Probable Malware/Spyware infestation

Discussion in 'Malware Help (A Specialist Will Reply)' started by stejampzy, Jun 5, 2010.

  1. stejampzy

    stejampzy Private E-2

    Greetings. I went to the READ ME FIRST post and followed the instructions to the best of my ability, however every single thing I do on my computer (I'm running Vista) tells me that it's unexecutable and is infected. I actually can't even get into my Control Panel to see what installed itself on my computer, but I'm assuming there must have been something?

    Basically, everything I do -- open Control Panel, open IE, open Firefox, open CCleaner, open uTorrent -- prompts me to scan with and pay for malware/spyware protection through something called antispywareprog.com and it's the only website I can access. No other programs open and I simply get a Windows Security Alert balloon that pops up from the "green shield with a checkmark on it" in my toolbar.

    I'm assuming I'll need to run some scans in safe mode or something? I'm currently accessing the web via my MacBook.

    Can anyone please help? Thank you very kindly.
    -Steve
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. stejampzy

    stejampzy Private E-2

    After trying a few more times, I can now open my Control Panel. There doesn't seem to be anything "extra" in there that I didn't personally download, and from what I can tell I only have one piece of Antivirus software. I generally use CCleaner on a nearly daily basis to clean out excess crap but it won't load now and, again, "Windows" tells me there is spyware afoot.

    To re-clarify, I haven't actually tried to start in Safe Mode. That is, generally speaking, beyond my level of expertise when it comes to computing.

    With this new info, are there any other ideas you can offer from the get-go?

    Thanks again. I really appreciate your time and help.
    -Steve
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may become necessary to try if you cannot run things in normal boot mode.


    It all depends on what you can run. Can you run our cleaning procedure, READ & RUN ME FIRST. Malware Removal Guide?
     
  5. stejampzy

    stejampzy Private E-2

    Hello. Thanks for your help.

    Based on the READ & RUN ME FIRST file, here is what I have been able to accomplish/figure out:

    -I only have 1 piece of antivirus software

    Housecleaning
    -I didn't have any of the listed programs to remove
    -I could not update Java in normal mode because my internet access is being pirated by something.
    -Quarantines and Recycle Bin emptied
    -I have CCleaner, but can't run it.

    Config & Setup
    -I have a 32 bit version of Windows.
    -I have enabled viewing of hidden files, etc.
    -I cannot access msconfig. A red X comes up and says, "Application cannot be executed. The file msconfig is infected. Do you want to activate your antivirus software now?"

    -No Malware and Unwanted Software to remove based on the list in step 5

    -I could not access the disk emulation software in step 6, because I can't get to the website.

    -I could not run through the Vista cleaning procedures because I can't access the internet properly.

    I haven't tried booting in safe mode as of yet, but am happy to at your direction. My Vista PC is disconnected from the internet presently. About every 3-4 minutes my Windows Security Center pops up and says everything is running OK, but at the same intervals I also get red X balloons that pop up and tell me my computer is infected.

    Best regards,
    -Steve
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if the reason behind this is the below:

    Proxy Server - Changing Settings


    Can Task Manager be opened?

    If downloading the tools is a problem with this PC, download them on another PC and burn to a CD to use in copying to the infected PC. Yes you could use a flash drive but they can be infected and spread infections elsewhere, so only use a flash drive if you cannot burn to a CD. You will need another PC to do this. Hopefully you have one you can use because I may need to have you create a special boot CD.

    Yes you need to try this now. Some of these infections will even break the ability to get into safe mode. If one form of safe mode does not work (like safe mode with networking), try each of the two other types of safe mode boot.

    Is this a laptop or a Desktop?

    Do you have your Vista boot DVD?
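    The "Proxy Server - Changing Settings" link above points at the usual reason a rogue antivirus can make its own site the only reachable one: it rewrites the per-user WinINet proxy settings (and sometimes the hosts file). The script below is an added example for readers of this thread, not part of chaslang's procedure or of any MajorGeeks tool; it assumes PowerShell 2.0 is installed on the Vista PC (an optional download at the time, not something the thread uses) and is run from an elevated PowerShell prompt. It only reads and reports; it changes nothing.

```powershell
# Added example (not from the MajorGeeks thread or its tools): inspect the
# per-user WinINet proxy settings that Internet Explorer, Firefox (when set to
# "use system proxy settings") and many other programs honour. Rogue antivirus
# programs commonly point these at themselves so that only their own site loads.
# Read-only. Note that HKCU is the profile of the account running this prompt;
# if the infected account is a different user, run it from that account.

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $inetKey

$findings = @()

# ProxyEnable = 1 with a ProxyServer set routes all HTTP(S) traffic through that
# address. A loopback address (127.0.0.1) or an unfamiliar host on a home PC
# is a strong sign of a hijack.
if ($settings.ProxyEnable -eq 1) {
    $findings += "ProxyEnable is 1; ProxyServer = '$($settings.ProxyServer)'"
}

# AutoConfigURL points at a PAC script, which lets malware decide per host
# which connections reach the real internet and which are captured.
if ($settings.AutoConfigURL) {
    $findings += "AutoConfigURL is set: '$($settings.AutoConfigURL)'"
}

# ProxyOverride lists hosts that bypass the proxy; a hijack often adds only
# its own domain here so that it stays reachable.
if ($settings.ProxyOverride) {
    $findings += "ProxyOverride = '$($settings.ProxyOverride)'"
}

# The hosts file is the other common place to redirect or block sites.
# Report every IPv4 mapping other than the default "127.0.0.1 localhost".
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsEntries = Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\s*$' }
if ($hostsEntries) {
    $findings += "Non-default hosts file entries:`n    " + ($hostsEntries -join "`n    ")
}

if ($findings.Count -eq 0) {
    Write-Output 'No proxy or hosts file overrides found for this user.'
} else {
    Write-Output 'Possible traffic hijack settings found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

If the script reports a proxy or PAC URL the user never configured, that explains both the "only one website loads" symptom and the blocked tool downloads; the fix is the settings change the linked guide describes, after which the downloads can be retried. A clean result here with the symptom persisting points at something else (a filtering driver or LSP), which is why the log-based tools in the rest of the thread are still needed.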
     
  7. stejampzy

    stejampzy Private E-2

    Hello.
    I was able to do a few things, but not everything, on the Vista cleanup page.

    To answer your question, this is a desktop computer and I don't know where my Vista boot DVD is, though I'm sure it's around here somewhere. :-o

    I was able to run SUPERAntiSpyware in safe mode, and have attached a log for it. It cleaned a few things up and now I am able to access the internet "normally" again on my PC.

    The other four fix-it programs all failed for various reasons.

    MB downloaded to my computer but when I tried to run it, it told me "The setup files are corrupted. Please obtain a new copy of the program."

    ComboFix downloaded fine, but when I tried to run it said, "Windows Command Processor has stopped working" and the operation was automatically aborted.

    RootRepeal downloaded, but gave me an error that read, "DeviceIOControlError! Error Code = 0x0"

    MG Tools would not download completely and kept getting blocked out by my AVG program. I tried shutting it off several times, but was unable to do it successfully.

    I have a feeling I need to restore a few settings from where I was still, but I can't figure out what and where. Any ideas?

    Thank you, chaslang, for your help.
    Best regards,
    -Steve
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes as stated in the cleaning procedure, some antivirus programs are problematic and decide that MGtools is a problem when in fact the antivirus program itself is actually more of a problem. You need to uninstall AVG and then run MGtools, preferably in normal boot mode.

    Not sure what you are referring to. You need to finish verifying your system is clean before doing anything else.
     
  9. stejampzy

    stejampzy Private E-2

    I uninstalled AVG and then attempted to run MGTools. It gave me an error reading "Virtual device driver error message in 16-Bit MS-DOS subsystem". I tried to work around it with support from Microsoft (since the possible errors listed on the Using MGTools page only list XP and 2000, and I run Vista) but it told me to try downloading a patch for XP, and I was hesitant to do so since I wasn't sure if you'd suggest something else?

    Additionally, when I tried to run ComboFix it kept telling me that my Norton Antivirus Internet was running. This isn't a program I've downloaded (it's not in Control Panel), so I don't know how to access it or turn it off for the scan.

    Thanks,
    -Steve
     
  10. stejampzy

    stejampzy Private E-2

    Oops, "Norton Internet Security".
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As stated in the READ & RUN ME and specifically in the Using MGtools link, you need to disable or uninstall your antivirus program since it is just getting in the way of cleanup. So either shut down AVG or uninstall it. Then download and run MGtools and attach the log. You may find the below link helpful to disable AVG:

    http://www.avg.com/us-en/faq.num-1209
     
  12. stejampzy

    stejampzy Private E-2

    I already did this and received an error message. Can you comment on my Post #9? I uninstalled AVG but still can't get MGTools to work properly.

    Thank you,
    -Steve
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may be working well enough to create a log. Did you bother to check for the MGlogs.zip file? ;)
     
  14. stejampzy

    stejampzy Private E-2

    There was no log created (no MGlogs.zip file). The program wasn't able to run. Any other ideas? :confused
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member


    Please click Start, All Programs, Accessories and you will see (among other things) a Command Prompt entry.
    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt, each followed by the Enter key. The first part of each line is the command; the text after <-- is merely informational.
    dir c:\ > c:\flist.txt <-- there is a space after the dir and after the \
    dir c:\mgtools >> c:\flist.txt <-- there is a space after the dir and after the mgtools
    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GRK <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.

    Attach the c:\flist.txt file to your next message.
     
  16. stejampzy

    stejampzy Private E-2

    Hello.

    GRK = no error
    ShowNew = error that read...
    Administrator: Command Prompt - ShowNew
    SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. VDD. Virtual Device
    Driver format in the registry is invalid. Choose 'Close' to terminate the application.

    flist.txt attached.

    Thanks!
    -Steve
     

    Attached Files:
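    The error quoted in the post above comes from NTVDM, the 16-bit subsystem: before starting any 16-bit program it reads the VDD value under HKLM\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers, and if that value is missing or not a REG_MULTI_SZ every 16-bit program (ShowNew included) fails with exactly this message. The expected type comes from Microsoft's published guidance on this error, not from the thread; the fixme.reg patch chaslang hands out in the next post is what repairs it. The check below is an added example, not MGtools code; it assumes PowerShell 2.0 on a 32-bit Vista PC, run from an elevated prompt, and only reports the current state.

```powershell
# Added example (not from the thread or MGtools): inspect the registry value
# behind the "Virtual Device Driver format in the registry is invalid" error.
# On a healthy 32-bit Windows, VDD is a REG_MULTI_SZ and normally empty
# (expected type taken from Microsoft's documentation of this error, an
# assumption as far as this thread is concerned). Read-only; nothing is changed.

$vddKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers'

if (-not (Test-Path $vddKey)) {
    Write-Output "Key $vddKey is missing; NTVDM will refuse to start 16-bit programs."
    return
}

# Get-Item on a registry path returns a Microsoft.Win32.RegistryKey, which can
# report the stored type of a value, not just its data.
$key = Get-Item -Path $vddKey
if ($key.GetValueNames() -notcontains 'VDD') {
    Write-Output 'VDD value is missing under VirtualDeviceDrivers; this produces the NTVDM error.'
    return
}

$kind = $key.GetValueKind('VDD')      # expected: MultiString (REG_MULTI_SZ)
$data = $key.GetValue('VDD')

Write-Output "VDD type: $kind"
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
    Write-Output 'VDD has the wrong type; this matches the NTVDM error. A registry patch that recreates VDD as an empty REG_MULTI_SZ is needed.'
} else {
    # Any drivers listed here are loaded into every 16-bit session. On a normal
    # PC the list is empty, so unexpected entries deserve a look.
    if ($data.Count -eq 0) {
        Write-Output 'VDD is an empty REG_MULTI_SZ (normal).'
    } else {
        Write-Output 'VDD lists these virtual device drivers:'
        $data | ForEach-Object { Write-Output "  $_" }
    }
}
```

Running this before and after merging the registry patch shows whether the patch actually took effect, which is the point of chaslang asking for the "success message": a .reg merge that is silently rejected leaves the value as it was, and the tools keep failing.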

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Contrary to what you previously stated, there is a C:\MGlogs.zip file because I can see it in the log you just attached. Please attach the C:\MGlogs.zip file. Do this now before doing the below, where I will ask for another try at running MGtools.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run the below and attach the log from GMER:

    GMER - running with a random name


    Now reboot your PC.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • the GMER log
    • C:\MGlogs.zip
     
  18. stejampzy

    stejampzy Private E-2

    MGLogs.zip file attached before trying any of the remaining steps, as you suggested.
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The instructions for Using MGtools with Vista explain that you MUST disable UAC and reboot. You did not do this. UAC is still enabled. You cannot properly run MGtools with UAC enabled. We did explain running a registry patch we provided in the MGtools folder to disable UAC for you which is useful when MSconfig cannot be run. You need to follow our instructions properly if you want tools to work.
     
    Last edited: Jun 17, 2010
  20. stejampzy

    stejampzy Private E-2

    On the contrary, chaslang, I did disable UAC and reboot... but when only one of the scans worked (Super Anti-Spyware), I re-enabled UAC in order to -- at least somewhat -- re-secure my computer while I travelled for business and awaited further instruction.

    For argument's sake, I went back to the very beginning yesterday and ran through all of the READ ME FIRST info and the Vista Cleaning Procedures info. Still, the only scanning program that didn't have an error was Super Anti-Spyware. MB, RootRepeal and MGTools had the same error messages as before.

    Additionally, I ran through the registry and GMER steps you suggested in your previous post (before it was edited) and while the registry edit was added successfully, the GMER program froze up my computer 4-5 times either during or after the scan, and I never was able to obtain a log.

    Thanks again for your assistance.
     
  21. stejampzy

    stejampzy Private E-2

    In addition to my post (#20), here is a log from Malwarebytes which I was able to run after re-downloading and not renaming it. Thank you.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You MUST have UAC disabled before trying to run any of our instructions. Thus if you re-enabled it, you have to disable it again and then reboot. The instructions in the cleaning procedure clearly stated that UAC must remain disabled until we are finished. It will get in the way of many programs we use including ComboFix and MGtools. UAC does not provide any advanced protection from malware.

    Disable it now. Then reboot into safe mode. Then in safe mode, try running the below.

    Make sure ALL protection software is disabled!

    Try running ComboFix.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  23. stejampzy

    stejampzy Private E-2

    Greetings,

    Thanks for the follow-up.

    I was able to successfully run ComboFix (though it kept telling me that AVG and Norton Internet antispyware and antivirus were running even though I uninstalled AVG a couple of weeks ago and have no idea how to access Norton since it is also not a program on my computer) and have included a log below.

    Then I ran MGTools\GetLogs.bat as Administrator like you suggested and attached the log below.

    All of this was done with UAC off and in safe mode. Everything is running pretty smoothly right now.

    Best regards,
    -Steve
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are still some leftovers from these programs on your PC which we will attempt to remove with the below fix.

    Try to run the below in normal boot mode if possible. If not possible, then run it in safe boot mode.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\Nwktst.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Wait for it to finish ( the black command prompt window will close when finished). If it does not run properly, just continue on.

    Now run the C:\MGtools\GRK.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Wait for it to finish. A notepad window will open with a log in it when finished. Just close the notepad Window. ( the black command prompt window will close when finished). If it does not run properly, just continue on.

    Now run the C:\MGtools\SN64.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Wait for it to finish. A notepad window will open with a log in it when finished. Just close the notepad Window. ( the black command prompt window will close when finished). If it does not run properly, just continue on.

    Now run the C:\MGtools\UserInfo.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Wait for it to finish ( the black command prompt window will close when finished). If it does not run properly, just continue on.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  25. stejampzy

    stejampzy Private E-2

    I just want to be sure I'm clear before using the Fix button on HijackThis. You mentioned "select the following lines" but didn't mention any specific lines. When I ran the scan there were 30-40 results. Do I fix all of them, or are there specific ones that I should check the box on and fix? Thanks.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry! That was part of a boilerplate that I forgot to edit out. There is nothing to do with HijackThis. The fix begins with ComboFix.
     
  27. stejampzy

    stejampzy Private E-2

    OK. ComboFix and all of the MGTools scans seemed to complete properly.

    I've attached the logs you requested.

    Everything seems to be running smoothly right now.

    Thanks again,
    -Steve
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
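    The final steps above undo the temporary changes the cleanup needed (UAC off, hidden files shown, tools and registry patches on disk). The script below is an added example for checking that those steps actually took; it is not part of chaslang's procedure or of MGclean.bat. It assumes PowerShell 2.0 on the Vista PC, run elevated, and the file locations are the ones the thread uses (ComboFix on the Desktop, MGtools in C:\). It reports only and removes nothing.

```powershell
# Added example (not from the thread or MGtools): verify the post-cleanup state
# on a Vista PC. Read-only. Paths checked are the locations used in the thread.

$checks = @()

# 1. UAC should be back on. EnableLUA = 1 under the system policies key is the
#    setting enableUAC.reg restores; the change only takes effect after a reboot.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $policyKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
$checks += New-Object PSObject -Property @{
    Ok     = ($enableLua -eq 1)
    Check  = 'UAC enabled (EnableLUA = 1)'
    Detail = "EnableLUA = $enableLua"
}

# 2. Cleanup tools, their logs and registry patches should be gone after the
#    ComboFix uninstall, MGclean.bat and deleting fixme.reg.
$desktop = [Environment]::GetFolderPath('Desktop')
$leftovers = @(
    (Join-Path $desktop 'ComboFix.exe'),
    (Join-Path $desktop 'CFScript.txt'),
    (Join-Path $desktop 'fixme.reg'),
    'C:\ComboFix.txt',
    'C:\MGtools',
    'C:\MGlogs.zip',
    'C:\flist.txt'
)
foreach ($path in $leftovers) {
    $present = Test-Path $path
    $detail = 'gone'
    if ($present) { $detail = 'still present' }
    $checks += New-Object PSObject -Property @{
        Ok     = (-not $present)
        Check  = "Removed: $path"
        Detail = $detail
    }
}

# 3. Hidden-file viewing was turned on for the cleanup; the ComboFix uninstall
#    resets it. Hidden = 2 and ShowSuperHidden = 0 are the Windows defaults.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
$checks += New-Object PSObject -Property @{
    Ok     = ($adv.Hidden -eq 2 -and $adv.ShowSuperHidden -ne 1)
    Check  = 'Explorer hidden-file settings back to default'
    Detail = "Hidden = $($adv.Hidden), ShowSuperHidden = $($adv.ShowSuperHidden)"
}

$checks | Format-Table -AutoSize Ok, Check, Detail
```

A row with Ok = False names the step that still needs doing; an EnableLUA of 0 after the enableUAC.reg merge usually means the merge was refused or the PC has not been rebooted yet.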
     
  29. stejampzy

    stejampzy Private E-2

    Hey chaslang. Just wanted to say thanks again for your kind help. It is very much appreciated. :)
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
