I'm in a panic, guys...HELP!

[PamJ]

I tried to start MS Money 2002 today and received a message from avast that it was stopping it because of this:

Win32:Evo-gen[Susp]

And Money, it's like it's in a loop. It's like it's trying to install itself. I try to cancel and just loops back and tries again. I have to go in Task Manager to stop it.

I ran Malwarebytes and received a ton of PUP detections which I clicked to remove all of them. Restarted the computer as Malwarebytes said to do.

Now the part that has me freaked the most. When I click on ANY folder on my desktop, it tries to load MS Money instead of opening the folder!!!

If I try to go into Control Panel, it tries to load MS Money!! Same with Search. But clicking on Programs works okay.  Any folder on the desktop...Money tries to install itself but can't. Any program, link to a website on my desktop are working fine, at least for now.

What in the world is going on?? Should I just call a computer guy first thing in the morning?? This seems really bad.

At this point I'm afraid to do anything else without some guidance. Don't want to shut off the computer, don't want to run a boot scan. (I did run a quick scan with avast, and that was clean, but nothing else at this point.

What do I do??

[magna86]

Hi,
Allow me to check that.



Please download Farbar Recovery Scan Tool () by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
  
• Under Optional Scan ensure "Driver MD5" are ticked.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

[PamJ]

Thanks so much for the quick reply! Attached are the two text files requested from the Farbar Recovery Scan Tool.

[PamJ]

I just found out something else that may or may not be helpful. I discovered by accident that if I click really fast on a desktop folder that it will open. Now, Money still tries to "install" as well, and I go into Task Manager and end it. I put put "install" in quote because it says it's trying to install but it was already installed so...?

I can also access the desktop folders easily (without the Money intervention) if I do so from within another program such as Word or Notepad.

[magna86]

Hi,
You may stop panicing as Microsoft Money is pat of Microsoft, please read here:
http://support.microsoft.com/kb/2118008
You may allow it to run.



Btw, FRST logs shows me some adware and PUP related entries. We may clean that if you wish.




Please download zoek.zip or zoek.rar by smeenk () from here or here and save it to your Desktop.
Unpack the archive...

• Close any open browsers
• Temporarily disable your AntiVirus program. (If necessary)
  If you are unsure how to do this please read this or this Instruction.
  
  
• Double click on zoek.exe to run the tool .
  Please wait while the tool does not start...
  
  
• Copy the text present inside the code box below and paste it into the large window in the zoek tool:

Code: [Select]

autoclean;

• Click on button.
  Please wait until a logreport will open (this can be after reboot)
  
  
• Save notepad to your Desktop and attach here zoek-results.log
  Note: It will also create a log in the C:\ directory named "zoek-results.log"
  

THEN...


Re-run FRST, ensure "Addition.txt" are ticked and press Scan button.
Post me fresh created FRST.txt and Addition.txt logs.

[PamJ]

I will go through the process you mentioned above, but wanted to let you know that I can't let Money run. It won't. I get these windows when I try:

1, Preparing to install, then
2. Please wait while Windows configures Money, then
3. It asked me to insert CD*, then I cancel, then
4. "Error 706. No valid source could be found for product MS Money 2002. The Windows Installer cannot continue." I click "Ok" then is starts with #2 again.

*I inserted the Money CD only once, and it didn't help anything.

If I click cancel at any point, it goes back to #2. The only way to stop it is to stop it within Task Manager.


Prior to this mess, Money loaded from the desktop shortcut just fine. What started all this is the first time I tried to load it last night, I got that avast error message and avast wouldn't let it load. *I did put in the disc once at that point but it didn't help, still got the avast message.

I then ran avast quick scan, after which it asked me to run a boot scan. I started that scan, but it kept stopping and asking me about something it found (all PUPs at this point) which I had avast put most into the chest (not all). It was taking forever, so I cancelled the boot scan and that's when I ran Malwarebytes and it found over 12 PUPs, which I had moved to quarantine.

Within Avast chest are 5 entries of that Win32-Evo.gen [Susp] listed with MS Money and a keyhook.dll. (Sorry, forgot to mention "keyhook" thing before with I mentioned the Evo-gen.)

Since doing avast quick scan and 1% of the boot scan, I do not get any avast warnings, just the whacky "trying to install" stuff.

Also, the scary part is THE SAME THING happens (Windows Installer tries to install Money) if I click on any of the following:

- Any folder on the desktop
- My Computer
- Recycle bin

Within "Start"

- Control Panel (I wanted to go in and just remove Money, but I can't)
- Settings
- Search

When I click on any of the above, Windows Installer window pops up trying to install Money. The items clicked on above will not load, this Money thing happens instead.  (If I click really fast several times on a desktop folder, the folder will open, along with Installer trying to load Money.) The other items above won't load at all.

I deleted the Money shortcut on the desktop, but it didn't help.

Sorry for the length of this, but not sure what you need and don't need to know.

Thanks so much for your continued help!

[magna86]

I would recommend to you to call someone who understands more in computer technology than you do.

As this isn't malware related, you may just delete FRST.exe icon from desktop. You'll have C:\FRST folder, you may keep that folder if you wish as it contains valid system backup hives.

[PamJ]

Thank you, magna86.  Since I finished running zoek and rerunning the other, I went ahead and attached to this post.

Thanks again.

[magna86]

While you are here, zoek has been clean the large number of adware. This shall remove the rest of it...

Re-run zoek.exe as you did before and post me the fresh created zoek log.

Code: [Select]

CertPropSvc;s
emptyfolderscheck;delete
emptyclsid;
MixiDJ V8;ff
C:\Documents and Settings\Pam\Application Data\Mozilla\Firefox\Profiles\35637qgf.default\extensions\{e4c3a8b6-7724-45d1-a629-17b69118ebcd}(2);f
ffdefaults;
klibnahbojhkanfgaglnlalfkgpcppfi;chr
oajgghejjpgkmpgbchgjieahoefimdle;chr
klibnahbojhkanfgaglnlalfkgpcppfi;chr
oajgghejjpgkmpgbchgjieahoefimdle;chr
giigmfllkbnekpcfdckipcdkdpinhpgl;chr
C:\Documents and Settings\Pam\Local Settings\Application Data\CRE\klibnahbojhkanfgaglnlalfkgpcppfi.crx;f
C:\Documents and Settings\Pam\Local Settings\Application Data\CRE\oajgghejjpgkmpgbchgjieahoefimdle.crx;f
C:\Documents and Settings\Pam\Local Settings\Application Data\CRE\klibnahbojhkanfgaglnlalfkgpcppfi.crx;f
C:\Documents and Settings\Pam\Local Settings\Application Data\CRE\oajgghejjpgkmpgbchgjieahoefimdle.crx;f
mcbkbpnkkkipelfledbfocopglifcfmi;chr
chrdefaults;
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main];r
"Start Page"="http://www.google.com";r
{0633EE93-D776-472f-A0FF-E1416B8B2E3A};c
{A057A204-BACC-4D26-8287-79A187E26987};c
C:\Documents and Settings\All Users\mbc.dat;f
ipconfig /flushdns >> %temp%\log.txt;b
emptyalltemp;

[PamJ]

Here it is...thanks!

[magna86]

That's it. All adware has been removed. Use DelFix to uninstall and remova zoek and FRST.

Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes below;

• Remove disinfection tools
• Create registry backup
• Purge System Restore

Now click on "Run" button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

[PamJ]

Thanks again, magna86.

One more question, though. In using DelFix and purging system restore, will it remove ALL system restore points or just the one set by zoek? (I don't want to remove them all.)

The problem still exists (as we thought it would since it doesn't appear to be virus related). I will try a few more things and if they don't work I might just get a new computer rather than pay someone to check this and maybe be able to fix it. My machine is six years old and running XP (which I believe will stop having support and security updates in April next year). I've had my eye on a computer/monitor combo for a while that's a pretty good deal, so might just be time. Once a computer gets past a certain age point, I think it's best to weigh the cost of repair versus new.

Thanks!

[Michael (alan1998)]

if Avast! is still saying it's Evo-Gen email them at :virus@avast.com or through the Virus Chest.

[magna86]

One more question, though. In using DelFix and purging system restore, will it remove ALL system restore points or just the one set by zoek? (I don't want to remove them all.)

DelFix shall remove all previus created system restore point and it shall create new and fresh point. If you do not agree with that, then just uncheck "Purge system restore" options.

Feel free to coll someone to install Microsoft's Money. Or you may remove it from startup, that should stop im to been load.

HKLM\...\Run: [MoneyStartUp10.0] - C:\Program Files\Microsoft Money\System\Activation.exe [241714 2001-07-25] (Microsoft Corporation)

You may use CCleaner for that. In CCleaner panel > Tools > Startup and disable MoneyStartUp10.0 entrys.