Malware blocking almost everything

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by LMarvet, Oct 3, 2011.

  1. LMarvet

    LMarvet Private E-2

    I have an old Dell running MS XP. Something has infected it, though it had AVG antivirus and Windows Defender running, as well as regular scans of Spybot.

    Somehow AVG and Defender were disabled, and I can't run any of the programs listed in the Majorgeeks sticky note--Superantispyware, Malwarebytes, Combofix, etc, or Spybot. Firefox was disabled, then, eventually, even IE. In a few cases, the browser seemed to be redirected.

    While IE was running, I tried running several online scans; most evaporated immediately, and some seemed to get to a few files before evaporating. None made any report. I tried running from a flash drive; that didn't work.

    The only thing that seemed to run (it didn't seem to help) was a Microsoft Standalone System Sweeper disk I made on another computer. (Version 1.113.773.0 on 10/2/11) This ran a scan for a long time and found the following, which I copied:

    Exploit: Java/CVE-2010-0840.BE
    Worm: Win32/klez.H@mm
    Program: Win32/PowerRegScheduler

    All were set to "remove" and the report said "succeeded". However, the computer is no better than it was and in some ways getting worse.

    Not sure what to do next--thanks in advance for your help!

    Larry
     
  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, LMarvet!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and then attach the requested logs to your next reply when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    * Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated - our system works the oldest threads FIRST.
     
  3. thisisu

    thisisu Malware Consultant

    Sorry, I overlooked this.

    What about MGtools? >> Using MGtools

    Have you attempted to run any of the programs in Safe Mode? >> Starting your computer in Safe Mode.

    Give me details on what happens when you try to run the programs you say you cannot run.

    Also try to complete the below:

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon.
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Please download OTL by Old Timer to your desktop.
    • See the download links under this icon.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
    • Select Scan All Users.
    • Under the Extra Registry section, check Use SafeList.
    • Check the boxes beside LOP Check and Purity Check.
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      netsvcs
      %systemdrive%\*.exe
      /md5start
      atapi.sys
      csrss.exe
      explorer.exe
      ipnat.sys
      ipsec.sys
      regedit.exe
      svchost.exe
      tcpip.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %windir%\assembly\tmp\L /s
      %windir%\assembly\tmp\U /s
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      hklm\software\clients\startmenuinternet|command /rs
      hklm\software\clients\startmenuinternet|command /64 /rs
      
    • Now click the button to start the scan.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be two log files on your desktop entitled OTL.txt and Extras.txt.
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)
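    The /md5start ... /md5stop block above makes OTL hash a fixed list of kernel-mode drivers and core executables so the helper can compare them against known-good values; driver-infecting rootkits of this family patch exactly these files in place. As an added example (not OTL's code and not from the thread), here is the same baseline-and-compare idea in Python: hash the listed files, store a baseline, and later classify each file as unchanged, modified or missing. The directory layout, file contents and the tampering are constructed for the demo. In a real case the comparison should be run from clean boot media, like the System Sweeper disk in the first post, because a kernel-mode rootkit can filter reads and hide its changes from a scanner running on the infected system.

```python
"""Baseline-and-compare check for critical Windows binaries.

Mirrors the idea behind OTL's /md5start ... /md5stop custom scan: hash a
fixed list of drivers and core executables that rootkits commonly patch or
replace, then compare against a baseline taken from a clean install or a
trusted reference machine. Added example, not OTL's code. The file names come
from the thread; the directory layout and the tampering are constructed.
"""
import hashlib
import os
import tempfile

# Same file list the thread's OTL custom scan hashes. On a real XP box these
# live under %systemroot%\system32 and %systemroot%\system32\drivers.
CRITICAL_FILES = [
    "atapi.sys", "csrss.exe", "explorer.exe", "ipnat.sys", "ipsec.sys",
    "regedit.exe", "svchost.exe", "tcpip.sys", "userinit.exe", "winlogon.exe",
]


def hash_file(path, algo="sha256"):
    """Return the hex digest of a file, streamed in 64 KiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names=CRITICAL_FILES, algo="sha256"):
    """Hash every listed file under root; a missing file is recorded as None."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        baseline[name] = hash_file(path, algo) if os.path.isfile(path) else None
    return baseline


def compare_to_baseline(root, baseline, algo="sha256"):
    """Classify each baselined file as ok, modified, missing or new."""
    current = build_baseline(root, baseline.keys(), algo)
    report = {}
    for name, expected in baseline.items():
        actual = current[name]
        if actual is None:
            report[name] = "missing"
        elif expected is None:
            report[name] = "new"        # absent at baseline time, present now
        elif actual == expected:
            report[name] = "ok"
        else:
            report[name] = "modified"
    return report


def demo():
    """Constructed scenario: clean snapshot, then a patched driver and a deleted binary."""
    root = tempfile.mkdtemp(prefix="sys32_demo_")
    for name in CRITICAL_FILES:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"clean contents of " + name.encode())
    baseline = build_baseline(root)

    # Simulate an in-place driver patch: same size, different bytes, so a
    # size-only or timestamp-only check would not notice.
    with open(os.path.join(root, "atapi.sys"), "wb") as fh:
        fh.write(b"XXXXX contents of atapi.sys")
    os.remove(os.path.join(root, "regedit.exe"))

    return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

    The baseline is only as trustworthy as the machine it was taken from; take it from install media or a known-clean reference system of the same patch level, not from the box under investigation.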
     
  4. LMarvet

    LMarvet Private E-2

    Thank you, thisisu! I have followed your directions as well as possible. Here are the specifics, with files enclosed:

    --uninstalled all Java updates (6u20, 6u7), rebooted then installed the latest
    --AVG is uninstalled
    --Uninstalled Viewpoint Media Player
    --DeFogger ran and disabled emulators
    --Ran Superantivirus after renaming. Ran about 15 seconds then evaporated. Tried the alternate start method, changing the kernel check boxes, no help, always evaporated.
    --Installed and updated Malwarebytes. Ran quick scan, evaporated in 5 seconds. When I tried to run again, got error "can't access"
    --Ran RootRepeal from desktop. Pop up "Initializing" but nothing happens.
    --Ran MGTools and it seemed to run a complete scan (see log). There was one error that came up, "Ordinal 1108 could not be located in dynamic link library WSOCK32.dll", to which I hit "ok" and it went away; did not seem to affect the scan.
    --Went into safe mode (no networking). On my first try, got a BSOD and memory dump. Restarted and got into safe mode ok.
    --Ran TDS as a diff name, it ran and found a medium threat which I had quarantined. Log enclosed.
    --MBRCheck ran, no problem, log enclosed.
    --OTC ran, no problem, log enclosed
    --Still in Safe Mode, tried SuperAV, still evaporates at about 15 sec
    --Malwarebytes won't start, "cannot access path"
    --RootRepeal says "Initializing" for 30 minutes, apparently hung, no good

    Thanks again. Let me know the next step, please.
    Larry
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    You are infected with a Max++/Sirefef/ZeroAccess rootkit.

    I will prepare a fix for you later this evening after work.

    In the meantime, please also attach Extras.txt as requested.

    And try to run ComboFix.exe from Safe Mode. Attach its log if it is able to run.
     
  6. LMarvet

    LMarvet Private E-2

    Sorry I didn't attach those files before, see enclosed. I (obviously) ran Combofix. It rebooted a couple of times and, at one point, a popup said, "PEV.exe encountered a problem and needs to close". I clicked ok. Eventually it ended up at the log file txt screen.

    Let me know what I need to do. And thanks again!

    Larry
     

    Attached Files:

  7. LMarvet

    LMarvet Private E-2

    I forgot to say that I ran Combofix in safe mode, no networking. Larry
     
  8. thisisu

    thisisu Malware Consultant

    It looks like ComboFix removed most of what needed to be removed. This fix will be mostly to ensure those files/folders are gone, as well as clearing up some extras.

    Attempt to perform all fixes here while in Normal Mode! If for some reason you are not able to, then resort to Safe Mode.

    This is fairly normal when you are heavily infected. Nothing to worry about.

    I'm also removing some traces of AVG. Do not reinstall AVG until we are completely finished with malware removal! I will let you know.

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
    • When OTL opens, copy the text in the code box below and paste it into the text-field.
      Code:
      :processes
      killallprocesses
      :otl
      O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
      O2 - BHO: (no name) - {99E00A4C-D35E-11DD-BA95-9B6A56D89593} - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      [2011/10/03 20:11:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.DOWNSTAIRS\Application Data\Viewpoint
      [2003/12/11 03:51:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      [2011/10/04 03:59:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
      [2008/05/25 14:50:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINXP\Application Data\Grisoft
      [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
      [2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
      [1 C:\*.tmp files -> C:\*.tmp -> ]
      [2011/10/04 06:07:25 | 000,000,000 | ---- | M] () -- C:\WINDOWS\94286682
      [2010/03/06 17:36:41 | 000,012,232 | -HS- | C] () -- C:\Documents and Settings\Owner.DOWNSTAIRS\Local Settings\Application Data\fwSG76dUmwJ
      [2011/10/03 20:39:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg9
      @Alternate Data Stream - 784 bytes -> C:\WINDOWS\94286682:2773246458.exe
      [C:\WINDOWS\$NtUninstallKB15177$] ->  -> Unknown point type
      :services
      5ab39e05
      :files
      c:\windows\$NtUninstallKB15177$
      C:\AVG6DB_F.DAT
      C:\Documents and Settings\Owner.DOWNSTAIRS\Local Settings\Temp\0.442182515848235.exe
      dir "C:\Documents and Settings\Owner.DOWNSTAIRS\Desktop\computer problem files 01011\" /c
      xcopy %temp%\smtmp\1 "%allusersprofile%\start menu" /s /i /h /y /c
      xcopy %temp%\smtmp\2 "%userprofile%\application data\microsoft\internet explorer\quick launch" /s /i /h /y /c
      xcopy %temp%\smtmp\3 "%appdata%\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar" /s /i /h /y /c
      xcopy %temp%\smtmp\4 "%allusersprofile%\desktop" /s /i /h /y /c
      :reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
      "AvgUninstallURL"=-
      :commands
      [purity]
      [emptytemp]
      [emptyflash]
      
    • Now click the button to run the fix.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • When complete, Notepad will open.
    • Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)
    • Now open OTL again and click the quick scan button
      Note: This automatically updates the OTL.txt log on your desktop.
    • Attach OTL.txt to your next message. (How to attach items to your post)

    Now download NTFSAccess by Zeus Software to your desktop.
    • Double-click NTFSAccess_2.1.zip to open.
    • Extract NTFSAccess.exe to your desktop.
    • Now double-click NTFSAccess.exe to run.
    • When the NTFSAccess opens, click the Browse button.
    • Click/Select Local Disk (C: ) because we want to gain access to the entire C: drive again.
    • Make sure there are checkmarks inside Set folder owner and Set folder full access rights.
    • Now click the Grant button.
    • Let this run unhindered until it is finished. Click OK when it says Operation Complete.

    Now try to run both SUPERAntiSpyware and MalwareBytes Anti-Malware.
    They should not shut down in the middle of a scan this time, but let me know if they do. Attach the logs if they completed successfully.

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
    Last edited: Oct 5, 2011
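    The fix script in this post was assembled by reading OTL's file entries and alternate-data-stream entries and picking out what did not belong: a hidden+system file with a random name under a user profile, a zero-byte file with an all-digit name directly under C:\WINDOWS, and an .exe carried in an alternate data stream. As an added example (not OTL's code and not the helper's), the following Python parses those two line shapes and applies those three triage heuristics to the lines quoted above, plus one constructed benign entry for contrast. Two assumptions about the OTL format are made: the four attribute letters are R, H, S, D (read-only, hidden, system, directory) in that order, and the trailing C/M marks whether the shown date is the Created or the Modified stamp.

```python
"""Triage helper for OTL scan output lines.

Parses file entries of the form
    [date time | size | attrs | C|M] (company) -- path
and alternate-data-stream entries of the form
    @Alternate Data Stream - N bytes -> path:stream
then flags entries matching what was removed in this thread. Added example,
not OTL's code. Assumed: attrs are R, H, S, D in that order; C/M = Created/Modified.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: four lines copied from the fix script above plus one
# benign entry (values constructed) for contrast. In practice read OTL.txt.
SAMPLE_OTL_LINES = [
    r"[2011/10/03 20:11:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner.DOWNSTAIRS\Application Data\Viewpoint",
    r"[2010/03/06 17:36:41 | 000,012,232 | -HS- | C] () -- C:\Documents and Settings\Owner.DOWNSTAIRS\Local Settings\Application Data\fwSG76dUmwJ",
    r"[2011/10/04 06:07:25 | 000,000,000 | ---- | M] () -- C:\WINDOWS\94286682",
    r"@Alternate Data Stream - 784 bytes -> C:\WINDOWS\94286682:2773246458.exe",
    r"[2008/04/14 00:12:00 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ctfmon.exe",  # constructed benign
]

FILE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<stamp>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")


@dataclass
class Entry:
    path: str
    size: int
    attrs: set                  # subset of {"R", "H", "S", "D"}; empty for ADS entries
    company: Optional[str]      # None when OTL printed no company field at all
    is_ads: bool
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL line; return None for lines that are not file or ADS entries."""
    m = FILE_RE.match(line.strip())
    if m:
        return Entry(path=m["path"], size=int(m["size"].replace(",", "")),
                     attrs={c for c in m["attrs"] if c != "-"},
                     company=m["company"], is_ads=False)
    m = ADS_RE.match(line.strip())
    if m:
        return Entry(path=m["path"], size=int(m["size"]), attrs=set(),
                     company=None, is_ads=True)
    return None


def apply_heuristics(e: Entry) -> Entry:
    """Attach human-readable reasons an entry deserves a closer look."""
    low = e.path.lower()
    parent, _, name = e.path.rpartition("\\")
    if e.is_ads:
        # "file:stream" where the stream itself is named like an executable;
        # the drive letter contributes the first colon, so require two.
        if e.path.count(":") >= 2 and low.rsplit(":", 1)[1].endswith((".exe", ".dll", ".sys")):
            e.flags.append("executable stored in an alternate data stream")
        return e
    if {"H", "S"} <= e.attrs and "D" not in e.attrs and "\\documents and settings\\" in low:
        e.flags.append("hidden+system file under a user profile")
    if parent.lower().endswith("\\windows") and name.isdigit():
        e.flags.append("all-digit name directly under the Windows directory")
    return e


def triage(lines) -> List[Entry]:
    """Parse and score every recognisable entry; unrecognised lines are skipped."""
    return [apply_heuristics(e) for e in map(parse_line, lines) if e is not None]


def suspicious(lines) -> dict:
    """Map path -> reasons, only for entries that tripped at least one heuristic."""
    return {e.path: e.flags for e in triage(lines) if e.flags}


if __name__ == "__main__":
    for path, reasons in suspicious(SAMPLE_OTL_LINES).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

    Heuristics like these only prioritise what a human reviews; the Viewpoint folders in the same script trip none of them and were removed on the strength of the helper's knowledge of that adware, not on file attributes.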
  9. LMarvet

    LMarvet Private E-2

    I tried running OTL in both normal and safe mode, following your instructions. In both cases, the program hangs. Not sure what's going on, but the message at the bottom of the screen is, like your line for pasting: Processing PRC File not found C:\WINDOWS\94286682:2773246458.exe

    What now?

    Larry
     
  10. thisisu

    thisisu Malware Consultant

    How long does the program hang?

    I edited my fix to remove that one line. See if it will not hang now. Make sure you are copying ALL the text inside the code box.
     
  11. LMarvet

    LMarvet Private E-2

    In normal mode, I rebooted after about an hour or 2. In safe mode, I've let it run all night (8 hours or so), but no change, so just shut down. I was able to open task manager and found the OTL process at 100% CPU just now in safe mode.

    Will try again without that line removed and let you know.

    Thanks!

    Larry
     
  12. LMarvet

    LMarvet Private E-2

    Update: I ran OTL in normal mode after removing the line and it ran no problem. (Haven't enclosed files here cause I'm at work). Then tried the NTFS program.

    In normal mode, it seemed to hang, running for 1.5 hours with no change. I then booted to safe mode and ran it again. It ran for an hour before I left for work, and I kept it running. Will let you know if it finished or not.

    One thing that happened, unfortunately, is that MS updates were automatically loaded and installed around the last time I ran OTL. Forgot to turn that off--hope this isn't an issue. Let me know if you want me to list the updates.

    Larry
     
  13. thisisu

    thisisu Malware Consultant

    Nope that is not necessary. Just keep trying to get all the programs to run. Next time if a program hangs for more than 20 minutes, close it and try again.
    Automatic Updates running in the background may have had something to do with it.
     
    Last edited: Oct 5, 2011
  14. LMarvet

    LMarvet Private E-2

    Believe it or not, when I came home, the NTFS routine had completed its run. Am running the malware scans now and should have more info later this evening.
    L
     
  15. thisisu

    thisisu Malware Consultant

    Glad to hear it. Make sure you also let me know how things are running after you attach all 6 logs in the next 2 messages (You can only attach 4 per message)

    • OTL Fix
    • OTL Quick Scan
    • Win32kDiag
    • MGlogs.zip
    • SAS
    • MBAM
     
  16. LMarvet

    LMarvet Private E-2

    Let me start by saying, Thanks! Sorry for the delay, but Superantivirus took over 5 hours to run.

    So, NTFSAccess ran in safe mode. I kept it in safe mode and ran Superantivirus. It found 12 problems, 2 serious, removed them and asked for a reboot. After reboot I ran Malwarebytes in normal mode; it completed with nothing detected. I then completed the Win32kdiag and getlogs routines you requested.

    I am enclosing the logs you needed. Will send a second message with the remaining files, since 4 is max.

    Computer seems to be working, though I haven't spent much time on it. 2 issues: Firefox seems to be broken--should I reinstall? And I haven't installed a virus program yet, per your instructions--is it time? Planning on Avira Free.

    Thanks again!

    Larry
     

    Attached Files:

  17. LMarvet

    LMarvet Private E-2

    It won't let me attach the mglog zip, even with a name change; it says already uploaded. So extracting and sending 1 by 1. Sorry. See next posts. L
     

    Attached Files:

  18. LMarvet

    LMarvet Private E-2

    More files from the mglog zip.
     

    Attached Files:

  19. LMarvet

    LMarvet Private E-2

    More.
     

    Attached Files:

  20. LMarvet

    LMarvet Private E-2

    Last file. Let me know what you think, please!

    L
     

    Attached Files:

  21. thisisu

    thisisu Malware Consultant

    Did you run GetLogs.bat as requested?

    The reason you were not able to upload MGlogs.zip is because the files inside are exactly the same:

    • It's Tue October 4, 2011 05:01:49 AM
    • It's Tue October 4, 2011 05:01:49 AM

    Follow these instructions, read the notes too.

    Put your computer back in Normal Startup Mode >> Use MSConfig to set up for Normal Startup Mode

    Once you have rebooted:

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
     
    Last edited: Oct 6, 2011
  22. LMarvet

    LMarvet Private E-2

    I did run the getlogs routine and it seemed to run fine. Maybe I attached the wrong one, sorry. Will send it when I get home.

    I've been saving the log and other files to a flash drive, then using another computer to write these messages. Possible it was older.

    L
     
  23. LMarvet

    LMarvet Private E-2

    OK, just ran MGLogs.bat again and here is the file you requested. There was never any request to approve HJT.

    Computer seems to be working, though I haven't spent much time on it. 2 issues: Firefox seems to be broken--should I reinstall? And I haven't installed a virus program yet, per your instructions--is it time? Planning on Avira Free.

    Let me know any next steps.

    Thanks again!

    Larry
     

    Attached Files:

  24. thisisu

    thisisu Malware Consultant

    Your PC is still not in Normal Startup. Reread post #21
     
  25. LMarvet

    LMarvet Private E-2

    OK, ran the msconfig, set to normal mode, rebooted. Then ran MGLogs.bat again and here is the file you requested. There was never any request to approve HJT.

    Computer seems to be working, though I haven't spent much time on it. 2 issues: Firefox seems to be broken--should I reinstall? And I haven't installed a virus program yet, per your instructions--is it time? Planning on Avira Free.

    Let me know any next steps.

    Thanks again!

    Larry
     

    Attached Files:

  26. thisisu

    thisisu Malware Consultant

    Glad to hear it.
    That would probably be the quickest route.
    If you have any bookmarks you would like to backup, read this: Backing up and restoring bookmarks - Firefox
    Your logs are clean, after you perform these last steps you can install it.
    You're welcome. Surf safely.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
