problem: can't run mbam, sas, combofix, and more

Welcome to Major Geeks!

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Administrator

You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

1. Rkill.exe
2. Rkill.com
3. Rkill.scr
4. Rkill.pif

Once you've gotten one of them to run then try to immediately run the following.


Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

AVPFind.bat

It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that is will hopefully create as long as the malware does not block the batch file from running. (See: HOW TO: Attach Items To Your Post )


Now download and Run exeHelper

• Please download exeHelper to your desktop.
• Double-click on exeHelper.com to run the fix.
• A black window should pop up, press any key to close once the fix is completed.
• A log file named log.txt will be created in the directory where you ran exeHelper.com
• Attach the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Also please try running the below online scan:

http://www.superantispyware.com/onlinescan.html

Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log with it.


Then try running these instructions: Using MGtools


Attach the below logs when finished with all of the above:

• C:\avplog.txt - from AVPfind
• a log from online SAS scan if you could make one
• log.txt - from exeHelper
• C:\MGlogs.zip - from MGtools

The C:\ assumes that drive C is you Windows boot drive. If you boot from another drive, then use the correct drive letter above.

 

Your MGlogs.zip is incomplete. Please take a look at this and refer to the error messages section:

Using MGTools

Now do the following:

• Download this Win32kDiag(If on your desktop - Right click and choose copy / then Open my computer, click on the C drive and in the window paste it there) and save to C:\Win32kDiag.exe. You must save it here!!!!
• Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log

C:\win32kdiag.exe -f -r

Now download a fresh version of MGtools and save it to your root folder.

Run the new MGTools.exe referring to the link I gave you in case you receive any errors.

Attach the:
Win32kDiag.txt..and..
The new C:\mglogs.zip into your next reply here

 

Okay, let's do the below:

Click Start, Run type in cmd and click OK.

This will open a command prompt Window. In the command prompt Window, enter the below commands each followed by the enter key:

Now attach the C:\ver.txt and C:\flist.txt files here. Note there is a space after the dir and before the >

 

Hi there, we need to work out why yoour Mglogs.zip is always incomplete, so see the below:

• What exactly happens when trying to boot in safe mode? And have you also tried using the real Administrator account in safe mode?
• Try saving exeHelper to the C:\Windows folder and see if it will run from here since it could not be saved to the Desktop.

Now let's do this:

Click start > run > type in cmd > paste in the following in the quote box:

Then press enter. Attach the C:\Plist.txt into your next reply.

Thanks
Kes13!

 

Hi. I need you to take a look in your task manager and end the following processes if present:

Then immediately afterwards, try running MGTools.exe.

Next - run:

Attach logs from each.

Thanks
Kes13!

 

OK hang in there, I am speaking to Chaslang about it

 

Click start > run > type in cmd > and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>

process -k WS908.exe
process -k antimalware.exe
process -k VRT6.tmp

Note there is a space before and after the -k in the above commands.

Getlogs.bat <-- this should start a scan for all of the MGtools programs. If it does not then tell us what happens. If it does, let it finish and attach the C:\MGlogs.zip file when it finishes.

process > C:\Plist.txt

Attach the new C:\Plist.txt file and do not reboot your PC or shut it down. Wait for our next message.

 

Click start > run > type in cmd > and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>

process -k VRT1A.tmp
process -k VRT17.tmp

Note there is a space before and after the -k in the above commands.

GetRunKey.bat <-- This is different than last time. If it does not then tell us what happens.

ShowNew.bat <-- If it does run properly, then tell us what happens.

process > C:\Plist.txt
dir C:\MGtools > C:\flist.txt

Attach the new C:\Plist.txt and C:\flist.txt log files and do not reboot your PC or shut it down. Wait for our next message.

Also try doing the below.


Download ProcessExplorer

• Unzip it to its own folder somewhere you can locate it.
• Now run procexp.exe by double clicking on it.
• Let's configure some options first:
  • Click View and select Show Lower Pane. And where it says
    "Lower Pane View" make sure DLL's is checked.
  • Now click on explorer.exe.
  • Now also under the View menu choose "Select columns" and put a check mark on
    "Image Path".
• Now click on File and then Save As. And save the process
  list.
• Post it back here as an attachment.

 

You need to emphasize to her that she must not be using this PC and it must not be shutdown; otherwise, you may as well just take it in to have it formatted and reinstalled since we cannot help you if our instructions are not followed.


Click start > run > type in cmd > and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>

process -k VRT1B.tmp
process -k VRT1D.tmp
process -k gmcukn7t.exe
process -k mjhuxg6x.exe
process -k 1wtj3j8l.exe
process -k VRT6.tmp

Note there is a space before and after the -k in the above commands.

After doing the above, just close the command prompt window.



Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\TEMP
C:\Documents and Settings\NetworkService\Local Settings\Temp


Now run procexp.exe by double clicking on it.

Let's configure some options first:

• Click View and select Show Lower Pane. And where it says
  "Lower Pane View" make sure DLL's is checked.
• Now click on explorer.exe.
• Now also under the View menu choose "Select columns" and put a check mark on
  "Image Path".

Now click on File and then Save As. And save the process
list. Post it back here as an attachment.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )



Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now! Do not allow this PC to be shutdown.

 

Run ProcessExplorer right now and find the below processes:

Code:

 
00211ea1.exe 1504    C:\WINDOWS\system32\00211ea1.exe
001d0e0e.exe 1512    C:\WINDOWS\system32\001d0e0e.exe
0021f7ca.exe 1520    C:\WINDOWS\system32\0021f7ca.exe

Then right click on each of them and any similar one and select Kill Process. Then locate the files with Windows Explorer and delete the files.

Then try running Malwarebytes and also rerun C:\MGtools\GetLogs.bat
Then attach the new MGlogs.zip file and a log from Malwarebytes if it runs.

Did you ever get SUPERAntiSpyware to at least install?

 

Also do the below after completing the instructions in my previous message. The below will cause a reboot to occur when running Avenger. This reboot is okay but do not reboot or shutdown after attaching logs.

• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

• Now go to TDSSKiller and Download TDSSKiller.zip to your Desktop
• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

• Follow the instructions to type in "delete" when it asks you what to do when if finds something.
• When done, a log file should be created on your C: drive called "TDSSKiller.txt" please attach this log to your next reply.

Now run procexp.exe by double clicking on it.


Let's configure some options first:

• Click View and select Show Lower Pane. And where it says
  "Lower Pane View" make sure DLL's is checked.
• Now click on explorer.exe.
• Now also under the View menu choose "Select columns" and put a check mark on
  "Image Path".

Now click on File and then Save As. And save the process
list. Post it back here as an attachment.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



Then attach the below logs:

• C:\avenger.txt
• the log from TDSSkiller
• the new log from ProcessExplorer
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Security Tool is the malware and needs to be shutdown and deleted. See if you can run ProcessExplorer or TaskManager or process.exe and kill the process. Then see what steps you can run.

 

Okay the last log from ProcessExplorer showed the below running

Code:

0002bfd0.exe 1192    C:\WINDOWS\system32\0002bfd0.exe
00020b7d.exe 1208    C:\WINDOWS\system32\00020b7d.exe
00029ed1.exe 1272    C:\WINDOWS\system32\00029ed1.exe
0002a0f1.exe 1404    C:\WINDOWS\system32\0002a0f1.exe
00027e9f.exe 468    C:\WINDOWS\system32\00027e9f.exe

Use Process Explorer to Kill these processes and any similar ones. Also look for any like you killed last time ( gmcukn7t.exe, mjhuxg6x.exe, 1wtj3j8l.exe ) and kill them if found. Then exit Process Explorer.

Then Click start > run > type in cmd > and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational. Read all of it first so as that you know what is expected.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>

process -k explorer.exe <-- this will cause all off your Desktop to disappear so don't be alarmed.

GetRunKey.bat <-- This is different than last time. If it does not then tell us what happens.

ShowNew.bat <-- If it does run properly, then tell us what happens.


explorer.exe <-- this should restore your Desktop. If it does not, you will have to reboot using Task Manager.


Also run this Using ESET's Online Scanner and attach the requested log afterwards.

 

Ah hah! ESET is showing what I was starting to suspect. And that is a Virut infection. You are probably going to have to reinstall since there is no reliable and secure fix for Virut. Let's check something. Open a command prompt Window and enter the below commands

dir c:\windows\explorer.exe > c:\file1.txt
dir c:\windows\system32\userinit.exe > c:\file2.txt

Now attach the c:\file1.txt and c:\file2.txt logs that should have been created.

 

Sorry to give you the bad news but you will have to do a total clean reinstall based on what Eset was pointing out. It has probably just spread too much now for your these other programs like ProcessExplore and command prompt to work. They are probably infected now.

Your log showed that your Windows Operating system files have become infected by a Virut infection and there is no known reliable fix for this. In addition there are many many other infected files. We could spend a lot of time trying to remove this infection, but odds are that it will not work because the nature of the infection has so many executable system files infected that as soon as we fix one file, other files that are infected will almost immediately or upon the next reboot, just reinfect the files. In addition, your PC would still basically be unreliable/untrustworthy even if we manage to fix the infected files that we can see since there could be many more that we are not seeing.

The safest thing for you to do is backup your personal data immediately since your PC could possibly become unbootable at any point in time. Do not back up any executable files. This includes programs that you have downloaded since any of them could be infected. Anything you may have already backed up that is an executable type file (things you downloaded to install programs....etc) are most likely infected and will cause you to be reinfected if you reuse these files.

Once you backup, you need to format partitions and reinstall Windows and all other software especially your protection software. Then install all updates for all software. DO NOT reinstall from any executable file backups you made while this PC was infected or you will just be reinstalling the infection.