Rogue anti-malware infection that disables executables and periodically opens sites

Discussion in 'Malware Help (A Specialist Will Reply)' started by mrpoate, Jan 3, 2011.

  1. mrpoate

    mrpoate Private E-2

    Hi,
    This morning I was infected with drive-by malware after visiting a rogue website and I was really hoping for some assistance in dealing with it.

    Let me just give a quick description of the symptoms. The infection has installed rogue anti-spyware pop-ups and alerts which spring out from both the task bar and in the centre of the desktop (above the icons and windows).

    When I attempt to open an executable file (.exe, .bat etc) it generates an error along the lines of "Application cannot be opened. *** is infected. Do you want to activate your anti-virus software now?". *** seems to be the first executable I attempt to open, and thereafter it simply closes the file immediately after opening.
    Annoyingly, this means I cannot open any anti-malware programs (along with anything else - i.e. notepad, word, etc). I am also unable to open task manager and add/remove programs from control panel. It also periodically opens up pornographic websites.

    I have read the malware removal guide on this site and downloaded all the recommended tools and programs (super anti-spyware, malwarebytes, MGTools, comboFix, CCleaner, RootRepeal, etc). Majorgeeks has actually very ably assisted me in the past, so I'm familiar with the general malware removal process. However, in this case I am not able to begin with even the preliminary cleaning steps let alone the malware scans because this infection prevents me executing any programs.

    I am running Windows XP and have Norton 360 installed.

    Just some quick final observations which may or may not be helpful:

    -Norton actually detected an intrusion attempt after visiting the site, and claimed it successfully blocked it. However, an infection obviously got through and looking at the history logs I noticed a malicious executable had been loaded into the temp folder at: C:\Documents and Settings\user\Local Settings\Temp\hxiushave\bwiyquslaib.exe. Also, one level up - in the Temp folder - a malicious executable called 00360693.exe had been planted. When I located these files on disk, they both had the same suspect icon of a ?modem? with a red arrow pointing up on it.

    -An executable d:\installer.exe made 14 modifications to the system.

    -Norton flagged a Trojan.ADH (and blocked it, I presume).

    -I tried changing the name of the malwarebytes executable and the extension type, but it was still blocked.

    This is a bit of a bummer particularly given it is the second drive-by infection I've gotten in a relatively small period of time (last 6 months or so). Anyway, any assistance would be greatly appreciated.

    Thanks in advance,
    Nelson (mrpoate)
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re: Rogue anti-malware infection that disables executables and periodically opens sites

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator

    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif
    Once you've gotten one of them to run then try to immediately run the following.


    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple of minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create, as long as the malware does not block the batch file from running. (See: HOW TO: Attach Items To Your Post )


    Now download and Run exeHelper
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log with it.


    Then try running these instructions: Using MGtools


    Attach the below logs when finished with all of the above:
    • C:\avplog.txt - from AVPfind
    • a log from online SAS scan if you could make one
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools
    The C:\ assumes that drive C is your Windows boot drive. If you boot from another drive, then use the correct drive letter above.
     
  3. mrpoate

    mrpoate Private E-2

    Re: Rogue anti-malware infection that disables executables and periodically opens sites

    Hey Kestrel,

    Thanks very much for your help. Sorry my reply wasn't as immediate as it could have been, your reply reached me in the middle of the night when I was sleeping (aussie over here).

    I attempted to download and run the Rkill tool, but the malware seemed to block them from running. I would try to run them and nothing would happen (Rkill does display some visible window or cue that it is running right?). I noticed though that the window in windows explorer that displayed the contents of the downloads folder (where I downloaded the Rkill files to) lost focus, and regained focus when I hit enter. My theory is maybe an error prompt was provoked by the malware, but I couldn't see the prompt because it was hidden behind the fake anti-virus pop-up in the middle of the screen.

    I also then tried downloading and running AVPFind.bat, with similar results (didn't run). Same deal with exeHelper and the online super anti-spyware scan.

    However, I tried logging into the infected computer on a different account, and many of the problems (at least the obvious ones) disappeared. The fake anti-virus pop-ups seemed gone, as well as (I think but am not sure) the periodic opening of unwanted websites. Unfortunately an error message still emerged when I attempted to open malwarebytes, but on the flip side all other executables seemed to work.

    Again, thanks very much for your time. I think you were the guy that helped me out last time so cheers :) I meant to give an official thanks last time but for some reason couldn't work out how to do it or something.

    Anyway I hope you've got some clue about what to do next,

    Nelson (mrpoate)
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re: Rogue anti-malware infection that disables executables and periodically opens sites

    What about MGTools? Were you able to run that at least? If so attach the C:\MGlogs.zip.
     
  5. mrpoate

    mrpoate Private E-2

    Re: Rogue anti-malware infection that disables executables and periodically opens sites

    Hi again Kestrel,

    So I attempted to run MGTools today and yes unfortunately it also was almost immediately shut down by the malware. I notice with it and the other recommended anti-malware programs however that they seem able to execute very briefly, so the malware takes maybe a bit less than half a second to close them.
    Consequently some of the tools were able to generate logs, but sadly the logs are empty other than the global header announcing the program (as they didn't have time to be populated properly I would think). Even though the infection closes even the text files when I open them, I was still able to tell this in the half second or so they were open for.

    In short seems like a pretty clever piece of malware albeit nasty. You don't think there's anything I could do with the other user account that seems much less affected by the malware do you (and is able to run most executables)? Like running some of the anti-malware programs off the other user account?

    Anyway, thanks again, this is a real pain in the arse

    Nelson
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re: Rogue anti-malware infection that disables executables and periodically opens sites

    Make sure hidden files and folders are set to show.

    Rename Combofix.exe to 13hg7.com
    Rename MGTools.exe to J66dd.com

    Reboot into safe mode and try and run both, starting with Combofix.

    Let me know how you get on.
     