Can't run installs after virus alerts

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Fr@cture, Jan 10, 2006.

  1. Fr@cture

    Fr@cture Private E-2

    Hi

    I'm new here, but I have read the pages about what to do before posting.

    I have followed the instructions, but my problem still remains.

    Here is some background.

    I turned my computer on New Year's Day, and almost immediately received about 6 virus alerts from AVG Free before I got an application error message and it shut down.

    I restarted the machine and tried to scan my computer with AVG, but the scan button wasn't working; clicking on it had no effect. I then attempted to fix it in Add/Remove Programs. This led to it being uninstalled. Attempting to reinstall it, I discovered that I could no longer run the install file. Clicking on it, I would get the working mouse icon for about a second, then nothing would happen.

    I tried running some other spyware detectors I had installed on my computer. Spybot S&D revealed a couple of cookies, which it removed. Ad-Aware SE revealed some more critical objects, which were also removed.

    Restarting the computer, I still had the same problem, so I tried to run the Malicious Software Removal Tool, but typing mrt into the Run prompt failed to do anything as well.

    By this time I was getting desperate and attempted to run some install programs for other spyware/antivirus programs, either from the internet or from some CDs. Here is a list of successes/failures:

    - Norton Anti Virus trial - failed
    - AVG Free - failed
    - Avast - failed
    - Spyware Sweeper - success
    - Spyware Doctor - success

    During this time, when I was attempting to install off a CD (which is the only time it worked, although it took many attempts), I received a blue screen error stating a physical address error caused by avpe64.sys.

    Running both Spyware Sweeper and Spyware Doctor, over 112 infected files were successfully removed; many were infected with trojans, and at least one was a variant of CWS.

    After restarting the machine I found that I still had the problems, so I did some research and have found that avpe64.sys might be part of a rootkit called Haxdoor (I found this information on the Sophos anti-virus website).

    And after reading some computer magazines I have installed Rootkit Revealer, which found all the files listed on the Sophos anti-virus site as being part of Haxdoor.

    I then decided to seek more help, and that has led me here. I have read and attempted everything in the READ ME FIRST thread.

    CCleaner won't install, and I still can't get the Malicious Software Removal Tool to run.

    I followed the instructions for all the others, and they have between them found and removed a number of different infections, ranging from more cookies to other trojans (yes, I did run the tests in Safe Mode).

    I have also run the BitDefender and Panda online virus programs (again in Safe Mode, with networking this time).

    BitDefender found a number of trojans and removed them. I have the log file if requested.

    Panda found some more problems. I was unable to find an option to save a log, but I have written down the results if requested.

    I have also installed HijackThis according to your instructions and run it, yes, in normal mode after restarting the computer with normal startup selected in msconfig. I have a log file if requested.

    I have also run Rootkit Revealer and saved a log file from that, if requested.

    I am now stuck and unsure what to do, so I am here asking for help.

    Thanks in advance to anyone crazy enough to try.
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please post a HijackThis log, the BitDefender and Panda logs.
     
  3. Fr@cture

    Fr@cture Private E-2

    Here are my logs.

    As mentioned in my previous post, I don't have a log from Panda,
    but I did write down the results.

    Here are the results:

    Virus 1
    Spyware 28
    Hacking Tools and Potentially unwanted tools 1
    Dialers 0
    Security Risks 0
    Suspicious Files 1
     

    Attached Files:

  4. Fr@cture

    Fr@cture Private E-2

    Ah, I ran Panda again to see if I could get a log file.

    I ran it in normal mode this time, since it is a fixed-size window; when I ran it in Safe Mode I could not see the button to view the log.

    Here is the new log. It found the same number of infections as when I ran it in Safe Mode, except it did not detect the 1 virus this time.
     

    Attached Files:

  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan with HijackThis and fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions for Running Ewido Security Suite.

    Download Rootkit Revealer 1.56


    Once download is complete, run the utility and click SCAN to begin scanning your system.

    If you need any help with this utility please see the site below...
    http://www.sysinternals.com/Utilities/RootkitRevealer.html

    After you complete a scan, attach the log to your next post.

    Post the Ewido and Rootkit Revealer logs along with a fresh HijackThis log.
     
  6. Fr@cture

    Fr@cture Private E-2

    Followed instructions. I did not find any of the files in ExplorerXP, so I assume that Pocket Killbox removed all of them.

    Here are the fresh logs
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to PYKBFX ... right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    PYKBFX

    Copy the contents of the below quote box to Notepad, Save As RegFix.reg to your Desktop.
    REBOOT to Safe Mode.

    Double-click RegFix.reg and answer 'Yes' when asked if you want to merge with the registry.

    Open ExplorerXP navigate to and DELETE the following:
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Scan with HijackThis and fix the following: (May no longer be present)
    REBOOT

    Run RootkitRevealer again.

    Post a fresh HijackThis log along with the RootkitRevealer log.
     
  8. Fr@cture

    Fr@cture Private E-2

    I have tried to follow the instructions, however:

    I was unable to find these files in ExplorerXP:

    D:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
    D:\WINDOWS\system32\avpe64.sys
    D:\WINDOWS\system32\klgcptini.dat
    D:\WINDOWS\system32\qz.dll
    D:\WINDOWS\system32\qz.sys
    D:\WINDOWS\system32\stt82.ini
    D:\DOCUME~1\FR@CTU~1\LOCALS~1\Temp\PYKBFX.exe


    Also, whilst running Rootkit Revealer my anti-virus detected a virus in a System Restore point .dll file, so I deleted the file. It may be the System Restore .dll that appears in the Rootkit log.
     

    Attached Files:

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, let's do the following:
    Please make sure System Restore is OFF.
    How to view hidden, system files & folders!
    Searching for Hidden Files on WinXP

    Now do the following:
    Running Ewido Security Suite; run Ewido in Safe Mode; post the log.

    Run Spybot Search & Destroy; run in Safe Mode; post the log.

    Run RootkitRevealer post the log.

    Download the attached GetRunKey119.zip to your PC someplace you can locate it. Then extract the files from the ZIP. Locate the getrunkey.bat file and double click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt). This log will also pop up in a Notepad window, which you can just close. Upload the runkeys.txt file here as an attachment.
     
  10. Fr@cture

    Fr@cture Private E-2

    OK.

    System Restore is now off, and I rescanned for all the files, having checked the settings for viewing hidden and system files. The following files still do not show up in either the Windows Search or in ExplorerXP.

    I ran Ewido and Spybot; both scans did not reveal any problems. Logs are attached.

    Rootkit Revealer log is also attached.

    I could not find
    so I was unable to run this step and don't have an attachment for it.

    Please also note that I have noticed the file avpe64.sys is loaded when I enter Safe Mode (it is the last file on the list).
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Sorry about that, it didn't attach.

    Here is a new version:
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Search for and delete; Logitech Desktop Messenger.lnk.

    Uninstall Kazaa Lite.

    Download Blacklight Beta from here:
    http://www.f-secure.com/blacklight/try.shtml
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of log.
     
  13. Fr@cture

    Fr@cture Private E-2

    Here is the Blacklight log.

    I was unable to run GetRunKey120, because I don't have a C: drive. My drives are a SATA array, so the boot drive is D:.

    Also, while running the Blacklight scan an anti-virus box did appear. I left it alone as you specified, but I thought you'd want to know the file that caused the alert was qz.dll,

    one of the files on the list in a previous post that did not appear in ExplorerXP.
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to avpe32 or TCPIP2 Kernel32 ... right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    avpe32 or TCPIP2 Kernel32 (whichever was located from above)

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to avpe64 or TCPIP2 Kernel ... right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    avpe64 or TCPIP2 Kernel (whichever was located from above)

    Copy the contents of the below quote box into notepad and Save As FixHx.reg to your Desktop. Do not run it yet.
    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Locate FixHx.reg on your desktop and double-click it. Answer 'Yes' when asked if you want to merge with your registry.

    Open Windows Explorer navigate to and delete D:\!Killbox.

    REBOOT to Normal Mode.

    Post a fresh BlackLight Log.
     
  15. Fr@cture

    Fr@cture Private E-2

    Right, neither of the two services were listed,

    but I did spot two suspicious ones:

    IJWQNOKCOTXVNO

    and

    MRZNMGF

    They looked suspicious since neither had a description.

    I followed the rest of the steps, including the FixHX file. Pleased to say that I noticed avpe64.sys did not appear on the list when I booted into Safe Mode.

    Here is the Blacklight log.
     

    Attached Files:

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I have modified the GetRunKeys batch file; it should now run on your system.
     

    Attached Files:

  17. Fr@cture

    Fr@cture Private E-2

    Here is the getrunkeys log.
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  19. Fr@cture

    Fr@cture Private E-2

    Here is the WinPFind log.
     

    Attached Files:

  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Open REGEDIT, navigate to the following Registry Key: HKLM\SYSTEM\CurrentControlSet\Services

    Locate IJWQNOKCOTXVNO and MRZNMGF

    Export both keys. Change the file extension from .reg to .txt and post as attachments.
     
  21. Fr@cture

    Fr@cture Private E-2

    Here are the two reg entry attachments.
     

    Attached Files:

  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to MRZNMGF ... right-click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    MRZNMGF

    REBOOT to Safe Mode.

    Open Windows Explorer, navigate to and delete the following:
    Open Regedit, navigate to and delete the following registry keys:
    REBOOT to Normal Mode.

    I need more information for the
    IJWQNOKCOTXVNO service. Look for a file path under the registry key for that service. Tell me if there is one or not; and if there is a file path give me the file path.
     
  23. Fr@cture

    Fr@cture Private E-2

    OK, I removed the service as described, but the file was not present in either Windows Explorer or ExplorerXP.

    The registry entries were also not present.

    As for the other service, it is already set to disabled, and it does have a registry entry, with an ImagePath that leads to an executable.

    The registry entry has two sub folders, Security and Enum.

    D:\DOCUME~1\FR@CTU~1\LOCALS~1\Temp\IJWQNOKCOTXVNO.exe

    I was also unable to find the file in Windows Explorer or ExplorerXP.
     
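An added example, not code from the thread or from any of the tools it uses, for the step Shadow_Puter_Dude asks for in posts 20 and 22: exporting a Services key from regedit and reading its ImagePath. It parses a "Windows Registry Editor Version 5.00" export (including the hex(2) UTF-16LE form regedit uses for REG_EXPAND_SZ and its line continuations) and flags the two indicators this thread relied on: no DisplayName/Description and an ImagePath under a user Temp folder. The service name and Temp path are the ones reported in post 23; the dword values and the benign Dhcp entry are constructed for contrast.

```python
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")

def _hex2(s: str) -> str:
    """Encode text the way regedit exports REG_EXPAND_SZ: 'hex(2):' UTF-16LE byte pairs,
    NUL-terminated, wrapped onto continuation lines ending in ',\\' (used to build the sample)."""
    body = "hex(2):" + ",".join("%02x" % b for b in (s + "\x00").encode("utf-16-le"))
    lines, width = [], 76
    while len(body) > width:
        cut = body.rfind(",", 0, width) + 1
        lines.append(body[:cut] + "\\")
        body = "  " + body[cut:]
    lines.append(body)
    return "\n".join(lines)

def _decode_value(raw: str) -> str:
    """Decode one value body: "string" (with \\\\ and \\" escapes), dword:, or hex-type bytes."""
    if raw.startswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    if raw.startswith("hex"):
        kind, hexpart = raw.split(":", 1)
        data = bytes(int(b, 16) for b in hexpart.split(",") if b)
        if kind in ("hex(2)", "hex(7)"):   # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE text
            return data.decode("utf-16-le").rstrip("\x00")
        return data.hex()                  # REG_BINARY: keep raw bytes as hex
    return raw

def parse_reg_export(text: str) -> dict:
    """Parse a regedit 5.00 export into {key_path: {value_name: decoded_value}},
    re-joining the ',\\'-continued lines regedit writes for long hex values."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.startswith('"') and line.endswith("\\"):
            pending = line[:-1]            # value continues on the next line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, raw = line.split("=", 1)
            keys[current][name.strip('"')] = _decode_value(raw)
    return keys

def triage_service(values: dict) -> list:
    """Return the indicators the thread used: no DisplayName/Description, and an ImagePath
    that launches from a user Temp folder (an empty list means nothing was flagged)."""
    findings = []
    if not values.get("DisplayName") and not values.get("Description"):
        findings.append("no DisplayName/Description")
    image = values.get("ImagePath", "")
    if any(m in image.lower() for m in TEMP_MARKERS):
        findings.append("ImagePath in a Temp directory: " + image)
    return findings

def triage_export(text: str) -> dict:
    """Map each exported Services\\<name> key to its findings."""
    return {key.rsplit("\\", 1)[-1]: triage_service(vals)
            for key, vals in parse_reg_export(text).items()}

# Constructed sample export: the service name and Temp path are from the thread, the
# dword values and the Dhcp entry are invented so the parser sees both value styles.
SERVICE_PATH = r"D:\DOCUME~1\FR@CTU~1\LOCALS~1\Temp\IJWQNOKCOTXVNO.exe"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IJWQNOKCOTXVNO]",
    '"Type"=dword:00000010', '"Start"=dword:00000004', '"ErrorControl"=dword:00000001',
    '"ImagePath"=' + _hex2(SERVICE_PATH), "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]",
    '"DisplayName"="DHCP Client"', '"Start"=dword:00000002', '"Type"=dword:00000020',
    '"ImagePath"=' + _hex2(r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
])

if __name__ == "__main__":
    for name, findings in triage_export(SAMPLE_REG).items():
        print(name, "->", findings or "nothing flagged")
```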
  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Stop and remove the service, and delete the registry key. Using my last post as a guide.

    REBOOT.

    How is your computer running?
     
  25. Fr@cture

    Fr@cture Private E-2

    OK, done.

    The system appears to be working fine; certainly all the symptoms that brought me here to the forum are now gone.

    I will re-run all the scans suggested in the READ ME FIRST thread, and let you know the results.

    Thanks for all the help
     
  26. Fr@cture

    Fr@cture Private E-2

    OK, after running all the scans:

    BitDefender found 5 infected e-mails, which have been removed. Rescanning shows that this was successful.

    And Panda found one infected cookie. Running CCleaner has removed this, and rescanning has also verified this.

    None of the other scan programs returned any instances of viruses or spyware.

    Thanks for all the help.
     
  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

