Malware disabled Task Manager, Safe Mode, and wants us to buy AV!

My wife's computer had a Trojan and other things that were messing it up. I thought I got them out but they seem to be back, or she got new ones that are similar. First one seemed to be from a program called "Protection Systems" that may have come from "My Web Search", which may have come with "Gamevance32". Protection Systems was trying to convince us we had many viruses and we should download their program (and pay to activate it) to clean these up. It used windows that looked remarkably like real Windows, but there was no mention of Microsoft or any copyright info at all. It also kept saying I had no AV software. Well, I used my Norton and Comcast Anti-Spyware, that I didn't have, to remove them. My Web Search was automatically blocking any attempt to change my default web search engine. Gamevance32 was making over 900K changes in my computer on each Startup (according to my Norton History). Something also disabled the Task Manager via Administrator, and also has disabled the Safe Mode Startup.
Things were good for several days, but last night a new set started. A program called "Personal Anti-Virus" also trying to get us to buy it so it could clean out stuff it said we had. It had installed itself in the C:/Programs/ directory without Windows knowing about it. And added itself to the Startup list in MSCONFIG. I disabled the Startup and rebooted. Then I was able to delete the program. However, my Norton keeps telling me that Hacktool tries to run on each Startup, and tells me the file name, and Blocks or Removes it each time, but when I look in the File Manager where it says it is located, there is nothing there I can see. The file it names is not listed. I am the Administrator and all files are supposed to be visible. So obviously I have not found all of the problem children. My wife does a lot of downloads of simple games, you play for an hour and then it is done and you go find another one. If you really like one, you can download the full version and buy it. I think these might be coming in on one of these game suppliers, like Gamevance32. I'm thinking another one might be "IWon.com". Do you have any direct knowledge of these? In looking up the Safe Mode problem I came upon your forum for "Malware changed my Login's, Disabled AntiVirus & Windows Safe Mode. Please help!". Your response seemed to be what I may need also. I really don't want to re-format my C Drive. It would take three solid days to reload every program and document, if I can find all the original CD!

 

This computer is now infected with Police Pro and nothing is allowed to work. None of the applications in the computer work except Police Pro, Internet Explorer, and Flock. All anti-virus, anti-spyware, downloaded fix programs (FindyKill) are blocked and will not run. Neither will the Run First stuff. No Regedit, no Msconfig, no Task Manager, no Safe Mode, etc.... So where can I go from here? I can download anything, but as soon as I click "Run", it is blocked. A window pops up from the toolbar saying this file is infected and cannot run. I am sending this from my computer. These seem to be popping up every three days.

 

Thanks for responding Chaslang. Sorry, haven't tried MGTools yet. I didn't see the stuff about Read First until after I had already posted. May I suggest you folks use a verification email so new people have to read the email before they are allowed to post? Anyway, the last couple of days we have been preparing for vacation. We will be back 9/14 and I will start the Read First process on the 15th, documenting exactly what works and what doesn't. I have already printed about 60 pages of all the procedures. I have also asked the SAS people if that program can be downloaded to, installed on, and run from a write once CD, but I have had no response yet. I have a feeling I am going to wind up doing the suggestion you listed below. By the way, I forgot to mention this machine is a desktop running Windows XP Media Center Edition w/SP2. I have seen a lot of references to XP Home and XP Pro in various procedure listings (My new laptop is using XP Pro w/SP3). Would the procedures listed for XP Pro be basically the same as for XP Media Center?

 

OK, I just started up the infected computer, but I didn't get far. I was going to try the MGTools and send you the log, but below is what happened. When I had been on this computer previously it had been locking up all applications from starting. I had Re-Started as Administrator and tried to run my Norton Internet Security 2008 (latest at the time bought) but it locked up after a few seconds of trying to bring up its History file. Scan would not run. I was able to open Internet Explorer and start my online Comcast.net Anti-Spyware and start a Full Scan. It immediately Quarantined 7 files and then froze. I was able to close it but when I re-opened it and tried to scan again it kept saying Scan was already running. I had Cancelled the Scan but it would not clear itself. At that point I tried to download and run SAS because it was listed before MGTools on the list of programs to download and Run. SAS downloaded successfully and appeared to install successfully, but when I tried to Run it, it failed with the Error window I had mentioned previously. I shut down the computer to await the time I could get all the instructions from Run First together and try it all. Today I started:

*Started up as Administrator.
*As several Error Windows were popping up, Police Pro Main Window appeared. As I started to disclaim "Aw, $%&*", it disappeared.
*Error Windows continued to appear, total 34, all for .exe files.
*Had to Click each OK button 3 times to clear each window. Clicked button, window popped off and popped back on. Repeat twice more before window did not return.
*Most of Startup Toolbar icons appeared, including Norton. Opened Norton.
*Got Error Window for Norton. Clicked it twice and then Norton opened anyway.
*Opened Norton History. It opened with only two lines, neither Malware.
*Tried Quick Scan, would not Run.
*Tried Full Scan, would not Run.
*Closed Norton.
*Opened Internet Explorer to try Comcast.net Anti-Spyware and download MGTools. Got three Error windows but it opened anyway.
*Ran Quick Scan on Anti-Spyware. It quarantined 46 files and completed its scan (I think when it quarantined the previous 7 files it disabled enough of Police Pro to be able to get the rest this time.)
*I closed Anti-Spyware and went to Majorgeeks.com.
*I was about to go to MGTools Download when Norton popped up a window that it had just quarantined tr(something).backdoor and that Norton needed to Restart the computer to finish fixing this problem.
*I closed IE and clicked on OK for Norton to Restart.
*During Restart, before Login Screen, I got two Error Windows. First one was titled "services.exe - Bad Image". Screen said "The application or DLL globalroot\systemroot\system32\kbiwkmlrrsotmo.dll is not a valid Windows image. Please check this against your installation diskette." It had an OK button. I clicked OK and the second window appeared saying exactly the same thing, except a different title. This one said "lsass.exe - Bad Image".
*I clicked OK and it proceeded to the Login Screen. Clicked Administrator.
*New window popped up with same message as last two, but a different title: "userinit.exe - Bad Image". Clicked OK.
*Desktop Background picture appeared after about 15 seconds (longer than usual), but no icons or Toolbar.
*Pressed Ctrl-Alt-Del. Same window appeared again with a 4th different title: "taskmgr.exe - Bad Image". Clicked OK and the Task Manager opened.
Task Manager shows no Applications running, but shows 38 Processes running, including all four previously listed .exe files on the Error windows.
*Tried the New Task button. It opened a Run Window with "msconfig" already showing. I clicked OK and Windows opened a new window asking me what program I wanted to use to open this .exe file. I then tried again with "explorer.exe", same result. Cancelled Run Window.
*Clicked on Restart from Menu.
*Restart repeated previous six steps except for New Task.
*Restarted again. Restart now went to Login without Error screens.
*Clicked Administrator. Went to Desktop Background picture without error, but still no icons or Toolbar.
*Ctrl-Alt-Del opened Task Manager without any Error Screen. Still 0 Applications, but now has 39 Processes.
*Restart from Menu. Repeats last 3 steps, but with 40 Processes.
*Repeated Restarts show no further change except Processes vary from 39 to 41. Repeated 8 times.
*Attempted Safe Mode Restart. Immediately after loading drivers, computer re-booted itself.
*Shut down computer. Reporting here.

Sorry I was not able to provide a log file. May I presume I will now need to create one of those bootable CDs you listed previously? I do not have the original Installation CD for Windows. This is a Gateway computer from 4 or 5 years ago and the Installation CD is actually a Partition of the Hard Drive. Drive D, for Recover purposes. They "Recommend" you make a Bootable CD when you first start up your new computer, but I was younger and dumber back then and never did. In looking at these 4 links you gave me, the Trinity Rescue Kit looks like the most comprehensive of the 4. Would any of these 4 be more apropo for my situation? I could do a Recover but all the Windows Settings would be cleared and I would have to re-install all the programs. It will save all documents, pictures, etc, but the programs, and their settings, will be gone.

 

The UBCD4Win is the one I used to create a Boot CD, with help from your brethrin in another thread. I was able to use it to clean out a couple hundred files and Registry items. I am still not able to boot up normally due to the Bad Image issue. I did have a slight problem with the Boot CD. Several of the programs in it would not work. I think this may be due to them not being complete. The CD was rated at 700MB and it had 733MB on it, so it may have been too small. I have remade a new one on DVD. It looks like it used about a quarter of it.

I just tried your suggestions from above:

iexplorer.exe would not Run from Task Manager. It gave a "Windows cannot find the selected file."

C:\WINDOWS\ServicePackFiles\i386\explorer.exe would not Run either. A window opened requesting I select what program I wanted to use to open this file.

Awaiting further instructions.

 

OK, how will I download this and install it on a CD so I can try it on the bad computer. I cannot download anything to that computer just yet, unless I can get a wireless connection thru the Boot CD?

 

That is correct! All I get is the background picture of my Desktop. I can use Ctrl-Alt-Del to open the Task Manager, but there are no Applications running and only 40 (39 - 41) Processes running. I have not tried inserting a CD yet to see if it will Autorun. I tried using the Run window from the Task Manager to open the File Manager, but it failed with the same "Open With This" window that the C:\WINDOWS\ServicePackFiles\i386\explorer.exe had. This is the same response I got for msconfig.exe and any other .exe I tried. Would a list of the Processes that are running help? The computer I am using for this is currently running 66 Processes, so I don't know if 40 is too few or not.

Does UBCD4Win have a dll repair program that I could use to fix the Bad Image dll file?

 

Had a surprise when I got back to the problem computer. I had left it on while I replied to you and when I returned to it, it had a Symantec window opened for its One Button Checkup Scan. Apparently it was still running in the background thru all the bootups I had attempted. It reported the following: Repaired 155 of 156 Registry Errors, 54 Program Integrity Errors, 102 Shortcut Errors, and Cleaned 1492 items in Norton Cleanup Scan.
I Closed Symantec. Still no Desktop, just the Background Picture.
Restarted the computer. Still no Desktop, just the Background Picture.

This worked. As does the File Manager now (explorer.exe) and msconfig.exe.

The only three letter names in the Processes are alg.exe & jqs.exe.

C:\Windows\system32\eventlog.dll 55KB
C:\Windows\system32\netlogon.dll 398KB
C:\Windows\system32\scecli.dll 177KB

All three were Last Modified on 04/13/2008. I was now able to use the File Manager to get these. I can probably now do EXEfix on a USB Stick. Do I still need it now the .exe seems to be working?

I retried your previous suggestions now that Run is working:

iexplorer.exe still cannot be found

C:\WINDOWS\ServicePackFiles\i386\explorer.exe opens the File Manager. No Desktop Icons appear, nor does the Toolbar.

 

No. No icons, no Toolbar, only the Background Picture.

( SIZE/ SIZE ON DISK )
C:\Windows\system32\eventlog.dll 56,320/ 57,344
C:\Windows\system32\netlogon.dll 407,040/ 409,600
C:\Windows\system32\scecli.dll 181,248/ 184.320

Successful! Log file attached!

It exists, as well as another file, same name, but no extension, and an icon of a folder with a spyglass.

 

Downloaded and currently running. It says Norton Internet Security is running and needs to be disabled. Do you know how I can disable it when I don't have a System Tray showing Its icon? It does not show on Task Manager either as an Application. I could stop its Processes if I knew which ones they were.

 

OK, did all the stuff you suggested above. ComboFix seemed to run ok. It said Norton was still running. After restart it seems to be just sitting there. After 20 minutes I have gotten no further responses from ComboFix. I tried to disable ccSvcHst.exe again and this time it said I do not have permission to do that. Is this because ComboFix is still running in the background? Is this amount of time normal for it to finish?

 

No. I'll be back later with the rest.

 

When I got back to the computer last night it had a window for Norton Internet Security. It had finished a Full Scan. I restarted the computer again so it could finish its Cleanup. Nothing further appeared on the screen overnight. I proceeded with your procedures this morning.

 

• 
  
  Done!
  
  
  Done! Ran seperately for each userid.
  
  
  Done!
  
  
  Done! Everything seems to be OK so far.

 

All done! Thank you very much.