nasty malware not letting me run any antispyware, etc

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jg7587, Sep 24, 2009.

  1. jg7587

    jg7587 Private E-2

    I'm attempting to clean up some pretty severe malware off of my friend's laptop. So far, all attempts have resulted in no real progress. Everything that I have tried to run or install ends up thwarted, and sometimes the application itself becomes blocked. I have done this in both normal and safe modes. Currently, when I log into safe mode no task bar appears. I have been able to copy over SDFix, SmitFraudFix, RootRepeal, SUPERAntiSpyware and Malwarebytes, but have yet to be able to successfully run any of them. Usually I can get them to start to install, but then the process bombs out, and when I go and try it again, I get a "The system administrator has set policies to prevent this installation". Or if the setup does seem to begin, nothing really happens, and the process just sits idle and never does anything. I do know that the system has on it at least the Windows Police Pro and Protection System malware, but there probably is some other nasty rootkit as well. I have even tried the Avira Rescue CD, with no success; it seems that of all the files it identified as trojans, malware, viruses, etc., it was unable to delete any of them.

    Any ideas how to clean this thing up?
     
  2. jg7587

    jg7587 Private E-2

    Not trying to bump... I just was finally able to get MGTools to run (the only one of the four logging tools) and get a log from it. Not sure if it ran completely though, as it seems that sometimes processes are getting cut short of completing on their own.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Let's see if we can get some info so that we can determine which system file has been corrupted. That way we can try to replace it.

    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double-click on it to run it.

    AVPFind.bat

    It should take a couple of minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create, as long as the malware does not block the batch file from running.


    Now download and run exeHelper
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log with it.


    Then try running these instructions: Using MGtools

    Attach the below logs when finished with all of the above:
    • C:\avplog.txt - from AVPfind
    • a log from online SAS scan if you could make one
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools
    The C:\ assumes that drive C is your Windows boot drive. If you boot from another drive, then use the correct drive letter above.
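    An added diagnostic that is not part of chaslang's post and not one of the MajorGeeks tools: a batch file that records the registry locations malware commonly uses to block .exe launches and MSI installs. The "system administrator has set policies to prevent this installation" message from the first post is the text Windows Installer shows when installs are disabled by policy, so the installer policy key is one place worth looking. The key paths below are standard Windows locations assumed here; the thread itself does not say which ones were tampered with on this laptop. Run it from an administrator account and keep the log it writes alongside the other logs.

```batch
@echo off
rem execblock.bat - added example, not AVPFind.bat or any MajorGeeks tool.
rem Reports registry locations that malware commonly edits to stop
rem security tools from launching or installing. It only reads; nothing
rem is deleted or changed. The key paths are assumed standard locations.
setlocal
set LOG=%SystemDrive%\execblock.txt
echo Execution-block check %DATE% %TIME% > "%LOG%"

echo. >> "%LOG%"
echo [exefile open command - a clean system shows "%%1" %%*] >> "%LOG%"
reg query "HKCR\exefile\shell\open\command" /ve >> "%LOG%" 2>&1

echo. >> "%LOG%"
echo [Windows Installer policy - DisableMSI nonzero blocks installs] >> "%LOG%"
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v DisableMSI >> "%LOG%" 2>&1

echo. >> "%LOG%"
echo [Image File Execution Options - Debugger entries redirect named exes] >> "%LOG%"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger >> "%LOG%" 2>&1

echo. >> "%LOG%"
echo [Explorer DisallowRun policy - lists exe names the shell refuses to start] >> "%LOG%"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" >> "%LOG%" 2>&1
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" >> "%LOG%" 2>&1

echo. >> "%LOG%"
echo [Software Restriction Policies - path/hash rules that block execution] >> "%LOG%"
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /s >> "%LOG%" 2>&1

echo Done. Log written to %LOG%
endlocal
```

    A "key not found" line under a section is the normal result; only populated entries (a Debugger value pointing at an unexpected file, a nonzero DisableMSI, exe names under DisallowRun) need attention. If the batch file itself is blocked, that is consistent with the exefile association being hijacked, which is what exeHelper is run to repair.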
     
  4. jg7587

    jg7587 Private E-2

    Here are the files... they weren't very easy to get. When I first booted up, I was able to get AVPFind and exeHelper to run, but then I had to shut down and go to a spot with Wi-Fi (I wasn't going to put the infected laptop on my work network). Once I got started back up, I couldn't get SAS to go through a complete scan. Each time I would try, it would get to a certain point and then close. I was able to figure out the breaking point, roughly. It kept closing shortly after finding Trojan.Agent/Gen-FakeScan[ASC]. On the third try, I paused it immediately after it found that and got a log file. I also tried to have it remove what it found, but they came back after the reboot (I tried twice). After that I tried running MGTools, but nothing seemed to happen. So I came back to work, and then it dawned on me that maybe the first two files might make some changes that would allow for the other processes to run, but I shouldn't reboot in between (duh, sorry). Being back at work, I couldn't get out to the internet, so I couldn't run the SAS scan, but I was able to get the other three to run in safe mode. So I will try again tonight in the complete order with an internet connection, and hopefully get that SAS scan. But in the meantime, here are the logs that I was able to get. Note that the SAS log that I included is from an interrupted scan, and isn't complete.
     

    Attached Files:

  5. jg7587

    jg7587 Private E-2

    Well, I tried getting a SAS scan tonight while connected to the Internet and going through all of the steps that you laid out, but was unsuccessful. I tried doing it all in safe mode. Here are the logs that I was able to gather tonight.

    Thank you for your help with this.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )



    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now! See if you can run Malwarebytes and ComboFix now. If you can, attach the logs.
     
  7. jg7587

    jg7587 Private E-2

    Alright, for the most part, everything seemed to work and I think the machine is just about back to normal. After running avenger I was able to start getting SAS and Malwarebytes to run, as well as Combofix and MGTools. So I have attached all of the most recent logs. My last SAS scan seemed to indicate that there was a virus still in one of the recovery points, but I thought that I had disabled those yesterday...

    Again, thank you so much for your help, I really appreciate it.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach the requested new MGlogs.zip file which I needed to give you a full fix. I will give you a fix anyway but it may not be complete.

    You need to download and save the current version of ComboFix to your Desktop as requested or the below and later instructions will not work!



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. jg7587

    jg7587 Private E-2

    Sorry for the late reply. The guy wanted his laptop back before I got your message on 10/5, so I wasn't able to do what you recommended to finish up. I had run a couple of Malwarebytes scans and SUPERAntiSpyware scans that all came up clean before I gave it back to him, so hopefully all is well. I haven't heard back from him, so I'm assuming that it is still working fine.

    Thanks for the assistance, it is much appreciated.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you did not do what I requested then it is not clean. All the items I gave you were not being detected by the scanners but it is still malware and part of the initial infection.
     
