninstall Malwarebytes after trying again. Ran through the steps again and CCleaner had 0 bytes removed instead of the 24KB before I uninstalled Malwarebytes.

Still cant install those programs, Malwarebytes included. Should I uninstall Spybot as well? There is still the ad site that pops up along with the FirefoxStart homepage everytime I open Firefox or click home

[chaslang]

First please run this: Resetting Registry and File Permissions

Then continue with the below.

• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Quote:

Folders to delete:
C:\Documents and Settings\Hiep\Local Settings\Temp\is-B0BQ1.tmp
C:\Documents and Settings\Hiep\Local Settings\Temp\is-DJPR9.tmp
C:\Program Files\DoubleD
C:\Program Files\Internet Saving Optimizer
C:\Program Files\Media Access Startup

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions|{872A1C39-DF0B-4c8b-AD84-12BA24A3B781}
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions|{2224E955-00E9-4613-A844-CE69FCCAAE91}
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions|{0BA0192D-94A5-45e3-B2B8-3EC5A1A0B5EC}

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{872A1C39-DF0B-4c8b-AD84-12BA24A3B781}"=-
"{2224E955-00E9-4613-A844-CE69FCCAAE91}"=-
"{0BA0192D-94A5-45e3-B2B8-3EC5A1A0B5EC}"=-

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[multimedia]

Well I did everything. Still having the same problems though, cant install anything.
The malwarebytes installer runs but stops at the end of the percentage bar so I dont think it actually installed

[chaslang]

Quote:

Originally Posted by multimedia

Well I did everything. Still having the same problems though, cant install anything.

What happens if you log in using the Mimi user account instead of the Hiep user account?

Also what happens if you boot in safe mode and use the Administrator user account?

[multimedia]

Same thing. Nothing works in either account in regular mode or safe mode.
I also cant get into the Administrator account in safe mode since I forgot the password to that.
Also google searches are now being redirected while an ad showing a fake virus scan showed up once

Gah is there anything I can do now?

[chaslang]

First please run this: Resetting Registry and File Permissions

Now try installing the below ExploreXP program and tell me what exactly happens?

ExplorerXP


Please run this Win32KDiag - How to run and attach the requested log.


Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• C:\MGlogs.zip

[multimedia]

All right I did everything.
Installing ExplorerXP went fine, no problem in installing and it runs too
However, the Win32KDiag didnt seem to work

[chaslang]

So it looks like you can install programs. You just cannot install certain programs. Can you install and run the below?

Avira AntiRootkit Protection


Also please try running the below online scan:

http://www.superantispyware.com/onlinescan.html

Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

KILLALL::
File::
C:\WINDOWS\system32\drivers\ndisrd.sys
C:\Documents and Settings\Hiep\Local Settings\Temp\e2eD.tmp
C:\Documents and Settings\Hiep\Local Settings\Temp\etilqs_tcVr2jOCotwUx8FKiz9a
C:\Documents and Settings\Hiep\Local Settings\Temp\f41E.tmp
C:\Documents and Settings\Hiep\Local Settings\Temp\irbB.tmp
C:\Documents and Settings\Hiep\Local Settings\Temp\kodC.tmp
C:\Documents and Settings\Hiep\Local Settings\Temp\wF3i4rH_.JPG.part
C:\MGlogs.zip
Folder::
C:\Documents and Settings\Hiep\Local Settings\Application Data\Media Access Startup
C:\Documents and Settings\Hiep\Local Settings\Temp\is-3DLG4.tmp"
C:\Documents and Settings\Hiep\Local Settings\Temp\is-UETUU.tmp"

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[multimedia]

Well I cant install that first one. Gives me an error about the application configuration is incorrect

The second link worked liked a charm though. It managed to work and found plenty of stuff. After using that everything seems too work including malwarebytes, spybot and combofix.

I reinstalled malwarebytes and it seems to work. Only did the quick scan and the logs are attached. Will run through the entire cleaning procedures tomorrow and attach logs (I hope this is the correct decision)

Hopefully I'll be able to get rid of the ads that popup along with firefox homepage every time I open firefox

[chaslang]

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

KILLALL::
FF::
FF - ProfilePath - c:\documents and settings\Hiep\Application Data\Mozilla\Firefox\Profiles\jdntbh1g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.theprizeday.com/today.php|http://en-US.start2.mozilla.com/fire...-US:official\n

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[multimedia]

Still getting that popup everytime I open firefox
Doing the steps and will post later

[multimedia]

And here are the logs from the cleaning procedures.
Nothing found! And I fixed the popup by changing my homepage.
Guess I'm in the clear?

[chaslang]

Quote:

Originally Posted by multimedia

And I fixed the popup by changing my homepage.

That was going to be my next suggestion since your combofix log showed you had the below in your home page setting:

hxxp://www.theprizeday.com/today.php


Since your logs are clean, and if you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!