Trojan dropper preventing AV from running

Discussion in 'Malware Help (A Specialist Will Reply)' started by friendofpoodles, Oct 31, 2009.

  1. friendofpoodles

    friendofpoodles Private E-2

    Hi there. I hope someone will be able to help me.

    I have a Gateway GT5654 PC with Vista Home Premium 32-bit.

    I was looking for the latest episode of Glee, but when I couldn't find it for download in the usual place, I googled to find a streaming version. (Turns out glee hadn't aired the most recent episode because of baseball, hence why I couldn't find it.)
    I found a site that said I could watch glee episode 9, but I had to install a program to watch it - which I knew was a risk, but I stupidly thought I would be able to manage the problem if it was malware - and I took the risk.

    Almost immediately while it was installing, AVG alerted me that a trojan had been found. I stopped the installation through task manager.
    I looked at the programs installed, but didn't recognize anything new.

    I ran ccleaner.
    Then I ran AVG. It had a few results along the lines of:

    Spyware.Generic.CE
    Trojan horse Dropper.Generic.BDQF

    \\?\globalroot\Device\_max++>\562e5318x86.dll
    C:\ProgramFiles\Java\jreb\bin\jusched.exe (2436)
    C:\Programfiles\AcousticsMixcraft4\patch.exe

    It said I had to be a power user to remove them - I ok'd this, but then it said it wasn't able to remove them, something along the lines of the file location doesn't exist.

    So I started the malware removal process. I ran ccleaner from all accounts, disabled user accounts, made sure hidden files were visible, etc.

    I tried to run SUPERAntiSpyware Free Edition. It loaded initially, but then closed down.
    I tried to run malwarebytes, but it said "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
    I uninstalled malware bytes, and then tried to reinstall it, but it wouldn't install, gave me the same message.
    The same thing for spybot - I tried uninstalling it, but couldn't reinstall it, got the same message.
    (The next time I tried running SUPERAntiSpyware, I got that same message.)
    I had read some mixed opinions about combofix, that it's super powerful and can mess up your computer if you don't know what you're doing, so I didn't run it right away.
    I started RootRepeal, started a scan, but when I tried to switch tabs because I wasn't sure if it was working, the computer froze. I pressed restart, but then had problems getting it to start again, the power button just kept flashing. I waited a while, nothing happened, so I unplugged the computer and restarted it and it ran.

    note: I continued using the computer/internet while on and off working my way through the malware removal process. Internet explorer would at times open up new tabs to websites (I can't remember which sites) or redirect my page to these sites, especially if I was trying to download programs from majorgeeks.
    Also, at some point during the many hours of time, I checked my bank account to see if I had been paid - which was really, really stupid of me. Eventually I shut down the computer, to resume the process the next day.

    I may have repeated some of the steps, ie running what I could, such as AVG more than once.
    I looked again to the programs installed, sorted them by date, and found a program called something like bt DNA (I can't remember exactly) that was installed the previous day. (It looked like Bittorrent, which is why I didn't recognize it as new before.) I uninstalled it.
    I tried running MGtools, but it said it couldn't find it.

    I googled my symptoms and found that it could be a keylogger and had maybe given them access to my bank account. So I changed my bank account, email, etc passwords from a different computer (laptop).
    I physically disconnected the PC and stopped using the internet.

    I then ran combofix. It ran for a bit, then said there was rootkit activity and had to restart.
    It restarted, then continued running.
    Again it said that it had rootkit activity and needed to restart.
    Then an error message popped up saying the program had to close. The computer restarted, but the combofix wasn't running anymore.

    On the laptop I looked through other threads with people who had similar problems and followed some advice they were given, i.e. I downloaded GMER and F-Secure Blacklight on the laptop then moved them to the PC and installed them.

    I ran blacklight, but it didn't find anything.
    I ran gmer, but didn't understand the info presented.

    I ran combofix again, and the whole process finished and found some infected files - cngaudt.dll

    After each new thing I did, I kept trying to run superantispyware or installing malwarebytes - this was my way of testing to see if the computer was still infected.
    After combofix, I tried installing malwarebytes, I got the message "illegal operation attempted on a registry key that has been marked for deletion."
    Superantispyware still had the "you do not have the appropriate permission" message.
    I restarted the computer.

    I tried installing malwarebytes again; it didn't work in normal startup mode, but I was able to get it to install in safemode. It ran, and found
    Trojan.Sirefef C:\Qoobox\Quarantine\C\windows\system32\cngaudtll.win
    Trojan.Dropper C:\Windows\Win32K.sys

    In safe mode, I was also able to install Spybot, but when I tried running it, I got the same error message as when I try to run superantispyware.

    I tried running RootRepeal again - without switching tabs. I ran it under "files". I let it run and went to bed. 7 hours later it was unfinished - stuck on c:\windows\winsxs\manifests. There was a list of file paths that said "locked to the Windows API!"
    I thought 7 hours was long enough - I wasn't sure if it was actually working anymore, so I tried stopping it, but it just seemed to freeze, so I exited it. Some time later an error message popped up from rootrepeal saying something about a file couldn't be found. (I dunno exactly what it said). Then the message disappeared, and the screen went black (it still said safe mode at the top, but the desktop icons, mouse, and the start menu, etc were gone).
    I restarted the computer in safe mode, grabbed my logs, and am in the process of backing up all my files.

    At this point, I don't know what else to do - I tried doing everything I could so I wouldn't have to bother you guys, but I don't know how else to proceed.

    I have the following logs:
    mbam
    combofix
    mgtools
    gmer
    fsbl (two logs, 'cause I ran it twice)

    I couldn't run superantispyware, and I couldn't get a log from rootrepeal.

    Thanks!
    Allison
     

    Attached Files:

  2. friendofpoodles

    friendofpoodles Private E-2

    The remaining blacklight logs.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    • Delete any copies of ComboFix.exe and MGtools.exe that you already have.
    • Also if the C:\MGtools folder was created, delete this folder and ignore any messages you may get about registered programs.
    • Uninstall Malwarebytes & SUPERAntiSpyware if installed and delete any copies of the installers you downloaded.
    The infection you have changes permissions on files, folders and registry keys. It is very important that you stop experimenting on your own and only do what we request and nothing else no matter how tempted you are.

    Now shutdown AVG while doing the below to avoid potential false detections by AVG.


    Now please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator



    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif
    Once you've gotten one of them to run then try to immediately run the following.



    Now download and Run exeHelper from Raktor
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now run this: Using Malwarebytes Anti-Malware

    Now run this: Using MGtools




    Now you need to attach (See: HOW TO: Attach Items To Your Post ) the below logs created while running the above scans
    • exeHelper log
    • Malwarebytes Anti-Malware log
    • MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.
     
  4. friendofpoodles

    friendofpoodles Private E-2

    Thank you very, very much for your assistance!!

    I had to uninstall AVG, because it wouldn’t let me download exeHelper, even after I disabled all of the AVG components that I could and exited from the tray. After I uninstalled it, I was able to download the file.

    I ran rkill.exe . I think it ran – I clicked on it as an administrator and a window popped up saying to be patient. Then it closed down, without any other comments. I assumed this meant it had done its thing - I hope so!
    I then immediately ran exeHelper.

    Malwarebytes Anti-Malware found no results.

    I then ran MGtools, but there was a problem.
    I had turned on UAC before I posted for the first time. I forgot to turn it off and was following the directions for MGTools very closely, but when I double clicked on MGtools.exe, the program started running immediately, and I was not able to go and turn off UAC.
    I realized this when I had to approve every change to the registry.

    During the process, a prompt came up that said,
    “ For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.
    If that happened, you need to edit the file yourself. To do this, click Start, Run and Type: notepad c:\Windows\System32\drivers\etc\hosts
    and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as ‘hosts.’ (with quotes) and reboot.
    For Vista, simply exit HijackThis, right click on the HijackThis icon, choose “Run as administrator”. “

    I clicked “ok” to the prompt, and the process continued. It finished and said it was unable to create MGlogs.zip, and sure enough when I looked in C:\ there was no MGlogs.zip.

    I never did anything with HijackThis that the prompt had said.

    How should I proceed?

    (Thanks again!)

    I have attached the mbam log and exehelperlog, but I don't know if a mgtools log was created (or where it might be).
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Per the instructions here Using MGtools for Vista. You MUST first disable UAC. Then you MUST reboot. Then you must right click MGtools.exe and select Run As Administrator. Please try again and attach a new log.


    Also please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r
     
  6. friendofpoodles

    friendofpoodles Private E-2

    Thanks for your work!!
    I am truly sorry about my error with MGtools.

    Please find the attached logs.

    Also, I do not know if it is relevant, but the first time MGtools ran (which I couldn't find the log for), there was a pop up that said something like, "Steel WerX WhoAmI has stopped working". I closed it as per the instructions in the MGtools dialogue box.
    The second time MGtools ran, there was no such pop up.

    Thanks!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. You appear to be in pretty good shape now. Just do the below.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

    After clicking Fix, exit HJT.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  8. friendofpoodles

    friendofpoodles Private E-2

    I did as you instructed and fixed those lines in HijackThis.

    I am not sure that the virus is completely gone, though, because I still cannot run SUPERAntiSpyware.

    Unfortunately, I didn’t think to check to see if SUPERAntiSpyware would run until after I got to step #6 in the clean up process, which means I have already uninstalled Combofix and HijackThis.
    (Sorry! I was so excited at the thought that the virus was gone, that I wasn’t thinking clearly, I guess.)

    After restarting the computer after turning on UAC, there was a prompt saying that windows had blocked Malwarebytes Anti-Malware from running at start-up. (I am able to run Malwarebytes from the desktop, though.)
    This made me question if the virus was gone, because I never had that prompt before the virus.

    Then, when I went to install SUPERAntiSpyware a prompt came up that said
    “Error 1321: Windows installer has insufficient privileges to modify this file: C:\ProgramFiles\SUPERAntiSpyware\SUPERAntiSpyware.exe”
    I hit “retry”, but the prompt just came up again.
    I chose “ignore” and continued with the installation, but when I went to run the program, the old “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.”

    Does this mean that the virus is still there?

    (Thanks again for your wonderful assistance!)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you already uninstalled MGtools, redownload it and run it again but don't attach a log from it yet. We just need the tools from it first. Then do the below.

    First disable UAC and reboot if you have UAC enabled!



    Please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r


    Now download Junction.zip to your Windows folder
    • Please download Junction.zip and save it to your Windows folder (i.e., C:\Windows\Junction.zip This assumes C:\ is your Windows boot drive.)
    • Now unzip it and put junction.exe into the Windows folder (i.e., C:\Windows\junction.exe)
    • Do not try to run it right now. We will run something that uses it later.

    Now we need to reset the permissions altered by the malware on some files.
    • Download and save inherit.exe to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window opens and also a license agreement from SysInternals will appear for Junction.
    • Accept the license agreement and the scan will begin.
    • Wait until it finishes. It can take a while to run since it scans your whole hard disk. Be patient and don't do anything else while it is scanning.
    • The command prompt window should close when it finishes.
    • While this is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.
    Now see if SUPERAntiSpyware will run.

    Also attach the C:\MGlogs.zip file now.
     
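The FixPerm.bat / Inherit.exe step above resets NTFS permissions that the malware altered. As an added illustration (not part of this thread and not the MGtools script itself), the following PowerShell audits the install folders of the blocked tools for the two symptoms described in this thread, explicit Deny entries and inheritance switched off, and resets them with the built-in takeown and icacls. The paths in $targets are assumptions; adjust them to what is installed. It assumes an elevated PowerShell prompt, and Repair-Permissions supports -WhatIf so you can see what would be reset first.

```powershell
# Added example, not from the thread and not MGtools/FixPerm.bat.
# Audits and resets NTFS ACLs that malware has altered to block security tools.
# Assumes an elevated PowerShell session; the paths below are assumptions.

$targets = @(
    "$env:ProgramFiles\Malwarebytes' Anti-Malware",
    "$env:ProgramFiles\SUPERAntiSpyware",
    "$env:SystemRoot\System32\drivers\etc\hosts"   # HijackThis could not write this file
)

function Test-BlockedAcl {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # A Deny on READ_CONTROL makes even the ACL unreadable; that alone is a finding.
        return [pscustomobject]@{ Path = $Path; Owner = '?'; InheritanceBlocked = $true; DenyEntries = 'ACL not readable' }
    }
    $denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    [pscustomobject]@{
        Path               = $Path
        Owner              = $acl.Owner
        # AreAccessRulesProtected is true when inheritance from the parent is switched off
        InheritanceBlocked = $acl.AreAccessRulesProtected
        DenyEntries        = @($denies | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
    }
}

function Repair-Permissions {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return }
    if (-not $PSCmdlet.ShouldProcess($Path, 'takeown + icacls /reset')) { return }

    # Take ownership first: takeown works without DACL access, icacls does not.
    $takeArgs = @('/F', $Path, '/A')                # /A assigns ownership to Administrators
    if (Test-Path -LiteralPath $Path -PathType Container) { $takeArgs += @('/R', '/D', 'Y') }
    & takeown.exe @takeArgs | Out-Null

    # /reset discards the current DACL (Deny entries included) and re-enables
    # inheritance from the parent; /T recurses, /C continues on errors, /Q is quiet.
    & icacls.exe $Path /reset /T /C /Q
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls returned $LASTEXITCODE for $Path" }
}

# Report first, then repair only what is actually broken.
$findings = $targets | ForEach-Object { Test-BlockedAcl -Path $_ } | Where-Object { $_ }
$findings | Format-Table -AutoSize
$findings |
    Where-Object { $_.InheritanceBlocked -or $_.DenyEntries } |
    ForEach-Object { Repair-Permissions -Path $_.Path }
```

Run the audit alone first (comment out the last pipeline) and compare the DenyEntries column against the "Windows cannot access the specified device, path, or file" and "Error 1321" symptoms reported above; a Deny for Everyone or for the Administrators group on the tool's own .exe is what blocks both the installer and the program.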
  10. friendofpoodles

    friendofpoodles Private E-2

    SUPERAntiSpyware will run now! This is excellent. :-D

    I have attached the logs that you requested, as well as the log from SUPERAntiSpyware.
     

    Attached Files:

  11. friendofpoodles

    friendofpoodles Private E-2

    Oh! Please note, I have discovered that although SUPERAntiSpyware will run no problem and can run as a startup program,
    Malwarebytes Antispyware is still being blocked as a startup program. I do not recall ever having this happen before the virus. When I click on Malwarebytes, it will run, though. (It just can't run as a start up program.)
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This really does not make too much sense since it is the same program file running either way. Also it really is not necessary for Malwarebytes nor SUPERAntiSpyware to run at startup unless you have the purchased versions. That all being said let's see if we can fix the problem.




    Also I have noticed a few mount points (aka junctions from the infection) really did not get fixed even though Win32kDiag implied that it did. So let's see if we can fix all of these issues.
    • First uninstall Malwarebytes and reboot (do not skip the reboot).
    • After reboot delete the below two folders if they still exist. If either of these two folders exist and cannot be deleted then stop right here and report back. Otherwise if they are deleted, continue on:
    C:\Users\Allison\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs
    C:\Program Files\Malwarebytes' Anti-Malware

    • Now download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.
    RemJunc.bat
    • It should take a few seconds to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\MGtools\remjunc.txt file that will hopefully be created.
    • Now re-run the C:\win32kdiag.exe -f -r command as instructed in message # 9.
    • Also run the C:\MGtools\FixPerm.bat file as instructed in message # 9 by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Attach the below logs when finished with all of the above:
    • c:\MGtools\remjunc.txt
    • the Win32kDiag.txt log found on your desktop
    • C:\MGlogs.zip
    Now reinstall Malwarebytes (make sure you update it too). Then check to see how things are working.
     
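The mount points referred to above are NTFS junctions that this family of infection plants inside Program Files and the security tools' own folders so that the real directory is never reached. As an added example (not from the thread, and not RemJunc.bat or Win32kDiag), the PowerShell below lists directory reparse points under the folders that were affected here and removes only the junctions whose target no longer exists. It assumes PowerShell 5.1 or later (for the LinkType and Target properties) and an elevated prompt; the $roots list is an assumption.

```powershell
# Added example, not from the thread and not RemJunc.bat or Win32kDiag.
# Lists directory reparse points (junctions) under the folders this infection
# targets and removes the ones that are clearly bogus: junctions whose target
# no longer exists. Requires PowerShell 5.1+ and an elevated prompt.

$roots = @(
    $env:ProgramFiles,
    "$env:SystemRoot\System32",
    "$env:USERPROFILE\AppData\Roaming"     # e.g. the Malwarebytes Logs folder mentioned above
)

function Get-SuspectJunction {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Root)

    foreach ($r in $Root) {
        # -Depth keeps a junction that points back up the tree from looping forever
        Get-ChildItem -LiteralPath $r -Recurse -Depth 4 -Force -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
            ForEach-Object {
                # LinkType is 'Junction' for mount points; symbolic links and other
                # reparse-point kinds (dedup, cloud placeholders) are left alone.
                if ($_.LinkType -ne 'Junction') { return }
                $target = @($_.Target)[0]          # string[] on 5.1, string on PowerShell 7
                [pscustomobject]@{
                    Path         = $_.FullName
                    Target       = $target
                    TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
                }
            }
    }
}

function Remove-Junction {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    if ($PSCmdlet.ShouldProcess($Path, 'remove junction')) {
        # rmdir on a junction deletes the reparse point only; it never touches the
        # target directory's contents, which Remove-Item -Recurse could do.
        & cmd.exe /c rmdir "$Path"
    }
}

$suspects = Get-SuspectJunction -Root $roots
$suspects | Format-Table -AutoSize

# Windows ships legitimate junctions (C:\Users\All Users, "Application Data" inside
# profiles) whose targets exist; only dangling ones are removed here, with a prompt.
$suspects | Where-Object { -not $_.TargetExists } | ForEach-Object { Remove-Junction -Path $_.Path -Confirm }
```

Junctions whose target does exist still deserve a look: one sitting in a security tool's folder and pointing at an unrelated directory is the pattern the thread describes, and it can be removed the same way once confirmed.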
  13. friendofpoodles

    friendofpoodles Private E-2

    Sorry for the lag in my reply; I do appreciate your continued efforts!!

    I deleted: C:\Users\Allison\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs
    This file did not exist: C:\Program Files\Malwarebytes' Anti-Malware

    RemJunc.bat was super quick, it was up for less than a second then gone. It was so quick I wasn't even sure if it had really run, but I found the c:\MGtools\remjunc.txt file, so I assumed it did run.
    (Now I'm not sure, because the log file wouldn't upload and when I looked into it, I realized it was blank.)

    I ok'd the many "finish" windows from C:\MGtools\FixPerm.bat

    C:\MGtools\GetLogs.bat did its thing.

    I reinstalled Malwarebytes without any problems. I ran a quick scan, also without any problems. (It found a popcaploader, which from my admittedly completely nontechnical experience, seems like fairly routine adware. You didn't mention the need for the malwarebytes log, so I haven't attached it.)

    To verify the blocked startup program prompt was gone, I restarted the computer... and the blocked startup program message still popped up. But, like before, I am able to run Malwarebytes fine by clicking on it; it's just blocked as a start up program.
    (Since you said SUPERAntiSpyware and Malwarebytes are not necessary as startup programs anyways, I changed the startup settings for SUPERAntiSpyware. I haven't done so for Malwarebytes yet though.)

    I tried uploading the logs, but had some difficulty.

    I repeatedly tried uploading c:\MGtools\remjunc.txt but it just said "upload failed". It was at this point that I looked into the file and realized it was blank.

    I wasn't able to upload Win32kDiag.txt and C:\MGlogs.zip , because I got the errors "You have already attached this file in this thread." I renamed the files, and tried a few times, but still wasn't able to upload them.
    I did a search and discovered that this means I am trying to upload old files, which makes me think that I did something wrong in the running of the processes today.
    Should I run them all again? (I would just do so, but I want to confirm that I am supposed to try again.)
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This now sounds to me like you are the one blocking the startup program. Perhaps you have not given it permission to load in something like Windows Defender or a similar program you are using that controls startups.

    I suggest that you just remove the startup anyway since you don't need it.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    After clicking Fix, exit HJT.



    It means you are trying to upload the exact same files. For MGlogs.zip it would mean you did not run a new scan as requested. For Win32kDiag.txt, even if you ran a new scan, the log could still be the same as last time, but it could also mean you did not rerun it as requested.
     
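The HijackThis lines fixed in this thread are an O2 BHO and an O3 toolbar marked "(no file)" and the O4 Run value quoted above. As an added example (not from the thread and not HijackThis), the PowerShell below enumerates the same two places, the Run/RunOnce keys and the Browser Helper Objects key, and flags entries whose target file is missing, which is what HijackThis shows as "(no file)". Reading works from a normal prompt; removal assumes an elevated one. The value name passed to Remove-RunValue at the end is taken from the O4 line above and is assumed to be exact.

```powershell
# Added example, not from the thread and not HijackThis. Enumerates Run keys
# (HijackThis "O4") and Browser Helper Objects ("O2") and flags entries whose
# target file is missing, shown by HijackThis as "(no file)".

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath {
    # Pull the program path out of a Run value such as
    #   "C:\Program Files\X\x.exe" /runcleanupscript   or   C:\foo\bar.exe -arg
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Get-StartupEntry {
    [CmdletBinding()]
    param()

    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psMeta) { continue }        # provider metadata, not registry values
            $exe = Get-ExecutablePath -Command ([string]$p.Value)
            $status = if ($exe -and (Test-Path -LiteralPath $exe)) { 'present' } else { '(no file)' }
            [pscustomobject]@{ Kind = 'O4 Run'; Status = $status; Location = "$key\$($p.Name)"; Command = $p.Value; File = $exe }
        }
    }
    if (Test-Path -LiteralPath $bhoKey) {
        foreach ($clsidKey in Get-ChildItem -LiteralPath $bhoKey) {
            $clsid = $clsidKey.PSChildName
            # The BHO key only lists the CLSID; the DLL path lives under HKCR\CLSID\{...}\InprocServer32
            $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path -LiteralPath $srv) { (Get-ItemProperty -LiteralPath $srv).'(default)' } else { $null }
            $dll = if ($dll) { [Environment]::ExpandEnvironmentVariables([string]$dll) } else { '' }
            $status = if ($dll -and (Test-Path -LiteralPath $dll)) { 'present' } else { '(no file)' }
            [pscustomobject]@{ Kind = 'O2 BHO'; Status = $status; Location = $clsid; Command = $dll; File = $dll }
        }
    }
}

function Remove-RunValue {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name)
    if ($PSCmdlet.ShouldProcess("$Key\$Name", 'remove Run value')) {
        Remove-ItemProperty -LiteralPath $Key -Name $Name
    }
}

Get-StartupEntry | Format-Table Kind, Status, Location, Command -AutoSize

# Equivalent of fixing the O4 line quoted above (value name assumed exact; drop -WhatIf to apply):
Remove-RunValue -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
                -Name 'Malwarebytes Anti-Malware (reboot)' -WhatIf
```

A "(no file)" entry is harmless on its own, since nothing loads, but it is a leftover from whatever was removed and is worth clearing so later scans are not cluttered by it; an entry that is "present" and unexpected is the one to investigate before deleting.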
