A Continuing Adventure Against Malware! v2

Post by strelet007 » August 10th, 2010, 11:27 pm

Hello friends,

I had a post here just a few days ago that was shut down for inactivity because I was unable to get on the nets. If you'd like a link to that post, let me know. I apologize for this and I will make sure to notify my helpers if I take an expected or unexpected extended leave.

Comp Specs:
Windows Vista 32 bit
Q6600 processor
2 gigs of ram
about 350gigs of free hd space

Here's some history of what's been happening:

I was experiencing crashes while installing/ uninstalling/ running software and couldn't download any files. Disabling UAC allowed me to download files and helped a bit with my installing/ uninstalling/ running software errors. I was now able to install software but I still had trouble with uninstalling. I could now initialize the uninstaller, but no files were deleted. Disabling UAC also fixed some problems with running stuff. I was now able to launch some programs I previously couldn't (MBAM, for example).

That aside, I am still having a number of problems. While MBAM can launch itself and update, it cannot scan. Rootkit scanners are unable to complete their scans. Software still can't be uninstalled. Some services can't be initialized, like the ones required for Microsoft Security Essentials. UAC is currently disabled but if I enabled it, I'd experience frequent crashes upon launching programs or trying to change any system settings (like opening msconfig or looking at my network settings).

I think this just about summarizes what was wrong, what I was able to fix, and what is still wrong. If you have questions, I'll be happy to answer any.

I look forward to continuing my quest to kill this malware. I apologize again for leaving my previous helper unexpectedly. I will try to make sure I don't need to be away from the internet for long, and if I am, I will notify my helper.


Logfile of HijackThis v1.99.1
Scan saved at 9:21:28 AM, on 8/10/2010
Platform: Unknown Windows (WinNT 6.00.1906 SP2)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [Google Update] "C:\Users\Roaa\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{60525742-673A-44CF-B57B-F517BF589BB8}: NameServer = 69.145.248.50,69.145.232.4
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - igfxdev.dll (file missing)
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30011 (AppHostSvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30003 (W3SVC) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30001 (WAS) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm
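Added example, not from this thread or from HijackThis itself: a small triage script for log lines in the HijackThis format shown above. The sample lines are constructed from entries in the posted log; the script groups dead references, unknown-owner services, Winsock LSP entries and the O17 DNS servers so a helper can review them first.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis format (entries taken from the log above).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\Windows\Explorer.EXE

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{60525742-673A-44CF-B57B-F517BF589BB8}: NameServer = 69.145.248.50,69.145.232.4
O20 - Winlogon Notify: igfxcui - igfxdev.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @gpapi.dll,-112 (gpsvc) - Unknown owner - %windir%\system32\svchost.exe (file missing)
"""

# Every scan entry starts with a section tag such as R0, O2, O17, O23.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")
ENV_VARS = ("%windir%", "%SystemRoot%", "%ProgramFiles%")


def parse_hjt(log_text):
    """Return (section, body) pairs, skipping the header and process list."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage_hjt(log_text):
    """Group entries a reviewer would inspect first. Returns a dict of lists."""
    findings = defaultdict(list)
    for section, body in parse_hjt(log_text):
        if "(no file)" in body or "(file missing)" in body:
            # A dead reference is either a leftover of an uninstalled program
            # or a file that is hidden/renamed. Paths left as an unexpanded
            # %windir%-style variable are set apart: the thread notes the old
            # 1.99.1 build is not accurate on Vista, and such entries are
            # likely a tool artefact rather than a genuinely missing file.
            key = "unexpanded_env_var" if any(v in body for v in ENV_VARS) else "missing_file"
            findings[key].append(body)
        if section == "O23" and "Unknown owner" in body:
            findings["unknown_owner_service"].append(body)  # no publisher: verify the binary
        if section == "O10":
            findings["winsock_lsp"].append(body)            # LSPs can intercept all sockets
        if section == "O17":
            m = NAMESERVER_RE.search(body)
            if m:  # DNS servers to compare against the ISP/router settings
                findings["dns_servers"].extend(m.group("servers").split(","))
    return dict(findings)


if __name__ == "__main__":
    for key, items in triage_hjt(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```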

Re: A Continuing Adventure Against Malware! v2

Post by MWR 3 day Mod » August 14th, 2010, 2:01 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 14th, 2010, 10:06 pm

Hi strelet007,
Since you are running Vista, any program I ask you to run should be activated, not by double click, but by right-clicking with the mouse and choosing "Run as administrator".
------------------------------------------------
Download and Run Rkill
Please download Rkill from one of the following links and save to your Desktop:
One, Two, Three or Four
  • Double click on Rkill.
  • A command window will open, then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue. If you cannot get one of the downloads to work for you, try one of the other links.
If you cannot get Rkill to run without being stopped, don't proceed further, and post back to tell me about it.
-----------------------------------------------
Please delete or Uninstall your current version of HiJackThis. Your current one is older and does give accurate results with Vista.
-----------------------------------------------
Download and Install HiJackThis
The Downloads for HiJackThis 2.0.4 are here: http://free.antivirus.com/hijackthis/
  • Choose the Installer version and save to your Desktop. It will be named HiJackThis.msi.
  • Right click and choose "Run as administrator" to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and a text log file will open in notepad.
  • Make sure Notepad's Format Menu has Word Wrap Unchecked.
  • Copy/Paste the entire log to your next reply please.
  • No matter what it says in the QuickStart Guide or elsewhere, DON'T USE the "ANALYZE THIS" button.
    Its Findings can be Dangerous for your machine.
  • Please Don't have Hijackthis fix anything yet.
    Most of what it is in the log are legitimate entries, necessary for the operation of your computer.
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder.
In addition, the list opens in Notepad so you can also save as another name in another location if you wish.
Please paste the contents into your next reply.

askey127
Admin/Teacher
 
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A Continuing Adventure Against Malware! v2

Post by strelet007 » August 15th, 2010, 12:13 am

Hello askey127,

Rkill ran fine but I cannot install HiJackthis. I uninstalled my previous versions of it and then downloaded the Installer. It hangs on "Preparing to install..." once I launch it.

Would you like me to try installing it in safe mode?
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 15th, 2010, 7:57 am

Yes, go ahead and try that.
If it doesn't work we have other methods.
askey127
Admin/Teacher
 
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A Continuing Adventure Against Malware! v2

Post by strelet007 » August 15th, 2010, 3:40 pm

It looks like I can't install it in safe mode either. Windows gives me some error about not being able to run .msi files in safe mode.

I tried downloading the .exe to see if it would run. While it does start, it hangs on O4 - Registry & Start Menu Autoruns.
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 15th, 2010, 5:25 pm

Just download the executable (not the "installer") to your desktop and run it, if you can.
askey127
Admin/Teacher
 
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A Continuing Adventure Against Malware! v2

Post by strelet007 » August 15th, 2010, 5:35 pm

Hi askey127, I think there's some confusion. I already tried downloading the executable.

I tried downloading the .exe to see if it would run. While it does start, it hangs on O4 - Registry & Start Menu Autoruns.
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 15th, 2010, 8:30 pm

strelet007,
Right click and run RKill as an administrator
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • Now start ComboFix (zzz.exe)
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then re-enable your protection software.
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.
askey127
Admin/Teacher
 
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A Continuing Adventure Against Malware! v2

Post by strelet007 » August 15th, 2010, 11:38 pm

Hi askey127,

It doesn't appear that ComboFix is working either. I did make sure to follow your directions to the T.

The progress bar loads but then nothing else happens. It's been going for a couple hours now. I'll let you know if anything's changed by morning.
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 16th, 2010, 6:42 am

strelet007,
Is this Vista a 64-bit system?
There are a few tools that work on 64-bit systems, but because we don't have the diagnostics we like yet, we don't provide support for 64-bit systems.
http://malwareremoval.com/forum/viewtop ... 99#p491399
Also, Punkbuster may be altering the normal system functions. (They are not too careful).

I will need to close this topic.
askey127
Admin/Teacher
 
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A Continuing Adventure Against Malware! v2

Post by strelet007 » August 16th, 2010, 11:42 am

Hi askey127,

This is a 32-bit system.
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 16th, 2010, 12:58 pm

strelet007,
OK.
I know you had 32-bit listed in your opening post, but the IIS services listed are not usually found on 32-bit machines.

Tell me a few examples of programs that WILL run on the machine.
Is it only Security related programs that fail?

-----------------------------------------
Open Notepad (Notepad is in Start, Programs, Accessories), then copy and paste the following line into Notepad:

cmd  /c  chkdsk  c:  |find  /v  "percent"  >> "%userprofile%\desktop\checkhd.txt"

Now Save the NotePad file like this:
  • Click on File from the top menu bar.
  • Select Save As, use Filename: testhd.bat and Save As Type: All Files.
  • Choose Desktop as the location
  • Click Save.
Right click on testhd.bat on your desktop and select Run As Administrator to run it.
A Command Prompt box will pop up, then close after a couple minutes.
Please post the contents of the checkhd.txt file from your desktop.
If the file is very long, just copy and paste the LAST 20 or 30 lines into your reply.

askey127
Admin/Teacher
 
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: A Continuing Adventure Against Malware! v2

Post by strelet007 » August 16th, 2010, 10:03 pm

Hi askey127,

It looks like I can't get the .bat to run either. :(

The window quickly pops up and closes.

When I copy and paste the text into cmd, nothing happens either except it does print "The type of the file system is NTFS." to checkhd.txt.

Google Chrome, Media Player, and the game Battle for Wesnoth all run normally. QTPlayer, Photoshop, and CCleaner also run fine. It seems that it is mostly a problem with antivirus software. Before I disabled UAC, most activities that prompted a UAC dialog crashed during launch as well.

It does seem mostly to be a problem with antivirus/ antimalware software right now.

Are there any programs in particular you'd like to know about?
strelet007
Regular Member
 
Posts: 37
Joined: July 20th, 2010, 1:46 pm

Re: A Continuing Adventure Against Malware! v2

Post by askey127 » August 17th, 2010, 6:50 am

strelet007,
----------------------------------------------------------
Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
Please post the contents of install.txt in your next post.

askey127
Admin/Teacher
 
Posts: 13905
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA