Aggravating Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by mccauslind, Aug 17, 2009.

  1. mccauslind

    mccauslind Private E-2

    I am working on a friend's PC that is infected with God knows what. When I got it, it would not allow any .bat, .com or .exe files to run. I took the drive out, slaved it to my PC and ran MalwareBytes and AVG on it. It cleaned many (157) various infections from back-door trojans to virtumonde.
    I put the drive back in their PC, used the reg fixes from Kelly's Corner to fix file associations. I thought it was back up and running properly.
    Five days later, they call and it is messed up again. I did the same procedure, cleaned lots of baddies off, and it is up and running again.
    However... There is still a hijacker in there somewhere, as it will not go to any security sites. I tried to go to Microsoft Windows OneCare, but it goes to ad sites instead.
    I tried to run HijackThis!, it will not run. I tried to load MalwareBytes on that drive to run locally, it will not run. I tried to "trick" it like the folks from mbam suggest, by changing the install's name, then changing the exe name. Still will not run.
    AVG will start, but as soon as the scan is requested, it blanks out.
    I loaded Spybot, but as soon as I tried to start a scan, it closed.

    This is a Dell Dimension E510. My friend said that it never came with a Windows XP restore CD, and they never made one (tsk! tsk!).
    At this point, I am ready to trash it all.

    Any ideas? A huge thanks in advance!

    Dave
     
  2. mccauslind

    mccauslind Private E-2

    My apologies for not running all your recommended/required steps. It will not allow any of those utilities or programs to run. I cannot access any online security sites.

    - Dave
     
  3. mccauslind

    mccauslind Private E-2

    So far:
    Followed the Basic Maintenance Steps first.
    Only antivirus program is AVG Free 8.5
    Using Windows Firewall only
    No ViewPoint apps installed
    Sun Java is up to date
    I had already emptied the quarantine folders, emptied the Recycle Bin and cleared temps
    CCleaner loaded, but will not run. When I try to run it, it will not respond
    MSConfig is set to normal
    MalwareBytes will install, but will not run
    Spybot will install, but will not run
    AVG will not update or run
    When I try to run any of these, I get a message that says
    "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
     
  4. mccauslind

    mccauslind Private E-2

    Worked on this again tonight. Went through steps after logging on as different user with Admin rights. Again, this is XP SP2.
    Repeated Housecleaning.
    SuperAntiSpyware will not run. Still gives message "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
    MalwareBytes AntiMalware installs, but will not run. Displays message "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." I tried renaming the .exe as MB suggests, but results were the same.
    ComboFix DID run this time. Log is attached.
    RootRepeal loads. I selected "Files" and nothing showed in the tab. I selected Scan, and then selected Drive C:. Nothing displayed, nothing scanned, no log would save.
    Ran MGTools. This ran and saved the log that is attached.
     

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    At this point, do not download anything, install anything, or in short do anything we do not ask you to do as it could just complicate removal of your malware. Please only do what we ask and nothing else.

    We will now run Avenger to remove some malware.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5


    Now try to run SUPERAntiSpyware, Malwarebytes and RootRepeal per the cleaning instructions.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\avenger.txt
    • the logs from SUPERAntiSpyware, Malwarebytes and RootRepeal if they ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. mccauslind

    mccauslind Private E-2

    I was able to run The Avenger. After that, I tried SuperAntiSpyware, MalwareBytes and RootRepeal. SuperAntiSpyware would not run. It gave the same message that I did not have appropriate permissions. MalwareBytes and RootRepeal DID run, however.
    I then ran CCleaner, as directed.
    Finally, MGTools.
    Requested logs are attached.
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we have some more to remove.

    First uninstall SUPERAntiSpyware and delete any installers you previously downloaded for it.


    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now download, install, update and try to run a scan using the below links for SUPERAntiSpyware.
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • the SUPERAntiSpyware log if it ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  8. mccauslind

    mccauslind Private E-2

    First, thanks for sticking with me! I appreciate your time and talent in this!

    Avenger ran, and the log is attached.
    SuperAntiSpyware uninstalled and then would not install. Said I did not have sufficient permission.
    CCleaner ran.
    MGTools ran, and the log is attached.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Other than the troubles with SUPERAntiSpyware not running, are you having any other problems? Your logs appear to be clean now.
     
  10. mccauslind

    mccauslind Private E-2

    Things seem to be running well except for a couple things. I tried to re-load AVG-Free, and it said it could not add the registry key, so the install failed. When I tried to clean the desktop of some of the tools, a few would not be moved, said that access was denied.

    Other than that, things seem to be running properly. It is no longer hijacking the web pages, redirecting, etc.

    Thanks again for your help! I greatly appreciate it, and so does my friend. If you think things still need to be looked at, let me know what you want to see.

    Have a great Labor Day! :)

    Dave
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running their removal tool: AVG Remover(32bit)

    After running it make sure that you reboot.
    Then redownload the program from here: AVG AntiVirus Free Edition
    Try reinstalling.


    Also do the below!

    It is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  12. mccauslind

    mccauslind Private E-2

    Followed your steps. The uninstall worked, but the install failed with this message:
    Local machine: installation failed
    Installation:
    Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
    Error 0x80070005

    Any suggestions on other free A/V products? What of Vipre?

    Thanks!

    Dave
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Possibly residual damage caused by the infection you had. You could try running this Resetting Registry and File Permissions and then see if you can install it. If not, uninstall it and run the removal tool to be sure. Then use something else.


    Not a free tool.
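An added diagnostic, not from the thread or from the linked reset procedure, for the 0x80070005 (E_ACCESSDENIED) error in the previous post: it dumps the ACL on the exact key the AVG installer could not create under and flags Deny entries or a missing Full Control grant for Administrators, which is what residual permission damage looks like. Assumes PowerShell 2.0 or later run from an elevated prompt; the key path is the one quoted in the error.

```powershell
# Added example, not part of the thread. Assumes PowerShell 2.0+ and an
# elevated (Administrator) prompt so the ACL can be read.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# List every access control entry on the key: who, which rights, Allow/Deny.
function Get-KeyAceReport {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights.ToString()
            Type      = $ace.AccessControlType.ToString()   # Allow or Deny
            Inherited = $ace.IsInherited
        }
    }
}

# Summarise whether an installer running as an administrator can write here:
# owner, count of Deny entries, and whether BUILTIN\Administrators has Full Control.
function Test-KeyWritableByAdmins {
    param([string]$Path)
    $acl  = Get-Acl -Path $Path
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
    $adminFull = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    })
    New-Object PSObject -Property @{
        Path              = $Path
        Owner             = $acl.Owner
        DenyEntries       = $denies.Count
        AdminsFullControl = ($adminFull.Count -gt 0)
    }
}

Get-KeyAceReport -Path $keyPath | Format-Table Identity, Rights, Type, Inherited -AutoSize
Test-KeyWritableByAdmins -Path $keyPath | Format-List
```

A Deny entry, or Administrators without Full Control, matches the 0x80070005 the installer reported. The Resetting Registry and File Permissions procedure linked above (or Regedit's Permissions dialog, taking ownership first) is the place to repair it rather than editing entries one by one.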
     
  14. mccauslind

    mccauslind Private E-2

    Thanks! I ended up just leaving the residual HiJackThis!, and MalwareBytes on it. I could not remove them, nor would it let me move them off the desktop to a folder. I just let my friend know that they should never try and use them, as they were inoperable... ;)

    For antivirus, I was able to successfully download and install Vipre. So it appears that they are up and running, and life is once again good in the realm.

    Thanks again for all your help!

    Dave
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below.

    • Please save Win32kDiag file to your desktop.
    • Click on Start->Run, copy-paste the following command (the bolded text) into the "Open" box, and click OK:
      "%userprofile%\desktop\win32kdiag.exe" -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log.



    Now we need to scan the system with this special tool.
    • Please download Junction.zip and save it.
    • Unzip it and put junction.exe in the Windows directory (C:\Windows).
    • Go to Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >log.txt
      A command window opens starting to scan the system. Wait until a log file opens. Attach this log that is in the Windows folder.
     
    Last edited: Sep 18, 2009
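As an added example, not from the thread or from the Junction tool's author, the same check that `junction -s c:\` performs, done in PowerShell: walk the drive and report every file or directory carrying the reparse-point attribute, which is how junctions and symbolic links (paths that silently resolve somewhere else) show up. Assumes PowerShell 2.0 or later and an elevated prompt; the output file mirrors the log.txt the post asks for.

```powershell
# Added example, not part of the thread. Assumes PowerShell 2.0+ and an
# elevated prompt. Older PowerShell follows junctions during -Recurse, so
# on Vista and later expect this to be slower and to hit path-length errors
# (suppressed below) before it finishes.
function Get-ReparsePoints {
    param([string]$Root = 'C:\')

    $reparse = [System.IO.FileAttributes]::ReparsePoint
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $reparse) -ne 0 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path        = $_.FullName
                IsDirectory = $_.PSIsContainer
                Attributes  = $_.Attributes.ToString()
            }
        }
}

# Mirror the post's "junction -s c:\ >log.txt": write the report into the
# Windows directory and also show it on screen.
$log   = Join-Path $env:windir 'log.txt'
$found = @(Get-ReparsePoints -Root 'C:\')
$found | Format-Table Path, IsDirectory, Attributes -AutoSize |
    Out-String -Width 200 | Set-Content -Path $log
"Reparse points found: $($found.Count) (written to $log)"
$found | Format-Table Path, IsDirectory, Attributes -AutoSize
```

Compare the list against what you expect on a clean install of the same Windows version; a reparse point sitting on a system folder or on a security tool's install directory is the kind of entry the requested log is meant to surface.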
