Help with removing malware

Yes, Chas, I'm on the case!

Yes, please try and start it because even if you do not need the firewall you do the ICS. Does it start up ok? If not - any errors? Also what happens when you try to start this service? Network Connections

 

And the Network Connections?

 

Not in previous logs.

Please run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Yes now this log shows it is okay; however I see MANY other services that are not in expected states.

I cannot believe this is all due to the malware you had as it is not typical of this malware to cause this many changes. Had you in the past many any kinds of tweaks to your system services in some attempt to improve performance as commonly ( and quite mistakenly ) posted on many websites?

Please shutdown ALL protection software and then run the below again. I know you ran it before but I want to do it again. Pay close attention to which options I have selected.


Be patient while doing the below. The fixes can take quite awhile to run. Especially the permissions repairs. It may be best to kick it off and goto bed or do something else. It is better not to run anything while the repairs are going on.


Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
• Now select the Start Repairs tab.
• The click the Start button.
• Create a System Restore point if prompted.
• On the next screen, click the Unselect All button to first deselect all repairs.
• Now select the following repair options:
  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Repair WMI
  • Repair Windows Firewall
  • Remove Policies Set By Infections
  • Repair Winsock & DNS Cache
  • Repair Proxy Settings
  • Repair Windows Updates
  • Set Windows Services To Default Startup
• Now on the lower right side check the box to Restart/Shutdown System When Finished
• Then make sure the Restart System radio button is enabled.
• Shutdown any other programs that you are running now before continuing.
• Now click the Start button.
• Be patient while the tool repairs the selected items.
• It should reboot automatically when finished.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Thanks for your input Chas, much appreciated. You're in good hands jlachey

 

Did you first disable ALL protection software ( this includes the junk from AOL, Avast, ZoneAlarm )?

Also once you select all the options, shutdown your browser before clicking Start.

Please try again.

 

Well now the Network Connections service shows that it is no longer running again. As are many other services. As stated earlier, I do not think all of this is due to malware damage. There are way to many things in the wrong state to have been from malware that you had. This is not at all typical. Also it seems you don't have any restore points we could attempt to use to fix this. Let's try the below using ComboFix but we will first need to download a new copy to your Desktop. Also we will need to do this in a few stages since there are so many broken services.

Download this combofix.exe and save to your Desktop. Do not run it yet. Just save it.


Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.


Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Good. That fixed 13 services. Let's try to fix a few more with another registry patch.

Yes it was not running. Now it is.


Copy the bold text below to notepad. Save it as fixme2.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

I did not realise so much was broken! Nice one Chas. :major

 

Well now most of what we fixed is broken again. I think it is time you bite the bullet and reinstall. There is just too much messed up to be able to repair. Your other choice may be to use Macrium to restore an old backup.

 

You're welcome. One other thing of note if you reinstall. Do not have two active Windows partitions like you have now. You have somethings trying to load from drive F and some from drive C. There should be only one "ACTIVE" Windows partition.

 

From your logs there were examples of what I'm referring too. For example in RogueKiller it showed the two hard disks and both of them have Active Windows boot partitions.

Code:

+++++ [COLOR=darkred][B]PhysicalDrive0: WDC WD2500JB-57REA0[/B][/COLOR] +++++
--- User ---
[MBR] c7d283efd6f72a116f5c4a6e68b934a6
[BSP] 124cd039919cf1c728422027a3563770 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 31 Mo
1 - [COLOR=darkred][B][ACTIVE][/B][/COLOR] NTFS (0x07) [VISIBLE] Offset (sectors): 64260 | Size: 238441 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ [COLOR=darkred][B]PhysicalDrive1: MAXTOR 6L040J2[/B][/COLOR] +++++
--- User ---
[MBR] 3457ac3ae5cfdb2a5d269d6c6080e1bc
[BSP] f49cae14d8b91b005dff84b1f6d8852f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 31 Mo
1 - [B][COLOR=darkred][ACTIVE][/COLOR][/B] NTFS (0x07) [VISIBLE] Offset (sectors): 64260 | Size: 38138 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Only one disk should have an active boot partition. You should have turned the other into a slave drive just to hold data. You have things setup where you are booting Windows from drive F and then having some things like C:\Program Files reference while this in itself is not necessarily an issue, the two active boot partitions is. I'm not sure of everything you did but you may even have Windows itself confused on where your registry is and perhaps this is even part of the reason that your services are all messed up. I cannot be sure but I do know all of this is not due to malware. And since each time we get things fixed, and then they break again on the next reboot, it points towards some internal issues with Windows. For stability sake, it would be better to reinstall; however you could try temporarily disconnect the smaller ( and I assume older ) drive and then see if your PC will bootup Windows properly.

I'm not even sure if removing the Active setting on one of the drives will cure the problems you have.

Do you have a full backup from Macrium? Possibly you could use it?

 

Well while you only have one drive connected ( either the C or the currently F drive ), run MGtools and attach the new log so we can see what the status is in that mode with all your services.

 

This is likely the effect of having Windows installed on both and both being active. This is why we were having problems previously in getting services fixed. Perhaps you would be better off reinstalling.

 

On behalf of us both, you are *most* welcome.