Malware blocks the use of antivirus, Microsoft updates and more. Hero/es Needed!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ShpongleCraft, Nov 27, 2011.

  1. ShpongleCraft

    ShpongleCraft Private E-2

    Hail, friendly ones!

    I've recently been infected with some kind of Zlob, I think, after having just reformatted my hard drive, and it's got me somewhat paranoid and fearful of the internet. Why?

    SYMPTOMS
    It's restricted access to antivirus websites, blocked Microsoft's webpages so I can't download important updates, switches off Automatic Updates every time I power up my computer, rendered programs such as McAfee Security Scan malfunctioning (they won't initiate when I start the program), and probably more.

    Also I think it's actually disabled the ESC key on both of the keyboards I've plugged into my can, or maybe I'm just being paranoid about that.

    Attempts at downloading the software necessary to get rid of this thing have been tricky since it can also block the download links too. But I've managed to download ComboFix and run it. I've posted the report from that further down.

    What I CAN DO
    I can still access blocked URLs though, using Google's function to translate the pages, but alas I cannot do much more than that. I can still perform tasks that have nothing to do with security, like gaming or surfing my "censored" browser (Firefox), but naturally I feel insecure, to say the least, when signing in to my mail or something like that.

    The reason I don't just reformat my hard drive yet again is because it's hellishly frustrating when you don't have the drivers on discs. But I've done it before and am willing to do so again, but only as a last resort.

    INTERESTING THING I'VE NOTICED ON MY COMPUTER
    There's a boot.bak file on C:, is that supposed to be there?

    ComboFix Report

    Edit by chaslang: Inline ComboFix log attached.
     

    Attached Files:

    Last edited by a moderator: Nov 27, 2011
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Zlob is an insignificant issue in the malware world these days. And your ComboFix log shows no signs of Zlob. It does show that you have been running with a Conficker infection for quite some time though.

    Also note that ComboFix should never be the 1st thing you run!!! Also note, please do not post any inline logs like you did with ComboFix. Logs must be attachments (See: HOW TO: Attach Items To Your Post )



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now after running the above, let's perform a proper malware cleaning process as shown in the below link. You can skip the section where ComboFix is requested since you have already run it.

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide



    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
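The symptom pattern in the first post (antivirus and Microsoft hostnames unreachable while other sites load, Automatic Updates switched off at every boot) matches the Conficker diagnosis in the reply above. The triage script below is an added example, not something from the thread or from MajorGeeks; it assumes a Windows host with Python 3, and the probe hostnames and the sample `sc qc` output are constructed for illustration.

```python
"""Triage helper for the symptom pattern in this thread: security-vendor and
Microsoft hostnames fail to resolve while control hostnames work, and the
Automatic Updates service (wuauserv) is left disabled."""
import re
import socket
import subprocess

# Probe hostnames chosen for this example (assumptions, not from the thread).
SECURITY_HOSTS = ["update.microsoft.com", "www.mcafee.com", "www.symantec.com"]
# Hostnames with no security association; if these fail too, the box is
# simply offline rather than selectively blocked.
CONTROL_HOSTS = ["www.wikipedia.org", "www.example.com"]


def resolves(hostname):
    """True if the system resolver returns an address for hostname."""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False


def classify_dns(results):
    """results maps hostname -> resolved (bool).
    Returns 'targeted-block', 'offline' or 'ok'."""
    blocked = [h for h in SECURITY_HOSTS if not results.get(h, False)]
    control_ok = any(results.get(h, False) for h in CONTROL_HOSTS)
    if blocked and control_ok:
        return "targeted-block"   # security sites fail, others work
    if blocked:
        return "offline"          # everything fails: connectivity problem
    return "ok"


def parse_start_type(sc_qc_output):
    """Extract START_TYPE from `sc qc <service>` output (4 means DISABLED)."""
    m = re.search(r"START_TYPE\s*:\s*(\d+)", sc_qc_output)
    return int(m.group(1)) if m else None


def update_service_disabled(sc_qc_output):
    return parse_start_type(sc_qc_output) == 4


def triage():
    """Run both checks on the local host and return a summary dict."""
    dns = classify_dns({h: resolves(h) for h in SECURITY_HOSTS + CONTROL_HOSTS})
    out = subprocess.run(["sc", "qc", "wuauserv"], capture_output=True, text=True).stdout
    return {"dns": dns, "wuauserv_disabled": update_service_disabled(out)}


# Constructed sample of `sc qc wuauserv` output on a host where Automatic
# Updates has been disabled (not captured from the poster's machine).
SAMPLE_SC_QC = """SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
"""
```

A "targeted-block" result together with a disabled wuauserv is the combination the poster described; either finding alone has benign explanations (DNS outage, an administrator who turned updates off).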
     
  3. ShpongleCraft

    ShpongleCraft Private E-2

    [QUEST COMPLETE]
    You!... you're a good man Chaslang!
    I've done as the "READ & RUN ME FIRST" instructed and have come up with the following logs that are attached. So far everything has run smoothly, and there seems to be very little loss to the system. After the Conficker was removed I was finally able to complete the task I had set about, after having reformatted, of getting the computer up to date with necessary updates, drivers, and software for use.

    I can't thank you enough for helpin' me out, and I'll mention you and this site to all those in need of a proper internet Hero, Mr.Chaslang.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. You did not attach the proper log from MGtools. You need to attach the C:\MGlogs.zip file so that we can continue.

    Also do you have the log from SUPERAntiSpyware?
     
