[TaraLeigh75]

I'm working on my friend's computer problem.
She was browsing on IE8 through a site about hiring a lawyer and her McAfee popped up showing a Trojan virus.

It supposedly snagged the virus but now McAfee won't open. Every time I try to open McAfee the 'open with' box opens looking for a program to use.

When I tried to open the control panel to go back to a previous restore point. Same error.

Even when I try to open the properties on the desktop I get the c:\windows\system32\rundll32.exe error.

No programs in the control panel will open. No programs will open. Even painter in accessories gives the 'open with' box looking for the program.

When I tried to download your malware protocols I cannot execute an EXE file.


Please Help.

The only thing that seems to open is my IE8. It's my only source at this point.



Thank you.



PS: When I try to view my system information I get that rundll32 error. I know she runs an XP system, 32 bit. It's running slower and slower as I try to even post this.

[SpySentinel]

Hi Tara,

Welcome to Geeks to Go! My name is SpySentinel and I will be helping you fix your computer problem.
Sorry for the delay, we have been very busy lately, and I apologize for your wait.


Please download ComboFix from
Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
    
  • Set to "Always ask me where to Save the files".
  
  
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
  
• Please do not rename Combofix to other names, but only to the one indicated.
  
• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  -----------------------------------------------------------
  
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  
  
  • Close any open browsers.
    
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  
  -----------------------------------------------------------
  
• Double click on combo-Fix.exe & follow the prompts.
  
• When finished, it will produce a report for you.
  
• Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[TaraLeigh75]

McAfee doesn't work, but it doesn't let me disable it either.
When I tried to DL combo-fix I got a Trojan notice.

Also: ERROR COPYING FILE OR FOLDER
Cannot copy ComboFix[1]: Access is denied
Make sure the disk is not full or write-protected and that the file is not currently in use.

I did put the dash in before I saved Combo-Fix.

Any ideas?




PS--no problem on the wait.

[SpySentinel]

Hi,


Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply:

[TaraLeigh75]

I'm sorry, but part of my issue is that I cannot run an EXE file.
I get the 'open with' error. The computer cannot run this file.
I tried to put it on a flash drive, but it doesn't perform off of that.

[SpySentinel]

This may be a new variant, as we have seen this infection emerging lately.

Can you do this:


Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

[TaraLeigh75]

Tried it with the entire thing in bold and the parts in the quotes as well. Nope, still same error--looking for program to run the exe file.

[SpySentinel]

Can you still access your Task Manager?

(Ctrl + Alt + Delete)


Go into Task manager > Processes tab

check the checkbox labeled Show processes from all users bottom left of the Task Manager window.

Find the process Windows Police Pro.exe and left-click on it once so it becomes highlighted.

Now click on the End Process button

Task manager will ask you if you are sure - say YES

Now scroll through the list of processes until you find the svchast.exe process.

end this process as well by clicking on the End Process button and confirming that you want to end it.

note the spelling svchAst.exe there are legitimate files spelt svchOst < do not end process on those.

NEXT

[TaraLeigh75]

I can get into my task manager, but I don't see either of these processes.
I tried to do a screen print, of what's in the processes tab, but I can't open even my paint program to put it in there.

I have 9 svchost open---but nothing with an A.

Was this reply for me? Or just a guess based on past experience with th is lovely virus/trojan?

*sigh*

*lobbed the ball back into your court* I swear I don't know if it made it over the net. LOL US Open? What? LOL


Thanks.

[SpySentinel]

*Receive tennis ball and swiftly slam it back over into your court

• Download Fixswen and save it to your desktop
  
  
• Right-click on the file and choose install

[TaraLeigh75]

Okay, I'm not sure what it did.
But here's what popped up in my wordpad.
I can open programs now.
OMG! I think it might have worked.
Anything I should do now? I'm running a mcafee scan right now.


[Version]
Signature="$CHICAGO$"

[DefaultInstall]
AddReg=FixSwen
DelReg=EnableRegTools

[FixSwen]
HKCR, "batfile\shell\open\command",,0,"""%1"" %*"
HKCR, "comfile\shell\open\command",,0,"""%1"" %*"
HKCR, "exefile\shell\open\command",,0,"""%1"" %*"
HKCR, "piffile\shell\open\command",,0,"""%1"" %*"
HKCR, "regfile\shell\open\command",,0,"regedit.exe "%1""
HKCR, "scrfile\shell\open\command",,0,"""%1"" /S"
HKCR, "scrfile\shell\config\command",,0,"%1"

[EnableRegTools]
HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"

[SpySentinel]

While its on the desktop, Please right click on it and Click Install

[TaraLeigh75]

I clicked on okay to open it, but all it does is pop up the notepad with the info:

[Version]
Signature="$CHICAGO$"

[DefaultInstall]
AddReg=FixSwen
DelReg=EnableRegTools

[FixSwen]
HKCR, "batfile\shell\open\command",,0,"""%1"" %*"
HKCR, "comfile\shell\open\command",,0,"""%1"" %*"
HKCR, "exefile\shell\open\command",,0,"""%1"" %*"
HKCR, "piffile\shell\open\command",,0,"""%1"" %*"
HKCR, "regfile\shell\open\command",,0,"regedit.exe "%1""
HKCR, "scrfile\shell\open\command",,0,"""%1"" /S"
HKCR, "scrfile\shell\config\command",,0,"%1"

[EnableRegTools]
HKCU, "software\microsoft\windows\currentversion\policies\system","DisableRegistryTools"




I'm not sure what it did, but I can run all programs now and open EXE files. Is there anything else I should do now?

McAfee ran a scan and everything looks good. Let me know if I should do anything else to doublecheck the system.

Thanks!


WOOT! So excited.




T

[SpySentinel]

You're welcome.

Now lets try running ComboFix again. Please delete it if you still have ComboFix, and:



Please download ComboFix from
Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
    
  • Set to "Always ask me where to Save the files".
  
  
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
  
• Please do not rename Combofix to other names, but only to the one indicated.
  
• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  -----------------------------------------------------------
  
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  
  
  • Close any open browsers.
    
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  
  -----------------------------------------------------------
  
• Double click on combo-Fix.exe & follow the prompts.
  
• When finished, it will produce a report for you.
  
• Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

[TaraLeigh75]

Hello, SS--thanks for continuing to work with me.
I'd like to return the computer to my friend's mom without any issues in the future. LOL You're a lifesaver.



Okay.
Managed to get Combo-fix to work this time.
Attached TXT file.

Attached File(s)

•  ComboFix.txt (28.11K)
  Number of downloads: 157