malware removal: vbalgrid glitch

Hello, I'm infected (XPpro, SP3):
desktop theme changed,
quicklaunch closed,
Google gadgets disabled,
unable to run most programs,
"Event Monitor user Notification Tool has encountered
a problem and needs to close...";
believe it started with fake McAfee Internet
Security app
and I am part way through READ & RUN ME FIRST guide, section 'Windows XP Cleaning Procedure'.

SuperAntiSpyware was the last successful step and it detected nothing. Malwarebyte's Anti-Malware will not install or run from desktop or USB stick, in normal or safe mode. The following messagebox pops up:
"failed to load control vbalGrid from vbalsgrid6.ocx. vbalsgrid6.ocx ay be outdated..."

Per related threads: did not find TDSSserv.sys in Device Manager; ran MGTools and attached log ZIP.

Holding here so as not to skip any more steps. Please advise.

Thanks! --John

 

Thanks for the swift reply.

I did not experience the false positive mentioned in the first link and windows has been able to start (though that's about all it does) so I started with your second recommendation.

However, I am unable to drag'n'drop anything anywhere so I can't plug CFscript.txt into ComboFix.exe.

My command window does open so I've been using that to copy files from an unaffected computer, etc. via USB stick.

Is there a command line way that I can feed CFscript.txt to ComboFix.exe?

Trying your first recommendation - the bleepingcomputer (so true) topic 311599 link - I arrived at a blue screen with "A problem has been detected..." and "STOP: 0x0000007B..." on two consecutive reboots so I am holding here for further advice.

Thanks!

 

Thanks TimW.

The 'manual' copy in Safe Mode worked fine. I had downloaded and double-clicked XPspbu3.exe previously, per your direction.

On reboot, Google sidebar was full of lots of unrecognized gadgets but, otherwise, my familiar desktop was back. Then it auto-rebooted before I had a chance to resume with AntiMalware and returned to the virus-y look & behavior.

Redoing the svchost copy, rebooting and starting AntiMalware as quickly as possible, it was able to scan about 3700 items before the auto-shutdown. Here's the message:

"Windows must now restart becasue the DCOM Server Process Launcher service terminated unexpectedly"

and it counted down from 60 seconds and shut down right through AntiMalware.

Is there a different tack I can take? Thanks!

 

Unable to disable McAfee: it allows me to open the anti-virus config window, for example, but says it's OFF; when I return to the main screen it is ON again.

Unable to use Add/Remove Programs to remove McAfee. Clicking there elicits no response.

BTW, my McAfee Internet Security screen looks different: green bar across it and the start bar icon is a red shield, not a gray square with a red 'M' in it.

Was able to update & run Anti-Malware by issuing 'Start : Run : shutdown -a' every time (twice) the DCOM error started its countdown. Now it seems to have given up and I am sitting on my normal desktop with limited abilities: no drag & drop, etc.

Anti-Malware db version 4023 Quick Scan found nothing.

Currently running a full Anti-Malware scan. OK?

Where is the DAT folder mentioned by the other user? I do not see one under McAfee.

May I have the link to that thread?

How can I disable/remove McAfee?

svchost.exe has disappeared from c:\windows\System32 again without any other evidence of change. Shall I just keep copying it into there from MGTools for the time being?

Thanks! Your swift and expert attention is GREATLY appreciated.

 

The McAfee fix made a difference - was finally able to disable it and continue with READ & RUN ME FIRST for XP SP3.
Network access: OK
Drag'n'drop: OK
Google gadgets: remained whacky - removed (small price to pay)
Have not yet tested much else.

Ran ComboFix, Anti-Malware, RootRepeal and MGTools - logs attached. How does it look? THANKS!

 

Thanks. Disabled HelpAssistant using the computer management window.

Is that sufficient or should I also follow the HelpAsst_mebroot_fix.exe procedure that you describe in topic 214780?

To my knowledge, I did not set up the use of a proxy server but that HKCU key is indeed present in the registry. Does that need to go?

Do you want a fresh MGTools log?

No apparent problems at the moment. Was there something specific I likely did that caused this McAfee problem? Any specific way to avoid it in the future?

Pending further instructions from you, I am heading for topic 44525 "How to Protect yourself from malware!" Thanks again.

 

HKCU...Proxy server HJT'd; that was easy.

ouch.

yea, wearing a helmet and goggles from now on.

You folks do good work.