Can't run MBAM, ComboFix or any other malware programs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Navig8tor, Mar 11, 2011.

  1. Navig8tor

    Navig8tor Private E-2

    Hello, I can't run MBAM, ComboFix or antispyware. I have run MGTools and here is my log. Any help will be greatly appreciated. Thanks in advance.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First off, it is a very bad idea to allow all users to have Admin privileges. Once malware gets into the system on an Admin account, it has free rein of the computer.

    Go to start / run / and type:
    services.msc

    Scroll through the services and look for this:
    vbma640d

    If you find it, disable it.

    Now, use windows explorer to find and delete:
    C:\WINDOWS\Tasks\9D5FF430B8309A5C.job
    C:\Documents and Settings\All Users\Application Data\.wtav

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now see if you can run any of the other scans. ( Also, make sure you agree to the license to run HJT when you re-run MGTools!!)

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
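
    As an added example, not part of TimW's instructions and not a MajorGeeks tool: a PowerShell script that carries out the steps above in one pass, recording what it finds before it changes anything. It looks up the named service and its binary, sets it to Disabled (not deleted), removes the two files listed, lists any other .job files in the Tasks folder, and imports the .reg file from the desktop, reporting the exit code so there is no doubt whether the merge succeeded. The service name and file paths are the ones cited in the post; the .reg contents are not on this page and are not reproduced. It assumes an elevated Windows PowerShell prompt.

```powershell
# Added example, not TimW's text or a MajorGeeks tool. Run as Administrator.
# Names below are the ones cited in the post; fixME.reg is assumed to be the
# file the user saved to the desktop (its contents are not on this page).
$ServiceName  = 'vbma640d'
$SuspectFiles = @(
    'C:\WINDOWS\Tasks\9D5FF430B8309A5C.job',
    'C:\Documents and Settings\All Users\Application Data\.wtav'
)
$RegFile = Join-Path $env:USERPROFILE 'Desktop\fixME.reg'

# Step 1: find the service and record its binary path before touching it,
# then disable (not delete) it so the file stays on disk for the log review.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    "Service $($svc.Name): state=$($svc.State) start=$($svc.StartMode)"
    "  binary: $($svc.PathName)"
    Set-Service -Name $ServiceName -StartupType Disabled
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    "  -> startup type set to Disabled"
} else {
    "Service $ServiceName not present in the service database"
}

# Step 2: remove the scheduled-task job file and the hidden data file.
# -Force is needed for hidden/system attributes; -LiteralPath stops a name
# like '.wtav' from being treated as a wildcard pattern.
foreach ($f in $SuspectFiles) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f -Force
        "Removing $($item.FullName): $($item.Length) bytes, modified $($item.LastWriteTime), attrs $($item.Attributes)"
        Remove-Item -LiteralPath $f -Force
    } else {
        "Not found: $f"
    }
}

# Any other .job files in the Tasks folder deserve a look as well.
"Remaining .job files:"
Get-ChildItem 'C:\WINDOWS\Tasks' -Filter '*.job' -Force -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime

# Step 3: merge the .reg file and check the exit code. reg.exe returns 0 and
# prints "The operation completed successfully." only when the import worked.
if (Test-Path -LiteralPath $RegFile) {
    & reg.exe import $RegFile
    if ($LASTEXITCODE -eq 0) {
        "Registry import succeeded"
    } else {
        "Registry import FAILED (exit code $LASTEXITCODE)"
    }
} else {
    "fixME.reg not found on the desktop"
}
```

    The script prints rather than returns so the output can be pasted into a reply alongside the logs. Disabling the service instead of deleting it keeps the binary available for the analyst; the same applies to recording file sizes and timestamps before deletion.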
     
  3. Navig8tor

    Navig8tor Private E-2

    Here is the log.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    • Please download GMER and save it to your Desktop:
      • Unzip (extract) the gmer.exe file to your Desktop.
    • Make sure the executable file is named gmer.exe, otherwise the instructions below will not work properly.
    • On your Desktop, click the Start button and select Run
    • Then in the Run box copy & paste the below exactly as written
      • "%userprofile%\desktop\gmer.exe" -protect
    • Then click OK.
    • You may have to do this more than once to get it to run properly due to the malware.
    After you get GMER running from the above, GMER will hopefully show the rootkit. Right-click on the bad service and choose Disable Service on the context menu.

    If this works properly GMER will disable the service ok and you will get the below prompt telling you to reboot.


    • Click OK to reboot.
    • After your PC reboots, run TDSSKiller and if it detects the bad service that we are interested in, change the default action to delete at the top, then click on Continue.
    • TDSSkiller may ask you to reboot the computer to complete the process. Click on Reboot Now.
    combofix.exe (download it directly to your desktop).

    If the above is all successful, we may be able to run ComboFix now, but we will run it with the below instructions.
    • On your Desktop, click the Start button and select Run
    • Then in the run box copy & paste the below exactly as written
      • "%userprofile%\desktop\combofix.exe" /stepdel
    • Then click OK.
    • When finished, ComboFix should create a combofix.txt log for you to attach to your next reply.
    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!


    Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123tdk.com).
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory ( usually Local Disk C ).
    • Attach this log to your next message



    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * TDSSKiller log
    * GMER log
    * C:\Avenger.txt
    * C:\MGlogs.zip
     
    Last edited: Mar 12, 2011
  5. Navig8tor

    Navig8tor Private E-2

    Thanks, that seemed to do the trick. Here are the logs.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Bring up Device Manager by right clicking My Computer and selecting Properties. Then click the Hardware tab and then select Device Manager.

    Look under System Devices section, do you see something like [cmz vmkd] or [cmz vmkd] Virtual Bus

    If you find a match to what I said to look for, then right-click on it and select Disable (do not select Delete at this time).

    Then reboot your PC. After reboot, continue with the below.


    See if you can now run ComboFix. I also want you to run SAS and MBAM on each user account. Attach the logs that show any infection and label them so I know which account they come from.

    Also, go to C:\MGTools\analyse.exe and run it. Attach the resultant HJT log.

    You didn't attach the C:\Avenger.txt.
     
    Last edited: Mar 13, 2011
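
    The Device Manager check above, as an added PowerShell example that is not part of TimW's post: it enumerates Plug and Play devices whose name matches the pattern he asked the user to look for, shows the kernel driver service behind each match together with the driver file's path and hash (the artifact a rootkit normally hides), and then disables the device rather than uninstalling it, as the post says. The pattern 'cmz vmkd' is taken from the post; everything else (Win32_PnPEntity, Win32_SystemDriver, Disable-PnpDevice) is standard Windows tooling. Disable-PnpDevice and Get-FileHash need Windows 8 / PowerShell 4 or later and an elevated prompt, so on the XP-era system in this thread the Device Manager GUI route is the one that applies.

```powershell
# Added example, not TimW's text. Run as Administrator on Windows 8 or later.
# The device-name pattern comes from the post; a space or no space between the
# two words is accepted because the post shows it both with and without a suffix.
$Pattern = 'cmz\s*vmkd'

$found = Get-CimInstance Win32_PnPEntity | Where-Object { $_.Name -match $Pattern }
if (-not $found) {
    "No Plug and Play device matching '$Pattern'"
    return
}

foreach ($dev in $found) {
    "Device : $($dev.Name)"
    "  ID    : $($dev.DeviceID)"
    "  Class : $($dev.PNPClass)   Status: $($dev.Status)"

    # A virtual bus device is backed by a kernel driver registered as a service.
    # Record its file before disabling anything; a driver whose file cannot be
    # seen on disk while the service is running is itself a finding.
    if ($dev.Service) {
        $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$($dev.Service)'"
        if ($drv) {
            "  Driver: $($drv.Name) state=$($drv.State) start=$($drv.StartMode)"
            "  File  : $($drv.PathName)"
            if ($drv.PathName -and (Test-Path -LiteralPath $drv.PathName)) {
                $hash = (Get-FileHash -LiteralPath $drv.PathName -Algorithm SHA256).Hash
                "  SHA256: $hash"
            } else {
                "  File not visible on disk"
            }
        }
    }

    # Disable, not uninstall: the device and driver remain for later analysis.
    Disable-PnpDevice -InstanceId $dev.DeviceID -Confirm:$false
    "  -> disabled; reboot before continuing with the scans"
}
```

    Matching on the device name with a regular expression rather than an exact string is deliberate: the post gives two variants of the name, and malware-generated device names are not guaranteed to be stable.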
