Need help

Welcome to Major Geeks!

I'm not seeing too many problems in just the MGtools logs. That is not surprising though since it is primarily an information collector and not a malware scanner. Let's fix what I do see and go from there. But we are going to need to get real scanners to run. Does Norton antivirus find anything if you run a full scan?

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
Java 2 Runtime Environment, SE v1.4.2_03
My Way Search Assistant
Spybot - Search & Destroy 1.4
Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

Make sure you reboot after uninstalling the above!

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fulldotfinds.com/pubac/ac.php?aid=147&sid=v5
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

After clicking Fix, exit HJT.



Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

What is the below that you have just installed??? Per our instructions, you must not install or run anything we do not request once you begin the cleaning procedure and until we are finished with the cleanup.

Code:

2009-06-02 23:31 . 2009-06-02 23:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-02 22:44 . 2009-06-02 22:49 -------- d-----w- c:\documents and settings\Barb\Application Data\WIPE
2009-06-02 22:44 . 2007-06-22 08:08 139776 ----a-w- c:\windows\system32\dhSQLite.dll
2009-06-02 22:44 . 2007-06-18 23:57 219136 ----a-w- c:\windows\sqlite3_engine.dll
2009-06-02 22:44 . 2009-06-02 22:44 -------- d-----w- c:\program files\Wipe

You must run MSconfig and select Normal Startup and remain in this mode as requested in step 1 of the READ & RUN ME. Currently you are in Selective Startup with something in win.ini being controlled.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKUS\S-1-5-21-3406139443-3303699381-1382333137-1007\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1 (User '?')
O4 - HKUS\S-1-5-21-3406139443-3303699381-1382333137-1007\..\Run: [MSKAGENTEXE] c:\PROGRA~1\mcafee\SPAMKI~1\mskagent.exe (User '?')
O4 - HKUS\S-1-5-21-3406139443-3303699381-1382333137-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3406139443-3303699381-1382333137-1007\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-3406139443-3303699381-1382333137-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-3406139443-3303699381-1382333137-1007\..\Run: [system tool] C:\WINDOWS\sysguard.exe (User '?')
O8 - Extra context menu item: &Search - ?p=ZUzeb004YYUS_ZUxdm265YYUS

After clicking Fix, exit HJT.

Now we need to use ComboFix to remove a bunch of malware files.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

I still see all of the below which need to be uninstall:
Java 2 Runtime Environment, SE v1.4.2_03
My Way Search Assistant
Spybot - Search & Destroy 1.4

Also you need to install the current version of Sun Java as requested in msg # 2 and in the READ & RUN ME


If you are having a problem getting anything to uninstall, try using the below:
Your Uninstaller! 2008


Also delete the below file:
C:\WINDOWS\SYSTEM32\UACfxvjticqpcnojju.log


I see Norton AntiVirus in your install list but it does not appear to be loading. Is it broken?

 

Let's finish cleaning up some misc items including getting rid of the rest of Symantec.


Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)

After clicking Fix, exit HJT.

Now we need to use ComboFix again.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run Ccleaner to clean out only temp files and nothing else!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

These are more likely a topic for the Software Forum. You should check to make sure the Print Spooler Service is running for the printer problems.

We still have a little more to cleanup. One stuck service from Symantec who just can seem to get their uninstalls to work and also one stuck service from Windows Servic Pack Installs. You did not shutdown Comodo (again you installed something we did not ask you to install and it is getting in our way) last time and ComboFix ran in reduced functionality mode and did not work properly. You must shut down ALL protection before running ComboFix.


Now we need to use ComboFix.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

My instructions did include the below line

It's your choice on whether to reinstall or not. Your Device Manager problem was more of a Windows issue than malware. It is possible that your Plug and Play service was disable and that some system files may have been missing or corrupted. Since you also had issues with print spooler service, I suspect some one has been experimenting with disabling services and may have disable things that they should not have; however it is always possible that malware was disabling Device Manager to prevent you from being able to remove the malware.

 

Your logs are clean and I don't think your network problem is due to malware. I think your system may have gotten messed up /confused by various protection programs especially Symantec. Let's try the below and if this does not help, you will have to work it out in the Software Forum or reinstall as you were thinking.

But first a note!!!! You must not run ComboFix like you did:

Combofix.exe does not belong in that folder on your G drive. It belongs on the Desktop where you have CFScript.txt as stated in all of the instructions. Not following the instructions properly can lead to a fix not working or worse....breaking your PC. Remove the below file from your Desktop and do not attempt to do this anymore:
Shortcut to ComboFix.exe.lnk

Please follow the below instructions exactly as written.


Please run the below then reboot. After reboot run it one more time.

Norton Removal Tool (SymNRT)

Now run this McAfee Consumer Product Removal Tool and then reboot!

Now uninstall COMODO Firewall Pro.


Download and save this combofix.exe TO YOUR DESKTOP.

Now we need to use ComboFix again.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

Does your Internet Connection work now!
If it does, you need to reinstall a firewall and an antivirus immediately.

 

Since all of your logs are clean and all the potential sources of possible interference with a network connection have been removed, the problem is either a a broken network card, broken windows software or configuration/setting issue on your end and you will have to debug it in more detail. Just telling me it does not work is not giving enough info. You will need to see if all settings are correct. You need to see if you can ping out of your PC. See if a different browser works. See if there are any problems showing for the network card in Device Manager. Does the network interace show a connection and that it is enabled. What does the output from ipconfig /all show if run from a command prompt. These are all really more of a topic for the Networking Forum.

Depending on how much more time you want to spend on this, you may want to consider reinstalling. The fix still could be very simple. If I was sitting at the PC, I could quickly get answers that I would need to determine the problem.

 

Try the below two tests:

ping www.google.com
ping 63.233.169.147

The first tries to get to Google via URL which means your DNS server has to work. The second uses Google's IP and does not need the DNS server.

If ipconfig /all does not show anything at all (not even an error message like command not found) thne you have no network interface cards being found. Did you run it from the command prompt (not a start, run, box)? Did you put in the proper direction for the slash ( / )? Give me exactly what is displayed after running the command.

 

You're welcome.


If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /u
     • Notes: The space between the combofix" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!