Multiple problems related to Antivirus XP 2008

Welcome to Major Geeks!

It appears that the HijackThis program that is embedded into MGtools did not work properly. What happens if you goto the C:\MGtools folder and double click on the analyse.exe program which is just HijackThis renamed to stop malware from blocking it from running.

It looks like you may have some file system and or registry corruption that may not be so easy to fix. Things like your Uninstall Program list and more are missing from the registry. It may be true that you will need to reinstall to properly recover. We can finish removing any remaining malware but this will not repair a damage Windows Operating System.

Do you have your Windows XP CD? The next step may or may not ask you to put it into the CD drive.

Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System Rile Checker which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.

Is the below something you installed? What is it?
"MoveMinutesQuickCheck"="\"c:\\program files\\moveminute\\05091201\\movemedia.exe\" /boot"


Let's see how much of the below you can run.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You need to run GetLogs.bat and make sure you allow it to finish running and then attach the new MGlogs.zip file. Infact, delete the current MGlogs.zip file you have so there can be no mistake that it is new. Just ignore the errors about the registry editing be disabled and allow it to finish. You may have to keep clicking OK. The problems are related to what the malware has done to you.

Look for it in Add/Remove programs and uninstall it if found. Then run analyse.exe and fix the lines for it if still found.

When?

 

You did not attach anything.

 

Okay let's try something a little differently.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop ( yes overwrite the previous file with this one). Be sure the "Save as" type is set to "all files". DO NOT try to double click on it. Just save the file now and see the next instructions futher down.

• Please go to this link:http://live.sysinternals.com/
• find the psexec.exe file listed in the list and click on it and download and save it to your Desktop. Doing this properly is critical for other steps below.
• Now click Start, Run, and enter cmd and click OK. This will open a command prompt window with a prompt that shows the current folder you are in.
• For you the prompt should show C:\Documents and Settings\Family>
• Now type cd Desktop and hit the enter key. There is a space after the cd. If you do this properly, your prompt will change to C:\Documents and Settings\Family\Desktop>
• Type the below bold text and hit the enter key. This will open the Window Registry Editor. You will have to agree to the SysInternals License Agreement first that pops up.
  • psexec -s -i regedit
• In the Registry Editor click File, Import and then navigate to the fixme.reg file on your Desktop and double click on it to import it into your registry. If it works properly you should get a success message.
• If you get a success message continue on with the below, otherwise stop and explain to me any problems you had.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines (some may not exist anymore) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [MoveMinutesQuickCheck] "c:\program files\moveminute\05091201\movemedia.exe" /boot
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

After clicking Fix, exit HJT.


Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\TEMP
C:\Documents and Settings\Family\Local Settings\temp

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

You are supposed to be logging into the user account named Family and using this Desktop: C:\Documents and Settings\Family

LocalService is not an account you are to be using. It is for the system.

Are you saying the when you open a command prompt that you got

C:\Documents and Settings\LocalService>

instead of

C:\Documents and Settings\Family>

 

Well we started to get somewhere when the registry fix worked after using the psexec method. However after reboot you have new versions of the malware and file names have changed too. It appears that this malware is changing file names after each power down and or reboot. Therefore it is critical that from now on you DO NOT reboot or power down your PC after attaching any logs because the fix we would make would be incorrect as soon as you do.

All that being said, you need to see this Using MGtools which eplains the below error you were getting:

An installable Virtual Device Driver failed DII initialization

However since you cannot do registry editing, you will have a problem. You could try using psexec regedit which may allow you to make the fixes.

It is really starting to look like your fastest solution may be to reinstall. This malware as really put a load of road blocks in the way of getting things fixed. However if you want to keep trying to fix it, continue on with the below.

First install the current version of SUPERAntiSpyware and use it to scan and get a new log to attach.


Then download and run the current version of MGtools.exe and attach the new C:\MGlogs.zip file if created properly. Otherwise attach the individual logs as you have been doing.

DO NOT REBOOT or shutdown your PC after attaching these logs.

 

Please run HijackThis (Note: if using Vista, use right click and select Run As Administrator). and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

C:\DOCUME~1\Family\LOCALS~1\Temp\winwddakh.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Family/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

After clicking Fix, exit HJT.

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\Family\Local Settings\Temp

Did you attempt to fix that installable Virtual Device Driver failed DII initialization error message?

Now run SUPERAntiSpyware again and attach a new log.

 

Okay now run Malwarebytes and then run GetLogs.bat

Now attach the new logs from Malwarebytes and the new MGlogs.zip file.

 

There are more infected processes running. Have you done any reboots since I asked you not to?

See if you can kill the below two processes with HijackThis like previously done.
C:\DOCUME~1\Family\LOCALS~1\Temp\gmejl.exe
C:\DOCUME~1\Family\LOCALS~1\Temp\winwoli.exe


Then delete all files in below folder. Let me know if you cannot delete any files. A couple of tmp files may be in use by Windows but all of these EXE files need to go.

C:\Documents and Settings\Family\Local Settings\temp

 

Also please run the below and attach the requested log

Running GMER to detect rootkits

 

Please run C:\MGtools\analyse.exe ( This is really HijackThis ) by double clicking on it and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes. If these exact names do not appear, look for any others that are running from this Temp folder and kill them. If you do not find any, just continue.

C:\DOCUME~1\Family\LOCALS~1\Temp\gmejl.exe
C:\DOCUME~1\Family\LOCALS~1\Temp\winwoli.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

After clicking Fix, exit HJT.

Now use the psexec -s -i regedit procedure from message # 11 the import the fixME.reg patch into your registry again.

• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\TEMP
C:\Documents and Settings\Family\Local Settings\Temp

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Sorry to hear of your lastest problems.

This is probably the best & most trustworthy option now anyway.

The below may be useful:

http://rcc.bgsu.edu/info/Windows_XP_Installation

You can also get help in the Software Forum if you need any.

​

You always stand the risk for backing up infected files especially if any of them are executable type files; however if you are mostly backing up your own personal data, the risk is lower. There are just no guarantees. A full rescan after you reinstall would be a good idea.


You're welcome. Make sure you work thru the below after the reinstall.

How to Protect yourself from malware!

 

Exactly which files did you copy back when the problem return. It sounds like youhave something that is carrying the infection and that it goes undetected. Did the problem come back after just copying files back or did it occur after installing something??? There is a big difference.

 

Okay but did you play any of them. These files (at least some) can be considered executables and could potentially cause an infection.

This is a potential problem especially if a hacker type site has logged your IP address. Your PC needs to have protection in place before you connect to the internet. You should have had copies of your antivirus, antispyware, and firewall programs on CD and reinstalled them before physically plugging in your cable to the internet. This protection should all be in place even before you

• attempt to get any updates for Windows or any other programs
• copy anything back from your external drive.

You may need to start over.

 

If may be necessary to start over from a new reinstall and go more slowly to see if you can identify where the problems are coming from. It still is possible that your backups are not infected and that you are just getting reinfected from the internet due to connecting before proper protection is in place.

Your antivirus scanner or online scanners may or may not detect the problems. It may be a slow process to scan all files in question.

For antivirus, Avast, Avira, and AVG get about equal recommendations. Some people are starting to dislike the bloat of the new AVG8. For antispyware, the paid version of SUPERAntiSpyware is a favorite.