Malware or Virus remnants still lingering

[bhardin1]

Please forgive me if any of this is redundant, I simply am trying to give as detailed of an account as I can.

I recently removed a fake trojan "virus" from my PC, it had a window poped up that stated I was infected, via research I discovered that upon clicking it it would scan and present 35 different locations to download a "fix". I got rid of it before that happened, however, there seems to be some nasty side effects still lingering.

For a while yesterday I was not able to log onto IE, FireFox, or Google Chrome. I then started looking around the settings and disovered that the "use proxy setting" was ticked, I unticked it and was then able to get back to surfing the internet.

Okay, that's the backstory, now the main issue:

When I try to run Malwarebytes' Anti-Malware I get: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access them.

When I try to run SUPERAntiSpy, I get the same error message.

When I try to run HijackThis, I get the same error message.

When I boot up in safe mode, it's the same message.

Earlier in the day I was able to get MalwareBytes to run but it would scan for about 3 seconds then close.

I use Trend Micro's AntiVirus plus AntiSpyware for daily use, but yesterday it seemed to be trying to do mutilple updates at random times during any give hour. Usually it only checks for updates about once a day. Trying to scan with it shows the time that has elapsed, but it has no current target, which tells me it's not working either. Today it won't even open.

Twice yesterday the computer itself crashed to the Blue Screen of Death with a memory dump.

Sometimes in the middle of browsing with IE, IE will simply stop responding.

After following your steps as listed I am still in need of some help.

As best to me knowledge I am running only 1 Anti-virus: Trend Micro's AntiVirus plus Antispyware. I have only 1 firewall. I did the House Cleaning.

I tried to update Java to the latest (Java 6 update 22) but first had to delete an older version, Java 6 update 14. It would not let me. When I went in via Add/Remove programs the update/remove button is not there. I can go into CCleaner and click Uninstall but it tells me Error: 5 - Access is denied.

I've even looked into the registry for it and it's simply not there. I was looking in:
Hkey_local_machine/Software/Microsoft/Windows/CurrentVersion/uninstall

Currently I cannot get my Trend Micro to even open, but yesterday I was able to delete all but 5 files from quarantine. I apologize but I do not recall which specific 5 files those were.

Recycle Bin is empty. Norton Recycle Bin protection does not apply here.

CCleaner ran and did it's cleaning.

I am running Windows XP Media Center Edition with SP3.

I did not find any Malware via Add/Remove programs.

Disabled Disk Emulation via defogger.

I am unable to disable spybot's TeaTimer because when I try to open Spybot it tells me:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

I've downloaded all the programs requested, however, most of the antispyware ones (which I tried to run prior to finding your website) would give me the "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item" error message, which tells me it's not a permission issue, but rather something else preventing me from running it.

Attached is the MGlogs.zip as requested.

[chaslang]

Welcome to Major Geeks!


I'm looking thru your logs now, but I have a question or two first.

1. Whose instructions were you following when you ran Avenger? You should not use fixes given to another person.
2. Who asked you to run TDSSKiller and since you ran it many times, why didn't you allow it to fix the suspicious drivers? They are malware.
3. Is there a reason you did not mention running ComboFix?

[chaslang]

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Quote:

Drivers to delete:
asyncm2k
cxfsxww32
vbma4748
ibfymgn
gkawqxm
DFBCFDBA

Files to delete:
C:\WINDOWS\system32\drivers\ibfymgn.sys
C:\WINDOWS\system32\drivers\vbma4748.sys
c:\windows\system32\drivers\gkawqxm.sys
c:\windows\system32\drivers\asyncm2k.sys
c:\windows\system32\drivers\cxfsxww32.sys
c:\windows\Uzexec.exe
c:\windows\Uzexeb.exe
c:\windows\Uzexea.exe
C:\WINDOWS\Akafe.dat
c:\windows\Etenakuqejakoku.bin
c:\docume~1\hardin\applic~1\dsfsds.bat
c:\windows\system32\autofmt4.dll
C:\WINDOWS\upoxiqex.dll
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\BackgroundDownloader.job
C:\WINDOWS\Tasks\vpqmdcpv.job
C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
C:\WINDOWS\system32\234.js
C:\Documents and Settings\Hardin\Desktop\snerf.exe
C:\Documents and Settings\Hardin\Desktop\wowqsysguard.exe

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run | Pforacuqepico

• Now click the Execute button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• C:\avenger.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

[bhardin1]

Chaslang, thank you for the reply.

To answer your questions first:

1. Unknown to me, my wife decided to get a friend over here yesterday. Evidently he ran Avenger and TDSSKiller. I spoke with him a few moments ago and asked what kind of progress he made. He said in reference to TDSkiller that it found 4 things total, two were malicious (so they were killed) and two things were suspecious (he did not recognize them so he left them alone).
2. As for ComboFix I ran that, it just did nothing, it kept telling me "access is denied." over and over. It just looked to me that it did not work, and to be perfectly honest I just didn't think about it after that.

I ran Avenger as you instructed, it rebooted on it's own.
I then ran the C:\MGtools\GetLogs.bat.

Attached are the logs for each.

After that was done I had to redownload and reinstall a couple of programs, Mainly the Malwarebytes Anti-Malware. It seems to be working fine. I ran a quick scan and it showed 1 infection: Trojan.Hiloti I removed selected which it was wable to quarantine and delted successfully.

[bhardin1]

I'm not sure if this is a further indication of more issues but when trying to reinstall my Trend Micro AntiVirus I get the following message:

The installer has insufficient privileges to modify this file: C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe.

I can then Abort, Retry, or Ignore.

[chaslang]

Quote:

Originally Posted by bhardin1

I ran Avenger as you instructed, it rebooted on it's own.
I then ran the C:\MGtools\GetLogs.bat.

Attached are the logs for each.

You forgot to actually attach them.

Quote:

Originally Posted by bhardin1

After that was done I had to redownload and reinstall a couple of programs,

You are not supposed to be doing anything unless we ask you to until we are finished. This includes trying to reinstall Trend Micro. The very first section of the READ & RUN ME had the below in it

Quote:

• Once you start this cleaning process to remove your malware please do not do anything to your PC except what is requested in this procedure. Do not install anything on your own and do not run other scans.

[bhardin1]

My most sincere apologies, I'm not sure why it didn't attach the 1st time.

I also apologize for misreading, when you requested for me to make sure how things are working now, I read more into it (those programs that were not working, can you get them working now?).

From this point forward, it'll be hands off until you tell me to.

you tell me to jump, I'll ask how high.

Again I apologize.

[chaslang]

Okay that looks much better. Now just as a precaution, let's run TDSSkiller again to make sure it comes up clean.


Download TDSSKiller from Kaspersky to your directly onto your Desktop

• Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrartor. )
• Allow the application to run if prompted by Windows or any security programs you have installed
• It will start the scan and run rather quickly and will notify you of whether anything is found or not.
• Follow the instructions to delete/quarantine if asks you what to do when if finds something.
• Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

[chaslang]

Almost forgot, I wanted you to run the instructions in the below link too:

Resetting Registry and File Permissions

[bhardin1]

As per your request, attached is the TDS log. (It found nothing by the way).

I also ran the instructions for Resetting Registry and File Permissions, and rebooted as it instructed.

I can tell you for certain the PC boots up a good bit faster now too.

[chaslang]

Okay the TDSSkiller log was clean which is what I as suspecting after the manual removal.

Are you having any more malware problems? If not then move on to the below.




If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

[bhardin1]

I followed your steps 1 to 9; and all the sub-steps they took me to do.

Clean Restore point has been established.

I certainly don't mind keeping (and paying for) Malwarebyte's Anti-Malware as well as SuperAntispyware as you mention in step 1.

I worked through the 'How to protect yourself from Malware!' and have just a couple of questions:

Step 2 is in regards to my Anti-Virus. I've purchased a copy of Trend Micro's AntiVirus + AntiSpyware (have actually been running it for about 7 months). Would this be the time to reinstall it or is it not recomended because it has the AntiSpyware built in?

Step 3 is kindav tied in with Step 2, the Trend Micro has a built in firewall (I don't know how good it is seeing as I have recently had all these problems though), Should I keep the Trend Micro is it not sufficient?

Aside from that everything seems to be running smooth.

[chaslang]

Quote:

Originally Posted by bhardin1

I certainly don't mind keeping (and paying for) Malwarebyte's Anti-Malware as well as SuperAntispyware as you mention in step 1.

If you have antispyware protection with your AV, you don't need to purchase these. You can just use the free scan only versions for additional scanning. They frequently find things that others miss. However I only saw Trend Antivirus in your logs and nothing else. Are you sure you have their antispyware? Normally we would see something like tmas.exe ( see: http://www.liutilities.com/products/wintaskspro/processlibrary/tmas/ ) or similar.

Quote:

Originally Posted by bhardin1

Step 2 is in regards to my Anti-Virus. I've purchased a copy of Trend Micro's AntiVirus + AntiSpyware (have actually been running it for about 7 months). Would this be the time to reinstall it or is it not recomended because it has the AntiSpyware built in?

It is fine as long as it is not causing you any problems.

Quote:

Originally Posted by bhardin1

Step 3 is kindav tied in with Step 2, the Trend Micro has a built in firewall (I don't know how good it is seeing as I have recently had all these problems though), Should I keep the Trend Micro is it not sufficient?

You said you have the Antivirus + AntiSpyware, you did not say you had their security suite. Are you sure it includes a firewall? And as stated above, are you sure it include the antispyware progam as it does not look like it.

You need to remember that no solution these days is absolutely perfect and that the problems/and prevention of problems begins and ends with you or other people using the PC.