Malware or Virus remnants still lingering

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bhardin1, Oct 14, 2010.

  1. bhardin1

    bhardin1 Private E-2

    Please forgive me if any of this is redundant, I simply am trying to give as detailed of an account as I can.

I recently removed a fake trojan "virus" from my PC. It had a window popped up that stated I was infected; via research I discovered that upon clicking it, it would scan and present 35 different locations to download a "fix". I got rid of it before that happened, however, there seems to be some nasty side effects still lingering.

For a while yesterday I was not able to log onto IE, FireFox, or Google Chrome. I then started looking around the settings and discovered that the "use proxy setting" was ticked; I unticked it and was then able to get back to surfing the internet.

    Okay, that's the backstory, now the main issue:

    When I try to run Malwarebytes' Anti-Malware I get: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access them.

    When I try to run SUPERAntiSpy, I get the same error message.

    When I try to run HijackThis, I get the same error message.

    When I boot up in safe mode, it's the same message.

    Earlier in the day I was able to get MalwareBytes to run but it would scan for about 3 seconds then close.

I use Trend Micro's AntiVirus plus AntiSpyware for daily use, but yesterday it seemed to be trying to do multiple updates at random times during any given hour. Usually it only checks for updates about once a day. Trying to scan with it shows the time that has elapsed, but it has no current target, which tells me it's not working either. Today it won't even open.

    Twice yesterday the computer itself crashed to the Blue Screen of Death with a memory dump.

    Sometimes in the middle of browsing with IE, IE will simply stop responding.

    After following your steps as listed I am still in need of some help.

As best to my knowledge I am running only 1 Anti-virus: Trend Micro's AntiVirus plus Antispyware. I have only 1 firewall. I did the House Cleaning.

    I tried to update Java to the latest (Java 6 update 22) but first had to delete an older version, Java 6 update 14. It would not let me. When I went in via Add/Remove programs the update/remove button is not there. I can go into CCleaner and click Uninstall but it tells me Error: 5 - Access is denied.

    I've even looked into the registry for it and it's simply not there. I was looking in:
    Hkey_local_machine/Software/Microsoft/Windows/CurrentVersion/uninstall

    Currently I cannot get my Trend Micro to even open, but yesterday I was able to delete all but 5 files from quarantine. I apologize but I do not recall which specific 5 files those were.

    Recycle Bin is empty. Norton Recycle Bin protection does not apply here.

CCleaner ran and did its cleaning.

    I am running Windows XP Media Center Edition with SP3.

    I did not find any Malware via Add/Remove programs.

    Disabled Disk Emulation via defogger.

    I am unable to disable spybot's TeaTimer because when I try to open Spybot it tells me:
    Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

    I've downloaded all the programs requested, however, most of the antispyware ones (which I tried to run prior to finding your website) would give me the "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item" error message, which tells me it's not a permission issue, but rather something else preventing me from running it.

    Attached is the MGlogs.zip as requested.
     

    Attached Files:
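The "use proxy setting" that the poster found ticked is one of the common side effects of rogue "fake antivirus" programs: the browser is pointed at a proxy that no longer exists, so nothing loads. The following PowerShell script is an added example (not part of this thread or the MajorGeeks procedure) that reports the per-user WinINet proxy values and the system-wide WinHTTP proxy so they can be reviewed before the machine is assumed clean. It only reads and reports; it changes nothing.

```powershell
# Added example (not from the thread): audit the proxy settings that a rogue
# "fake antivirus" can set to cut the browser off from the web.
# Per-user WinINet settings live under this key; these value names are the
# documented ones used by Internet Explorer / Control Panel "Internet Options".
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key

$findings = @()

# ProxyEnable = 1 is the "Use a proxy server" tick box in the post above.
if ($settings.ProxyEnable -eq 1) {
    $findings += "ProxyEnable is set; ProxyServer = '$($settings.ProxyServer)'"
}

# AutoConfigURL is the "Use automatic configuration script" (PAC) setting;
# a rogue PAC file can silently redirect or block traffic even when
# ProxyEnable is 0, so report it separately.
if ($settings.AutoConfigURL) {
    $findings += "AutoConfigURL points to '$($settings.AutoConfigURL)'"
}

# The system-wide WinHTTP proxy (used by services such as Windows Update and
# some AV updaters) is separate from the per-user WinINet one. On a machine
# with no proxy, netsh prints "Direct access (no proxy server)."
$winhttpText = (netsh winhttp show proxy) -join ' '
if ($winhttpText -notmatch 'Direct access') {
    $findings += "WinHTTP proxy is configured: $winhttpText"
}

if ($findings.Count -eq 0) {
    'No proxy configuration found for this user or for WinHTTP.'
} else {
    'Review these before assuming the machine is clean:'
    $findings | ForEach-Object { " - $_" }
}
```

Run it in a PowerShell window as the user whose browser was affected, because the WinINet values are per user. Anything reported that you did not configure yourself (a corporate proxy, a PAC file handed out by your network admin) is worth mentioning to the helper in your next reply rather than just unticking it, since the entry that set it is what the cleanup is after.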

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    I'm looking thru your logs now, but I have a question or two first.
    1. Whose instructions were you following when you ran Avenger? You should not use fixes given to another person.
    2. Who asked you to run TDSSKiller and since you ran it many times, why didn't you allow it to fix the suspicious drivers? They are malware.
    3. Is there a reason you did not mention running ComboFix?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. bhardin1

    bhardin1 Private E-2

    Chaslang, thank you for the reply.

    To answer your questions first:

1. Unknown to me, my wife decided to get a friend over here yesterday. Evidently he ran Avenger and TDSSKiller. I spoke with him a few moments ago and asked what kind of progress he made. He said in reference to TDSSKiller that it found 4 things total, two were malicious (so they were killed) and two things were suspicious (he did not recognize them so he left them alone).
    2. As for ComboFix I ran that, it just did nothing, it kept telling me "access is denied." over and over. It just looked to me that it did not work, and to be perfectly honest I just didn't think about it after that.

I ran Avenger as you instructed; it rebooted on its own.
    I then ran the C:\MGtools\GetLogs.bat.

    Attached are the logs for each.

After that was done I had to redownload and reinstall a couple of programs, mainly the Malwarebytes Anti-Malware. It seems to be working fine. I ran a quick scan and it showed 1 infection: Trojan.Hiloti. I removed selected, which it was able to quarantine and delete successfully.
     
  5. bhardin1

    bhardin1 Private E-2

    I'm not sure if this is a further indication of more issues but when trying to reinstall my Trend Micro AntiVirus I get the following message:

    The installer has insufficient privileges to modify this file: C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe.

    I can then Abort, Retry, or Ignore.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to actually attach them.


    You are not supposed to be doing anything unless we ask you to until we are finished. This includes trying to reinstall Trend Micro. The very first section of the READ & RUN ME had the below in it
     
  7. bhardin1

    bhardin1 Private E-2

    My most sincere apologies, I'm not sure why it didn't attach the 1st time.

    I also apologize for misreading, when you requested for me to make sure how things are working now, I read more into it (those programs that were not working, can you get them working now?).

    From this point forward, it'll be hands off until you tell me to.

You tell me to jump, I'll ask how high.

    Again I apologize.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that looks much better. Now just as a precaution, let's run TDSSkiller again to make sure it comes up clean.


Download TDSSKiller from Kaspersky directly onto your Desktop
• Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator. )
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
• Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  10. bhardin1

    bhardin1 Private E-2

    As per your request, attached is the TDS log. (It found nothing by the way).

    I also ran the instructions for Resetting Registry and File Permissions, and rebooted as it instructed.

    I can tell you for certain the PC boots up a good bit faster now too.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay, the TDSSkiller log was clean, which is what I was suspecting after the manual removal.

    Are you having any more malware problems? If not then move on to the below.




    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
• Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  12. bhardin1

    bhardin1 Private E-2

    I followed your steps 1 to 9; and all the sub-steps they took me to do.

    Clean Restore point has been established.

    I certainly don't mind keeping (and paying for) Malwarebyte's Anti-Malware as well as SuperAntispyware as you mention in step 1.

    I worked through the 'How to protect yourself from Malware!' and have just a couple of questions:

Step 2 is in regards to my Anti-Virus. I've purchased a copy of Trend Micro's AntiVirus + AntiSpyware (have actually been running it for about 7 months). Would this be the time to reinstall it or is it not recommended because it has the AntiSpyware built in?

Step 3 is kind of tied in with Step 2. The Trend Micro has a built in firewall (I don't know how good it is seeing as I have recently had all these problems though). Should I keep the Trend Micro, or is it not sufficient?

    Aside from that everything seems to be running smooth.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have antispyware protection with your AV, you don't need to purchase these. You can just use the free scan only versions for additional scanning. They frequently find things that others miss. However I only saw Trend Antivirus in your logs and nothing else. Are you sure you have their antispyware? Normally we would see something like tmas.exe ( see: http://www.liutilities.com/products/wintaskspro/processlibrary/tmas/ ) or similar.

    It is fine as long as it is not causing you any problems.

You said you have the Antivirus + AntiSpyware, you did not say you had their security suite. Are you sure it includes a firewall? And as stated above, are you sure it includes the antispyware program, as it does not look like it.

You need to remember that no solution these days is absolutely perfect and that the problems, and the prevention of problems, begin and end with you or other people using the PC. ;)
     
