Questions before starting malware removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by Digibirder, Nov 17, 2010.

  1. Digibirder

    Digibirder Private First Class

    I don't want to do anything wrong whilst performing this clean-up, but I need to ask a question before continuing.

    I am working my way through the READ & RUN page and have come unstuck a little way in.

    Step 2:
    AVG is disabled and I am unable to reinstall it. When trying to launch install procedure I get a message box saying: "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator". So I can't get round the requirement to have one AV program running. The only one purporting to run is the fake one - Internet Security Suite.

    Step 3:
    I have disconnected the infected PC from the Internet and network for safety, so do I need to reconnect it or can I download the required tools onto a USB stick and transfer them that way to install and run them?

    I have been unable to find any version of Sun Java, new or old, so should I still go ahead and install the latest version at all?

    I'll try and progress with the other steps in the meantime.
     
  2. Digibirder

    Digibirder Private First Class

    OK, I have gone through the directions to run all the tools and have attached the appropriate logs. Throughout the tests the affected computer was disconnected from the Internet, and I downloaded all the tools onto a different machine and then moved them over via a USB stick. Please advise if the affected machine needs to be connected to the Internet to perform any of these tasks and I will run them again.

    The story is that my husband's PC has been infected with something called Internet Security Suite. He thought AVG or Windows was issuing a virus warning and when he clicked on the link it launched into action. He was taken to a webpage to buy said program and then immediately realised something was wrong. I tried to see what I could do, but the system has been totally hijacked. I tried to find the Spybot site using Google, but as soon as I clicked on the link we were directed to a porn site. I shut this down immediately and unplugged the ethernet cable.

    The cable is still unplugged, but we are getting frequent virus warnings and messages saying infected emails are being sent. The number of emails in the message increases with each warning box - this is, of course, not possible as the computer in question is not connected to the Internet or the house network. There are update messages, looking similar to the Windows Update message, saying that updates are available to fix critical system errors. I recall a similar box that appeared yesterday, just after this happened, and I was immediately suspicious as there was a spelling mistake - it said 'plese' instead of please.

    System Alert balloon tips keep appearing from the System Tray, using an icon similar to the Windows Update one.

    AVG Free appears to be disabled. I cannot access the control console to change any of its settings. I am also unable to uninstall it as indicated in some of your instructions - a message appears that says the registry is preventing uninstalling.

    I also can't access Task Manager via Ctrl+Alt+Del.

    Internet Security Suite has placed icons on the desktop, in the Quick Launch area, and in the list of Start>All Programs, just underneath the Windows Update icon. It appears in the list of programs as well, but does not appear in Add and Remove Programs. There is inevitably no uninstall option.

    One or two issues when running through the instructions.
    Step 3 (House Keeping):
    The listed entries were not present in Add/Remove Programs
    Java is not installed on the affected computer - I downloaded the latest version using a second PC, but I didn't install to the affected one. Not sure if this step was essential, as it wasn't installed anyway.

    I cannot run Combofix. Error states that AVG needs to be disabled. I cannot do this as access to the AVG control panel has been blocked. I tried to uninstall AVG, but that failed. When I looked at the details it referred to the 'installation' failing (not removal), saying that the action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key... Access is denied.

    I'm not sure if MGTools ran correctly. A command prompt window flashed up very briefly and then disappeared and nothing else appeared to happen. The MGTools and MGLogs.zip folders were created though. Whether the attached folder is complete or not, I am not sure. It appears to contain information.

    I hope the logs are OK. Apologies if something has not worked correctly.
     

    Attached Files:

  3. Digibirder

    Digibirder Private First Class

    Update:
    I've booted into Safe Mode but still unable to uninstall AVG or access its control panel.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We will get to dealing with avg soon. I shall review your logs and we will take care of the malware first.

    I'll post back with a set of instructions as soon as possible.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I suggest you run the Official AVG Removal Tool

    Make sure you also delete any AVG folders in Program Files and Documents & Settings/Application Data directories.

    Now reboot the machine.

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post)

    Run combofix.

    Then: You need to re-run C:\MGTools.exe, let it run all the way to completion, until you see "hit any key to continue"

    Attach the C:\Mglogs.zip.
     
  6. Digibirder

    Digibirder Private First Class

    Kestrel13, thank you for the help.

    I will start by saying that I actually tried to continue with this unaided yesterday, and found some instructions on another site regarding removal of Internet Security Suite. I was so desperate and I'm sorry if this has messed things up.

    I managed to get into Task Manager by following one of the tips - hit Ctrl+Alt+Del as soon as Windows starts to load - I then managed to spot a couple of rogue processes and managed to zap them. The fake virus warnings then stopped. As I had read, I then found spurious folders in Explorer and deleted those.

    I still could not get AVG to open and could not uninstall or reinstall a new version. There is an error message saying the registry is not allowing uninstalling (or words to that effect) and the install is not allowed 'due to restrictions in effect on this computer'. The AVG removal tool will not work. The error is: Cannot delete avgcfgx.dll: Access is denied. I have attached the log file from the attempted removal. This morning when I switched the machine on, the AVG icon had reappeared in the system tray, but when I open the user interface it says that no components are installed. I am unable to delete the AVG folders in Program Files and Documents and Settings - I get errors that files are still in use.

    Consequently, I still cannot run Combofix.

    I have managed to run TDSSKiller and MGTools and those logs are attached.

    One more thing - an icon appeared on the desktop at the time of the infection, called TempWmicBatchFile.bat. I haven't done anything with this.

    Yesterday I also took the risk of re-connecting the machine to the router. When I opened an IE page, Google would not appear and clicking the Home Page icon brought up a page where I had to enter a word code to continue. When I tried to search for something, the list of results came up, but went to incorrect pages when clicked on. As soon as I closed the browser window, there was another window underneath which was a porn site. I don't know how long that had been there, as I hadn't noticed another window open.

    The machine is now disconnected again, so I am transferring these logs by USB stick onto my computer to upload here. I hope they are OK and that I haven't messed things up.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Give me a few moments and I will post a fix for you.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :dir
      Internet Security Suite
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Now download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me how things are running.
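As an added illustration (not the thread's own tooling) of why the hosts-file restore step above matters: a small Python audit that parses a hosts file, flags mappings that are not part of a stock Windows file, and rebuilds the file the way a restore does. The sample hosts content is constructed, with TEST-NET addresses standing in for whatever a real infection would write.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of a tampered XP-era hosts file (not taken from the thread's logs).
# Rogue "security suite" families commonly append entries that point search and
# security-vendor domains at loopback or an address they control, which produces the
# "Google redirects" symptom and is why the cleanup restores Microsoft's default file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.google.com
127.0.0.1       www.safer-networking.org   # Spybot download site blackholed
203.0.113.10    search.msn.com
203.0.113.10    www.bing.com
::1             localhost
"""

# The only mappings a stock Windows hosts file legitimately carries.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Return one record per host mapping: {'ip', 'host', 'line'}; comments are stripped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = re.split(r"\s+", body)
        ip, hosts = parts[0], parts[1:]
        for host in hosts:
            records.append({"ip": ip, "host": host.lower(), "line": lineno})
    return records


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Flag every mapping that is not part of a stock hosts file, with a reason."""
    findings = []
    for rec in parse_hosts(text):
        if (rec["ip"], rec["host"]) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            reason = "unparsable address"
        else:
            # Loopback means the site is being silently blocked (e.g. AV vendor sites);
            # anything else means traffic for that name is being redirected.
            reason = ("domain blackholed to loopback" if addr.is_loopback
                      else "domain redirected to non-local address")
        findings.append({**rec, "reason": reason})
    return findings


def clean_hosts(text: str) -> str:
    """Rebuild the file keeping comments, blank lines and stock entries only."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)          # comment-only or blank line
            continue
        parts = re.split(r"\s+", body)
        if all((parts[0], h.lower()) in DEFAULT_ENTRIES for h in parts[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} -> {f['host']}: {f['reason']}")
    print("--- restored ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a live machine the file to read is %SystemRoot%\System32\drivers\etc\hosts; the audit is read-only, so it is safe to run before deciding whether a restore is needed.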
     
  9. Digibirder

    Digibirder Private First Class

    Hi Kestrel,

    Ran the latest tests and the logs are attached.

    I am still having issues with AVG. Just tried again to uninstall and got the following error, which is as before:
    Local machine: installation failed
    Installation:
    Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
    Access is denied.

    However, I just re-connected the network cable and brought up IE. The Google search page opened, I entered a search term and the correct page appeared - no redirects or pop-under windows.

    So I don't know if there is anything else needed!
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    We might have to remove avg manually. For now tell me (Or show me with a screenshot) what's in this folder...?

    C:\Documents and Settings\KH\Application Data\Internet Security Suite
     
  11. Digibirder

    Digibirder Private First Class

    In that folder are two files:
    cookies.sqlite
    Instructions.ini

    Think I might move over to that machine now - might make this a lot simpler! As long as it's safe to do so.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you try and run Combofix in Safe mode and see if it plays ball with us?
     
  13. Digibirder

    Digibirder Private First Class

    Nope. Still detecting AVG.
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ok, I will come up with a manual removal fix for avg. In the meantime delete this folder:
    C:\Documents and Settings\KH\Application Data\Internet Security Suite
    Then after the manual removal of avg we will try running combofix again.
     
  15. Digibirder

    Digibirder Private First Class

    OK done that. Will await further instructions. I tried the AVG removal tool while I was in Safe Mode but it still failed.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    In IE, go to Tools | Manage Add Ons
    - then select Search Providers on the left. Do you see findgala.com?

    Let's try Revo Uninstaller before we resort to manual uninstallation.

    If that still does not uninstall avg THEN try the below. If Revo does work, move onto trying to run combofix. (But manually delete this if you do not run my avenger script: C:\Program Files\Internet Explorer\SET65A.tmp )

    Run Task Manager and kill any of the avg processes if present:
    • avgchsvx.exe
    • avgtray.exe

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.


    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

    Now try and run Combofix.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  17. Digibirder

    Digibirder Private First Class

    I have been out all day today and I am out tomorrow too so I will have to sort this out Monday, unless I get back early enough. But it looks pretty involved so I might need plenty of time!

    Thank you very much for all your help with this. I will post again when I have worked through it.
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ok, I will be here waiting. :)
     
  19. Digibirder

    Digibirder Private First Class

    OK here goes!

    findgala.com was not in the list of Search Providers in IE. Just Bing and Live Search were present.

    There were no entries related to AVG in the Revo Uninstaller window so could not run that program.

    So, moved on to Task Manager: those two entries were not in the list.

    Next step - MGtools\analyse.exe:
    (I looked through the anti-spyware programs I've installed on your instruction, but could not see any options to disable them, so I don't know if the following has worked as it should.)
    Of the list of four items in the quote box:
    O2 - BHO....etc -- the line was there but at the end said (no file) instead of the AVG reference
    O4 - HKLM ...etc -- not present
    O18 - Protocol:....etc -- not present
    O20 - Winlogon...etc -- was listed as per your instructions and presumably was fixed

    Avenger ran and log file produced and attached.

    Ran the fixME.reg file and received message that information successfully entered into registry.

    Files and folders in the bold Temp folders deleted as requested (not today's).

    Combofix gave a message that it had detected a real-time scanner operating, but this time it referenced Internet Security Suite rather than AVG. I tried to close the box, but it then stated that it could run but at a risk. I cancelled the box that appeared, as I didn't know what would happen if I did run it with the ISS being detected.

    MGtools\GetLogs.bat run and log file attached.
     

    Attached Files:

  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you do not use Windows Messenger, run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Go ahead and let combofix run.

    Then:

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  21. Digibirder

    Digibirder Private First Class

    I removed Windows Messenger then moved on to running Combofix. It went through about 50 stages and then indicated that it was deleting files. Then a blue screen STOP error appeared as follows:
    Plug and Play detected an error most likely caused by a faulty driver.
    Technical information:
    STOP: 0x000000CA (0x00000004, 0x890cc030, 0x00000000, 0x00000000)

    I am just rebooting the computer and running Combofix again. I did have to install the Windows Recovery Console.
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ok, continue on. I'll be here floating about for a couple hours yet.
     
  23. Digibirder

    Digibirder Private First Class

    Right, I managed to run Combofix and it did complete, although I did get a message pop up stating that:
    PEV.exe encountered a problem and needs to close. This had the usual 'report to Microsoft' option, but I closed it down without doing so and Combofix continued. Log attached.

    Also MGlogs.zip latest log attached.
     

    Attached Files:

  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    SecCenter::
    {0BCDAF4B-A88D-4BFD-914F-D2F15C01CA20}
    {2F91513F-A7E7-4CA1-B9A1-588A98C23A5D}
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Navigate to:

    C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9LE.EXE.vir, rename it to remove the .vir extension and then move it back to its original location as follows:

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Reboot the machine and install some antivirus.

    What problems remain?
     
  25. Digibirder

    Digibirder Private First Class

    OK. I copied the code and dragged the file onto Combofix icon. It ran, but this time the machine rebooted in the middle of the procedure. When it came back on the Combofix window was still active and shortly afterwards the log file was produced, which is attached.

    I renamed and moved the file as directed then ran the MGtools\GetLogs.bat and the MGlogs.zip is attached.

    One new thing happening is that Windows Security is now prompting that no anti-virus is installed and that the firewall is off. This has not been happening before while I've been running these tests. I have not yet installed any antivirus, but will do that now.

    I don't know what problems might still exist, but will keep monitoring for any further issues. I have been surfing without any issues, and Google is no longer redirecting to any dubious sites, as I've mentioned previously.
     

    Attached Files:

  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, get some antivirus installed! :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  27. Digibirder

    Digibirder Private First Class

    OK - and thank you very much for this assistance.

    I have a headache now so I have switched off and will attempt this last stage at a later time. I now need to look into what anti-virus software to get - I am certainly going to get something more robust than AVG seems to be. I will look at the recommendations given elsewhere on this site.

    Boy, what a nightmare!!
     
  28. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    *hands you an anadin* Safe surfing!
     
  29. Digibirder

    Digibirder Private First Class

    Thanks for the painkiller - I was quite ill last night, but I don't think it had anything to do with this performance. Probably ate something that upset me. Feeling a bit more chipper this morning.

    OK, I think I've done it all now.

    I installed the free Comodo Internet Security (AV and firewall combination), which looks to be a good program. It seems to be popping up warnings about things I don't really understand, but I expect it will settle down eventually.

    I have left SuperAntiSpyware and Malwarebytes on and will consider purchasing the full versions.

    While uninstalling Combofix, Comodo launched a few warnings, but I expected it to be the Combofix files it was detecting so I accepted them and Combofix uninstalled eventually.

    Regarding the other tools, I have uninstalled those that have an uninstall option, but can things such as the .exe files downloaded onto the desktop simply be deleted? Such as TDSSKiller.exe (and associated folders), SystemLook.exe, avenger.exe and RootRepeal.exe.

    I couldn't find HijackThis in Add/Remove programs, so presumably this didn't get installed as a standalone program.

    I ran the MGclean.bat file, but the C:\MGtools folder is still there - can I delete that?

    I went into disable and re-enable System Restore, but at some point it must already have been disabled. I enabled, disabled and re-enabled it again and it is now back on, but I wasn't prompted to reboot at any stage so I hope that has all worked.

    Do I now consider this machine to be clean?

    I am now looking at my own machine and I am going to remove AVG and get Comodo on here as well. And then batten down all possible hatches against anything of this nature happening again!!!!
     
  30. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good. ;)

    Yes you can just delete them.

    Yes.

    Yes.
     
