Completed all steps for removal. Please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by DrMango, Oct 30, 2009.

  1. DrMango

    DrMango Private E-2

    I'm running Windows XP, Service Pack 2.
    Only started having problems tonight. I had searched for an episode of "flashforward episode 6" on Google. Got a link that looked trustworthy on Ask Yahoo. Clicked to download a video controller so I could watch. Problems occurred after that. I get redirected on all searches etc. Spybot won't run. AVG completely disappeared from my computer after a restart.
    found this site.

    Followed all steps possible.
    I have a 64 bit computer so I had to skip the parts listed.
    Completed all steps in registration email. Got to the XP cleaning section.
    Installed and used SUPERAntiSpyware. When rebooted and tried to run again for log file, I got message: windows cannot access the specified device, path or file... I tried to use alternate start and nothing happens. Used repair and got message that I don't have privileges. How can I retrieve log file? I can't even find any txt files in SUPERAntiSpyware folder. It did find and delete 5 trojans and 1 other file.

    Moved onto install of mb.exe.
    I renamed files as told to. Started program after install. Chose quick scan as told. Program closed on its own. Reinstalled program, double checked renaming of files etc. and used full scan this time, program closed again.
    Can't run other programs because I'm on 64 bit processor...

    Installed MGtools to c:\mgtools.exe
    Double clicked .exe with no AV running and black window briefly appears, then disappears. Nothing happens..

    Ran Win32kDiag.exe
    Program stops

    Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe

    Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...



    Found mount point : C:\WINDOWS\addins\addins

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP188.tmp\ZAP188.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP268.tmp\ZAP268.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28C.tmp\ZAP28C.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B6.tmp\ZAP2B6.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD5.tmp\ZAPD5.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\temp\temp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\tmp\tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Config\Config

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imejp\applets\applets

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imejp98\imejp98

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\java\classes\classes

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\java\trustlib\trustlib

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\mui\mui

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

    Mount point destination : \Device\__max++>\^

    Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe



    So I don't know what to do next.
     
    Last edited: Oct 30, 2009
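    The Win32kDiag output above is the point of the whole thread: every "Found mount point" entry under C:\WINDOWS is an NTFS junction named after its own parent folder, and every one resolves to the bogus device path \Device\__max++>\^ rather than to a real volume, which is why the tools the user tries to run die immediately or report "cannot access". The following is an added example, not code from the thread or from MajorGeeks, that parses a log in exactly this line format and flags the abnormal junctions. The "benign target prefix" heuristic and the self-nested-name check are assumptions of this example, and SAMPLE_LOG is a constructed excerpt (two of the posted entries, the privilege warning and the "Cannot access" line, plus one ordinary junction added to show the benign case).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt in the same line format as the Win32kDiag.txt log posted
# above, plus one ordinary junction added to show the benign case.
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Documents and Settings\Owner\My Documents\Shared
Mount point destination : \??\D:\Shared
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
"""

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")
DENIED_RE = re.compile(r"^Cannot access\s*:\s*(.+?)\s*$")
WARN_RE = re.compile(r"^WARNING:\s*(.+?)\s*$")

# Assumed heuristic: a legitimate NTFS junction resolves either to a Win32 path
# behind the \??\ prefix or to a raw volume device. A target such as
# \Device\__max++>\^ is not a real volume and cannot be opened as a folder.
BENIGN_TARGET_PREFIXES = ("\\??\\", "\\Device\\HarddiskVolume")


@dataclass
class DiagReport:
    mount_points: List[Tuple[str, str]] = field(default_factory=list)
    # (junction path, destination, reason) for each mount point worth a look
    suspicious: List[Tuple[str, str, str]] = field(default_factory=list)
    inaccessible: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def is_self_nested(path: str) -> bool:
    """True when the junction carries the same name as its parent folder
    (C:\\WINDOWS\\mui\\mui), the pattern every entry in the posted log shows."""
    parts = [p for p in path.rstrip("\\").split("\\") if p]
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def classify(path: str, dest: str) -> Optional[str]:
    """Return a reason string if the junction looks abnormal, else None."""
    reasons = []
    if not dest.startswith(BENIGN_TARGET_PREFIXES):
        reasons.append("target is not a volume or \\??\\ path")
    if is_self_nested(path):
        reasons.append("junction is named after its parent folder")
    return "; ".join(reasons) or None


def parse_win32kdiag(text: str) -> DiagReport:
    """Pair each 'Found mount point' line with the 'Mount point destination'
    line that follows it, and collect warnings and access failures."""
    report = DiagReport()
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending = m.group(1)
        elif m := DEST_RE.match(line):
            if pending is None:
                continue  # destination without a preceding mount point line
            dest = m.group(1)
            report.mount_points.append((pending, dest))
            reason = classify(pending, dest)
            if reason:
                report.suspicious.append((pending, dest, reason))
            pending = None
        elif m := DENIED_RE.match(line):
            report.inaccessible.append(m.group(1))
        elif m := WARN_RE.match(line):
            report.warnings.append(m.group(1))
    return report


def summarize(report: DiagReport) -> str:
    """Human-readable triage summary of a parsed log."""
    lines = [f"{len(report.mount_points)} mount point(s), "
             f"{len(report.suspicious)} suspicious"]
    for path, dest, reason in report.suspicious:
        lines.append(f"  {path} -> {dest}  [{reason}]")
    for path in report.inaccessible:
        lines.append(f"  access denied: {path}")
    for warn in report.warnings:
        lines.append(f"  warning: {warn}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_win32kdiag(SAMPLE_LOG)))
```

    Run it against a saved Win32kDiag.txt by passing the file contents to parse_win32kdiag; the "access denied" and "backup privileges" items matter as much as the junction list, because they show the permissions damage that the later FixPerm/Inherit step in this thread is meant to undo.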
  2. DrMango

    DrMango Private E-2

    Why is my post completely gone? I followed all steps in the registration email. I was up till 1:30 am doing all the things asked of me. I wake up looking for good news and I have my whole post gone?

    Kyle
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!
    Don't know what you are talking about as we see both posts you have made. Perhaps you just don't know how to look for your own posts. It will not remain on the first page for very long as this forum is extremely busy. If that was not the problem then it was probably due to your having posted inline information from your scans when you were instructed not to do this. Inline logs will cause posts to be trapped in spam filters and they will not show up.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator


    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif
    Once you've gotten one of them to run then try to immediately run the following.


    Now download and Run exeHelper from Raktor
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now run this: Using Malwarebytes Anti-Malware

    Now run this: Using MGtools



    Now you need to attach (See: HOW TO: Attach Items To Your Post ) the below logs created while running the above scans
    • exeHelper log
    • Malwarebytes Anti-Malware log
    • MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.
     
  4. DrMango

    DrMango Private E-2

    Actually I did NOT see my original post, as it completely disappeared from this forum. It was reinstated by one of your nice forum members today. The only post visible on here was the second one I made about my thread disappearing. I followed all instructions to the T. I ran all of the programs you have listed

    Rkill.exe
    Rkill.com
    Rkill.scr
    Rkill.pif

    none of which got anything to run at ALL. When I try to run your next link I get "Internet Explorer cannot display the webpage" and Malwarebytes won't even open at all. I've ALREADY tried that program as per instructions that I've already tried to follow.

    And as far as MGtools goes, I already covered that in the post that is clearly visible by you.

     
  5. DrMango

    DrMango Private E-2

    BTW I'm looking for help with my program, I'm not an idiot. I know how to see my own posts.. I know that I posted a thread and that it wasn't there in the morning and then 2 days later someone on here was nice enough to post it back up for me. I'm on here for help not. I followed all steps listed.
     
  6. DrMango

    DrMango Private E-2

    I'm sorry about my posts last night as I was pretty drunk and had just got home. I'm sorry about the inline log post. I had tried all the Rkills etc before. I need a new link for the exeHelper and I'll try them all again to see if one will work for me now..

    Again, thank you for any help provided by your staff. I just want my computer to run properly again. Thank you

    Kyle
     
  7. DrMango

    DrMango Private E-2

    OK so the link worked for me when I tried it this time. I followed all steps, downloaded Rkill and it opened and ran. Then used exeHelper. exeHelper ran and created log file, which I attached. I tried to run Malwarebytes as asked to. I renamed etc. Program installed and opened properly but when I clicked "scan" the window closed and the program shut down. When I tried to reopen it, it gave me the same msg as usual: windows cannot access...
    Installed and ran MGtools as requested. Installed to C drive and ran program. Black window opened for less than one second and closes. There was a folder created just like it says it would but no ZIP file named MGlogs.zip was present. I searched the computer for a file named MGlogs.zip and couldn't find one anywhere on C drive.

    So MB.exe automatically closed on its own and MGtools wouldn't run as far as I can tell. I restarted my computer, re-ran a different Rkill and still couldn't get either of them to run...

    What next please?

    Kyle
     

    Attached Files:

  8. DrMango

    DrMango Private E-2

    I need some more assistance as to what I should do next please. I'm stuck where I'm at and my computer runs like crap. I can't run half the programs on my computer because they get shut down immediately. Please, any advice is very appreciated.

    Thanks

    Kyle
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Every time you make additional posts (most of which are really not necessary) you are costing yourself further delay in getting any answers. Have you read this pinned/sticky thread: Don't Bump! It Only Hurts You!!! The most expedient thing to do is make one post and wait for us to answer. An additional post 2 days later would cost you 2 more days, thus making the total wait at least 4 days.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r



    Now download Junction.zip to your Windows folder
    • Please download Junction.zip and save it to your Windows folder (i.e., C:\Windows\Junction.zip This assumes C:\ is your Windows boot drive.)
    • Now unzip it and put junction.exe into the Windows folder (i.e., C:\Windows\junction.exe)
    • Do not try to run it right now. We will run something that uses it later.

    Now we need to reset the permissions altered by the malware on some files.
    • Download and save Inherit.exe to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window opens and also a license agreement from SysInternals will appear for Junction.
    • Accept the license agreement and the scan will begin.
    • Wait until it finishes; it can take a while to run since it scans your whole hard disk. Be patient and don't do anything else while it is scanning.
    • The command prompt window should close when it finishes.
    • While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Then attach the below logs:
    • C:\avenger.txt
    • the log from Win32kDiag
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Nov 9, 2009
  10. DrMango

    DrMango Private E-2

    Thanks chaslang! Here are my logs. Everything you told me to do worked perfectly this time. No problems at all. I did have to click "ok" about 20 times before the agreement for SysInternals came up for me when running "C:\MGtools\FixPerm.bat"


    I will edit this post within 15 minutes to let you know how everything works..

    Am I able to remove all of these programs and stick to just one program from here on out, like Spybot Search and Destroy? Is there a better single "do it all" tool that you would recommend to me?

    THANK you so much for your donated time to help me out with this stupid malware problem. I will be more careful and better protected for the future.

    Kyle
     

    Attached Files:

  11. DrMango

    DrMango Private E-2

    I wasn't quick enough to edit my original post but I was able to run Spybot Search and Destroy now. For 5 problems:

    "double click"
    "microsoft.windowssecuritycenter.antiVirusOverride"1 entry
    "microsoft.windowssecuritycenter.firewallOverride" 1 entry
    "win32.fraudload.edt" 2x malware entries

    I was able to fix and remove these items.

    Thanks for your help. So far it all seems to be running better!

    Kyle
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now you need to run SUPERAntiSpyware and Malwarebytes per the instructions in the READ & RUN ME and attach logs from these scans.

    The above two programs are much much much more effective than Spybot. Spybot can be kept just to use its Immunize and SDHelper features. While you can still use its scanner, it is not going to help you as much as the above two programs.
     
  13. DrMango

    DrMango Private E-2

    SUPERAntiSpyware was a complete computer scan and the Malwarebytes was a quick scan. Didn't have a lot of time tonight. Can do full one if needed tomorrow, or whenever you respond again.

    Thank you for all the help!

    Kyle
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your Malwarebytes log shows that you took no action. Did you fix what it found? You must remember to fix/quarantine first and then save the log.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  15. DrMango

    DrMango Private E-2

    I did quarantine and fix the problems found. I just did a full computer scan with MB.exe and it found 0 threats.
    Did the full cleanup and removed all programs. Thank you for all the help and I hope I can be diligent and stay this way!

    Thank you and hope I don't have to post here again lol!

    Kyle
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
