
Got AntiMalware Doctor, Ran Rkill and MalwareBytes But AVG Deleted Winlogon.exe and Explorer.exe. System Won't start.


34 replies to this topic

#1 Mewten

Mewten

  • Members
  • 30 posts

Posted 21 October 2010 - 05:00 PM

Hello there, just a few days ago I somehow got AntiMalware Doctor on my computer. The moment I saw it I did a hard shutdown and then rebooted it in hopes it would stop any infection. Though upon restarting the laptop I got AntiMalware Doctor popping up instantly with all its fake alerts. I tried ending its process in task manager and then I tried removing it with Malware Bytes Removal Tool. After scanning it found stuff and so I restarted the computer. Though it was still there when I came back. So I just shut it down.

I found this solution for the problem here: http://www.bleepingcomputer.com/virus-removal/remove-antimalware-doctor
So I downloaded Rkill and followed the steps it said. I started up my computer ran Rkill the moment that AntiMalware Doctor popped up. It seemed to close most things but there were still a few fake alerts it seemed so I ran it again. I then started scanning with MalwareBytes and not long afterward AVG popped up a security warning telling me repeatedly that winlogon.exe and explorer.exe were infected with trojan horse Patched_c.cC** the *'s being varying letters. AVG also told me that the files were white-listed and couldn't be removed, note that this was before I had pressed anything.

I waited until MalwareBytes was done and then removed everything it could. Then I looked back and AVG said it needed to restart the system to fix the problems with winlogon.exe and explorer.exe. I figured something must seriously be wrong because each one was listed repeatedly very many times. So I hit okay on the restart and then after the XP bootscreen it just goes black and then after a brief pause and it reboots and repeats the cycle all over again. One of the times it did this I noticed a BSOD flash by for half a second before it auto restarted.

I believe AVG deleted winlogon.exe and explorer.exe and now my computer is incapable of starting up fully. I tried Safe Mode and it didn't work either. I have my original XP install disc and I think all I may need to do to repair my system so it starts up is copy a fresh winlogon.exe and explorer.exe to my hard drive off the disc in Recovery Console. The problem is I can't remember the proper commands nor do I know the location of the files on the disc or where they should go on the hard drive.

I'm not sure what my disc drive's letter ID is either if anyone could tell me how I could find that.

Thanks for the help.

Edited by Mewten, 21 October 2010 - 06:01 PM.
Moved from XP forum to Am I Infected ~ Hamluis.




#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,176 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 22 October 2010 - 12:33 AM

:welcome:

Insert your Windows installation CD and restart the computer. If prompted, select any options required to boot from the CD. You will be prompted with the following options:

A. To setup Windows XP, press Enter.
B. To repair Windows XP installation using recovery console, press R.

Choose the option, "To repair the Windows XP installation using recovery console", press R. If an Administrator Password has been established, you will be prompted to type it in. If no Administrator Password exists, just press ENTER.

You will be presented with the following:

Microsoft Windows® Recovery Console
The Recovery Console provides system repair and recovery functionality.
Type EXIT to quit the Recovery Console and restart the computer.

1: C:\WINDOWS

Which Windows Installation would you like to log onto
(To cancel, press ENTER)?


Press the number assigned to the installation you need access to on your keyboard and hit Enter.

In this case, if only the above is displayed, that is 1.

At the command prompt, type the following command and press Enter:

MAP

Note the drive letter assigned to your CD_ROM. Then, at the prompt type the following commands and press Enter after each line. Please replace the red X with the letter assigned to your CD_ROM:

Expand X:\i386\winlogon.ex_ C:\Windows\System32\winlogon.exe
Expand X:\i386\explorer.ex_ C:\Windows\System32\explorer.exe


Overwrite if necessary. Type Exit and press Enter to re-start the computer and allow it to boot in Normal Mode.

Note: The files in the installation CD end with an underscore, and in the command above there is a space between the underscore and C:

Edited by JSntgRvr, 22 October 2010 - 12:34 AM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Mewten


Posted 22 October 2010 - 09:38 AM

Okay so I followed your instructions exactly. Turns out my disc drive is my E:\ drive. I tried using the commands you gave me and it would say the file could not be created followed by "0 file(s) expanded."

So I tried the same exact commands only using Copy instead.

Copy E:\i386\winlogon.ex_ C:\Windows\System32\winlogon.exe
Copy E:\i386\explorer.ex_ C:\Windows\System32\explorer.exe

These responded with successful file created messages. Though upon exiting and restarting it doesn't work. I see the welcome logon screen for a brief moment only to go to a black screen with an error bubble.

Titled: SAS Window: winlogon.exe - Application Error

The exception Single Step.

A single step or trace operation has been completed.
(0x80000004) occured in the application at 0x00000000

Click on OK to terminate the program
Click on Cancel to debug the program.

----

Clicking either just results in the system BSODing and then it restarts.

#4 JSntgRvr


Posted 22 October 2010 - 12:38 PM

You cannot use the copy command as the file is compressed on the disk and needs to be expanded. Try the following (Replace the X in red by the CD_ROM drive letter):

Expand X:\i386\winlogon.ex_ C:\winlogon.exe
Expand X:\i386\explorer.ex_ C:\explorer.exe
Copy C:\Winlogon.exe C:\Windows\System32
Copy C:\Explorer.exe C:\Windows



If unsuccessful, let's try to create a boot CD and run OTLPE. You will need a USB drive (pen drive).

Please print this guide for future reference and save it in the USB drive!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe
  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source: (path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
      • Output:
        • Keep the default
    • Media output
      • Choose Create ISO image
      • Do not choose Burn to CD/DVD
  • Download the RunScanner plugin and save it to your desktop
    http://www.paraglidernc.com/Files/RunScanner10025.cab

    Please note: You will be prompted for the folder in which it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!

  • Press the Plugin button on the PE Builder interface
  • Press the Add button and navigate to the location of the RunScanner plugin to install
  • Please note: If you are using a Windows XP disc with SP2 then highlight RpcSS needs to launch DComLaunch and then press Enable
  • When you're done press Close and the PE Builder interface will re-appear
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit
4. Burn your ISO file to CD
==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
  • Insert the CD in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
    Next choose....
    • Go
    • Programs
    • A43 File Management Utility
==========

In A43File Management you should see your flash drive
Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.cmd.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to All
    • Uncheck LOP and Purity check

    Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!

  • Copy and Paste the following code from your flash drive into the Posted Image textbox. Do not include the word "Code"

    /md5start
    userinit.exe
    Winlogon.exe
    Explorer.exe
    /md5stop

  • Push Posted Image
  • A report will open named "OTL.txt" (C:\OTL.txt). Save this log to your flash drive. Copy and Paste this in your next reply.

Edited by JSntgRvr, 22 October 2010 - 12:39 PM.
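
The /md5start … /md5stop list above names the files whose hashes the helper asks to see in the log. A comparable offline check, as an added example that is not part of the original post or of OTLPE: it hashes every copy of those files under a mounted Windows directory and compares them with reference MD5s assumed to come from a clean machine of the same Windows version and service pack. The directory layout and file contents in demo() are constructed.

```python
import hashlib
import os
import tempfile

# Names from the /md5start ... /md5stop list in the post above (lowercased).
TARGETS = ("userinit.exe", "winlogon.exe", "explorer.exe")


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks. MD5 mirrors the page; prefer SHA-256 for a new baseline."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_copies(root, names=TARGETS):
    """Map each target name to a sorted list of (relative path, md5) for every copy under root."""
    found = {name: [] for name in names}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            key = fname.lower()  # Windows file names are case-insensitive
            if key in found:
                full = os.path.join(dirpath, fname)
                found[key].append((os.path.relpath(full, root), md5_of(full)))
    for copies in found.values():
        copies.sort()
    return found


def audit(root, reference):
    """Return (name, relative path or None, status) rows against reference hashes.

    reference: {name: md5 hex} taken from a clean machine with the same
    Windows version and service pack (assumption of this example).
    """
    rows = []
    for name, copies in sorted(find_copies(root, tuple(reference)).items()):
        if not copies:
            rows.append((name, None, "MISSING"))
        for rel, digest in copies:
            status = "ok" if digest == reference[name] else "MISMATCH"
            rows.append((name, rel, status))
    return rows


def demo():
    """Build a constructed, throwaway directory tree and audit it."""
    clean = {name: b"MZ constructed stand-in for " + name.encode() for name in TARGETS}
    reference = {name: hashlib.md5(data).hexdigest() for name, data in clean.items()}
    with tempfile.TemporaryDirectory() as root:
        layout = {
            ("WINDOWS", "explorer.exe"): clean["explorer.exe"],
            # Simulated modified copy: same name, different bytes.
            ("WINDOWS", "system32", "winlogon.exe"): clean["winlogon.exe"] + b"\x90extra",
            ("WINDOWS", "system32", "dllcache", "WINLOGON.EXE"): clean["winlogon.exe"],
            # userinit.exe deliberately absent.
        }
        for parts, data in layout.items():
            path = os.path.join(root, *parts)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return audit(root, reference)


if __name__ == "__main__":
    for name, rel, status in demo():
        print(f"{status:8} {name:14} {rel}")
```

A MISMATCH row only says the copy differs from the reference; a different service pack or hotfix level produces the same result as a modified file, so the reference must come from a matching build.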



#5 Mewten


Posted 24 October 2010 - 12:32 AM

Woah that second method is quite the mouthful. That'll take some time to attempt to do. Though first I'd like to check in.

Expand X:\i386\winlogon.ex_ C:\winlogon.exe
Expand X:\i386\explorer.ex_ C:\explorer.exe
Copy C:\Winlogon.exe C:\Windows\System32
Copy C:\Explorer.exe C:\Windows

This didn't work for some reason. I changed the X to E as that's the letter for my CD drive. But it still says that the file can't be created. So I tried just:

Expand E:\i386\winlogon.ex_

Which said that it successfully expanded the file. And then I followed by using:

Copy winlogon.exe C:\Windows\System32\winlogon.exe

It asked me if I wanted to overwrite the file and I said yes. It seemed to work but the computer still won't boot without giving me errors. Any idea what could be wrong with why the commands don't seem to work properly for some reason?

Could I perhaps copy my working computer's winlogon.exe and explorer.exe to a USB drive and then copy them from there to my broken laptop?

#6 JSntgRvr


Posted 24 October 2010 - 10:26 AM

Please print this guide for future reference and save it in the USB drive!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe
  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
      • Source: (path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
      • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
      • Output:
        • Keep the default
    • Media output
      • Choose Create ISO image
      • Do not choose Burn to CD/DVD
  • Download the RunScanner plugin and save it to your desktop
    http://www.paraglidernc.com/Files/RunScanner10025.cab

    Please note: You will be prompted for the folder in which it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!

  • Press the Plugin button on the PE Builder interface
  • Press the Add button and navigate to the location of the RunScanner plugin to install
  • Please note: If you are using a Windows XP disc with SP2 then highlight RpcSS needs to launch DComLaunch and then press Enable
  • When you're done press Close and the PE Builder interface will re-appear
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit
4. Burn your ISO file to CD
==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
  • Insert the CD in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
    Next choose....
    • Go
    • Programs
    • A43 File Management Utility
==========

In A43File Management you should see your flash drive
Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.cmd.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to All
    • Uncheck LOP and Purity check

    Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!

  • Copy and Paste the following code from your flash drive into the Posted Image textbox. Do not include the word "Code"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    explorer.exe
    winlogon.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    ntldr
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    CREATERESTOREPOINT

  • Push Posted Image
  • A report will open named "OTL.txt" (C:\OTL.txt). Save this log to your flash drive. Copy and Paste this in your next reply.

Edited by JSntgRvr, 24 October 2010 - 10:35 AM.



#7 Mewten


Posted 29 October 2010 - 09:21 PM

Okay I finally had enough free time to attempt this long process. My apologies for the delay. I did all this and I got to the point where I had just added the plugin.

I then get this error upon attempting to build.

Posted Image

Also you seemed to just repost exactly the same response without answering my question on whether or not I could just copy my already non-compressed winlogon.exe and explorer.exe onto a thumbdrive and from there to the sick computer.

I'm unsure where to proceed from now.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 29 October 2010 - 10:28 PM

Hello, sorry to do this now, but I need to move this topic to the Virus, Trojan, Spyware, and Malware Removal Logs forum. It will stay there now.

#9 JSntgRvr


Posted 29 October 2010 - 10:59 PM

Slipstream SP3 and use the folder where you will copy the Contents of the XP CD, as the source of your installation CD.

http://www.helpwithwindows.com/WindowsXP/Slipstreaming_Windows_XP_Service_Pack_3.html

Then proceed. Only use the Slipstream instructions in this site.



#10 Mewten


Posted 09 November 2010 - 03:23 PM

Well to be honest slipstreaming and all that stuff just seemed like a lot to do. And I was fairly certain copying winlogon and explorer from my working SP3 XP pc to my laptop would restore those files and make it work, so I gave it a shot and it turns out that it worked quite nicely. My computer booted up just fine.

Though it appears I still have AntiMalware Doctor. So I suppose getting rid of that is my key focus now. Would ComboFix help here? It doesn't seem like Malwarebytes is capable of removing it.

Edit: Well I can now get into Safe Mode but I can't use System Restore. If I try I get this message. "System Restore has been turned off by group policy. Please contact your group administrator." I'm logged into the Administrator safe-mode account. I've tried going into regedit.exe and deleting "DisableSR" value under "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\SystemRestore\" But every time I delete "DisableSR" it comes back instantly still preventing me from running System Restore. Any suggestions?

Edited by Mewten, 09 November 2010 - 06:00 PM.


#11 JSntgRvr


Posted 10 November 2010 - 12:06 AM

I am glad you got it working. Let's try Combofix.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#12 Mewten


Posted 10 November 2010 - 11:41 AM

Okay I have a problem. I tried temporarily disabling AVG 9's resident shield but ComboFix still won't work. So I tried uninstalling AVG but it comes up with an error at the end with something about not being able to make a registry change, obviously because of the virus, so I can't remove AVG to run ComboFix.

Would it be possible to delete AVG's folder in Program Files in Recovery Console to stop AVG from being able to run and interfere with ComboFix?

#13 JSntgRvr


Posted 10 November 2010 - 01:46 PM

Let's attempt renaming Combofix. Remove your current copy.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#14 Mewten


Posted 10 November 2010 - 08:20 PM

This still didn't work. The problem is AVG9 won't uninstall, not ComboFix. I disabled the Resident Shield and the Link Scanner even with the new renamed one and it did nothing. It still says it won't run with AVG installed and so I tried yet again to uninstall AVG with the same result. At the end of the uninstallation process I get the message:

"Local Machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Windows NT\CurrentVersion\Windows: creating registry key...
Access is denied."

I can't remove AVG and without doing so I can't run ComboFix. This is my problem that needs solved at the moment.

#15 JSntgRvr


Posted 10 November 2010 - 10:33 PM

Download and run the AVG remover (32 bit) 2011

http://www.avg.com/ww-en/download-tools





