Microsoft Security Essential Registry Hack

Discussion in 'Malware Help (A Specialist Will Reply)' started by jrussellmikkelsen, Oct 29, 2010.

  1. jrussellmikkelsen

    jrussellmikkelsen Private E-2

    Yesterday, I woke up with an issue. I normally fall asleep to a TV show on my laptop. I have a few dozen downloaded and pick a different one each night. I've been doing this for years. The same files, same shows. Haven't changed or added any new shows in months if not years. I have my computer set to go into hibernate after 20 minutes so it'll turn itself off by the time the show is done and I'm sound asleep.

    I can't think of any new files I've downloaded in the past week or two. I can't think of any change to my normal habits of "stumbleupon" and playing the same old flash games. Though I do "stumble upon" a new flash game every day. I don't usually play it for more than a few seconds or a minute.

    Yesterday, I woke up in the middle of the night to a bright white window taking up my entire screen, even hiding the normal bar at the bottom of my screen. It looked like a giant warning with approximately these words:

    And there was a button that read "Back up Registry".

    I clicked the button without thinking but nothing happened. I clicked it a dozen more times with no effect. Then I forced shut down.

    In the morning, I turned on my computer and the same white warning window was there. I restarted or forced shut down a dozen or so times; sometimes I could restart from the ctrl-alt-del menu, sometimes that same menu would be unresponsive. Each time, everything would function as normal for about 30 seconds before this same prompt would pop up again. Every time, once the warning appeared, I was unable to do anything. I would try to close the window but this would cause 2-4 more identical warnings to appear.

    I used another computer to google the warning and found instructions to download "malwarebytes anti-malware". Restarting my computer over and over, using the functional 30 seconds at start-up each time, I successfully downloaded malwarebytes and ran a quick scan; as soon as it identified 3 threats, I stopped the scan and removed the threats. At that point I stopped having problems. I restarted the computer, ran a complete scan, removed 12 more threats and went about my business.

    The next time I turned off and on my computer, the problem had returned. But this time, unlike last, I was able to restart the computer via the ctrl-alt-del method instead of forcing shut down by holding the power button.

    Next I started my computer in safe mode with networking. I came to your forum (which has helped me many times before, though this is the first time I've needed to post) and read the Malware Read and Run first. I began doing what I could. Some steps had to be skipped. I got to step 4: configuration and set-up. I followed instructions to return msconfig to normal mode (I had it on custom) and your instructions say "reboot your PC before continuing." So I did. But I forgot to hit f8 in time to reboot in safe mode.

    *Out of safe mode, the computer started up and the Microsoft Security Essentials warning window did not return.*

    I went back through the "read and run" and did the steps I'd skipped in safe mode. Then I continued to the end of the Vista Cleaning Procedure. Now I'm here posting about the problem.

    The problem has NOT returned since I began your "read and run first" step-by-step process, but because the problem left for half a day and then came back, I'm posting in hopes that you can tell me definitively that it is either gone for good or what I need to do to get rid of it.

    Also, I was unable to run combofix. I downloaded it, double-clicked. But nothing happened. Double-clicked again, a window popped up for a split second (too fast to identify) and then disappeared again. I have a 32-bit system.

    I've attached all the logs.

    Thank you so much for your time and your help.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Start with this:

    Please attach your SAS log, which is here:
    Code:
    "C:\Users\Johs\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
    supera~1.log  Oct 29 2010        2328  "SUPERAntiSpyware Scan Log - 10-29-2010 - 12-22-12.log"
    supera~1.txt  Oct 29 2010        2328  "SUPERAntiSpyware Scan Log.txt"
    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. jrussellmikkelsen

    jrussellmikkelsen Private E-2

    Attached the logs.

    Now, I'll get to the rest of your instructions. Thanks so much.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I will be logging off in a few minutes. It looks like SAS found your major issue and dealt with it. The rest of the fix should get you clean. But I will recheck your logs asap tomorrow. ;)
     
  5. jrussellmikkelsen

    jrussellmikkelsen Private E-2

    Success! Now what do I do with this fixme.reg file on my desktop? I'd prefer it not to be there. Where can I move it?

    Logs are attached.

    Everything has worked perfectly fine through-out your instructions. Feels good :) Hopefully you'll confirm that this is the case when you're back tomorrow.

    I do, however, see a ton of files that used to be hidden all over my frequently used folders. And this is after I thought I had "show all hidden files" checked for the past two years. For the past two years I thought I was already seeing all my hidden files. Now there are four times as many floating around. How can I hide them again?

    I cannot thank you, and everyone at Major Geek, enough. Can't believe you're willing to spend your free time helping strangers for no pay. It's incredibly generous of you all.

    Thanks again.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks much better. We have one item that tricked me to do and then the final cleanup instructions will reset your system files to hidden. You can just right click the Reg.fix and delete it from your desktop.

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:




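As an added check (example code, not from the thread or from MajorGeeks' own tools), the Windows PowerShell script below reads the settings behind the final steps in the post above: the UAC switch, Explorer's hidden-file view, the tool and patch paths named in the thread, and whether a restore point exists. The Explorer default values and the assumption that enableUAC.reg sets EnableLUA back to 1 are mine, not stated in the thread; run it from an elevated Windows PowerShell prompt after step 10.

```powershell
# Added verification script (not part of the thread or of MajorGeeks' tools).
# It reports which final-step items are still outstanding.
$results = @()
function Add-Result([string]$Check, [bool]$Ok) {
    $script:results += [pscustomobject]@{ Check = $Check; Ok = $Ok }
}

# Step 6: UAC must be on again. Assumption: enableUAC.reg sets EnableLUA = 1,
# which is the standard UAC on/off value.
$sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
Add-Result 'UAC enabled (EnableLUA = 1)' ($sys.EnableLUA -eq 1)

# Step 2 note: the ComboFix uninstall resets Explorer's hidden-file view to the
# Windows defaults: Hidden = 2 (do not show hidden files) and
# ShowSuperHidden = 0 (do not show protected operating system files).
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
Add-Result 'Hidden files not shown (Hidden = 2)' ($adv.Hidden -eq 2)
Add-Result 'Protected OS files not shown (ShowSuperHidden = 0)' ($adv.ShowSuperHidden -eq 0)

# Steps 2, 4, 5, 8: the tools and registry patches named in the thread should be gone.
$desktop = [Environment]::GetFolderPath('Desktop')
$leftovers = @(
    'C:\MGtools', 'C:\MGlogs.zip', 'C:\avenger.txt',
    (Join-Path $desktop 'combofix.exe'),
    (Join-Path $desktop 'fixme.reg'),
    (Join-Path $desktop 'avenger.exe')
)
foreach ($path in $leftovers) {
    Add-Result "Removed: $path" (-not (Test-Path -LiteralPath $path))
}

# Step 9: after System Restore was disabled and re-enabled, at least one fresh
# restore point should exist (Get-ComputerRestorePoint needs Windows PowerShell,
# run elevated).
try {
    $points = @(Get-ComputerRestorePoint -ErrorAction Stop)
    Add-Result 'A clean restore point exists' ($points.Count -ge 1)
} catch {
    Add-Result 'A clean restore point exists (could not query System Restore)' $false
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Some final-step items are still outstanding; see the table above.'
}
```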
     
  7. jrussellmikkelsen

    jrussellmikkelsen Private E-2

    I've attached the latest avenger log.

    Again, thanks so much for everything. The problem has not returned. Everything is functioning well and I've proceeded on to your "final steps" instructions.

    I can't thank you and everyone at Major Geek enough. Seriously. You guys are the best.

    Thank you.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. Safe surfing and you are most welcome. :)
     
