Need Help - Malware Defense Bug

Discussion in 'Malware Help (A Specialist Will Reply)' started by Thorn, Jan 18, 2010.

  1. Thorn

    Thorn Private E-2

    Hi, my parents' computer has been rent asunder by the Malware Defense bug.
    It's Windows XP 32-bit Professional.
    I was able to get SUPERAntiSpyware running, MGTools, and RootRepeal.

    Malwarebytes will not start, and I can't uninstall it either; it freezes or refuses to load. SAS would only load via the alternate startup.

    I could not link to download ComboFix, as internet usage is limited.

    Attached are the logs for the 3 that ran. I did not have "show hidden files" on for the first SAS run, but reran a third time after doing so. I'll post all of those logs for your reference.

    I have deleted Java, AVG, and any other notable programs I could find, and ran CC cleaner as requested before running the tools I could. AVG was off of its free trial and was useless which is why I just uninstalled it.

    Thank you guys for your help.
     

    Attached Files:

  2. Thorn

    Thorn Private E-2

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are you on dial up? You may as well have downloaded and run combofix because we are going to need either it or avenger for the remaining malware removal. Do the following:

    1. Please go to add/remove programs and uninstall the following software if found:

    • Viewpoint Manager
    • Malware Defense

    2. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    3. Download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    4. Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).

    • C:\Documents and Settings\Wallace\Local Settings\TEMP

    5. Now run SUPERantispyware again after letting it update...fix all it may find and attach the log into your next reply.

    6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger and also the log from SAS.

    7. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
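    The temp-folder cleanup in step 4 comes up repeatedly in this thread, so here is the same rule as a script. This is an added example, not part of the original post or of MGtools: it walks a folder, removes files whose last-modified date is before today, leaves today's files alone (Windows holds some of them open), and reports rather than aborts on files it cannot delete. The folder layout in demo() is constructed for the example; on the machine in the thread the target would be the user's Local Settings\TEMP folder (or %TEMP%).

```python
import os
import tempfile
import time
from datetime import date


def purge_old_temp(temp_dir, today=None):
    """Delete files under temp_dir last modified before today.

    Files modified today are kept (the running session may still hold them
    open). Files that cannot be removed (locked or access denied) are skipped
    and reported instead of stopping the cleanup.
    Returns (removed, kept_today, locked) as lists of paths.
    """
    today = today or date.today()
    removed, kept_today, locked = [], [], []
    # topdown=False so subfolders are visited before their parent.
    for root, dirs, files in os.walk(temp_dir, topdown=False):
        for name in files:
            path = os.path.join(root, name)
            try:
                modified = date.fromtimestamp(os.path.getmtime(path))
            except OSError:
                locked.append(path)
                continue
            if modified >= today:
                kept_today.append(path)
                continue
            try:
                os.remove(path)
                removed.append(path)
            except OSError:
                locked.append(path)  # in use or access denied: leave it
        # Drop subfolders that are now empty; ignore those still in use.
        for name in dirs:
            try:
                os.rmdir(os.path.join(root, name))
            except OSError:
                pass
    return removed, kept_today, locked


def demo():
    """Constructed temp tree: one three-day-old file, one fresh file."""
    base = tempfile.mkdtemp(prefix="mgtemp_")
    old = os.path.join(base, "old.tmp")
    fresh = os.path.join(base, "sub", "fresh.tmp")
    os.makedirs(os.path.dirname(fresh))
    for path in (old, fresh):
        with open(path, "w") as fh:
            fh.write("x")
    three_days_ago = time.time() - 3 * 86400
    os.utime(old, (three_days_ago, three_days_ago))  # backdate old.tmp
    removed, kept, locked = purge_old_temp(base)
    return (sorted(os.path.basename(p) for p in removed),
            sorted(os.path.basename(p) for p in kept),
            len(locked))


if __name__ == "__main__":
    print(demo())
```

Run it as-is to see the behaviour on the constructed tree; to use it on a real temp folder, call purge_old_temp() with that folder's path and inspect the returned locked list for anything that refused to go.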
     
  4. Thorn

    Thorn Private E-2

    Not on dial-up. I am on DSL here. I have limited connectivity in the sense that, for instance, I can connect to majorgeeks or to cnet etc., but so far any attempt to connect to a legitimate antimalware/spyware site or download is met with a browser error.

    That includes Avenger as well. The link below didn't work. I can't link to the site off of a Google search either.

    I did delete the 3 paths you mention on the MGTools/analyze.

    I will download Avenger and Combo from another location if I cant get the browser to work tonight.

    Thank you for your patience.
     
  5. Thorn

    Thorn Private E-2

    Good news! I was able to download from a very ancient laptop and port over Avenger and ComboFix from a flash drive. Here are the logs you requested.

    After running Avenger, I have full internet access again. I ran MGTools and deleted the Temp file as requested.

    I tried running ComboFix after that from the desktop, but it wasn't loading right.

    Malwarebytes is runnable, as I was able to reinstall it, so I've included that log here as well. It found 5 additional items.

    Let me know what to do from here. Thank you!
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good evening. Looking better...
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.


    Run RootRepeal again.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from avenger and also the log from RootRepeal.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  7. Thorn

    Thorn Private E-2

    Hey,

    Ran as directed. Running the MGtools, is giving me a process.dll application error when it gets down to the analyze.exe portion.

    Here are the 3 logs requested.

    Thank you!
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Those logs look good now.

    Let's just do this:

    Delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).

    Now I want to see if you are able to run Malware Bytes, and whether you are able to run SAS without the alternate start.

    If you are successful update each, runs scans, and fix all they find. Attach their logs into your next reply. :)
     
  9. Thorn

    Thorn Private E-2

    Malwarebytes I can't get to update; it gives me an error message. Maybe the install, though.

    SAS ran fine off of normal start.
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v

    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.
     
  11. Thorn

    Thorn Private E-2

    Hi,

    The link for TDSSKiller does not appear to work. I've also tried it on my laptop and was not able to connect using that link either. Google searching was leading to the same link or info and was not bringing up anything either.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Loads just fine for me. Anyway, I have downloaded it for you and attached it here in my reply.

     

    Attached Files:

  13. Thorn

    Thorn Private E-2

    The link worked on my home computer. Not sure why it isn't here. Thank you for the zip file.

    TDSS didn't ask me to delete anything. Log is attached.

    Thank you.
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Will Malware Bytes update now?

    Do this to get a fresh look on what's going on:

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  15. Thorn

    Thorn Private E-2

    Malwarebytes still will not update. Same error message.

    MGLogs is attached below, however it still gives a process.dll error message as well.

    Should I try uninstalling/installing both of these again?
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    See error message type #4

    Using MGtools

    Yes try uninstalling Malware Bytes, reboot > run CCleaner > reinstall Malware Bytes and see how you then get on. I shall now review your logs.
     
  17. Thorn

    Thorn Private E-2

    Hi, Sorry for the delay in getting back.

    Malwarebytes still will not update. It gives an Error: 732 (12007, 0). I was able to uninstall/reinstall, though, which it was freezing on before.

    I installed the .Net Framework...my apologies on forgetting to do that before.

    Attached is the MGLogs as requested, and it did run as normal, no process.dll error.

    One other thing to note. My USB flash drive picked up a Worm.Generic_c.ZS bug from this computer. Found it when I popped it into my clean computer at home and AVG caught it immediately.

    AVG isn't currently installed on this PC as it was out of date/trial anyway. Let me know if I should go ahead and reinstall it and run a scan.

    I take it I'll need to reformat my USB flash drive to be sure it's clean?

    Thanks,

    Thomas
     

    Attached Files:

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Reformatting it would be an option or you can try this:

    For the external Hard Drive and a USB stick.

    Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Please have all your removable storage devices ready for disinfection.

    Download Flash Disinfector by sUBs and save it to your desktop.

    • Double-click Flash_Disinfector.exe to run it.
    • Your desktop and icons may disappear. This is normal.
    • It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
    • Follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • There will be no GUI interface or log file produced.
    • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

    Yes you can reinstall anti virus at this point. I am not seeing any reason for MBAM not being able to update. I am not seeing any malware in your logs. Be patient and I will have a word in Chaslang's ear :)

    Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
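    The autorun.inf trick described above (a folder occupying the name so a worm cannot write its own autorun.inf) and the kind of file the worm leaves behind are easy to see in code. The following is an added example, not code from the original post or from Flash_Disinfector: it parses an autorun.inf, flags the directives that execute a payload when the drive is opened, and shows that once the name is taken by a directory a dropper can no longer write the file. The two autorun.inf samples are constructed for the example, and the protection only creates the directory; the real tool also hides it and sets protective attributes, which this does not.

```python
import os
import tempfile

# [autorun] directives that run code, or hijack Explorer's double-click and
# context-menu actions, when the drive is inserted or opened.
EXEC_KEYS = (
    "open",
    "shellexecute",
    "shell\\open\\command",
    "shell\\explore\\command",
    "shell\\autoplay\\command",
)


def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text):
    """List the execution directives, i.e. what a worm needs to spread."""
    entries = parse_autorun(text)
    return ["%s=%s" % (k, entries[k]) for k in EXEC_KEYS if k in entries]


def protect_drive(root):
    """Occupy the autorun.inf name with a directory (the Flash_Disinfector
    idea). Any existing autorun.inf *file* is removed first."""
    target = os.path.join(root, "autorun.inf")
    if os.path.isfile(target):
        os.remove(target)
    if not os.path.isdir(target):
        os.mkdir(target)
    return target


def can_drop_autorun(root):
    """Simulate a worm writing autorun.inf; True if the write succeeds."""
    try:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write("[autorun]\nopen=worm.exe\n")
        return True
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False


# Constructed samples: a worm-style dropper and a harmless icon-only file.
WORM_INF = """[autorun]
open=RECYCLER\\worm.exe
shell\\open\\command=RECYCLER\\worm.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Photos 2009
"""


def demo():
    """Drop the worm file on a scratch 'drive', then protect the drive."""
    drive = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(drive, "autorun.inf"), "w") as fh:
        fh.write(WORM_INF)
    before = can_drop_autorun(drive)  # a plain file can be overwritten...
    protect_drive(drive)
    after = can_drop_autorun(drive)   # ...but not once the name is a folder
    return before, after


if __name__ == "__main__":
    print(autorun_findings(WORM_INF), autorun_findings(BENIGN_INF), demo())
```

Point autorun_findings() at the contents of a suspect drive's autorun.inf before cleaning it; an icon= or label= line alone is normal, any of the EXEC_KEYS lines is not.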

     
  19. Thorn

    Thorn Private E-2

    Wow, thank you for the USB link. I'll probably just reformat mine as I only had a few of these scan softwares on it, but my mother's is probably infected as well and that would be a great tool if she doesn't want to reformat.

    AVG 9 is also having trouble connecting to download/install. (Got the initial file from cnet.) I imagine the issue is the same as to why Malware won't update when attempting to connect.

    I also cannot get to avg's website.

    Do you know if there is a full AVG 9 link somewhere that skips the download wizard thingy?

    Thanks
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are you able to complete this scan at all?

    You can use either Internet Explorer or Mozilla FireFox for this scan.


    • Please go here then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
    • Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats is checked, and the option Scan archives is also checked.
    • Now click on Advanced Settings and select the following:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
    • Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
    • The virus signature database... will begin to download. Be patient this may take some time depending on the speed of your Internet Connection.
    • When the download is finished, the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When the scan completes, click List of found threats
    • Next click Export to text file and save the file to your desktop using a name such as ESETScan.txt. Attach this report to your next reply.
    • Click the <<Back button then click http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
    • Attach the ESETScan.txt to your next reply.
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Also try this:

    Please download This Renamed Malwarebytes' Anti-Malware File and save to your desktop.

    • Right click on the renamed Malwarebytes' Anti-Malware File on your Desktop and chose Copy.
    • Next go to Start > Computer > C > Program Files.
    • Right click on the Malwarebytes' Anti-Malware Folder and click Paste.
    • Next Double click on the Malwarebytes' Anti-Malware Folder and launch the renamed file, malwarebytes should run now and update.
    • Please follow my previous instructions for running it, and post the log in your next reply.
     
  22. Thorn

    Thorn Private E-2

    I can't connect to the ESET link; it's blocked like the AVG webpage is.

    I'll try the Renamed shortly and let you know if it works.
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes do let me know how you got on. Your logs look clean but something seems to be hiding. We have other options to try.
     
  24. Thorn

    Thorn Private E-2

    The file overwriting for Malwarebytes in post 21 didn't work. Still giving an error on attempting to update and not connecting.

    Proxy is off, just double checked it to make sure, and the family filter is off as well.

    So not sure what is blocking just those pages and the updating.

    Thanks
     
  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Right, well I will have to speak with Chaslang then as I am running out of options. Please be patient, he's a busy man but will get back to you about this ASAP :)
     
  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  27. Thorn

    Thorn Private E-2

    No problem, thank you
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below may or may not be your problem but it has been an issue for some people.

    With Internet Explorer running, click Tools, Internet Options, and select the Connections tab, then click the Lan Settings button. On the Local Area Network (LAN) Settings form, put a check mark in the Automatically detect settings box. Then click OK. Then OK your way out. Then close your browser.

    Now run Malwarebytes and see if you can update.

    If you cannot update, shutdown your firewall and see if you can update. Let me know the results.
     
  29. Thorn

    Thorn Private E-2

    No luck, turned on the auto detect but still does not allow me to connect to update.

    Firewall is off as well.

    The only webpages blocked have been anything to do with things like AVG or Malwarebytes etc.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Now click Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type or copy and paste the following line in the command window:
      ipconfig /flushdns
    • Hit Enter
    • Exit the command window


    Now let's flush the Java Cache
    • Click Start > Settings > Control Panel
    • Double click the Java icon (be patient, it may take a while to open)
    • Now click the General tab and under the Temporary Internet File area
    • Click the Settings button and then click the Delete Files... button.
    • In the next popup click OK.
    If you have multiple Java plugin icons in Control Panel follow the above to clear all their caches.


    Now let's flush the FireFox Cache

    To flush your FireFox Cache:
    • click Tools
    • select Options
    • select Privacy
    • in the section labeled Private Data click Clear Now
    Now let's flush the Internet Explorer Cache

    To flush your Internet Explorer Cache:
    • click Tools
    • Internet Options
    • Now on the General tab and click Delete Files and select Delete all Offline content too
    • Click OK.
    • When it finishes Click OK.
    Now run Ccleaner!



    Please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r


    Now download Junction.zip to your Windows folder
    • Please download Junction.zip and save it to your Windows folder (i.e., C:\Windows\Junction.zip. This assumes C:\ is your Windows boot drive.)
    • Now unzip it and put junction.exe into the Windows folder (i.e., C:\Windows\junction.exe)
    • Do not try to run it right now. We will run something that uses it later.

    Now we need to reset the permissions altered by the malware on some files.
    • Download and save Inherit.exe to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window opens and also a license agreement from SysInternals will appear for Junction.
    • Accept the license agreement and the scan will begin.
    • Wait until it finishes. It can take a while to run since it scans your whole hard disk. Be patient and don't do anything else while it is scanning.
    • The command prompt window should close when it finishes.
    • While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.

    Now run ComboFix as instructed in the READ & RUN ME cleaning procedure. See: Windows XP Cleaning Procedure


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below logs:
    • C:\combofix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
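    The hosts-file restore and DNS flush at the top of this post target the symptom the thread keeps hitting: vendor sites (AVG, Malwarebytes, ESET) fail to load while everything else works. Below is an added example, not code from the original post or from HostsXpert, that reads a hosts file and flags entries hijacking security-vendor domains, distinguishing a blackhole (loopback) from a redirect to some other address, and produces a minimal clean replacement. The watch list and the sample hosts contents are constructed for the example; the "clean" text is loopback-only, not a byte-for-byte copy of Microsoft's file. On XP the live file is %SystemRoot%\system32\drivers\etc\hosts.

```python
from ipaddress import ip_address

# Vendor and update domains worth watching. Assumed list for illustration:
# the three the thread could not reach plus a few common targets.
WATCHED_SUFFIXES = (
    "avg.com", "malwarebytes.org", "malwarebytes.com", "eset.com",
    "superantispyware.com", "kaspersky.com", "symantec.com", "mcafee.com",
    "microsoft.com", "windowsupdate.com",
)
LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for every non-comment hosts line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip_address(parts[0])
        except ValueError:
            continue                          # malformed line, ignore
        yield n, parts[0], [h.lower() for h in parts[1:]]


def hosts_findings(text):
    """Return (lineno, hostname, what) for each hijacked watched domain.

    'blackholed' = pointed at loopback, so the site simply fails to load.
    'redirected to X' = pointed elsewhere, so downloads can be swapped."""
    findings = []
    for n, ip, hosts in parse_hosts(text):
        for host in hosts:
            if host == "localhost" and ip in LOOPBACK:
                continue                      # the one legitimate entry
            if any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
                what = "blackholed" if ip in LOOPBACK else "redirected to %s" % ip
                findings.append((n, host, what))
    return findings


def clean_hosts():
    """Minimal clean hosts file: only the loopback entry is required."""
    return "127.0.0.1       localhost\n"


# Constructed sample of what the infected box's hosts file might contain.
# 203.0.113.10 is a TEST-NET address standing in for an attacker host.
SAMPLE_HOSTS = """# hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.1       www.avg.com
127.0.0.1       free.avg.com
127.0.0.1       www.malwarebytes.org
127.0.0.1       mbam-cdn.malwarebytes.org
203.0.113.10    download.eset.com   # silent redirect, not a blackhole
192.168.1.5     printer.lan         # unrelated local entry, left alone
"""

if __name__ == "__main__":
    for lineno, host, what in hosts_findings(SAMPLE_HOSTS):
        print("line %d: %s %s" % (lineno, host, what))
```

If hosts_findings() on the real file comes back empty but vendor sites are still unreachable, the hosts file is not the block: check that the Tcpip\Parameters DataBasePath registry value still points at the real drivers\etc folder (malware can move it), then look at the proxy and LSP settings the later posts deal with. After any hosts change run ipconfig /flushdns as the post says, otherwise cached answers keep the old mapping alive.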
     
  31. Thorn

    Thorn Private E-2

    I dont have Java installed currently, should I still expect to see a java icon in the control panel? Just double checking.

    Attached is the Win32 log as requested. Working on the others now.
     

    Attached Files:

  32. Thorn

    Thorn Private E-2

    Okay, ran the Fixperm as requested and it went fine. Had a few OKs to click on less than 10.

    Ran ComboFix, and it also ran smoothly, updated, etc. as it was supposed to (previous try a few days ago didn't).

    Attached is that log.

    MGTools though, I downloaded and overwrote the previous mgtools.exe, but when attempting to run it only briefly brought up the blackscreen window and then immediately closed. It did not run.

    I also checked and am still unable to connect to a website like www.avg.com
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now we need to use ComboFix again
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  34. Thorn

    Thorn Private E-2

    My apologies Kestrel, I just saw the GMER request..here is that log. Chas I'll run the combofix shortly.
     

    Attached Files:

  35. Thorn

    Thorn Private E-2

    Got everything to run okay. I can now access the previously blocked www.avg.com

    EDIT: AVG and Malwarebytes are both able to update and connect to respective servers.
     

    Attached Files:

  36. Thorn

    Thorn Private E-2

    Malwarebytes fully updated; attached log just in case you wanted it too, since it ran. Didn't find anything though, I believe.
     

    Attached Files:

  37. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  38. Thorn

    Thorn Private E-2

    Thank you both for your help. Much appreciated!!
     
  39. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're very welcome :)
     
