Can not install/uninstall any programs in normal or safe mode

Status
Not open for further replies.

bgelston

Having all sorts of problems with a desktop. I can not install any program in normal or safe mode. My virus protection has been shut down. When I attempt to go to any virus protection web site (Symantec, McAfee, Trend Micro, etc.) my browser gets "page cannot be displayed". Being the local computer geek in my neighborhood, I get the gems.

I have attached the log file from hijackthis. I did the scan while in safe mode.
BTW: I can not browse to any virus protection site in "Safe Mode with Networking" either.

Any help would be greatly appreciated.

If I can not get this fixed, I was planning on backing up all the data, then "NUKIN" the hard drive and reinstalling.
 
Dest068.exe -> Trojan - part of Wareout
BoundRec.exe -> Trojan - part of Wareout
PestTrap.exe -> is a rogue anti-spyware application
85.255.116.110 -> Trojan DNSBust-M

Here's an idea, remove Norton, and install any other (ie free Avast Antivirus)

Anyway, please do the following:

Remove HijackThis entries
  • Run HijackThis
  • Click on the System Scan Only button
  • Put a check beside all of the items listed below (if present):

    O4 - HKLM\..\Run: [rock] rock.exe
    O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Alex\LOCALS~1\Temp\scksexde.exe/r
    O4 - HKCU\..\Run: [SetupExeDll] Dest068.exe
    O4 - HKCU\..\Run: [SAPSTR] BoundRec.exe
    HKLM\System\CCS\Services\Tcpip\..\{D873375C-436B-4D7B-93DB-7F3D321F80DC}: NameServer = 85.255.116.110
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

============================================

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply



Edit:

This tool will remove "Wareout" Trojan
Please download FixWareout Removal Tool

I would also suggest that you un-install all those live protection programs (ie they didn't help!)
Then run CCleaner (to clean out all the temp files)

Post a new HJT Log once all this is done
:)
 
Here are the results..

Thanks for your help..

I could not go to kaspersky to download the AV on the infected computer.

I had to download FixWareout Removal Tool on another computer and then use a Cruzer drive to move it over to the infected computer. I had to do the same thing with CCleaner.

Attached is the HJT log.

Thanks again,
 
Here's what you presently have
You can tick and fix all the bold threats in HJT (But read on below this too)

C:\WINDOWS\system32\wscntfy.exe
This is the MS security alert, telling you that either your Firewall is off, or Antivirus requires updating, or you have Windows Updates to do.
It is very convenient to help you be aware of these issues (especially if you didn't know)
But if you already have a good understanding of what's going on in your computer, then you can read here : http://www.microsoft.com/windowsxp/using/security/internet/sp2_disablescalerts.mspx to disable security alerts.

In 2 places in HJT Log:
C:\Program Files\Gamevance\gamevance32.exe
O4 - HKLM\..\Run: [Gamevance] C:\Program Files\Gamevance\gamevance32.exe

This file is known as a known keylogger that can cause other "addons" (like other sites to download more threats!)

O4 - HKLM\..\Run: [WinInitDll] NukeSpan.exe
NukeSpan.exe information: TROJAN! - part of Wareout

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
A module of the WildTangent advertising spyware.

O4 - HKLM\..\Run: [FLKPT] syspanel.exe
syspanel.exe information: TROJAN! - part of Wareout

O4 - HKLM\..\Run: [bikini] bikini.exe
Bikini.exe is Troj/LowZone-CX

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
Winstall.exe is part of SpySheriff (fake anti-spyware program)

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
Contains both banner and pop-up ads (lots of info here: http://www.pchell.com/support/weatherbug.shtml)

O4 - HKCU\..\Run: [systemdll] SYSTRAV.exe
SYSTRAV.exe information: TROJAN! - part of Wareout

Please Uninstall ALL those live protection programs from Add/Remove programs (lots of them!!) Whilst they are installed, the cleaning process is nearly impossible (I have now asked you twice to do this)

Then...

Download Startup Control Panel
Run it
Untick all Startups on all Tabs
Restart

Then...

Download Smitfraud Fix
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Clean:

Reboot your computer in Safe Mode
(before the Windows icon appears, tap the F8 key continually)

Double-click SmitfraudFix.exe

Select 2 and hit Enter to delete infected files.

You will be prompted: Do you want to clean the registry ? answer Y (yes)
and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if you are infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.

A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:

To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
----------------------------------------------------

Then...

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.

Then...

Post a new HJT Log
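
The Run-key and NameServer entries listed in the two helper posts above can be triaged mechanically. The following is an added example, not part of the thread or of HijackThis; the `triage` function, its `known_dns` parameter and the three path heuristics are assumptions chosen for illustration, and a flag means "look closer", not "malicious":

```python
import re

# Entries copied from the HijackThis lists quoted in the posts above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Alex\LOCALS~1\Temp\scksexde.exe/r
O4 - HKCU\..\Run: [SetupExeDll] Dest068.exe
O4 - HKLM\..\Run: [WinInitDll] NukeSpan.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
HKLM\System\CCS\Services\Tcpip\..\{D873375C-436B-4D7B-93DB-7F3D321F80DC}: NameServer = 85.255.116.110
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
DNS_RE = re.compile(r"NameServer = ([\d., ]+)$")

def executable(cmd):
    """Program part of a Run value: quoted path, or text up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)", cmd, re.I)  # handles unquoted paths with spaces
    return m.group(1) if m else cmd.split()[0]

def triage(log_text, known_dns=()):
    """Return (reason, detail) pairs for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            name, exe = m.group(2), executable(m.group(3))
            if "\\" not in exe:                       # resolved via search path
                findings.append(("run-no-path", name))
            elif re.search(r"\\te?mp\\", exe, re.I):  # autostart from a temp dir
                findings.append(("run-from-temp", name))
            elif re.fullmatch(r"[A-Za-z]:\\[^\\]+", exe):
                findings.append(("run-from-drive-root", name))
            continue
        m = DNS_RE.search(line)
        if m:  # a static resolver not on the caller's allow-list
            for ip in re.split(r"[,\s]+", m.group(1).strip()):
                if ip and ip not in known_dns:
                    findings.append(("static-dns", ip))
    return findings

if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason:20} {detail}")
```

Entries installed under Program Files, such as the WildTangent and WeatherBug lines, pass these path checks and still need a lookup by name.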
 
some continuing issues...

I uninstalled Norton 360. I took care of the HJT entries you mentioned. I also did the Startup Control Panel and unchecked all running programs under all tabs. However, when I attempted to run SmitfraudFix in Safe Mode it did not run. I have posted the HJT log.
Please let me know what the next steps are.
Thanks again for your help
 
Please let me know what the next steps are
I possibly should inform you that checking HJT Logs is not my area of expertise, but hopefully you can see that I give it quite a good show.

Anyway, I don't understand this part, why doesn't it run?
I attempted to run SmitfraudFix in Safe Mode it did not run

Also did Malwarebytes get scanned? And remove any threats?

Also you now do not have any Virus protection (and hopefully all those Spyware programs have been removed!)

You now need to install another AntiVirus program
Have a look here: http://www.av-comparatives.org/
Due to the many Spyware/Trojans issues, it may be best for you to download/Install/Update and then do a full scan with AVG Free Antivirus
 
Yes, you do give it a good show and I appreciate the help.

What I mean by "Not Running" is, when I double click on the icon, I get some hard drive activity but the program does not run. The same thing happens with Malwarebytes.
It is really getting annoying...

HJT seems to run without a problem and so did Startup Control Panel.

Any thoughts..

Thanks
 
Installed the 4.5 redistributable. I even installed SP3.
Still no luck. I can not install SmitfraudFix.exe..ugh...
 
I had a quick look, it looks good :)

But I am not a HJT log expert (as you know!)
You may receive other replies
 
That is great news. I know you said you are not an expert with HJT but you certainly have me fooled :).

BTW: Do I need to turn things back on using the Startup Control Panel?

Thanks again for your help..
Bob
 
Good question

I need to inform you a little here

Startup Control Panel is not like Windows MSConfig; if you disable things in Startup Control Panel you are not in diagnostic mode (which is good) and if anything, Windows will run better for it :)

Personally I have disabled all my Windows startups (except AntiVirus and Firewall)
All the other shortcut Startups, I don't want Windows to automatically run, when it first starts!

But, maybe you do want these program shortcuts to run (ie some users like Messenger to open with Windows, god knows why??)
But if you feel one of your program shortcuts, must start with Windows (ie instead of running it manually after Windows starts) then by all means - retick that shortcut.
The next time Windows loads, so will that Program.

Your choice :) (also I run it often, just in case another program decides to get in there)
 