Paladin vs. Malwarebytes

Discussion in 'Malware Help (A Specialist Will Reply)' started by Magebi, Feb 24, 2010.

  1. Magebi

    Magebi Private E-2

    I have Paladin Antispyware on my computer, so I downloaded Malwarebytes and, at the end of installation, clicked to update and run the programme. Then nothing happened. I waited for half an hour, and still nothing. When I try to open Malwarebytes (or Spybot or AVG), there is still no action. Paladin seems to have taken over the whole show. Also, when I try to open a lot of websites through Google, the page is unobtainable.
    Any ideas (please!). I'm at my wits' end.
     
  2. evilfantasy

    evilfantasy Malware Fighter

    Try not to restart the computer until one of the tools we use does it for you or tells you to.

    1) Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the next one. Save the logs to attach in your next reply. HOW TO: Attach Items To Your Post

    Vista and Windows 7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * When finished it will create a log.
    * Please post the rkill.log in the next reply.

    * If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.


    Once you've gotten one of them to run then try to immediately run the following.


    2) Download and run exeHelper

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Add the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



    If you already have them installed, be sure to update Malwarebytes and SUPERAntiSpyware before the scan!

    Now run this: Using Malwarebytes Anti-Malware

    Now run this: SUPERAntiSpyware - running & getting a log

    Now run this: Using MGtools


    Please attach all of the logs in your next reply. If one tool will not run skip to the next one and make note of it in your next reply.

    Logs needed:

    • Rkill
    • exeHelper
    • Malwarebytes
    • SUPERAntiSpyware
    • MGlogs
     
  3. Magebi

    Magebi Private E-2

    Thank you for your help, and I will save that information in case it happens again (or in case I'm being too confident, now).
    I ran something called Hitman, really just to try and free up Malwarebytes. The latter then worked. I then ran Spybot, Superantispyware and AVG. So far, so good. My computer is back up to speed, no more pop-ups and everything is functioning normally.
    Thank you, again, for your help.
     
  4. evilfantasy

    evilfantasy Malware Fighter

  5. Magebi

    Magebi Private E-2

    evilfantasy: I have just followed all the steps in the "Read & Run Me" instructions, then I ran Malwarebytes, which came up clear.
    Should I reverse any of the steps from the above instructions (such as reinstating Teatimer)?
    Is an HJT log necessary?
    Many thanks for your time and help. I'm learning all the time.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello there :) Just to answer your question while Evil is away:

    Do not re-enable teatimer until you have finished all fixes as it is prone to interfering, hence delaying progress.

    A HJT log will be included in the logs from MGTools anyway so do not worry about that... just continue on and attach all requested logs when you are done.
     
  7. Magebi

    Magebi Private E-2

    Finally, here are the log files as requested (in two posts), sent as attachments.
     

    Attached Files:

  8. Magebi

    Magebi Private E-2

    And finally...
     

    Attached Files:

  9. evilfantasy

    evilfantasy Malware Fighter

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

    • R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    • R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    • O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    • O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    • O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "E:\Documents and Settings\LocalService\Application Data\Macromedia\Common\387500361.dll"" (User 'LOCAL SERVICE')
    • O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    • O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "E:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\387500361.dll"" (User 'NETWORK SERVICE')
    • O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    • O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "E:\Documents and Settings\LocalService\Application Data\Macromedia\Common\387500361.dll"" (User 'SYSTEM')
    • O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    • O4 - HKUS\.DEFAULT\..\Run: [rundll32.exe] rundll32.exe "E:\Documents and Settings\LocalService\Application Data\Macromedia\Common\387500361.dll"" (User 'Default user')
    • O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    • O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    • O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    • O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    • O20 - AppInit_DLLs: E:\WINDOWS\System32\dsdmo32.dll
    • O20 - Winlogon Notify: 74b28f26502 - E:\WINDOWS\System32\dsdmo32.dll (file missing)

    After clicking Fix checked, exit HijackThis.



    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.



    Download The Avenger by Swandog46 and save it to your desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Code box below, and paste it into the Input script here window:

    Code:
    Comment:
    
    Files to delete:
    E:\Documents and Settings\All Users\Application Data\fiosejgfse.dll
    E:\Documents and Settings\LocalService\Application Data\Macromedia\Common\387500361.dll
    E:\WINDOWS\System32\dsdmo32.dll
    E:\WINDOWS\Tasks\8c4c~1.job
    
    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

    * Add the Avenger log in your next post.


    Did you have problems running ComboFix?

    Also do you know what these are in Add/Remove Programs?

    "DisplayName"="?????"
    "DisplayName"="??????"
    "DisplayName"="??????? 2.1"
     
    Last edited: Feb 26, 2010
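The HijackThis entries selected above share a few tell-tale patterns: references to files that no longer exist, rundll32 autoruns that load a DLL out of a user's Application Data folder under service-account hives, Internet Explorer policy restrictions, and AppInit_DLLs / Winlogon Notify entries. The following triage script is an added example written for this thread, not code from MajorGeeks, HijackThis or the poster; it parses HJT-style lines, flags those patterns with a reason, and collects the DLL paths the flagged lines point at so a helper can cross-check them against what the log actually shows. The sample lines are copied from the list above, plus one constructed benign ctfmon entry as a control.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Sample HijackThis-style lines. All but the ctfmon line are copied from the
# list in the post above; the ctfmon line is a constructed benign control so
# the output shows a clean entry next to the flagged ones.
SAMPLE_LOG = r"""R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [ctfmon] E:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [rundll32.exe] rundll32.exe "E:\Documents and Settings\LocalService\Application Data\Macromedia\Common\387500361.dll"" (User 'LOCAL SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: E:\WINDOWS\System32\dsdmo32.dll
O20 - Winlogon Notify: 74b28f26502 - E:\WINDOWS\System32\dsdmo32.dll (file missing)
"""

# An HJT line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# Drive-letter path ending in .dll; non-greedy so paths with spaces still stop at the first .dll.
DLL_RE = re.compile(r"[A-Za-z]:\\.*?\.dll", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    body: str
    reasons: List[str] = field(default_factory=list)


def analyse_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line. Returns None for text that is not an HJT entry;
    a Finding with an empty reasons list means the entry looked clean."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = Finding(m.group("section"), m.group("body"))
    low = f.body.lower()
    if "(no file)" in low or "(file missing)" in low:
        f.reasons.append("points at a file that no longer exists (orphaned entry)")
    if f.section == "O20":
        f.reasons.append("AppInit_DLLs/Winlogon Notify: DLL loaded into many processes at logon")
    if f.section == "O4" and "rundll32" in low and "application data" in low:
        f.reasons.append("rundll32 autorun loading a DLL from a user-data directory")
    if f.section == "O6" and "restrictions present" in low:
        f.reasons.append("Internet Explorer policy restrictions are set")
    return f


def analyse_log(text: str) -> List[Finding]:
    """Return only the entries that triggered at least one reason."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f and f.reasons]


def dll_paths(findings: List[Finding]) -> Set[str]:
    """Distinct DLL paths referenced by flagged entries (the same file often appears in several)."""
    paths: Set[str] = set()
    for f in findings:
        paths.update(DLL_RE.findall(f.body))
    return paths


def render_report(text: str) -> str:
    findings = analyse_log(text)
    lines = [f"{f.section}: {', '.join(f.reasons)}\n    {f.body}" for f in findings]
    lines.append("DLLs referenced by flagged entries:")
    lines.extend(f"    {p}" for p in sorted(dll_paths(findings)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_LOG))
```

Note that the same DLL shows up behind both O20 entries and the single 387500361.dll behind every service-account O4 entry, which is why the fix list above collapses to a handful of files; the script's de-duplicated path set reproduces that reduction from the log alone.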
  10. Magebi

    Magebi Private E-2

    Attached are the logs from Avenger and ComboFix.
    I couldn't find any files to delete from WindowsDelete (although my computer - on Firefox - automatically saves everything to my E: (your C:) partition, with no choice).
    The 3 programmes came up as ????? so are probably Chinese. I'll have to throttle my (step)daughter about those, as my computer only reads certain Chinese codes.

    Thank you for all of your trouble. It seems that it was a good job that you persisted.
     
  11. evilfantasy

    evilfantasy Malware Fighter

    The logs didn't get attached.
     
  12. Magebi

    Magebi Private E-2

    Dumb!
     

    Attached Files:

  13. evilfantasy

    evilfantasy Malware Fighter

    Start Malwarebytes and go to the More Tools tab. There you'll find a button named Run Tool to run FileASSASSIN.

    Then browse to this file:

    E:\Documents and Settings\LocalService\Application Data\Macromedia\Common\387500361.dll

    Select that file and click OK, then Yes to remove it.

    How is your computer running now?
     
  14. Magebi

    Magebi Private E-2

    Apparently, this file doesn't exist. When I clicked on 'common', the box was empty, so I pasted the line into the window, and was told that there was no such file.
    My computer is running fine, except when I haven't used it for a while, when it is quite slow.
     
  15. evilfantasy

    evilfantasy Malware Fighter

  16. Magebi

    Magebi Private E-2

    The ESETScan is attached.

    Thank you.
     

    Attached Files:

  17. evilfantasy

    evilfantasy Malware Fighter

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
