Fake AV and MB VB 0/440 error

[Josh E]

I got some fake antivirus popups. I attempted to just kill it by disabling everything in msconfig and deleting the funny named folder it was pointing to in the application data folder. I tried to install MB and I get a VB 0 and 440 error at installation and attempting to run it. The fixes I've tried are renaming application name, updating VB from microsoft and also the regsvr32 MBAM Fix.bat file (which gives me an error. regsvr32 is not in the system32, but regsvr32.ex_ is in the i386 folder?).

I'm pretty sure I killed the original infection incorrectly, if at all. So any help would be appreciated. I ran a command line scan with AVG in safe mode, but it only came up with 69 locked files and no infections.

Anyway, here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:47:06 PM, on 5/19/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\fxssvc.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe

C:\WINDOWS\system32\cmd.exe

C:\Documents and Settings\Joshua\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Joshua\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Joshua\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Joshua\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1243366049084

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...450/mcfscan.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 5641 bytes

[Blade81]

Hi,

Download DDS and save it to your desktop from here or here or here.

Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
     
  2. Attach.txt
     

  [*]Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking download exe -button and then saving it your desktop:

• Double-click .exe that you downloaded
  
• Click rootkit-tab, uncheck files option and then click scan.
  
• Don't check
  Show All
  box while scanning in progress!
  
• When scanning is ready, click Copy.
  
• This copies log to clipboard
  
• Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply.
  

[Josh E]

All 3 files are attached.

I've also noted an issue when starting up. It takes about 10 minutes to act "normal", but something is stalling the startup of my computer. I can start programs from my desktop easily...most easily opened is process explorer and google chrome. if i try and open up programs from the start menu or icons near the clock, it causes the task bar becomes locked up and the programs do not open. also, if google chrome tries to open a popup, it crashes. after 10 minutes or so, i've noted process explorer says that imapi.exe and alg.exe start up, but imapi.exe is closed on its own...after that, the computer runs normally and all the programs i tried to open earlier now popup at the same time

Attach.zip

[Blade81]

Hi,

BitTorrent

Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and other if present) P2P file sharing programs.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
2. Click Yes to allow ComboFix to continue scanning for malware.
   

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

[Josh E]

Attached is the ComboFix log and new DDS/Attach logs

Thank you very much for all of your help so far.

[Josh E]

Attached is the ComboFix log and new DDS/Attach logs

Thank you very much for all of your help so far.

Apologies, forgot to hit attach

DDS.zip

DDS.zip

[Blade81]

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

Save this as

CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows, disable protection and refering to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log.

Uninstall your current Adobe shockwave player and get the fresh one here if needed.

Download ATF (Atribune Temp File) Cleaner

[Josh E]

Hello again,

Ran everything above and still get VB error when running MBAM.

Kaspersky picked up something that AVG has never picked up. I don't know if it cleaned it out either.

Attach.zip

[Blade81]

Hi,

Uninstall MBAM (if it's visible in add/remove programs) and then try to reinstall. Delete those files Kaspersky flagged.

[Josh E]

Hi,

Uninstall MBAM (if it's visible in add/remove programs) and then try to reinstall. Delete those files Kaspersky flagged.

I deleted the noted files and uninstalled/reinstalled MBAM but I'm still getting VB errors . Maybe it just wasn't meant to be

[Blade81]

Hi,

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c PEV -l "%systemdrive%\regsvr32.exe" >Log.txt&Log.txt&del Log.txt

A Notepad file will open. Post the contents of Log.txt in your next reply.

[Josh E]

Hello Blade,

The log comes back as:

-c----w- 11,776 2004-08-04 12:00:00 C:\WINDOWS\$NtServicePackUninstall$\regsvr32.exe

-c----w- 11,776 2008-04-14 00:12:32 C:\WINDOWS\ServicePackFiles\i386\regsvr32.exe

Entries: 2 (2)

Directories: 0 Files: 2

Bytes: 23,552 Blocks: 46

[Blade81]

Hi,

Click start->run->type cmd.exe and press enter. Then type following command:

copy /y C:\WINDOWS\ServicePackFiles\i386\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe

If successful try MBAM installation again.

[Josh E]

Hi,

Click start->run->type cmd.exe and press enter. Then type following command:

copy /y C:\WINDOWS\ServicePackFiles\i386\regsvr32.exe C:\WINDOWS\system32\regsvr32.exe

If successful try MBAM installation again.

MBAM runs and comes up clean...Thanks for everything Blade!

[Blade81]

You're welcome

THESE STEPS ARE VERY IMPORTANT

Let's reset system restore

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

NOTE: only do this ONCE,NOT on a regular basis

Now lets uninstall ComboFix:

• Click START then RUN
  
• Now copy-paste Combofix /uninstall in the runbox and click OK
  

Please download OTC and save it to desktop.

• Double-click OTC.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the
  Begin cleanup Process?
  prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it by yourself.
  

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

• hosts file:
  
  • Every version of windows has a hosts file as part of them.
    
  • In a very basic sense, they are used to locate webpages.
    
  • We can customize a hosts file so that it blocks certain webpages.
    
  • However, it can slow down certain computers.
    
  • This is why using a hosts file is optional!!
    

  Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here

  If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

  1. 
     
     
  2. Click the start button (at the lower left hand corner of your screen)
     
  3. Click run
     
  4. In the dialog box, type services.msc
     
  5. hit enter, then locate dns client
     
  6. Highlight it, then double-click it.
     
  7. On the dropdown box, change the setting from automatic to manual.
     
  8. Click ok
     

  [*]Run Secunia vulnerability check here and fix its findings.

Just a final reminder for you. I am trying to stress these two points.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.

Make sure all of your security programs are up to date.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,

Blade