AnimeSuki.com Forum

AnimeSuki Forum (http://forums.animesuki.com/index.php)
-   Tech Support (http://forums.animesuki.com/forumdisplay.php?f=24)
-   -   A bit of a problem (http://forums.animesuki.com/showthread.php?t=85786)

kakakka 2009-09-01 15:41

A bit of a problem
 
Last week I got a problem on my computer that disables/closes/makes me unable to open some of these things

1) Task Manager
2) Yahoo Messenger
3) Yahoo Mail/MSN
4) Norton Anti-Virus
5) Any update
etc (that I don't know)

Now I got Malwarebytes' and Superantispyware to scan my computer for something bad (Malwarebytes 2-3 times before PC restore and 1 time after PC restore, then 1 time for SAS). Also did AVG before PC restore, but it messed up a bit (it didn't stop scanning). I also downloaded Spybot(?) after the PC restore, but it won't open/run for some reason.

Now I can access/do 2, 3, and 5 after PC restore and scanning. Didn't redownload Norton. Still can't access Task Manager. I found out I can't access regedit. I remember from the Malwarebytes logs (which I don't have right now) that some things are hijacking those files and can't easily be erased/solved by Malwarebytes, even by restarting, so what do I do now? I think there's still a problem.

Any websites that answer this question are also welcome.

Thanks in advance

Claies 2009-09-01 23:50

Sounds like malware. Have you tried doing the above in safe mode?

Also, can HijackThis run? If it can, please have it perform a scan and put the logs up here.
http://download.cnet.com/Trend-Micro...-10227353.html

I'd go for a full format and reinstall if this doesn't work out. That's pretty entrenched in the OS and it'd be difficult to render it completely clean again.

kakakka 2009-09-02 10:11

It doesn't go to Safe Mode

Here's the result from HiJackThis

Spoiler for hijackthis:


These entries always show up in Malwarebyte scans

Spoiler for mbam-log:

SaintessHeart 2009-09-02 12:39

Quote:

Originally Posted by kakakka (Post 2619971)
It doesn't go to Safe Mode

Here's the result from HiJackThis

Spoiler for hijackthis:


These entries always show up in Malwarebyte scans

Spoiler for mbam-log:

OT : Funny, your computer runs BOTH HP and Compaq's custom programs. Rule of thumb : never install or run anything packaged under the computer's brand name, they are usually useless and full of bugs. Just install the drivers they give you.

You mean it hangs when you try to go into safemode?

Had the same problem recently, needed to try a few times for me. Anyway I bolded the potential malware on hijackthis already, the red one being the most suspicious.

Regedit seems to be disabled, one of the first few signs of something wrong. Only the dumbest of system administrators managing a network would disable regedit IMO, because it doesn't help to slow infection of malware, only helps to deter port intrusions.

1. Uninstall Google toolbar and Superantispyware. For the latter product, DELETE anything it quarantined. Don't restart your computer yet if it does prompt.

2. Download and run CCleaner. Clean up your registry AND temp files, then go disable system restore. Now you can restart.

3. Backup your Registry if you can access regedit, and quarantine the backup in an antivirus. Delete the stuff I bolded on hijackthis. Before you do that, rename hijackthis.exe with something random like "uguuuguu123456.exe" and set the file as read-only. Post the new hijackthis log here if you can, and if possible, the safemode one too.

EDIT :

I am not sure if this works, but try if you want, since your computer is pretty much either a test subject or a gone case.

Open notepad and copypasta this in :

Quote:

Windows Registry Editor Version 5.00

; Re-create the policy path in case any level is missing, then remove the
; DisableRegistryTools value. A value is removed with "Name"=- under its key;
; a [-Key] line deletes a whole key, which is not what is wanted here.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-
Save it as "Repair.reg" by selecting the file type to save as All Files, and putting in the filename.

This too :

Quote:

Windows Registry Editor Version 5.00

; Same structure as Repair.reg, this time removing the DisableTaskMgr value
; with "Name"=- under its key rather than a [-Key] line.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
Save this as "repair2.reg" under same methods.

Run both the .reg files and replace the registry values, then go back to step 3 before my edit to post a new hijackthis log.

P.S. If they don't work, modify the files with these

Spoiler for just in case:


I haven't been building .reg files for a bloody long time, close to half a decade.

kakakka 2009-09-02 15:45

Quote:

Funny, your computer runs BOTH HP and Compaq's custom programs. Rule of thumb : never install or run anything packaged under the computer's brand name, they are usually useless and full of bugs. Just install the drivers they give you.
I think it already had them (Compaq files) when my family got the computer. Though it might have got HP extras when we installed the printer.

Quote:

You mean it hangs when you try to go into safemode?
The computer restarts again if I try to choose any Safe Mode when I F8 while starting.

I'll try what you said. Thanks for the reply


________________


Unfortunately, that didn't work.

Added AVG. Then got up to no. 2 of your steps.

No. 3 seems a no-go since I still can't access regedit.

CCleaner is also blocked, after I did no. 2.

Tried the EDIT: didn't work either.

here's a log now...

Spoiler for hijackthis:

SaintessHeart 2009-09-02 23:22

Quote:

Originally Posted by kakakka (Post 2620635)
I think it already had them (Compaq files) when my family got the computer. Though it might have got HP extras when we installed the printer.

Please tell me it is a second-hand!

Quote:

Originally Posted by kakakka (Post 2620635)
Unfortunately, that didn't work.

Added AVG. Then got up to no. 2 of your steps.

No. 3 seems a no-go since I still can't access regedit.

CCleaner is also blocked, after I did no. 2.

Tried the EDIT: didn't work either.

here's a log now...

Spoiler for hijackthis:

The CLOAKER.EXE looks bloody suspicious. Tried running your computer in administrator mode? Or that default user is the admin?

Here are some solutions :

Go to Run and type in cmd, press enter. Type in "chkdsk /f", pressing Y when it asks you to. Type in "shutdown -r -t 01". Let it fix any errors, then try to boot in safemode for a hijackthis log.

If not :

1. Uninstall AVG, CCleaner, Spybot but keep their installation programs (other than AVG). Download Avast! BUT DON'T install it yet.

2. Then download these :

http://www.filefactory.com/file/ah52g1c/n/uguu_reg

http://www.filefactory.com/file/ah52h1a/n/desu_reg

3. And run uguu.reg FIRST, then desu.reg. You should be able to start up your registry now. Go under

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Modify ALL the values other than default to 0 (keeping value type as hexadecimal). Then go under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\

4. Modify these values to 1 :

AntiVirusDisableNotify
FirewallDisableNotify
UpdateDisableNotify


5. Install Avast and run a boot scan. If Avast does a restart, run uguu and desu and loop the registry modifications before proceeding with the install.

6. Download Scar5's Simple File Shredder to shred out cloaker.exe if you find it on Windows search. At any rate, I need the hijackthis log in safe mode.

To try an alternate method in safe mode, go Start>Run and type in msconfig. Under BOOT.INI select /SAFEBOOT. Restart.

If it throws the computer into a loop, press F8 and start up in normal mode.

If such an error recurs we are in trouble. I will try and find the solution to that CLOAKER.EXE program on my end.
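As an added example (my own, not SaintessHeart's or anything posted in this thread), here is a PowerShell script that audits the two policy values the .reg files in this thread target (DisableRegistryTools and DisableTaskMgr), the same values under HKLM, and the three Security Center switches named in step 4, and with -Fix removes non-zero policy values. It assumes PowerShell is available on the machine (Windows XP needs it installed separately), that it runs in the affected user's session, and that an elevated prompt is used when HKLM is to be changed. A non-zero Security Center *DisableNotify value means that warning is suppressed; that can be a legitimate user choice, so the script reports those values and leaves them alone.

```powershell
# Added example, not from the thread: audit (and optionally clear) the policy values
# that block Task Manager and regedit, and report the Security Center notification switches.
param([switch]$Fix)

# Each entry: registry path, the value names to inspect, what a non-zero value means,
# and whether -Fix is allowed to remove it.
$checks = @(
    @{ Path    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names   = @('DisableRegistryTools', 'DisableTaskMgr')
       Meaning = 'tool blocked for this user'; Clear = $true },
    @{ Path    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names   = @('DisableRegistryTools', 'DisableTaskMgr')
       Meaning = 'tool blocked machine-wide'; Clear = $true },
    @{ Path    = 'HKLM:\Software\Microsoft\Security Center'
       Names   = @('AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdateDisableNotify')
       Meaning = 'Security Center warning suppressed'; Clear = $false }
)

$findings = @()
foreach ($c in $checks) {
    # A missing key means nothing is set there, which is the clean default.
    if (-not (Test-Path -LiteralPath $c.Path)) { continue }
    $key = Get-ItemProperty -LiteralPath $c.Path
    foreach ($n in $c.Names) {
        $v = $key.PSObject.Properties[$n]
        if ($null -eq $v) { continue }                 # value not present
        $isSet  = "$($v.Value)" -ne '0'                # REG_DWORD 0 / absent = not restricted
        $status = if ($isSet) { $c.Meaning } else { 'present but zero' }
        $findings += New-Object PSObject -Property @{
            Path = $c.Path; Name = $n; Value = $v.Value; Status = $status }
        if ($Fix -and $c.Clear -and $isSet) {
            # Remove the value instead of writing 0: an absent value is the default state,
            # and removal is what the Repair.reg / repair2.reg files above are meant to do.
            Remove-ItemProperty -LiteralPath $c.Path -Name $n
            Write-Host "Removed $n from $($c.Path)"
        }
    }
}

if ($findings.Count -eq 0) {
    'No restriction or notification-suppression values found.'
} else {
    $findings | Format-Table Path, Name, Value, Status -AutoSize
}
```

Run it once without -Fix to see what is set, then with -Fix to clear the policy values; if they come back after a reboot, something still running is re-writing them, which is the situation the thread's later posts describe and a sign that a scan from clean media or a reinstall is the more reliable route.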

Claies 2009-09-03 01:42

CLOAKER.exe looks like an HP driver. He doesn't need it anyway, but I'm much more worried about this one:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

I don't have time to search right now, but I'd prioritize sending that "Pol icies" directory to the sun.

demonix 2009-09-03 03:41

Quote:

Originally Posted by Claies (Post 2621689)
CLOAKER.exe looks like an HP driver.

It is and the location it's running from is correct according to process library.

Also you shouldn't have more than 1 anti-virus installed since it can cause problems, and even I wouldn't have AVG installed since it's a complete and total placebo.

kakakka 2009-09-03 10:19

Quote:

Please tell me it is a second-hand!
It looked new 4 years ago >_>
Quote:

CLOAKER.exe looks like an HP driver. He doesn't need it anyway, but I'm much more worried of this one:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

I don't have time to search right now, but I'd prioritize sending that "Pol icies" directory to the sun.
Before I posted this problem here, Malwarebytes tried to fix it 2-3 times. Any additional suggestions are welcome.
Quote:

Also you shouldn't have more then 1 anti-virus installed since it can cause problems
What do you mean? I don't think I got two, except if one isn't really working/being stopped to work.
Quote:

even I wouldn't have AVG installed since it's a complete and total placebo.
Yeah, been fooled twice now. I wouldn't go for the third...


I'll try your suggestion later SaintessHeart...

___________

Quote:

3. And run uguu.reg FIRST, then desu.reg. You should be able to start up your registry now.
This is no go, unfortunately

sa547 2009-09-03 14:42

Waitasec... based on the HJT results, I notice that you seem to be running both Norton Antivirus (probably an old copy) and AVG altogether, which isn't good. Only one antivirus must be running, so you'll have to uninstall the other.

Rename Hijackthis.exe to something like "dehijack.exe" so that any potential trojan running wouldn't see and try to evade its presence.

If all other efforts fail, the last-ditch measure is to backup, reformat the whole hard disk, and reinstall the operating system.

Claies 2009-09-03 14:46

Quote:

Originally Posted by kakakka (Post 2622273)
Before I posted this problem here, malwarebyte's tried to fix it 2-3 times. Any additional suggestions are welcome

Have you tried getting your hands on a Windows XP install disc and performing a repair to try and get safe mode working again? I suggest trying that, and then rerunning Spybot or Malwarebytes under safe mode to remove it completely.

Oh, another thing: when you're doing all these scans, physically disconnect your computer from the Internet so the malware doesn't get the chance to redownload and reinstall various nasties that you removed last time. This means unplugging the ethernet cable if there is one, or taking out the wireless router if that's how the Internet works in your house. If taking out the router inconveniences someone else, open your computer and take out the wireless card. If necessary, post back to us on some other computer.

[EDIT]: Echoing what the rest said about antivirus software, do go ahead and take out AVG.

kakakka 2009-09-04 09:31

Quote:

Have you tried getting your hands on a Windows XP install disc and performing a repair to try and get safe mode working again? I suggest trying that, and then rerunning Spybot or Malwarebytes under safe mode to remove it completely.
I don't have one, as far as I know.

Quote:

1. Uninstall AVG, CCleaner, Spybot but keep their installation programs (other than AVG). Download Avast! BUT DON'T install it yet.

2. Then download these :

http://www.filefactory.com/file/ah52g1c/n/uguu_reg

http://www.filefactory.com/file/ah52h1a/n/desu_reg

3. And run uguu.reg FIRST, then desu.reg. You should be able to start up your registry now. Go under

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Modify ALL the values other than default to 0 (keeping value type as hexadecimal). Then go under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\

4. Modify these values to 1 :

AntiVirusDisableNotify
FirewallDisableNotify
UpdateDisableNotify

5. Install Avast and run a boot scan. If Avast does a restart run uguu and desu and loop the registry modifications before proceeding with the install.


Okay, I tried again after I got (temporarily?) access to regedit after I fixed the DisableRegedit through Hijackthis. Though I can't install avast!

SaintessHeart 2009-09-04 10:32

Quote:

Originally Posted by kakakka (Post 2624778)
I don't have one, as far as I know/

There are many ways to get something you can't buy. For everything else (i.e Vista), there is Mastercard.

Quote:

Originally Posted by kakakka (Post 2624778)
Okay, I tried again after I got (temporarily?) access to regedit after I fix the DisableRegedit through Hijackthis. Though I can't install avast!

Can't install as in?

I shall be consistent and say : Uninstall AVG. I am not sure if Norton is disabled, but if you can run a boot time scan with it.

This is going to be tedious, but if you can still use Regedit, help me find out ALL the HKEYs under the Norton and Symantec keywords using Find. Several HKEYs can be found under different locales, so keep searching until the results repeat themselves. Then right click on the folders and click export to desktop. Finally, right click on the .reg file, select edit, and copypasta everything inside out here under spoiler tags.

Life sucks without your personal Windows disk.

kakakka 2009-09-04 10:57

For the installation, it doesn't load while downloading setupeng.exe. It closes automatically.

I tried to change the name of the setup. It went as far as asking some sort of agree/decline window. Then it closes.

(EDIT: I'm trying to do it again now....)

I don't have AVG anymore. I don't have Norton anymore (I can't run it anyways, and doesn't do anything active).

Here's the current one...
Spoiler for hijackthis:

kakakka 2009-09-04 13:18

Scanned from Registry Editor:
Windows Registry Editor Version 5.00

Spoiler for o:


Spoiler for NSI:


Spoiler for exe:


Spoiler for MUICache:


Spoiler for NortonSystemInfo:

kakakka 2009-09-04 13:19

Spoiler for installer:

kakakka 2009-09-04 13:20

Spoiler for installer (cont.):

