Your worst case ever! WinAvPro & WinAvPolice

Discussion in 'Malware Help (A Specialist Will Reply)' started by GeekBen, Sep 23, 2009.

  1. GeekBen

    GeekBen Private E-2

    Hello all, this is my first time here and my first time posting an insane and nasty virus/malware situation.

    Per your request: "Clearly describe in detail the problems you are having and how long ago they started. Think about what you were doing at the time."

    So here you go:
    My friend's brand new Samsung netbook got infected with Microsoft Antivirus Pro malware about 4 weeks ago. McAfee was installed but it was expired (so I uninstalled it). I had a hard time dealing with this malware stuff since it was my first time dealing with it. Finally I found Malwarebytes software; I installed it and ran it, "problem solved". I also installed CCleaner, Spy Bot Search & Destroy, and AVG Free 8.5 on my friend's computer. I told her the virus was gone and end of the story.

    A week ago the virus returned. This time its name was Microsoft Police Pro. Same annoying pop ups, "security alerts" messages, etc., same behavior, but this time it seems really powerful. I was unable to open Control Panel, it showed a bunch of little '.dll' files not found after booting up the computer, and I was unable to open any .exe file (except browsers: Internet Explorer and Firefox). I tried Malwarebytes immediately after killing the respective processes in the Task Manager, but Malwarebytes didn't start up. I uninstalled it and reinstalled it again. This time it opened up, I clicked on 'Quick Scan', the process quit after 3 seconds, then nothing happened. Now the .exe path to this file seems to be lost or broken. I cannot open Malwarebytes anymore.

    I tried Spyhunter, pretty much the same thing happened as described above with Malwarebytes, but this time at least the pop up windows were stopped, and I was able to open Control Panel, and other .exe files.

    I ran AVG, found several trojans, but it does not remove or heal the threats found.

    In desperation, I went ahead and followed your instructions per the "READ & RUN ME FIRST. Malware Removal Guide." thread (I did follow them religiously) and this is what I have (a nightmare):

    1. I was unable to empty AVG's quarantine folder. It shows a message saying that it could not be opened and that the window needs to be closed. After clicking 'OK', AVG gets closed.

    2. I am unable to boot into safe mode

    3. As I mentioned, Malwarebytes was not working so I uninstalled it. I also had Spy Bot installed, it was not doing anything either after trying to open it, so I uninstalled it too.

    4. I needed to rename the SuperAntiSpyware .exe file. (to SAS.exe). It was not doing anything either. After renaming the file, the installation was successful. The SuperAntiSpyware icon now is on the desktop. I double clicked it, nothing happens. I renamed it, nothing happens. I tried to run it from Start/All Programs/SuperAntiSpyware, nothing happens. So, NO LOG FILE TO ATTACH.

    5. I installed Malwarebytes again and the same scenario again. Quick Scan quits after 3 seconds. nothing happens, and I cannot open Malwarebytes anymore. The .exe path to this file seems to be lost or broken. So, NO LOG FILE TO ATTACH.

    6. I needed to rename ComboFix file. After renaming the file it started up. Then it shows a message saying that it detected a "rootkit" thing and it needs to be restarted. After rebooting the computer, a command prompt window pops up quickly saying that 'GREP' is not recognized as an internal or external command. That's it. Nothing happens after the command prompt window gets closed. If I run the ComboFix again, it repeats the same procedure. So, NO LOG FILE TO ATTACH.

    7. MGTools. After opening the file (from C:\) a command prompt window pops up very fast (I can't read what it says). Then a bunch of icons and files are added into the MGTools folder, then nothing happens. If I open MGTools again, the same thing happens over and over. So, NO LOG FILE TO ATTACH.


    Is there any hope for my friend's computer?
    I was considering reinstalling Windows XP, but I read an article yesterday (researching about this malware stuff) that said that even after reinstalling Windows XP, the virus/malware may still be there, and/or it can come back because it has so many variants.

    I would really appreciate any help.

    Thanks in advance.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Let's see if we can get some info so that we can determine which system file has been corrupted. That way we can try to replace it.

    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create, as long as the malware does not block the batch file from running.


    Now download and Run exeHelper
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.


    You did not mention whether you had tried to run RootRepeal as requested. Did it also fail to run?
     
    Last edited: Sep 28, 2009
  3. GeekBen

    GeekBen Private E-2

    First, I wanted to say that I don't know how you guys do all this in regards to availability of time, thank you very much for your response and help.

    And second, here is what you have requested.

    In regards to RootRepeal I guess I missed it during the process, so it was the first thing I ran. I attached the RootRepeal log too. (It is giving me a bandwidth error when trying to read the running instructions in the forum, so I hope the attached report helps)

    In regards to the online scan, I was using Firefox but it was killed after trying to browse the superantispyware web page, so I tried Internet Explorer and I was able to run the scan. The following is what it found and removed:

    Trojan.Agent/Gen-FakeScan[ASC] (4)
    Rogue.XP AntiSpyware2009-Trace (1)
    Rogue.XP AntiSpyware2009 (1)
    Rootkit.Agent/Gen-Skynet (3)
    Rogue.AntivirusPro2010 (23)
    Rogue.WindowsPolicePro (15)
    Adware.Tracking Cookie (82)
    Trojan.Dropper/Win-NV (1)
    Trojan.Dropper/Gen-NV (1)
    Rootkit.BraviaX-Installer (2)
    Trojan.Agent/Gen (2)
    Trojan.Agent/Gen-FraudTool (2)

    [The number in parenthesis is the number of items found]

    PC was rebooted and it is waiting for further instructions :)

    I was actually able to regenerate a log of what the online scan found, so it is attached too.

    The following are the attached files:
    RRlog.txt
    avplog.txt
    exehelperlog.txt (I didn't get any errors running it)
    SUPERAntiSpyware Online Scan Log.txt

    Thank you very much for your help.

    BTW. I'm using my laptop and a flash drive back and forward from the infected PC. I hope I won't get my laptop infected too. :mad
     


    Last edited: Sep 28, 2009
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    It ain't easy. ;)




    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. GeekBen

    GeekBen Private E-2

    One more thing --->

    I downloaded 'The Avenger', copied the script and executed the file. Then rebooted PC and I got the following Command Prompt window:

    *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

    'GREP' is not recognized as an internal or external command, operable program or batch file.
    'Update-CF.cmd' is not recognized as an internal or external command, operable program or batch file.
    Could Not Find C:\CmbFx23378C\Update-CF.cmd

    Please wait.
    ComboFix is preparing to run.

    Attempting to create a new System Restore point.

    *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

    Then a pop up window came up saying the following:

    *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
    This machine does not have the 'Microsoft Windows recovery console' installed.
    Without it, ComboFix shall not attempt the fixing of some serious infections.

    Click 'Yes' to have ComboFix download/install it.

    NOTE: this requires an active internet connection.
    *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

    And it is waiting for "yes" or "no"

    [It looks like now ComboFix is able to run now when before it wasn't]

    Please advise before proceeding to the next step.

    I'm attaching what I have so far: avenger.txt

    Thanks again.
     


    Last edited: Sep 28, 2009
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes Avenger fixed the problem that was blocking ComboFix. So run ComboFix per the instructions in the READ & RUN ME and then get me the new MGtools log too.
     
  7. GeekBen

    GeekBen Private E-2

    Ok sir, here you go.

    I replaced the existing MGTools file and I ran it.
    After accepting the license agreement for TrendMicro HijackThis, I got a pop up window saying:
    “The application failed to initialize properly (0xc0000135). Click on OK to terminate the application.” I clicked OK and the zip file was created.

    As per your possible error message type #4 that says: “If you receive a message similar to any of the below. It just means that you do not have the Microsoft .NET Framework software installed from Microsoft Update. You should install this as many .NET type applications require it…”, I went ahead and installed the .NET Framework software and re-ran MGTools. This time no errors or anything, everything went ok.

    Attached is the ComboFix file and I'm actually attaching both the MGTools zip file from when I got the error message shown above, and the zip file from when it ran without any problems (just in case :) )

    Waiting for further instructions, and once again, thanks a bunch.

    FYI:
    BeforeMGlogs.zip --> corresponds to the zip file when I got the error message.
    MGlogs.zip --> without any errors.

    After running the above tools, Windows Security reports that Firewall and Virus Protection (AVG) are off.
     


    Last edited: Sep 29, 2009
  8. GeekBen

    GeekBen Private E-2

    UPDATE.

    There is a Windows Update that keeps popping up.

    When the viruses were present, a Windows Update popped up and I tried to install it. After running all the process as of today, the same Windows Update keeps coming up. It is the Windows Malicious Software Removal for September 2009. It installs correctly with no errors, then about 2 minutes later the same update comes up (or I should say the yellow "shield" symbol for Windows Updates appears at the bottom right hand corner of the screen). It does the same thing even if the laptop is restarted.

    I just wanted to let you know.

    Thank you.
     
  9. GeekBen

    GeekBen Private E-2

    Any suggestions please?

    Thank you.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Every time you make additional posts, you delay getting an answer. You should have read the stickies: Don't Bump! It Only Hurts You!!!

    Is the copy of SpyHunter you recently installed a paid version or just a trial? If a trial, uninstall it now.


    Now run Win32kDiag per the below:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {1A00A28B-D791-4D35-AFC7-37AD23638B1a} - (no file)
    O2 - BHO: (no name) - {32CE0D1B-3B8E-46C3-B82F-E2AA3D137CBE} - C:\WINDOWS\system32\pmkjj.dll (file missing)
    O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\ayqyqapp.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.

    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
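    The HijackThis lines above are the kind of leftovers that are worth checking for in a log even after the active infection is gone: a BHO or Run entry whose file is marked "(no file)" or "(file missing)" is a dead registration, and a BHO with no name is worth a second look. The script below is an added example written for this thread, not code from MajorGeeks, from chaslang, or from HijackThis itself. It parses O2 and O4 lines in the format shown in the post, splits the Run-key command line into program and arguments, and flags the orphaned entries. The sample lines are the five from the post; the function and variable names are my own.

```python
"""Triage HijackThis-style O2/O4 log lines for orphaned autostart entries.

Added example, not part of the MajorGeeks thread or the HijackThis tool.
"""
import re
from typing import List, Optional, Tuple

# "O2 - BHO: <name> - {CLSID} - <dll path or marker>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$"
)
# "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<command>.*)$"
)
# Markers HijackThis appends when the referenced file is absent from disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Constructed sample: the five lines the post asks the poster to fix.
SAMPLE_LINES = [
    "O2 - BHO: (no name) - {1A00A28B-D791-4D35-AFC7-37AD23638B1a} - (no file)",
    "O2 - BHO: (no name) - {32CE0D1B-3B8E-46C3-B82F-E2AA3D137CBE} - C:\\WINDOWS\\system32\\pmkjj.dll (file missing)",
    "O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\\WINDOWS\\system32\\ayqyqapp.dll (file missing)",
    'O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime',
    "O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k",
]


def split_command(command: str) -> Tuple[str, str]:
    """Split a Run-key command line into (program, arguments).

    Handles both shapes seen in HijackThis output: a double-quoted path
    followed by arguments, or a bare path whose first space ends the program.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip()
    parts = command.split(" ", 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_hjt_line(line: str) -> Optional[dict]:
    """Parse one O2 or O4 line; return None for sections this example ignores."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        target = m.group("target").strip()
        return {
            "section": "O2",
            "id": m.group("clsid"),
            "name": m.group("name"),
            "target": target,
            "orphaned": any(mk in target for mk in ORPHAN_MARKERS),
        }
    m = O4_RE.match(line)
    if m:
        program, args = split_command(m.group("command"))
        return {
            "section": "O4",
            "id": f"{m.group('hive')}\\{m.group('key')}\\{m.group('value')}",
            "name": m.group("value"),
            "target": program,
            "args": args,
            # HijackThis only appends a marker when it could not find the file;
            # a present file still has to be judged on the affected host.
            "orphaned": any(mk in m.group("command") for mk in ORPHAN_MARKERS),
        }
    return None


def triage(lines: List[str]) -> List[dict]:
    """Return parsed entries with a list of review reasons attached to each."""
    findings = []
    for line in lines:
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reasons = []
        if entry["orphaned"]:
            reasons.append("registration points at a file that no longer exists")
        if entry["section"] == "O2" and entry["name"] == "(no name)":
            reasons.append("BHO has no registered name")
        entry["reasons"] = reasons
        findings.append(entry)
    return findings


def orphaned_ids(lines: List[str]) -> List[str]:
    """Identifiers (CLSID or hive\\key\\value) of every entry flagged as orphaned."""
    return [e["id"] for e in triage(lines) if e["orphaned"]]


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        flag = "REVIEW" if e["reasons"] else "ok    "
        print(f"{flag} {e['section']} {e['id']} -> {e['target']} {'; '.join(e['reasons'])}")
```

    Run against a full HijackThis log this only reports the O2 and O4 sections; the three BHOs from the post come back flagged on both counts, while the two Run entries come back unflagged, which matches the post: those are asked to be fixed as cleanup, not because HijackThis could not find their files.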
     
  11. GeekBen

    GeekBen Private E-2

    I'm sorry about the "Don't Bump! It Only Hurts You!!!"
    I was in a hurry since my friend was asking me what was going on with her laptop because she needed it.

    I managed to "fix" the Windows Update issue mentioned before. It seemed to be working ok so far, so I had to return her laptop just today (10/06/2009) in the morning.

    If I'm able to have it back, I'll run the instructions mentioned in your post and post the logs.

    Thank you for all your help!!
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Those other items need to be fixed before the infection can respawn from them.
     
