Browsers Won't Launch 3

[Nuffsaid]

Hi Everyone,

Win XP SP3 on a Dell Dimension 1 Gig ram.

I cannot get on the internet with either IE or Firefox. It appears something is blocking access. I'm also going through AVG hell. It didn't install properly and I had a hell of a time getting rid of it. I tried a system restore to an earliear date but that didn't help. Ran Malwarebytes, CCleaner nothing. Got like 52 process running. Tried creating a new account, same deal. Seems only Safe Mode works.

Advice welcome and thanks in advance

Nuffsaid.

 

[Nuffsaid]

Hey Again,

The saga continues. Tried to run Combofix but it reports AVG real time scanning is running and it should be stopped before proceeding. Must be a mistake because I removed it twice using the tool Linney provided. Carry On Combofix. minutes later receive the message that the Maste Boot Record is infected. Make sure to disable all anti virus before proceeding. This is where I aborted. I'm doing all this insafe mode. I can't see any obviously apperant references to AVG in either the process or services. Help!!

Other Avenues....

cru629.dat

Searched the sytem for that file, nothing found.
Searched the Registry and 2 entries were returned.

Assume I should delete these;
localmachine\microsoft\windowsnt\currentversion\windows
currentuser\software\microsoft\searchassistant\ACMru\5603

Until I can figure out the Combofix thing, it's on to the Bonjour Service.

I'll let you know.....




Nuffsaid.

 

[linney]

What do I need to do to get these entries to stop showing up in the HJT log?"

After running the Hijack This are you ticking those entries so that Hijack This actually removes them for you?

Are you saying you have done this but they keep coming back?


If you are chasing MRB virus have a look at the FixMBR and FixBoot in this article.

How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows

http://support.microsoft.com/kb/927392

See if the free Avira Support Tools are any use to you.

Avira AntiVir Rescue System

http://www.avira.com/en/support/support_downloads.html

The Avira AntiVir Rescue System a linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.

 

[goombawaho]

Uninstall AVG and then run the Combofix. You have nothing to lose by removing the AVG since it didn't prevent your infection and it's not killing the current infection.

Remove AVG, reboot into safe mode and run combofix.

Combofix will fix a boot sector virus for you, if detected. The Avira boot disk didn't do squat for me when I tested in a real world scenario.

 

[Nuffsaid]

goombawaho,

That's the problem, I already uninstalled AVG. There's no AVG folders under program files, there's nothing listed under Add / Remove Programs, but when I run ComboFix it states that AVG real time scanning is running. I don't get it.... Could something be running under a different account? (I thought I checked all accounts??) I assumed that when one removes a program, it's removed from all users of the system.

Linney, all I did with Hijack This is produced the log file I posted above. I haven't attempted any type of fix using this tool.

Thanks for sticking with this....


Nuffsaid.

 

[Turkbear]

Hi,
Did you check the Services to see if any are running related to AVG ( or any other anti-virus) -



To Paraphrase:"The Help you get is proportional to the Help you give.."

 

[linney]

I haven't attempted any type of fix using this tool."

Have you now let Hijack This fix (remove) the entries we mentioned, especially the Appinit dll entry?

It might be that other security software that you are running is confusing Combofix and is being interpreted as being AVG when it is really something else. I vaguely remember software from Webroot being involved in something similar.

310353 - How to Perform a Clean Boot in Windows XP

http://support.microsoft.com/default.aspx?scid=kb;en-us;310353&FR=1&PA=1&SD=HSCH

316434 - HOW TO: Perform Advanced Clean-Boot Troubleshooting in Windows XP

http://support.microsoft.com/default.aspx?scid=kb;en-us;316434&FR=1&PA=1&SD=HSCH

310560 - How to Troubleshoot By Using the Msconfig Utility in Windows XP

http://support.microsoft.com/kb/310560

 

[goombawaho]

Or you could use autoruns per and do a search for AVG and then uncheck all instances of it.

I have seen where Combofix said some antivirus live was still running but I could never identify from where. I ran it anyway - never a problem and it fixed the original problem.

 

[Nuffsaid]

Good Day All,

Well I finally got this sorted.

In normal mode I removed the Bonjour service. This was actually quite simple to do despite all I've read about how difficult this is to get of your system. I simply used Control pannel to remove it, and poof, it appears to be gone. (I get a nag screen when I launch ITunes but ITunes appears to be ok, so far)I then re ran Malware Bytes and removed two infections probably associated with ThinkPoint. Next I re ran Hijack This and had it remove all offending entries from the log posted above.

Presto!! Internet access...

So, I'm not quite sure which exact step corrected the problem (perhaps it was a combination of things) but we appear to be back to the state we were before all this started.

Installed the latest AVG with no problem. It uncovered a couple of nasties and removed them.

Never did get to run Combofix, but maybe I should just to see what happens.

Thanks to all who participated in this little adventure....




Nuffsaid.

 

[goombawaho]

Never did get to run Combofix, but maybe I should just to see what happens."

I would for sure. It is what I use for the nasty stuff or stuff that tends to come back. Don't wait too long to run it, since the baddies could be downloading fresh reinforcements.

 

[Nuffsaid]

goombawaho,

"Don't wait too long to run it, since the baddies could be downloading fresh reinforcements."

I think they already have. Although I think I got rid of ThinkPoint and switched the account it had infected to "Limited", there's now 10 - 20 mshta.exe processes running under this account. I Googled this and there seems to be mixed reviews. Essential Windows file vs Virus.

I monitor my Processes quite frequently and this is the first time I've seen this one. Another thing that makes it suspect is that while it shows up in Task Manager, Process Scanner

http://www.processlibrary.com/processscan/

doesn't see it.

I just noticed all this late last night so haven't done much about this yet.

Anyone have any additional thoughts?



Nuffsaid.

 

[linney]

What other security programs such as, Anti Spyware, Anti Malware, Anti Virus, Anti Trojan, or Anti Worm are you running?

How many instances of the mshta.exe load in Safe Mode, if none, or at least a lot less, see if you can further isolate which program may be involved.

Again I point you to the three "clean boot" links from earlier.

On a XP Professional SP3 I have that file (includes size in bytes) in these 3 locations.

mshta.exe D:\WINDOWS\ie8 29,184

mshta.exe D:\WINDOWS\ServicePackFiles\i386 29,184

mshta.exe D:\WINDOWS\system32 45,568

 

[goombawaho]

0. Turn system restore OFF, reboot PC, turn system restore back on.

1. Run RKILL

2. This will be the last time I say this: Run ComboFix or you are toast.

Then wait a few days to see how it's going. If you still have malware, reload windows.

 

[Nuffsaid]

ComboFix appears to have worked. There are no longer any mshta processes running in Task Manager.

All scans performed after the fix come back clean.





Nuffsaid.

 

[goombawaho]

Yes. Good.