Virus disabled regedit - All logs attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by danielryan, Apr 29, 2010.

  1. danielryan

    danielryan Private E-2

    Hi,

    My CPU seems to run at 100% frequently and regedit has been disabled, so I assume it is some sort of backdoor trojan. McAfee picked something up but hasn't fixed the problem.

    I've run all the programs in the READ ME FIRST; only mb.exe picked something up.

    Had errors with combofix.exe

    Your help would be greatly appreciated! :)

    (logs attached)

    Thanks
    Daniel
     


  2. danielryan

    danielryan Private E-2

    ComboFix error

    Please see the error received when trying to run ComboFix.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Did you disable UAC and reboot afterwards as requested in the instructions? It does not look like it based on your log from MGtools. Or is the problem that, when you tried to do this, the infection blocked you from making this change too?

    This must be done before trying to run ComboFix and MGtools.



    Please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r


    Now download Junction.zip to your Windows folder
    • Please download Junction.zip and save it to your Windows folder (i.e., C:\Windows\Junction.zip. This assumes C:\ is your Windows boot drive.)
    • Now unzip it and put junction.exe into the Windows folder (i.e., C:\Windows\junction.exe)
    • Do not try to run it right now. We will run something that uses it later.

    Now we need to reset the permissions altered by the malware on some files.
    • Download and save Inherit.exe to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window opens and also a license agreement from SysInternals will appear for Junction.
    • Accept the license agreement and the scan will begin.
    • Wait until it finishes. It can take a while to run since it scans your whole hard disk. Be patient and don't do anything else while it is scanning.
    • The command prompt window should close when it finishes.
    • While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. danielryan

    danielryan Private E-2

    Hi Chaslang,

    Thanks very much for your help

    I have disabled UAC and rebooted... I just looked at the user accounts now to check and the box is not ticked, therefore disabled (and I have rebooted several times since).

    1st log attached... attempting others now!
     


  5. danielryan

    danielryan Private E-2

    Hi chaslang,

    second log attached.

    PC seems to run a little faster... regedit still not opening...

    Thanks!
    Daniel
     


  6. danielryan

    danielryan Private E-2

    Skype is now also being shut down after a few minutes of running?
    And McAfee won't let me turn on the firewall or real-time scanning.
     
  7. danielryan

    danielryan Private E-2

    This is not an issue now (after restarting).
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may be necessary to uninstall McAfee to see if it is causing problems. Do you have the CD or files necessary to reinstall if we do this?


    Please click Start, All Programs, Accessories and you will see (among other things) a Command Prompt entry.
    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple/brown is merely informational.

      cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
      GRK64 <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
      regedit <-- this will try to run the Windows Registry Editor. Tell me what error messages, if any, you see. If it opens, you can just close it as this is just a test.
    If GRK64 appears to have run in any fashion, please attach the C:\MGlogs.zip file since it will have been updated.
     
  9. danielryan

    danielryan Private E-2

    Hi Chaslang,

    Thanks for your assistance!

    I have uninstalled McAfee (as a note, Spybot recommends Avira, free version; should I use that instead or would you have another recommendation?).

    So after opening the command prompt (run as admin):
    When I try to run GRK64 a window pops up and says "C:\WINDOWS\regedit.exe is not a valid Win32 application."

    In the command prompt it says "Access is denied", and after repeatedly hitting OK it keeps saying "Access is denied", then "The system cannot find the file specified", then "Access is denied" and then "grep: C:\MGTools\tempzcvdrv2.txt: No such file or directory".

    When I type regedit, the same window pops up and says "C:\WINDOWS\regedit.exe is not a valid Win32 application."

    In the command prompt it says "Access is denied".

    Also, for your info, if it helps: when I tried to run ComboFix before, the directory "C:\combofix" appears only as a computer icon and when clicked it redirects to "My Computer", so no directory exists.

    Thanks Again,
    Daniel
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, bear with me. This is starting to look like it is not a malware problem but rather a problem with Windows. But let's check a couple more things.

    I want you to repeat the previous instructions I gave you last time with the Command Prompt, but skip entering the GRK64 command and go right to the regedit one, but this time enter regedit.exe. What happens?

    Keep McAfee uninstalled for now. No, do not install Avira. At least not right now while we try to work out what is wrong.


    Now download the current version of MGtools and save it to your root folder ( or your Desktop if you are blocked from saving it to the root folder). Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator ) DO NOT attach the log yet.


    Download the below file to your C:\MGtools folder

    http://forums.majorgeeks.com/chaslang/files/GRKswg.bat

    Now locate the GRKswg.bat file and right click on it and select Run As Administrator.

    Let me know what happens.


    Now attach the below log:
    • C:\MGlogs.zip
     
    Last edited: May 1, 2010
  11. danielryan

    danielryan Private E-2

    OK, so when I type in regedit.exe the same window pops up: "C:\WINDOWS\regedit.exe is not a valid Win32 application."

    Also when I run MGtools.exe (the new one) the same window pops up.

    When I run GRKswg.bat I get the attached message in the picture.

    "swreg.exe.exe is not recognized as an internal or external command, operable program or batch file". I edited the bat file and changed swreg.exe.exe to swreg.exe and the same errors appeared as in the picture attached, minus the swreg.exe.exe error.

    MGlogs attached!

    Thanks!
    Daniel
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I modified the GRKswg.bat file a little and also fixed those two typos. See if the new one runs. You need to download it again to the C:\MGtools folder. If it seems to run OK then attach the C:\runkeys.txt log that should be created. If you see an error about not finding this file (like last time) then it means that the GRKswg.bat file did not run properly.

    Also please go to the C:\Windows folder and locate regedit.exe and right click on it and select Copy. Then select Paste in the same window and you should get a file named Copy of regedit.exe. Rename this copy to be regedit.com

    Now click Start, Run and enter regedit.com and click OK. What happens?
     
    Last edited: May 2, 2010
  13. danielryan

    danielryan Private E-2

    Hi Chaslang, Thanks for your time with this!

    So I ran the new bat file and it ran OK. I might have seen a couple of errors in the command window, but it produced the runkeys.txt (attached).

    Copied and renamed regedit.exe to regedit.com, and when I tried to run it, it says "C:\WINDOWS\REGEDIT.COM IS NOT A VALID WIN32 APPLICATION".

    Also I noted the file size is 0 bytes for regedit.exe and regedit.com.

    Thanks Again!
    Daniel
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure about this? In your newfiles.txt log (which is part of MGlogs.zip) it reports the below info for regedit.exe. Notice the file size (134656 bytes).
    Code:
    ============= Finding copies of regedit.exe ==================================
    "C:\Windows\regedit.exe" 134656 21/01/2008 06:24 
    "C:\Windows\winsxs\x86_microsoft-windows-registry-editor_31bf3856ad364e35_6.0.6001.18000_none_f42eb564dbd8a697\regedit.exe" 134656 21/01/2008 06:24 
    Right click on C:\MGtools\ShowNew.bat and select Run As Administrator. Attach the updated C:\MGlogs.zip file so I can see the result of the copy of regedit.exe
     
  15. danielryan

    danielryan Private E-2

    Hi Chaslang,

    I've attached a picture of the files showing 0 bytes...

    Also MSLogs attached!

    Thanks!
    Daniel
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay this is correct now. Your previous logs did not show it this way. They showed what I posted in my last message; however, now the same log shows they are 0 bytes. Thus something deleted the file contents for all copies on your PC. Thus there are no backups. Let me think about this a little more and also read thru your logs again to see if anything was being overlooked.
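    The check chaslang is doing by hand above (comparing every copy of regedit.exe against the sizes in newfiles.txt), as an added PowerShell example that is not part of the thread or of MGtools. It assumes the Windows folder is the one in $env:SystemRoot and needs PowerShell 3 or later; a 0-byte file, or one that does not start with the "MZ" executable signature, is exactly what produces the "is not a valid Win32 application" error seen in this thread.

```powershell
# Added example (not part of the thread or of MGtools): list every copy of
# regedit.exe the way the newfiles.txt log did, and flag the two conditions
# behind "is not a valid Win32 application": a 0-byte file, or a file whose
# first two bytes are not the "MZ" PE signature.
# Assumption: the Windows folder is $env:SystemRoot (normally C:\Windows).

function Test-RegeditCopies {
    $winsxsCopies = Get-ChildItem -Path (Join-Path $env:SystemRoot 'winsxs') `
                        -Filter 'regedit.exe' -Recurse -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.FullName }
    $candidates = @(Join-Path $env:SystemRoot 'regedit.exe') + @($winsxsCopies)

    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path
        $status = 'OK'

        if ($item.Length -eq 0) {
            # What this thread ended up with: the file contents were nulled out.
            $status = 'EMPTY'
        } else {
            # A real Win32 executable starts with the bytes 0x4D 0x5A ("MZ").
            $stream = [System.IO.File]::OpenRead($path)
            try {
                $header = New-Object byte[] 2
                $read = $stream.Read($header, 0, 2)
            } finally {
                $stream.Close()
            }
            if ($read -lt 2 -or $header[0] -ne 0x4D -or $header[1] -ne 0x5A) {
                $status = 'NOT-PE'
            }
        }

        # One object per copy, in the same order as the newfiles.txt log.
        [PSCustomObject]@{
            Status   = $status
            Bytes    = $item.Length
            Modified = $item.LastWriteTime.ToString('dd/MM/yyyy HH:mm')
            Path     = $path
        }
    }
}

Test-RegeditCopies | Format-Table -AutoSize
```

    A healthy system shows Status OK with the 134656-byte size from the log above; EMPTY on every copy, including the winsxs one, matches chaslang's conclusion that no intact backup is left on the machine.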
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it does not look like you are having malware problems based on your logs. Just looks like something nulled out all copies of regedit. Let's try to fix this here in the Malware Forum before sending you off to the Software Forum.

    • Please download VregFix.exe to the root folder of drive C (just like we ask you to do with MGtools).
    • Now make sure you still have UAC disabled and McAfee is still uninstalled and then right click on VregFix.exe and select Run As Administrator. Accept/allow all prompts asking if you wish to run this (that is, if you receive any).
    • As it runs it will run 2 modified scans from the MGtools set and add 2 new logs to the C:\MGlogs.zip file.
    • Attach the new MGlogs.zip file. DO THIS RIGHT NOW before continuing with the below.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  18. danielryan

    danielryan Private E-2

    First MGlogs attached.
     


  19. danielryan

    danielryan Private E-2

    Great! Seems to be all working fine!!

    Thanks very much for your help!

    (I had to delete the regedit.com entry because that was being picked up first and is still 0 bytes.)

    Now that I'm about to install antivirus again:

    Would you recommend using Avira or AVG over McAfee? Or any other recommendation? And I'm thinking of using Spybot S&D also?

    Thanks Again Chaslang! :D
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Excellent news! Then delete the below two files now:
    C:\VregFix.exe
    C:\Windows\winre.exe

    Final cleanup instructions below will remove everything else.


    My final instructions will give you many things to do. Just follow them. I would suggest trying Avira if you have had enough of McAfee.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
