PhilliePhan 171 Central Scrutinizer Team Colleague

I tried renaming mbam in normal and safe mode and I get the Access Denied error message.

Phillie, when I'm using cmd to run KILLBAD, I can't get rid of C:\Documents and Settings\Username\_

I can't backspace to get rid of it and when I hit enter it's still like that instead of C:_
I'm assuming that is why I can't get KILLBAD to run properly.

*continues to pull hair out*

That shouldn't be an issue - type cd c:\ enter to change it back. That doesn't matter when you type the whole path to the tool...

Let's try this:

First, Rename mbam.exe to zappa.com
See if it will run.
If so, please have it remove all that it finds and post the log for us.


If it does not run, you can try the following, but it is strictly a "Run At Your Own Risk!" proposition:

* Download KILLBAD.zip and EXTRACT the KILLBAD folder to your C:\ Drive
* Use START > RUN > Command.com to get a command prompt

* TYPE C:\KILLBAD\KILLBAD.bat ENTER

* If the tool is able to run, a log should eventually pop up in notepad.
Please post that for us.

Then, try running MBA-M again.

I'll try to check back as time permits.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Dave,

Try this:
Please download GooredFix
http://downloads.securitycadets.com/GooredFix.exe

* Double-click GooredFix.exe to run it.
* Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
* A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: Do not run Option #2 yet.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Sisaly,

Here is a fix you can try. Again, it is a "Use at your own Risk!" proposition:

-- Download the attached KILLBAD.zip and EXTRACT the KILLBAD folder to your C:\ Drive.

Use command.com to get a command prompt

TYPE C:\KILLBAD\KILLBAD.bat ENTER

It should run quickly.


-- Now, try to run MBA-M.

Let me know if you run into any problems.

*** To any others reading this post: This fix was specifically made for Sisaly. IT MAY OR MAY NOT WORK FOR YOU. IT MAY RESTORE SOME FUNCTION TO YOUR COMPY, BUT YOU RUN IT AT YOUR OWN RISK.....
'Course your compy's pretty borked already, or you wouldn't be reading this . . . . .


Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I apologize for the length of that sucker! I never got around to fixing that.....

There is a good deal of malware showing that we can remove. I am sure crunchie and the other volunteers can see it and can show you what needs to be deleted.

I will definitely be gone until Monday Night EST, but will check back then.

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

If you like, we can try this to have a better look at what is going on. This is an old tool that I wrote some time ago and if you can get it to run, it might help us see what we are missing.
This is a strictly "Run at your own risk" proposition:

Download PKBOO.zip and EXTRACT the PKBOO Folder to your C:\ Drive

Open a command prompt with Command.com

TYPE C:\PKBOO\PKBOO.bat ENTER

It should run for a few seconds and then pop up with a log. Please post that for us.

I will try to check back Monday Evening as time permits.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

renaming it to zappa.exe still causes it to crash while scanning and Spyware Doctor won't connect to the internet/won't work at all

Looks like reformatting is rearing its head in :[

There are a few options I would like to try, but I have to get back to work and won't be back until Monday night at the earliest.
-- I'd like to try to get Safe Boot back as an option.
-- Also, I'd like to get a look at the files that have been added in the last 15 days or so.
I can probably put something together for you Monday night.
Or, maybe one of the other volunteers can jump in....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

The first command didn't work in command prompt, however I found the LOGIT text file anyway.

So . . . . It worked :)

I added something to my last post RE MBA-M. Try that.
If it doesn't run when you click on it, use the command prompt:

Type C:\PROGRA~1\MALWAR~1\zappa.exe ENTER

PhilliePhan 171 Central Scrutinizer Team Colleague

Do I type In C:\C:\ or is one of those just a mistake? Also, how can I find the spyware doc entry?

Sorry! TYPO!

Do this:
Command Prompt

TYPE DIR /x "C:\PROGRA~1" >> C:\LOGIT.txt ENTER

Navigate to C:\LOGIT.txt and post that for me.


Also Go into Program Files and the MalwareBytes folder and rename mbam.exe to zappa.exe. I don't think we tried that.....
DoubleClick it and see if it runs.

PhilliePhan 171 Central Scrutinizer Team Colleague

Here's the Quick Scan version...

You didn't have it remove the baddies . . .

Try another Full Scan and make sure that everything is checked, and click Remove Selected.

Then post us the new log plus a fresh HJT.

PP :)

EDIT: Normal Windows boot is what we want. Yes, you definitely want to remove the baddies ;)

PhilliePhan 171 Central Scrutinizer Team Colleague

crunchie... that's random! But it's working... Results in a few

Great!
Is this Safe Mode?
Ideally, we'd like a Full Scan in Normal Windows boot.

If Safe Mode, let it run and we'll go from there once the scan wraps up.

PP:)

PhilliePhan 171 Central Scrutinizer Team Colleague

I don't know the command for SD, nor do I know how to access aborted MBA-M logs. The logs I see right now don't have any of the recent ones, just past scans from weeks ago

Ok.
Let's try Spyware Doctor.

Command prompt
Type C:\C:\PROGRA~1\DIR /x ENTER

Find the Spyware Doctor entry. Will probably look like SPYWAR~1 or similar.

Then, Type C:\PROGRA~1\XXXXXX~1\DIR /x ENTER and find what the executable is and let me know - XXXXXX~1 is whatever you found previously.

PhilliePhan 171 Central Scrutinizer Team Colleague

Give it a try in Safe mode.
Also, try re-naming mbam.exe to crunchie.exe and see if it runs.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I also have spyware doctor, maybe it can scan/clean up?

You could try that - do you know the executable for SD? Bearing in mind that this is command.com.

-- Can you get me the log(s) from the aborted MBA-M runs?

PhilliePhan 171 Central Scrutinizer Team Colleague

Wow, it worked, and I hit quick scan, and already found 7 infected objects. Hoping it works:)

Great! Good job :)

Make sure to have MBA-M remove all it finds and post the log - you may be instructed to run it again if the defs are not up to date. Plus, you'll want to do a "Full Scan" next time.

If I am not around, I'm sure another volunteer will be happy to assist you further.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Yes, its in program files and my system drive is C:\

Using your command prompt:

Type C:\PROGRA~1\MALWAR~1\mbam.exe ENTER

See if that works.
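The PROGRA~1 and MALWAR~1 pieces of that path are Windows 8.3 aliases, which is why the thread uses DIR /x to look them up before typing a path into command.com: the 16-bit shell cannot take long names with spaces. As an added example, not code from the thread or from any of PP's tools, the Python below parses DIR /x output (a constructed sample listing, not the poster's real one) to recover the aliases, predicts the alias for a long name with the usual 8.3 rule, and assembles the full short path. The ~1 tails are an assumption: Windows bumps the number when an earlier entry already took the alias, so the real DIR /x output is the authority.

```python
import re

# Constructed sample of `DIR /x "C:\Program Files"` output from an XP box.
# Not a capture from the thread: the aliases are what the 8.3 rule normally
# yields, and every ~1 tail assumes no earlier name already took that alias.
SAMPLE_DIR_X = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\Program Files

10/05/2009  09:12 PM    <DIR>                       .
10/05/2009  09:12 PM    <DIR>                       ..
08/14/2009  11:03 AM    <DIR>          COMMON~1     Common Files
01/09/2009  08:30 AM    <DIR>                       Java
09/02/2009  04:20 PM    <DIR>          MALWAR~1     Malwarebytes' Anti-Malware
09/20/2009  06:45 PM    <DIR>          SPYWAR~1     Spyware Doctor
07/11/2009  10:00 AM    <DIR>          WINDOW~1     Windows Media Player
               0 File(s)              0 bytes
               5 Dir(s)  12,345,678,912 bytes free
"""

# One DIR /x row: date, time, <DIR> or size, then "[alias] long name".
ROW_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<kind><DIR>|[\d,]+)\s+(?P<rest>.+?)\s*$"
)

# Characters Windows allows in an 8.3 name (spaces and periods are not).
SHORT_OK = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&'()-@^_`{}~")


def short_names_from_dir_x(listing):
    """Map each long name in `DIR /x` output to its 8.3 alias, or None when
    DIR left the alias column blank because the long name already fits 8.3."""
    mapping = {}
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group("rest") in (".", ".."):
            continue
        parts = m.group("rest").split(None, 1)
        # A long name that needed an alias always has it printed first; a
        # single token means the long name is its own 8.3 name.
        if len(parts) == 2:
            mapping[parts[1]] = parts[0]
        else:
            mapping[parts[0]] = None
    return mapping


def predict_short_name(long_name, tail=1):
    """Predict the alias Windows generates for long_name, or None if the name
    already fits 8.3 (then DIR /x prints no alias).  Rule applied: upper-case,
    split base/extension at the last period, drop spaces and other characters
    not valid in 8.3 names, keep six base characters plus ~tail and three
    extension characters.  tail=1 is an assumption; Windows increments it
    whenever an earlier entry in the same folder took the alias."""
    name = long_name.upper()
    base, dot, ext = name.rpartition(".")
    if not dot:
        base, ext = name, ""
    clean_base = "".join(c for c in base if c in SHORT_OK)
    clean_ext = "".join(c for c in ext if c in SHORT_OK)
    fits = (clean_base == base and clean_ext == ext and "." not in base
            and 1 <= len(base) <= 8 and len(ext) <= 3)
    if fits:
        return None
    short = clean_base[:6] + f"~{tail}"
    return short + (f".{clean_ext[:3]}" if clean_ext else "")


def short_path(drive, long_components, known=None):
    """Build a command.com-safe path from long components, using aliases seen
    with DIR /x where available and predicted ~1 aliases otherwise (guesses
    until DIR /x confirms them)."""
    known = known or {}
    parts = []
    for name in long_components:
        alias = known[name] if name in known else predict_short_name(name)
        parts.append(alias if alias else name)
    return drive + "\\" + "\\".join(parts)


if __name__ == "__main__":
    seen = short_names_from_dir_x(SAMPLE_DIR_X)
    print(short_path("C:", ["Program Files", "Spyware Doctor"], known=seen))
    print(short_path("C:", ["Program Files", "Malwarebytes' Anti-Malware", "mbam.exe"]))
```

Note that a file name that already fits 8.3, such as mbam.exe, passes through unchanged, which is why only the folder names in the thread's paths are abbreviated. Predicting an alias is only a shortcut for typing; when the prediction and the DIR /x column disagree, the column wins.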

PhilliePhan 171 Central Scrutinizer Team Colleague

Malwarebytes Anti-Malware? Yes, and no, I don't know how to run it in command prompt

Is it installed in Program Files (it should be)?

Is your system drive C:\ or different?

PhilliePhan 171 Central Scrutinizer Team Colleague

No bolded days on the calendar, and no restore points available:(

I also have no windows CD on hand, one of my friends has it. Recovery partition as in another HD? Don't have it

I was afraid of that....

You have MBA-M installed, right? Do you know how to run it via command prompt?

PhilliePhan 171 Central Scrutinizer Team Colleague

System Restore pops up. Should I restore my computer to an earlier time?

YES - Preferably to a point long before your issues started.

Then, see if you can Update and Run MBA-M. Have it remove what it finds and post back here with the scanlog.

-- Let us know if you run into problems.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

But I've seen this kind of issue before, and there System Restore doesn't work... that's why I gave the option for a system reformat...

Let us try a few options before resorting to this.

BTW - did you ask the poster if they have a copy of Windows or a recovery partition?

PhilliePhan 171 Central Scrutinizer Team Colleague

-- Open a command prompt with command.com

Type %systemroot%\system32\restore\rstrui.exe ENTER

What happens?

PhilliePhan 171 Central Scrutinizer Team Colleague

Is this like reformatting where it deletes all the files, or is it a settings change, and how do I go about doing it?

That is the "Last Resort," and certainly not called for at this time.
You will lose any data that is not backed up......

-- Are you able to access System Restore?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Hi Dave,

Please run MBA-M as per this linky and then post the log:

http://www.daniweb.com/forums/thread134865.html

PP:)

Dave29 commented: Did a great job in helping me resolve my issue!! +1
PhilliePhan 171 Central Scrutinizer Team Colleague

BTW: using Winkey+R and running MSConfig - Windows Config should allow you to disable most start-up processes, but sometimes the 3rd party utility will pull the more tricky buggers

LOL!
Hey KL, that's an argument I'm NOT going to have with you ;)

Suffice it to say that I believe that msconfig is for "diagnostic" startup rather than as a "startup manager." Frankly, HJT is a better startup manager. And I'm sure Judy will have her say . . . LOL!


@Kevin - Happy to see things are looking good :)

PP

Kevin392 commented: Very helpful as we worked through the problem. +5
PhilliePhan 171 Central Scrutinizer Team Colleague

So have you tried another keyboard as suggested by PP?

I definitely think we can rule out malware. I am very much leaning toward a hardware problem, probably with the keyboard. Obviously, this is something that will stick with a machine after multiple formats.

Definitely try a different keyboard.

-- Also, what happens when you press Ctrl + N?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks so much for your help...calling it a night myself once this scan is done.

You're welcome! Happy to help :)

Keeping my fingers crossed that things go well.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

nevermind...dumb question, figured it out...running now

Great! Well done! :)

You should be good to go, assuming MBA-M is up to date with build and definitions.

I am going to cut out - will check back Sunday evening. Please post the MBA-M log and I'm sure Judy or kaninelupus will be happy to assist you further.


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Yes..I can access task manager in normal mode.

Cool!
Use Task Manager to kill windows Police Pro.exe & svchasts.exe (note the spelling).

Now, you ought to be able to run some programs. I suggest you start with MBA-M and post the log for us.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Here is log....and yes, "Last Known Good Config" option is there when I go into Safe Mode....

Cool - We'll keep that in mind in case we need it.

-- Are you able to access Task Manager?

Obviously, there is a process we want to kill listed there ;)
Also, I think there are a couple less obvious ones. Once we kill them, you ought to be able to run MBA-M.....

Go ahead and answer my Task Manager question while I have a look at that list.....

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Ok, that worked...I have a command prompt

Ok, great.

Type tasklist >> %systemdrive%\TSKLST.txt ENTER
Type notepad %systemdrive%\TSKLST.txt ENTER

See if the log pops up now and post it for us.

Also, see my edited post above RE Last Known Good

PP :)
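The TSKLST.txt produced by that command is what gets read for names like svchasts.exe and windows Police Pro.exe, the two processes PP has the poster kill in the post further up. As an added example, not the thread's own TSKLST.bat or any of PP's tools, here is that triage done in Python over a constructed tasklist sample: parse the table, flag image names within a couple of edits of a core XP process name (svchasts.exe against svchost.exe), and flag spaced product-style names of the windows Police Pro.exe kind. The sample output and the small allow-list are constructed for the example; a real baseline would come from a known-clean machine of the same build.

```python
import re

# Constructed sample of `tasklist` output on an XP box, built around the
# process names called out in the thread; it is not a capture from the poster.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name     Session#    Mem Usage
========================= ======== ================ ======== ============
System Idle Process              0 Console                 0         28 K
System                           4 Console                 0        236 K
smss.exe                       540 Console                 0        388 K
csrss.exe                      604 Console                 0      3,912 K
winlogon.exe                   628 Console                 0      2,716 K
services.exe                   672 Console                 0      3,596 K
lsass.exe                      684 Console                 0      1,400 K
svchost.exe                    844 Console                 0      4,892 K
svchost.exe                    928 Console                 0      4,128 K
svchasts.exe                  1216 Console                 0      5,672 K
explorer.exe                  1480 Console                 0     18,364 K
windows Police Pro.exe        1596 Console                 0     12,108 K
firefox.exe                   1724 Console                 0     41,520 K
"""

# Illustrative allow-list of core XP process names (assumption: a real
# baseline is taken from a clean machine of the same build).
KNOWN_GOOD = {
    "system idle process", "system", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
    "alg.exe", "taskmgr.exe", "wuauclt.exe", "ctfmon.exe",
}

# Image names may contain spaces, so match the PID column non-greedily.
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+"
    r"(?P<sessnum>\d+)\s+(?P<mem>[\d,]+) K$"
)


def parse_tasklist(text):
    """Return [(image name, pid)] from `tasklist` output, skipping the header."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            rows.append((m.group("name").strip(), int(m.group("pid"))))
    return rows


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_processes(rows, max_distance=2):
    """Flag image names that imitate a core process name, or that carry spaces
    the way rogue-AV product names do.  A hit is a prompt to check the file's
    path and publisher, not a verdict on its own."""
    findings = []
    for name, pid in rows:
        low = name.lower()
        if low in KNOWN_GOOD:
            continue
        closest = min(sorted(KNOWN_GOOD), key=lambda good: edit_distance(low, good))
        if edit_distance(low, closest) <= max_distance:
            findings.append((name, pid, f"lookalike of {closest}"))
        elif " " in low:
            findings.append((name, pid, "spaces in image name, typical of rogue AV"))
    return findings


def kill_commands(findings):
    """taskkill lines for the flagged PIDs (taskkill ships with XP Professional
    but not XP Home, where Task Manager is the fallback, as in the thread)."""
    return [f"taskkill /F /PID {pid}" for _, pid, _ in findings]


if __name__ == "__main__":
    hits = suspicious_processes(parse_tasklist(SAMPLE_TASKLIST))
    for name, pid, why in hits:
        print(f"{name} (PID {pid}): {why}")
    print("\n".join(kill_commands(hits)))
```

The edit-distance rule is deliberately loose; it will also flag legitimate third-party binaries with names close to a core process, so each hit should be checked against the file's location (a svchost.exe outside %systemroot%\system32 is the classic tell) before anything is killed.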

PhilliePhan 171 Central Scrutinizer Team Colleague

No - screen blanks for a second and then just goes back to desktop with all the Windows Police Pro windows....won't open command prompt box

Try Start > Run > command.com

PhilliePhan 171 Central Scrutinizer Team Colleague

Can you get a command prompt in Normal Windows Boot?
Start > Run > cmd

-- Also, when booting to Safe Mode, do you have option for "Last Known Good Configuration?"

PhilliePhan 171 Central Scrutinizer Team Colleague

Thanks for the responses all. OS is Windows XP. I am able to boot up into Safe Mode with Networking and get online (posting from the problem computer now) - however I can't run Hijack This or Anti Malware...nothing happening when I try to run them.

Let's try this:
-- Download the attached file to the desktop and re-name it TSKLST.bat
Boot to normal windows and doubleclick on TSKLST.bat to run it. A log should pop up - Copy and paste that for us, if possible...

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

I guess we'll see where we are once Kevin posts back.

Here, Judy:
http://remove-malware.net/sofware/

They seem to be pimping PCTools, even if they spelled software wrong... LOL!


Registration Service Provided By: RESELLERCLUB
Contact: +1.4152361970

Domain Name: REMOVE-MALWARE.NET

Registrant:
Private Person
Bryan Stenberg ()
4 Trubek Farm Rd
Annandale
New Jersey,08801
US
Tel. +001.9087350422

Creation Date: 17-Oct-2008
Expiration Date: 17-Oct-2009

Hey . . . He's not in the Ukraine! LOL ;)


Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Could be, but all the other links I found with same instructions, word for word by the way, do not include the link called Windows Police Pro Automatic Remover. Why don't they call it Spyware Doctor?

Ok, you know more than me PP so I bow to you and take back my comment.

You're being too kind, Judy :)

That's a good question about SD - I did not bother to download the whole package, but if the site is affiliated with PCTools, then I would think it would be legit.
Even "legit" affiliates have been known to use scare tactics.....

BTW - OP cannot run any programs. I'd like to see what can be done in safe mode.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

@PhilliePhan - how good are you at guiding someone through a reg-fix? Looking more and more at this one, that may well be required here.

No worries on that front :) Have done hundreds - literally.

What worries me here is possible rootkit/stealth components in the mix. Have you heard or seen anything pointing in that direction?
I've been away from the battle for too long to be up to date on many details.

I do think MBA-M will get this baddie . . . If it can be run.

PP :)

EDIT: @Judy - Interestingly enough, the removal tool for download at the site KL linked looks like PCTools Spyware Doctor, a legitimate and well-respected product, last I heard. Maybe WOT is a bit off?
PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I'm totally locked up - I can't do anything. I'm posting this from another computer.

-- What OS?
-- Can you get into Safe Mode by tapping F8 at boot? (do not use msconfig)
-- Safe Mode with Networking to DL and run HJT and MBA-M?

Let us know what you are able to do via Safe Mode and we'll go from there.

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

@top10ufo:
I don't mean to demean your knowledge in any way shape or form - If I did, I apologize.

This is just not good advice, simply saying:

Try using ComboFix if you haven't already.

When you posted that, I kinda figured you were just here to spam your site. Maybe I was a bit harsh and, again, I apologize.
-- BTW, I like your website. Stuff like that interests me.

Still, I am going to stick by everything I said in this thread as being accurate.
As necrolin has noted, post#1 tends to lead away from a malware issue. The logs support that. Not sure why the OP is uninstalling AVG or running Combofix again.

All told, I think we made a pretty good mess of this thread....:-/


Cheers :)

nav33n commented: :) +11
PhilliePhan 171 Central Scrutinizer Team Colleague

What you saw in the combofix files - can you tell if that is the remnants of the virus i mentioned or is it a different one?

I'd like to know that as well - I didn't see anything.

@top10ufo:
I am not sure what you have the poster doing now or why you are doing it, so I will be happy to stay out of your way.

Unfortunately, some companies and advisors advocate disabling system restore *before* attempting a cleanup. This is dangerous advice. First, things can and do go wrong when attempting to remove malware. Second, the Restore Points may not be infected anyway. Third, any malware that may be in a Restore Point is harmless unless and until System Restore is used to restore a system to an earlier state, and that won't happen without direct user intervention.

Since you disdain Googling for knowledge, try this:

http://msmvps.com/blogs/spywaresucks/archive/2005/09/17/66724.aspx


Cheers :)

PhilliePhan 171 Central Scrutinizer Team Colleague

You obviously have no idea what you are talking about and are a typical "Google Tech" meaning you can fix it because you were able to find it on Google.

Wrong again - I'm sensing a theme.

When to Disable System Restore (as well as not forcing Safe Mode) has been discussed ad nauseam in all of the reputable security forums and frankly I have no interest in re-hashing it with you when so many examples already exist.
And yes, I used to tell people to disable system restore just as you do before I was taught that an infected point is better than none at all - if the cleaning process doesn't go well, you then have a "fall-back position" from which to try again.
Why do you think ComboFix and other repair tools set a restore point before running?

I am still waiting for you to show me that malware in the ComboFix log that I missed - What? Oh, you can't?
I thought not.

Cheers :)

PhilliePhan 171 Central Scrutinizer Team Colleague

Most malware will just copy itself back into the registry and the file location from system restore (the system volume folder) when deleted. Therefore, not disabling System Restore beforehand makes about as much sense as pissing in the wind. Antivirus manufacturers such as Symantec will tell you this as well.

Gawd that is wrong in multiple ways - plus not applicable here after multiple formats.....

Google this: An infected restore point is better than none at all.

We flush System Restore AFTER cleaning a machine.

The problem IS malware (you would know this by looking at the ComboFix log if you knew what you were talking about!)

Still waiting for you to show me the malware in the Combofix log. Either that or an apology would be nice.

Cheers :)

PhilliePhan 171 Central Scrutinizer Team Colleague

It's behaving itself at the moment (for the last 10 minutes - first time I've been able to do anything in a year! Is this any help - I ran an Avast cleaner and it was unable to look at these files C:\window\system32\catroot2\edb:log and same main name with \tmp.edb and temp\zlt00d58.tmp. Probably did wrong but tried to delete and said it was in use by another program or user.

No worries there - Don't try to delete those.

Honestly, I do not think this is malware. Unless it is something you reinstalled after re-formatting.
I do not see anything in the logs you provided - will wait for top10ufo to show me what I missed, if indeed that is the case.

--Did you say that the problem happens with Both browsers?
--Did you try the keyboard shortcut I mentioned - see if sticking?

Gotta run - I imagine one of the other regular posters will weigh in soon.

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Unless you feel you have more experience than I do, please keep your advice to yourself.

Then don't give bad advice regarding System Restore and ComboFix.
BTW:
ComboFix 09-08-29.01 - KristinG 29/08/2009 21:58.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.353.1033.18.446.184 [GMT 1:00]
Running from: E:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

The problem IS malware (you would know this by looking at the ComboFix log if you knew what you were talking about!)

Show me.

and just installing Firefox is not a problem solver if Windows security updates are not applied and up to date.

Didn't say it was a "solution." Just a part of the diagnostic process - to see if problem still occurs, and if it doesn't, at least the poster will have a working browser with which to carry out further steps.


Did you read the first post before immediately having the poster run ComboFix improperly?

I have had people look at it, re-formatted the hard drive several times, and nothing. Have tried God knows how many spyware/malware removers, anti-virus etc.

Not a lot of malware survives multiple re-formats . . . LOL!

PhilliePhan 171 Central Scrutinizer Team Colleague

Before running ComboFix you should have turned off System Restore

NO! Bad advice! Do not disable System Restore until told to do so by someone who knows what they are doing.

Frankly, running combofix at this stage (and improperly at that) is not called for.

However, in this case I doubt it matters.
It doesn't look like malware to me - Perhaps even a keyboard issue causing IE to open? After all, it is not opening to ads, but to home page.
Have you tried different Keyboard?

Also, try installing Firefox and seeing if the problem continues.

Cheers :)
PP

EDIT: Try banging on Ctrl + N ( the IE shortcut to open new window) to make sure they are not sticking......

karg commented: Solved - Excellent Advisor - much appreciated +1
PhilliePhan 171 Central Scrutinizer Team Colleague

I could do the scan, I didnt find a report so here are the results:
Filename: Sys.exe

-- You should delete C:\Sys.exe
I'm surprised nothing caught that......

-- It looks like you had a couple serious infections and possibly in the removal of the Conficker variant, your connection was borked....

* Be advised, though, you have an infected USB/External drive somewhere that could be reinfecting any number of machines!

-- Try running Kaspersky's stand alone tool as per the linky below and let us know the results:
http://support.kaspersky.com/faq/?qid=208279973

-- Also, taksman.exe has been known to bork DNS server settings. Maybe you guys should run ipconfig and flush DNS?
Perhaps a reset of router or Wireless connection as well?

Best Luck :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

Also, can you upload the following to Jotti and post the results?
It is probably malware and knowing what you were infected by might help with the current connection issue....

2009-07-21 20:16 . 2009-07-22 18:36 1218776 --sh--w- C:\Sys.exe

http://virusscan.jotti.org/en

PP :)
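That ComboFix line is what gave C:\Sys.exe away: an .exe sitting in the drive root with the system and hidden attributes set (the s and h in --sh--w-) and a creation date only days old. Further up the page PP also wants "a look at the files that have been added in the last 15 days or so". As an added example, not ComboFix's own code or any tool from the thread, the Python below parses ComboFix-style "Files Created Or Modified" lines and applies both checks. The sample lines are constructed (only the Sys.exe entry mirrors the thread), the reference date is an assumption since the thread does not give the log's date, and the attribute string is decoded by letter rather than by column position, which is an assumption about how ComboFix lays it out.

```python
import ntpath
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed ComboFix-style entries.  Only C:\Sys.exe mirrors the thread;
# the rest are made up to show how the rules behave on ordinary files.
SAMPLE_COMBOFIX = """\
2009-07-21 20:16 . 2009-07-22 18:36\t1218776\t--sh--w-\tC:\\Sys.exe
2009-07-20 10:02 . 2009-07-20 10:02\t--------\td-----w-\tc:\\program files\\Trend Micro
2009-07-20 10:02 . 2009-07-20 10:03\t388096\t----a-w-\tc:\\program files\\Trend Micro\\HijackThis\\HijackThis.exe
2009-07-19 14:20 . 2009-07-19 14:21\t1386808\t----a-w-\tc:\\program files\\Malwarebytes' Anti-Malware\\mbam.exe
2008-04-14 00:12 . 2009-07-19 12:00\t1033728\t----a-w-\tc:\\windows\\explorer.exe
2009-03-02 07:12 . 2009-03-02 07:12\t211\t--sh--w-\tC:\\boot.ini
"""

# created " . " modified, size or dashes for a folder, 8-char flags, path.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)

# Flag letters read wherever they appear; 'w' carries no attribute here.
ATTR_LETTERS = {"d": "directory", "c": "compressed", "s": "system",
                "h": "hidden", "a": "archive", "r": "read-only"}

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat"}

Entry = namedtuple("Entry", "created modified size attrs path")


def parse_combofix_files(text):
    """Turn ComboFix file lines into Entry records; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        size = None if m.group("size").startswith("-") else int(m.group("size"))
        attrs = {ATTR_LETTERS[c] for c in m.group("attrs") if c in ATTR_LETTERS}
        entries.append(Entry(
            datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
            size, attrs, m.group("path")))
    return entries


def is_executable(entry):
    """Files (not folders) whose extension Windows will run."""
    return ("directory" not in entry.attrs
            and ntpath.splitext(entry.path.lower())[1] in EXEC_EXT)


def created_within(entries, reference, days=15):
    """Executables created in the `days` before `reference`, the date the log
    was taken (an assumption here).  A review list, not a verdict: freshly
    installed tools land on it too, and creation times can be forged."""
    cutoff = reference - timedelta(days=days)
    return [e.path for e in entries if is_executable(e) and e.created >= cutoff]


def hidden_system_executables(entries):
    """Executables carrying both hidden and system attributes.  Normal for
    boot.ini, not for an .exe sitting in the root of the drive."""
    return [e.path for e in entries
            if is_executable(e) and {"hidden", "system"} <= e.attrs]


if __name__ == "__main__":
    found = parse_combofix_files(SAMPLE_COMBOFIX)
    print("created in the last 15 days:", created_within(found, datetime(2009, 7, 23)))
    print("hidden+system executables:", hidden_system_executables(found))
```

The two lists serve different purposes. The recent-files list is deliberately broad and will include HijackThis.exe and mbam.exe if they were installed during the cleanup, so it is read alongside what the user remembers installing; the hidden+system list is short and each hit deserves a Jotti or similar upload before it is deleted.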

PhilliePhan 171 Central Scrutinizer Team Colleague

I did the online scan and after booting, the connection was gone.

I didn't see if crunchie already asked this, but do you have a logfile of what was removed by Kaspersky?
Do you have any old scanlogs from before you posted to this forum?
If so, please post them!

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I suggest you use ATF-Cleaner by Atribune

Cheers :)
PP

PhilliePhan 171 Central Scrutinizer Team Colleague

need to go to best buy to be cleaned pronto

What is the point of this post? Not helpful at all.

Is there any way to run the Anti-Malware, and have it check my F: drive? It seems that it just wants to check C:\.

Hi Jim,
-- Did you re-connect your WD My Book? (Sorry, had to ask ;) )
-- Are you able to scan with MBA-M in Normal Windows Boot?
-- When you run MBA-M Full Scan, it ought to automatically detect your F: drive and give you the option to scan it. Does MBA-M fail to recognize drive in Normal Windows boot?

PP :)

PhilliePhan 171 Central Scrutinizer Team Colleague

I do not believe that this is a malware issue. Perhaps some security settings have been changed? Have you tried a System Restore to a time when your compy was behaving properly?

You could fix the following in HJT, but they are just minor cleanup:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O13 - Gopher Prefix:

I am not sure why you are having trouble with command prompt. Have you tried navigating to cmd.exe and running it? What about command.com?

-- For your connectivity issue, you might try investigating with the following tools:
http://visualroute.visualware.com/
http://network-tools.com/

-- Have you installed the latest build for ZoneAlarm? I think they had a recent update.

-- Do you have connection problems using IE?

There could be any number of causes for the connectivity problems.
The command prompt issue may be a lingering result from a previously cleaned malware infection.

PP :)