Trojans/malware blocking virtually every malware remover tool

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by badlydrawngirl, Apr 3, 2010.

  1. badlydrawngirl

    badlydrawngirl Private E-2

    Ran a PC Pitstop scan last week as my PC is becoming increasingly slow (particularly when it comes to opening web pages). The scan showed that the PC is infected with Kollah, Trymedia as well as various others. Started searching for solutions on the web, and subsequently installed Malwarebytes, HijackThis, SuperAntiSpyware, etc. (already had Spybot S&D). Malwarebytes and HijackThis would install but refuse to run. I found this forum, and followed the READ AND RUN ME FIRST Malware removal guide - to the letter.
    Superantispyware scanned ok, but didn't find anything.
    Malwarebytes won't run.
    ComboFix gets to stage three and then I get the BSOD and have to crash and restart.
    Rootrepeal and MGtools seemed to work ok and generated reports, although I am unable to find a zip file containing a log in the MGtools folder on the c drive.
    Incidentally, Spybot S&D and Adaware both don't find anything more sinister than a few tracking cookies.

    I'm losing the plot now!

    I have attached logs as instructed. Would really appreciate any help that you can give me!

    Thanks
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    It is not in the MGtools folder. See the instructions which said it would be in the root folder of your Windows boot drive. i.e., C:\MGlogs.zip

    We need this log to even begin.

    Why are you attaching instructions for using SDfix?
     
  3. badlydrawngirl

    badlydrawngirl Private E-2

    Sorry, have located MGlog and attached it.
    I uploaded SDlog by mistake, I was pretty brain fried by the time I got to posting my topic. Apologies again!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you forget to accept the license agreement for TrendMicro HijackThis when you ran MGtools? The log is missing from MGlogs.zip.

    There are no problems showing in any of your logs. I suggest that you shutdown the below programs and see if you can run ComboFix. Also see if you still have any problems accessing websites when these programs are not running:

    Ad-Aware
    AVG Free 9.0
    IObit Security 360
    ZoneAlarm Spy Blocker
    ZoneAlarm

    Also you need to stop using Glary Utilities to control startups as specified in step 4 of the READ & RUN ME. It is making all of the entries in the MSconfig registry keys look like orphans, and this registry key should be used only by Microsoft's MSconfig program. It should not be used by other programs.


    Now all the above being said, I still want to clean up a few things seen in your logs. One is a leftover driver from Sunbelt AntiVirus which is not installed and should not be here.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Apr 4, 2010
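    The point above about Glary Utilities writing into the MSconfig registry keys is easier to see with a read-only listing of both the live Run keys and the keys MSconfig uses to park disabled entries. The script below is an added example written for this thread, not a tool from MajorGeeks or any of the programs mentioned; it assumes the XP/Vista/7 layout of the `HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg` and `startupfolder` keys and the `command`/`key` values MSconfig writes under each parked item. It changes nothing on the machine.

```powershell
# Added example (not from the thread): survey autostart entries so that items a
# third-party startup manager parked in the MSconfig keys can be told apart from
# entries that are actually live. Read-only.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Keys MSconfig uses for entries the user unticked (assumed XP/Vista/7 layout).
$msconfigKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder'
)

function Get-ActiveAutostart {
    # One object per value in the live Run/RunOnce keys.
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-ParkedAutostart {
    # One object per subkey under the MSconfig parking keys. Each subkey holds the
    # original command line and (for registry items) the key it was removed from.
    foreach ($key in $msconfigKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        Get-ChildItem -Path $key | ForEach-Object {
            $item = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Source      = $key
                Name        = $_.PSChildName
                Command     = $item.command
                OriginalKey = $item.key
            }
        }
    }
}

Write-Host '=== Live autostart entries ==='
Get-ActiveAutostart | Format-Table -AutoSize
Write-Host '=== Entries parked in the MSconfig keys ==='
Get-ParkedAutostart | Format-Table -AutoSize
```

Anything that appears only in the second table was removed from its real Run key by whichever program last used the MSconfig keys; that is why log tools report those entries as orphans. Entries parked by a third-party utility should be restored or deleted with that utility (or MSconfig itself), not by hand-editing these keys.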
  5. badlydrawngirl

    badlydrawngirl Private E-2

    I don't think I forgot to accept the licence agreement when I installed HJT as it did run ok when I installed it. I didn't do more than open it though, as I wanted to make sure I used it properly when I did.
    I disabled the programs you suggested and tried to run Combofix again, but the same thing happened and a BSOD appeared again after step 2.

    Installed and ran Avenger and have attached log file. Also disabled Messenger (incidentally, I installed the exe but it wouldn't run from my desktop so I went to the developer's website and disabled it manually using the run utility).
    Ran Ccleaner as instructed and then generated the MGlog which I have also attached.
    Web pages are still painfully slow to load, I usually have to refresh the page multiple times in order for it to display. I am also still unable to run Malwarebytes or HJT.

    Many thanks.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But did you check how your PC performance and browsing is working with ALL of these shut down? That was the second part of the test. You don't appear to be having malware problems.

    What happens if you go to C:\MGtools, locate analyse.exe, right click on it and select Open?

    According to the logs you attached, it is still running.
     
    Last edited: Apr 6, 2010
  7. badlydrawngirl

    badlydrawngirl Private E-2

    When I disable the programs listed, there is no noticeable change in the opening of web pages. I still have to refresh numerous times to get them to display, and simple tasks like clicking on 'My Computer' to access C drive takes a while for the window to display properly.

    I tried running HijackThis using the Analyse.exe method, but it was non responsive too.

    Not sure what happened with Messenger, the tray icon has not appeared when I have booted up since, so I assumed it had worked.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But did the program open? Or did nothing happen at all?

    We have been working on the Melanie user account. You have quite a few other user accounts. Several others (listed below with a Yes) are admin accounts.
    • Yes | Manager
    • Yes | Rikky
    • Yes | Test
    Please try using each of these other admin accounts and see if there is any difference in performance.
     
  9. badlydrawngirl

    badlydrawngirl Private E-2

    Nothing happened at all. The same applies to malwarebytes.
    Funnily enough I set up the 'Test' user account a few days ago for the sole purpose of getting the programs mentioned to run, but to no avail. Have also tried the Rikky account but still no luck.

    I hope I haven't broken the rules of the forum, but I have uploaded a screen shot of the test results that indicate the presence of a high security risk, and the location of one of the files. I thought that this may be of interest to you?

    The general functioning of the PC isn't too compromised - games such as Sims 3 and Football Manager run ok, and we don't suffer with any pop ups or suchlike, my main concern is that there may be a virus lurking which may be operating in the background sharing personal info etc.

    I really appreciate you giving up your time to look into my concerns. Thank you.
     

    Attached Files:

  10. badlydrawngirl

    badlydrawngirl Private E-2

    ps...I don't know how to access the 'Manager' account? It doesn't appear on the startup screen?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually it is of no use for two reasons.
    1. Really cannot clearly read what it is saying since your snapshot was of too large an area, making the text illegible.
    2. Names of infections are almost of no use to us whatsoever since names are meaningless inventions. We need to know exactly where the supposed problems are being detected. Like what files in what folders. Or what registry keys. For all we know the detections are false or they are only detecting things already quarantined or in system restore folder which is likely the case since all of your logs are clean. Attach a real log that shows exactly where and what is being found ( if it is still being found ) and then I can comment further.
    Thus far, it does not look like it, but please do the below anyway.



    Please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r



    Now download Junction.zip to your Windows folder
    • Please download Junction.zip and save it to your Windows folder (i.e., C:\Windows\Junction.zip. This assumes C:\ is your Windows boot drive.)
    • Now unzip it and put junction.exe into the Windows folder (i.e., C:\Windows\junction.exe)
    • Do not try to run it right now. We will run something that uses it later.

    Now we need to reset the permissions potentially altered by any previous malware that may have existed.
    • Download and save Inherit.exe to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window opens and also a license agreement from SysInternals will appear for Junction.
    • Accept the license agreement and the scan will begin.
    • Wait until it finishes. It can take a while to run since it scans your whole hard disk. Be patient and don't do anything else while it is scanning.
    • The command prompt window should close when it finishes.
    • While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.
    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • the log from Win32Kdiag
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
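    The FixPerm step above resets file permissions and uses Sysinternals Junction to deal with reparse points. Before running anything that rewrites ACLs across a whole drive, it helps to see what such a pass would touch. The script below is an added example written for this thread, not FixPerm.bat or any MajorGeeks tool; it walks a folder tree and reports reparse points (junctions and symbolic links) and files or folders whose ACL no longer inherits from the parent. The default root of `$env:SystemDrive\` is an assumption. It only reads; nothing is changed.

```powershell
# Added example (not the thread's FixPerm.bat): read-only survey of reparse points
# and of objects whose ACL has inheritance switched off.
param([string]$Root = "$env:SystemDrive\")   # assumption: scan the boot drive by default

function Get-PermissionSurvey {
    param([string]$Path)

    # -Force includes hidden/system objects; unreadable folders are skipped silently.
    $entries = Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    foreach ($e in $entries) {
        $isReparse = ($e.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0

        $acl = $null
        try { $acl = Get-Acl -LiteralPath $e.FullName -ErrorAction Stop } catch { }
        # AreAccessRulesProtected is true when inheritance from the parent is disabled.
        $inheritanceOff = if ($acl) { $acl.AreAccessRulesProtected } else { $null }

        if ($isReparse -or $inheritanceOff -or -not $acl) {
            [pscustomobject]@{
                Path           = $e.FullName
                IsDirectory    = $e.PSIsContainer
                ReparsePoint   = $isReparse
                InheritanceOff = $inheritanceOff
                AclReadable    = [bool]$acl
                Owner          = if ($acl) { $acl.Owner } else { '' }
            }
        }

        # Recurse into real directories only. Junctions are reported but never
        # followed, so a junction that points back up the tree cannot loop the walk.
        if ($e.PSIsContainer -and -not $isReparse) {
            Get-PermissionSurvey -Path $e.FullName
        }
    }
}

$report = "$env:USERPROFILE\Desktop\permission-survey.csv"   # assumed output location
Get-PermissionSurvey -Path $Root | Export-Csv -LiteralPath $report -NoTypeInformation
Write-Host "Survey written to $report"
```

Run it from an elevated PowerShell prompt so that system folders can be read. Expect many legitimate hits: Windows itself turns inheritance off on folders such as the Windows and Program Files trees and creates junctions such as "Documents and Settings" on Vista and later. The useful signal is an unexpected owner, a junction in a user-writable location, or inheritance switched off on an ordinary data folder; compare against a known-good machine of the same Windows version rather than resetting everything that appears in the list.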
