AnimeSuki Forums

Old 2009-09-01, 15:41   Link #1
kakakka
Senior Member
 
 
Join Date: Sep 2008
A bit of a problem

Last week I got a problem on my computer, making it disable/close/unable to open some of these things:

1) Task Manager
2) Yahoo Messenger
3) Yahoo Mail/MSN
4) Norton Anti-Virus
5) Any update
etc (that I don't know)

Now I got Malwarebytes and SuperAntiSpyware to scan my computer for something bad (Malwarebytes 2-3 times before PC restore and 1 time after PC restore, then 1 time for SAS). Also did AVG before PC restore, but it messed up a bit (it didn't stop scanning). I also downloaded Spybot(?) after the PC restore, but it won't open/run for some reason.

Now I can access/do 2, 3, and 5 after PC restore and scanning. Didn't redownload Norton. Still can't access Task Manager. I found out I can't access regedit. I remember from the logs (which I don't have right now) from Malwarebytes that some things are hijacking those files that can't easily be erased/solved by Malwarebytes even by restarting, so what do I do now? I think there's still a problem.

Any websites that answer this question are also welcome.

Thanks in advance
Old 2009-09-01, 23:50   Link #2
Claies
Good-Natured Asshole.
 
 
Join Date: May 2007
Age: 25
Sounds like malware. Have you tried doing the above in safe mode?

Also, can HijackThis run? If it can, please have it perform a scan and put the logs up here.
http://download.cnet.com/Trend-Micro...-10227353.html

I'd go for a full format and reinstall if this doesn't work out. That's pretty entrenched in the OS and it'd be difficult to render it completely clean again.
Old 2009-09-02, 10:11   Link #3
kakakka
Senior Member
 
 
Join Date: Sep 2008
It doesn't go to Safe Mode

Here's the result from HiJackThis

Spoiler for hijackthis:


These entries always show up in Malwarebyte scans

Spoiler for mbam-log:
Old 2009-09-02, 12:39   Link #4
SaintessHeart
Ehh? EEEEHHHHHH?
 
 
Join Date: Nov 2007
Age: 25
Quote:
Originally Posted by kakakka View Post
It doesn't go to Safe Mode

Here's the result from HiJackThis

Spoiler for hijackthis:


These entries always show up in Malwarebyte scans

Spoiler for mbam-log:
OT : Funny, your computer runs BOTH HP and Compaq's custom programs. Rule of thumb : never install or run anything packaged under the computer's brand name, they are usually useless and full of bugs. Just install the drivers they give you.

You mean it hangs when you try to go into safemode?

Had the same problem recently, needed to try a few times for me. Anyway I bolded the potential malware on hijackthis already, the red one being the most suspicious.

Regedit seems to be disabled, one of the first few signs of something wrong. Only the dumbest of system administrators managing a network would disable regedit IMO, because it doesn't help to slow infection of malware, only helps to deter port intrusions.

1. Uninstall Google toolbar and Superantispyware. For the latter product, DELETE anything it quarantined. Don't restart your computer yet if it does prompt.

2. Download and run CCleaner. Clean up your registry AND temp files, then go disable system restore. Now you can restart.

3. Backup your Registry if you can access regedit, and quarantine the backup in an antivirus. Delete the stuff I bolded on hijackthis. Before you do that, rename hijackthis.exe with something random like "uguuuguu123456.exe" and set the file as read-only. Post the new hijackthis log here if you can, and if possible, the safemode one too.

EDIT :

I am not sure if this works, but try if you want, since your computer is pretty much either a test subject or a gone case.

Open notepad and copypasta this in :

Quote:
Windows Registry Editor Version 5.00

; DisableRegistryTools is a value under the System key, not a subkey,
; so it has to be removed with the "name"=- syntax; a [-key] line
; would try to delete a subkey of that name, which does not exist.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-
Save it as "Repair.reg" by selecting the file type to save as All Files, and putting in the filename.

This too :

Quote:
Windows Registry Editor Version 5.00

; Same idea: DisableTaskMgr is a value under the System key, so remove
; the value rather than trying to delete a subkey named DisableTaskMgr.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
Save this as "repair2.reg" under same methods.

Run both the .reg files and replace the registry values, then go back to step 3 before my edit to post a new hijackthis log.

P.S If they don't work modify the files with these

Spoiler for just in case:


I haven't been building .reg files for a bloody long time, close to half a decade.
__________________

When three puppygirls named after pastries are on top of each other, it is called Eclair a'la menthe et Biscotti aux fraises avec beaucoup de Ricotta sur le dessus.
Most of all, you have to be disciplined and you have to save, even if you hate our current financial system. Because if you don't save, then you're guaranteed to end up with nothing.

Last edited by SaintessHeart; 2009-09-02 at 13:09.
Old 2009-09-02, 15:45   Link #5
kakakka
Senior Member
 
 
Join Date: Sep 2008
Quote:
Funny, your computer runs BOTH HP and Compaq's custom programs. Rule of thumb : never install or run anything packaged under the computer's brand name, they are usually useless and full of bugs. Just install the drivers they give you.
I think it already had them (Compaq files) when my family got the computer. Though it might have got HP extras when we installed the printer.

Quote:
You mean it hangs when you try to go into safemode?
The computer restarts again if I try to choose any Safe Mode when I F8 while starting.

I'll try what you said. Thanks for the reply


________________


Unfortunately, that didn't work.

Added AVG. Then got up to no. 2 of your step

no. 3 seems no go since I still can't access regedit

CCleaner is also blocked, after I did no. 2

tried the EDIT: didn't work too

here's a log now...

Spoiler for hijackthis:
Old 2009-09-02, 23:22   Link #6
SaintessHeart
Ehh? EEEEHHHHHH?
 
 
Join Date: Nov 2007
Age: 25
Quote:
Originally Posted by kakakka View Post
I think it already had them (Compaq files) when my family got the computer. Though it might have got HP extras when we installed the printer.
Please tell me it is a second-hand!

Quote:
Originally Posted by kakakka View Post
Unfortunately, that didn't work.

Added AVG. Then got up to no. 2 of your step

no. 3 seems no go since I still can't access regedit

CCleaner is also blocked, after I did no. 2

tried the EDIT: didn't work too

here's a log now...

Spoiler for hijackthis:
The CLOAKER.EXE looks bloody suspicious. Tried running your computer in administrator mode? Or that default user is the admin?

Here are some solutions :

Go run and type in cmd, press enter. Type in "chkdsk /f", pressing Y when it asks you to. Type in "shutdown -r -t 01". Let it fix any errors then try to boot in safemode for a hijackthis log.

If not :

1. Uninstall AVG, CCleaner, Spybot but keep their installation programs (other than AVG). Download Avast! BUT DON'T install it yet.

2. Then download these :

http://www.filefactory.com/file/ah52g1c/n/uguu_reg

http://www.filefactory.com/file/ah52h1a/n/desu_reg

3. And run uguu.reg FIRST, then desu.reg. You should be able to start up your registry now. Go under

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Modify ALL the values other than default to 0 (keeping value type as hexadecimal). Then go under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\

4. Modify these values to 1 :

AntiVirusDisableNotify
FirewallDisableNotify
UpdateDisableNotify


5. Install Avast and run a boot scan. If Avast does a restart run uguu and desu and loop the registry modifications before proceeding with the install.

6. Download Scar5's Simple File Shredder to shred out cloaker.exe if you find it on Windows search. At any rate, I need the hijackthis log in safe mode.

To try an alternate method in safe mode, go Start>Run and type in msconfig. Under BOOT.INI select /SAFEBOOT. Restart.

If it throws the computer into a loop, press F8 and start up in normal mode.

If such an error recurs we are in trouble. I will try and find the solution to that CLOAKER.EXE program on my end.
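As an added, defender-side example (not code from anyone in this thread): a PowerShell audit of the two registry locations SaintessHeart's posts #4 and #6 walk through, the Policies\System lockdown values and the Security Center DisableNotify values. It assumes an elevated PowerShell 2.0 or later session on the affected machine; the clean state for all of these values is absent or 0, and a DisableNotify value of 1 silences the antivirus, firewall and update warnings.

```powershell
# Added example, not from the thread. Report-only by default; pass -Remediate
# to delete the lockdown values and reset the notification-suppression values.
param([switch]$Remediate)

$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$scKey  = 'HKLM:\SOFTWARE\Microsoft\Security Center'

# Policy values that lock the user out of diagnostic tools (non-zero = locked).
$lockdownValues = 'DisableRegistryTools', 'DisableTaskMgr'
# Security Center values whose clean state is 0; 1 hides the "no AV/firewall/updates" warnings.
$notifyValues   = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdateDisableNotify'

function Get-RegValueOrNull($Path, $Name) {
    # Returns $null when the key or the value is absent instead of throwing.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()
foreach ($name in $lockdownValues) {
    $v = Get-RegValueOrNull $polKey $name
    if ($null -ne $v -and $v -ne 0) {
        $findings += New-Object PSObject -Property @{ Key = $polKey; Name = $name; Value = $v; Fix = 'delete' }
    }
}
foreach ($name in $notifyValues) {
    $v = Get-RegValueOrNull $scKey $name
    if ($null -ne $v -and $v -ne 0) {
        $findings += New-Object PSObject -Property @{ Key = $scKey; Name = $name; Value = $v; Fix = 'set to 0' }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No lockdown or notification-suppression values found.'
    return
}
$findings | Format-Table Key, Name, Value, Fix -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        if ($f.Fix -eq 'delete') {
            Remove-ItemProperty -Path $f.Key -Name $f.Name
        } else {
            Set-ItemProperty -Path $f.Key -Name $f.Name -Value 0 -Type DWord
        }
        Write-Host "Fixed $($f.Name) under $($f.Key)"
    }
    Write-Host 'Re-run after a reboot: if these values come back, a running process is re-setting them.'
}
```

The re-run check is the useful part for a case like this thread: a value that reappears after a reboot points at an active process or autorun entry rather than a leftover setting.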
Old 2009-09-03, 01:42   Link #7
Claies
Good-Natured Asshole.
 
 
Join Date: May 2007
Age: 25
CLOAKER.exe looks like an HP driver. He doesn't need it anyway, but I'm much more worried of this one:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

I don't have time to search right now, but I'd prioritize sending that "Policies" directory to the sun.
Old 2009-09-03, 03:41   Link #8
demonix
Senior Member
 
 
Join Date: Jul 2006
Location: Hayes, Middx UK
Age: 35
Quote:
Originally Posted by Claies View Post
CLOAKER.exe looks like an HP driver.
It is and the location it's running from is correct according to process library.

Also you shouldn't have more than 1 anti-virus installed since it can cause problems, and even I wouldn't have AVG installed since it's a complete and total placebo.
Old 2009-09-03, 10:19   Link #9
kakakka
Senior Member
 
 
Join Date: Sep 2008
Quote:
Please tell me it is a second-hand!
It looks new 4 years ago >_>
Quote:
CLOAKER.exe looks like an HP driver. He doesn't need it anyway, but I'm much more worried of this one:

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

I don't have time to search right now, but I'd prioritize sending that "Policies" directory to the sun.
Before I posted this problem here, Malwarebytes tried to fix it 2-3 times. Any additional suggestions are welcome
Quote:
Also you shouldn't have more than 1 anti-virus installed since it can cause problems
What do you mean? I don't think I got two, except if one isn't really working/being stopped to work.
Quote:
even I wouldn't have AVG installed since it's a complete and total placebo.
Yeah, been fooled twice now. I wouldn't go for the third...


I'll try your suggestion later SaintessHeart...

___________

Quote:
3. And run uguu.reg FIRST, then desu.reg. You should be able to start up your registry now.
This is no go, unfortunately
Old 2009-09-03, 14:42   Link #10
sa547
Senior Member
*Author
 
 
Join Date: Oct 2007
Location: Philippines
Age: 37
Waitasec... based on the HJT results, I notice that you seem to be running both Norton Antivirus (probably an old copy) and AVG altogether, which isn't good. Only one antivirus must be running, so you'll have to uninstall the other.

Rename Hijackthis.exe to something like "dehijack.exe" so that any potential trojan running wouldn't see and try to evade its presence.

If all other efforts fail, the last-ditch measure is to backup, reformat the whole hard disk, and reinstall the operating system.
Old 2009-09-03, 14:46   Link #11
Claies
Good-Natured Asshole.
 
 
Join Date: May 2007
Age: 25
Quote:
Originally Posted by kakakka View Post
Before I posted this problem here, Malwarebytes tried to fix it 2-3 times. Any additional suggestions are welcome
Have you tried getting your hands on a Windows XP install disc and performing a repair to try and get safe mode working again? I suggest trying that, and then rerunning Spybot or Malwarebytes under safe mode to remove it completely.

Oh, another thing: When you're doing all these scans, physically disconnect your computer from the Internet so the malware doesn't get the chance to redownload and reinstall various nasties that you've removed last time. This means unplugging the ethernet cable if there is one, or taking out the wireless router if that's how Internet works in your house. If taking out the router inconveniences someone else, open your computer and take out the wireless card. If necessary, post back to us on some other computer.

[EDIT]: Echoing what the rest said about antivirus software, do go ahead and take out AVG.
Old 2009-09-04, 09:31   Link #12
kakakka
Senior Member
 
 
Join Date: Sep 2008
Quote:
Have you tried getting your hands on a Windows XP install disc and performing a repair to try and get safe mode working again? I suggest trying that, and then rerunning Spybot or Malwarebytes under safe mode to remove it completely.
I don't have one, as far as I know.

Quote:
1. Uninstall AVG, CCleaner, Spybot but keep their installation programs (other than AVG). Download Avast! BUT DON'T install it yet.

2. Then download these :

http://www.filefactory.com/file/ah52g1c/n/uguu_reg

http://www.filefactory.com/file/ah52h1a/n/desu_reg

3. And run uguu.reg FIRST, then desu.reg. You should be able to start up your registry now. Go under

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Modify ALL the values other than default to 0 (keeping value type as hexadecimal). Then go under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\

4. Modify these values to 1 :

AntiVirusDisableNotify
FirewallDisableNotify
UpdateDisableNotify

5. Install Avast and run a boot scan. If Avast does a restart run uguu and desu and loop the registry modifications before proceeding with the install.


Okay, I tried again after I got (temporarily?) access to regedit after I fix the DisableRegedit through Hijackthis. Though I can't install avast!

Last edited by kakakka; 2009-09-04 at 09:55.
Old 2009-09-04, 10:32   Link #13
SaintessHeart
Ehh? EEEEHHHHHH?
 
 
Join Date: Nov 2007
Age: 25
Quote:
Originally Posted by kakakka View Post
I don't have one, as far as I know.
There are many ways to get something you can't buy. For everything else (i.e Vista), there is Mastercard.

Quote:
Originally Posted by kakakka View Post
Okay, I tried again after I got (temporarily?) access to regedit after I fix the DisableRegedit through Hijackthis. Though I can't install avast!
Can't install as in?

I shall be consistent and say : Uninstall AVG. I am not sure if Norton is disabled, but if you can run a boot time scan with it.

This is going to be tedious, but if you still can use Regedit help me find out ALL the HKEYs under the Norton and Symantec keywords using the find. Several HKEYs can be found under different locales, so keep searching until the results repeat themselves. Then right click on the folders and click export to desktop. Finally, right click on the .reg file, select edit, and copypasta everything inside out here under spoiler tags.

Life sucks without your personal Windows disk.
Old 2009-09-04, 10:57   Link #14
kakakka
Senior Member
 
 
Join Date: Sep 2008
For the installation, it doesn't load while downloading setupeng.exe. It closes automatically.

I tried to change the name of the setup..It went as far as asking some sort of agree/decline window. Then it closes

(EDIT: I'm trying to do it again now....)

I don't have AVG anymore. I don't have Norton anymore (I can't run it anyways, and doesn't do anything active).

Here's the current one...
Spoiler for hijackthis:

Last edited by kakakka; 2009-09-04 at 12:50.
Old 2009-09-04, 13:18   Link #15
kakakka
Senior Member
 
 
Join Date: Sep 2008
Scanned from Registry Editor:
Windows Registry Editor Version 5.00

Spoiler for o:


Spoiler for NSI:


Spoiler for exe:


Spoiler for MUICache:


Spoiler for NortonSystemInfo:
Old 2009-09-04, 13:19   Link #16
kakakka
Senior Member
 
 
Join Date: Sep 2008
Spoiler for installer:
Old 2009-09-04, 13:20   Link #17
kakakka
Senior Member
 
 
Join Date: Sep 2008
Spoiler for installer (cont.):