ACME bug survived MG Cleaning Procedures

Discussion in 'Malware Help (A Specialist Will Reply)' started by toddly, Oct 30, 2009.

  1. toddly

    toddly Private E-2

    Hi. I've got a nasty worm that has taken over my executables and totally eluded Major Geeks' cleaning procedures. Any program I open is hijacked by "ACME" and is renamed and re-iconed, so Microsoft Word becomes ACME Word, with a weird skull-like icon. And all the programs that have been hijacked cannot now be run. Consequently, I can no longer go online and have to transfer files via the USB.

    When I plug the USB storage drive from the infected computer into another, the other computer's AVG program identifies corrupted files on the USB storage device as being "Worm/Generic.APN", but I can find no other references to such a worm on the internet.

    This entire episode started after my computer's 'credit card modem' (for hooking into a phone line) died and I bought a new one. My computer said that the card required a particular driver, so I looked online for the driver. It was hard to track down, but I found one --I believe it was called spcolsv-- on a foreign site that my AVG didn't find too sketchy, so I downloaded it. While it did enable me to use the modem card initially, I later learned it also copied some odd programs to my computer, one called setup.exe and another spcolsv.exe. It then began a total takeover, and now I am stuck.

    I have run all the recommended malware removal programs with no luck. Most didn't even find the infection. I have copied all the logs into one folder, and I'm not certain which logs will be the most helpful for me to attach.
    I am running on Win2K, so newer antivirus products are not necessarily compatible.

    Any help anyone can offer would be greatly appreciated.
    Thanks!
    Please let me know which logs I should attach.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the individual logs, not the folder.
     
  3. toddly

    toddly Private E-2

    Tim,
    Thanks. I will attach the various log files with this post. Let me know if there are any I missed, as some logs said not to post them unless specifically requested, and some were hard to keep track of on the infected computer. The SuperAntiSpyware log didn't seem to include anything other than the various programs it ran, but I could include that in another post. Also, I don't know whether it makes any difference, but I ran most of the scans in Safe Mode, as the standard mode seemed to mess with the scans. Another thing I may not have mentioned is that the virus prevents me from opening the Task Manager. Thanks again!
    -Toddly
     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I need the C:\MGLogs.zip from running C:\MGTools.exe

    And MBAM and SAS are way out of date and need to be updated and re-run. New logs for them too.
     
    Last edited by a moderator: Nov 4, 2009
  5. toddly

    toddly Private E-2

    Tim,
    Okay, I downloaded the specified programs again, ran them, and enclosed the logs. In running the programs (as I do in safe mode, except SAS), I had some glitches that I thought may be potentially helpful in the machine's diagnosis.

    In running C:\MGTools, I got the message: "The system cannot find file C:\MGTools\ltime.exe" and another for "locate.exe"

    Later I got the notice "The dynamic link library mscoree.dll could not be found in the specified path."

    Malwarebytes came up with the error code: 732 (0,0). Also, I ran the full scan instead of the quick scan.

    When doing a search for the log files, I noticed hundreds of recent DESKTOP_.ini files that I don't believe I've ever had before. Also, the virus file spcolsv.exe is trying to run and apparently connect to the internet via something called maqqhk0ael that continually is trying to access the internet.

    The computer still takes forever to load and will not allow me to run Task Manager or the other programs that have been hijacked.

    When I tried to upload the zipped MG logs, I kept getting the message that I was missing a security token, so the files could not be loaded. So I simply attached the text file log.

    Thank you very much for your help!
     

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see if we can manually update by downloading and running this: MBAM_RULES

    If that does not help, see Issue # 8 here: http://www.malwarebytes.org/forums/index.php?showtopic=10138


    Download and run the below tool named Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator


    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and Run exeHelper from Raktor

    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    • exeHelper log
    • Malwarebytes Anti-Malware log
    • MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.
     
  7. toddly

    toddly Private E-2

    Tim,
    Okay, I succeeded in getting an updated mbam to run by copying the updated file to a zip drive then running it. It found and removed some viruses, but it did not get it all.
    Next, I tried to run the Rkill programs, and it seems none of them ran properly in safe-mode. When I went out of safe mode, all the Rkill programs were hijacked and corrupted by the virus.
    Still, I ran ExeHelper, but it didn't appear to find or fix anything.

    I actually had to run mbam four times because I ran it twice without the updates taking, and once when I tried using the computer in regular mode, the viruses went berserk again, so I ran the updated mbam again to clear out a few of the viruses that returned. Since then, I have been running everything in safe mode.

    Because I cannot tell which mbam log is which, I will paste the logs from the four scans. I am also including the exeHelper log and MGlogs as you requested. Since you asked for the MGlog, I went ahead and tried to run the program again, but got the following messages:"mscoree.dll not found", "cannot find ltime.exe," "program cannot initiate," and about another hundred "cannot find file" messages for various files it was looking for.
    Although you didn't mention the Rkill logs, I'm enclosing those as well.

    Thanks so much for your help!!
     

  8. toddly

    toddly Private E-2

    It turns out that I don't have any Rkill logs to send. But here are the MGlogs and exeHelper log. Thanks!
     

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It has been a month. Your system has changed in many ways. You have removed Norton and not replaced it. What are you using for an AV program? What other changes have you made that now will not allow MGLogs to produce a complete NewFiles log?

    Do this:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete this file:
    C:\WINNT\is-QKPDU.exe

    I need you to run all the scans again. Please download the latest version of SAS (you will need to uninstall it first) and update it, as well as updating the MBAM definitions. Then download a new version of ComboFix, which will just replace your old version. And then download the latest version of MGTools.exe and let it overwrite your present version. Run them all and attach the new logs.
     
  10. toddly

    toddly Private E-2

    Tim,
    Just to further clarify the situation with my sick computer, I do not turn it on except to run your fixes and obtain logs. It is so slow when the virus is running that it scares me what the virus might be doing, so I just keep it turned off. The virus corrupted all my internet access ability, so I cannot get on the internet using that computer. So I am forced to use friends' computers to see my email, etc.

    I stopped using Norton a few years back and began using AVG by Grisoft, and ZoneAlarm's firewall. Years after I had removed Norton I learned that its RECYCLER folder had continued growing until it literally took up 95% of my hard disk. So after finding the right solution, I removed it and restored my disk space. My computer was working fine until this virus. Now AVG has been hijacked and will not run, so I have no functioning AV program. Also, I am assuming that it is the virus that is not allowing MGLogs to run properly, or perhaps the limits of the NewFiles log reflect that my computer has largely lain comatose except for the moments I try to run fixes. But when I watch the program, it appears to not run fully.

    I will attempt to run the programs you have suggested and get back to you after I finish. Thank you again.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I have a few other suggestions for you to download and transfer to this computer.

    Please try doing the below:

    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple of minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create, as long as the malware does not block the batch file from running.


    Now download and Run exeHelper

    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

    I would also like you to try doing this and attaching that log:
    Win32KDiag - How to run
     
  12. toddly

    toddly Private E-2

    Tim,
    Well, it's been a long time, but I haven't given up on reviving my sick computer, and I performed the scans you had asked me to. Most notably, this time I received the following message:
    “System file is infected!! Attempting to restore. C:\WINNT\System32\comres.dll”

    Here's the chronology of fixes you'd asked me to run, and the results:

    Ran AVPFind.bat – It finished running in 8 seconds. Acplog.txt attached.

    Ran exeHelper – It finished running in 4 seconds. ExeHelperlog.txt attached.

    Ran SAS – First ran the Quick Scan. It took 27 minutes, found nothing. Then ran Complete Scan. It took 1 hour and found nothing.

    Ran Win32KDiag – It gave me the message, “WARNING: Could not get backup privileges!” Log attached.

    Feeling like I hadn't accomplished anything, and wanting to find something meaningful after such a long lapse, I decided to run Combofix and Malwarebytes.

    Ran Combofix – Received the message, “WARNING –This machine does not have a recovery console installed!!!” I believe it was later that I received the message “System file is infected!! Attempting to restore. C:\WINNT\System32\comres.dll” Combofix log attached.

    Ran Malwarebytes Quick scan, “No malicious items.” Let me know if you want me to send that log.

    Lastly, because I run all these programs off a flash drive (because the sick computer can't go online), I have found that my friend's computer (that I use to download the programs for the flash drive) detects the ACME bug infection on the flash drive and removes it. It seems the AVG program is able to recognize and remove the virus. So, I copied the AVG setup program on the flash drive and tried to install it on the sick computer in safe mode. I got this message, “Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows: creating registry key”

    I hope the logs and messages give you a clue as to what's happening with my computer, and I thank you again for your help and patience.

    Thanks,
    Todd
     

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's been almost two months, so we need to have a new set of logs from you.

    First do this:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      comres.dll
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\SystemLook.txt
    * C:\MGlogs.zip
     
  14. toddly

    toddly Private E-2

    Tim,
    Okay, I ran SystemLook and MGTools. SystemLook could not find the file comres.dll that we were looking for. MGTools gave me two messages:
    "The dynamic link library mscoree.dll could not be found in the specified path," and "The system cannot find the file C:\MGTools\ltime.exe." I looked in the MGTools folder in the root directory, and ltime.exe was there, so I don't understand that problem.

    My logs should be up-to-date despite being 2 months old, because the virus killed my ability to go online, and I cannot open any file or program without it getting infected. Consequently, I only turn the computer on to run the programs you suggest, and I only run the computer in safe mode. After running the programs I turn the computer off until I hear back from you. So the system and registry should not have changed. But let me know if you'd like me to get another, fresh log file.

    I'm attaching the two log files from SystemLook and MGTools.

    Thanks again!!
    Todd
     

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NOTE: This is just a bug in ComboFix. The comres.dll file is not found in Windows 2000 and ComboFix is falsely saying it is infected just due to the fact that it is missing.
     
  16. toddly

    toddly Private E-2

    Chas,
    Thanks for your input. But if you'd have read through some of the previous dialog, you'd see that the computer is indeed infected, extremely infected. I cannot run processes such as Task Manager, and every program I run is immediately disabled and has its desktop icon taken over by something called the Acme virus.
    Can anyone tell me what to do about this: "The dynamic link library mfc90u.dll could not be found in the specified path."
    Apparently, many of my dlls cannot be found.
    Thanks.
    Todd
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm just commenting on comres.dll and nothing else. I just did not want anyone wasting time on this since it is a bug in ComboFix. TimW will continue to help you with the rest.

    Some of your problems may not be malware.... like the problem with mfc90u.dll
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your Newfiles log is empty. So I want you to download all the scans ( SAS, MBAM, ComboFix and MGTools.exe --> just drop it on top of the old version ) to a different computer and transfer them to this computer. ( There are instructions on how to update them manually).

    Then attach new logs.

    You can always go to start / run / type:
    sfc /scannow and have your Win2K disc handy. ( Run it at least twice ).
     
  19. toddly

    toddly Private E-2

    Tim,
    I downloaded new versions of MBAM, SAS, Combofix and MGTools, and ran them on my computer in safe mode (because in normal mode, the virus infects any app running). Here were the results:
    1. Ran MBAM full scan, took 41 minutes. FOUR infected objects were found. Log is attached.
    2. Manually updated virus definitions, ran complete scan: "no harmful software was detected."
    3. Ran Combofix: "Access to the specified device, path, or file is denied. 32788R22FWJFW\n.pif" Log is attached.
    4. Ran MGTools. As previously, I got the messages "Cannot find ltime.exe" and "The system cannot execute the specified program. The dynamic link library mscoree.dll could not be found..."

    Some questions:
    1. About 40 applications on the computer have had their icons replaced by the virus icon, should I assume these apps are still infected? Should I delete them?
    2. The virus had initially placed a new app icon on my desktop. It is still there. What should I do with it?
    3. I have not been running the computer in normal mode, only in safe mode. Should I now try running in normal mode to see what happens?
    4. I still have no internet connectivity, WORD, or any of another 20 or so apps that had been infected. Should I remove those programs? How can I do so if the uninstall files are infected and don't work?
    5. Is there some place that might want me to send them one of the infected files so that they could see it and figure how to remove it?
    6. How will I know when all the infected files have been healed or destroyed?

    Tim, thanks again for all your assistance and patience! I have attached the logs below.
     

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    None of your logs so far are showing any traces of malware, so you should boot into normal mode and run MGTools.exe.

    You have MGTools in the wrong place:
    C:\Documents and Settings\Todd Putnam\Desktop\February\February\MGtools.exe

    Please move it to C:\MGTools.exe ( directly on the root drive....C:\ ) then double click it. Attach the C:\MGLogs.zip
     
  21. toddly

    toddly Private E-2

    Tim,
    I went ahead and deleted all other versions of MGTools in other directories and re-ran MGTools from the root C: drive, and it came up with the same errors, unable to find files or execute programs. So I decided to run analyze.exe (HijackThis) by itself, which did run successfully.

    I have posted both logs below.
    Thanks!
     

  22. toddly

    toddly Private E-2

    Tim,
    As per your suggestion to try running the computer in normal mode (as opposed to safe), and then running MGTools, well, I TRIED.

    Apparently, the malware has hijacked the "Super Anti-Spyware" program on the desktop. For the first time in eons, I was successfully able to open the Task Manager, and noticed that SAS had begun running by itself. I waited for ten minutes for it to stop loading (or doing whatever it was doing). It never allowed the icons to appear at the bottom of the screen; and it wouldn't allow me to run any other program or to use the Task Manager to "End Process"; and it would not allow me to turn off the computer. I was forced to do a hard shut down.

    So much for normal mode? This is obviously a really nasty bug. Are you sure you don't want me to send you a copy to study up close?
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Bear with me as it has been a good while since I used W2K.....first use windows explorer to find and delete:
    c:\winnt\isRS-000.tmp
    c:\winnt\wmsoft08735.exe

    As to the file you want to send, please send it to Jotti:
    Click on the following link and use the below steps to scan a file:
    Virustotal
    Click the Browse... button.
    Navigate to the file FileToBeScanned

    • Where FileToBeScanned is the actual file to be scanned. Like

      C:\WINDOWS\System32\vdmt16.sys


    Do you have your W2K disc?

    Please go to start / run / type:
    services.msc
    When that window opens, scroll down to the Windows Management Instrumentation (WMI) service and tell me what it is set to.

    Go to start / run / type:
    sfc /scannow and run it at least twice.
     
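Two of the mechanical steps Tim asks for in this thread, SystemLook's ":filefind comres.dll" in post 13 and getting a suspect file in front of Jotti or VirusTotal in post 23, can be done offline on the clean machine over files copied off the sick one. The script below is an added example written for this page; it is not SystemLook, MGTools, or any MajorGeeks tool, and it uses nothing beyond the Python standard library. It walks a directory tree, matches file names case-insensitively (Windows style), and reports size, modification time, MD5 and SHA-256 for each hit, so the hash can be looked up on VirusTotal without uploading anything first. The file names spcolsv.exe and comres.dll come from the thread; the directory it builds and the bytes inside the sample files are constructed here and are not real malware.

```python
"""Offline file-find and hash triage (added example, not a MajorGeeks or
SystemLook tool). It reproduces two steps from the thread, SystemLook's
':filefind comres.dll' (post 13) and preparing a suspect file for a
VirusTotal/Jotti lookup (post 23), as a script for the clean machine.
"""
import fnmatch
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample bytes: a stand-in for files pulled off the sick PC.
SAMPLE_CONTENT = b"MZ\x90\x00 constructed sample, not real malware\n"


def file_hashes(path, chunk_size=65536):
    """Return (md5, sha256) hex digests, streamed so large files are fine."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def filefind(root, pattern):
    """Case-insensitive name search under root, like SystemLook :filefind.

    Each hit carries size, mtime (UTC) and both hashes. Files that cannot
    be read (locked, access denied) are reported rather than skipped,
    because 'could not read it' is itself a symptom worth seeing.
    """
    pattern = pattern.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not fnmatch.fnmatch(name.lower(), pattern):
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
                md5, sha256 = file_hashes(full)
            except OSError as exc:
                hits.append({"path": full, "error": str(exc)})
                continue
            hits.append({
                "path": full,
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc)
                                 .strftime("%Y-%m-%d %H:%M:%S UTC"),
                "md5": md5,
                "sha256": sha256,
            })
    return sorted(hits, key=lambda h: h["path"].lower())


def format_report(pattern, hits):
    """Plain-text report in the spirit of SystemLook.txt."""
    lines = ["========== filefind ==========", 'Searching for "%s"' % pattern]
    if not hits:
        lines.append("No files found.")
    for h in hits:
        if "error" in h:
            lines.append("%s\t[unreadable: %s]" % (h["path"], h["error"]))
        else:
            lines.append("%s\t%d bytes\t%s" % (h["path"], h["size"], h["mtime"]))
            lines.append("    MD5    %s" % h["md5"])
            lines.append("    SHA256 %s" % h["sha256"])
    return "\n".join(lines)


def build_sample_tree():
    """Create a throwaway directory shaped like C:\\WINNT with constructed files."""
    root = tempfile.mkdtemp(prefix="filefind_demo_")
    sys32 = os.path.join(root, "WINNT", "System32")
    os.makedirs(sys32)
    # Two copies of the dropper name from the original post, mixed case.
    for rel in (("WINNT", "spcolsv.exe"), ("WINNT", "System32", "SpcolSV.EXE")):
        with open(os.path.join(root, *rel), "wb") as fh:
            fh.write(SAMPLE_CONTENT)
    with open(os.path.join(sys32, "kernel32.dll"), "wb") as fh:
        fh.write(b"unrelated constructed file")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for pat in ("comres.dll", "spcolsv.exe"):
        print(format_report(pat, filefind(demo_root, pat)))
        print()
```

Run it against a copy of the sick drive's folders rather than on the sick machine, since anything launched there gets hijacked. Two things to notice in the output: the SHA-256 is the value to search for on VirusTotal or Jotti before deciding whether to upload the file itself, and an empty result for comres.dll is the expected outcome on Windows 2000, which is the point chaslang makes about the ComboFix warning.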
