TechSpot

Trouble running GMER

By Doug8765
Jun 21, 2010
  1. Hi -
    I downloaded GMER - as a randomly named executable per the TechSpot checklist. It fails when I run it because of the attached dialogue message: "c:\windows\system32\config\system: The system cannot find the file specified."

    I looked at the instructions at the site specified. They don't mention this problem.

    Any help would be much appreciated. I have found that following this checklist - in its various incarnations from the past - has worked for me. So I'm trying to follow it.

    Doug
     

  2. Doug8765

    Doug8765 TS Booster Topic Starter Posts: 189

    Also cannot update Adobe Reader

    Hi -
    In addition to not being able to run GMER, I also cannot update Adobe Reader. It does an installation repair and then says it cannot find the files to do that, but those would be in the installation file that I downloaded. It's Adobe Reader 9.3. The error message is attached to this post.

    In my quest to solve the larger problem, I have found at least one unremovable virus in c:\windows\temp. I say unremovable because BitDefender cannot remove it. This virus is pinging BitDefender very often. I attach a picture of that BitDefender message also.

    Yes, I am going through the checklist in the order that is set out. It is taking a long time.
     

  3. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    I'd assume you're running a 64-bit Windows version?
    If so, GMER won't run there. Skip it. Proceed with other steps.
     
  4. Doug8765

    Doug8765 TS Booster Topic Starter Posts: 189

    Hi Broni -
    Thank you for your reply.

    I run Windows Home Premium. That's a 64-bit version. I will skip GMER.

    Malwarebytes is running right now. I run it very often, but I'm running it now for the checklist.

    The problem I am trying to solve is that I cannot get into Google Groups (I manage a forum there) because Google Groups fails (after an interminable "redirecting" wait) and tells me that it failed because "We're sorry... ... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now."

    Glad for the response.

    Doug
     
  5. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    I'm not sure if it's malware-related, but we'll check.
    Don't forget about both DDS logs.

    In addition to MBAM, please do the following...

    Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    Print these instructions out.

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):

    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.

    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.
     
  6. Doug8765

    Doug8765 TS Booster Topic Starter Posts: 189

    Hi Broni -
    Will do. I use SuperAntispyware as often as I do Malwarebytes - at least once a week.

    Yes, I'll include both DDS logs.

    Thank you.

    Doug
     
  7. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Sure thing :)
     
  8. Doug8765

    Doug8765 TS Booster Topic Starter Posts: 189

    Hi -
    I have everything for the checklist. Note that I was unable to update Adobe Reader.
    I am attaching all the logs: Malwarebytes, DDS 1, DDS2, SuperAntiSpyware.

    I have 2 problems I am trying to solve:
    #1, the primary reason, is that Google Groups will not let me into my own Google Group. They give me this message: "We're sorry... ... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now."
    #2, I have viruses in my Windows\temp directory that BitDefender cannot destroy.

    Doug
     

  9. Doug8765

    Doug8765 TS Booster Topic Starter Posts: 189

    Hi -
    Should I have posted the files for the checklist - and the problem description - in a new thread? Is this just a complicated problem? Perhaps 12 hours is not long to evaluate the files.

    Not trying to jump the line, just wondering if I buried the information in a thread that looks finished because of the title that refers to GMER, which *is* resolved.

    Thanks to Broni.

    Doug
     
  10. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    I suggest you uninstall Adobe Acrobat Reader, which is a resource hog, and install FoxIt Reader: http://www.filehippo.com/download_foxit/, which is much smaller and faster. It does the very same thing.
    Make sure you run a "custom" install, and opt out of installing any extra toolbars.

    =====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT

    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  11. Doug8765

    Doug8765 TS Booster Topic Starter Posts: 189

    Hi Broni -
    The two OTL files are attached. I did not do copy-paste, I did save-as, if that makes a difference.

    Both problems still alive and kicking. I was able to manually delete one virus in windows\temp, but another will not delete no matter what I do.

    Let me know what else to do.

    Doug
     

  12. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    While I'm checking your OTL logs, can you tell me what exactly is BitDefender reporting?
     
  13. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    You're running two AV programs, Avira and BitDefender. One of them has to go. Your choice.
     
  14. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Make sure to uninstall one of your AV programs BEFORE running the script listed below...


    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O4 - HKLM..\Run: []  File not found
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
      O18:[b]64bit:[/b] - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
      O18:[b]64bit:[/b] - Protocol\Handler\x-atng {7e8717b0-d862-11d5-8c9e-00010304f989} - Reg Error: Key error. File not found
      O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O20:[b]64bit:[/b] - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
      O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      [2010/02/11 03:49:55 | 000,000,000 | ---D | M] -- C:\Users\Doug\AppData\Roaming\Registry Mechanic
      @Alternate Data Stream - 155 bytes -> C:\ProgramData\Temp:D1B5B4F1
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [resethosts]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
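The fix script above removes registry entries that OTL flagged because the file or CLSID they point to no longer exists: an empty Run value (O4), protocol handlers (O18), a Winlogon Notify entry (O20) and ShellServiceObjectDelayLoad objects (O21). As an added example, not part of this thread and not OTL's own code, here is a read-only PowerShell audit of those same locations on 64-bit Windows that lists entries whose target file cannot be found. The registry paths are standard Windows locations, the Wow6432Node variants are checked only where they exist, and the function names (Get-PathFromCommand, Test-TargetExists, Get-ClsidServerPath, Add-Finding) are my own. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread and not OTL's own code: a read-only audit of the
# registry locations that the O4 / O18 / O20 / O21 lines in the fix above refer to.
# It reports entries whose referenced file cannot be found on disk; it removes nothing.
# Run from an elevated 64-bit PowerShell so both the native and Wow6432Node views are readable.

$ErrorActionPreference = 'SilentlyContinue'
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # properties PowerShell adds to every key

# Pull the executable/DLL path out of a command string such as  "C:\x\y.exe" /arg  or  y.dll
function Get-PathFromCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) { return $expanded.Split('"')[1] }
    $m = [regex]::Match($expanded, '^(.+?\.(exe|dll|sys|cpl))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $expanded.Split(' ')[0]
}

# A bare file name (e.g. igfxdev.dll) is looked up in the system directories, as the loader would.
function Test-TargetExists {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    if (Test-Path -LiteralPath $Path) { return $true }
    if ($Path -notmatch '[\\/]') {
        foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
            if (Test-Path -LiteralPath (Join-Path $dir $Path)) { return $true }
        }
    }
    return $false
}

# Resolve a CLSID to the DLL registered as its InprocServer32 (64-bit view first, then 32-bit).
function Get-ClsidServerPath {
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $srv = Get-ItemProperty -LiteralPath "$root\$Clsid\InprocServer32"
        if ($srv -and $srv.'(default)') { return Get-PathFromCommand $srv.'(default)' }
    }
    return $null
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Kind, $Key, $Name, $Target) {
    $findings.Add((New-Object PSObject -Property @{ Kind = $Kind; Key = $Key; Name = $Name; Target = $Target }))
}

# O4: Run keys. Each value should name an executable that exists (an empty value is reported too).
foreach ($runKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -LiteralPath $runKey
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        $path = Get-PathFromCommand ([string]$p.Value)
        if (-not (Test-TargetExists $path)) { Add-Finding 'O4 Run' $runKey $p.Name $path }
    }
}

# O18: protocol handlers. The handler key holds a CLSID; the CLSID must resolve to a DLL on disk.
foreach ($root in 'HKLM:\SOFTWARE\Classes\PROTOCOLS\Handler',
                  'HKLM:\SOFTWARE\Classes\Wow6432Node\PROTOCOLS\Handler') {
    foreach ($h in (Get-ChildItem -LiteralPath $root)) {
        $clsid = (Get-ItemProperty -LiteralPath $h.PSPath).CLSID
        $path  = if ($clsid) { Get-ClsidServerPath $clsid } else { $null }
        if (-not (Test-TargetExists $path)) { Add-Finding 'O18 Protocol' $h.PSChildName $clsid $path }
    }
}

# O20: Winlogon\Notify subkeys, each naming a DLL in its DllName value.
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify') {
    foreach ($n in (Get-ChildItem -LiteralPath $root)) {
        $dll = [string](Get-ItemProperty -LiteralPath $n.PSPath).DllName
        if (-not (Test-TargetExists (Get-PathFromCommand $dll))) { Add-Finding 'O20 Notify' $n.PSChildName 'DllName' $dll }
    }
}

# O21: ShellServiceObjectDelayLoad. Each value is a CLSID that Explorer loads at startup.
foreach ($ssodl in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad') {
    $props = Get-ItemProperty -LiteralPath $ssodl
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        $path = Get-ClsidServerPath ([string]$p.Value)
        if (-not (Test-TargetExists $path)) { Add-Finding 'O21 SSODL' $p.Name $p.Value $path }
    }
}

if ($findings.Count -eq 0) { 'No dangling entries found.' }
else { $findings | Select-Object Kind, Key, Name, Target | Format-Table -AutoSize }
```

Dangling entries like these are usually leftovers from uninstalled software rather than active malware, which is why the thread treats them as clean-up. This audit deliberately reports only the missing targets; an unexpected entry in the same locations that does point at a file on disk is the one that deserves a closer look.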
     
  15. Doug8765

    Doug8765 TS Booster Topic Starter Posts: 189

    Hi Broni -
    In this thread I posted a picture of one of BitDefender's dialogues, that it stopped multiple viruses. When I manually tell it to scan the windows\temp directory it has told me that it cannot delete the virus. I manually deleted one, but another will not delete. It's been an hour since I have been audibly pinged by BitDefender.

    I will remove avast. I only run it once a week, BitDefender runs every day on a schedule.

    Any suggestions about the access to my Google Group? It still has me locked out because Google still says "We're sorry... ... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now."

    Thanks for your persistence.

    Doug
     
  16. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Let's finish cleaning process first.
     
  17. Doug8765

    Doug8765 TS Booster Topic Starter Posts: 189

    Hi Broni -
    Here's the newest OTL files - the script and the quick scan.

    Glad to be doing something.

    Doug
     

  18. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Is BitDefender still complaining?


    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  19. Doug8765

    Doug8765 TS Booster Topic Starter Posts: 189

    Hi Broni -
    I think the Kaspersky scan finished (after about 6 hours, glad I could keep using the computer) with nothing noted. It is attached.

    I have not been audibly pinged for a while, but Google Groups is still doing its "redirecting" thing, which ends with the error message.

    Doug
     

  20. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Tell me a little bit more about the above.
    I'm not very familiar with the way Google Groups works.
     
  21. Doug8765

    Doug8765 TS Booster Topic Starter Posts: 189

    Hi Broni -
    Google Groups are similar to Yahoo!Groups or any other message board. The one in question is one that I founded several years ago. This is its address - http://groups.google.com/group/bostonibd/. Until last week when I clicked on that link I got the manager's console - complete with membership approval, message approval, etc.

    If you want I can make you a member. Anyone's welcome and it's free. Here's the link to the general site where you can browse all Google Groups:
    http://groups.google.com/ When I go to this site I do see the proper thing, but anything I click on resolves to this unresolving address: https://www.google.com/accounts/Ser...ttp://groups.google.com/group/bostonibd?pli=1 .

    This address shows up on the Mozilla tab as "redirecting" for a long time. Then it resolves to "error" with the explanation "We're sorry... ... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now." (I attach a picture of the screen.) It gives me the chance to show that I am a human by typing in a string, but that only resolves to "error" again at this address - https://www.google.com/accounts/Ser...ttp://groups.google.com/group/bostonibd?pli=1 . This time the resolution to "error" takes even longer and the address has resolved to http://groups.google.com/group/bost...s7U2FfjC3mLyF9Wze5N-fKmpfjWyh8OIzuzuiEEbU8Z6A with the text "We're sorry... ... but your computer or network may be sending automated queries. To protect our users, we can't process your request right now. See Google Help for more information."
    If I click on Google Help at this point I get this link - http://www.google.com/support/websearch/bin/answer.py?answer=86640 - and the instructions here list the #1 thing to do is to get rid of malware. We just did that. Still does not work.


    For example, the main address that I click on all the time - http://groups.google.com/group/bostonibd/ - resolves to this link - https://www.google.com/accounts/Ser...ttp://groups.google.com/group/bostonibd?pli=1

    What's strange, but useless, is that I can go to the About page at http://groups.google.com/group/bostonibd/about, but if I click on any of the functions then I go to the "redirecting" tab.

    My wife's computer works just fine. Also, most work of sending emails works fine, so I only need the management console for managerial work, for which I can run down the hall to my wife's computer but I don't want to keep doing that.

    So now I have gotten - with your excellent help - to the place on the Google Help list where, what?

    This is so convoluted I don't know if it will make sense, but I'm going to press Send. Your help is appreciated.

    Doug
     

  22. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    OK, from what I gather: http://www.quickonlinetips.com/archives/2009/03/fix-google-search-were-sorry-error-pages/, when your computer gets infected, your IP address may get banned by Google groups and you're getting "We're sorry..." message.

    At the above page 3 possible solutions are listed.
    We're almost done with finishing solution #2, getting your computer clean.
    Now you can try solution #1 (I doubt it'll work).
    If it doesn't work, all you can do is send feedback to Google and they should investigate.

    But, first things first - finishing cleaning process...

    OTL Clean-Up
    Clean up with OTL:

    * Double-click OTL.exe to start the program.
    * Close all other programs apart from OTL as this step will require a reboot
    * On the OTL main screen, press the CLEANUP button
    * Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    ===================================================================

    Your computer is clean.

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  23. Doug8765

    Doug8765 TS Booster Topic Starter Posts: 189

    Hi Broni -
    I don't understand the long set of instructions that include something about System Restore. It has detailed instructions for Windows XP and Vista, but nothing for Windows 7. What's this about?

    I submitted a request that Google stop this, but I cannot tell from your response whether they can.

    Doug
     
  24. Broni

    Broni Malware Annihilator Posts: 52,890   +344

    Same instructions for Windows 7 as for Vista.

    As for Google, I can't tell you what's going to happen. Unfortunately, I don't work for them :)
     
  25. Doug8765

    Doug8765 TS Booster Topic Starter Posts: 189

    Hi Broni -
    I have done all the steps you said. Everything runs fine. I plugged in the info that Google asked to get, now I wait for the "redirecting" to go away and get normal access.

    Many thanks. To update you on anything, should I just add another post to this thread? Do threads get closed so that I cannot add a reply?

    Doug
     
Topic Status:
Not open for further replies.
