No permissions for SAS, MBAM, COMBOFIX, only root and MGTools

Discussion in 'Malware Help (A Specialist Will Reply)' started by jdoginc, Aug 9, 2009.

  1. jdoginc

    jdoginc Private E-2

I read the other threads, and tried to go through the registry but my registry did not have many of the keys, I figured it was computer specific. I also am having an issue with my laptop, I forgot to attach some logs, I have however, reattached the remainder of my logs. Any help would be greatly appreciated and I eagerly await! This is the best site ever! Hooray for the Mods and Admins that take the time to help us out!

    jdoginc
P.S. I have attached the logs I can run
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You ran SAS on Aug 6, 2009. Please attach this log first and then continue with the next instructions.:
    Code:
    "C:\Documents and Settings\HP_Owner.GINGER13\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
    Aug  6 2009       32712  "SUPERAntiSpyware Scan Log - 08-06-2009 - 21-36-57.log"

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 13

    Also uninstall the below adware:
    Media Access Startup


    Please double-click the RootRepeal.exe previously downloaded.
    • Select File then Scan
    • On the Select Drives form select drive C by "ticking" the box for drive C and click OK
    • When the scan is complete - highlight each of the following file(s) (one at a time if more than one is listed) by left clicking it. Then use right mouse click and select the Wipe File option only for each file.
      • C:\WINDOWS\win32k.sys:1
      • C:\WINDOWS\win32k.sys:2
    • After Wiping all files, immediately reboot your pc!
    After reboot, run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O15 - Trusted Zone: http://www.auctionarms.com
    O15 - Trusted Zone: http://www.facebook.com
    O15 - Trusted Zone: www.midwayusa.com
    O15 - Trusted Zone: www.thefiringline.com
    O23 - Service: AntipyPro_12 (AntipPro2009_12) - Unknown owner - C:\WINDOWS\svchast.exe (file missing)
    O24 - Desktop Component 0: (no name) - http://blst.msn.com/as/wea3/i/_blue/shadow.gif

    After clicking Fix, exit HJT.

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.




    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\HP_Owner.GINGER13\Local Settings\Temp\

    Now try to run SUPERAntiSpyware, Malwarebytes and ComboFix per the cleaning instructions.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).




    Then attach the below logs:
    • C:\avenger.txt
    • the logs from SUPERAntiSpyware, Malwarebytes and ComboFix if they ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Aug 13, 2009
  3. jdoginc

    jdoginc Private E-2

    Hey Chaslang
    My apologies for not getting back to you sooner. I am consumed on another thread here. I was also in the middle of something with TimW. I believe I was talking about my laptop and my uncle's computer between the two. I fixed my laptop but still having ISSUES with the uncle's comp. (this thread is about his computer) On my other thread, I lost the ability to launch executables. I did a million and one things, they are on the other thread. (did things like exefix.reg, deleted monopod, etc) I JUST saw your reply. I cannot find that log from 8-6, but I do have one from 8-14, not sure what it is though. I disabled messenger, I think. It says it has been installed, I then get a delete error in the upper left corner, "An error occurred while deleting file C:\program files\messenger\custsat.dll The specified procedure could not be found. (error #127)" I hit cancel box. I then receive a message saying "copy error" Do you want to continue setup wizard without copying this file? and an INF install failure..I then removed Java, could not find media access.
    Ran root repeal, found neither file
    and analyse this will not run
    not sure if you want me to deal with regedit. since i cant run it. I was able to get to it last night, I did so many things, not sure which one got me in. once i got in, that was when i deleted monopod, etc. I did command, "copy regedit.exe regedit.com" then it said "1 file copied" I then typed regedit.com and it got me into regedit. when i was there I began searching for a file to delete, when i told the computer to search it search then kicked me out of regedit, I then made it back in somehow and cant get back in again. I really do not know what to do.
    P.S. I tried uploading that SAS file, but it said invalid file. Appfix package
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just finish the rest of my instructions with the Avenger fix and make sure to redownload MGtools.exe as requested. I just updated it again a few minutes ago.
     
  5. jdoginc

    jdoginc Private E-2

    Thank you! I feel so much better, I was starting to get very depressed! Ill try to make this as brief as possible..
    1. Ran Messenger disable, checked bottom two choices, "Apply", removed but with error deleting, "c:\program files\messenger\custsat.dll error 127"; pressed "cancel", asked if I "wanted to setup w/out copying file", "yes", same error then clicked "no", received "Advanced INF Install.... INF install failure."
    2. removed java
    3. no media access startup found
    4. ran root repeal
    5. MGTools worked, lots of "access denied" lines
    6. Can't run analyse this
    7. successfully added Regedit 4
    8. ran the avenger, 1st step complete, then symantec endpoint kicked in(should I have disabled it?
    9. rebooted but no log file displayed on startup
    10. lost internet ability
    11.saved java to thumb drive from laptop, successful install of java
    12. cannot delete "mta69078.dll, mpj64624.dll both application extensions 606kb, modified on 6/26/09
    13. can't run SAS, MBAM, or combo..when I run combo, the green bar fills and then nothing.
    14.ran ccleaner
    then thought I might be able to take the SAS from thumbdrive, repair install, i get a message "error 1321. Windows Installer has insufficient privileges to modify this file, C:\program files\superantispyware\superantispyware.exe..ignored..says its successful..removed old version, reinstalled new, same error message
    15. reinstalled mbam, tried to update definitions, but no internet connection. mbam began to run but then shut off.
    16. dloaded combofix to thumb, pasted to desktop, ran, it REALLY REALLY tried, desktop icons blinked, arrow and hourglass ran...but then stopped.

    I have attached avenger and rootrepeal and mglogs.zip
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download and save this XPsp3bu.exe to your C:\ root folder. You must do this properly. Now run the XPsp3bu.exe program by double clicking on it. You may or may not notice a quick flash of a black window. This is normal. The program runs quickly and just extracts some files we need.


    We will now run Avenger again to remove some malware and also to replace some files that are missing that you need. Also we will attempt to have Avenger run ComboFix automatically at reboot time. Not sure if this will actually work but be prepared to see ComboFix and allow it to run if you see it pop up.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O15 - Trusted Zone: http://www.auctionarms.com
    O15 - Trusted Zone: http://www.facebook.com
    O15 - Trusted Zone: www.midwayusa.com
    O15 - Trusted Zone: www.thefiringline.com
    O23 - Service: AntipyPro_12 (AntipPro2009_12) - Unknown owner - C:\WINDOWS\svchast.exe (file missing)
    O24 - Desktop Component 0: (no name) - http://blst.msn.com/as/wea3/i/_blue/shadow.gif

    After clicking Fix, exit HJT.


    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. jdoginc

    jdoginc Private E-2

    hey chaslang!
    Thank you again for taking the time, really!
    1. ran xpsp3bu
    2. ran messenger delete, error 127 again, followed by inf, but success message.
    3. cant run analyse.exe
    4. pasted into avenger 1st step successful, (failure message afterwards, didnt get to read it), then it rebooted.
    5. c:\cleanup.exe "windows cannot access, then symantec popped up
    6. combofix ran (along with a "windows cannot find logon.exe"
    7. combofix updated, cf restarted, created system restore, stage 2 completed, logon.exe message again, symantec popped up, (it was disabled, it even said so in the taskbar)
    8. combo finished
    9. mgtools success.

    I also just opened my tools menu, and there is a "windows messenger" option.
    I will attach the cf log as well, it was HUGE!

    p.s. i will attach in the next post
     
  8. jdoginc

    jdoginc Private E-2

    here are the logs..thanks again. I am not saying this to bait your attention to my thread. I have searched a little for donations, does major geeks accept them? is there a place for them? Not that I will be able to do anything soon, or alot, but i do want to do what I can when i can.

    Thank you again!!
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No we do not have a formal process for donations although some of us have PayPal accounts; however this is purely at your discretion.

    First please uninstall both Malwarebytes and SUPERAntiSpyware and delete any previous copies of their installers that you may have downloaded.


    Now we need to try and use ComboFix since it was able to run last time
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files and subfolder in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\temp

    Now download, install, update and try to run scans using the below links for SUPERAntiSpyware and Malwarebytes:
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • the logs from SUPERAntiSpyware and Malwarebytes if they ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  10. jdoginc

    jdoginc Private E-2

    everything worked as you specified it would. There were no temp files to delete except for perflib..... also, i could not get my symantec to quit, I disabled it, but then it would turn back on shortly, i even went in to task manager to quit process (didnt think it would work, but i was hoping). Question about my symantec, out of the three scan options: on demand, specified times and startup, the startup is grayed out, like it is an option i have to pay for, but it is paid for, like the virus made it unavailable. should i reload it onto my computer? Here are the logs, I am scared to even have my uncle use his computer, so i will wait until after the logs check out.
    Thank You!
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    You will have to try uninstalling it. Then reboot. After reboot try reinstalling it.

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  12. jdoginc

    jdoginc Private E-2

    I really do appreciate it. Another guy on here, who will remain nameless, told me to get rid of my windows and start over. I had two different threads, for two problems, they ended up being the same. So, I cannot thank you enough for sticking with me. And now if i could just find out how to close a thread.

    Jdoginc
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    That was because you had not used the current version of MGtools in your other thread and thus the source of your problem was not visible. You were about 4 months out of date.
     
  14. jdoginc

    jdoginc Private E-2

    guess I dont need to close this thread after all. I "cannot find logon.exe..."keeps popping up. I was never able to run analyse this, so i just did. I deleted:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O15 - Trusted Zone: http://www.auctionarms.com
    O15 - Trusted Zone: http://www.facebook.com
    O15 - Trusted Zone: www.midwayusa.com
    O15 - Trusted Zone: www.thefiringline.com
    O23 - Service: AntipyPro_12 (AntipPro2009_12) - Unknown owner - C:\WINDOWS\svchast.exe (file missing)
    O24 - Desktop Component 0: (no name) - http://blst.msn.com/as/wea3/i/_blue/shadow.gif

    The only one that was not there was O23. But I did delete the rest. I was looking this over and I see there is an F2-reg-.....logon.exe" is that the one I don't want to keep popping up? I also see "O1...viruskill2009" which has some microsoft labels, but I don't remember dealing with that at all.
    sorry, bet you thought you were rid of me!
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes this is a new problem that was not there before. Also a couple other items showed up in your hosts file. Do the below.



    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Now download the current versions of ComboFix from the below link. Save ComboFix.exe to your Desktop

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe logon.exe

    After clicking Fix, exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:



    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
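The lines chaslang picks out in this post and in the earlier ones follow a few recognisable rules: a Winlogon Shell value that launches anything besides Explorer.exe, sites added to Internet Explorer's Trusted Zone (which runs with weaker security settings than the Internet zone), hooks or services whose backing file is gone, Active Desktop components pulled from a URL, and hosts-file overrides. Below is an added example, not part of the thread and not HijackThis code, that applies those rules to HijackThis-style lines so you can see why each entry was ticked. The sample lines are taken from the thread except the two O1 hosts lines and the O4 control line, which are constructed; the hostname in the second O1 line is a placeholder.

```python
"""Triage HijackThis-style lines with the rules behind the entries fixed in this thread.

Added example: not from the thread and not part of HijackThis.
"""
import re

# Sample input. All lines except the O1 and O4 ones are copied from the thread;
# the O1 lines and the O4 line are constructed (update.example.invalid is a placeholder).
SAMPLE_LINES = [
    "R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    "O15 - Trusted Zone: http://www.auctionarms.com",
    "O15 - Trusted Zone: www.midwayusa.com",
    "O23 - Service: AntipyPro_12 (AntipPro2009_12) - Unknown owner - C:\\WINDOWS\\svchast.exe (file missing)",
    "O24 - Desktop Component 0: (no name) - http://blst.msn.com/as/wea3/i/_blue/shadow.gif",
    "F2 - REG:system.ini: Shell=Explorer.exe logon.exe",
    "O1 - Hosts: 127.0.0.1 localhost",                      # constructed, the stock entry
    "O1 - Hosts: 10.0.0.1 update.example.invalid",          # constructed override
    "O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",  # constructed benign control
]

# "O23 - Service: ..." -> section "O23", body "Service: ..."
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def triage(line):
    """Return (verdict, reason) for one line; verdict is 'fix', 'ok' or 'skip'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("skip", "not a HijackThis entry")
    section, body = m.group("section"), m.group("body")

    # F2 Shell=: on XP the system.ini Shell line maps to the Winlogon Shell value.
    # Anything after Explorer.exe is started alongside the desktop at every logon.
    if section == "F2" and body.startswith("REG:system.ini: Shell="):
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return ("fix", "Winlogon Shell launches extra program(s): " + shell)
        return ("ok", "default shell")

    # O15: sites in the Trusted Zone get relaxed IE security settings.
    if section == "O15":
        return ("fix", "site in Trusted Zone weakens IE security for " + body.split(": ", 1)[1])

    # R3/O2/O23/...: a registration whose file no longer exists is dead weight at best
    # and a re-creation target for malware at worst.
    if "(file missing)" in body or "(no file)" in body:
        return ("fix", "%s entry points at a file that does not exist" % section)

    # O1: hosts-file lines. Only "127.x localhost" is stock on XP.
    if section == "O1":
        parts = body.split(": ", 1)[1].split()
        if len(parts) < 2:
            return ("skip", "malformed hosts line")
        ip, host = parts[0], parts[1]
        if ip.startswith("127.") and host.lower() == "localhost":
            return ("ok", "default hosts entry")
        return ("fix", "hosts override %s -> %s" % (host, ip))

    # O24: Active Desktop components fetched from the web.
    if section == "O24":
        return ("fix", "Active Desktop component loaded from a URL")

    return ("ok", "no rule matched")


def fix_list(lines):
    """Lines that would be ticked in HijackThis before pressing Fix."""
    return [line for line in lines if triage(line)[0] == "fix"]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict, reason = triage(line)
        print("%-4s %-60s %s" % (verdict, line[:60], reason))
```

To run it against a real log, read the file and pass its lines to fix_list; the rules are deliberately conservative and only cover the entry types seen in this thread, so an "ok" means no rule matched, not that the entry is clean.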
  16. jdoginc

    jdoginc Private E-2

    Everything went well, or at least ran. Once again, cant thank you enough!

    j
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you reinfected yourself when you installed some Sukoku junk and also JuicyAccess Toolbar. You need to choose your websites more carefully. If you keep reinfecting yourself as soon as we are finished cleaning your PC, it means you are not following the instructions we gave you in the How to protect yourself link. If this continues to be a problem, we may refuse to help you.

    Begin by uninstalling the below:
    JuicyAccess Toolbar
    Sukoku 1.0 build 114


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Sep 6, 2009
  18. jdoginc

    jdoginc Private E-2

    My apologies for not following your directions to the "t". I am working on my uncle's computer. He constantly is on firearms forums. He opens countless "jokes" while in there as well. He also opens countless forwards from people he knows. Nonetheless, they forward anything they find and I am sure many times he or they send/open things that are infected. Since I sent you that last post he has been infected with Windows security center and windows police pro. I fully understand if you no longer are willing to help. I hope that once this gets taken care of, (if you help) we will not have this prob anymore. I made it to the registry and deleted,

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows Police PRO"
    HKEY_CURRENT_USER\Software\Windows Police PRO
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Police PRO
    HKEY_LOCAL_MACHINE\SOFTWARE\Windows Police PRO

    I try and run programs and I get an "open with" dialog box and sometimes a c:\windows\system32\rundll32.exe errors. I first got one when I tried to go to the control panel to take out juicy and sukoku. I removed many of their occurrences in the regedit. I can regedit without fail in ms-dos safe mode. Man, I feel like an idiot. I am at your mercy sir.

    Jason
     
  19. jdoginc

    jdoginc Private E-2

    so fresh start this morning. All of my applications had no file associations, or at least they had them, but upon running them they claimed I needed to go to the control panel and change it in the folder options. My rndll32 s are messed i guess. I went into MGTools, ran "getlogs.bat", "fixcf.reg" and then ran the reg backup in in my root folder. I am now attempting to run your last reply
     
  20. jdoginc

    jdoginc Private E-2

    OK, well, here it is. You said that I was not following your How to protect myself link...I know I read that those that are free in your list are better than Symantec Endpoint because of system hogging. But this symantec is free, I get it from my college. And I/he is not too worried about the system hogging. Also, I hate Firefox. And I DO NOT mean to sound snide in any way, but are those the directions I was not following, or are there far many more steps I am ignoring? I ran combofix and getlogs as per your request, here they are, sir. THANKS
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should not be running anything unless we ask you to run it. Running things not requested is the fastest way to break your PC or to confuse the removal process.


    They are also better because they are better at detecting and removing malware.

    ALL the instructions in that link are important. There is so much more in there than just installing applications. FireFox is not a necessity but proper protection, properly updated software.....etc is important. The person using the machine needs to understand the info too or it is just a waste of time trying to fix the PC since like here, they will just reinfect it almost immediately unless they learn safe surfing habits.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  22. jdoginc

    jdoginc Private E-2

    My bad for gumming up the works. I just hate to get rid of something that I get for free, that usually costs a lot of money. But I guess even STDs are free too! Ran combo, ccleaner, and mg. Attached the logs, just told my uncle to stay off of his computer until we are all finished here, LOL. Thanks again.

    Ok, so I must be TOO tired even though it is 2 in the afternoon. I ran those, and now I cant find the combo file. I glanced over and it said those files from the cfscript were removed, but I just cant find it! Not sure if I need to rerun just combofix, or run all steps?

    Have a Goodn , not a Badn
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Back in msg # 17 I asked that you uninstall JuicyAccess Toolbar but I still see it. Is there a reason for this? Are you not able to uninstall it? Try using this Your Uninstaller! 2008 to uninstall it if you were having a problem.

    Run C:\MGtools\FixFA.bat by double clicking on it. Then reboot the PC.

    Tell me what problems if any remain.
     
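The "Open With" prompt and rundll32.exe errors jdoginc describes are what a broken or hijacked .exe file association looks like from the user's side, which is why FixFA.bat is run at this point. The block below is an added example, not the contents of FixFA.bat or exefix.reg (the thread does not show them) and not MajorGeeks code. It audits a .reg export of the relevant HKEY_CLASSES_ROOT keys against the stock Windows values, which are assumed from general Windows knowledge rather than from the thread: .exe maps to the exefile class, and exefile\shell\open\command is "%1" %*. The sample export is constructed; placeholder.exe stands in for whatever a hijacker would prepend so that it runs every time any program is launched.

```python
"""Check a .reg export of the .exe association for a hijacked open command.

Added example: not from the thread, not FixFA.bat/exefix.reg, not MajorGeeks code.
Expected stock values are an assumption from general Windows knowledge.
"""
import re

# Stock values (assumed, not from the thread). Keys are compared case-insensitively.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": {"@": "exefile"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
}

# Constructed export: the open command has an extra executable in front of "%1".
# placeholder.exe is a stand-in name, not a real sample.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\All Users\\Application Data\\placeholder.exe\" \"%1\" %*"
'''

# Same export with the stock command restored, for comparison.
CLEAN_EXPORT = SAMPLE_EXPORT.rsplit("@=", 1)[0] + '@="\\"%1\\" %*"\n'


def _unescape(s):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key_lowercase: {value_name: data}}.

    Only REG_SZ ("...") values are kept; hex:/dword: data is ignored because the
    association check only needs string values.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "@" if name == "@" else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def audit(text):
    """Return (key, value_name, found, expected) for every value that is off stock."""
    found = parse_reg(text)
    problems = []
    for key, values in EXPECTED.items():
        for name, expected in values.items():
            actual = found.get(key.lower(), {}).get(name)
            if actual != expected:
                problems.append((key, name, actual, expected))
    return problems


if __name__ == "__main__":
    for key, name, actual, expected in audit(SAMPLE_EXPORT):
        print("%s\\%s\n   found:    %r\n   expected: %r" % (key, name, actual, expected))
    print("clean export problems:", audit(CLEAN_EXPORT))
```

On a live machine the input would come from `reg export HKCR\exefile out.reg` (and the same for HKCR\.exe); the parser expects the Unicode text Regedit writes, so open the file with the encoding it was saved in.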
  24. jdoginc

    jdoginc Private E-2

    DANGGITT! As far as I know, it has been uninstalling. The only problem I had last time, was while running combofix, it tells me that symantec is running. I do all i can to stop that thing, click on disable, run through the program and turn off all of the options, like "dont let symantec be shut down" RTVscan always runs, I try and quit process tree...it just restarts. I will go try this thing and let you know. Thank you again.
    p.s. is there anyway to find out from where it is coming?

    Jason
     
  25. jdoginc

    jdoginc Private E-2

    He nor I have touched the computer since I sent you those logs, and there is no sign of the Juicy access toolbar, so I downloaded the your uninstaller and there is also no sign of it there. However, in the Symantec Endpoint, there is a file that keeps popping up: The first 860 occurrences say this>
    Risk=Trojan.Fakeavalert Filename=desote.exe Type=Backup Original Location=C:\WINDOWS\system32\ Status=Infected all from 1031 pm-1146pm on 9/6/09
    ----THEN on 9/7/09 at 1054 am the location switches to=C:\RECYCLER\S-1-5-21-3717218996-3398799259-454773596-1008\
    ----and THEN the original location changes to=c:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\ and stays that way 9/7/09 at 1208pm for about 4000 occurrences until 851pm same day

    when i ran mgtools\fixfa.bat, all i got was a black cmd box that blinked. Well, let me know if you REALLY hate symantec.

    Thank YOu again
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete your old logs and empty your Quarantine from Endpoint and only look at new info. We don't care about the past since we already removed those problems. We also don't care about anything reported in System Volume Information since that would be System Restore and will be removed when it is toggled after all cleaning is finished.

    Correct. It runs quickly to restore some settings and just ends.

    Not on my list of things to use.

    Download the current version of MGtools and run it. Attach a new log so we can see where things stand.
     
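chaslang's advice above amounts to a triage rule for the thousands of Endpoint entries jdoginc listed: hits whose original location is the Symantec quarantine folder or System Volume Information are rescans of material that was already dealt with, while anything else is a path where a live copy actually sat and is worth a look. The block below is an added example, not from the thread and not Symantec code, that applies that rule to entries in the key=value form jdoginc pasted (this is not Symantec's own export format). The sample lines are constructed from the paths, file name and SID given in the post; the timestamps and repeat counts are made up.

```python
"""Collapse repeated Symantec Endpoint risk entries and split rescans from live hits.

Added example: not from the thread and not Symantec code. Input format is the
key=value summary form used in the post, not Symantec's export format.
"""
import re
from collections import OrderedDict

# Locations that are rescans of already-handled material (lowercase substrings).
IGNORE_MARKERS = (
    "\\symantec\\srtsp\\quarantine\\",
    "\\system volume information\\",
)

# Constructed sample: paths, file name and SID from the post; times and counts made up.
SAMPLE_LOG = """\
2009-09-06 22:31 Risk=Trojan.Fakeavalert Filename=desote.exe Type=Backup Original Location=C:\\WINDOWS\\system32\\ Status=Infected
2009-09-06 22:32 Risk=Trojan.Fakeavalert Filename=desote.exe Type=Backup Original Location=C:\\WINDOWS\\system32\\ Status=Infected
2009-09-07 10:54 Risk=Trojan.Fakeavalert Filename=desote.exe Type=Backup Original Location=C:\\RECYCLER\\S-1-5-21-3717218996-3398799259-454773596-1008\\ Status=Infected
2009-09-07 12:08 Risk=Trojan.Fakeavalert Filename=desote.exe Type=Backup Original Location=C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\SRTSP\\Quarantine\\ Status=Infected
2009-09-07 12:09 Risk=Trojan.Fakeavalert Filename=desote.exe Type=Backup Original Location=C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\SRTSP\\Quarantine\\ Status=Infected
2009-09-07 12:10 Risk=Trojan.Fakeavalert Filename=desote.exe Type=Backup Original Location=C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\SRTSP\\Quarantine\\ Status=Infected
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Risk=(?P<risk>\S+) Filename=(?P<file>\S+) Type=(?P<type>\S+) "
    r"Original Location=(?P<loc>.+?) Status=(?P<status>\S+)$"
)


def summarize(text):
    """One record per (location, file, risk) with count, first/last time and a triage verdict."""
    groups = OrderedDict()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # not in the expected form; skip rather than guess
        key = (m.group("loc").lower(), m.group("file").lower(), m.group("risk"))
        g = groups.setdefault(key, {
            "location": m.group("loc"), "file": m.group("file"), "risk": m.group("risk"),
            "count": 0, "first": m.group("ts"), "last": m.group("ts"),
        })
        g["count"] += 1
        g["last"] = m.group("ts")
    for g in groups.values():
        loc = g["location"].lower()
        g["triage"] = "ignore" if any(mark in loc for mark in IGNORE_MARKERS) else "review"
    return list(groups.values())


def to_review(text):
    """Only the locations where a live copy was found, i.e. not quarantine or restore points."""
    return [g for g in summarize(text) if g["triage"] == "review"]


if __name__ == "__main__":
    for g in summarize(SAMPLE_LOG):
        print("%-6s %5d  %s .. %s  %s  %s" % (
            g["triage"], g["count"], g["first"], g["last"], g["file"], g["location"]))
```

Note what the rule does not do: it does not declare the RECYCLER path benign just because it is not quarantine; it only separates the entries that still need a human decision from the ones chaslang says to discard, which is the point of emptying the quarantine and reading fresh logs.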
