can't run SAS or Malwarebytes

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Grant W, Jul 8, 2011.

  1. Grant W

    Grant W Private E-2

    Win XP pro, accidentally downloaded file (vid... something) ESET did not detect it.
    I've downloaded and run the steps suggested here.
    SAS won't run using both start methods (windows cannot access the specified device, path...)
    Malware won't run - renamed it to MB before starting as suggested
    Combo fix stopped working; I left it for 26 minutes
    Rootrepeal log attached
    MG Tools :- the ordinal 1108 could not be located in the dynamic link library wsock32.dll
    mg log attached
    I guess I'm in the crap; please help
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    Go to Add/Remove Programs and uninstall the below:
    Ask Toolbar
    Conduit Engine
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 20
    Soft32 Toolbar

    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you login after reboot.


    Now please download and save the below tool from Grinler @ bleepingcomputer to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it.



    Now delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\Owner\Local Settings\Temp

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. Grant W

    Grant W Private E-2

    Hi; thanks for your help; you are awesome.
    SAS & Malware would not run after all this work but Housecall did and removed 10 threats.
    After this SAS did run from the alternative start; 3 cookies removed.
    Malware will still not run.
    I've attached the MG.zip twice but it does not show so I've attached the individual .txt files.
    thanks
    Grant
     

    Attached Files:

    Last edited: Jul 8, 2011
  4. Grant W

    Grant W Private E-2

    more mg files
     

    Attached Files:

  5. Grant W

    Grant W Private E-2

    more files
     

    Attached Files:

  6. Grant W

    Grant W Private E-2

    not all files will upload; please let me know what to do
    cheers
    Grant
     

    Attached Files:

  7. satrow

    satrow Major Geek Extraordinaire

    Hi Grant,

    At the bottom of post # 2, ChasLang wrote:
    The MGlogs.zip will contain compressed copies of all the needed logs this time around, with the exception of the avenger.txt.
     
  8. Grant W

    Grant W Private E-2

    MG logs2; compressed as .rar and renamed to .zip so it would upload. sorry for the delay.
     
  9. satrow

    satrow Major Geek Extraordinaire

    Did you forget to attach them ;) ? What size is it now?
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow instructions properly to create a new log which is why you cannot attach. All those logs you are attaching should not be attached. They are the same old logs that were already in your first MGlogs.zip file. Please only attach what we ask you to attach. If you cannot attach it, it normally means you are doing something wrong ( like trying to attach the same file again ).

    Let me repeat the instructions

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  11. Grant W

    Grant W Private E-2

    Sorry; my speciality is engines not computers. This time I'm sure I have attached the file I created this afternoon. Please forgive a dumb Kiwi.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Nope! You need to attach only the MGlogs.zip file created by running what we ask you to run. Do not create your own file and do not rename the file. It is not necessary nor wanted. Only the C:\MGlogs.zip file is needed. It is updated automatically when you follow our instructions. What you attached is not a valid ZIP file nor is it even the proper file name.
     
    Last edited: Jul 9, 2011
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see what you did! You made your own compressed file using RAR. Please attach the file we asked for which is C:\MGlogs.zip

    It is there. I can tell from your RAR file that it is
    Code:
    "C:\"
    mglogs.zip     9 Jul 2011      152270  "MGlogs.zip"
     
  14. Grant W

    Grant W Private E-2

    here it is exactly as requested- I hope
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that is the correct file name this time but something is not right. All of the items I had you fix with the last Avenger procedure are still showing and your Avenger log indicated that it removed most of them. So something is not right. Let's get an updated log from today so we can be sure.

    First please delete any MGlogs.zip files you have ( the ones we created and the ones you have created ).


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip

    Also what malware problems are you still having?
     
  16. Grant W

    Grant W Private E-2

    MG stopped working @ checking routes; I left it for about an hour; there was no change so I restarted it. All is ok this time.
    Thanks for your patience.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that explains why the log was probably not updated last time. Try the below.


    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    analyse <-- this will try to run TrendMicro Hijackthis. Click twice on the Accept button to accept the license agreement if it shows. Then run a scan and save a log. Tell me what error messages, if any, you see.
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.



    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also no matter what happens with my last instructions, please do the below too.


    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky
    Be sure to attach your log from TDSSKiller
     
  19. Grant W

    Grant W Private E-2

    mgtools -analyse - access denied
    getrunkey - "mgtools\zip.exe is not recognised as an internal or external command", then it stopped working
    restarted MG tools
    show new- worked ok
    nwktst - worked ok
    I have .txt files for both but have attached the mglogs.zip as instructed
     
  20. Grant W

    Grant W Private E-2

    ah; I've already attached this file; it won't let me do it again. Should I rename it or is that against the rules?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Renaming will not help. This means it is the same file which would mean where you said shownew and nwktst worked, they did not work. Otherwise they would have updated the C:\MGlogs.zip file with the current logs. Are you sure that you did not get the same error message about not being able to locate zip.exe ?

    Look in the C:\MGtools folder. What is the date and time on the below files?
    newfiles.txt
    nwktst.txt
    runkeys.txt

    Also do you see zip.exe in the C:\MGtools folder?

    You need to run TDSSKiller now as requested.
     
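    A check of the kind chaslang is doing by hand in posts 13 and 21, as an added example (not MajorGeeks or MGtools code): sniff the upload's real type instead of trusting the .zip extension, and confirm that the expected logs inside are dated after the last run. The log names come from the thread; the cutoff time and the sample archives are constructed for the example.

```python
"""Sanity-check an uploaded "MGlogs.zip" before trusting it.

Added example (not MajorGeeks/MGtools code): a RAR renamed to .zip is not a
valid ZIP, and stale member timestamps show the log-collection step did not
actually run. All sample archives are constructed in memory.
"""
import io
import zipfile
from datetime import datetime

ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"  # RAR 4.x signature prefix
EXPECTED_LOGS = {"newfiles.txt", "nwktst.txt", "runkeys.txt"}  # names from the thread


def sniff(data: bytes) -> str:
    """Identify the archive by its leading bytes, ignoring the file extension."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR_MAGIC):
        return "rar"
    return "unknown"


def inspect_mglogs(data: bytes, not_before: datetime) -> dict:
    """Report whether the upload is a fresh, intact ZIP of the expected logs.

    ok is True only if the bytes are a real ZIP, every member passes the CRC
    check, each expected log is present, and each is dated at or after
    not_before (i.e. regenerated since the helper's last instructions).
    """
    kind = sniff(data)
    report = {"kind": kind, "ok": False, "missing": set(), "stale": set()}
    if kind != "zip":
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:  # name of first corrupt member, else None
                return report
            members = {i.filename: datetime(*i.date_time) for i in zf.infolist()}
    except zipfile.BadZipFile:
        return report
    present = set(members)
    report["missing"] = EXPECTED_LOGS - present
    report["stale"] = {n for n in EXPECTED_LOGS & present if members[n] < not_before}
    report["ok"] = not report["missing"] and not report["stale"]
    return report


def build_zip(entries: dict) -> bytes:
    """Construct a ZIP in memory from {name: (datetime, text)} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, (stamp, text) in entries.items():
            info = zipfile.ZipInfo(name, date_time=stamp.timetuple()[:6])
            zf.writestr(info, text)
    return buf.getvalue()


# Constructed samples: a fresh archive, a stale one, and a RAR renamed to .zip.
CUTOFF = datetime(2011, 7, 9, 12, 0, 0)  # assumed time of the helper's request
FRESH = build_zip({n: (datetime(2011, 7, 9, 15, 30), "log") for n in EXPECTED_LOGS})
STALE = build_zip({n: (datetime(2011, 7, 8, 9, 0), "log") for n in EXPECTED_LOGS})
RENAMED_RAR = RAR_MAGIC + b"\x00" * 64  # only the signature matters for sniffing

if __name__ == "__main__":
    for label, blob in (("fresh", FRESH), ("stale", STALE), ("renamed rar", RENAMED_RAR)):
        print(label, inspect_mglogs(blob, CUTOFF))
```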
  22. Grant W

    Grant W Private E-2

    TDSS log for your perusal
     

    Attached Files:

  23. Grant W

    Grant W Private E-2

    newfiles,nwktst & runkeys are about 30 minutes old
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it found what I was suspecting. Did you reboot after running it? If not then reboot now. Either way re-run TDSSKiller now and reattach a new log from it so we can make sure that it actually was successful at fixing this infection. This is possibly the reason behind all of your problems. Even the problems with running some programs.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Oh and one more scan I want to be run as a backup!!!


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  26. Grant W

    Grant W Private E-2

    I d/l'd hijack this again; this time it ran. I've attached the log.
    I did re-boot; I'll run TDSS again and attach the log
     

    Attached Files:

  27. Grant W

    Grant W Private E-2

    how are we looking now?
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No good. A different file is now showing to be a problem. This may mean that your MBR is infected. Run the MBRcheck program I asked you to run.
     
  29. Grant W

    Grant W Private E-2

    done
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As suspected. Your MBR is infected. Do you have your Windows XP Pro boot CD?
     
  31. Grant W

    Grant W Private E-2

    no; they are not supplied anymore
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you will need to make a special CD to boot from to repair your Master Boot Record.

    Since you say you do not have a Windows XP Boot CD, you will have to try something like below.


    See what was posted in message # 12 of the below thread and see if you can get this CD to run.

    whistler/black internet@mbr again!


    It's 3:10 AM here now, and I need to get some sleep before going to work in a few hrs. Be back later today. Good luck with this CD. Remember you will need to change the boot order in your PC's BIOS so that you boot from CD before booting from the hard disk.
     
  33. Grant W

    Grant W Private E-2

    cheers; get some sleep. I need to get a cd anyway. thanks for your help
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let me know once you have created the CD and have successfully repaired the MBR.
     
  35. Grant W

    Grant W Private E-2

    thanks, ran Hiren's boot CD then Malwarebytes which cleaned some files. I presume I'm all good now.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run MBRCheck again and attach a new log. Then do the same with TDSSKiller


    Also tell me how things are running from your end. ;)
     
  37. Grant W

    Grant W Private E-2

    It is running a lot better now thanks but Trend is still blocking more threats than it does on our other 2 machines.
     

    Attached Files:

  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not allow TDSSKiller to cure the problem with ndiswan.sys
     
  39. Grant W

    Grant W Private E-2

    TDSS finds new problems every time I run it; Firefox has become very slow, often hangs even after creating a new profile.
     

    Attached Files:

  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can now run ComboFix as instructed in the READ & RUN ME FIRST. Attach the log if it runs.
     
  41. Grant W

    Grant W Private E-2

    the TDSS Killer scan I did 30 minutes after the one attached is clean
    Thanks for your help.
     

    Attached Files:

  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not ask for any of these to be run. See my last message.
     
  43. Grant W

    Grant W Private E-2

    how does it look now?
     

    Attached Files:

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A little more to do.



    Now we need to use ComboFix again
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  45. Grant W

    Grant W Private E-2

    Thanks; it all seems to be ok; firefox is still very slow but I'm sure that will be covered in another thread somewhere.
    You have been so helpful:)
    cheers
    Grant
     

    Attached Files:

  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well there is one more item that showed itself after the last fix, but what exactly do you mean Firefox is slow? What aspects of using it are slow?
    • Startup?
    • Shutdown?
    • Browsing?
    • Downloading?
    Is Internet Explorer also making you feel the same way?
    Is the behavior the same if TrendMicro is temporarily shutdown?

    See what happens after the next fix below.



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  47. Grant W

    Grant W Private E-2

    All seems to be good now; running Firefox using a different profile did not work but getting the latest update fixed it.
    Once again; thank you for your help
     

    Attached Files:

  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  49. Grant W

    Grant W Private E-2

    Thanks; the only thing is when running defogger clicking yes to enable I got the message "unable to open file" is this a concern?
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Probably not. It did not look like you were using any disk emulation software so there was nothing to defog to begin with.
     