HELP Virus Shutting down everything even MBAM etc.

Hi, Im the old mrgoogle(AKA Julius Caesar, Ffruitt, Jack Arse etc.) but I don't know what happened to my account. Apparently the username "mrgoogle" doesn't exist anymore. But anyways I made this account a while back too so here's my story..


Okay so I have a 10.1 inch Asus Eee Pc. Just recently I was bowsing the net and Avira AntiVirus popped up with a whole bunch of messages saying Trojan detected/virus detected etc. I selected to quarantine them all. I minimized my browser afterwards, and what do I see? Shortcuts to porn all over my desktop.

I deleted them and check on the scan. The scan had detected items but just before it was finished Avira's Window just dissappeared. I have been restarting ever since in safe mode etc. and I am unable to open anything at all. I get an random error message everytime I try and open something. I transferred SuperAntiSpyware, CCleaner, MBAM, and Hijack this using a usb stick. I installed them one at a time and tried each one. The only one that worked was CCleaner. The others-as soon as they start scanning they dissappear. [like exit basically].

I have basic skill needed to remove small viruses using the above programs and I have done so before, but as nothing can open including HiJackThis, I decided my last resort is to formt my hard drive and re install windows XP. The only problem is I have no CD drive whatsoever. So how would I install XP WITHOUT an external drive.

Thanks in advance, I hope someone has some options for me.

Update. I found some wierd processes runnig in task manager. b.exe, and msa.exe. I did some googling and found that msa.exe is a virus.. but I have no idea how to go about getting rid of it. I also cannot run any malware removal programs as I already stated.

Also in my Temp files I found a.dat and it cannot be deleted... Just keeps re appearing.

Nothing is working... Internet is not connecting and windows firewall cannot be started or even opened. But I have been transferring install files for MBAM, superantispyware etc. from another pc with a usb stick. I just can't download anything directly.


PS This is not a bump, Im just adding onto my message.

[will]

Thanks for the additional information, sit tight and a specialist will be with you.

No problem.

you could try to run your mbam under safe mode, if that wont work, then .. reload windows unfortunately.

Yea well I already said that didn't work.. and I'm waitng for someone with a bit more experience to respond like EvilFantasy. So please don't bump my thread any more as I know he works his way from the bottom up.

[Malware Removal Specialist]

Hello Mr.Google and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialist of this forum so it may take a bit longer to process your logs. The first thing you should try is to re-name SAS and MBAM. Go to C:\Program Files, SAS and change the Superantispyware.exe to something else such as help.exe. Do the same for MBAM and see if they will run in Normal Mode. Paste the logs in your next reply if you can get them to run.

Okay I renamed SAS and its now scanning. Will do with MBAM as well and post logs when complete. Thanks alot!!

SAS Log:

Code: [Select]

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/04/2009 at 06:21 PM

Application Version : 4.29.1004

Core Rules Database Version : 4217
Trace Rules Database Version: 1978

Scan type       : Complete Scan
Total Scan Time : 01:12:12

Memory items scanned      : 475
Memory threats detected   : 6
Registry items scanned    : 4686
Registry threats detected : 25
File items scanned        : 41348
File threats detected     : 27

Trojan.Agent/Gen-Bongl[L]
C:\WINDOWS\SYSTEM32\MSXM192Z.DLL
C:\WINDOWS\SYSTEM32\MSXM192Z.DLL
[ter8m] C:\WINDOWS\SYSTEM32\MSXM192Z.DLL

Trojan.Agent/Gen-FakeAlert[BTWSRV]
C:\WINDOWS\SYSTEM32\BTWSRV.DLL
C:\WINDOWS\SYSTEM32\BTWSRV.DLL

Trojan.Agent/Gen-Koobface
C:\WINDOWS\SYSTEM32\FASTNETSRV.EXE
C:\WINDOWS\SYSTEM32\FASTNETSRV.EXE

Trojan.Dropper/Gen-NV
C:\WINDOWS\SYSTEM32\RESTORER32_A.EXE
C:\WINDOWS\SYSTEM32\RESTORER32_A.EXE
[restorer32_a] C:\WINDOWS\SYSTEM32\RESTORER32_A.EXE
[restorer32_a] C:\DOCUMENTS AND SETTINGS\GEKK0\RESTORER32_A.EXE
C:\DOCUMENTS AND SETTINGS\GEKK0\RESTORER32_A.EXE
[restorer32_a] C:\DOCUMENTS AND SETTINGS\GEKK0\RESTORER32_A.EXE
C:\WINDOWS\Prefetch\RESTORER32_A.EXE-2C748582.pf

Trojan.Agent/Gen-Reader_S
C:\WINDOWS\SYSTEM32\READER_S.EXE
C:\WINDOWS\SYSTEM32\READER_S.EXE
C:\DOCUMENTS AND SETTINGS\GEKK0\READER_S.EXE
C:\DOCUMENTS AND SETTINGS\GEKK0\READER_S.EXE
[reader_s] C:\WINDOWS\SYSTEM32\READER_S.EXE
[reader_s] C:\DOCUMENTS AND SETTINGS\GEKK0\READER_S.EXE
[reader_s] C:\DOCUMENTS AND SETTINGS\GEKK0\READER_S.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#reader_s [ C:\WINDOWS\System32\reader_s.exe ]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\READER_S.EXE
C:\WINDOWS\Prefetch\READER_S.EXE-1AD17DDC.pf
C:\WINDOWS\Prefetch\READER_S.EXE-31E43321.pf

Trojan.Unknown Origin
HKLM\Software\AGProtect
HKLM\Software\AGProtect#Cfg
HKU\S-1-5-21-3569182144-909318194-2716909117-1005\Software\Microsoft\Windows\CurrentVersion\Run#PopRock [ C:\DOCUME~1\Gekk0\LOCALS~1\Temp\b.exe ]

Rootkit.MailGrab
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr#Type
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr#Start
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr\Security
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr\Enum
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\tcpsr\Enum#NextInstance

Rogue.ProtectionSystem
HKU\S-1-5-21-3569182144-909318194-2716909117-1005\Software\Protection System
C:\Program Files\Protection System

Trojan.Agent/Gen
C:\WINDOWS\system32\A.TMP
C:\WINDOWS\system32\B.TMP
HKU\S-1-5-21-3569182144-909318194-2716909117-1005\Software\NordBull
HKU\S-1-5-21-3569182144-909318194-2716909117-1005\Software\PopRock
C:\WINDOWS\TEMP\VRT1.TMP

Trojan.Agent/Gen-FDUPX
C:\DOCUMENTS AND SETTINGS\GEKK0\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\FIZDFOJF\BOT[1].TXT

Trojan.Agent/Gen-FakeAlert
C:\WINDOWS\SC.INS
C:\WINDOWS\TEMP\VRT3.TMP

Trojan.Agent/Gen-NumTemp
C:\WINDOWS\SYSTEM32\13.TMP

Trojan.Agent/Gen-Tmp[Hehe]
C:\WINDOWS\SYSTEM32\2D.TMP
C:\WINDOWS\Prefetch\2D.TMP-3541E84A.pf

Trojan.Agent/Gen-Dropper[Temp]
C:\WINDOWS\SYSTEM32\C.TMP
C:\WINDOWS\SYSTEM32\F.TMP
C:\WINDOWS\Prefetch\C.TMP-31A4EB53.pf

Trojan.Agent/Gen-VB[LSM32]
C:\WINDOWS\SYSTEM32\LSM32.SYS

Trojan.Agent/Gen-WIWOW64
C:\WINDOWS\SYSTEM32\WMDTC.EXE
C:\WINDOWS\Prefetch\WMDTC.EXE-075C188E.pf

MBAM Log soon...

Okay..yea I tried the same thing with MBAM and it cannot even start scanning it just shuts off as soon as I click scan.

[Malware Removal Specialist]

Do not restart the computer until one of the tools does it for you.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
 
There are 4 different versions. If one of them won't run then download and try to run the other one.
 
Vista and Win7 users need to right click Rkill and choose Run as Administrator
 

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.exe
* Rkill.com
* Rkill.scr
* Rkill.pif

Once you've gotten one of them to run then try to immediately run the following.

----------
 
Now download and Run exeHelper.

* Please download exeHelper from Raktor to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
* Attach the log.txt file to your next message.[/list]

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

Okay I ran all the Rkills from my desktop and I have no idea if they worked but what happened is when I opened each one, a Command Prompt came up saying something like "Checking for malware, please wait". Then after a few seconds everything disappeared except my desktop (so explorer.exe im thinking). Then it reloaded and windows explorer was closed and so was the command prompt.

Anyways Im guessing that wasn't supposed to happen, but I ran exehelper anyways and heres the log:

]exeHelper by Raktor
Build 20091021
Run at 17:27:02 on 11/05/09
Now searching...
Checking for numerical processes...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\21274
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\opeia.exe
Checking for bad registry entries...
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



I ran ComboFixer also, and the little loading bar came up and "loaded" all the way, then disappeared and nothing happened. 

[Malware Removal Specialist]

Delete ComboFix.

Download ComboFix from one of the below links. You must rename it before saving it!

Important! You MUST save ComboFix to your desktop.

Link #1
Link #2

Rename ComboFix to Combo-Fix before saving it to the desktop.





Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click on Combo-Fix.exe & follow the prompts.

Vista users Right-Click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.
 
Post the contents of that log in your next reply.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

Okay first of all, I cannot disable Avira AntiVirus because it is not open. It doesn't autorun when windows starts anymore, and when I try to open the Application file I get the message;

Code: [Select]

The Application Module
c:\program files\avira\antivir desktop\avcenter.exe
cannot be found or has been modified or destroyed.
The AVCENTER.EXE cannot be started.
Please check your installation!

Second, I did exactly what you said with combo-fix and the same thing happened. Loading bar comes up and loads all the way. Then disappears and nothing happens.

[Malware Removal Specialist]

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

When I go to the Online scan I get "Webpage cannot be displayed" error. It takes a few minutes to "load" before it just shows the error, but any other webpage loads just fine.

[Malware Removal Specialist]

Try this one please.

Scan your computer with Panda ActiveScan

* Once you are on the Panda site click the Scan your PC now button.
* A new window will open...click the Scan Now button.
* If it wants to install an ActiveX component allow it.
* It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
* You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
* The scan will begin. Please be patient as it can take an hour or more to complete.
* When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
* Save the ActiveScan.txt to a convenient location like your desktop.
* Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

* Post the contents of the ActiveScan report in your next reply.

Same Cannot display webpage error. *censored* this is frustrating.

[Malware Removal Specialist]

Go to C:\Program Files and find the MBAM folder. Right click the Malwarebytes program and rename it to abc123. The double click it and see if it runs.

Nope. Just shuts off like before.

[Malware Removal Specialist]

Do not restart the computer until one of the tools does it for you.

Please download and run the below tool named Rkill

(courtesy of BleepingComputer.com) which may help allow other programs to run.
 
There are 4 different versions. If one of them won't run then download and try to run the other one.
 
Vista and Win7 users need to right click Rkill and choose Run as Administrator
 

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.exe
* Rkill.com
* Rkill.scr
* Rkill.pif

Once you've gotten one of them to run then try to immediately run the following.

----------
 
Now download and Run exeHelper.

* Please download exeHelper from Raktor to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
* Attach the log.txt file to your next message.[/list]

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

Uhh.. again? I already did exactly all that and it didnt work.

there must be trojan attacked your computer. you could load the software in the website and have a change.

Please delete this post. Obviously spam.

[Malware Removal Specialist]

Download OTL to your desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* When the window appears, underneath Output at the top change it to Minimal Output.
* Check the boxes beside LOP Check and Purity Check.
* Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy and pate the contents of these files, one at a time, into your next reply.

Note: You may need two or more posts to fit them all in.

Okay found my old account. Uh new problem though. explorer.exe disappeared randomly. And when I reboot it doesnt load. Just my wallpaper shows.....? There is also a bunch of .tmp processes running in task manager.

And I cant start explorer.exe from task manager. It says something about permissions. Same thing in safe mode.

[Malware Removal Specialist]

Try creating a new account. If that doesn't work you will need a Rescue CD or USB.

http://evilfantasy.wordpress.com/bitdefender-rescue-usb/

http://evilfantasy.wordpress.com/2009/05/06/rescue-cds/

Alright thanks for all your help EF

The usb one says something about unless you are an advanced linux user..but my pc is windows not linux???

[Malware Removal Specialist]

The rescue system is Linux based. Just follow the instructions and it will tell you every step you need to put Bitdefender on the USB and run it.

Alright I followed the instructions and have tried many diffirent scanner isos (dr.web, kaspersky...etc) but when I boot my laptop it says "Please insert bootable media". I changed the boot order to only boot from "Removable Device". Im guessing thats what the USB drive would be?? The only three options I have are Harddrive, CDRom(which I don't even have), and Removable Device.

Should I maybe start a new topic in a different section? Or do you have some advice?

[Malware Removal Specialist]

Yes, please try asking how to boot from a USB in the Windows forum. You might copy that last post and add it to the new thread.