Many Invaders (Win 7, prelimscans defeated)

Discussion in 'Malware Help (A Specialist Will Reply)' started by jqm, Sep 30, 2010.

  1. jqm

    jqm Private E-2

    Hi all;

I've had a number of trojans and whatnot over the years, and this site and its tools have always helped to weed them out. Now I have a doozy:

    I'm not sure when it started, but I started getting search engine rerouting, then google disappeared from Firefox, after Chrome stopped working at all (it would start up but refuse to load anything at all, not even error pages). I tried various uninstalls and reinstalls, nothing helped. I then started getting desktop popups saying "WARNING INFECTION" and Antivirus 2010 offering to fix things. I was using AVG to good effect until then, and knew it was bunk.

    AVG wouldn't catch anything if it scanned, then Malwarebytes stopped scanning (it would mysteriously and silently terminate mid scan) and SUPERantispyware did the same (it would vanish on startup if it was the exe, and somewhere in scanning the registry if it was the portable version). I tried Hitman 3.5, it would also terminate as soon as the scan started. Often, after trying any of the programs once, they would then be locked (I did not have permission, or could not find path need permission).

So I tried the RUN FIRST manual from this site, and I got these results:

    -neither version of superantispyware worked: the .exe version started up but silently disappeared, and the portable version scanned, but vanished in the middle of the registry scan.

    -Malwarebytes runs, if renamed, but does not scan for more than a second before it is terminated.

    -Combofix runs.

    -Running Root repeal immediately gives me this: "FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000e0)" There is some more in details, but it is the same addresses and messages repeated.
    I looked in the options and changed the "disk access level" to "Middle Level," which says it "supports all block-based devices, does not support dynamic disks." I have a SATA drive, so maybe this is part of the problem? Doesn't matter, still doesn't work, on any of the settings.

    -Actually, when doing the "Files" tab, it still does not work. "There is a driver error, please contact the author." The same address shows up (0xc0000024).

    -MGTools runs fine.

-When I restarted the computer, new Windows updates were installed, but did not seem to change anything. Malwarebytes did not install correctly (MBAM_ERROR_LOAD_DATABASE (0,5)) and SUPERantispyware will not scan completely. I did not try RootRepeal or ComboFix or MGTools again.


After all that, the pop-up WARNING INFECTION is gone, and so have most of the other symptoms (I haven't reinstalled Chrome, but my searches in Firefox seem stable with a new extension. I haven't got the default 'Google' search option back). There don't seem to be any outward symptoms, but as any anti-spyware related programs are terminated, I'm afraid my system is still compromised by something serious. Help?
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    c:\programdata\Update
    C:\Users\Justin\AppData\Local\76561197971100923
    Folder::
    c:\windows\8A809006C25A4A3A9DAB94659BCDB107.TMP
    c:\windows\B83FC356B7C0441F8A4DD71E088E7974.TMP
    C:\Users\Justin\AppData\Local\xeyfcsgij
    File::
    c:\windows\system32\config\systemprofile\AppData\Local\Umoqimuwesebebeb.bin
    c:\windows\system32\config\systemprofile\AppData\Local\Xrecijoyiger.dat
    c:\windows\system32\config\systemprofile\AppData\Roaming\lmoc32.exe
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"=-
    "ISUSPM Startup"=-
    "Skype"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "iTunesHelper"=-
    "Adobe Reader Speed Launcher"=-
    "Adobe ARM"=-
    "SSBkgdUpdate"=-
    "ISUSScheduler"=-
    "DNS7reminder"=-
    "SunJavaUpdateSched"=-
    "AdobeCS5ServiceManager"=-
    "AdobeAAMUpdater-1.0"=-
    "DivXUpdate"=-
    "BCSSync"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Navigate to C:\MGTools\analyse.exe, double click it to run it, (right click and run as admin if using vista/win 7) do a system scan only and save a log file which you can attach into your next reply.

    Try again scanning with Malware Bytes and SUPERantispyware. Attach logs if successful, regardless of what it finds or did not find.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    You need to install some anti virus.

    Tell me how things are running now.
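An added review helper, not code from the thread or from ComboFix: it parses a CFScript like the one above and lists what the script would touch, so the paths and registry entries can be checked against the logs before the file is dragged onto ComboFix. The section meanings it assumes are stated in the code (Folder::/File:: delete, DirLook:: only lists, and `"name"=-` removes a registry value, following .reg-file convention); the embedded sample is a shortened copy of the script in this post.

```python
import re
# The CFScript from the post above (shortened), embedded so the parser runs offline.
CFSCRIPT = r"""KILLALL::

DirLook::
c:\programdata\Update
Folder::
c:\windows\8A809006C25A4A3A9DAB94659BCDB107.TMP
File::
c:\windows\system32\config\systemprofile\AppData\Roaming\lmoc32.exe
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"=-
"Skype"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"=-
"""
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")  # e.g. "Folder::"
KEY_RE = re.compile(r"^\[(.+)\]$")           # "[HKEY_...\run-]"
VALUE_RE = re.compile(r'^"(.+?)"=(.*)$')     # '"Skype"=-'  ("-" = remove value, assumed)
def parse_cfscript(text):
    """Return {section: entries}; Registry entries are (key, value_name, data)."""
    sections, current, key = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:                                  # new section header
            current, key = m.group(1), None
            sections.setdefault(current, [])
        elif not line or current is None:      # blank line, or stray text before a header
            continue
        elif current != "Registry":            # path-list sections: one path per line
            sections[current].append(line)
        elif KEY_RE.match(line):               # registry key line; its values follow
            key = KEY_RE.match(line).group(1)
        elif VALUE_RE.match(line) and key:
            sections[current].append((key,) + VALUE_RE.match(line).groups())
        else:
            raise ValueError(f"unparsed registry line: {line!r}")
    return sections

def review(text):
    """Summarise what the script would touch (section semantics assumed, see lead-in)."""
    s = parse_cfscript(text)
    return {
        "kill_all": "KILLALL" in s,
        "listed_only": s.get("DirLook", []),
        "deleted_folders": s.get("Folder", []),
        "deleted_files": s.get("File", []),
        "removed_values": [(k, n) for k, n, d in s.get("Registry", []) if d == "-"],
    }
```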
     
  4. jqm

    jqm Private E-2

    Thanks, I'll do this in a few and let you know.
     
  5. jqm

    jqm Private E-2

    Kestrel,

    Okay, I tried running things again. Combofix got run twice, both times it claimed that Superantispyware was still running, though I've done everything I can to remove it. The second time combofix ran, it got an update.

    MGtools analyze.exe did not run (I did not have permission) until I did a "Grant Full Admin Control" and then ran as an administrator. That is the first MGlog attached.

I then ran Malwarebytes, but it again was terminated as soon as the scan started. So no logs to post.

    I ran MGtools getlogs.bat and uploaded the logs as MGlog2.

    The computer doesn't have any AV running, and hasn't been on since the first post.
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The computer doesn't have any AV running, and hasn't been on since the first post.

    Yes I know ;) But you SHOULD have some installed. Is there any reason why you haven't?

    Delete this empty folder using windows explorer:
    • c:\programdata\Update

    Follow this through:

    Proxy Server - Changing Settings


    Now tell me how things are running! :)

    And install some Antivirus as surfing without protection is what lands you in forums like this.
     
  7. jqm

    jqm Private E-2

    Kestrel,

    Everything is running fine now. Chrome starts and works fine.

    HOWEVER

    I still can't run scans. AVG finds nothing. Superantispyware I can't access and Malwarebytes is terminated, still, after a little while.

Additionally, I downloaded PeerBlock (I've had a network activity monitor for a while) and I have a lot of activity to strange addresses. So even though I don't seem to have any identifiable lags or activities, I'm still concerned that I am compromised in some way.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you run SAS and MBAM in safe mode?
     
  9. jqm

    jqm Private E-2

    Nope. The same things happen; if I can start the scanners, they are terminated immediately.
    To my knowledge, nothing else seems affected, only the antivirus programs. It seems targeted.

    Also, to run malwarebytes, I have to "Grant Admin Full Control" and then run as admin. It will terminate, and then I won't have access to the .exe unless I do those actions again.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  11. jqm

    jqm Private E-2

    Nope. It was terminated while scanning the registry. Although it got farther than it usually does...
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  13. jqm

    jqm Private E-2

    TimW,
    Eset scanner worked brilliantly. It took out a lot of threats related to Java 6.0 and a rootkit that the other scanners didn't catch. I ran Superantispyware afterward and it behaved fine, discovering and deleting a bunch of tracking cookies. Everything seems fine...except I still cannot run Malwarebytes at all. If there is a connection with the rootkit and various other threats, it seems residual, but how can I be sure?

I've attached the log from the ESET scanner, for more info.


    And thanks, both of you.
     


  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just to double check, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
