first serious infection

Important: This task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

How to back up and restore the registry in Windows]

1. Download and then installSubInACL (SubInACL.exe)file from Microsoft.
2. Click Start, Run and enter notepad and click OK to bring up the Windows Notepad program.
3. Copy and then paste the following text into Notepad.

Code:

cd /d "%ProgramFiles%\Windows Resource Kits\Tools" 
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

4. Save this Notepad file as Reset.cmd to your desktop. Be sure the Save as type is set to all files.
5. Once you have save it properly, double-click the Reset.cmd file to run the script.

* Note This script file may take a long time to run. Additionally, you have to run this script as an administrator.

6. Now reboot your computer! You must do this before the above will take effect.

Now see if you can run the other scans.

 

Try creating one or more of these boot disc's:

 

Do let me know how you progress!! There are a few other things we can try if nothing works.

 

Please try doing the below:

Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then doube click on it to run it.

AVPFind.bat

It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that is will hopefully create as long as the malware does not block the batch file from running.


Now download and Run exeHelper

• Please download exeHelper to your desktop.
• Double-click on exeHelper.com to run the fix.
• A black window should pop up, press any key to close once the fix is completed.
• Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Also please try running the below online scan:

http://www.superantispyware.com/onlinescan.html

Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

Then try running these instructions: Using MGtools


Attach the below logs when finished with all of the above:

• C:\avplog.txt - from AVPfind
• log.txt - from exeHelper
• C:\MGlogs.zip - from MGtools

The C:\ assumes that drive C is you Windows boot drive. If you boot from another drive, then use the correct drive letter above.

 

Try running MGTools in safe mode. Let me know what happens. Where you able to run ComboFix again?

 

Sorry, I have slept since then. LOL. Let me know if you can run things in safe mode.

 

Can you right click the exe file and under properties check the security tab and add your account for the permissions? If you still can't run it, let's try this:

Download OTL by Old Timer. and save it to your Desktop.

* Double click on OTL.exe to run it.
* Under Output, ensure that Minimal Output is selected.
* Under Extra Registry section, select Use SafeList.
* Click the Scan All Users checkbox.
* Click on Run Scan at the top left hand corner.
* When done, two Notepad files will open.
o OTListIt.txt <-- Will be opened
o Extra.txt <-- Will be minimized
* Please post the contents of these 2 Notepad files in your next reply.

 

Download SeDebug-Restore
Save to your desktop and double click to run.

Now see if you can run MBAM.

 

It looks like sUBs has removed the file. Hang in there, I need to consult with the other malware fighters as to the next procedure to try in fixing your permissions issues.

 

Please don't think that I have forgotten about you. We are still discussing this situation.

However, in the meantime, I would suggest that you try to back up all of your personal files and info in case we are left with having to do a reformat and clean install.

 

Ok, lets try a few things and see what happens>

First, try this:
http://fixitcenter.support.microsoft.com/Portal/

Then if it doesn't fix your system, I want you to see if you can create a new user account with Admin. privileges.

Let me know.

 

Use another PC to download the installer for the version of .NET Framework it wants. Then via a USB flash drive or CD, copy to this PC.

For example, below is a link for version 3.5 and at the end of this you can see links for version 3.5.1 and 4

http://www.microsoft.com/downloads/...fd-ae52-4e35-b531-508d977d32a6&displaylang=en

 

Does it mention a specific version number?

It is starting to sound like there are too many problems within your copy of Windows and that you may have to perform a reinstall to fix it. Let me ask a couple other questions:

• Do you have your Windows boot CD?
• Have you attempted to run System Restore to go back to a restore point from before when your problems began?

 

Does the C:\MGtools folder exist? And do you see the FixACLS.bat file in the folder?

 

Are both the C drive and the G drive bootable drives containing copies of Windows?

 

I'm just trying to understand your setup. And what is drive I. Is this just a backup drive? And is it a removable or fixed drive?


Please do the below after answering my questions.

Please click Start, All Program, Accessories and you will see ( among other things ) a Command Prompt entry.

• Right click the Command Prompt entry and select Run As Administrator.
  • It is critical that you run it this way.
• If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
• Enter the below commands at the command prompt each followed by the enter key. Try each command!!!! The bold black are commands. The purple/brown is merely informational.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
FixACLS <-- this will try to fix a limited number of permissions issues on a few files and folder. Tell me what error messages, if any, you see.
nwktst <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
analyse <-- this will try to run TrendMicro Hijackthis. Click Twice on the Accept button to accept the license agreement if it shows. Then run a scan and save a log. Tell me what error messages, if any, you see.
GetRunKey <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.

 

Did you say yes to all of them?

Just continue.

 

Okay that is what I actually expected should have happened since the FixACLS program is set to auto reply with the yes.

 

Okay that shows a few things will run. Did analyse.exe run?

Also try ShowNew from the command prompt. If it runs, a file named newfiles.txt will be created.

 

Your runkeys.txt log shows that you are not in Normal Startup mode per the request in step 4 of the READ & RUN ME. Many of your startup processes and many of your required Windows services are disable which may be the reason for some if not all of your problems. Are you unable to run MSconfig to get into normal startup mode.

 

Okay so did you select Normal Startup? If so, reboot your PC and then per my previous instruction, run GetRunKey again from the command prompt and then attach the new runkeys.txt log.

 

I just noticed in your newfiles.txt log that you had Glary Utilities. Make sure that you have not disabled any startups with it either.

 

Okay that's much better. All of your services are no longer disabled. Are things working any differently?

 

Okay but based on your logs, it may not be due to malware. Let's cleanup some additional non-malware items and try a couple more things but I may be sending you off to the Software Forum to handle you permissions problems since they appear to be Windows problems not malware.

Also answer a couple questions

• Had you recently run any kind of registry cleaning tools or performance enhancement tools on this PC?
• Have you tried using System Restore again after having run FixACLS?

Uninstall Trojan Remover which you have setup to run from a removable drive and this is a bad idea to begin with.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O3 - Toolbar: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - (no file)
O4 - HKLM\..\Run: [TrojanScanner] I:\Trojan Remover\Trjscan.exe /boot
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\Windows\System32\ZoneLabs\vsmon.exe (file missing)

After clicking Fix, exit HJT.





Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).




Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Any change to your status? I would not expect the above to change anything except remove a bunch of unnecessary/dead items.

 

For future reference, DON'T. You do not need them and they can cause more harm then good.

Okay but is this still the case after getting into normal startup mode since some services that were not running before are now running.

Not really a good idea especially since your problems do not appear to be related to malware. You could have just made things worse.

Do you have your Windows boot CD?