Security Shield not allowing programs to run

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by SEGA, Mar 19, 2012.

  1. SEGA

    SEGA Private E-2

    Hi there again guys. After my last encounter, I decided to only visit 'trustworthy' sites. Surely the links TV-links.eu provide would be ok?
    Apparently not. After clicking on a movreel link, some weird security shield downloaded itself to my computer. Windows antivirus protection picked it up, but seemed to crash... before saying the virus was wiped. No problem, I thought.


    However, I noticed a fake security shield appear in the system tray, and now Internet Explorer keeps misdirecting me to some page saying the following website might be infected, and to purchase some spyware removal in slightly broken English. It has also disabled my internet; even when I try to unplug my wireless adapter, it comes up with the same message.
    It won't let any programs run, including ComboFix or MGlogs; it just comes up with 'this program is infected. continue unprotected?' and if I click OK to continue, it goes back to the desktop with no program opened. Weirdly, the only two programs I can run are IE and SUPERAntiSpyware. SUPERAntiSpyware cannot detect any viruses, and can only be run from the system tray. Conversely, the fake security shield sign cannot be right-clicked or anything. I can still use Windows Explorer, cannot activate anything from the Start > Run menu, get constant popups (even with the wireless adapter unplugged), and fake computer scans keep telling me I basically have hundreds of viruses and should pay using credit card information.


    Windows Antivirus is running, going to try starting in safe mode, see if that helps. Any advice would be appreciated.
     
  2. thisisu

    thisisu Malware Consultant

    Hello SEGA,

    Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    After the Scan has completed, press the Delete button too.
    When it is finished, there will be two logs on your desktop called: RKreport[1].txt and RKreport[2].txt
    Attach both RKreport[1].txt and RKreport[2].txt to your next message. (How to attach)

    Now immediately try to install and run a scan with Malwarebytes Anti-Malware.

    Refer to Using Malwarebytes Anti-Malware if you need help.
    Remember to attach the log from MBAM. (How to attach)

    Let me know if you were successful or unsuccessful with these tasks before I give you further instructions.
     
  3. SEGA

    SEGA Private E-2

    Hey there. I had to save files from a different computer using a CD, as the virus wouldn't allow me to connect to the net at all, plus I didn't want to run a risk of a memory stick getting infected.

    I ran the requested items in safe mode, and the Security Shield thing seems to have disappeared, and Windows is letting me run programs. HOWEVER, it seems to have disabled a few of my USB slots on my PC. I can only currently connect to the net through a LAN cable, as most of the USB slots now don't seem to be recognizing the wireless adapter at all. Luckily my keyboard and mouse run through different slots (PS/2?) so they seem fine. Also using memory sticks seems to work fine.....

    Here are the requested files. I will include an mglogs report in the next post.
     

    Attached Files:

  4. SEGA

    SEGA Private E-2

    Here is another file, the MGlogs.zip file which I ran before running Malwarebytes and RogueKiller.


    EDIT: BTW something strange happened when I tried to run ComboFix, which is why there is no log for it. It said something about it not being the right version and asked me if I wanted to run in Reduced Functionality mode. I clicked OK, then it just deleted itself off my system. ????
     

    Attached Files:

    Last edited: Mar 21, 2012
  5. thisisu

    thisisu Malware Consultant

    Good job ;)

    Find and delete this file:
    • C:\Documents and Settings\Compaq_Administrator.YOUR-E6F02835AE\Local Settings\Application Data\vuuhwrezhr.exe
    Let me know if the icon was a picture of a green globe.

    This is because your copy of ComboFix expired.

    Download a new copy from here: Download ComboFix
    • Transfer it over to the computer with the issue.
    • Then double-click it to run it.
    • Attach the latest C:\ComboFix.txt to your next message.
     
  6. SEGA

    SEGA Private E-2

    Hi! Ran ComboFix, attached the log.
    I did delete the file you spoke of, but I can't remember if it was a globe or not :p sorry.....
     

    Attached Files:

    • log.txt (12.5 KB)
  7. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 22
    • Java(TM) 6 Update 29

    /!\ Please Disable Spybot's TeaTimer
    Leave it disabled for the remainder of malware removal.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DDS::
    uInternet Settings,ProxyOverride = <local>;*.local
    Domains::
    Driver::
    gexriqmj
    kacctabh
    95603645
    File::
    c:\windows\system32\drivers\gexriqmj.sys
    c:\windows\system32\drivers\kacctabh.sys
    c:\windows\system32\drivers\96428476.sys
    C:\Documents and Settings\Compaq_Administrator.YOUR-E6F02835AE\Local Settings\Application Data\vuuhwrezhr.exe
    C:\Documents and Settings\Compaq_Administrator.YOUR-E6F02835AE\Local Settings\temp\3.tmp
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update"=-
    "iTunesHelper"=-
    "QuickTime Task"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DivXUpdate]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD23}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD23}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFC4F59B-A2DA-4e12-B337-52A4F871E10C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d48c9ead-f59f-4dea-ac97-7065fea79f42}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{d48c9ead-f59f-4dea-ac97-7065fea79f42}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d48c9ead-f59f-4dea-ac97-7065fea79f42}]

    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Please download Microsoft Fix it 50203 to your desktop.
    • Double-click it to run.
    • Reboot when asked to.

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
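    The CFScript in the post above is a plain-text list of sections (KillAll::, ClearJavaCache::, Driver::, File::, Registry::) that ComboFix carries out once the file is dropped onto it; the Registry:: block uses .reg-style syntax, where a line like [-KEY] deletes the whole key and "name"=- deletes one value under the key named on the preceding bracketed line. Before running a script like this on a machine it is worth reading it back as a list of concrete actions. The Python below is an added example, not code from the post, from MajorGeeks or from ComboFix: it parses the script from this post (copied in with the forum's colour tags stripped, as constructed input) into a dry-run plan and cross-checks the names under Driver:: against the .sys paths under File::. It assumes only the syntax visible in the script above; any other section is collected but not interpreted, and nothing on the system is touched.

```python
import ntpath
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")      # e.g. "File::"
REG_KEY_RE = re.compile(r"^\[(-?)(HK[^\]]+)\]$")    # "[KEY]" or "[-KEY]" (delete key)
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')      # '"name"=-' deletes a value

# Script from the post above with the forum's [COLOR] tags removed (constructed input).
SAMPLE_CFSCRIPT = r"""
KillAll::
ClearJavaCache::
DDS::
uInternet Settings,ProxyOverride = <local>;*.local
Domains::
Driver::
gexriqmj
kacctabh
95603645
File::
c:\windows\system32\drivers\gexriqmj.sys
c:\windows\system32\drivers\kacctabh.sys
c:\windows\system32\drivers\96428476.sys
C:\Documents and Settings\Compaq_Administrator.YOUR-E6F02835AE\Local Settings\Application Data\vuuhwrezhr.exe
C:\Documents and Settings\Compaq_Administrator.YOUR-E6F02835AE\Local Settings\temp\3.tmp
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"=-
"iTunesHelper"=-
"QuickTime Task"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DivXUpdate]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD23}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0D7562AE-8EF6-416d-A838-AB665251703A}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD23}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFC4F59B-A2DA-4e12-B337-52A4F871E10C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d48c9ead-f59f-4dea-ac97-7065fea79f42}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{d48c9ead-f59f-4dea-ac97-7065fea79f42}"=-
[-HKEY_CLASSES_ROOT\clsid\{d48c9ead-f59f-4dea-ac97-7065fea79f42}]
"""

@dataclass
class Plan:
    kill_all: bool = False
    clear_java_cache: bool = False
    drivers: list = field(default_factory=list)              # service names to stop/remove
    files: list = field(default_factory=list)                # full paths to delete
    reg_keys_deleted: list = field(default_factory=list)     # keys written as [-KEY]
    reg_values_deleted: list = field(default_factory=list)   # (key, value name) from "name"=-
    other: dict = field(default_factory=dict)                # sections this reader does not interpret

def parse_cfscript(text):  # script text -> Plan; nothing is executed
    plan, section, current_key = Plan(), None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1), None
            plan.kill_all |= section == "KillAll"
            plan.clear_java_cache |= section == "ClearJavaCache"
            continue
        if section == "Driver":
            plan.drivers.append(line)
        elif section == "File":
            plan.files.append(line)
        elif section == "Registry":
            km = REG_KEY_RE.match(line)
            vm = REG_VALUE_RE.match(line)
            if km:
                current_key = km.group(2)           # later "name"=- lines refer to this key
                if km.group(1) == "-":
                    plan.reg_keys_deleted.append(current_key)
            elif vm and current_key and vm.group(2) == "-":
                plan.reg_values_deleted.append((current_key, vm.group(1)))
        else:
            plan.other.setdefault(section or "_preamble", []).append(line)
    return plan

def review_plan(plan):  # checks a reviewer wants before dropping the script on ComboFix
    warnings = []
    drivers = {d.lower() for d in plan.drivers}
    sys_files = {}   # driver base name -> path, for .sys files under a drivers directory
    for path in plan.files:
        low = path.lower()
        base = ntpath.basename(low)
        if "\\drivers\\" in low and base.endswith(".sys"):
            sys_files[base[:-4]] = path
    # A stopped service whose binary is not deleted, or a deleted binary whose service is
    # not stopped, means the two halves of the script do not agree on the driver's name.
    for name in sorted(drivers - set(sys_files)):
        warnings.append(f"Driver:: '{name}' has no matching .sys under File::")
    for name in sorted(set(sys_files) - drivers):
        warnings.append(f"File:: '{sys_files[name]}' is a driver binary but '{name}' is not in Driver::")
    return warnings

if __name__ == "__main__":
    for w in review_plan(parse_cfscript(SAMPLE_CFSCRIPT)):
        print("WARNING:", w)
```

    Run against the script above, the parser reports three drivers, five files, eight keys and five values to delete, and the cross-check flags that Driver:: names 95603645 while the only numeric .sys under File:: is 96428476.sys; that mismatch is exactly the kind of thing to resolve by re-reading the logs before the script is run.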
  8. SEGA

    SEGA Private E-2

    Hey there! Here's the files you requested. Ran the Microsoft Fix it thingy, and put the script into ComboFix etc. Sorry it took so long, I was working a lot lately. Things.... seem ok, but I'll wait for the OK from you first.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Good job. Latest logs are clean and internet appears to be restored, except it looks like you had the ethernet cable unplugged when you ran GetLogs.bat.

    Last steps:

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Now install the current version of Sun Java from: jre-7u3-windows-i586.exe

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  10. SEGA

    SEGA Private E-2

    Ok, did everything you asked. Thanks for all your help!
    BTW that link you provided to download the new Sun Java Runtime Environment 7 won't let me download from there; it says my browser's cookies are not enabled... when they are lol.

    once again, thanks guys, you probably have real life jobs to get on with, but by helping us poor people, you provide a real public service for free! :cool
     
  11. thisisu

    thisisu Malware Consultant

  12. thisisu

    thisisu Malware Consultant

  13. SEGA

    SEGA Private E-2

    Hey there, everything is working fine, thank you! I downloaded the last link you gave me!


    BTW there is one last annoying thing: sometimes words will appear in blue saying 'powered by text enhance' when surfing the net, and they seem to go to some weird link. Is that spyware as well?
     
  14. thisisu

    thisisu Malware Consultant

    You're welcome :)

    This may apply to you. Let me know. http://wafflesatnoon.com/2011/10/05/seeing-unwanted-text-enhance-ads/
     
  15. SEGA

    SEGA Private E-2

    I checked those three things it said to do in the link. I checked Google Chrome, Tools > Extensions: no Facetheme there. No Facetheme under Control Panel > Add/Remove Programs, or CCleaner's add/remove programs. And SUPERAntiSpyware doesn't seem to have picked it up.
     
  16. thisisu

    thisisu Malware Consultant
