
Malware won't let anything run



Hi,

I have a Compaq computer (not a laptop) and since I'm new to this forum I did things a bit backwards. I can't run or download Malwarebytes. I know I have some sort of malware that poses as a virus detector because I was getting all the popups trying to get me to buy the program.

When I tried to install Malwarebytes, it ran...detected a bunch of stuff and then when I hit the button to get rid of the files, it wouldn't let me. The computer then shut down and only has a black screen and a pointer upon startup.

The version of Malwarebytes that I used the one time no longer will run. I now have to run the computer in safe mode and cannot access the internet. I have to run it in safe mode because in regular mode it is only a black screen.

I found these instructions on this forum and tried them. I've posted my results:

Download the following file and save to your desktop.

http://live.sysinternals.com/procexp.exe

Rename the file to winlogon.exe and then run it.

In order to get MBAM installed you will need to identify and terminate/kill the SystemSecurity process.

As you see from the screenshot it is very easily identified by its shield icon and use of random numbers for its executable, e.g. 1234567.exe 638476435.exe 453732.exe and the list goes on.

Highlight the shield icon/random.exe line and right click and select kill process

I followed these instructions and it looked like it was going to work. When I hit the "kill process" the Malware would not allow the files to be deleted. Instead it popped up a message that said "The system is shutting down. C://WINDOWS/system32/services.exe terminated unexpectedly with status code."

When the computer restarts, the files are still there. I'm just going in circles.

I was then led by one of your moderators to the correct post that instructed me to install Defogger. I was able to do this correctly.

Then I downloaded the dds.scr and tried to run it........No go. Does nothing. Just kind of blips the screen and then goes back to just the icon sitting there.

Then I downloaded the GMER and followed the instructions. It started scanning the files but when it got to the end, it disappeared. The icon is now there and if I click on it again, I get "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

I did download the mbam.exe as explorer.exe and when I tried to run it I got an Error code: 703 (0,453)

I would appreciate any help. I still have the CD Emulation drivers disabled by the Fogger program. I am not enabling until I receive instructions.

Thank you so much (in advance) for your help ~ Robin
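
The naming pattern quoted in the post above (an executable whose name is nothing but digits, such as 638476435.exe) can also be checked from a saved process listing. This is an added example, not part of the original post or of any tool named in it; it assumes the listing was produced with `tasklist /fo csv /nh`, the sample rows are constructed, and a match is only a candidate for review.

```python
import csv
import io
import re

# Image names made only of digits plus ".exe" (the pattern described in the post).
NUMERIC_IMAGE = re.compile(r"\d+\.exe", re.IGNORECASE)

# Constructed sample of `tasklist /fo csv /nh` output (not from a real machine).
SAMPLE_TASKLIST = '''"System Idle Process","0","Console","0","28 K"
"smss.exe","548","Console","0","388 K"
"winlogon.exe","652","Console","0","4,120 K"
"services.exe","696","Console","0","3,412 K"
"638476435.exe","1820","Console","0","9,876 K"
"explorer.exe","1504","Console","0","18,204 K"
"453732.EXE","2044","Console","0","7,300 K"
"7zip.exe","2100","Console","0","2,048 K"
'''


def parse_tasklist(text):
    """Yield (image_name, pid) from tasklist CSV rows, skipping malformed lines."""
    for row in csv.reader(io.StringIO(text)):
        # Skips blank lines, a header row (PID column is not numeric),
        # and rows truncated by an interrupted capture.
        if len(row) < 2 or not row[1].strip().isdigit():
            continue
        yield row[0].strip(), int(row[1])


def flag_numeric_images(text):
    """Return [(image_name, pid)] for processes whose image name is all digits."""
    return [(name, pid) for name, pid in parse_tasklist(text)
            if NUMERIC_IMAGE.fullmatch(name)]


if __name__ == "__main__":
    for name, pid in flag_numeric_images(SAMPLE_TASKLIST):
        print(f"review: {name} (PID {pid})")
```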


Hello Robin,

If you are getting help elsewhere, please let me know.

Otherwise, please do these basics:

It would help a lot to know your version/edition of Windows.

You will want to print out or copy these instructions to Notepad for offline reference!


If you are a casual viewer, do NOT try this on your system!

If you are not robinana and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

Please do the following:

Step 1

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

Step 2

Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 3

Download and Save to the DESKTOP Win32kDiag from any of the following locations and save it to your Desktop.

Click on Start button. Select Run, and copy-paste the following command (the bolded text) into the "Open" textbox, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Step 4

Download RootRepeal:

http://rootrepeal.googlepages.com/RootRepeal.zip

  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

Step 5

Reply with copy of Win32kdiag.txt

and the RootRepeal log

There will be much more to do later. Please respond soonest.
