Various problems

Hi,

It is a long time ago since my problems started and I have tried a sorts of things to sort them out, BUT unfortunately without your help.

About a year ago - can't remember exactly when, I got some kind of virus that seemed to get past everything and effectively took over my computer.

I think I was using MSE or Live One Care at the time.

It got past my antivirus, disabled it, would not allow me to open task manager, disabled updates, system restore etc etc. It would not let me run most scanners etc

I got some limited hep from Microsoft, but they did not fix all my issues and I have had various problems ever since, the most obvious of which is that Windows update has never worked properly since. It constantly tells me that there is 1 important update, which is the Windows Malicious Software removal tool, which it daily downloads and then fails to install. Microsoft have been no help with this and although I have tried, I have not found any 'solution' that works.

In looking for solutions, I have discovered that Windows Update is not even present in 'Services'. Background Intellegent Transfer Service was also missing earlier today, but I found a 'solution' to get that back, but it wouldn't work properly and since running through your scans, it is no longer there.

Incidentally, while I was running through your scans, Windows Explorer kept crashing and shutting down.

Also (rather worryingly) the 2nd partition of my hard drive is just showing as External1 (K but I cannot see anything in it and it is not displaying the blue bar with how full it is. This was fine until I ran the scans.

The Hitman scan seemed to have difficulty and got stuck after a few seconds. On the third attempt it ran through.

I don't know what else to tell you, but I am guessing there is probably plenty if prompted.

I'll be very grateful for any help you can give me.

Tim

 

Welcome to MajorGeeks, Tim.

You had a really old variant of ZeroAccess / Sirefef.

http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:

• 1ClickDownloader
• Ad-Aware Antivirus
• Ad-Aware Browsing Protection
• iLivid
• Java(TM) 6 Update 31
• Rootkit Unhooker Uninstall
• Spybot - Search & Destroy
• STOPzilla

__

http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

• Save it to your desktop.
• Right mouse click on the OTL icon on your desktop and select Run as Administrator
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
  
  Code:

  activex
  netsvcs
  drives
  

• Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
• One report will be created:
  • OTL.txt <-- Will be opened
• Attach OTL.txt to your next message. (How to attach)

__

http://img97.imageshack.us/img97/8120/fss.gif Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure all the options are checked
• Press Scan.
• It will create a log (FSS.txt) in the same directory the tool was run.
• Please attach FSS.txt to your next message. (How to attach)

 

Thanks for your help.

OK I did as you said:

OTL was running fine for quite some time. Then suddenly it went 'ping' and a OTL box opened which said, 'Win32 Error. Code: 6. The handle is invalid. OK

At the bottom of OTL main window it said it was scanning Spybot - Search and Destroy event log...

It seems to have got stuck there.

I also noticed that it hadn't scanned my K Drive which is the larger partition of my main drive. I have attached a screen shot of OTL as it was when it stopped.

 

/!\ First, please read and understand this: Warning about Porn, Keygens, Cracks, and other Illegal Software


I would prefer if you ran this fix while in Safe Mode for the highest chance of success.
See: How to start your computer in Safe mode

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:otl[/COLOR]
SRV - File not found [Disabled | Stopped] --  -- (NAUpdate)
SRV - File not found [Auto | Stopped] -- M:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - File not found [Disabled | Stopped] -- C:\Program Files\Emsisoft Anti-Malware\a2service.exe -- (a2AntiMalware)
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\SBREdrv.sys -- (SBRE)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Tim\AppData\Local\Temp\cpuz134\cpuz134_x32.sys -- (cpuz134)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Tim\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Unknown] --  -- (.smb)
DRV - [2011/07/17 20:24:33 | 000,076,696 | ---- | M] (Prevx) [File_System | System | Running] -- C:\Windows\System32\drivers\pxrts.sys -- (pxrts)
DRV - [2011/07/17 20:24:33 | 000,032,008 | ---- | M] (Prevx) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pxscan.sys -- (pxscan)
DRV - [2011/07/17 20:24:32 | 000,026,096 | ---- | M] (Prevx) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pxkbf.sys -- (pxkbf)
DRV - [2011/07/12 10:38:45 | 000,011,264 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\uze3njk5.sys -- (uze3njk5)
FF - prefs.js..browser.search.defaultenginename: "Claro Search"
FF - prefs.js..browser.search.defaulturl: "http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=18836"
FF - prefs.js..browser.search.order.1: "Claro Search"
FF - prefs.js..extensions.enabledAddons: ffxtlbr@claro.com:1.5.0
FF - prefs.js..keyword.URL: "http://isearch.claro-search.com/?affID=114162&tt=3612_7&babsrc=KW_iclro&mntrId=4a82ec940000000000000019d15634d6&q="
[2012/09/08 23:44:59 | 000,000,000 | ---D | M] (Claro Toolbar) -- C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\xlonzqby.default\extensions\ffxtlbr@claro.com
[2012/08/26 09:07:19 | 000,000,000 | ---D | M] (Lavasoft Search Plugin) -- C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\xlonzqby.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
[2012/08/31 17:32:21 | 000,000,000 | ---D | M] (OneClickDownloader) -- C:\Users\Tim\AppData\Roaming\Mozilla\Firefox\Profiles\xlonzqby.default\extensions\OneClickDownload@OneClickDownload.com
[2012/08/26 09:07:15 | 000,000,616 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\adawaretb.xml
[2012/09/05 00:05:05 | 000,006,531 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
O2 - BHO: (SafeOnline BHO) - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\Windows\System32\PxSecure.dll (Prevx)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-51262478-1772206609-1865092225-1000\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
[2012/09/09 22:09:51 | 000,000,000 | ---D | C] -- C:\Users\Tim\AppData\Roaming\PC Cleaners
[2012/09/09 22:09:47 | 004,571,448 | ---- | C] (PC Cleaners) -- C:\Windows\uninst.exe
[2012/09/04 22:33:51 | 000,000,000 | ---D | C] -- C:\Users\Tim\AppData\Roaming\IClaro
[2012/09/04 00:46:24 | 000,000,000 | ---D | C] -- C:\Users\Tim\AppData\Local\Trusteer
[2012/09/04 00:44:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Trusteer
[2012/08/22 21:22:00 | 000,209,269 | ---- | M] () -- C:\torrent.exe
[2012/09/05 02:33:18 | 000,000,804 | ---- | C] () -- C:\Windows\$NtUninstallKB45589$\946506367\L\00000004.@
[2012/09/04 22:34:12 | 000,000,196 | ---- | C] () -- C:\user.js
[2011/07/12 10:36:45 | 000,011,264 | ---- | C] () -- C:\Windows\System32\drivers\uze3njk5.sys
[COLOR="DarkRed"]:files[/COLOR]
dir /s C:\Windows\System32\%APPDATA% /c
C:\Users\Tim\AppData\Local\adaware /d
C:\Users\Tim\AppData\Local\adawarebp /d
C:\Users\Tim\AppData\Roaming\IClaro /d
C:\Users\Tim\AppData\Roaming\Media Finder /d
C:\Users\Tim\AppData\Roaming\PC Cleaners /d
C:\Users\Tim\AppData\Roaming\PCPro /d
C:\Windows\$NtUninstallKB45589$ /d
C:\Users\Tim\AppData\Local\temp\*.tmp /d
C:\Windows\Tasks\Google*.job /d
[COLOR="DarkRed"]:reg[/COLOR]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GridinSoft Trojan Killer"=-
"AdobeBridge"=-
"Media Finder"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"startup"=dword:00000000
"services"=dword:00000000
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}]
[COLOR="DarkRed"]:commands[/COLOR]
[clearallrestorepoints]
[emptytemp]
[resethosts]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
The fix will need a reboot. Allow the PC to reboot into Normal Mode.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

__

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

OK - after running OTL I lost the use of my keyboard, I am having to use the on screen keyboard instead.

when I ran GetLogs the following error message box popped up:

Cback slash)Windows(back slash)System32(bs)cmd.exe
SYSTEM(BS)CurrentControlSet(bs)Control(bs)VirtualDeviceDrivers, Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application.



So that is what I did......

I had to do it 3 times

It would be handy to have the keyboard back

 

Did you have trouble uninstalling the applications I listed here (top of post)?
They are all still present according to your latest logs.

Regarding your keyboard issue, can you uninstall and reinstall Prevx. Apparently this application you installed wants to manage your keyboard.

 

Very odd. They all uninstalled as I would expect them to and they do not show up in Add/Remove programs. I have attached 3 screenshots of the programs installed.

You're good!

I just deleted Prevx and my keyboard came straight back. Unless you think I should have it, I don't need to reinstall it. I can't remember why I did, but think it was on recommendation from someone on another forum when I was trying to get rid of the infection originally.

 

I have a feeling some of the logs just didn't update properly. We'll find out by doing the below. Then I'll help you with the broken Windows services.
And yes, leave Prevx uninstalled.

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:files[/COLOR]
C:\Users\Tim\AppData\Roaming\Ad-Aware Antivirus
C:\Users\Tim\AppData\Roaming\IClaro
C:\Users\Tim\AppData\Roaming\Media Finder
C:\Users\Tim\AppData\Roaming\PC Cleaners
C:\Users\Tim\AppData\Roaming\PCPro
C:\Users\Tim\Desktop\gnubg.exe - Shortcut.lnk
C:\Users\Tim\Documents\1Click.cfg
C:\Users\Tim\AppData\Local\adaware
C:\Users\Tim\AppData\Local\adawarebp
C:\Users\Tim\AppData\Local\Trusteer
C:\ProgramData\Ad-Aware Browsing Protection
C:\ProgramData\Lavasoft
C:\ProgramData\Trusteer
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rootkit Unhooker
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\STOPzilla
C:\Program Files\Mozilla Firefox\searchplugins\adawaretb.xml
C:\Program Files\Mozilla Firefox\searchplugins\babylon.xml
C:\Program Files\1ClickDownload
C:\Program Files\Ad-Aware Antivirus
C:\Program Files\iLivid
C:\Program Files\Trusteer
C:\Program Files\smartdl
rd C:\Windows\$NtUninstallKB45589$ /c
dir /s C:\Windows\$NtUninstallKB19946$ /c
C:\Windows\$NtUninstallKB45589$ /d
[COLOR="DarkRed"]:commands[/COLOR]
[emptytemp]

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

__

http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
This updates all of the logs inside MGlogs.zip.
When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

 

OK All done.

stuff attached

 

The screenshot you attached appears to be related to something MGtools is trying to do. I've asked Chaslang (the author of the tool) to take a look at it.

Will review your latest logs shortly.

 

Very odd that there were two separate, bad, NtUninstallKBfolders both relating to ZeroAccess (these don't exist on Vista and up). It's as if you had two separate ZeroAccess infections (very rare!)

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:processes[/COLOR]
killallprocesses
[COLOR="DarkRed"]:files[/COLOR]
xcacls.exe C:\WINDOWS\$NtUninstallKB19946$\946506367 /p Administrators:f SYSTEM:f /y /c
fsutil reparsepoint delete C:\WINDOWS\$NtUninstallKB19946$\946506367 /c
C:\Windows\$NtUninstallKB19946$\946506367\L\fomtmfeh
C:\Windows\$NtUninstallKB19946$\946506367\L
C:\Windows\$NtUninstallKB19946$\946506367\U
rd /s/q C:\Windows\$NtUninstallKB19946$\946506367 /c
rd /s/q C:\Windows\$NtUninstallKB19946$ /c
C:\Windows\$NtUninstallKB19946$
type c:\mgtools\newfiles.txt /c

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

__

http://img406.imageshack.us/img406/3189/windowsrepair.gif Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

• Now open Repair_Windows.exe
• Go to the Start Repairs tab.
• Press the Start button
• Create a System Restore point if prompted.
• In the Repair Options window, choose the following repairs:
  • Reset Registry Permissions
  • Repair Windows Firewall
• Place a checkmark in Restart/Shutdown System When Finished
• Fill in the Restart System bubble
• Now click the Start button.
• Be patient while the tool repairs the selected items. Your computer should automatically restart when finished.

__

• Download each of the 5 files below onto the desktop of the computer with the issues:
  • wuauserv.reg
  • BITS.reg
  • WinDefend.reg
  • SharedAccess.reg
  • wscsvc.reg
• Now double-click each of them, one at a time, and allow each one to merge into the Windows registry.
• Let me know if you received a successful message for all four files.
  • If all were successful, reboot your computer and rescan with Farbar Service Scanner. Attach its latest log.
  • If they weren't successful, let me know but rescan with Farbar Service Scanner too.

Test Windows Update once you have completed the above. Also let me know how the computer is running.

 

Chaslang recommends trying the resolution listed here: http://support.microsoft.com/kb/314452/

Try it and then rerun GetLogs.bat as administrator.

 

Thanks so much for all your help.

OK I did everything in the first message that you told me to do and there didn't appear to be any problems.

Logs attached.

Windows Update worked!! I finally have the Malicious Software removal Tool installed.

I want to make sure that you want me to do what was contained in your last message though.

When I click that link it says that the article applies to a different version of windows to what I am using and sends me off to the Vista Solution Center.

I did a search on the problem and it gave me various options.

I just want to check 100% what you want me to do before doing it.

Would be a shame to break it again.

BTW - I had to click on Close multiple times last time. I gave up counting at 35 - I estimate approx 50-60 times.

 

Before we go any further regarding this page : http://support.microsoft.com/kb/314452 ; Let me know what problems you are still experiencing, if any.

Your logs from MGtools aren't getting updated properly. The latest OTL fix and FSS log look good though.

 

OOps - that was a bit premature.

I downloaded updates and it reported that they had successfully installed, but then a little while later I noticed that Update was telling me updates were available.

You guessed it - it was the Windows Malicious Software removal Tool again.

I just downloaded it again - screenshot attached.

Also got screenshot of history.

Although it said it was successful, it failed again. screenshot attached

 

Question, can you open the Windows Malicious Software Removal Tool (C:\Windows\System32\MRT.exe)?

Start => mrt

 

No - that file is slightly 'greyed out' and when I try to open it or open as administrator it says the same thing. screenshot attached.

 

Check for Windows Updates again. Take a screenshot of which updates appear and then attach it here.

 

Hi again,

I took 2 screen shots - one of the updates available and one of update history which shows it has 'successfully' installed 3 times today!

However, during all of this I discovered something which may be pertinent to this matter.

When this virus hit me back in Mar 2011 - I was desperate. It appeared that I had lost everything. Somehow I managed to make a copy of my computer and this copy is on the 2nd partition of my drive - the K Drive. (Used to be M or L - not sure how it changed to K) .

When you asked me to look for MRT.exe, it occurred to me that it might be there still. And it was. Not only that, but when I clicked it, it ran a quick scan. Nothing found. I then did a full scan which took nearly 6 1/2 hours. Nothing found. It prompted me before running it that it was out of date (March 2011) Once the scan finished I tried to install the new one I downloaded, but although it appeared to try and install - it didn't overwrite.

 

Go back to this screen:

http://forums.majorgeeks.com/attachment.php?attachmentid=187092&d=1347442464

From here, click "Installed Updates".

Uninstall all occurrences of Windows Malicious Software Removal Tool from here.

Once Windows Malicious Software Removal Tool is completely gone from the Installed Updates list, REBOOT.


Once you have rebooted. Try downloading and installing this: http://www.microsoft.com/en-us/download/details.aspx?id=16

 

I think this is partly the problem.

Windows Malicious Software Removal Tool is not present among the 317 updates installed.

But I know an old version is present on the K Partition of my drive, but is there as part of a previous installation of Windows (not the current one)


I already had that file downloaded, but it won't run.

I have attached a screenshot of what happens when I try to run it. Less than a second after the screenshot the window closes and nothing else happens.

 

That's because it's trying to extract to the K: drive which appears to be an external drive (FreeAgent Drive). We want to work on the C: drive only which has your operating system files. Make sure you are saving the MRT tool to the desktop of your C: drive and then try extracting again.

 

Yes - Free Agent Drive WAS an external drive - although a different letter.

the larger of my 2 partitions was originally called 'Programs'. But about a week ago, after installing some software called Rapport - which also had problems with the previous infection, something happened to my drives. The contents of the Programs drive seemed to move to the external drive and the stuff on the external drive ended up on the larger partition of my PC's drive. I have no idea how this happened! At the same time the letters also changed from what they were!.

Just as I was trying to sort that out - my external drive went POP (literally) - I am hoping it is just the caddy, but won't know until I get a new one.

The screenshot I sent of mrt installing WAS saved to the desktop of my C Drive. Have also tried it from the downloads folder of C, but it always says K when its trying to install.

 

Extract the .exe itself (Windows-KB890830-V4.12.exe) into a new folder on your desktop.
You can use 7zip for this operation.
Then run mrtstub.exe

 

OK Done - When I ran mrtstub.exe - nothing seemed to happen.

But I was able to run a quick scan which came back negative.

Now running a full scan which I anticipate will take several hours. Please let me know if you don't want me to do this.....

 

That's fine, if MRT.exe launches from the desktop folder you created, you can overwrite the copy found at c:\Windows\System32\MRT.exe with the one in the desktop folder

 

Scan running.

It will not let me overwrite the original one. Everytime I try to anything with it including making it not hidden, it says I do not have the appropriate permissions to access the file.

 

Before you continue with the below, place mrt.exe (the one on your desktop) into the root of your C: drive.

So the file path should be C:\mrt.exe

If C:\mrt.exe is not present, then this fix will not work.

http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.

Code:

[COLOR="DarkRed"]:files[/COLOR]
C:\WINDOWS\System32\mrt.exe|c:\mrt.exe /replace

Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
If the fix needed a reboot please do it.
Click the OK button (upon reboot).
When OTL is finished, Notepad will open. Close Notepad.
A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
Attach this log to your next message. (How to attach)

 

That seemed like a great idea, but I don't think it worked. The mrt.exe is still greyed out and showing a date 03/06/2011.

I don't know if it is pertinent, but this is about 3 months after the initial infection (I think)

Log attached - and thanks so much for your patience.

 

Yeah it didn't get replaced. We'll try another tool. Make sure that the desired mrt.exe is still at C:\mrt.exe.

http://img225.imageshack.us/img225/760/blitzblank.gif Please download BlitzBlank to your desktop.

• Double-click BlitzBlank.exe to open (Vista/7 right-click and select Run as Administrator)
• Press OK at the warning prompt.
• Click the Script tab
• Copy the text inside the code box below and paste it into the text-field.

Code:

[COLOR="DarkRed"]DeleteFile:[/COLOR]
C:\WINDOWS\System32\mrt.exe

• Now click the Execute Now button.
• The fix will require a reboot in order to complete successfully.
• Upon reboot, locate C:\blitzblank.log and attach this log to your next message. (How to attach)

 

OK - everything went fine up until the System Reboot window.

When I press OK - I get the attached screenshot message.

I guess because it did not execute properly it didn't create a logfile.

 

Double-check that you opened Blitzblank.exe by right-mouse clicking it and then choosing "Run as administrator".
Then retry the same script. Let me know if same error message appears.

 

yeah - sorry - exactly the same :cry

 

In that case, refresh this page and attempt to use the edited script from the previous message.

 

Sorry - same result. It said 'Failed to execute, please make sure the application was started as an administrator.

 

I promise you I AM Running as administrator! :boxing

 

Yeah I figured so, it has happened to me too.
Another tool to try:

http://img502.imageshack.us/img502/3875/avenger.gif Now download The Avenger by Swandog46 and unzip it.
Shut down your protection software now to avoid possible conflicts.
Run avenger.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
Click "OK" at the warning to continue to using the tool.
Copy everything in the code box below, and paste it into the "Input script here:" text-field.

Code:

[COLOR="DarkRed"]Files to delete:[/COLOR]
C:\WINDOWS\System32\mrt.exe

Now click the "Execute" button.
Click Yes when asked to "Reboot now?"
If Avenger does not reboot the PC for you -- manually reboot.
Upon rebooting into Windows, Notepad will open with the results of the fix (avenger.txt).
Attach c:\avenger.txt to your next message. (How to attach)

 

AHA!!!! It seems to have worked.

I can no longer see mrt.exe in the System32 folder.

Hope I am not ruining things - I am going to attempt a Windows Update.

Windows Malicious Software removal Tool installed and Windows Update finally reports there are no updates (apart from optional ones)

Did a quick scan directly by clicking the exe file and it ran OK - Says no files infected.

Do you want me to rerun any of the scans/repairs I did earlier?

 

So everything is running OK now?

__

If you are not having any other malware related problems, it is time to do our final steps:

• Any programs we had you download and/or install can be removed at this time.
• If we had you download and run ComboFix, here is how to uninstall it:
  • Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
  • This opens the Run dialog box.
  • Copy and paste the below text inside the text-field:
    • "%userprofile%\desktop\ComboFix" /uninstall
  • Now press ENTER
  • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
• You can re-enable your Disk Emulation software at this time via DeFogger.
• If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
• Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
• Now we will toggle System Restore to remove any infected system restore points.
  • Read this: How to Disable And Enable System Restore
• Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
• Be safe

 

It appears to be! :-D

Thank you so much for all your help. I have no idea how or why you do it - at the end of the day you are an anonymous face and so am I.

BIG respect!

I hope at least that you enjoyed the challenge of killing off whatever it was that my PC caught.

Thanks again. Cheers :wine

 

I can't see your latest post - but I got it as email.

There was no need. When Updates worked - it installed it to the correct place anyway. I deleted the one we put in C:

Incidentally, since running that final cleaning tool. I have gained an extra 15 or 16GB in my C Drive

Thanks again.

 

You're welcome