Program Compability Assistant

Discussion in 'Malware Help (A Specialist Will Reply)' started by bapaveza, Jun 11, 2010.

  1. bapaveza

    bapaveza Private E-2

    On 4/23/10, at about 9:30am CT, I became victim to an infestation of malware including Desktop Security 2010 and the fake/rean trojan. After working through the issues over the course of four or five days I believed my system was in the clear.

    About two weeks went by and I tried to play some music in Windows Media Player 11. At that point a window appeared titled Program Compability Assistant (note the misspelling).

    The window then lists the program, publisher, and location of Windows Media Player with a button that says "Download required components".

    Clicking the button would take you to a website selling Total Codec Pack for $4.99 ... given the misspelling of the window and the fact that this is a Microsoft program telling you to buy something from a non-Microsoft site (yeah right!) it seemed clear my earlier infestation was still around.

    I've gone through the steps in the Read & Run First procedure with some success. Attached are my logs. Somewhere in the procedure the Program Compability Assistant window disappeared but I remain unable to use Windows Media Player so I suspect something is still hanging around. Specifically, when I try to play mpg or mp3 files in Windows Media Player 11 I get the following error message:

    Clicking Web Help tells me I'm getting error code C00D11B1 and that they think there is something wrong with my sound device. I've gone through the recommended fixes and they aren't helping.

    I've tried playing the same mpg files in QuickTime and receive the following:

    I have been able to play mp3's in Quick Time and in Zune Player. Also, embedded video like YouTube is working just fine so it seems like there is something really focused on preventing me from watching videos and, to a lesser extent, music. Any help you can provide in getting me clear of this infestation once and for all would be appreciated.

    Log Note: RootRepeal crashed every time I tried to run it so the log for that one is just a crash log.
     


  2. bapaveza

    bapaveza Private E-2

    Root Repeal log attached.
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing much in the way of malware, but use windows explorer to find and delete:
    C:\ProgramData\lemovewe
    c:\programdata\vabehile
    c:\programdata\takahuki
    C:\Users\Bryan\AppData\Local\rygptuhgc

    Tell me if you have a problem doing that.

    You need to put ComboFix on your desktop, not here:
    Running from: c:\users\Bryan\Downloads\ComboFix.exe

    You may need to post in the software forum to try to straighten out WMP. Perhaps you should uninstall it, run CCleaner and, after a reboot, reinstall it.

    Since you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:

     
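The post above asks for four oddly named folders to be deleted by hand. Before removing them, a practitioner would normally record what is in them (creation time, file sizes, hashes) so that the artifacts can be looked up or kept for later analysis, and would check whether any sibling folders of the same shape exist. The following script is an added example, not part of the thread or of the MajorGeeks procedure; it uses the four paths named in the post, substitutes the current user's Local AppData for the C:\Users\Bryan path, and treats "8 or 9 lowercase letters, created recently" as a heuristic for the naming pattern seen here, which is an assumption drawn from those four names rather than a documented rule. Get-FileHash and the -Directory switch need PowerShell 4 or later, so on a stock Vista install the script must be run from an updated Windows Management Framework.

```powershell
# Added example: triage the folders named in the post before deleting them.
# Run from an elevated PowerShell (4.0+) on the affected machine.

$suspect = @(
    'C:\ProgramData\lemovewe',
    'C:\ProgramData\vabehile',
    'C:\ProgramData\takahuki',
    "$env:LOCALAPPDATA\rygptuhgc"   # stands in for C:\Users\Bryan\AppData\Local\rygptuhgc from the post
)

# 1. Record what is inside each listed folder: creation time, every file, its size,
#    last write time and SHA-256, so the artifacts can be looked up later.
foreach ($dir in $suspect) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Host "absent: $dir"
        continue
    }
    $item = Get-Item -LiteralPath $dir -Force
    Write-Host ("`n{0}  (created {1}, attributes {2})" -f $dir, $item.CreationTime, $item.Attributes)
    Get-ChildItem -LiteralPath $dir -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            '{0,-60} {1,10} {2}  {3}' -f $_.FullName, $_.Length, $_.LastWriteTime, $hash
        }
}

# 2. Look for siblings of the same shape that the logs may not have shown:
#    directly under ProgramData or Local AppData, 8-9 lowercase letters, created
#    in the last 60 days. This heuristic is an assumption based on the four names above.
$cutoff = (Get-Date).AddDays(-60)
Write-Host "`nOther recently created folders matching the naming pattern:"
Get-ChildItem -LiteralPath $env:ProgramData, $env:LOCALAPPDATA -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -cmatch '^[a-z]{8,9}$' -and $_.CreationTime -gt $cutoff } |
    Select-Object FullName, CreationTime

# 3. Remove the listed folders. -WhatIf only reports what would be deleted;
#    remove it once the inventory above has been reviewed and saved.
foreach ($dir in $suspect) {
    if (Test-Path -LiteralPath $dir) {
        Remove-Item -LiteralPath $dir -Recurse -Force -WhatIf
    }
}
```

Redirect the script's output to a file (for example `.\triage.ps1 *> triage.txt`) so the hashes survive the deletion; a hash of a file that no longer exists is the only thing that lets you check later whether the folder was a known rogue-security-product dropper or a legitimate application's data.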
  4. bapaveza

    bapaveza Private E-2

    These items have been deleted without issue.

    I have moved ComboFix to my desktop. I wasn't sure if your intention was for me to run a scan after moving it. I have done so and the new log is attached. If I could get an all clear on that log I'll then proceed with the final steps you mentioned below.
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No, I didn't need you to run it again, only to put it on the desktop so that it could be removed with ease. Otherwise, your logs are clean. Did you uninstall and reinstall WMP? Was it successful?
     
  6. bapaveza

    bapaveza Private E-2

    I have completed the final steps previously listed.

    The issue with WMP persists. I did not uninstall WMP - my understanding is that WMP cannot be uninstalled due to its close integration with the Vista OS. WMP does not appear in Programs and Features to uninstall.

    I will follow up in the Software forum on the WMP issue as you suggested. I suspect that the issue is not program-related though, as both WMP and QuickTime are unable to play mpg's. If it was program-related I would expect only one program to be impacted. It strikes me more as a missing codec issue or something more general. We shall see.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, probably a codec issue. Good luck with that. :)
     
