Can't run SpyBot or Hijackthis, SUPERAntiSpyware crashes on install

mrfettucini · Jun 17, 2009

Hi I definitely have a bunch of nasty trojans and/or viruses. They were redirecting all my web pages for a while but I found a tool called Exterminate It! and bought it and I think it got rid of Zlob, SpyDldr.J, CnsMin and some BHO's. CWShredder also removed one thing. My browsers arent redirecting anymore but there are definitely some nasty things still on the computer.

I downloaded Webroot Antivirus, SpySweeper and CyberDefender and ran them and they each picked up a few things but before taking further action and removing things I wasn't sure about I thought I'd come over here and seek some help. Some other things my Avira AntiVir Professional picked up but I don't think cleaned are TR/Dropper.Gen and TR/Alureon.14848J. I also noticed Scansoft Shared in my startup items.

When I try to launch Spybot or Hijackthis they just shut down. I disabled TeaTimer in startup items and it was running currently so I killed the process.

I went through the READ & RUN ME FIRST guide up until the Windows XP steps where I cannot get past the first step of installing SUPERAntiSpyware because it immediately crashes and says An unhandled win32 exception occurred. I tried renaming it to SAS.exe but that didn't work. I also tried running Malwarebytes and ComboFix but they do the same thing as Spybot and Hijack this - they just never start up.

Help!!! This computer has my lifes work on it and, shame on me, I haven't backed up in a while.

Thank you,
Mike

mrfettucini · Jun 17, 2009

mrfettucini said: ↑

Hi I definitely have a bunch of nasty trojans and/or viruses. They were redirecting all my web pages for a while but I found a tool called Exterminate It! and bought it and I think it got rid of Zlob, SpyDldr.J, CnsMin and some BHO's. CWShredder also removed one thing. My browsers arent redirecting anymore but there are definitely some nasty things still on the computer.

I downloaded Webroot Antivirus, SpySweeper and CyberDefender and ran them and they each picked up a few things but before taking further action and removing things I wasn't sure about I thought I'd come over here and seek some help. Some other things my Avira AntiVir Professional picked up but I don't think cleaned are TR/Dropper.Gen and TR/Alureon.14848J. I also noticed Scansoft Shared in my startup items.

When I try to launch Spybot or Hijackthis they just shut down. I disabled TeaTimer in startup items and it was running currently so I killed the process.

I went through the READ & RUN ME FIRST guide up until the Windows XP steps where I cannot get past the first step of installing SUPERAntiSpyware because it immediately crashes and says An unhandled win32 exception occurred. I tried renaming it to SAS.exe but that didn't work. I also tried running Malwarebytes and ComboFix but they do the same thing as Spybot and Hijack this - they just never start up.

Help!!! This computer has my lifes work on it and, shame on me, I haven't backed up in a while.

Thank you,
Mike
Click to expand...

Found that I could run MGtools. My MGlogs zip file is attached.

Thanks,
Mike

TimW · Jun 19, 2009

You were instructed to put msconfig in normal startup mode. Please do that now.

You were also instructed to turn off Teatimer. Which may be partially responsible for your inability to run the scans.

* Run Spybot and click Mode
* Select Advanced Mode.
* Then click Tools and select Resident.
* Now in the right window pane, uncheck TeaTimer.
* Also while this is open, in the left column now select IE Tweaks
* and then in the right pane make sure all the Miscellaneous locks are unchecked.
* Now quit Spybot!

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - (no file)
O2 - BHO: (no name) - {A4CC8907-3EA6-49EE-8B74-D09660120910} - (no file)
O2 - BHO: (no name) - {F286500C-177A-4316-9E88-9814FBB1DC3D} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - (no file)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.6.0_04) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -
O20 - AppInit_DLLs: i5u476j8n7.dll,C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
Click to expand...

NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SpySweeper"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL"

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A4CC8907-3EA6-49EE-8B74-D09660120910}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F286500C-177A-4316-9E88-9814FBB1DC3D}]

Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now clean out everything in these folders ( you will not be able to remove items from today):
C:\WINDOWS\Temp\
C:\Documents and Settings\end user\Local Settings\Temp\

Now see if you can run the other scans and if so attach the logs.

Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* SAS, MBAM, Combo
* C:\MGlogs.zip

Log in or Sign up

Can't run SpyBot or Hijackthis, SUPERAntiSpyware crashes on install

mrfettucini Private E-2

mrfettucini Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member