Cannot run any software!!??

Discussion in 'Malware Help (A Specialist Will Reply)' started by trase80, Dec 30, 2007.

  1. trase80

    trase80 Private E-2

    I was infected with a virus or malware or spyware yesterday that is really driving me crazy.

    I cannot run any removal tool, for example AVG, Spy Sweeper, Spybot. The only one that is working is Spyware Doctor. It found many things but did not seem to do anything. I also cannot run any online virus scan. My task manager is disabled. My taskbar is locked and I cannot see it. There is a note saying that I am infected with spyware and when I click on it it takes me to gomyhit.com. If I'm not mistaken, before running Spyware Doctor it was also taking me to a site avscan.com or something like that.

    I also cannot cut, copy, paste or move anything.
     
  2. trase80

    trase80 Private E-2

    I tried running HijackThis but when I double-click it nothing seems to happen.
     
  3. trase80

    trase80 Private E-2

    Update

    I decided to follow the Malware Removal Guide. After running ComboFix like it asked and restarting windows after the scan Windows is no longer working.

    Can someone please help.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Update

    Welcome to Major Geeks!

    What error message do you get when trying to load Windows? How far do you get?

    Can you boot in Safe Mode?
    How about Safe Mode with Command Prompt?
     
  5. trase80

    trase80 Private E-2

    I don't know how I did it but Windows is booting again. Once it booted, ComboFix said that the log is unavailable. I was able to run Spybot, AVG Anti-Spyware and MGtools. Now when I tried to attach the logs I realised that there was no option to do so. Very weird. I feel like this thing has taken over everything. It has removed every important link, for example any button to start online virus scans and now the attach button on MajorGeeks. Maybe if I use a different browser?

    If I have to just let me know and I will save the logs on a usb drive and post them through my laptop.
     
  6. trase80

    trase80 Private E-2

    After running SuperAntiSpyware I am no longer able to get into Windows through Normal mode. Once it gets to the Windows loading page it loads for a bit and then restarts automatically. Safe mode is working.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please try using another browser to attach your logs. Also you can try flushing your browser cache and clicking refresh a couple of times. This will often work. Otherwise post them using your laptop.

    Why did you run SuperAntiSpyware? It is not part of the READ ME.

    Is your copy of Spyware Doctor a paid version or free trial? If free, uninstall it now.
    Is your copy of Spy Sweeper a paid version or free trial? If free, uninstall it now.
     
  8. trase80

    trase80 Private E-2

    Hey Chaslang, I just installed Firefox and it works fine. The attachments option is there. :)

    I uninstalled Spyware Doctor, Spy Sweeper and all the rest of the anti-spyware I had installed except for SuperAntiSpyware; I was not able to uninstall it.

    I have attached the logs from AVG and MGtools. The AVG log is from a new scan that I just did because I hadn't saved the log from the first scan I had done.

    If it is necessary I will try and run ComboFix one more time and maybe it will work better this time around. Please let me know
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure we will be able to fix all of your problems. Your log shows many of the services required for Windows to be either missing or just plain broken. Let's fix what we can and see what happens.

    Make sure that you have uninstalled Spy Sweeper and Spyware Doctor before continuing.

    Now we must disable Windows Defender's realtime protection:

    Disable Windows Defender:
    • Open Windows Defender
    • Click Tools
    • Click General Settings
    • Scroll down to Real Time Protection Options
    • Uncheck Turn on Real Time Protection (recommended)
    • Close Windows Defender
    Once your log is clean you can re-enable Windows Defender Real Time Protection.

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2
    Mozilla Firefox (2.0.0.2)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis. And click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\system32\shovth.exe


    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
    O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe
    O4 - HKLM\..\RunServices: [MSRT] svcmon.exe
    O4 - HKCU\..\Run: [Gsxlpzip] "C:\Program Files\Common Files\??crosoft\tracert.exe"
    O4 - HKUS\S-1-5-21-1614895754-838170752-682003330-1004\..\Run: [Gsxlpzip] "C:\Program Files\Common Files\??crosoft\tracert.exe" (User '?')
    O20 - Winlogon Notify: hggffda - hggffda.dll (file missing)
    O20 - Winlogon Notify: jkhfd - C:\WINDOWS\

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  10. trase80

    trase80 Private E-2

    I was just about to start when I realized that I can't open Windows Defender. When I try I get the following error: 0x800106ba.

    Can I go ahead with the rest of the steps?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can uninstall it via Add/Remove programs. Either way just continue.
     
  12. trase80

    trase80 Private E-2

    I was not able to uninstall Windows Defender or Java.
    I did go on with the rest and I attached the logs as asked.
    Unfortunately I do not see any improvements.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because only some of the problems actually got fixed completely. Some of the malware came right back. Also remember what I said: "we may not be able to completely fix your PC due to the state that it is in". Your OS is really messed up.

    I'm going to work up a fix using a different method than with Avenger. I'll post it in my next message.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must download combofix.exe to your Desktop. The fix will not work otherwise. Previously you said ComboFix did not work and I do not see ComboFix.exe on your Desktop, and that could be why it did not work.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [sis32] C:\WINDOWS\system32\winsos.exe
    O4 - HKLM\..\Run: [winroot] C:\WINDOWS\system32\winsn.exe

    After clicking Fix, exit HJT.


    Now print the below instructions because at a point during them you MUST (this can be critical) shut down all browsers. I will tell you when to exit the browsers during the multi-part procedure.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it.
    • Then attach the below new logs:
      • C:\ComboFix.txt
      • C:\MGlogs.zip
    Do you have your Windows XP boot CD?
     
  15. trase80

    trase80 Private E-2

    We forgot one thing: I can't copy, cut, paste or move anything. So I typed the text in the box and when I got to the step where I had to drag it onto ComboFix... Yup, I couldn't. This thing's got me by the balls and it's not letting go. If you tell me it's hopeless I'm just gonna try and see if any burning software works, back up everything I need and format. That's IF they work.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have not mentioned this before. How did you complete the instructions in message # 9? It could be a better idea to copy and paste the information to a CFScript.txt file on another PC (to avoid possible typing mistakes) and then copy it to this PC.

    You mean your mouse cannot drag and drop????

    Try running the steps in safe boot mode.

    If you get to this point (and you probably will even if we remove the malware), you have to be careful that you do not back up anything that could be infected.

    You did not answer my question about having your Windows XP boot CD. Do you have a WinXP SP2 bootable CD?
     
  17. trase80

    trase80 Private E-2

    For message 9 I had also typed the text myself because I cannot cut, copy or paste anything. Sometimes I am able to copy but it won't paste. In Notepad I was able to copy and paste within Notepad whatever was already in Notepad.

    My mouse does not drag or drop anything.

    I am now going to try and do the steps in safe mode and let you know what happens.

    I think I do have a Windows XP SP2 boot CD. I'm not sure but I can get one if I don't. How do I know if it is SP2?
     
  18. trase80

    trase80 Private E-2

    It did not work in safe mode so I tried something else.

    In normal mode, I right-clicked on CFscript.txt and clicked on open with combofix.exe. It worked.

    Here are the 2 logs.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, based on what I'm seeing from all of your logs accumulated thus far, this infection keeps regenerating itself after we fix the things we are seeing. I now believe that part of the reason is the below.

    Here are things I have observed
    • the infection creates at least one EXE file in every folder (or almost every folder) on your hard disk.
    • the EXE file will have the same base name as the folder it is created in. For a few examples:
      • in C:\Windows it created Windows.exe
      • in C:\WINDOWS\PCHEALTH\HELPCTR\Binaries it created Binaries.exe
      • in C:\ it created .exe ( Since C:\ has no basename the base is blank and you just get .exe ) This root folder also has a CCC9DE8D.exe infected file.
      • in C:\Documents and Settings\All Users.WINDOWS it created All Users.WINDOWS.exe
      • and so on for all folders. It probably creates it in folders as they are accessed so some folders may not initially have an EXE.
    • these EXE files are always 89088 bytes in size and have a creation date of 2007-12-29
    • in some folders more than one infected file exists and it is not using the name of the folder. Like in C:\Windows\system32 where shovth.exe, winsn.exe, and winsos.exe are all being seen.
    • I also noticed references to infected files on drive D and drive G. Which drives are these? Are they built-in hard disks or removable media? They are infected too and YOU MUST AVOID using them for anything, and do not put them into another computer. If you have other computers, you need to check them ASAP for this infection. Also if you have used a removable device it is more than likely infected and you must clean it too before putting it into another PC where it can infect it.
    You could have literally thousands of these files on your hard disk and the only way you may be able to fix this infection may be for you to disconnect from the internet, boot in safe mode, and locate every file fitting the descriptions given above for file size, naming convention, date....etc and delete all of them manually. This means you will have to go through every single folder on your hard disk one at a time to locate the infected files and remove them. And also while in safe mode you would then have to run the fixes given to remove the entries from the registry by running the HijackThis and ComboFix procedures.

    Now comes the decision of whether you want to spend the time doing the above, especially since you appear to have other major problems within your Windows OS that are causing many services not to run. And this does not seem to be part of this infection. Thus even if you can manage to find and remove all of these infected files, registry keys....etc, your PC will still be in pretty bad shape.


    Notes on additional things you can try if you wish to continue


    1) BitDefender Online Scanner

    I was just thinking about a possible online scanner named BitDefender which could possibly help in finding and removing many of these infected files. You may want to give the below a try just to see what it finds and removes.


    ****NOTE**** DO NOT INSTALL Bitdefender's Antivirus program. Make sure you follow the directions below and run the ONLINE SCANNER only.

    • Click on this link Bitdefender
    • agree to the license and then select Scan.
      • DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files.
    • Once Bitdefender completes the scan:
      • Click-on the Detected Problems tab. Then select Click here to export the scan report
      • When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt)
      • and then in the File name box change the name to bdscan, then click save.
      • This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
    If you do not follow these steps properly, you will have an incorrect log or worse a log summary which is useless to us.

    Attach the bdscan.txt file as an ATTACHMENT. It could be very large if lots of infected files are found. If this happens, you will probably have to compress the log file into a ZIP file to attach it here.


    2) SDfix Scanner

    Download SDFix and save it to your Desktop.
    • Run the SDFix.exe by double clicking on it.
    • Allow it to install into the default location which is c:\SDFix
    • Now please reboot your computer into Safe Mode (see this if you don't know how: Starting your computer in Safe mode )
    • When you have booted into safe mode, open the C:\SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry entries found and then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Attach the Report.txt file to your next message.
     
  20. trase80

    trase80 Private E-2

    I do want to format my drive. But some things I need from drive C. Mostly the things that I need are in my DC++ downloads folder, which are folders with mp3s and a few other files for school and work.

    Drive D is a partition of drive C. Most of it is also folders with mp3s and folders with compressed .img files. I would also like to keep this.

    The most important thing for me is drive G which is an internal hard drive which is also 99% folders with mp3s. It is very important for me. Another drive that is very important to me is drive H which is an external hard drive which hasn't been appearing since the infection, it is connected through USB. I will do pretty much anything to clean and save these 3 drives: D,G and H.

    I have attached the SDfix log. I was not able to run BitDefender because it does not work with Firefox and my IE won't open most links.
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Be very careful backing up anything that can be considered an executable file including MP3s. You should have them scanned on a CLEAN PC.

    It may be infected just like drive C.

    Every drive could be infected. There are no guarantees.

    Did you notice all of the files it located that were of that 89088 file size I mentioned? They are all infected and you can delete all of them yourself but I doubt it will help.
     
  22. trase80

    trase80 Private E-2

    I have decided to format drives C and D. Drive D is a partition of drive C.
    I have backed up everything that I need from those 2 drives onto DVD-R. Now the question is, once I have the PC formatted, what are the procedures I have to take before connecting my computer to the internet? And what should I do to scan and clean, if necessary, the DVD-Rs, drive G and drive H, which I haven't backed up and am leaving as they are, once my PC is formatted (G is internal and H is external)?
     
  23. trase80

    trase80 Private E-2

    After taking a quick look at the DVD-Rs where my data from drive C and D is backed up on, I know that at least 2 of the discs have those executable files.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before connecting to the internet, your PC should have the below installed
    • an antivirus
    • realtime antispyware blocking
    • additional protection from Spybot's Immunize feature and also SpywareBlaster
    • a real software firewall (the one in Windows XP is not adequate)
    • in short, see this: How to Protect yourself from malware! Obviously you cannot get updates for Windows and some other items until after being connected, but you need to have protection in place.
    None of these are trustworthy and your newly formatted drive is at risk if these other items are connected. You cannot clean a DVD-R since it is not rewritable. You could try scanning drives G & H with your antivirus and antispyware tools and also the tools mentioned in this link Alternative Scans, but you need to be very careful that you do not reinfect your system by opening or accessing infected files from the other drives and DVDs. You can look for and manually delete all the EXE files like I mentioned. However none of this is guaranteed to get you clean, especially if the antivirus programs do not properly detect and remove this infection. Your only truly safe option is to dump everything.
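The indicators chaslang lists in message # 19 (an EXE in almost every folder, named after the folder it sits in, a bare ".exe" in the drive root, and every such file 89088 bytes) and the advice in message # 24 to look for and delete those EXEs on drives G, H and the backup DVDs before trusting them both come down to the same file hunt. The script below is an added example written for this thread, not a MajorGeeks tool and not something either poster used. It only reports; deleting is left to you. The sample tree it builds is constructed to mirror the observations in the thread, and the 89088-byte figure is taken from message # 19; the creation-date filter is optional because os.path.getctime is creation time only on Windows.

```python
"""Hunt for the folder-named dropper EXEs described in the thread.

Added example, not part of the original thread or any MajorGeeks tool.
Indicators taken from message # 19: an EXE in (almost) every folder whose
base name equals the folder's own name (Windows.exe in C:\\Windows,
Binaries.exe in ...\\Binaries, a bare ".exe" in the drive root because the
root has no base name), every such file 89088 bytes. A second indicator,
size alone, catches droppers that do not follow the naming rule, like the
winsos.exe / winsn.exe / shovth.exe seen in system32.
"""
import datetime
import os
import sys
import tempfile
from dataclasses import dataclass

KNOWN_SIZE = 89088  # byte size reported in the thread for every dropped EXE


@dataclass(frozen=True)
class Finding:
    path: str        # relative to the scan root, forward slashes
    size: int
    reasons: tuple   # which indicators matched


def _folder_named(dirpath, filename, root):
    """True if filename is '<foldername>.exe' (case-insensitive). For the
    scan root we also accept a bare '.exe', which is what a drive root
    (basename '') produces under the same naming rule."""
    folder = os.path.basename(os.path.normpath(dirpath))
    candidates = {folder.lower() + ".exe"}
    if os.path.normpath(dirpath) == os.path.normpath(root):
        candidates.add(".exe")
    return filename.lower() in candidates


def find_suspect_exes(root, known_size=KNOWN_SIZE, created_on=None):
    """Walk root and return Findings for every .exe that is named after its
    folder and/or has the known size. created_on (datetime.date) is an
    optional extra filter; only meaningful on Windows, where getctime is
    the creation time. Nothing is modified on disk."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".exe"):
                continue
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
                ctime = datetime.date.fromtimestamp(os.path.getctime(full))
            except OSError:
                continue  # unreadable entry; note it and move on
            if created_on is not None and ctime != created_on:
                continue
            reasons = []
            if _folder_named(dirpath, name, root):
                reasons.append("named after its folder")
            if size == known_size:
                reasons.append(f"size == {known_size}")
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append(Finding(rel, size, tuple(reasons)))
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree(base):
    """Constructed sample layout (not real files from the thread) so the
    scan can be exercised offline. Sizes are made up except KNOWN_SIZE."""
    layout = {
        ".exe": KNOWN_SIZE,                         # drive-root dropper
        "WINDOWS/WINDOWS.exe": KNOWN_SIZE,          # both indicators
        "WINDOWS/system32/winsos.exe": KNOWN_SIZE,  # size only
        "WINDOWS/system32/app.exe": 69120,          # benign-looking, no match
        "Music/Music.exe": KNOWN_SIZE,              # both indicators
        "Music/track01.mp3": 4096,                  # not an EXE, ignored
        "Tools/Tools.exe": 2048,                    # name only; review by hand
    }
    for rel, size in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return base


def demo():
    """Build the constructed tree in a temp dir, scan it, and return
    {relative path: reasons} for every hit."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return {f.path: f.reasons for f in find_suspect_exes(tmp)}


if __name__ == "__main__":
    # With a path argument, scan that drive or folder (e.g. G:\ from a
    # clean, offline machine); without one, run against the demo tree.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = find_suspect_exes(target) if target else demo().items()
    for item in hits:
        path, reasons = (item.path, item.reasons) if target else item
        print(f"{path}  <-  {', '.join(reasons)}")
```

Run it from a known-clean machine with the suspect drive attached read-only, and treat a hit on only one indicator (Tools.exe above) as something to inspect rather than delete blindly; a hit on both indicators matches exactly what the thread describes. The scan reads file metadata only and never executes anything it finds.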
     
  25. trase80

    trase80 Private E-2

    Okay, I formatted my PC and everything seems to be fine. I actually found a way to delete all the .exe files from my G and H drives.

    I have installed like suggested in "How to Protect yourself from malware!":
    Anti-Virus
    1)AVG Free Edition
    2)a-squared (a²) Free edition

    Firewall
    1)ZoneAlarmFree

    Realtime AntiSpyWare
    1)Comodo BOClean Anti-Malware

    After the fact AntiSpyWare
    1)AVG Anti-Spyware Free Edition
    2)SpyBot-Search & Destroy
    3)SUPERAntiSpyware Free Edition
    4)SpyWare Blaster
    5)Ad-Aware Free Edition

    I would like to know which of these programs should be running all the time. Also are the paid versions of the free programs worth getting or will all of this do the job. One more thing, is AVG Anti-Spyware's "guard.exe" necessary?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Things that should always be running:
    • AVG Free Edition
    • ZoneAlarmFree
    • Comodo BOClean Anti-Malware
    a-squared (a²) Free edition is not a necessary item to install. It just gives a background scanner as additional support for what your antivirus does. It provides no active protection unless purchased.

    After you run the free versions of the tools for a while, decide whether you like them or not. If you do, it would be worth purchasing the full versions to get additional features and also full support. It also supports continued development of programs like this. However, it is not necessary to purchase them as the free tools do work quite well. It is just a matter of limited or no support, and some features will be missing.

    The guard.exe service that is part of AVG Antispyware is required for full functionality of the free program even after the 15 day trial is over. You can stop the service from loading and the program will still run to do scans and remove malware but some features of the free tool may not work. Many people do choose to terminate it.

    I find it strange that you ask about this but did not ask about the processes and services that SuperAntiSpyware also loads. And if you installed Ad-Aware 2007 (which I don't recommend) it will also install a service. You don't really need to have both AVG Anti-Spyware and SuperAntiSpyware installed. One or the other is more than enough with the others that are installed, and in fact you don't really need to have either of them since they are only after-the-fact scanners.
     
  27. trase80

    trase80 Private E-2

    The reason why I asked about guard.exe is because it does not allow me to terminate the process, which I do for Ad-Aware's service and SuperAntiSpyware's.

    Anyway I really appreciate the help Chaslang. Thank you!!
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Ad-Aware 2007's service cannot be terminated. It will come back. And in fact so will SuperAntiSpyware's. Services are not normal processes. To stop a service from reloading, you must remove the service entry from the registry. Otherwise, some small amount of time after stopping the service, it will just automatically start up again.
     
