Resolved: XP OS hosed after conficker/downadup removal, registry cleaning, and Windows update

Status
Not open for further replies.

ivor77

Posts: 6   +0
Operating System: Microsoft Windows XP Professional [Service Pack 3]
Running Mcafee antivirus

Hi, I have copied parts of this post from some other messages in this forum that described similar problems to mine. Unsure if history or fix is same though.

My home network got attacked by the conficker/downadup virus.
Cleaned it off and tightened up systems over several days.

Installed and ran CCleaner as part of fixes. And felt I had to set Windows updates to automatic and daily. Previously they had been auto download but manual install. And I would update every few weeks or months !!

Now I have various problems all of a sudden which I hope you guys can help me with.

1.) I can't copy/paste files or folders or anything. I've tried right click copy, and when I right click and want to paste, the 'paste' is grayed out and I'm not able to paste anything. I've also tried Ctrl-C Ctrl-V which doesn't work either. And I can't drag the files or folders either.

2.) I can't open my Internet Explorer; when I click Internet Explorer, the window just opens and closes immediately in less than a sec.

3.) When I minimise my windows for any application, it doesn't appear on the taskbar; the taskbar is always empty. I need to Alt-Tab to get from window to window.

4) Various programs simply will not run: System Restore for example. And my mobile internet USB dongle and software.


I have seen the 8 steps to take for fixing malware before I post.
However I am now UNABLE to take most of those steps simply.
And would appreciate some advice on how to proceed.

1) Antivirus: I have McAfee antivirus installed BUT it will not run. I see messages in the event log from it but cannot read properties to see the issue.
I HAVE run Symantec's downadup removal tool and it has cleaned off the downadup hit.



2) I have run the TFC temporary file cleaner

3) Since I am unsure this laptop is clean I do not want to connect it to the network to get internet access. It has a mobile internet dongle BUT this is another of the programs that will not run.
It was pretty much up to date recently anyway --- looks like IE8 was installed recently. I have a standalone SP3 I could reapply if this would help.
I have access to other machines and can download from the net and burn to CD any specific files or updates recommended.

4) I have MalwareBytes AntiMalware installed and ran it a few days back BUT it is now giving an error when I try to run it. (Runtime error 372. Failed to load control ‘vbalgrid’ from vbalgrid6.ocx). Trying to reinstall gets the same problem.

5) I have GMER loaded and have run it. But have no quick and simple way to get the log file off. It just shows McAfee drivers and hooks though. No malware anymore. It did find and fix stuff a few days back. And I had to clean a remnant out of the registry following Microsoft's downadup manual removal procedures.
I will figure out a safe way to get logs off it after I get your reply.

6) DDS have downloaded this but will wait until you give me some feedback


I’ve been at this for several days --- in fact a week or two since it all began.
Any help much appreciated. I'm reasonably technical so pointers to relevant info will also be appreciated.

I have seen lots of descriptions of symptoms like mine in these forums. But could not find a 100% match nor definitive solution
I've heard of and briefly tried to find info on
a) McAfee bugs
b) Windows update and IE8 and bugs from that

that can give symptoms like mine
But I did not find any concrete definitive explanations/solutions.


Thanks in advance for any assistance
 
I have seen lots of descriptions of symptoms like mine in these forums. But could not find a 100% match nor definitive solution

We don't expect you to find an 'exact match' nor do we want you to use cleaning instructions given to others. You're going to have to use a flash drive to get programs you need, then install on the problem computer.

The Mbam error means you have an old version. Remove it, follow the directions and link for correct version in the steps. Use flash to d/l and install, save log and leave here.

I need to see the 2 DDS logs also.

For GMER, disable McAfee to run.

And I'd much rather have your own description of the problem instead of a copy and paste from someone else!
 
Thanks --some problems running the 8 step process

Hi Bobbeye

Thanks for the response.
I have a couple of systems with problems. The XP laptop I started with is offline and difficult to work with.

I have a Windows 2000 SP4 system still on the network that also has the Explorer cannot copy/paste problem and various other strange system behaviour. But it is less hosed than the laptop perhaps. Since it is on the network it is easier to get to. I tried to follow the 8 step process and results are given here.

1. I have PC Tools antivirus - running a pc tools check
no log file but gives all clear and has for several days of scans now


2. run TFC –ran and rebooted ---


3. update –
Microsoft download ---windows 2000 sp4 --
went to update.microsoft.com using IE but it did not seem to load any update environment. Does W2000 still get Windows updates?

java updates –
Updates fail to complete saying the ‘The Windows Installer Service could not be accessed’

adobe reader --- attempted to install latest but fails saying ‘The Windows Installer Service could not be accessed’


4. Malwarebytes antimalware: latest version 1.46 already downloaded and previously installed on system.

on running it crashes with ‘run-time error ‘372’’ Failed to load control ‘vbalgrid’ from vbalsgrid6.ocx …

Tried install again and install loaded and ran and completed BUT crashes during install with same error 372.

Trying to run after this gets same runtime error 372



5. GMER --- RUN – log below



6. DDS – runs but produces no output – disabled PC Tools firewall – turned off PC Tools antivirus IntelliGuard
(realtime scanner)


7. LOGS Malwarebytes, GMER, DDS

Neither Malwarebytes nor DDS produced logs


GMER logs

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-05 00:06:02
Windows 5.0.2195 Service Pack 4
Running: gxmxex_2010may8.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxddipog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVRec.sys (PC Tools Recognizer Driver for Windows 2000/XP/PC Tools Research Pty Ltd )
AttachedDevice \FileSystem\Ntfs \Ntfs AVHook.sys (PC Tools Filter Driver for Windows 2000/XP/PC Tools Research Pty Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVRec.sys (PC Tools Recognizer Driver for Windows 2000/XP/PC Tools Research Pty Ltd )
AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)

---- EOF - GMER 1.0.15 ----


Any suggestions on next steps much appreciated

regards
Ivor
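The GMER output in the post above is short enough to read by eye, but on a box with dozens of filter drivers it helps to tabulate which driver is attached to which device stack and to pull out any driver GMER could not attribute to a vendor. The following Python script is an added example; it is not part of the thread and not code from the GMER tool. The sample log it parses is constructed from the AttachedDevice lines posted above plus one made-up entry (xyzzy.sys, with no description) so the "flag for review" path is exercised; the TRUSTED_VENDORS list is an assumption about what belongs on this particular machine.

```python
import re

# Constructed sample modelled on the GMER 1.0.15 quick-scan log posted in the
# thread, plus one hypothetical driver (xyzzy.sys) with no vendor description.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-05 00:06:02
Windows 5.0.2195 Service Pack 4

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVRec.sys (PC Tools Recognizer Driver for Windows 2000/XP/PC Tools Research Pty Ltd )
AttachedDevice \FileSystem\Ntfs \Ntfs AVHook.sys (PC Tools Filter Driver for Windows 2000/XP/PC Tools Research Pty Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp xyzzy.sys

---- EOF - GMER 1.0.15 ----
"""

# One AttachedDevice line: <driver stack> <device> <driver file> [(product/vendor)]
ATTACHED_RE = re.compile(
    r"^AttachedDevice\s+(?P<stack>\S+)\s+(?P<device>\S+)\s+(?P<driver>\S+)"
    r"(?:\s+\((?P<desc>.*)\))?\s*$"
)

# Assumption: vendors expected on this machine (the thread's scans show only
# Microsoft and PC Tools drivers). Adjust per box.
TRUSTED_VENDORS = ("Microsoft Corporation", "PC Tools")


def scan_header(text):
    """Pull the scan timestamp and OS version out of the log header."""
    scanned = re.search(r"Rootkit quick scan (\S+ \S+)", text)
    os_line = re.search(r"^Windows (.+)$", text, re.M)
    return {
        "scanned": scanned.group(1) if scanned else "",
        "os": os_line.group(1).strip() if os_line else "",
    }


def parse_attached_devices(text):
    """Return one dict per AttachedDevice line, with the vendor split out."""
    entries = []
    for line in text.splitlines():
        m = ATTACHED_RE.match(line.strip())
        if not m:
            continue
        desc = (m.group("desc") or "").strip()
        # GMER prints "product description/vendor"; vendor is after the last slash.
        vendor = desc.rsplit("/", 1)[-1].strip() if desc else ""
        entries.append({
            "stack": m.group("stack"),
            "device": m.group("device"),
            "driver": m.group("driver"),
            "description": desc,
            "vendor": vendor,
        })
    return entries


def devices_by_driver(entries):
    """Map each driver file to the list of devices it is attached to."""
    out = {}
    for e in entries:
        out.setdefault(e["driver"], []).append(e["device"])
    return out


def flag_for_review(entries, trusted=TRUSTED_VENDORS):
    """Drivers with no vendor string, or a vendor not in the trusted list."""
    flagged = {e["driver"] for e in entries
               if not any(v in e["vendor"] for v in trusted)}
    return sorted(flagged)


if __name__ == "__main__":
    entries = parse_attached_devices(SAMPLE_LOG)
    print(scan_header(SAMPLE_LOG))
    for driver, devices in devices_by_driver(entries).items():
        print(f"{driver:<14} {', '.join(devices)}")
    print("review:", flag_for_review(entries))
```

A driver landing in the review list is not proof of anything by itself (a legitimate driver can simply lack version resources), but it is the line you would compare against the vendor's file list or a known-good scan of the same machine before deciding whether the box is clean.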
 
I do not work with multiple systems on the same thread- therefore, my instructions will be for one of the systems. Anything you say, scan or leave must be for a specific system on that thread. You will need to clarify whether you are working on Windows XP or Win2K to continue.

7. LOGS Malwarebytes, GMER, DDS

Neither Malwarebytes nor DDS produced logs

They always produce logs- maybe you just didn't save them.
For Malwarebytes:
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

For DDS:
When done, DDS will open two (2) logs:
[o]DDS.txt
[o]Attach.txt

You should be able to do a search for the logs. Right now I have nothing to work with and am not clear which system you want to work on.

Regarding the following:
java updates and adobe reader – Updates fail to complete saying the ‘The Windows Installer Service could not be accessed’
If you are in Safe Mode, the Windows Installer won't work.

Malwarebytes antimalware: latest version 1.46 already downloaded and previously installed on system. For some reason, the system thinks it's an old version. Please uninstall, then reinstall from the link on the thread. If it continues to crash:

Check the Event Viewer to see if there is an Error that corresponds to the time showing on the computer clock when you get the runtime error:

Start> Run> type in eventvwr

Do this on each of the System and Application logs:
[1]. Click to open the log>
[2]. Look for the Error>
[3]. Right click on the Error> Properties>
[4]. Click on Copy button, top right, below the down arrow>
[5]. Paste here (Ctrl V)
[6]. NOTES
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.

Errors are time coded. Check the computer clock at the runtime error.
 
Thank you for your continued assistance Bobbye:


You said
'You will need to clarify whether you are working on Windows XP or Win2K to continue.'

I am working with Windows 2000 sp4

I understand that I need to follow your instructions in order for you to help me.
This is why I chose the Windows 2000 machine.
I could do more of the 8 steps that you ask done first.


However I am unable to complete some of these 8 steps.
I need to simply ask you if you are able to help me with the steps I am unable to complete.
Or whether you are unable to help me until I can successfully complete the 8 steps.

1) My windows installer service is not working and thus I cannot install various things at all (adobe, java update, etc)
Are you able to help with this problem or point me to someone or somewhere that could help?

2) I am unable to run MalwareBytes AntiMalware. It crashes with that runtime error 372
I used Start > Run > eventvwr to open the Event Viewer.
I can see event log entries but there is NO entry for the timestamp of the Malwarebytes crash.
Also I am unable to display event log entry properties. Right click and select Properties does NOT bring up the expected display.

3) DDS runs and shows its message but produces no logs.
Are you able to give me any help with this ?

I thank you for your assistance.
I am sorry that I cannot provide all the information you request.

Are you able to help me complete your preliminary 8 steps?
Or must I seek this help elsewhere?

Whatever your answer let me express my appreciation of the time you have taken so far to address my case.

Cordial Regards
Ivor
 
Hi Bobbye:

Let me directly answer your questions here also. I note I missed answering one or two direct questions. SO these are direct answers to any questions you asked.
Also reports on things you asked me to do.



I do not work with multiple systems on the same thread- therefore, my instructions will be for one of the systems. Anything you say, scan or leave must be for a specific system on that thread. You will need to clarify whether you are working on Windows XP or Win2K to continue.

ivor: windows 2000 sp4

They always produce logs- maybe you just didn't save them



ivor: These two programs did not produce logs because they did not run properly


For Malwarebytes:
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


ivor: There is no log file at either of these locations



For DDS:
When done, DDS will open two (2) logs:
[o]DDS.txt
[o]Attach.txt

You should be able to do a search for the logs.

ivor: I do not believe the program is running right. This is why it produces no logs. I did not yet inspect the code. Is there a debug or verbose switch I can use with it?



Right now I have nothing to work with and am not clear which system you want to work on.

ivor: I wish to work on the windows 2000 system as I can provide more of the information you request for this.
Are you able/unable to help with the facts that
1) I am having the runtime error 372 when try to run or install Malwarebytes latest version 1.46
2) DDS is probably not running as expected since I get no logs



Regarding the following:
java updates and adobe reader –Updates fail to complete saying the ‘The Windows Installer Service could not be accessed’
If you are in Safe Mode, the Windows Installer won't work.


ivor: I am not in safe mode. This is a normal windows boot. Either virus or other system problem has corrupted my windows installer setup. I suspect the conficker/downadup virus recently removed (mostly :-(



Malwarebytes antimalware: latest version 1.46 already downloaded and previously installed on system. For some reason, the system thinks it's an old version. Please uninstall, then reinstall from the link on the thread. If it continues to crash:


ivor:
Add/Remove Programs is NOT available -- will not open.
The Malwarebytes program menu uninstall entry succeeds in removing the program though it gives 4 or 5 error 372s.
(disabled PC Tools anti virus) Installing from newly downloaded 1.46 completes BUT the checkboxes at the end - run update/launch Malwarebytes - cause one or two error 372s.
Trying to run the newly installed program from the program menu immediately hits the runtime error 372.


Check the Event Viewer to see if there is an Error that corresponds to the time showing on the computer clock when you get the runtime error:

ivor: there is no error in the logs corresponding that I can see


Start> Run> type in eventvwr

Do this on each of the System and Application logs:
[1]. Click to open the log>
[2]. Look for the Error>
[3]. Right click on the Error> Properties>
[4]. Click on Copy button, top right, below the down arrow>
[5]. Paste here (Ctrl V)
[6]. NOTES
  • You can ignore Warnings and Information Events.
  • If you have a recurring Error with same ID#, same Source and same Description, only one copy is needed.
  • You don't need to include the lines of code in the box below the Description, if any.
  • Please do not copy the entire Event log.

Errors are time coded. Check the computer clock at the runtime error.

ivor: there are many other errors in the logs but am unable to display the properties of these errors.
 
As far as I know, Windows 2000 doesn't have the Event Viewer. I was going by Windows XP as the OS- so those directions wouldn't work. I did have a tag wrong which might have confused you- Correctly it should display like this: But I don't think it will matter since it's W2K.

Start> Run> type in eventvwr

You're going to have to have the Windows Installer. Do you have a flash drive? You can download the installer to that and then try to run it on the Win2K machine:

Windows Installer for Windows 2000 SP4:

Instructions

[1]. Click on the site HERE and scroll down to this download:
WindowsInstaller-KB893803-v2-x86.exe
Click on the Download button. When asked to Run or Save, click on Save
[2]. Connect the flash drive to the problem machine
[3]. Follow any onscreen prompts.
[4]. Reboot the computer when finished

Now see if you can download and install the cleaning programs.
It is not necessary to quote my instructions in your reply.

I will help as much as I can. If it becomes necessary to correct more system problems before we can work on the cleaning and I can't handle them, I will then refer you to the Windows OS forum.

I am still a bit uncertain as to what you can do on which machine.
IF you can download, save then run the Windows Installer directly to the Windows 2000 machine, do that instead of using the flash drive.
 
Windows still messed up - how to proceed

Hi Bobbye:

1) FYI windows 2000 does have event viewer but although I can see entries I cannot display properties. One of the symptoms of unwanted changes.

2) I downloaded the windows installer from the link you gave. It installed and asked for reboot. After reboot I tried to install adobe latest ver 9 for w2000 again.
Got a slightly different error this time:
'The Windows Installer service could not be accessed. This can occur if you are running Windows in safe mode, or if the windows installer is not correctly installed.'

I am NOT in SAFE mode. So something is still wrong with the installer function.

3) The installer is still not working right so still cannot install anything


4) the windows 2000 machine is still on the network and internet. I can download direct to it.

Do you have any ideas on how to fix the problem with Windows installer?

5) looking back over what was done I can see some .reg backups from running cccleaner after first getting rid of conficker
I also ran something called SuperAntiSpyware to clean the registry
I think this was what caused many of the unwanted changes in Windows behaviour

Have you ever used this SuperAntiSpyware program?

I exported a .reg file from REGEDIT it before it made changes I think.


If I knew which registry keys controlled windows installer then I might be able to recover by copying those keys either from this export or from a past backup?

I think similarly the keys controlling windows explorer behaviour have been messed up.

Perhaps I would be better off trying to reload system state from a backup.
And then cleaning off the virus/trojan if it is still there?


Thanks again for any assistance

Regards
Ivor
 
We used to have Superantispyware as one of the steps in Virus and Malware Removal. It was the free scan, a good program. But we found we could do more and get more information using other programs, so we dropped it.

Making Registry changes without any supervision is not something we recommend. I don't know that a registry change corrupted the installer, but if it did, whatever did it shouldn't have. We don't recommend Registry cleaners and ask those we are helping not to make any Registry changes while we are helping them.

Regarding the Event Viewer:
To use the Event Viewer: Events are time-coded. So note the time on the computer clock when a problem occurs, then look for an Error that corresponds to that time in either the System or Application log:

[1]. From the Start menu> select Programs> Administrative Tools> Event Viewer.
[2]. Choose a log type (Application, Security, or System).
[3]. From the View menu, select Newest First or Oldest First to sort your records.
[4]. Select or highlight a log.
[5]. From the Action menu, choose Properties to view the details of the event, as seen in Figure A.

My apology for the statement about Win2K not having this. You might find some of the info HERE helpful.

You mention that you cleaned the infection and downloaded CCleaner to handle the Registry. So at that time, the installer was working. I don't use or recommend CCleaner. We dropped it here and put TFC in its place- one reason being exactly this> how CCleaner can handle the Registry.

The xp laptop I started with is offline and difficult to work with.

Is it more of a problem than what you're having with the Windows 2000 machine?
I'm wondering if indeed Conficker was entirely removed initially. It's in the network as I understand, with at least one system running Win 2000, the system you are trying to install on. But it was also on a Win XP machine and you are now using a flash drive- is this correct? The chances are that the flash drive is/was also infected.
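The Event Viewer procedure given above, and the same steps earlier in the thread (note the time on the computer clock, find Errors near that time in the System and Application logs, ignore Warnings and Information events, send one copy of a recurring Error), can be applied mechanically once the entries have been copied out of the Properties dialog. The Python script below is an added example, not code from the thread or from Bobbye's instructions. The records it parses are constructed samples with made-up times, sources and descriptions, laid out like the tab-separated text the Event Properties Copy button produces on Windows 2000/XP; the five-minute window either side of the clock time is an assumption, not a value from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (hypothetical times, sources and text), one per
# blank-line-separated block, in the layout the Event Properties "Copy" button
# produces. Only the fields this script needs are included.
SAMPLE_EVENTS = """\
Event Type:\tError
Event Source:\tService Control Manager
Event ID:\t7000
Date:\t\t6/4/2010
Time:\t\t11:40:00 PM
Description:
The Example Service service failed to start. (constructed sample)

Event Type:\tError
Event Source:\tApplication Error
Event ID:\t1000
Date:\t\t6/5/2010
Time:\t\t12:05:40 AM
Description:
Faulting application example.exe, faulting module example.ocx (constructed sample)

Event Type:\tError
Event Source:\tApplication Error
Event ID:\t1000
Date:\t\t6/5/2010
Time:\t\t12:05:41 AM
Description:
Faulting application example.exe, faulting module example.ocx (constructed sample)

Event Type:\tWarning
Event Source:\tW32Time
Event ID:\t36
Date:\t\t6/5/2010
Time:\t\t12:05:50 AM
Description:
The time service has not synchronized. (constructed sample)

Event Type:\tError
Event Source:\tMsiInstaller
Event ID:\t1015
Date:\t\t6/5/2010
Time:\t\t12:07:30 AM
Description:
Failed to connect to server. (constructed sample)
"""


def parse_event_records(text):
    """Split copied Event Viewer text into one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, desc_lines, in_desc = {}, [], False
        for line in block.splitlines():
            if in_desc:
                desc_lines.append(line)        # everything after Description:
            elif line.startswith("Description:"):
                in_desc = True
            else:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        when = datetime.strptime(fields["Date"] + " " + fields["Time"],
                                 "%m/%d/%Y %I:%M:%S %p")
        records.append({
            "type": fields["Event Type"],
            "source": fields["Event Source"],
            "event_id": int(fields["Event ID"]),
            "time": when,
            "description": " ".join(desc_lines).strip(),
        })
    return records


def errors_near(records, clock_time, window_minutes=5):
    """Errors within +/- window of the clock time; one copy per ID/source/text."""
    window = timedelta(minutes=window_minutes)
    seen, hits = set(), []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["type"] != "Error":
            continue                           # Warnings/Information are ignored
        if abs(rec["time"] - clock_time) > window:
            continue                           # not near the crash time
        key = (rec["event_id"], rec["source"], rec["description"])
        if key in seen:
            continue                           # recurring Error: one copy is enough
        seen.add(key)
        hits.append(rec)
    return hits


def format_for_post(hits):
    """One line per error, ready to paste into a reply."""
    return [f"{h['time']:%Y-%m-%d %H:%M:%S} {h['source']} ID {h['event_id']}: "
            f"{h['description']}" for h in hits]


if __name__ == "__main__":
    # Clock time noted when the runtime error appeared (constructed).
    crash_time = datetime(2010, 6, 5, 0, 6, 2)
    for line in format_for_post(errors_near(parse_event_records(SAMPLE_EVENTS), crash_time)):
        print(line)
```

On the constructed input the script keeps the Application Error at 00:05:40 (its duplicate one second later is dropped) and the MsiInstaller error at 00:07:30, and discards the Warning and the Service Control Manager error from the previous evening, which is exactly the short list the NOTES ask for.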
 
Thanks for help - must try another recovery route

Hi Bobbye:

Thanks again for your help.
Was away on a 3 day seminar so could not respond further until now.

It seems difficult to get to first base with this process.
I cannot complete all your pre-requisite 8 steps

I will not proceed any further with this malware removal/cleanup process that is not working.
No fault or complaint implied. Just fact that I cannot get this first 8 steps done on my system.

I am going to try and recover from a backup system state.
And will look for help in the Windows OS area

Thanks again and all the best
Please consider this thread closed from my side although I will note and respond to any response you make to my closure.

Regards
Ivor
 