Help Needed -- Nasty Malware Disallows .exe Files to Run

Discussion in 'Malware Help (A Specialist Will Reply)' started by koufaxmaravich, Apr 2, 2010.

  1. koufaxmaravich

    koufaxmaravich Private E-2

    Got nasty malware on my laptop about 21 hours ago (April 1, 2010 @ 12 noon).

    Has annoying messages to get me to buy PHONY anti-virus programs. Messages include (1) "Applications cannot be executed. The file {anything.exe} is infected. Do you want to activate your antivirus software now?" (2) Antivirus Software Alert - Infiltration Alert. Do you want to block this attack? Yes or No [if you type yes, a phony website ad is displayed] (3) Security Center - Help Protect Your PC -- Resources - Security Essentials (4) "Windows Security Alert - Windows reports that computer is infected. Antivirus software helps protect your computer against viruses and other security threats. Click here for the scan you computer [sic - the grammatical errors are theirs]. Your system might be at risk now." (5) Antivirus Suite - Innovative protection for your PC - Performing scan

    Worse, it doesn't let any .exe file run. I did notice that it tended to kick into effect later in the startup routine, about when my laptop automatically connected with my wireless network. That gave me about 30-45 seconds in which I could try to run programs. That's how I got the antimalware programs to run.

    Based on your instructions, I did the following:

    Checked for the 5 MyWay or Viewpoint software programs to remove them (none were on my laptop)

    Tried to install the latest Java and uninstall the old versions -- couldn't do it because of the .exe problem

    Emptied all antivirus quarantined files

    Emptied the recycle bin

    Ran CCleaner

    I have a 32 bit Windows XP operating system

    I changed to display hidden system files & folders by showing extensions

    I changed MSconfig to Normal Startup mode

    I checked for known malware. Didn't have any. I do have Logitech Desktop Manager but was unable to delete the program (.exe problem again)

    Was unable to run disk-emulation-disabling software (but I don't think I have any of this)

    I do not use SpyBot's TeaTimer

    I ran SuperAntispyware
    I ran Malwarebytes' Anti-Malware
    I ran combofix.exe
    I ran RootRepeal
    I ran MGTools

    Attached to this message are the logs for the first 4 scans. The log for the MGtools scan will be attached to a follow-up message.

    Thank you for your help.
     


  2. koufaxmaravich

    koufaxmaravich Private E-2

    Follow up to my earlier post.

    Attached is the log of my MGtools scan.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    See if you can do the below with ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If the copy of Spyware Doctor you recently installed is just the trial version, uninstall it now.

    Also uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now see this: Using MGtools and apply the fix for Error Message Type 1


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. koufaxmaravich

    koufaxmaravich Private E-2

    CHAS

    Thx for getting back quickly. Followed the steps but couldn't get ComboFix to run.

    As I explained, I only have about 30-45 seconds during the boot up/start up process to run .exe files. This was sufficient to open the notebook and to cut/paste to create CFScript.txt and file it in the Desktop.

    I rebooted to give me maximum time. However, the start-up procedures when I dragged CFScript.txt over ComboFix.exe took too long. Once I see my computer connect to the wireless network, I know it's too late. Only then does the blue screen with "Please wait. ComboFix is preparing to run." show up. I think it may take this long because it is trying to update its version -- but in this case, it is defeating the purpose and not getting executed.

    I wonder if we could speed up the startup process?

    Awaiting your word. Thx.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try again but first unplug your cable to the internet and also reboot into safe boot mode and try running the procedure.
     
  6. koufaxmaravich

    koufaxmaravich Private E-2

    Chas

    At some point on Monday afternoon, the popups stopped appearing (this was around the time I had changed settings on my AV BitDefender to turn it off, and also shut off just about everything to do with SuperAntiSpy).

    I was able to launch MS Word, the notepad and Compuserve (which I had NOT been able to do previously) as well as connect to Internet thru Mozilla Firefox, but still couldn't connect to Internet through IE. However, the bug had stopped preventing ".exe" files from running, so without your new suggestions, I was able to run the suggested fixes of your reply Fri 4/2 4:16PM.

    I was able to drag and drop CFScript.txt over ComboFix to launch. I ended up running it twice -- first time without Microsoft Windows Recovery console installed, and then later after I successfully installed it (both logs attached).

    I was also able to uninstall both Spyware Doctor and J2SE Runtime Environment 5.0 Update 6, and then install Java 6 Update 19.

    After the first runthrough of ComboFix, it asked me to connect to the Internet because it wanted to analyze malware it had found. I was able to do so.

    Last steps (after second running of ComboFix): I ran Ccleaner using only the "Run Cleaner" button. It appeared to eliminate about 10-12 files (mostly temporary ones).

    I ran MGTools scan and then tried to run the "XPHomeFix" as listed under Error Message Number 1. MGTools ran fine - log is attached.

    I was able to download the XPHome Fix. When I tried to run it, my computer made me unzip the three files and said I had unzipped them successfully. But I don't know how to *run* them. I even tried going down to the file level, but two files couldn't be opened, and the third just got me to a text editor (or some such).

    Computer seems to be running okay now. I can execute programs (prevention of .exe running seems to have stopped) and I am even able to connect to Internet through Explorer.

    Pls let me know what else I have to do NOW so that I fully eliminate all bugs and inoculate my machine for future (e.g. do you still want me to run that XPHomeFix, and if so, how?).

    THANK YOU so much for all the assistance. So much appreciated.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Never do anything we don't ask you to do. If we don't say run it twice, don't run it twice. ;) If you cannot run a step and we did not say to continue (like we do in the READ & RUN ME), then stop and explain your problem to us before continuing.

    You don't need to run them. You just need to extract them into the suggested default folder, which is C:\Windows\system32. This was stated in the Using MGtools instructions. If you put them anywhere else, they will not fix the error they are meant to fix. So since you did not extract the files directly into the system32 folder, the implied fix would not work for you. But you did not need it anyway. You put the files into an XPHomeFiles folder within the system32 folder, which is not the same thing as being in the system32 folder. You likely used the Windows built-in ZIP extractor and did not notice where/how it was suggesting to extract files. You should get a real ZIP program to avoid the deficiencies of the Windows one.

    FYI: That's Internet Explorer or simply IE. Explorer means Window Explorer which is the Windows shell and file manager.

    I suggest that you immediately delete all of the below or move them somewhere else into a folder created for saving downloads. I cleaned up a bunch of others you had here in my last fix but you still have lots here. And why are you saving the same file multiple times?

    C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU(2).exe
    C:\jre-6u19-windows-i586(2).exe
    C:\jxpiinstall-rv.exe
    C:\jre-6u19-windows-i586.exe
    C:\JavaSetup6u19-rv(2).exe
    C:\JavaSetup6u19-rv.exe
    C:\ccsetup230_slim.exe
    C:\jre-6u19-windows-i586-iftw-rv.exe
    C:\ReimageRepair.exe
    C:\windows-kb890830-v3.5(4).exe
    C:\STOPzilla_Setup.exe
    C:\WindowsDefender.msi
    C:\AntiRootkit.zip
    C:\windows-kb890830-v3.5(3).exe
    C:\sdasetup(2).exe
    C:\sdasetup.exe
    C:\mbam-rules.exe
    C:\tdsskiller.zip
    C:\mbam-setup(7).exe
    C:\SUPERAntiSpyware.exe
    C:\ATF-Cleaner.exe
    C:\windows-kb890830-v3.5.exe
    C:\windows-kb890830-v3.4.exe
    C:\DMSetup.exe
    C:\XPHomeFiles.exe
    C:\XPHomeFiles(2).exe
    C:\XPHomeFiles(3).exe

    You should not save things to the root folder like this. At least not even semi-permanently. I know we ask you to save some things like MGtools there, but we will clean up all of what we ask you to do later. It is a very bad practice to save things here, especially if you need them. Some scanners will automatically delete exe's found here or declare them to be infected. For a simple example, take a valid Windows system file like explorer.exe and put a copy in the root folder of the C drive and run some scans. You will see it get deleted as malware.

    Also for similar reasons, do not save downloads to the C:\Program Files folder like you did with the below:

    C:\Program Files\mbam-setup.exe

    The C:\Program Files folder should only have folders containing programs you have installed. Like this folder C:\Program Files\Malwarebytes' Anti-Malware, which contains the installed files for Malwarebytes.


    Now we need to use ComboFix again
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
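    The advice above, about installers and archives left loose in C:\ and C:\Program Files (and the same installer saved several times with a "(2)", "(3)" suffix), can be checked with a short script. The following is an added example written for this thread, not a MajorGeeks tool or anything posted by the participants; it assumes PowerShell 2.0 or later, and the extension list and the destination folder are choices made for the example. It only reports and does a dry run of the move; nothing is deleted.

```powershell
# Added example, not from the thread: find loose installers and archives saved directly
# in C:\ and C:\Program Files (not inside subfolders) and show where they would be moved.
# Assumptions: PowerShell 2.0 or later; the extension list and the destination folder
# are choices made for this example, not something the thread specifies.
$roots       = @('C:\', 'C:\Program Files')
$extensions  = @('*.exe', '*.msi', '*.zip')
$destination = Join-Path $env:USERPROFILE 'Desktop\Saved Downloads'   # assumed folder

# -Include only applies when the path carries a wildcard, hence Join-Path $root '*'.
$stray = foreach ($root in $roots) {
    Get-ChildItem -Path (Join-Path $root '*') -Include $extensions -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
}

if (-not $stray) {
    Write-Host 'No loose installers or archives found in the root or Program Files folders.'
    return
}

Write-Host 'Loose files that should not live in a root or Program Files folder:'
$stray | Sort-Object FullName | ForEach-Object {
    '{0,10:N0} KB  {1:yyyy-MM-dd}  {2}' -f ($_.Length / 1KB), $_.LastWriteTime, $_.FullName
}

# Copies saved more than once get a "(2)", "(3)" suffix; group on the name with that suffix removed.
$duplicates = $stray |
    Group-Object { $_.Name -replace '\(\d+\)(?=\.[^.]+$)', '' } |
    Where-Object { $_.Count -gt 1 }
foreach ($group in $duplicates) {
    Write-Host ("Saved {0} times: {1}" -f $group.Count, $group.Name)
}

# Dry run: -WhatIf prints what Move-Item would do without touching anything.
# Remove -WhatIf once the list looks right. -LiteralPath keeps names such as
# "mbam-setup(7).exe" from being read as wildcard patterns.
if (-not (Test-Path -LiteralPath $destination)) {
    New-Item -ItemType Directory -Path $destination -WhatIf | Out-Null
}
$stray | ForEach-Object {
    Move-Item -LiteralPath $_.FullName -Destination $destination -WhatIf
}
```

    Run it from a PowerShell prompt after the cleanup steps; once the reported list matches what you expect, drop the two -WhatIf switches to perform the move. Files that MGtools or ComboFix placed on purpose (C:\MGtools, C:\ComboFix.txt) are not matched because they are either folders or not in the extension list.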
     
  8. koufaxmaravich

    koufaxmaravich Private E-2

    As I said, the computer seemed to be running ok before I got this last posting from you.

    I deleted the files you listed

    Can you recommend a real ZIP program?

    ComboFix.txt and MGlogs.zip are attached

    Thx for the help
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but after each fix, we still need to verify nothing has changed or got broken. ;)

    Your logs are clean.

    Personally I use a paid version of WinZip; however, if you don't want to purchase it, you could try programs like 7-Zip, TUGZip or ZipGenius.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  10. koufaxmaravich

    koufaxmaravich Private E-2

    When I tried to uninstall combofix with the Run command

    "%userprofile%\Desktop\combofix" /uninstall

    I got the following error message:

    Windows cannot find '"c:\DocumentsandSettings\HMD\Desktop\Combofix"'

    It seems it is looking in the wrong directory.

    Kindly advise. Thx.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just means something already removed it. If you don't see the red and white icon on your Desktop anymore then it was already deleted. Just continue on.
     
