TechSpot

Help with Malware/Virus - Blocking Programs from Opening

By JHibb
Dec 8, 2009
  1. Hello!

    I've attempted to follow protocol and follow the 8 steps. So far I have been able to install Avira, Comodo, CCleaner, HijackThis. For some reason or another I have been unsuccessful with Malwarebytes and SUPERAntiSpyware. Malwarebytes is installed but won't run. I haven't been able to install SUPERAntiSpyware...

    Once I boot up my computer it pretty much locks up on me. Whatever is infecting my computer is forced on me through notifications, websites, antispyware programs.

    Once this goes into effect I am unable to open Task Manager, the programs I just installed (from the 8 steps), or a web browser.

    I am only able to access some functionality if I immediately open my Task Manager and begin deleting processes. It appears I can get some of the programs to run if I get them open immediately after I boot up. After a minute or two, I am unable to do anything.

    Avira however seems to work regardless and I get flooded with alerts.

    So far the only step of the 8 I have been successful with is HiJackThis. I have attached my log.

    I will be running CCleaner and Avira overnight - everything seems to be moving at a snail's pace. Avira did complete a scan today and found all sorts of stuff, then when I tried to quarantine the files... it stopped working. I've been at this all day and I am very frustrated.

    Please help.

    Thank you,
    Jamie
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yep 60 Windows Startups can cause that :D
    I have 1 if that helps ;)

    Start your Computer in Safe Mode With Networking (F8 before Windows starts up)
    Then update Avira and run another scan (a few things were missed ;))
    And also run updated Malwarebytes scan (although in Safe Mode Malwarebytes does not find them all)

    Restart

    Then run another updated Malwarebytes scan
     
  3. JHibb

    JHibb TS Rookie Topic Starter Posts: 19

    Thank you!
    I tried to start in Safe Mode with Networking and was unable. The computer kept shutting off when it was trying to load.

    However I was able to run the 8 steps. I have attached my logs.

    Now, for whatever reason, I can no longer access the internet from that computer. My connection doesn't even show up.

    Thank you, again for your help.
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Ok well still lots of issues, I think compounded by lack of Internet connection and not being able to do updates

    Start Hijackthis Scan Only
    Tick all of the following entry boxes
    Before selecting FIX, close all Internet browsers (and close Spybot S&D)
    Then select FIX
    Close HJT

    Restart

    Try to update Malwarebytes and Avira Antivirus, and run another scan (still issues there that both of these tools will remove)

    Also, you can uninstall Spybot S&D and SUPERAntispyware

    Give that a go :)
     
  5. JHibb

    JHibb TS Rookie Topic Starter Posts: 19

    Thanks for the quick response.

    When I try to Fix on HJT, I get an error message:

    "Registry Editor:
    Registry Editing has been disabled by your administrator"


    And it pops up approx 20 times. That means it's not working, right? Any suggestions?

    I'm going to try restarting anyway.
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes it refers to this one:
    But as long as you are an Administrator account holder (check in Users in Control Panel) then you should be able to run the lot
    As that entry just stops the program running
     
  7. JHibb

    JHibb TS Rookie Topic Starter Posts: 19

    You are right, it says I am an admin.

    How come I get this error message when I try to fix? :confused:

    Is it working despite the messages?
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You will need to Restart and test
    Or better yet, Restart to Safe Mode (F8 before Windows starts to load) run HJT Scan Only, and remove all the entries I stated above
    Then Restart again to Normal mode.
     
  9. JHibb

    JHibb TS Rookie Topic Starter Posts: 19

    So, I hit F8 during startup. The prompt of "safe mode", "safe mode with networking", etc. screen shows. If I choose anything other than "run windows normally" it begins to load running through the system32/drivers until it gets to system32/drivers/mup.sys - my computer then shuts off.

    Start Windows normally and run the test?
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    If I understand correctly, only Normal Mode will load up?

    If this is true then we can fix Safe Mode (well try whilst malware is present) by running >> Safeboot Repair (obviously in Normal Mode)

    You may also need to run CheckDisk (before you restart again, as it scans after restarting)
    Start > Run > chkdsk /r > ok > Y > Restart
    (Note: one space after chkdsk, in that run command)
     
  11. JHibb

    JHibb TS Rookie Topic Starter Posts: 19

    Yep, only normal mode.

    I'll do the safeboot repair and the chkdsk /r.

    Since my last post, I ran another set of scans. I was able to get rid of the:
    "O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1"
    from HijackThis. I have attached the new scans.

    A few notes:
    My ethernet connection is still not showing up in my system tray.
    My wireless connection shows up in system tray and recognizes the router but has limited or no connectivity.
    When I restart, it looks like there is a little DOS window (minimized) in the bottom left hand corner of my screen. It only pops up momentarily, but what I can see is it says something about my "S" drive which is the shared drive in my office. I also think it says something about the system32/cmd.dll on that drive.
     
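    The "Registry editing has been disabled by your administrator" error and the blocked Task Manager described in the posts above both come from policy values under the Policies\System key that the HijackThis O7 entry points at. The following read-only PowerShell audit is an added example, not a tool from the thread; it assumes it is run in a PowerShell prompt on the affected machine and changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the Windows policy
# values behind the symptoms described above: "Registry editing has been
# disabled by your administrator" (DisableRegedit) and Task Manager refusing
# to open (DisableTaskMgr). Both live under ...\Policies\System in HKCU and HKLM.
# Assumption: run from PowerShell on the affected machine; nothing is modified.

$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$valueNames = @('DisableRegedit', 'DisableTaskMgr')

function Get-LockoutPolicy {
    param([string[]]$Paths, [string[]]$Names)
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) {
            # No policy key at all means no restriction comes from this hive
            [pscustomobject]@{ Path = $path; Name = '(key absent)'; Value = $null; Restricts = $false }
            continue
        }
        $key = Get-ItemProperty -Path $path
        foreach ($name in $Names) {
            # A value that is not set reads back as $null
            $value = $key.$name
            [pscustomobject]@{
                Path      = $path
                Name      = $name
                Value     = $value
                # HijackThis's "O7 ... DisableRegedit=1" corresponds to a non-zero value here
                Restricts = ($null -ne $value -and $value -ne 0)
            }
        }
    }
}

Get-LockoutPolicy -Paths $policyPaths -Names $valueNames | Format-Table -AutoSize

# A domain-managed PC may set these on purpose through Group Policy; on a home
# machine with no such policy, a non-zero value appearing after an infection is
# the malware's doing and is what the HijackThis "Fix" above removes.
```

    Rerunning the audit after a restart shows whether the restriction was reapplied, which is what happened in this thread when the policy kept coming back.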
  12. JHibb

    JHibb TS Rookie Topic Starter Posts: 19

    Forgot to attach the scans!
     
  13. kritius

    kritius TS Guru Posts: 2,084

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
     
  14. JHibb

    JHibb TS Rookie Topic Starter Posts: 19

    Update: Kimsland - Able to boot up in safe mode after following your directions.

    I ran Combofix, however since this incident I have been unable to connect to the internet. I have no idea why (I have been working from another comp). I have attached the report.

    I uninstalled Comodo in order to get ComboFix to work - I'm not sure if I needed to do this, but after I did, ComboFix worked. It looks like Comodo had been suppressing the malware because next boot up, everything went back to going crazy. ComboFix was still able to run though - which is pretty cool :approve:

    Right now the computer is just sitting there in safemode, hanging out.

    Thanks again,
    Jamie
     
  15. kritius

    kritius TS Guru Posts: 2,084

    Is it a wireless or wired connection?

    Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

    ***************************************************

    With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System

    Download the file & save it as it is originally named.


    ---------------------------------------------------------------------

    Transfer all files you just downloaded, to the desktop of the infected computer.

    --------------------------------------------------------------------


    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


    • Drag the setup package onto ComboFix.exe and drop it.

    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.



    • At the next prompt, click 'No' to exit.


    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     
  16. JHibb

    JHibb TS Rookie Topic Starter Posts: 19

    Ok, steps completed.

    To answer your last question, it is a wired connection. Still not showing up in my system tray.

    Log attached.

    Thank you!
     
  17. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Whilst waiting for kritius to check the logs, can you disable (or uninstall) Spybot Search & Destroy
    Then startup Malwarebytes again, and update it (this is found in the program itself)
    Then run a quick scan. At the end of the scan you must remove all found infections yourself
    Ideally submit the log as an attachment
     
  18. JHibb

    JHibb TS Rookie Topic Starter Posts: 19

    Hi Kimsland,

    Thanks for the response.

    I already had uninstalled Spybot, I did this from Control Panel Add/Remove Programs. Is there something I should do further?

    Also, I am still blocked off from the internet... is there another way I can update?

    Thank you, you all are very helpful.
     
  19. JHibb

    JHibb TS Rookie Topic Starter Posts: 19

    *Sorry for the Double Post!!*
     
  20. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Oh, you still cannot connect to the Internet

    Hmm, let's try a few resets:

    Run IE Reset Fixit Tool:
    Or manually from here http://www.techspot.com/vb/post682762-2.html
    Then restart Internet Explorer

    Uninstall COMODO free personal firewall

    Restart

    Start > Run > CMD > ok
    Run (copy/paste) each command below followed by enter key (note: some commands may not work)
    Restart again

    Test Internet/Network
     
  21. JHibb

    JHibb TS Rookie Topic Starter Posts: 19

    Ok! I'm on the internet from the virus-addled comp.

    I can connect, but a few notes:

    1. My ethernet connection still does not show up in my system tray

    2. My wireless connection does, however it still shows a "!" on it and when I mouse over it says there is "limited or no connectivity."

    3. When I was running the commands, not sure which one it was, the "!" came off the wireless connection symbol.

    I have updated and quick scanned with Malwarebytes as requested, logs attached.

    thank you!
     
  22. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Wireless Setup Wizard:

    Start > Run > %SystemRoot%\system32\rundll32.exe shell32.dll,Control_RunDLL NetSetup.cpl,@0,WNSW
     
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    JHibb, kritius is the best there is. Please follow what he is setting up for you and don't run any other programs in between.
     
  24. kritius

    kritius TS Guru Posts: 2,084

    DDS by sUBs
    Please download DDS by sUBs from HERE or HERE and save it to your Desktop.

    Vista users. Right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    • Double click on dds to run it.
    • When done, DDS.txt will open.
    • You will receive another prompt after a while. Click Yes at the prompt. It will take another few minutes to scan.
    • When done, Attach.txt will open.
    • Please zip and attach the contents of DDS.txt and Attach.txt in your next reply.
     
  25. JHibb

    JHibb TS Rookie Topic Starter Posts: 19

    Kritius,

    Attached are the zipped DDS logs, as requested.

    Thank you for your help.
     