Elusive virus disables Windows Update and Malwarebytes!

By Betelgeuse
Jan 16, 2010
Topic Status:
Not open for further replies.
  1. Hi Group,

    Caught a bad one, it disables Windows Update and Windows malware removal tool. It will not allow Malwarebytes Anti-Malware to run (shortcut for "mbam.exe" not valid after install). Random popups for "registry monitor" "best anti-virus" "nexplore" "Www.facebook survey" and others. Looks like search results are altered. I could not DL Avast anti-virus, had to DL from another PC to USB drive and install from there, Avast did not locate the infection. I was running AVG free which let it through and it got through my router firewall. Followed 8 step process except for Malwarebytes which will not run even after reinstall and run from install menu. Attached hijackthis, combofix, and superantispyware logs... Super anti spyware found a buttload of things and I put them in the locker, popups seem to have stopped, what is my next move, many thanks!

  2. Betelgeuse

    Betelgeuse Newcomer, in training Topic Starter

    eset log added

    Here is eset log...

  3. Betelgeuse

    Betelgeuse Newcomer, in training Topic Starter

    Malwarebytes log

    Machine speed back where it was, ran MS updates without it getting disabled, no updates found. Ran MS malware removal tool successfully, no infections found. Reinstalled Malwarebytes and it ran quick scan without shutting down, log attached. Looks like Superantispyware caught the baddies, everything that would not run before will now run after it cleaned up system.

    Please help me make sure system is clean for real!

    Thanks for all your help!

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I suspect the virus is elusive because you ran random programs in random order instead of following the 8 steps. All your logs show malware. If you would like to start over the right way:

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Then follow THIS. When through, attach the 3 logs for review.

    Please don't run any other programs for malware unless instructed.
  5. Betelgeuse

    Betelgeuse Newcomer, in training Topic Starter

    Thanks!

    Thanks so much for your help, working my way through the 8 steps now. Will post logs asap.
  6. Betelgeuse

    Betelgeuse Newcomer, in training Topic Starter

    Logs attached

    Fresh logs attached:

  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    You still have Vundo entries. You might want to disable the Nero backup till all of it is out:

    Please download VundoFix.exe HERE and save to your desktop:
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the ‘Fix Vundo’ button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    Please attach the C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
  8. Betelgeuse

    Betelgeuse Newcomer, in training Topic Starter

    Fresh logs attached

    Hi Bobbye,

    Vundo fix came back clean, rescanned with HiJackThis, attached HJT log, vundofix would not attach as it is 0kb.

    I ran Vundofix with firewall and SAS on, no Vundo found, then I disabled Firewall and SAS, came back clean... Then I rebooted, ran again and came back clean.

    Any ideas?

    Thanks for your help.

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I cannot figure out why this entry is still here:

    O20 - AppInit_DLLs: gobewowi.dll

    Let's try running Combofix now and see if it picks it up:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Rescan with HijackThis when through.
    Attach Combofix report and new HJT log.
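The O20 line Bobbye is puzzled by points at the AppInit_DLLs value, a registry location Windows uses to load a DLL into every process that loads user32.dll, which is why a leftover entry there keeps a Vundo-style infection alive across cleanups. The script below is an added illustration for readers, not something posted in this thread: it reads that value on the local machine, splits it into DLL names, and reports whether each file exists and whether it is signed. The allowlist, the System32 fallback for bare file names, and the exact registry paths checked are assumptions made for this example.

```powershell
# Added example: inspect the AppInit_DLLs persistence location that a
# HijackThis "O20" line reports. Run from an elevated PowerShell session.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # absent on 32-bit systems
)
# Assumption: a clean workstation has nothing here. Add DLL names you have
# verified as legitimate (e.g. from an installed security product) to this list.
$allowlist = @()

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
    $raw   = [string]$props.AppInit_DLLs
    $load  = $props.LoadAppInit_DLLs   # Vista and later only; empty on XP
    Write-Host "`n$p"
    Write-Host "  LoadAppInit_DLLs = $load"
    if ([string]::IsNullOrWhiteSpace($raw)) {
        Write-Host "  AppInit_DLLs is empty"
        continue
    }
    # The value is a space- or comma-separated list of DLL paths or bare names.
    foreach ($dll in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        $name   = [IO.Path]::GetFileName($dll)
        $status = if ($allowlist -contains $name) { 'allowed' } else { 'UNEXPECTED' }
        # Assumption: a bare name is looked up on the normal DLL search path;
        # System32 is checked here as the usual location for such files.
        $full = if ([IO.Path]::IsPathRooted($dll)) { $dll }
                else { Join-Path $env:SystemRoot ('System32\' + $dll) }
        $exists = Test-Path $full
        $sig = if ($exists) { (Get-AuthenticodeSignature $full).Status } else { 'n/a' }
        Write-Host ("  {0,-10} {1}  exists={2}  signature={3}" -f $status, $dll, $exists, $sig)
    }
}
```

An UNEXPECTED, unsigned entry whose file no longer exists (as after a partial cleanup) is still worth clearing, since the loader will retry it in every new process once the file is restored.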