Evil malware on Vista, help please!

geminisoup · May 8, 2010

Hi, I have run all the suggested items, or at least the ones that I have been allowed to run, as the malware disables installation and running of several items when I try to....

Detail:

False antivirus bug is the culprit. Logs attached, with explanations in parentheses after each log. Any suggestions appreciated.

Ran Defogger, no problems.

Ran SuperAntiSpyware, no infections reported.

Ran Malwarebytes, no infections reported, but got an error message that some parts had not been successfully installed.

Ran Combofix, got the following log:

Tried to run MGTools, got message that this was an illegal operation, using a registry key that was marked for deletion. Same message is received when running Rkill or Ccleaner or SpyNoMore and RootRepeal.

Disabled User Accounts and File Recovery and every bloody thing else listed in the "Try me first" page. I am transferring all these files by Thumb Drive, as internet connection is disabled from the infected computer.

Any and all suggestions welcome. Including instructions on how to just wipe the hard drive and reinstall the OS if necessary.

Thanks in advance for all responses.

TimW · May 8, 2010

Did you try to do any of the scans in safe mode?

Use windows explorer to find and delete:
c:\windows\system32\windrv.sys

Have you tried doing a system restore?

Let's see if you can run MGTools from a command prompt.

Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The red is merely informational.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
GetRunKey <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
ShowNew <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.

geminisoup · May 9, 2010

Thanks for the reply. I have addressed each issue below.

TimW said: ↑

Did you try to do any of the scans in safe mode?
I don't seem to be able to run ANYthing in safe mode. Booting in safe mode disables virtually all services, including plug and play, so I can't even open files from my thumb drive. And it won't let me re-enable or start the services from the MSCONFIG or Manager screen either. I get an error message stating that Access is denied. I have tried changing permissions from the Properties tab within the window and get the same response. On one occasion several days ago, I tried to run Dr. WebCureIt and it ran in safe mode, detecting Ransomware and a Trojan. Then when I activated the Remove Infections, the processor shut itself down.

Use windows explorer to find and delete:
c:\windows\system32\windrv.sys
Managed to delete this with no trouble.

Have you tried doing a system restore?
Yes. Each restore point reloads the bug.

Let's see if you can run MGTools from a command prompt.

Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The red is merely informational.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
GetRunKey <-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
ShowNew <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.
Click to expand...

I attempted to run all of these. On the MGtools, I got an error stating "system cannot find the path specified." All the rest gave me "This is not recognized as an internal or external command, operable program or batch file."

I do not have a lot of experience with command prompts, so it is possible that I am doing something wrong. Thanks again for the response. This is kind of making me crazy. It's my sister's computer, and she told me it has been acting wonky for quite some time, so this bug has had time to get comfortable in its new home. She was running AVG at the time of the infection, but apparently it didn't help.

TimW · May 9, 2010

Do you have MGTools downloaded directly to the C:\ drive ( assuming that is the root drive of your system)? Did you turn off the UAC? Did you try to rename it or change the .exe to a .com?

See if you can create this disc and then on the infected machine, boot to it and let it run. Then after it is finished, boot back to safe mode and see if you can run any of the other scans.

BitDefender Rescue Disk-with-auto-update.

Log in or Sign up

Evil malware on Vista, help please!

geminisoup Private E-2

Attached Files:

Combo1.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

geminisoup Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member