
Antivirus Pro - Morpheusbar suspect - Malwarebytes won't run



Hello

This is a very long story with lots of issues I have not been able to find explanations or fixes for. My brother-in-law's PC is infected with malware and possibly some type of virus. He is running Windows XP SP2 and Internet Explorer 8 and uses McAfee for virus protection. He previously installed Malwarebytes on his system, but I am unsure if it was disabled prior to the incident. He also previously installed Spybot, which may also have been disabled prior to the incident. He called me in a panic on the 22nd of October to say that his system had a virus. I went over there a few days later to see what I could do. My husband's family turns to me with everything computer-oriented, since I have been using computers since age 4 in 1977.

I may have some experience with computers and am usually good at figuring things out when they aren't working, but I had never worked with viruses or malware before a few days ago, with one exception that was actually an easy fix. I went over to my brother-in-law's house with my MacBook in hand to check out his infected PC. After making sure that he was not connected to the internet, I turned it on and attempted to start in Safe Mode. This had already been disabled by the malware/virus, so I was forced to start Windows normally: immediately pop-up warnings appeared that his computer was infected with this, that and the other virus. There were so many pop-ups that the desktop was obscured amidst the mess of them. I used the taskbar to close out what I could. I attempted to open McAfee; for a few attempts this did not work, possibly because the computer was still trying to go through start-up processes. When it did open I told it to lock down the firewall. I briefly looked at the log, which seems to have caught something that it removed and something else that it quarantined on the same day that my brother-in-law called me to say he had a virus. I told McAfee to run a full scan. Then I went to my MacBook to try to decipher what I was seeing. One of the prominent pop-ups said Antivirus Pro on it, so I did a search for this. I was able to find a post at bleepingcomputer.com which addressed the issue, as well as a few posts on other sites.

Following advice I had read on those websites, I attempted to open Task Manager to kill a few processes. Task Manager was also disabled by the malware/virus. So, as the next step, I did a search for files and folders named sysguard (which was also advised on one of the websites I had visited). I found two files: C:\Program Files\sryeif\nlrhsysguard and C:\WINDOWS\Prefetch\NLRHSYSGUARD.EXE-0BB89106.pf, which I renamed and moved to the Recycle Bin, where they are now sitting. Meanwhile, while I was doing this, several sessions of "Internet Explorer" were opening with web addresses such as viagra.com, porno.com, etc. I was able to kill some of them using the taskbar, but not all. I attempted to establish an internet connection to see what would happen. Of course Internet Explorer informed me that it was unable to establish a connection, with the standard-looking "Diagnose Connection Problems" button. I closed that window from the taskbar. The McAfee scan was near completion, so I waited until it found nothing (of course!). I rebooted the system, again attempting to use Safe Mode, which is still disabled today. This time, upon logging into Windows, I was able to open Task Manager. I found two suspect processes, wscsvc.exe and win64.exe, so I killed them both. This stopped the barrage of pop-ups, and I was able to see new shortcut icons on the desktop whose icons were actually pornographic pictures. I removed these to the Recycle Bin, but was unable to find out where the shortcuts were pointing.

At some point I was prompted to look at a Documents and Settings folder. This folder looked suspicious to me because it was the computer owner's name followed by what seems to be a random set of 8 numbers and letters (e.g. Mary.10BT9S5Z), when there was already a folder named with just the computer owner's name (e.g. Mary). I opened the folder, and within the time span of about 30 seconds that folder grew from approx. 1.16 GB to approx. 1.37 GB. This alarmed me somewhat: the pace at which this thing was apparently adding new information while not even connected to the internet!

I turned off the computer and decided to call it a day after spending 4 hours working at it. I returned the following day (yesterday) with a flash drive I had brought from home containing the Malwarebytes setup program and a few other tools that were recommended on another website's forum. I had renamed the Malwarebytes mbam-setup file to something like Help. I plugged in the flash drive and copied the setup file to the desktop. I then attempted to install Malwarebytes. You guessed it! The mbam.exe file was deleted before the program could launch. I returned home and this time installed Malwarebytes on my uninfected PC at home, then copied mbam.exe twice to my desktop and renamed both copies (one I named HelpMe.exe and the other HelpMe.com; this was just in case the malware/virus was going to prevent me from opening any .exe files). This time I did not use my flash drive, which I suspect is most likely infected, but instead copied the two files to a CD that I could bring back to my brother-in-law's house.

I returned to his house, turned on the infected PC, and inserted the disk with the renamed mbam.exe files. I was thinking this was going to be victory. I thought wrong. Attempting to launch mbam.exe got me a new error that some C:\Windows\System32 .DLL file was not a valid Windows image. I believe the actual .DLL was named something like MVS60.DLL, but I can't guarantee my memory is accurate on that one, and the piece of paper I wrote it down on is still at his house. One of the people from another website who is trying to advise me on this whole issue had advised in a previous post on that website that I might get messages like this one after mbam.exe ran the first time. His advice was that I get HijackThis to fix it. Unfortunately, I have not yet found a way to get HijackThis onto the infected PC, since I cannot use the internet on that PC and HijackThis seems to want to run from the internet. I have not tried getting it from my PC at home, but trying to download it to my flash drive from my MacBook was not successful (argh, I hate the MacBook, but my husband loves it).

If I cannot make headway today, I must consider the alternatives: smashing the infected PC to pieces with a sledgehammer; pushing the infected PC out of a window; or reformatting the hard drive of the infected PC.

When responding to this, please keep in mind the factors that I have already mentioned:

1. The infected PC will NOT start in any type of SAFE MODE or debugging mode

2. The infected PC cannot access the internet

3. The mbam.exe file will not execute due to a random .DLL error

Previously unmentioned: system restore does not work either.

Thank you for any advice you can give me, and for the time it took you to read this.

-Needhelpnotaguru

P.S. Before calling me, my brother-in-law did call McAfee, which he thought was protecting him; their answer was that they could fix it for $89.95. I would like to know what McAfee subscribers are paying for already, if this is what they say when their software doesn't do what it is supposed to do in the first place!!


I forgot to note that during my time yesterday I noticed something in another McAfee log stating that Morpheusbar, a potentially unwanted program, had been allowed sometime last month. I changed the McAfee permission to block this file, which appears to be an Internet Explorer toolbar that generates random pop-up advertisements. I then used Add/Remove Programs to attempt to remove it from the infected computer, but who knows if that worked. I suspect that Morpheusbar generated a pop-up ad which was closed, using the "X" in the upper right-hand corner instead of the taskbar, by whoever was using the computer. And I think that this is what caused the malware/virus to download.

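The symptoms listed in the posts above (Safe Mode refuses to start, Task Manager is disabled, System Restore does not work, mbam.exe is killed or deleted before it can run) are each commonly produced by a handful of registry changes that rogue-antivirus families make, and all of them can be inspected without running anything on the infected machine beyond the built-in `reg.exe`. The script below is an added example written for this page, not code from the original poster or from Malwarebytes, and it does not claim to know which mechanism this particular infection used. It assumes the following workflow: on the XP box, from a command prompt, run `reg export` for each key of interest (for example `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg`, and likewise for the HKCU Policies key, the SystemRestore policy key and the Image File Execution Options key), burn the `.reg` files to a CD, and read them on a clean machine with Python. The `SAMPLE_REG` text is a constructed, shortened export built to trigger every check; the indicator names and the `check_tampering` / `parse_reg` functions are the editor's own.

```python
"""Offline check of exported Windows registry text (.reg) for the tampering
that typically causes: Safe Mode unavailable, Task Manager disabled,
System Restore disabled, and a security tool such as mbam.exe hijacked via
Image File Execution Options.  Editor's example; not the poster's code.
"""
import re

# Constructed sample export (shortened); NOT data from the poster's machine.
# Real .reg exports are UTF-16 on disk: open them with encoding="utf-16".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="svchost.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Path]
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')    # "Name"=data (single line only)

# Well-known locations; stored lower-case because registry paths are
# case-insensitive and the export preserves whatever casing it found.
POLICY_SYSTEM = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
SAFEBOOT = r"hkey_local_machine\system\currentcontrolset\control\safeboot"
SR_POLICY = r"hkey_local_machine\software\policies\microsoft\windows nt\systemrestore"
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text.

    Handles the subset needed here: bracketed key headers and one-line
    "name"=data entries.  Default values (@=...) and multi-line hex(...)
    continuations are ignored, which is fine for DWORD/string policy values.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})   # record key even if it has no values
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2)
    return keys


def is_dword_one(data):
    """True when a value was exported as dword:00000001 (policy 'enabled')."""
    return data is not None and data.lower() == "dword:00000001"


def check_tampering(keys, tool="mbam.exe"):
    """Return a list of (indicator, detail) tuples; empty means nothing found."""
    findings = []

    pol = keys.get(POLICY_SYSTEM, {})
    if is_dword_one(pol.get("disabletaskmgr")):
        findings.append(("task_manager_disabled", "DisableTaskMgr=1 under HKCU Policies\\System"))
    if is_dword_one(pol.get("disableregistrytools")):
        findings.append(("regedit_disabled", "DisableRegistryTools=1 under HKCU Policies\\System"))

    # Safe Mode needs SafeBoot\Minimal and SafeBoot\Network; malware that
    # deletes them leaves a machine that cannot boot into Safe Mode at all.
    exported = [k for k in keys if k == SAFEBOOT or k.startswith(SAFEBOOT + "\\")]
    if not exported:
        findings.append(("safeboot_not_exported", "export HKLM\\...\\Control\\SafeBoot and re-run"))
    else:
        for sub in ("minimal", "network"):
            prefix = SAFEBOOT + "\\" + sub
            if not any(k == prefix or k.startswith(prefix + "\\") for k in exported):
                findings.append(("safe_mode_broken", "SafeBoot\\%s subkey missing" % sub))

    if is_dword_one(keys.get(SR_POLICY, {}).get("disablesr")):
        findings.append(("system_restore_disabled", "DisableSR=1 under SystemRestore policy"))

    # An IFEO "Debugger" value makes Windows launch that program instead of
    # the named tool, a classic way rogues stop mbam.exe from ever starting.
    ifeo_tool = keys.get(IFEO + "\\" + tool.lower(), {})
    if "debugger" in ifeo_tool:
        findings.append(("tool_hijacked", "IFEO Debugger for %s = %s" % (tool, ifeo_tool["debugger"])))

    return findings


if __name__ == "__main__":
    for indicator, detail in check_tampering(parse_reg(SAMPLE_REG)):
        print("%-25s %s" % (indicator, detail))
```

Two notes on using it for real: export each key listed in `check_tampering` separately, concatenate the files and pass the combined text, otherwise the SafeBoot check will report `safeboot_not_exported` rather than guessing; and treat a clean result as "these four mechanisms were not used", not as a clean machine, since a replaced or patched system DLL (the "not a valid Windows image" error in the post) leaves no registry trace at all.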
