Multiple scans not working

gonff73 · Mar 2, 2009

Originally my problem was that a random anti-apyware program that I never downloaded or installed started popping up and opening alerts from my system tray. I first ran CCleaner which ran fine. I then tried to run SUPERAntiSpyware but it would not open. I restarted to Safe Mode and tried running it again, which again failed. After loking around for other possibilities I saw the alternate start for SAS and tried that, which opened SAS in the system tray and I was able to open it from there. I ran SAS then in Safe Mode which found several things and seems to have stopped that program from popping up and I got the log. I have since tried running all the other programs in read & run me first and none have opened/run in regular or safe mode. SpyBot seems to started opening (get hourglass) but then that spots and nothing. The others (Malwarebytes and ComboFix) do nothing at all. MGtools however seems to have worked totally fine and I have attached that log. For the others not starting I did try searching for TDSSserv non-plug and play driver as described in some of the other threads and found nothing. Also another problem I'm having is that I am unable to load any pages in Firefox, it just sits at a white screen and says its loading but never gets any farther. Any help here would be much appreciated. Thanks.

dr.moriarty · Mar 4, 2009

Hello, gonff73.

We are currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

Thanks for your patience.
dr.m

dr.moriarty · Mar 7, 2009

Hello, gonff73

The below fixes are specific to your problem and should only be used for issue(s) on this machine. Also, please do not install any other software while we are still working with you unless instructed. Once we have given you the all clean and final instructions you will be free to install what you want.

Question:

Is Rawr a program for comparing and exploring gear for games?

* You have installed an outdated SUPERAntiSpyware version. Uninstall your current version > run CCleaner > install and update the latest version.
SUPERAntiSpyware 4.25.1014 Final

Step 1:
Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed

Java(TM) 6 Update 11
Click to expand...

Step 2:
Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O4 - HKUS\S-1-5-19\..\Run: [tukahipaso] Rundll32.exe "C:\WINDOWS\system32\gosofuwu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\f0f5e01c1.dll"" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [tukahipaso] Rundll32.exe "C:\WINDOWS\system32\gosofuwu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\f0f5e01c1.dll"" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\f0f5e01c1.dll"" (User 'Default user')
Click to expand...

After clicking Fix, exit HJT.

Step 3:
Now download The Avenger by Swandog469, and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your desktop

Run avenger.exe by double-clicking on it.

Do not change any check box options!!

Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Files to delete:
C:\WINDOWS\system32\gosofuwu.dll
C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\f0f5e01c1.dll
C:\Documents and Settings\user\Local Settings\temp\AcrC132.tmp
C:\Documents and Settings\user\Local Settings\temp\f0f5e01c2.tmp
Click to expand...

Now click the Execute button.

Click Yes to the prompt to confirm you want to execute.

Click Yes to the Reboot now? question that will appear when Avenger finishes running.

Your PC should reboot, if not, reboot it yourself.

A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Step 4:
Run Ccleaner

Step 5:
Install the latest Sun Java Runtime Environment

Step 6:
Now try to install > update > and run:

Spybot

Malwarebytes' Anti-malware

SUPERAntiSpyware

ComboFix

Step 7:
Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

Then attach the below logs to your next reply:

Malwarebytes Anti-Malware log

SUPERAntiSpyware log

ComboFix.txt (normally C:\ComboFix.txt)

C:\MGlogs.zip

C:\avenger.txt

Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

dr.m

gonff73 · Mar 7, 2009

First yes Rawr is for comparing game gear. After I had uninstalled my old version of SAS and was trying to install the new version all I get when I doubleclick it is the message from windows that it encounted a problem and needs to close with the usual send error report option. I ran the HJT lines and Avenger script as requested with no problems. When I got to trying to run the scans again unfortunately still none will open. SAS getds that windows message. Spybot has the hourglass on the cursor come up (and I noticed that spybot has an open process in the task manager after I try to run it) but the program never opens up. Malwarebytes and Combofix still do absolutely nothing when doubleclicked. MGtools\GetLogs.bat seemed to work okay.

chaslang · Mar 11, 2009

Please uninstall your AVG8 antivirus. It has an infection hooked into it
and it may also be getting in the way of us running various tools. Is saw the below hooked into AVG and many other running processes:

\globalroot\systemroot\system32\UACrqjrvkai.dll

After uninstalling it (and even if for some reason it does not uninstall) continue on with the below.

Now run this: Resetting Registry and File Permissions and make sure you reboot where it indicates.

In your first message you said you did not find the TDSSserv non-plug and play device. Please look again and also check for UACd If you find either of them, disable them only.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\user\Application Data\Macromedia\Common\f0f5e01c1.dll""
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\f0f5e01c1.dll"" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\f0f5e01c1.dll"" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Common\f0f5e01c1.dll"" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [rundll32.exe] rundll32.exe "C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Common\f0f5e01c1.dll"" (User 'Default user')

After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"rundll32.exe"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"rundll32.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi1"=-
"wave1"=-
"aux1"=-
"mixer1"=-
"aux2"=-
"midi2"=-
"wave2"=-
"mixer2"=-
Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now reboot into safe boot mode and do the below.

Run avenger.exe (previously downloaded) by double-clicking on it.

Do not change any check box options!!

Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Files to delete:
C:\Documents and Settings\user\WoW-1.10.0-enUS-patch.exe
C:\Documents and Settings\user\Application Data\Macromedia\Common\f0f5e01c1.dll
C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Common\f0f5e01c1.dll
C:\Windows\system32\UACrqjrvkai.dll

Folders to delete:
C:\Documents and Settings\user\Application Data\Macromedia\Common
C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Common

Registry keys to delete:
HKEY_LOCAL_MACHINE\System\ControlSet002\Services\UACd.sys

Registry values to delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | rundll32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | midi1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | wave1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | aux1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | mixer1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | aux2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | midi2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | wave2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 | mixer2

programs to launch on reboot:
C:\Documents and Settings\user\Desktop\fixME.reg
Click to expand...

Now click the Execute button.

Click Yes to the prompt to confirm you want to execute.

Click Yes to the Reboot now? question that will appear when Avenger finishes running.

Your PC should reboot, if not, reboot it yourself.

A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner to remove temp files.

Now goto this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

Then attach the below logs:

C:\avenger.txt

C:\MGlogs.zip

Make sure you tell me how things are working now!

gonff73 · Mar 11, 2009

Okay I did everything as told. I again did not find the TDSSserv non-plug and play device or UACd. The registry restart went fine and the requested HJT lines were run without any issues. The fixme.reg ran and I got the success message. Avenger ran fine excapt that I got a message after clicking execute that HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | rundll32.exe couldn't be executed because the program can only execute HKEY_LOCAL_MACHINE or something like that (sorry didn't record exact message). It asked to skiip it and continue, which I did and the rest seemed to run fine. Past that CCleaner ran fine and I got the MGtools log fine. I am now able to open all internet sites that I have tried at normal speed (instead of only some at super slow speed). I did try opening Malwarebytes to see if it would open and it did seem like it was trying and an hourglass came up for a but but it still never open. I have not had a chance to try others but nothing is obviously wrong otherwise.

dr.moriarty · Mar 17, 2009

Hello again, gonff73

I strongly recommend that you clean up your Desktop immediately leaving only links. Do not store downloads, exe files, iso files....etc on your Desktop. First it is not a safe place to keep them (i.e., you may loose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least it can have an effect on your PCs performance.

Step 1:
Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
Click to expand...

After clicking Fix, exit HJT.

Step 2:
Run avenger.exe (previously downloaded) by double-clicking on it.

Do not change any check box options!!

Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Drivers to delete:
UACd
UACkylqbuwp

Files to delete:
C:\Documents and Settings\user\Local Settings\temp\f0f5e01c2.tmp
C:\WINDOWS\system32\drivers\UACkylqbuwp.sys

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Click to expand...

Now click the Execute button.

Click Yes to the prompt to confirm you want to execute.

Click Yes to the Reboot now? question that will appear when Avenger finishes running.

Your PC should reboot, if not, reboot it yourself.

A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Step 3:
Run Ccleaner

Step 4:
Now install the latest Sun Java Runtime Environment

Step 5:
Run this: F-Secure Blacklight

Save the tool as fsbl.exe to your C: directory

Double-click fsbl.exe to run it

SelectI agree to the license

Choose Next, then Scan

After the scan is completed, choose Next

A logfile will have been created in the C:\ drive

It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxxis the date and time of the scan

Attach this log in your next reply

Step 6:
Now go to this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

Step 7:
Now see if you can update and run Malwarebytes' Anti-Malware <--- renamed as MBAM.exe

Step 8:
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

Then attach the below logs to your next reply:

MBAM log

C:\MGlogs.zip

C:\avenger.txt

Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

dr.m

gonff73 · Mar 17, 2009

Everything ran beautifully. Here are the requested logs.

gonff73 · Mar 17, 2009

And the last log

dr.moriarty · Mar 18, 2009

Hello, gonff73

Let's wrap this up....

It is very important for you to get your chosen anti-virus program re-installed to protect your pc. *DO THIS QUICKLY!
Click to expand...

An observation - Ad-Aware is becoming useless in detecting and removing malware...SAS & MBAM are far better tools.

*I don't see what you installed:
Sun Java Runtime Environment

*Delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp

*Run Ccleaner

----------------------------------------------------------------

Other than taking care of the above items - Your logs look good! If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significan amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (=This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

If we had you run Avenger, you can delete all files related to Avenger now.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware

Click to expand...

Safe surfing! http://i268.photobucket.com/albums/jj5/drmoriarty/Emoticons/char145.gif

gonff73 · Mar 20, 2009

Many thanks!

dr.moriarty · Mar 20, 2009

You're very welcome!

dr.m

Log in or Sign up

Multiple scans not working

gonff73 Private E-2

Attached Files:

SASlog.txt

MGlogs.zip

dr.moriarty Malware Super Sleuth Staff Member

dr.moriarty Malware Super Sleuth Staff Member

gonff73 Private E-2

Attached Files:

avenger.txt

MGlogs.zip

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

gonff73 Private E-2

Attached Files:

avenger.txt

MGlogs.zip

dr.moriarty Malware Super Sleuth Staff Member

gonff73 Private E-2

Attached Files:

mbam-log.txt

avenger.txt

fsbl-20090318023644.log

gonff73 Private E-2

Attached Files:

MGlogs.zip

dr.moriarty Malware Super Sleuth Staff Member

gonff73 Private E-2

dr.moriarty Malware Super Sleuth Staff Member