Program starts and mouse control

Patrick

New Member
Thread author
Jun 24, 2012
9
After running your recommendations, my cpu is back (Win XP Media Center Edition) with C and D drives, so thank you. Data files and desktop are there, but icons do NOT start their programs by double-clicking from the desktop, and they don't start by left-clicking from the Start menu either. If they open at all, I must right-click, then select 'open'. I've checked the mouse settings, and all seems normal there. MS Office won't work at all (Windows Installer Service could not be accessed), and Internet Explorer starts then stops. I've run the programs suggested several times (RKill, Malwarebytes Anti-Malware, Hitman Pro, Unhide, RogueKiller, and EmergencyKitScanner ..... both SmartScan and then DeepScan later ...... removing all threats in each case). There were only folders 1 and 2 in the smtmp folder, and those 2 have been copied (no folders 3 or 4). Quick Launch icons are all gone. I suspect my biggest problem is Admin rights ........ I don't remember setting a password years ago, so all "fixes" were run under the User login (no password).

How do I get my mouse working correctly?
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Hello Patrick,


Please take note of the below:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to back up any personal files and folders before you start.

Step 1 : Download and run Combofix
 
Download ComboFix from one of the following locations: 
Link 1  
Link 2  
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop  
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here  
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programs being marked for deletion, then reboot; that will cure it.

Step 2: Run an aswMBR scan:
  1. Download aswmbr.exe ( 1.8mb ) to your desktop.
    http://public.avast.com/~gmerek/aswMBR.exe
  2. Double click the aswMBR.exe to run it. Click the "Scan" button to start scan.
  3. Click the [Scan] button to start scan.
  4. On completion of the scan click [Save log], save it to your desktop and post in your next reply.

Step 3 : Download and run OTL
  1. Please download the OTL utility from here : http://oldtimer.geekstogo.com/OTL.exe
  2. Right-click on OTL.exe and select Run as Administrator to start OTL.
  3. Double click on OTL.exe to run it.
  4. Under the Custom Scan box paste this in:

    Code:
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.exe
    %APPDATA%\*.
    /md5start
    atapi.sys
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    csrss.exe
    PrintIsolationHost.exe
    consrv.dll
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT
  5. Click the Quick Scan button. The scan won't take long.
  6. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    Please post these 2 logs in your first reply.



What's next?
Attach the following logs to your post (You can find here details on how to use the Attachment System):

1. Combofix log
2. OTL logs
3. aswMBR log
 

Patrick

New Member
Thread author
Jun 24, 2012
9
Jack,

I opened the McAfee Security Center menu and thought I turned off everything, but ComboFix detected it running (McAfee Anti-virus and Anti-spyware), and it asked me to disable them before continuing to prevent ......... "unpredictable results or possible machine damage". I right-clicked the McAfee icon in the taskbar again and a McAfee menu popped up. I attempted again to turn off the scanning, firewall, etc. when a Windows error message popped up. The program shut down unintentionally (did I want to send the error message to Microsoft? I said 'no'). I looked for the program in the Start menu ........... McAfee was listed, but no program was there. I browsed the C: drive for McAfee and found tons of files and folders there, but I couldn't find the start file.

Now what? Do I just run ComboFix anyway??
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
McAfee closed itself. Don't worry, it should start again when you reboot your PC. (Off topic: McAfee... Seriously? We really need to improve your PC security!) Skip this scan for now.

1. Run a scan with Dr.Web CureIt
  1. Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  2. Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
  3. This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  4. Once the short scan has finished, select Complete scan.
  5. Complete scan sometimes takes up to 2 hours to finish so please be patient.
  6. Click the green arrow at the right, and the scan will start.
  7. Click Yes to all if it asks if you want to cure/move the file.
  8. When the scan has finished, in the menu, click File and choose Save report list.
  9. Save the report to your desktop. The report will be called DrWeb.csv.
  10. Close Dr.Web CureIt.
  11. Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  12. Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.
NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in the upper right corner.

2. Run OTL
Download OldTimer from here then click on it to run it.
Make sure all other windows are closed and to let it run uninterrupted.
Under the Custom Scan box paste this in:

Code:
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please attach them in your next reply.
 

Patrick

New Member
Thread author
Jun 24, 2012
9
Jack,

The DrWeb cureit scan took more than a day to complete. The csv file it created was not allowed on your site, so I copied it as a text file.

OTL was run as requested, but an error message popped up so it did not complete. It was scanning C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder .... when the following popped up:
"OTL ..... Access violation at address 0052BF8B in module 'OTL.exe'. Read of address 00000000."

Since it didn't complete, there were no files (OTL.Txt and Extras.Txt).

What now?
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
1. Run a scan with ESET Sirefef Remover
Download, save and run the ESET 'Win32/Sirefef' stand-alone malware removal tool and follow the prompts as directed.
ESET Sirefef Remover Download Link: http://download.eset.com/special/ESETSirefefRemover.exe


2. Run a scan with Kaspersky TDSSKiller
Read carefully and follow these steps.
  1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
  2. Double-click on TDSSKiller.exe to run the application.
  3. Click Change parameters.
  4. Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  5. Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  6. When it finishes, you will either see a report that no threats were found: if no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up which you can just close since the report file is already saved.
  7. If any infection or suspected items are found, you will see a results window:
    • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects. Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  8. Click Continue to apply selected actions.
  9. A reboot may be required to complete disinfection. Reboot immediately if TDSSKiller states that one is needed.
  10. Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  11. Attach this log to your next reply.

3. Please try to run an OTL scan again.

  1. Please download the OTL utility from here : http://oldtimer.geekstogo.com/OTL.exe
  2. Right-click on OTL.exe and select Run as Administrator to start OTL.
  3. Double click on OTL.exe to run it.
  4. Under the Custom Scan box paste this in:

    Code:
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.exe
    %APPDATA%\*.
    /md5start
    atapi.sys
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    csrss.exe
    PrintIsolationHost.exe
    consrv.dll
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT
  5. Click the Quick Scan button. The scan won't take long.
  6. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    Please post these 2 logs in your first reply.



What's next?
Attach the following logs to your post (You can find here details on how to use the Attachment System):

1. ESET Sirefef Remover
2. TDSSKiller
3. OTL logs

 

Patrick

New Member
Thread author
Jun 24, 2012
9
Ran a scan with ESET Sirefef Remover. I don't think it ran correctly. See PDF attached.

Ran a scan with Kaspersky TDSSKiller. Several suspicious files, but skipped as directed. See file attached.

I was going to run the OTL utility again, but you want it run as Administrator. I don't have that password, so I didn't run it.

Remember I don't have internet access from the problem computer. I copy the programs from a thumb drive onto the Desktop, then run.
 

Attachments

  • TDSSKiller.2.7.44.0_04.07.2012_12.19.44_log.txt
    107.8 KB · Views: 109
  • ESET Sirefef doc.pdf
    47.4 KB · Views: 123

malwarekiller

New Member
Mar 30, 2012
688
OK, Jack is on holidays so I am here. Let's go after the keyboard and mouse.

Click Start >> Computer >> System Properties >> Device Manager

Now on this screen do you have any items with a yellow ! or a red X ???

If so which ones?
 

Patrick

New Member
Thread author
Jun 24, 2012
9
Device Manager in XP has a red 'X' on 1 of the 2 Network Adapters (1394 Net Adapter) shown. It's disabled, but the other one (NVIDIA nForce 10/100 Mbps Ethernet #2) says it's working properly.
 

Patrick

New Member
Thread author
Jun 24, 2012
9
I enabled it, but it did nothing except take the 'X' off. Says it's now working properly under 'Properties'. I don't believe it was used previously.

Internet Explorer starts, but then closes immediately.
 

malwarekiller

New Member
Mar 30, 2012
688
Can you provide me with a screenshot of the Device Manager with that X... is the X gone?

Download Complete Internet Repair to your desktop
http://www.datum-forensics.com/down/

Unzip all the files to their own folder on the desktop
Within the folder double click CIntRep
The programme will then run
Select all items
Press go
Select file to get the log
Post the log here


Next, run the MSFixit from here:
http://support.microsoft.com/kb/318378
 

Patrick

New Member
Thread author
Jun 24, 2012
9
See attached screenshot of Device Manager with X gone.

Ran Complete Internet Repair. See attached log before reboot. Rebooted. This restored connectivity to Internet Explorer.

Ran MSFixit.
 

Attachments

  • CIntRep.pdf
    17.4 KB · Views: 245
  • device manager.pdf
    104.6 KB · Views: 124

Patrick

New Member
Thread author
Jun 24, 2012
9
This is ridiculous ............

1. Cannot update MS Office / Outlook from auto-update (updates are ready) or Windows Update. It tries, but fails; also tried MS Fix It (it didn't);
2. Cannot update iTunes (it tries, but fails);
3. Quick Launch items on Desktop will not save between boots, even when the toolbar is 'locked';
4. Mouse is not working properly. Double-click usually doesn't work anymore (must right-click and select 'open' to start a program, even from the Start menu). I've tried updating the software, but that fails.

I'm about ready to junk this thing .............
 
