Computer Won't Boot Up, Not Hard Drive Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by specialkman, Oct 27, 2009.

  1. specialkman

    specialkman Private E-2

    I have been working with another helper in a different forum over the last week - http://forums.majorgeeks.com/showthread.php?t=201397

    We believe this is no longer a hard drive issue, but rather a virus.

    I read the "Read and Run First" post, and was able to do a few things. Unfortunately, right now, I am signed into safe mode as an administrator, and the only way I can get explorer to run was to change the name to aaa.exe and force it to run that way. So I have no Start Menu to right click on, which has limited my ability to do things.

    I deleted Viewpoint Media Player.
    I tried to download Java, but it wouldn't load.
    I ran CCleaner.
    I couldn't enable hidden files because I don't have a start menu.
    I tried to delete MyWay Search Assistant from the Add/Remove Program files menu, but got this message in response - "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed."

    I downloaded SuperAntiSpyware, Malwarebytes, ComboFix, and RootRepeal. I didn't download MGTools because I was downloading to a USB Drive, and the message said only download to the correct folder. If that was an incorrect judgement on my part, I'm sorry.

    I tried running SuperAntiSpyware, but I'm in safe mode, so it wouldn't let me.

    I installed Malwarebytes, hit Perform Quick Scan, it acted like it was going to start, then shut down.

    I ran RootRepeal. It worked for a little bit (pulled up a handful of files), then it shut down as well.

    I'm sure some of this has to do with the fact that I'm in safe mode. But I don't know enough to know if I should try and force it in normal mode (if that's even possible). I tried following the directions the forum laid out. Hopefully I did a decent job. I look forward to some more guidance and getting these bugs off my computer.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure if your problems are malware; however, we need more information like that provided by our scans to know for sure.

    Deleted? Or Uninstalled?

    Java cannot be installed in safe mode and neither can SUPERAntiSpyware.

    Just because you download MGtools.exe to your USB, there is nothing that is stopping you from copying it from the USB to the C drive as required and running it. You did say you could run the renamed Windows Explorer. You need to run it and then attach the MGlogs.zip file.

    Did you try running ComboFix?

    If you cannot run anything and get us some logs, then you may as well start making some of the specialty disks you were given info on in your other thread or you will just have to reinstall.
     
  3. specialkman

    specialkman Private E-2

    Just to clarify, I went to Add/Remove Programs and uninstalled Viewpoint Media Player.

    I downloaded MGTools to my USB drive, put it on the infected computer in the C:. When I double clicked it, another window opened briefly, then shut down. The MGTools folder did get added to the C: and its full of files.

    I then tried to run ComboFix. It came up with a message fairly quickly that said "ComboFix has detected the presence of rootkit activity and needs to reboot the machine". I hit okay and it restarted. I rebooted into safe mode where I had been before and re-ran ComboFix. And we went through the whole process again.

    I have been able to get one program to run all the way through...Win32kDiag.exe and here was the log I got from that.

    Running from: C:\Oct 2009 Cleaners\Win32kDiag.exe
    Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt
    WARNING: Could not get backup privileges!
    Searching 'C:\WINDOWS'...

    Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\assembly\temp\temp
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\assembly\tmp\tmp
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Config\Config
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\CSC\d1\d1
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\CSC\d2\d2
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\CSC\d3\d3
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\CSC\d4\d4
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\CSC\d5\d5
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\CSC\d6\d6
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\CSC\d7\d7
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\CSC\d8\d8
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\ERDNT\Hiv-backup\Hiv-backup
    Mount point destination : \Device\__max++>\^
    Cannot access: C:\WINDOWS\explorer.exe
    [1] 2007-06-13 04:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)
    [1] 2007-06-13 03:23:07 1033216 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe (Microsoft Corporation)
    [1] 2004-08-10 03:00:00 1032192 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe (Microsoft Corporation)
    [2] 2008-04-13 17:12:19 1033728 C:\WINDOWS\aaa.exe (Microsoft Corporation)
    [1] 2008-04-13 17:12:19 1033728 C:\WINDOWS\explorer.exe ()
    [1] 2008-04-13 17:12:19 1033728 C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Microsoft Corporation)

    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\ime\imejp\applets\applets
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\ime\imejp98\imejp98
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\java\classes\classes
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\java\trustlib\trustlib
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Minidump\Minidump
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
    Mount point destination : \Device\__max++>\^
    Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
    [1] 2004-08-10 03:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
    [1] 2008-04-13 17:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()
    [1] 2008-04-13 17:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

    Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\PIF\PIF
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
    Mount point destination : \Device\__max++>\^
    Cannot access: C:\WINDOWS\system32\eventlog.dll
    [1] 2004-08-10 03:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
    [1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
    [1] 1736-08-20 10:04:02 61952 C:\WINDOWS\system32\eventlog.dll ()
    [2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
    [1] 2004-08-10 03:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

    Found mount point : C:\WINDOWS\temp\7zS2.tmp\7zS2.tmp
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\temp\IXP001.TMP\IXP001.TMP
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\temp\_avast4_\_avast4_
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\Web\Wallpaper\inc\inc
    Mount point destination : \Device\__max++>\^
    Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
    Mount point destination : \Device\__max++>\^

    Finished!
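    An added triage script (not from this thread and not part of the Win32kDiag tool) that parses output in the format of the log above and flags reparse points whose destination is not a normal `\??\` NT path, plus blocked system files whose version info is unreadable, whose size differs from the ServicePackFiles copy, or whose timestamp is implausible. The sample log is constructed for the example, and treating `\??\` as the normal destination prefix is an assumption, not something the thread states.

```python
import re

# Constructed sample in the format Win32kDiag prints; the last mount point is a
# benign (also constructed) volume mount point so the rules have a negative case.
SAMPLE_LOG = r"""
Running from: C:\Oct 2009 Cleaners\Win32kDiag.exe
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\MountedDisk
Mount point destination : \??\Volume{00000000-0000-0000-0000-000000000000}\
Cannot access: C:\WINDOWS\explorer.exe
[2] 2008-04-13 17:12:19 1033728 C:\WINDOWS\aaa.exe (Microsoft Corporation)
[1] 2008-04-13 17:12:19 1033728 C:\WINDOWS\explorer.exe ()
[1] 2008-04-13 17:12:19 1033728 C:\WINDOWS\ServicePackFiles\i386\explorer.exe (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 1736-08-20 10:04:02 61952 C:\WINDOWS\system32\eventlog.dll ()

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (?P<path>.+)$")
FILE_RE = re.compile(
    r"^\[(?P<n>\d)\] (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<path>.+?) \((?P<company>.*)\)$"
)


def parse_win32kdiag(text):
    """Return {'mount_points': [(path, dest)], 'blocked': {path: [file entries]}}."""
    report = {"mount_points": [], "blocked": {}}
    pending_mount = None   # path of a 'Found mount point' awaiting its destination
    current_blocked = None  # path of the current 'Cannot access' file
    for raw in text.splitlines():
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending_mount = m.group("path")
            current_blocked = None
            continue
        m = DEST_RE.match(line)
        if m and pending_mount is not None:
            report["mount_points"].append((pending_mount, m.group("dest")))
            pending_mount = None
            continue
        m = CANNOT_RE.match(line)
        if m:
            current_blocked = m.group("path")
            report["blocked"][current_blocked] = []
            continue
        m = FILE_RE.match(line)
        if m and current_blocked is not None:
            report["blocked"][current_blocked].append({
                "ts": m.group("ts"), "size": int(m.group("size")),
                "path": m.group("path"), "company": m.group("company"),
            })
            continue
        if not line:  # a blank line ends the file list of a 'Cannot access' block
            current_blocked = None
    return report


def triage(report, now_year=2009):
    """Return (kind, path, detail) findings worth a closer look."""
    findings = []
    for path, dest in report["mount_points"]:
        # Assumption: a legitimate directory reparse point resolves to a \??\ path.
        if not dest.startswith("\\??\\"):
            findings.append(("suspicious_mount_point", path, dest))
    for live_path, entries in report["blocked"].items():
        live = next((e for e in entries if e["path"].lower() == live_path.lower()), None)
        if live is None:
            continue
        reasons = []
        if not live["company"]:
            reasons.append("no version info")
        year = int(live["ts"][:4])
        if year < 1990 or year > now_year:
            reasons.append("implausible timestamp " + live["ts"])
        # Compare against the service-pack cache copy of the same file, if listed.
        sp = next((e for e in entries if "\\servicepackfiles\\i386\\" in e["path"].lower()), None)
        if sp is not None and sp["size"] != live["size"]:
            reasons.append("size %d differs from ServicePackFiles copy %d" % (live["size"], sp["size"]))
        if reasons:
            findings.append(("tampered_system_file", live_path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for kind, path, detail in triage(parse_win32kdiag(SAMPLE_LOG)):
        print(kind, path, detail)
```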
     
  4. specialkman

    specialkman Private E-2

    I kept working with the computer, and made a little progress. I downloaded GMER and it ran for over 2 hours before it crashed...so I didn't get to save that log.

    But, when I restarted the computer, I was able to run MGtools. So, I've attached that log.

    I'm going to re-run GMER now, but I'm going to call it a night...so if you want that log, I'll have to post it tomorrow.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator



    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif
    Once you've gotten one of them to run then try to immediately run the following.


    Now download and Run exeHelper from Raktor
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now run this: Using Malwarebytes Anti-Malware

    Now run ComboFix as instructed in the READ & RUN ME.

    Now run this: Using MGtools



    Now you need to attach (See: HOW TO: Attach Items To Your Post ) the below logs created while running the above scans
    • exeHelper log
    • Malwarebytes Anti-Malware log
    • the ComboFix log if it ran
    • MGlogs.zip
     
  6. specialkman

    specialkman Private E-2

    I downloaded and ran rkill. Then downloaded and ran exehelper. The txt file from that program is attached.

    I tried to run Malwarebytes. I downloaded and copied it several times, and each time, when it offered to update and run, I hit okay. This message always popped up: "Unable to execute file: C:\Malwarebytes...\mbam.exe CreateProcess failed; code 2. The system cannot find the file specified."

    I'm seeing there's no mbam.exe file in the Malwarebytes file, which I think is weird since I'm downloading it on my laptop directly to a usb drive, then uploading it directly onto my computer.

    I then ran ComboFix...it started and ran for a few minutes...then a message popped up "PEV.cfxxe has encountered a problem and needs to close". I hit don't send and a line came up in the ComboFix window "The system cannot find the file temp04". Then a message popped up "Combofix has detected the presence of rootkit activity and needs to reboot the machine". The file it found was "C:\WINDOWS\system32\drivers\rotscxlkcivtsf.sys". I rebooted into safe mode again and re-ran ComboFix...it went all the way through, then said it needed to reboot...it did, but there was no combofix log.

    Then, I ran MGTools...and I've attached that zip.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall SUPERAntiSpyware and Malwarebytes if still currently installed and delete all previous installer programs for them that you downloaded. Then continue on with the below.

    I need to know if you are able to boot up and run in normal boot mode rather than safe mode. Normal boot mode is preferred if it is possible since it will help us locate malware that may only be loading in normal boot mode but not safe mode.

    I recommend that you uninstall Spy Sweeper for now as it is probably doing more to get in the way of cleanup than it is in helping protect you, which it obviously severely failed at doing. Is it a paid version?

    What is the below folder??? Very bad idea to name it like this if you created this!
    Code:
    C:\
    MYAPP.EXE     Sep 29 2009              "myapp.exe"

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    Ad-Aware SE Personal
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    Java 2 Runtime Environment, SE v1.4.2_03
    MyWay Search Assistant
    Spybot - Search & Destroy 1.4

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: (no name) - {abfb6708-229c-41b6-8550-2b02053bfd5a} - laroheya.dll (file missing)
    O2 - BHO: Firefox mod - {E5768708-806B-4ced-9AE8-7C855EB782F7} - lofd32.dll (file missing)
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [79735132] C:\DOCUME~1\ALLUSE~1\APPLIC~1\79735132\79735132.exe
    O4 - HKLM\..\Run: [tevenonesu] Rundll32.exe "zuhuyaba.dll",s
    O4 - HKLM\..\Run: [jiyiwukes] Rundll32.exe "c:\windows\system32\lewemuku.dll",a
    O4 - HKLM\..\Run: [combofix] C:\ComboFix\CF3714.exe /c C:\ComboFix\Combobatch.bat
    O4 - HKLM\..\RunOnce: [combofix] C:\ComboFix\CF3714.exe /c C:\ComboFixCombobatch.bat
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
    O21 - SSODL: bahimupuy - {c0c108ed-5093-4359-ae3e-7f3d9401b110} - c:\windows\system32\nodutike.dll
    O21 - SSODL: megevizuv - {14f77f23-1f92-4ccb-bd33-3108d6fc49b2} - c:\windows\system32\lotakine.dll
    O21 - SSODL: yuhefutov - {054a3f91-187c-40b6-a6c7-d02e1f2c07ac} - c:\windows\system32\vedilune.dll
    O21 - SSODL: sanabapus - {14475852-bab9-4f12-b4ed-6f8becdcd97d} - c:\windows\system32\kubuyula.dll (file missing)
    O21 - SSODL: hurovigam - {5b9bcd11-3d65-44f7-936f-021c6eb266f7} - c:\windows\system32\kokufara.dll
    O21 - SSODL: fumebujin - {f83e42be-59bd-4c41-922f-4895541ca763} - c:\windows\system32\lewemuku.dll (file missing)
    O22 - SharedTaskScheduler: tokatiluy - {c0c108ed-5093-4359-ae3e-7f3d9401b110} - c:\windows\system32\nodutike.dll
    O22 - SharedTaskScheduler: mujuzedij - {14f77f23-1f92-4ccb-bd33-3108d6fc49b2} - c:\windows\system32\lotakine.dll
    O22 - SharedTaskScheduler: kupuhivus - {054a3f91-187c-40b6-a6c7-d02e1f2c07ac} - c:\windows\system32\vedilune.dll
    O22 - SharedTaskScheduler: tokatiluy - {14475852-bab9-4f12-b4ed-6f8becdcd97d} - c:\windows\system32\kubuyula.dll (file missing)
    O22 - SharedTaskScheduler: kupuhivus - {5b9bcd11-3d65-44f7-936f-021c6eb266f7} - c:\windows\system32\kokufara.dll
    O22 - SharedTaskScheduler: kupuhivus - {f83e42be-59bd-4c41-922f-4895541ca763} - c:\windows\system32\lewemuku.dll (file missing)
    O23 - Service: XGFIXBQCZG - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XGFIXBQCZG.exe (file missing)
    O23 - Service: YFZITD - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\YFZITD.exe (file missing)

    After clicking Fix, exit HJT.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Nov 8, 2009
  8. specialkman

    specialkman Private E-2

    I will follow your directions in a couple hours when I get home...but I wanted to mention 2 things quickly.

    1) I have no idea what myapp.exe is. It's not something I named.

    2) I cannot reboot in normal mode. I tried yesterday, and it still wouldn't start or let me use ctrl-shift-esc to access any programs.
     
  9. specialkman

    specialkman Private E-2

    I started uninstalling programs. It wouldn't let me uninstall Ad-Aware, both Java updates, or MyWay Search Assistant. It popped up a message that said:

    "The windows installer service could not be accessed. this can occur if you are running windows in safe mode, or if the windows installer is not correctly installed. contact your support personnel for assistance"

    It did let me uninstall Spybot 1.4. I did have to restart to completely uninstall some of the programs.

    When it restarted, something very weird happened. I booted into safe mode, the same way I've been doing for the last few weeks since I got this bug...and this time, it actually booted. It also opened up ComboFix and opened a window that said "preparing log report". I'm missing a lot of icons on the desktop, but it looks like most of my personal info is on the computer. I've attached the ComboFix log that was created.

    I'm not sure if I should continue with your directions (it's not that I doubt you...I just don't know enough to know if your fixes will help or hurt at this point). Out of curiosity, I restarted and let it boot into normal mode. It did actually boot up this time...and it looks like all my stuff is still on the desktop and still on the computer. It seems to be running slow. And when I search in Google, it either loads to a weird site, or not at all. So there's still some sort of bug on here.

    Let me know what you think I should do next. Thank you for all of your help.
     


  10. specialkman

    specialkman Private E-2

    One more addition...after booting in normal mode, I was able to run HijackThis. I've attached the log.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We don't need it. You need to run my previous fix (which I just edited to add a couple things seen in the ComboFix log) and only attach the requested logs.


    Also tell me what is in the MYAPP.EXE folder since you say you don't know what it is.
     
  12. specialkman

    specialkman Private E-2

    I'll answer your last question first. In the myapp.exe folder, there are 153 files and 1 folder. Most of them have names that mean nothing. There are several applications (ERUNT, hidec, mtee, etc.), lots of .dat files, some MS-DOS batch files, some Windows NT command scripts, and a few other things. I know that's not real specific, and if you'd like, I can type out all 154 items.

    Let me also say that after rebooting, I was finally able to run Malwarebytes. It found over 100 problems and fixed them. So that will explain why the Avenger log has so many places where it says it couldn't find the file.

    I followed the rest of your directions and have attached both logs. The computer boots up fine in normal mode and seems to be running alright. Let me know if there's anything else you would like me to check or run.

    If not...I cannot thank you enough for your help. You turned my almost dead computer into one that works again. Thank you for being patient with me and walking me through it all. I really appreciate the help. Thank you again.
     


  13. specialkman

    specialkman Private E-2

    As I'm using the computer a little more, I'm noticing two problems, but they might be the same thing.

    I tried to look at a Twitter page and got this message...
    You cannot use the Twitter website without having JavaScript enabled on your web browser. Please re-enable JavaScript and refresh this page.

    Then, I tried to go to Google Maps and nothing came up, it just said "loading..." at the top of the page.

    Not sure if that's all connected to this or not, but I just wanted to give you an update as I use the computer a little more.
     
  14. specialkman

    specialkman Private E-2

    Sorry for the multiple messages, but I noticed a couple other things in the last few minutes.

    1) When I open my home page (Google), the cursor doesn't automatically appear in the search box (it does on my laptop and my work computer). I know it's small, but it's something that is different now than it was before.

    2) My find command (Ctrl+F) doesn't work. It pops up when I hit Ctrl+F, but when I type in a word, it won't allow me to hit Next or Previous.

    3) My search command on the computer won't work. When I go to Start - Search, the window pops up with the dog (Search Companion). But there's nothing in the window, so I can't search anything.

    I hope that's it. I know they're all relatively small things, but since they are differences from when the computer was working before, I thought I'd let you know.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your PC is not in normal startup mode. See step 4 of the READ & RUN ME.

    Delete the below file:
    C:\WINDOWS\Tasks\jmrpmrla.job


    Please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r





    Now download Junction.zip to your Windows folder
    • Please download Junction.zip and save it to your Windows folder (i.e., C:\Windows\Junction.zip. This assumes C:\ is your Windows boot drive.)
    • Now unzip it and put junction.exe into the Windows folder (i.e., C:\Windows\junction.exe)
    • Do not try to run it right now. We will run something that uses it later.

    Now we need to reset the permissions altered by the malware on some files.
    • Download and save Inherit.exe to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window opens and also a license agreement from SysInternals will appear for Junction.
    • Accept the license agreement and the scan will begin.
    • Wait until it finishes. It can take a while to run since it scans your whole hard disk. Be patient and don't do anything else while it is scanning.
    • The command prompt window should close when it finishes.
    • While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.
    Now see if you can run SUPERAntiSpyware and Malwarebytes.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )




    Then attach the below logs:
    • the Win32kDiag log
    • logs from SUPERAntiSpyware and Malwarebytes if they ran.
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  16. specialkman

    specialkman Private E-2

    As expected, you were right about startup. I re-read step 4, and now that I'm in normal mode, I could easily make those changes. Hidden files are now shown (those were all already checked/unchecked appropriately). And it is now reset to normal startup (and I rebooted).

    I deleted the Windows file you asked me to.

    I then ran Win32kDiag (the log is attached).

    Downloaded Junction...downloaded Inherit...ran FixPerm.bat...was able to run Malwarebytes (log attached...I didn't fix the couple problems it found because I thought it was a safe program I have)...and downloaded and ran MGtools (log attached).

    The computer is running okay...other than the problems I mentioned a couple posts ago, things seem to be alright. Unfortunately, those problems are just very irritating.
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's detecting them because of where you saved them. Do not save files in the root folder.

    You should not be running HijackThis. We did not ask you to run it and you should not be running it while running MGtools!!!!!

    Your logs are clean but you are running with no protection now and need to get that addressed ASAP. Other issues you have will have to be posted in the Software Forum.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
