
Topic: Still trying to recover computer after "Vista Antivirus 2008" malware infection.


Zen_Sorcere (Topic Starter):

    Over the weekend I clicked on something I know I shouldn't have, and my computer became infected with the "Vista Antivirus 2008" malware.  At the same time the stupid WGA thing started acting up (which I had never seen before), telling me my copy of XP wasn't valid.  So all of this starts happening at the same time.  Windows and alerts were popping up all over the place, and when my wallpaper got changed to something else, that was when I hit the reset button (since the power button wasn't having any response), and pulled the power plug on my modem.  After that, I haven't been able to launch Firefox at all.  I double-click on the icon, and I get an hourglass for a brief moment and then nothing happens.  Other applications have the same thing occur when I try to launch them (including some of the programs you recommended in your "Before asking for help" post: http://www.computerhope.com/forum/index.php/topic,46313.0.html).

    On Monday, I did locate a program to remove the WGA stuff called "Remove WGA 2.1" (located here: http://www.softpedia.com/get/Tweak/Uninstallers/RemoveWGA.shtml) and was able to remove that, and haven't had an occurrence of the WGA since then.  I also turned off the Auto-install updates.

    On Monday as well, I was able to get my older version of HJT working as well as Registry Mechanic, which I'd had on the computer for a little while, though none of my other programs (Spybot, Ad-aware) were functioning.  On Monday at work, I printed out some instructions I'd found on the web in regards to removing the Vista thing, and I burned a CD that had McAfee, Malwarebytes' Anti-Malware, and the WGA remover on it to take home (since my computer has no internet access on its own right now, doesn't matter if the modem is plugged in).  I couldn't get Malwarebytes' to launch, nor McAfee.  I attempted to follow some directions I had found for manual file removal, but they didn't quite match up with what I was seeing.

    I also Monday night started getting variants of the Blue Screen of Death, where the font was larger and blockier, and would usually say that the boot up was interrupted because of some danger and it would list something different each time the issue occurred (BOOT_DRIVER was one of them once).  The screen wouldn't stick around very long, so I wish I could tell you more specifics, but I can't really.  The computer would restart after the Blue Screen went away, and the computer would tell me, once back at the desktop, that it was starting in "diagnostic" mode.  The Blue screens only seemed to occur if I started the computer up in Normal mode, and would happen about a minute after getting to the desktop.  I'm guessing I may have screwed something up in the registry with the Registry Mechanic tool I was using to try and diagnose problems. :/

    Tuesday at work, I found your site while I continued to try and find some help.  I came across your "before you ask for help" post, printed out all the steps, downloaded and burned onto CDs every program you mentioned (and their updates you provided download links for), and began going through those steps once I got home.   I was able to copy the programs onto the Desktop, but not all of them would launch.  All 3 programs listed in Step A (Avast!, AVG, and AntiVir Personal) wouldn't launch after I double-clicked the icon; the hourglass would appear for the briefest of moments, and then nothing would happen (just like the issue w/ Firefox I mentioned above).  In addition to the 3 programs in Step A, I had the same problem with Malwarebytes' Anti-Malware (again) and the newest version of HijackThis.  My older version worked fine.  I was hesitant to remove the old one unless I was sure the new one would work (they were located in different places).  I burned some logs from some of the programs to a CD, so I could at least post them.

    I was able to get some slight progress done with the other programs.  I still can’t launch all applications though (including Firefox).  Boot up is much faster now, which is a step in the right direction.  From what I could tell, I think the odd-looking Blue screens of Reboot/death have been mitigated, though I’m not positive about that.

    So at this point, I'm not sure what to do. 




    evilfantasy (Malware Removal Specialist, Moderator):
    Download Combofix by sUBs from one of the below links.
    (Try all three if necessary)

    Link #1
    Link #2

    Combofix MUST be saved to the desktop.
     
    Close all other browser windows.
     
    Go to Start > Run and copy/paste in the following:

    "%userprofile%\desktop\combofix.exe" /killall

    Press Enter and Combofix will begin to run.
     
    When finished, it will produce a log file located at C:\ComboFix.txt
     
    Post the contents of that log in your next reply.

    Note: Do not mouse-click Combofix's window while it is running. That may cause your system to stall.

    Combofix should not take more than 20 minutes to run.

    ----------

    Add the combofix log in the next reply.

      Zen_Sorcere (Topic Starter):

      Installing both options (linked above) to the Desktop went smoothly.  When I downloaded both options for it onto my work computer, it named one of them "ComboFix(2).exe". 

      I typed in the text as stated in the Run field, and it highlighted the "(2)" icon of the ComboFix.exe options, but nothing else happened.  I double clicked on the normally named icon, with the same result.  When I double clicked on the "(2)" version, however, some activity showed, but a message popped up telling me I couldn't rename it "(2)".  So I renamed it "ComboFix3.exe".  Double clicking on it again at that point resulted in the application launching.


      The log is attached.

      I was able to launch Firefox after the ComboFixer completed its task, so I plugged my modem back in, and was able to post this to you from home.

      I will be taking off shortly, so I will unplug the modem again and power down the computer, just in case.  I'll sign back in when I return home to see what further instructions you might have.  Otherwise, I'll check back in the morning when I get to work again.


        Zen_Sorcere (Topic Starter):

        Some additional notes:

        Upon Combofix.exe's reboot, a RUN DLL message popped up saying c:\WINDOWS\system32\vmlmhflq.dll was missing.  This did not appear after a normal boot up.

        Also on each boot up, a notification popped up saying the Firewall was disabled.

        evilfantasy (Malware Removal Specialist, Moderator):
        The instructions say "Download Combofix by sUBs from one of the below links." You don't need two copies. It's OK since you got one of them to run, just delete the one that wouldn't run and keep ComboFix3.exe.

        Now try to run MalwareBytes again and post the log. You may need to download a new install file since you can now use the internet.

        Download Malwarebytes' Anti-Malware (MBAM) from here or here

        Double Click mbam-setup.exe to install the application.
        • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
        • If an update is found, it will download and install the latest version.
        • Once the program has loaded, select "Perform Quick Scan", then click Scan.
        • The scan may take some time to finish, so please be patient.
        • When the scan is complete, click OK, then Show Results to view the results.
        • Make sure that everything is checked, and click Remove Selected.
        • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
        • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
        • Copy&Paste the entire report in your next reply.
        Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

        ----------

        Now run a new Hijackthis scan and post that log along with the MBAM log.




          Zen_Sorcere (Topic Starter):

          Quote from: evilfantasy
          "The instructions say "Download Combofix by sUBs from one of the below links." You don't need two copies. It's OK since you got one of them to run, just delete the one that wouldn't run and keep ComboFix3.exe."

          Yes, I would have only downloaded one, but given the random accessibility of programs, I figured I'd play it safe.


          Copied & Pasted contents of "mbam-log-7-17-2008 (02-26-08).txt":
          ----------------------------
          Malwarebytes' Anti-Malware 1.20
          Database version: 960
          Windows 5.1.2600 Service Pack 2

          2:26:08 AM 7/17/2008
          mbam-log-7-17-2008 (02-26-08).txt

          Scan type: Quick Scan
          Objects scanned: 37815
          Time elapsed: 4 minute(s), 50 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 1
          Registry Values Infected: 0
          Registry Data Items Infected: 0
          Folders Infected: 1
          Files Infected: 6

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\rhccwwj0eg5v (Rogue.Multiple) -> Quarantined and deleted successfully.

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

          Files Infected:
          C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
          C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
          C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
          C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
          C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP) -> Quarantined and deleted successfully.
          C:\Documents and Settings\Mike Gilson\Desktop\antivirus-2008pro.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
          ----------------------------------



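The MBAM log above records each detection as `object (family) -> action`, grouped under section headers, with a count summary at the top. The following is an added example, not code from the thread or from Malwarebytes: a small Python parser for that format that checks the declared section counts against the entries actually listed, tallies detections by family, and flags any item whose action is not "Quarantined and deleted successfully" so a follow-up scan or reboot can be planned. The log embedded in it is a constructed excerpt modelled on the posted one; the `example.dll` / `Trojan.Constructed` line and its "Delete on reboot" status are assumptions added for illustration, not findings from this thread.

```python
"""Parse and summarise a Malwarebytes' Anti-Malware 1.x scan log.

Added example, not code from the thread or from Malwarebytes. The log
embedded below is a constructed excerpt modelled on the format of the
log posted above; the example.dll / Trojan.Constructed line is invented
to show how an item that was not removed immediately is reported.
"""
import re
from collections import Counter

# Constructed sample log in the MBAM 1.x format (shortened).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.20
Database version: 960
Windows 5.1.2600 Service Pack 2

2:26:08 AM 7/17/2008
mbam-log-7-17-2008 (02-26-08).txt

Scan type: Quick Scan
Objects scanned: 37815

Memory Processes Infected: 0
Registry Keys Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\rhccwwj0eg5v (Rogue.Multiple) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example.dll (Trojan.Constructed) -> Delete on reboot.
"""

# "<Category> Infected: <n>" summary lines at the top of the log.
COUNT_RE = re.compile(r"^(?P<cat>.+) Infected: (?P<n>\d+)$")
# "<Category> Infected:" section headers that precede the detail lines.
HEADER_RE = re.compile(r"^(?P<cat>.+) Infected:$")
# "<object> (<family>) -> <action>." detail lines; the greedy object group
# means a path containing parentheses is still split at the last "(family)".
ENTRY_RE = re.compile(r"^(?P<obj>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
KV_RE = re.compile(r"^(?P<key>[^:]+): (?P<val>.+)$")

REMOVED = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return product, database version, declared counts and per-section entries."""
    result = {"product": None, "database_version": None, "counts": {}, "sections": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if result["product"] is None and line.startswith("Malwarebytes"):
            result["product"] = line
            continue
        m = COUNT_RE.match(line)
        if m:
            result["counts"][m.group("cat")] = int(m.group("n"))
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("cat")
            result["sections"][current] = []
            continue
        if line == "(No malicious items detected)":
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            result["sections"][current].append(
                {"object": m.group("obj"), "family": m.group("family"), "action": m.group("action")}
            )
            continue
        m = KV_RE.match(line)
        if m and m.group("key") == "Database version":
            result["database_version"] = m.group("val")
    return result


def summarize(parsed):
    """Tally families, list items not yet removed, and check declared vs. parsed counts."""
    families = Counter()
    pending = []
    mismatches = {}
    for cat, entries in parsed["sections"].items():
        declared = parsed["counts"].get(cat)
        if declared is not None and declared != len(entries):
            mismatches[cat] = (declared, len(entries))
        for entry in entries:
            families[entry["family"]] += 1
            if entry["action"] != REMOVED:
                pending.append(entry["object"])
    return {
        "families": dict(families),
        "rogue_families": sorted(f for f in families if f.startswith("Rogue.")),
        "pending": pending,
        "count_mismatches": mismatches,
    }


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    summary = summarize(parsed)
    print(parsed["product"], "- database", parsed["database_version"])
    for cat, entries in parsed["sections"].items():
        print(f"{cat}: {len(entries)} item(s)")
    print("By family:", summary["families"])
    print("Rogue AV families:", summary["rogue_families"])
    print("Not yet removed:", summary["pending"])
    print("Declared/parsed count mismatches:", summary["count_mismatches"])
```

To use it on a real log, read the file into a string and pass it to `parse_mbam_log`; the count-mismatch check is a cheap way to notice a log that was truncated when it was pasted into a reply, and the pending list is what to look at before declaring a machine clean.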

          evilfantasy (Malware Removal Specialist, Moderator):
          Looks good so far, is everything running OK now?

          We need to get you some good free antivirus installed before you get infected again.



          Before we continue download and install a free anti-virus software.


          Remember to only install one antivirus! They are all good and if you want to know I prefer to use Avast!
           
          • Avast! Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
          • AVG Free Edition -    Free edition of the AVG anti-virus program for Windows.
          • AntiVir Personal - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
          ----------

          After the antivirus is installed and running...

          • Click START then RUN
          • Now type ComboFix3 /u in the runbox
          • Make sure there's a space between ComboFix3 and /u
          • Then hit Enter.
          The above procedure will:
          • Delete ComboFix and its associated files and folders.
          • Reset the clock settings.
          • Hide file extensions, if required.
          • Hide System/Hidden files, if required.
          • Set a new, clean Restore Point.
          ----------

          Delete temporary files

          Go to:
          • Start
          • Run
          • type: CLEANMGR.EXE
          • Press Enter.
          When prompted select the C: drive and click OK.
          Check the boxes for:
          • Temporary Internet Files
          • Downloaded Program Files
          • Recycle Bin
          • Temporary Files
          Click OK or Enter

          ----------

          Use the Kaspersky Online Scanner

          Important! If using Windows Vista open your browser by right-clicking on its icon and select Run As Administrator to perform this scan.
          • Click Accept.
          • The program will then begin downloading the latest definition files.
          • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
          The scan will take a while, so be patient and let it finish.

          When the scan is done, in the Scan is complete window, any infection is displayed.
          There is no option to clean/disinfect, however, we need to analyze the information on the report.

          To obtain the report:
          Click on: Save Report As
          • Next, in the Save as prompt, Save in area, select: Desktop.
          • In the File name area use KScan, or something similar.
          • In Save as type: click the drop arrow and select: Text file [*.txt]
          • Then, click: Save


          Copy and paste the Kaspersky Online Scanner Report in your next reply.

            Zen_Sorcere (Topic Starter):

            Everything appears to be running great now, yeah. :)

            I installed Avast!, as you suggested, and it did a big scan when I rebooted.

            The uninstall for ComboFix3.exe was completed.

            Cleanmgr.exe was also completed.

            I did the Kaspersky Online Scanner, as well, and it appears to have come out 100% clean:

            ------------------------------------------------
            --------------------------------------------------------------------------------
            KASPERSKY ONLINE SCANNER 7 REPORT
             Friday, July 18, 2008
             Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
             Kaspersky Online Scanner 7 version: 7.0.25.0
             Program database last update: Friday, July 18, 2008 04:40:30
             Records in database: 967237
            --------------------------------------------------------------------------------

            Scan settings:
               Scan using the following database: extended
               Scan archives: yes
               Scan mail databases: yes

            Scan area - My Computer:
               A:\
               C:\
               D:\
               E:\

            Scan statistics:
               Files scanned: 54894
               Threat name: 0
               Infected objects: 0
               Suspicious objects: 0
               Duration of the scan: 01:01:06

            No malware has been detected. The scan area is clean.

            The selected area was scanned.
            -------------------------------------------------


            At this point the only negative notification that appears is a Windows Security Alert regarding the Windows Firewall being turned off.

            evilfantasy (Malware Removal Specialist, Moderator):
            Look here > How to turn on or turn off the firewall in Windows XP

            Set a New Restore Point to prevent possible reinfection from an old one
            Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
            • Go to Start > Programs > Accessories > System Tools and click System Restore
            • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
            • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
            • Next go to Start > Run and type Cleanmgr
            • Click OK
            • Click the More Options Tab.
            • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
            You can find instructions on how to enable and re-enable system restore here:

            Windows XP System Restore Guide or Windows Vista System Restore Guide
            ----------

            Use the Secunia Software Inspector to check for out of date software.
            • Click Start Now
            • Check the box next to Enable thorough system inspection.
            • Click Start
            • Allow the scan to finish and scroll down to see if any updates are needed.
            • Update anything listed.
            ----------

            Important: You need to update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical updates.

            If you are running any Microsoft Office version go to the Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

            ----------

            Make sure all of your security programs are up to date and run scans with them regularly. Once or twice a week minimum.

            Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

            To prevent unknown applications from being installed on your computer install WinPatrol 2008
            * Using Winpatrol to protect your computer from malicious software

            I would suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

            SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
            * Using SpywareBlaster to protect your computer from Spyware and Malware
            * If you don't know what ActiveX controls are, see here

            Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

            Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

            Use only trusted security software like the programs listed on this page. Trusted security tools & resources