After Removing Spyware Fix etc. Problems

Welcome to Major Geeks!

Please run the below to uninstall McAfee:

McAfee Consumer Product Removal Tool

Then reboot your PC. After reboot, reinstall McAfee. If this does not fix your problem with McAfee, you will have to run throught the below malware cleaning process so that we can properly check your PC for malware.

READ & RUN ME FIRST. Malware Removal Guide

 

You're welcome. Surf safely!

 

You can either post in our Software Forum to check into the problems you are having with various services, or you can run the malware cleaning procedure I gave you earlied if you wish to verify whether your problems are due to malware.

Not sure if you really meant the services themselves ( like the registry entries and or driver files ) are really missing or whether you just mean the services were not running. Again this would be something to post in the Software Forum unless you want to pursue checking for malware.

 

If this is a question, I have no idea since you did not run our cleaning procedure.

 

If you SUPERAntiSpyware can finish running, then just let it continue without doing anything. If it cannot continue, just skip it and continue. If it does not run, skip it and continue.

 

Yes you did. Here is a list of the most recent ones. You ran them a few times

Code:

6,160 2011-12-08 22:51:29  C:\Users\SUE\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\SUPERAntiSpyware Scan Log - 12-08-2011 - 14-51-29.log
  588 2011-12-09 01:57:06  C:\Users\SUE\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\SUPERAntiSpyware Scan Log - 12-08-2011 - 17-57-06.log
 
 
1,039 2011-12-08 22:44:03  C:\Users\SUE\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2011-12-08 (14-44-03).txt
  901 2011-12-09 03:06:37  C:\Users\SUE\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2011-12-08 (19-06-37).txt

What files are you referring to? And which firewall are you referring to? McAfee or Windows. If you are trying to turn on the Windows firewall, you should not be doing this. You already have the McAfee firewall. Only one firewall should be running.

May be a problem internal to Windows.

Not completely yet. I have a fix posted further down.

When you tried to run it in normal mode, did you have ALL of McAfee shutdown?

Do you know what the below files and folders are? Is the

Code:

2011-11-28 23:41 . 2011-11-28 23:42 -------- d-----w- c:\users\SUE\AppData\Roaming\AC169528
2011-11-23 23:39 . 2011-11-23 23:39 -------- d-----w- c:\users\SUE\AppData\Roaming\Lacerte

Why is Chrome being started like below and why do you need to run it at all every single time you start your PC?

Code:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AC30C6C88D8B6DC4F764D2BFBD17F60969E73E56._service_run"="c:\program files (x86)\Google\Chrome\Application\chrome.exe" [2011-11-15 1036344]

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Seems to be a common problem with McAfee of late. We have seen a few threads with this complaint. Apparently cannot even protect itself from the malware that you bought it to protect you from.

I see the below om your ComboFix log

that is a driver/service for the McAfee firewall which likely means there is some kind of an issue with it.

Let's try uninstall one more time but without reinstalling it immediately. I want to look at some logs first to be sure it gets completely removed ( it frequently does not ). So uninstall it right now. Then run the below for good measure:

McAfee Consumer Product Removal Tool

Then reboot your PC. Do not skip this reboot.

After the reboot, download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• C:\MGlogs.zip

I want to review this log before continuing. Minimize your surfing right now while McAfee is uninstalled.

 

This is amazing. You had McAfee people looking at your PC and they did not find this problem?????????

You have TDL infection that has added a new partition onto your hard disk and has made it the active partition inplace of your real Windows boot partition. I see the below in one of your logs from MGtools. The RED item is the problem.

Code:

Get Partition Info From WMI in K-bytes                          
============================================================== 
Bootable  Name                   Size          Type                     
FALSE     Disk #0, Partition #0  49319424      Unknown                  
FALSE     Disk #0, Partition #1  13360955392   Installable File System  
FALSE     Disk #0, Partition #2  486695501824  Installable File System  
[COLOR=red][B]TRUE      Disk #0, Partition #3  1064960       Unknown[/B][/COLOR]          

Do you have your Windows 7 boot DVD?

 

Additionally, it appears that the Base Filtering Engine (BFE) service has been deleted and the bfe.dll file required for it is also gone.

The above quote is from http://www.blackviper.com/windows-services/base-filtering-engine/ where you can see more info about this service.

 

Okay now what I want you to do is to delete the C:\MGtools.exe file because I don't want you to run this anymore. In previous steps when I asked to run C:\MGtools\GetLogs.bat you instead re-ran MGtools.exe which does not produce the same results. So delete the MGtools.exe file now. We only need this file to initially get each new version of MGtools installed.

It looks like McAfee did not fully uninstall, did you run the cleanup program from them?

Also uninstall the below:
McAfee Virtual Technician

 

Is this a bootable DVD that allows you to boot into the System Recovery Environment from the DVD? Can you try boot from it just to see if you can use it to do this? Then you can just exit and boot back into Windows.

A good explanation on booting into this environment is in the below link but I don't want you to run any commands at the command prompt. I just want to see if you can boot up from the DVD.

http://www.bleepingcomputer.com/tutorials/windows-7-recovery-environment-command-prompt/


I have another boot CD I will be asking you to make that we will use to remove the infected partition I mentioned.

 

Leave your CD in the drive and restart.

Normally it would ask you if you want to boot from the CD if it is already inserted. Perhaps you need to go into your BIOS to set it to boot from CD before it would boot from the hard disk. This is the boot order options.

If this does not work then it is probably not a bootable DVD. It is probably just some upgrade disk or other junk your PC vendor gave you but it is not a full installation disk if it is not bootable.

 

You need to just delete the MGtools.exe file ( has the superman symbol icon ) not the C:\MGtools folder.

 

What I need to know before continuing is were you actually able to boot up this CD all the way to the command prompt of the System Recovery Environment as shown in the link I gave you. We cannot continue until I know you can do this.

 

The below should remove it.

Open a command prompt window by clicking Start, Run, and enter cmd and click OK. If the window opens type each of the below commands in. Follow each by the enter key. Note there are spaces after the sc and after the stop and after the delete.

sc stop McMPFSvc
sc delete McMPFSvc

The stop request may say it is not running. Just continue.

 

It does not sound like you are doing what we want. I don't think you need to click the Load Drivers button that you must have clicked. You should just click Next and then follow the instructions afterwards. We also do not want to perform a System Restore at this time. We just want you to Cancel that as shown as we just want to verify that you can get to the command prompt where we will need to run some commands at a later time.

We are trying to verify that you can do this first because if we did other repair steps to remove the infected partition, you will not be able to boot your PC until we boot into this command prompt of the System Recovery Environment to run a few fixes.

 

Okay then this may be occurring due to the infected partition which is not a Windows partition.

You should backup ALL important data before continuing. The below is the only way we have to remove this infected partition and while this normally works quite well without problems, this malware is changing all the time and something could go wrong. Thus to be safe, you need to back up your data to DVD, external/removable drive or to another PC.

Let's continue by making that CD I mentioned earlier.


I need you to download the below:

• gparted-live-0.10.0-3.iso (115.1 MB)

Now create a bootable CD the above ISO image file. You can use ImgBurn do this.

And see the below link if you are not sure how to create a CD from an image file:

Using ImageBurn to Burn an ISO image

After you create this Gparted CD you will now need to boot up your PC using this Gparted CD. You can follow along with the below which illustrates what you will see at various points.

http://img829.imageshack.us/img829/5772/gpartedsplash.th.png
You should be here...
Press ENTER
http://img5.imageshack.us/img5/7286/gpartedkeymaps.th.png
By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
Choose your language and press ENTER. English is default [33]
http://img140.imageshack.us/img140/7958/gpartedgui.th.png
Once again, at this prompt, press ENTER
You will now be taken to the main GUI screen below
http://img32.imageshack.us/img32/1122/gpartedo.th.png
According to your logs, the partition that you want to delete is the 1.02 MB partition I mentioned earlier. DO NOT delete any of the other three larger partitions.
Click the trash can icon to delete and then click Apply.
You should now be here confirming your actions:
http://img233.imageshack.us/img233/1533/gpartedsteps.th.png
Now you should be here:
http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png
http://img194.imageshack.us/img194/7753/gpartedboot.th.png
Is boot next to your OS drive?
If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags
In the menu that pops up, place a checkmark in boot like the picture below:
http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png
Now double-click the http://img822.imageshack.us/img822/641/gpartedexit.png button.
You should receive a small pop up like this:
http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
Choose reboot and then press OK.

Now reboot from the Windows 7 DVD so that we can again try to get into your System Recovery Environment.and once you get to the command prompt, enter the following commands:

• bootrec /FixMbr
• bootrec /fixboot
• exit

When you enter the exit command your PC will reboot, remove the CD and attempt to boot Windows normally.

 

Okay. Been a long day for me too. You're welcome.

No not today anyway. It was a nice clear night with a full moon last time I checked. It's cold enough to do so. About 29 F right now.

I guess you don't have to worry about snow where you are at.

 

Okay so let me see if I understand where you are at and what you were able to do:

1. Were you able to run Gparted and find and remove that partition?
2. Were you able to boot yor Windows DVD and get into the System Recovery Environment command prompt and run the bootrec /FixMbr and bootrec /fixboot commands?
3. Is your PC booting up into Windows right now without a problem.

If you are able to boot into Windows, continue with the below.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


Now attach the below log:

• C:\MGlogs.zip