Please help. Serious infection.

Discussion in 'Malware Help (A Specialist Will Reply)' started by mudbog, Apr 3, 2008.

  1. mudbog

    mudbog Private E-2

    I am at witts end with my pc and have info on it I do not want to lose in formatting. My desktop is a blue screen with a Warning spyware detected message and a link. The pc won't access the internet and hangs when I click on pretty much anything.
     

    Attached Files:

    mudbog, Apr 3, 2008
    #1
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please uninstall HJT as it will be properly installed when you do the following:

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
    TimW, Apr 4, 2008
    #2
  3. mudbog

    mudbog Private E-2

    When I attempt to follow the Read & Run Me First... I am blocked at most every turn. I cannot install anything that uses windows installer. I cannot access the internet, nor can I move/copy files. I can run files from removeable media only. All admin rights have been blocked even in safe mode and nothing shows up in the user accounts. So far the only success I had was running combofix which stopped the desktop from showing a warning message and the pc seems to run a little faster.
     
    mudbog, Apr 4, 2008
    #3
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you attach the log from ComboFix and from MGtools? They do not use Windows Installer.
     
    Last edited by a moderator: Apr 4, 2008
    TimW, Apr 4, 2008
    #4
  5. mudbog

    mudbog Private E-2

    I have the combo log. I can't run the Mgtools due to not being able to install it in the root folder.
     

    Attached Files:

    mudbog, Apr 4, 2008
    #5
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you have both McAfee and Avast installed? If so uninstall one of them.

    Please Disable Spybot's TeaTimer

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Now we need to get rid of the rogue program ---> C:\Program Files\Antivirus Pro

    Use add/remove to uninstall it ....if you can't please download and run:
    Rogue Remover

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now see if you can run the MGTools as well as the other scans.
     
    TimW, Apr 4, 2008
    #6
  7. mudbog

    mudbog Private E-2

    I believe I have already wiped out all of those lines. They aren't showing up when I scan with HJT. I don't understand why any AV programs are showing up. I uninstalled everything. Or so I thought.

    I still cant move MGtools to the root and when I install Malwarebytes' anti-malware, I get a

    Run-time error '372':
    Failed to load control 'vbalGrid' from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.
     
    mudbog, Apr 4, 2008
    #7
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you have .net framework installed?

    You also need to rename HJT if you are going to run it
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe --- > C:\Program Files\Trend Micro\HijackThis\analyse.exe

    Do you have parental control software installed?

    And did you disable TeaTimer?
     
    TimW, Apr 4, 2008
    #8
  9. mudbog

    mudbog Private E-2

    I don't know about the .net framework. How do I check?
    I renamed HJT and ran scan only. Got the same results 22 lines mostly McAfee.
    No, I never installed any parental controls.
    Can't find spybot. If you are looking at the HJT log at the beginning of this thread, I believe I uninstalled it later or combofix maybe took it out.
     
    mudbog, Apr 4, 2008
    #9
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Two more things I see:

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Then use windows explorer to find and delete:
    c:\windows\system32\netknl.dll

    Re-run combofix and attach a new log...

    Did you run rogue remover and get rid of Antivirus Pro?
    Did you have any problems doing the previous Reg. fix?

    .Net framework will be in the add/remove programs list.
     
    TimW, Apr 4, 2008
    #10
  11. mudbog

    mudbog Private E-2

    Ran rogue remover and it only found one thing that wasn't Antivirus Pro.
    Didn't have any problems with the first reg fix.
    Ran the second reg fix and deleted the netknl.dll file.
    Do have .net framework1.1

    Ran combofix again. Now I have no icons, just a background that was installed before.
     

    Attached Files:

    mudbog, Apr 4, 2008
    #11
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did it reboot after running ....if not do so.

    Try opening my computer / double click on the C drive and drag and drop MGTools.exe into it.

    I really need to see those logs.
     
    TimW, Apr 4, 2008
    #12
  13. mudbog

    mudbog Private E-2

    Still can't drag and drop or copy and paste any files. I am going to try to reinstall the wireless card to see if I can get back online. If that works I think I will be able to download and run MGtools from the root folder.
     
    mudbog, Apr 5, 2008
    #13
  14. mudbog

    mudbog Private E-2

    That didn't work. I can get a signal from my router, but I have no network connections and it won't let me create one. Once I get to the 2nd window in the wizard it stops.
     
    mudbog, Apr 5, 2008
    #14
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you plug directly into the modem?
     
    TimW, Apr 5, 2008
    #15
  16. mudbog

    mudbog Private E-2

    No my ethernet connection is broken.
     
    mudbog, Apr 5, 2008
    #16
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you can't copy and paste...then there is no way to get me any logs.....I would suggest that you do a repair install and see where we are then.
     
    TimW, Apr 6, 2008
    #17
  18. mudbog

    mudbog Private E-2

    Will that affect any saved files such as pics and documents?
     
    mudbog, Apr 6, 2008
    #18
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    TimW, Apr 6, 2008
    #19
  20. mudbog

    mudbog Private E-2

    Thanks. I will give it a try. Probably won't be for a couple of days due to work. I'll keep you posted.
     
    mudbog, Apr 6, 2008
    #20
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Keep me posted. :)
     
    TimW, Apr 7, 2008
    #21
  22. mudbog

    mudbog Private E-2

    All right.... now I really bit the big one. My pc didn't come with a boot disc. It has a partitioned or virtual drive with the restoration files. So... My dumb instinct led me to ask an HP tech what to do. Now, after running the hp rescue (which says I wouldn't lose personal files), I am stuck at the final screen that says I have finished setting up my pc and to click finish. It just hangs there. Any possible way out of this one?
     
    mudbog, Apr 9, 2008
    #22
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Power off and reboot....:(
     
    TimW, Apr 9, 2008
    #23
  24. mudbog

    mudbog Private E-2

    Naturally, that doesn't work. It picks up where I left off. L tried safe mode and it told me to finish installing windows.
     
    mudbog, Apr 9, 2008
    #24
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You may have to go thru the install process again ....if it sticks at the 14 minutes to go installing ...then just wait it out.
     
    TimW, Apr 9, 2008
    #25
  26. mudbog

    mudbog Private E-2

    Ok. After getting an xp cd from a friend, I think we are getting somewhere. I am in the repair process right now based on the "wordy link" that you gave me. We'll see what happens from here.
     
    mudbog, Apr 10, 2008
    #26
  27. mudbog

    mudbog Private E-2

    Please have a look at these.
     

    Attached Files:

    mudbog, Apr 10, 2008
    #27
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It looks good ...other than a few items to deal with:

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Download and install:
    Java Runtime 6

    Find and delete this:
    C:\Windows\Antivirus Pro

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Owner\Local Settings\Temp\

    Now go to HERE and install some ant-virus program.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    2. * Click START then RUN
    * Now type combofix /u in the runbox and click OK.
    * Note: The space between the X and the /U, it must be there.
    3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    5. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    6. After doing the above, you should work thru the below link:
    How to Protect yourself from malware!
     
    TimW, Apr 11, 2008
    #28
  29. mudbog

    mudbog Private E-2

    You are that Dude. I just went through all of the Read Me and windows cleaning to make sure everything is good. It found a couple of minor things that appear to be gone now. I appreciate all of your help. You saved my ***.
     
    mudbog, Apr 12, 2008
    #29
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome ...safe surfing. :)
     
    TimW, Apr 12, 2008
    #30
  31. mudbog

    mudbog Private E-2

    If you are ever in Pittsburgh, let me know. I'll owe you a trip to the local gentleman's club....or at least a beer.
     
    mudbog, Apr 13, 2008
    #31
  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'll remember that ...:)
     
    TimW, Apr 13, 2008
    #32

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds