Malware problem, neither IE nor FF will start

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by zoombobby, Jun 12, 2011.

  1. zoombobby

    zoombobby Private E-2

    Here's my problem:

    My wife downloaded something and ran it, it installed some viruses and then she rebooted the computer. I found out about it and ran some antiviruses and everything seemed to be working, but all of a sudden IE and Firefox won't start. They say 'IE has encountered a problem and needs to close' but there are no details, and FF is about the same but it's just got a different message that there was a bug and it needs to close. BUT IE in 64 bit mode works fine.

    I ran through your basic instructions for Win7. I have 64 bit so I couldn't run RootkitRevealer. Also, ComboFix won't run. I watch it in the Task Manager and it starts up and runs for a while and then dies. No error messages except when I forgot to turn off Ad-Aware, but I turned it off and ComboFix still wouldn't run.

    Also MGtools didn't run right the first time; it couldn't make a zip file because of an IO error. I did some searching and couldn't find a solution, so I tried again and it worked. I am attaching the log files to this post.

    Thank you very much in advance for your expert assistance, I am tearing my hair out. Bob

    P.S. Sorry if I made any mistakes, I'm trying very hard to follow the directions exactly.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It did run but you need to move it to your desktop as requested!
    Running from: c:\users\VACT Electric\Downloads\ComboFix.exe <--- Running from wrong location, move to desktop.

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :services
    hquupove
    
    :files
    c:\windows\system32\drivers\hquupove.sys
    C:\Users\VACT Electric\AppData\Local\{00059A90-9734-4CE7-AC75-4726AE08544C}
    C:\Users\VACT Electric\AppData\Local\{0917B26A-5D3C-4B8F-AF3A-90D3CF9384FC}
    C:\Users\VACT Electric\AppData\Local\{097DCF4C-E163-4220-BF45-4F7449A0F020}
    C:\Users\VACT Electric\AppData\Local\{0DDF3FE6-5E6D-4FD3-9E0C-0233D49270B6}
    C:\Users\VACT Electric\AppData\Local\{16016A36-3E5D-43DA-99B0-56E8942C1FCE}
    C:\Users\VACT Electric\AppData\Local\{19360671-587E-447F-BA86-3B570F6A4964}
    C:\Users\VACT Electric\AppData\Local\{21C053D6-8299-4A4B-81AB-6C5013551AD5}
    C:\Users\VACT Electric\AppData\Local\{25F936F7-8629-4D19-A485-1A411603B959}
    C:\Users\VACT Electric\AppData\Local\{26C35B35-9216-47C1-8E4C-F58CD1219179}
    C:\Users\VACT Electric\AppData\Local\{27C13D1F-293E-45B0-93C4-F63CF94B8600}
    C:\Users\VACT Electric\AppData\Local\{2C1C02D1-CF9D-4066-9897-0089B74100E7}
    C:\Users\VACT Electric\AppData\Local\{2FDA04DF-23B8-4CC2-8E44-F3FB95BDFAD9}
    C:\Users\VACT Electric\AppData\Local\{3243DCC8-9057-461C-AEB7-B8BE96FE5D33}
    C:\Users\VACT Electric\AppData\Local\{32BB5EB9-4172-445A-B088-386216D6AA53}
    C:\Users\VACT Electric\AppData\Local\{369E49CA-4770-49CB-874D-80E4085D38AA}
    C:\Users\VACT Electric\AppData\Local\{3786EC62-97F9-4D4D-A747-27F91E0AE146}
    C:\Users\VACT Electric\AppData\Local\{3E034C3D-8F03-4726-A950-E830FAEE217F}
    C:\Users\VACT Electric\AppData\Local\{58F33F7E-386A-4820-BAD7-8C852DBD9299}
    C:\Users\VACT Electric\AppData\Local\{67561535-57C2-481D-BCB0-1697B19737E0}
    C:\Users\VACT Electric\AppData\Local\{768F1BBD-440A-492A-B2D9-B990E7CD10B2}
    C:\Users\VACT Electric\AppData\Local\{778983FD-F408-48F4-81CD-A25623148481}
    C:\Users\VACT Electric\AppData\Local\{85DAA96F-E8CF-40DA-947B-7E8B432A0C8B}
    C:\Users\VACT Electric\AppData\Local\{8EE2D308-E705-40BC-8627-6669018E894A}
    C:\Users\VACT Electric\AppData\Local\{97A28D38-72DB-4BAB-B4D4-5DD37F3B8C53}
    C:\Users\VACT Electric\AppData\Local\{9BB2D8EB-DEDA-4B8D-971D-E66DFED5F6D8}
    C:\Users\VACT Electric\AppData\Local\{A23AEE8B-3362-4D8F-A9B4-64C494FBC890}
    C:\Users\VACT Electric\AppData\Local\{A63EE871-EADF-40F4-82DF-1E9DF25E551D}
    C:\Users\VACT Electric\AppData\Local\{A873EB3F-48B5-4E66-B7A1-85CA44085053}
    C:\Users\VACT Electric\AppData\Local\{A96F4762-B51E-4AA3-AB6F-5389232586CD}
    C:\Users\VACT Electric\AppData\Local\{ABC06664-AB67-49AD-9EAF-72CA755B297E}
    C:\Users\VACT Electric\AppData\Local\{AC60ECFD-C4AC-4EB8-ABCB-24AD20098654}
    C:\Users\VACT Electric\AppData\Local\{B4DFAC74-101F-4B60-BC0D-671B1E374456}
    C:\Users\VACT Electric\AppData\Local\{B5E50D59-97F5-4EC8-BD31-D6272E549A42}
    C:\Users\VACT Electric\AppData\Local\{B9C39A12-B606-4C18-A406-924E3BA46452}
    C:\Users\VACT Electric\AppData\Local\{BABC06B4-E144-476F-8936-EC825D5ECBDA}
    C:\Users\VACT Electric\AppData\Local\{C2A33EDE-FE78-405B-A4A6-56743114FD5B}
    C:\Users\VACT Electric\AppData\Local\{C5725246-A1A7-4CF2-81E9-7048D9587030}
    C:\Users\VACT Electric\AppData\Local\{CA3E234C-8433-4499-8710-267A88DCD196}
    C:\Users\VACT Electric\AppData\Local\{CB489D43-8176-4FCE-BFBA-FE44D2EAA7B6}
    C:\Users\VACT Electric\AppData\Local\{D0906834-FAF3-4B0A-A3EA-43138E4400A6}
    C:\Users\VACT Electric\AppData\Local\{DB630D7C-FABD-491C-90C6-7E3B718AA8E2}
    C:\Users\VACT Electric\AppData\Local\{F26B3B4A-73A3-47AE-8867-3FCF2719AF83}
    C:\Users\VACT Electric\AppData\Local\{F6A9E97C-D9D8-447E-BD1E-5A63E7BC800C}
    C:\Users\VACT Electric\AppData\Local\{F87432FF-41AC-4192-997B-4CC4CA8462EE}
    C:\Users\VACT Electric\AppData\Local\{F93938E4-27F1-49CE-903F-5AD2FC154E08}
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    • C:\Windows\TEMP
    • C:\Users\VACT Electric\Local Settings\TEMP

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
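
    For readers who want to see what the OTM script above actually touches, here is an added example, written for this thread and not code from OTM, MajorGeeks or either poster. It triages the two artefact classes the script removes: the service named hquupove with its driver System32\drivers\hquupove.sys, and GUID-named folders directly under the user's AppData\Local (both taken from the post). The parameter names, output layout and the -Remove switch are assumptions for illustration. It is report-only by default; run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example for this thread (not OTM's code and not from the original post):
# triage the two artefact classes the OTM script above removes.
#   - the service "hquupove" and its driver System32\drivers\hquupove.sys (from the post)
#   - GUID-named folders directly under the user's AppData\Local (from the post)
# Everything else (parameter names, output layout, the -Remove switch) is an
# assumption for illustration. Run from an elevated PowerShell prompt on the
# affected machine; report-only unless -Remove is given.
param(
    [string]$ServiceName = 'hquupove',
    [string]$UserProfile = $env:USERPROFILE,
    [switch]$Remove
)

$svcKey     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$driverFile = Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys"
$localDir   = Join-Path $UserProfile 'AppData\Local'
$guidName   = '^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$'

# 1. Service/driver pair. A kernel service (Type 1) with a random 8-letter name
#    that matches a .sys in System32\drivers is what the :services/:files lines target.
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    "Service key present: Type={0} Start={1} ImagePath={2}" -f $svc.Type, $svc.Start, $svc.ImagePath
} else {
    "Service key absent: $svcKey"
}
if (Test-Path $driverFile) {
    $f   = Get-Item -Path $driverFile
    # 64-bit Windows 7 loads only signed kernel drivers, so a registered driver
    # whose signature status is not 'Valid' deserves a closer look.
    $sig = Get-AuthenticodeSignature -FilePath $driverFile
    "Driver present: {0} bytes, created {1}, signature {2}" -f $f.Length, $f.CreationTime, $sig.Status
} else {
    "Driver absent: $driverFile"
}

# 2. GUID-named folders under AppData\Local. Enumerated with PSIsContainer so the
#    script also runs on the PowerShell 2.0 that shipped with Windows 7.
$guidDirs = Get-ChildItem -Path $localDir -Force |
            Where-Object { $_.PSIsContainer -and $_.Name -match $guidName }
"{0} GUID-named folder(s) under {1}" -f @($guidDirs).Count, $localDir
foreach ($d in $guidDirs) {
    $n = @(Get-ChildItem -Path $d.FullName -Recurse -Force -ErrorAction SilentlyContinue).Count
    "{0:yyyy-MM-dd HH:mm}  {1}  {2} item(s)" -f $d.CreationTime, $d.Name, $n
}

# 3. Optional removal. 'sc.exe delete' marks the service for deletion; a driver the
#    kernel has already loaded cannot be removed until after a reboot, which is why
#    OTM schedules one. Re-run without -Remove after rebooting to confirm.
if ($Remove) {
    if (Test-Path $svcKey) {
        & sc.exe stop   $ServiceName | Out-Null
        & sc.exe delete $ServiceName | Out-Null
    }
    if (Test-Path $driverFile) {
        Remove-Item -Path $driverFile -Force -ErrorAction Continue
    }
    foreach ($d in $guidDirs) {
        Remove-Item -Path $d.FullName -Recurse -Force -ErrorAction Continue
    }
}
```

    The report-only pass is the part worth keeping: the creation timestamps of the GUID folders and the driver file, read before anything is deleted, are what let you line the infection up against the date the file was downloaded and run.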
     
  3. zoombobby

    zoombobby Private E-2

    Hello Kestrel, and thank you for your help.

    I ran OTM and everything seemed to work as expected. Log attached.

    I deleted all the files that I could from the directories you mentioned; for some of them I was denied access,

    and I ran GetLogs and it seemed to work fine. I attached this log too.

    My IE in normal mode and Firefox still have the same problems. IE in 64 bit mode still works.

    Sorry about the ComboFix problem. I thought I was running it from the desktop; I guess I was wrong.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I feel this is not malware related. Your logs look good now, just delete this folder:
    • C:\Users\VACT Electric\AppData\Local\{0504E70D-FECA-4C3F-A263-B1428FA3CBEE}

    What happens if you use the browsers in safe mode with networking? Do you still have the same problems?

    Also try the below for Firefox.

    How to start Firefox in Safe Mode
     
  5. zoombobby

    zoombobby Private E-2

    OK, I deleted that folder.

    I restarted the PC in safe mode, and Internet Explorer in 32 bit mode worked for about 15 seconds before the popup came up that Internet Explorer has encountered a problem and needs to close. I tried to start Firefox and it said that it was already running. Then I tried it again and it had the same message as before, popped up instantly: Firefox had a problem and crashed.

    I looked at the instructions for Firefox in safe mode, but they won't work because I can't start Firefox at all to give the 'restart in safe mode' command.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What about Start > All Programs > Mozilla Firefox > Mozilla Firefox (Safe Mode)? Try it that way. If not, you are going to have to post about this in the software forum. Try installing another browser using a flash drive, such as Chrome, and see if that opens up. Do you have any problems opening up any other programs?
     
  7. zoombobby

    zoombobby Private E-2

    I don't have a Mozilla Firefox folder in my All Programs folder. Maybe the malware deleted it?

    I can still use IE in 64 bit mode in both normal Windows and safe mode, so I will download Google Chrome and try that. If that doesn't work I will make a post in the software forum. Thanks again for your help Kestrel :D
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome. :)

    Yes, you should try using something like Revo Uninstaller to properly remove Firefox too and see if a fresh install makes any difference. It is important to use Revo though, as the standard uninstaller does not do a thorough enough job.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required. (If we renamed it, please rename it back to Combofix.exe.)
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  9. zoombobby

    zoombobby Private E-2

    So I downloaded Google Chrome and installed it, and I started it. It worked for about two minutes and then a message popped up that it had stopped working and needs to close. But it didn't close. A few more minutes went by and I closed it myself. Then I tried to reopen it, and it pops up a message that says 'sadly your firefox settings are not...' something, with two buttons on the bottom, but that message only lingers for a second or two before it vanishes without any input from me.

    That happens whenever I try to restart Chrome now :(

    I'm going to run through the rest of your instructions now. I hope this isn't some new clever malware.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am thinking that's not the case because your logs looked clean to me. Malware wants browsers to function if anything so that more damage can be done.

    I had asked whether you were able to open all your other programs correctly?
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  12. zoombobby

    zoombobby Private E-2

    Sorry, yes, I just tried to open almost everything on my Start menu; the only programs with problems are web browsers :( I've completed the rest of the instructions too.
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run GMER, I will check the log and then you will have to head to the software forum.
     
  14. zoombobby

    zoombobby Private E-2

    Understood, I am doing so now, will report back.
     
  15. zoombobby

    zoombobby Private E-2

    OK, the GMER scan completed and didn't find anything; the log file was just an empty file. I'll go post in the software forum then.
     
