Nasty malware


This is by far the most nefarious malware I've encountered. It has disabled all anti-malware/virus updates (mbam, Ad-Aware, Spybot, nav). Mbam and spybot will not even run. IE does not run. My google searches have also been hijacked. Today I found the malware will not allow me to update my iTunes podcasts. Every so often iexplore.exe runs as a process in the background. I'm on the verge of reformatting the drive if I don't find a solution. Any suggestions? The HijackThis log is attached.

hijackthis_log.txt


  • Staff

Hi,

Please try this version of malwarebytes: Click the link here

Save it on your desktop. You'll see it will have a random name, and will look similar to this: mbamrandom.jpg

Doubleclick on it, so it will extract the files and will start Malwarebytes automatically.

In case the installer (random named file) won't run either, rename it to EXPLORER.EXE and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.

In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and doubleclick the file winlogon.exe which will be present in there. This should launch Malwarebytes.

Then perform a scan and let it remove what it found. Reboot afterwards (important).

After reboot, post the Malwarebytes log together with a new HijackThis log.

In case you're having problems with the above instructions, let me know.


Thanks for the info and helping! I followed your directions, but when I tried to run either the randomly named exe file or the renamed one I get the following error message:

An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team.

Error Code: 730 (0, 0)

What should I try next?


  • Staff

Hi,

I assume Malwarebytes was never installed before? Because that would make sense.

Ok, let's try something different first...

* Please download Malwarebytes' Anti-Malware from Here

Save it to your desktop.

RENAME mbam-setup.exe to firefox.exe (this should allow you to install Malwarebytes).

Let me know if that works.


Actually I do have mbam installed and it's been a reliable defense against malware. I followed your directions and downloaded from your link and went through the installation process (which took a lot longer than what I can recall) and eventually the installation finished. From the last setup screen I launched mbam but nothing happened. I could see mbam as one of the processes in Task Manager. I killed it. Started mbam again. Same result. I checked Program Files and it looked like the latest version of mbam was fully installed.

Other things I've discovered ... When I check Disk Management in Windows I do not see my two hard drives! I think that means I have a rootkit virus. That may also explain why I can't do a System Restore. Right now I am furiously backing up all my files while my PC is still bootable (although it usually takes 3 to 5 attempts!).

What should I do next to kill this virus?


  • Staff

Hi,

Ok, navigate to the C:\Program Files\Malwarebytes' anti-malware folder and rename the mbam.exe in there to firefox.exe or svchost.exe or winlogon.exe

Then launch it via that exe.

Let me know if it opens/runs.

Also, since it looks like your PC is severely infected, I suggest, while it is still bootable, making a backup of important files first. This is because malware may suddenly cause an unbootable situation because of the damage.


Hi, I'm back. After backing up everything I was indeed able to start mbam using your instructions. It would not let me do an update, but I got a scan going. It found 14 threats that got taken care of. For some reason I can't attach the log or include it in this post. In any case, my boot up seems a bit smoother, but the same problems remain -- IE not working, iexplore.exe pops up as a process every minute or so (I end it in Task Mgr as soon as I see it), and I get this message "Norton Anti-Virus Auto-Protect is Disabled" when it is obviously not. Next suggestion? At least now I feel better that all my files are safely backed up.


  • Staff

Hi,

Can you copy and paste the contents of the log?

Either way, we need to clean up some more here, so also do the following:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


The mbam log is attached. I've downloaded combofix, but it does not run, so no log. I do see combofix.exe in Task Mgr. Maybe it's not working because Norton Anti-Virus is still running. I couldn't disable it the way your link described. When I chose to turn off "Enable Auto-Protect" it goes off but turns back on. So I used services.msc to stop Symantec AntiVirus. But I still see Enable Auto-Protect checked. One other problem I have is that iexplore.exe pops up and runs as a process every minute or so. Every time it rears its head I end it in Task Mgr. If I don't do that the computer will be nonresponsive in a few minutes. So even if I can get combofix going, can I leave Task Mgr running? Otherwise, the iexplore.exe process will freeze the pc. I'm posting all this on a second computer.

mbam_log_2010_01_05__18_01_33_.txt


  • Staff

Hi,

The malware may be blocking combofix by name.

Please delete Combofix and redownload it, using the following method:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
     • Tools->Options->Main tab
     • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but rename Combofix.exe to iexplore.exe instead, or winlogon.exe.

This is because it also happens in some cases that malware blocks EVERY process except what is on its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...

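The staff member's point above is that this family of malware decides what may run by process name, which is also why the thread keeps seeing a rogue iexplore.exe relaunch every minute. The script below is an added example written for this page (it is not code from the thread, from Malwarebytes or from ComboFix) showing the defender-side view of the same behaviour: over a constructed process listing it flags system-binary names running from a directory other than the one the binary normally lives in, and over a constructed list of process-start events it flags names that keep being relaunched. The expected directories are an assumption for a default Windows XP install, and every PID, path and timestamp is made up for the example.

```python
"""
Added example (not from the forum thread or from Malwarebytes): two
defender-side checks over a process listing. The malware in this thread
spawned iexplore.exe every minute and let only system-named processes run,
so the checks look for (1) a system-binary name running from an unexpected
directory and (2) a name that keeps being relaunched. All process snapshots
and launch events below are constructed sample data.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Directory each binary is expected to live in on a default Windows XP
# install. These paths are an assumption made for the example.
EXPECTED_DIRS = {
    "explorer.exe": [r"C:\WINDOWS"],
    "winlogon.exe": [r"C:\WINDOWS\system32"],
    "svchost.exe":  [r"C:\WINDOWS\system32"],
    "iexplore.exe": [r"C:\Program Files\Internet Explorer"],
}


def _lives_in(image_path, directory):
    """True if image_path sits directly inside directory (case-insensitive)."""
    return PureWindowsPath(image_path.lower()).parent == PureWindowsPath(directory.lower())


def masquerading(processes):
    """Return (pid, name, path) for every process whose name is a known
    system binary but whose image path is outside that binary's directory."""
    hits = []
    for proc in processes:
        name = proc["name"].lower()
        dirs = EXPECTED_DIRS.get(name)
        if dirs is None:
            continue  # not a name we hold an expectation for
        if not any(_lives_in(proc["path"], d) for d in dirs):
            hits.append((proc["pid"], name, proc["path"]))
    return hits


def respawners(events, window_seconds=300, threshold=3):
    """Given (timestamp_seconds, name) process-start events, return a dict of
    name -> highest number of starts seen inside any window_seconds span,
    listing only names that reach `threshold` starts in such a span."""
    starts = defaultdict(list)
    for ts, name in events:
        starts[name.lower()].append(ts)
    flagged = {}
    for name, times in starts.items():
        times.sort()
        left = 0
        for right, ts in enumerate(times):
            while ts - times[left] > window_seconds:  # slide the window
                left += 1
            count = right - left + 1
            if count >= threshold:
                flagged[name] = max(flagged.get(name, 0), count)
    return flagged


# Constructed snapshot: three genuine system processes, a fake iexplore.exe in
# a temp folder, and the Malwarebytes installer renamed to winlogon.exe as the
# staff member suggested (which this check will flag too).
SAMPLE_PROCESSES = [
    {"pid": 624,  "name": "winlogon.exe", "path": r"C:\WINDOWS\system32\winlogon.exe"},
    {"pid": 1180, "name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe"},
    {"pid": 2044, "name": "iexplore.exe",
     "path": r"C:\Documents and Settings\user\Local Settings\Temp\iexplore.exe"},
    {"pid": 2300, "name": "svchost.exe",  "path": r"C:\WINDOWS\system32\svchost.exe"},
    {"pid": 2512, "name": "winlogon.exe",
     "path": r"C:\Documents and Settings\user\Desktop\mbam-installer\winlogon.exe"},
]

# Constructed start events: iexplore.exe relaunching roughly every minute.
SAMPLE_EVENTS = [
    (0, "explorer.exe"),
    (5, "iexplore.exe"),
    (70, "iexplore.exe"),
    (131, "iexplore.exe"),
    (195, "iexplore.exe"),
]

if __name__ == "__main__":
    for pid, name, path in masquerading(SAMPLE_PROCESSES):
        print(f"pid {pid}: {name} running from unexpected path {path}")
    for name, count in respawners(SAMPLE_EVENTS).items():
        print(f"{name} started {count} times within 5 minutes")
```

Note that the renamed installer on the desktop is reported alongside the fake iexplore.exe: a name-only rule cannot tell the two apart, so the image path (and, on a live system, the file's publisher signature) is what a responder would use to triage the hits.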

Thanks for the quick responses. I downloaded combofix to my desktop after renaming it per instructions. I stopped all my anti-virus/malware programs (Ad-Aware and NAV). combo-fix.exe did not run. No combofix screen or prompts came up. So I deleted it. I then tried to boot in safe mode and the computer will not boot. This was not surprising since it did not work before -- for some reason the computer will not boot in safe mode but will boot in regular mode. So I tried to download combofix again in regular mode, but now something is blocking the save to desktop step. Finally I downloaded combofix and renamed it on my second computer, then moved it to my bad computer, double-clicked combo-fix, same result -- nothing. I appreciate all your help, but maybe the best option for me at this point is to bite the bullet and wipe my sick drive and reinstall Win XP from scratch. I backed up all my files in case it comes down to this.


  • Staff

Can you try to rename Combofix to winlogon.exe instead?

I appreciate all your help, but maybe the best option for me at this point is to bite the bullet and wipe my sick drive and reinstall Win XP from scratch. I backed up all my files in case it comes down to this.

To be honest, if a computer is so severely infected (if that were my case), then I don't even bother to try to clean up, and format and reinstall anyway, because I want to be able to fully trust my computer again. With a manual cleanup, there's no guarantee that it will resolve all the damage the malware already caused and that I can trust my computer again. I know most people prefer the manual cleanup because they have too much to lose otherwise, but in a lot of cases, a format and reinstall is still the fastest and safest solution.

That's why this decision is different from person to person. So if you rather prefer to start from scratch, then it's fine for me as well (since I would do the same). :D


Much appreciation for your input and help. Looks like I just got hit by a wave of bad infections and the best approach to ensure a clean machine is to do a clean reinstall. I'll take one last pass to make sure I have all my files backed up and will start the process of a clean install. Again, a lot of respect for people like you who are willing to help poor souls like me at a time of major anxiety!


  • Staff

You're most welcome. Just make sure this won't happen again, so please read my Prevention page, which has lots of info and tips on how to prevent this in the future.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
