System Security Virus - Cannot open Malwarebytes

Status
Not open for further replies.

brooklynfeline

Three days ago System Security 2009 started running on my computer. I was able to boot into Safe Mode and run AVG. The pop-ups stopped, but I can't search on the internet; it will redirect me or not even pull up the page.

I have tried everything to get Malwarebytes to run and it still will not. I have renamed the program and the mbam.exe to m.exe. I have tried to uninstall Malwarebytes and the computer freezes. I try to run the setup and I even wait until it completes after 30 minutes. When I try to open the program, I get the hourglass, then nothing happens.

When trying to download ComboFix, the computer gives me an error saying I need to download again from bleepers and that I may have a virut virus. I even renamed the combofix to 123.exe and still gave me the same error. I can run Avg but it will not clear any of the threats. When trying to install Avast, the screen locks up. I can run CCleaner and it clears out some of the cookies. Thanks in advance for any help I can get.
 
I was just able to run Malwarebytes in Safe mode. Attached is a log and hjt log.
 

Attachments:
  • mbam-log-2009-06-24 (18-14-29).txt (3.9 KB)
  • hijackthis.log (9 KB)
Hello brooklynfeline

Click here: Gmer
and download the installer for Gmer to your desktop, then click that file to run Gmer.
(scroll down, and click on – Download Exe – Button)

If on its opening scan Gmer locates items shown in red or indicates "hidden" or "rootkit", stop there, and click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and attach it here please. We don't want any crashes just from taking an initial look at things.

If not, then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and attach it here please.
 
In HijackThis put checks next to the following then hit fix all:

O4 - HKCU\..\Run: [kell] C:\program Files\Manson\liser.exe
O4 - HKUS\S-1-5-18\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'Default user')
O20 - Winlogon Notify: ahrdvdd - C:\WINDOWS\
O23 - Service: e5yw3yhaqghraewh3ye3hbsshsnqqa80 - Unknown owner - C:\WINDOWS\e5yw3yhaqghraewh3ye3hbsshsnqqa81.exe

It looks like you have a rootkit. If you can get online, download combofix. Unfortunately I can't post the link for you due to forum restrictions. But if you go to bleepingcomputer with a dot com after it you will find it.

When saving combofix to your PC, rename it to 123.com so malware won't disable it. Launch combofix (now titled 123.com), allow it to download and install the Recovery Console if it prompts you. Once the scan starts, DO NOT TOUCH YOUR PC; clicking anywhere while combofix is running is enough to make your system become non-responsive. Be forewarned that combofix will make your desktop disappear and will also reboot your PC as needed. This is normal.

Once combo fix is done, post its logfile and another HJT logfile here, please.
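The HijackThis entries listed in this post are a good illustration of what a helper looks for by eye: an autostart that is also registered for SYSTEM and Default user, a Winlogon Notify entry that points at a bare directory instead of a DLL, and a service with no publisher whose name is a random string. The script below is an added example, not part of the thread and not a HijackThis feature: it parses O4, O20 and O23 lines with those heuristics. The sample input is constructed here from the five lines quoted above plus two benign-looking lines (the AVG tray entry and an ATI service) invented so the filter has something to leave alone; the heuristics and their thresholds are my assumptions, not rules from the thread.

```python
import re
from typing import Dict, List

# Constructed sample input: the five HijackThis entries quoted in the post above,
# plus two benign-looking lines invented here so the filter has something to ignore.
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O4 - HKCU\\..\\Run: [kell] C:\\program Files\\Manson\\liser.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [kell] C:\\Program Files\\Manson\\liser.exe (User 'SYSTEM')
O4 - HKUS\\.DEFAULT\\..\\Run: [kell] C:\\Program Files\\Manson\\liser.exe (User 'Default user')
O20 - Winlogon Notify: ahrdvdd - C:\\WINDOWS\\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
O23 - Service: e5yw3yhaqghraewh3ye3hbsshsnqqa80 - Unknown owner - C:\\WINDOWS\\e5yw3yhaqghraewh3ye3hbsshsnqqa81.exe
"""

# Line shapes as HijackThis prints them (O4 autostart, O20 Winlogon Notify, O23 service).
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<path>.+?)(?: \(User '(?P<user>[^']*)'\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example): generated malware names tend to be
    long runs of letters with digits mixed in, or pronounceable-looking but nearly
    vowel-free strings. Legitimate product names rarely match either test."""
    letters = [c for c in name.lower() if c.isalpha()]
    digits = [c for c in name if c.isdigit()]
    if not letters:
        return False
    if len(name) >= 12 and digits:
        return True
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return len(name) >= 6 and vowel_ratio < 0.2


def stem(path: str) -> str:
    """File name without directory or extension; empty when the path is a bare directory."""
    base = path.rstrip().split("\\")[-1]
    return base.rsplit(".", 1)[0].lower()


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {hjt_line: [reasons]} for every line the heuristics flag."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    flagged: Dict[str, List[str]] = {}

    # Pass 1: O4 names that also autostart for SYSTEM or Default user. A normal
    # user-mode program has no business there, so the same name is suspect under every hive.
    system_names = set()
    for line in lines:
        m = O4_RE.match(line)
        if m and m.group("user") in ("SYSTEM", "Default user"):
            system_names.add(m.group("name"))

    # Pass 2: per-line checks.
    for line in lines:
        reasons: List[str] = []
        m4, m20, m23 = O4_RE.match(line), O20_RE.match(line), O23_RE.match(line)
        if m4:
            if m4.group("name") in system_names:
                reasons.append("autostart entry also registered for SYSTEM/Default user")
            if looks_random(m4.group("name")) or looks_random(stem(m4.group("path"))):
                reasons.append("random-looking run key or file name")
        elif m20:
            if stem(m20.group("path")) == "":
                reasons.append("Winlogon Notify entry points at a bare directory, no DLL")
            if looks_random(m20.group("name")):
                reasons.append("random-looking Winlogon Notify name")
        elif m23:
            if m23.group("owner") == "Unknown owner":
                reasons.append("service with no publisher")
            if looks_random(m23.group("name")) or looks_random(stem(m23.group("path"))):
                reasons.append("random-looking service or file name")
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, why in triage(SAMPLE_HJT).items():
        print(line)
        for r in why:
            print("    ->", r)
```

Run against the sample it flags exactly the five entries the helper asked to fix and leaves the two benign lines alone. The vowel-ratio test is deliberately crude; it is there to show the kind of check a triager applies, not to replace looking the entry up.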
 
Here is the log from Gmer. I just got a blue screen again. I rebooted in safe mode and downloaded Gmer.
 

Attachments:
  • gmer log.txt (1.7 KB)
Yes, you have two rootkits. I (like tystanwick) have a belief that ComboFix might be the best way to proceed.

You can download combofix from here, once done please upload the log.

Please do not click the window, as it may stall ComboFix.
 
I am still getting the same error message with Combofix. I click on save and change the name to 123.exe. It downloads to the desktop and after I click run it says that the file has been compromised, there may be a virut virus on your computer. Please redownload.
 
brooklynfeline ->

1. Start -> Run -> devmgmt.msc -> OK
   On the toolbar, click View -> "Show hidden devices"
2. Scroll down and locate Non-Plug and Play Drivers
   Click the + sign to expand
3. tdss(other random characters)
   uac(other random characters)
   SKYNET(other random characters)
   ab56sy26 (or similar 8-character random name)

   Right-click on it/them, and select "Disable"

4. Restart your computer

Download The Avenger by Swandog46:
http://swandog46.geekstogo.com/avenger2/download.php.
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below quotebox to the clipboard by highlighting it and then pressing Ctrl+C.


Files to delete:
C:\WINDOWS\system32\drivers\SKYNETtryqcner.sys
C:\WINDOWS\system32\drivers\UACfvvrxolxaisqxbr.sys

In the Avenger window, click the Paste Script from Clipboard button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

Please attach Avenger log.
 
I do not see any of the skynet or tdss drivers listed under the Non-Plug and Play Drivers. I saw them on the Gmer log and I didn't run a scan. Here is the Avenger log.
 
Go in and set your user account not to share files or folders with other users, then create a new user account. This should give you enough time to download and run the programs you need.
 
I have created a new user account and it locked up on me. I could not open the new account. It tells me to check with my administrator. My sound is not working now and I am getting an error in the bottom right corner saying "Warning. The media system on your computer is corrupt. Update your sound and video codec." Is there any other way I can download ComboFix?
 
I have started the reinstall. I couldn't even log into safe mode. I kept getting blue screens. Can anyone give me some advice on which spyware and virus removal I need to have on my new OS. Thanks
 
brooklynfeline, it's going to confuse things if you try to follow directions from several different members. Touch has begun guiding you. Stick with his directions.

He suspected a rootkit, which is why he requested you run GMER.

Perhaps the two other new members could allow Touch to work with you without asking for additional programs.
 
Thanks. At that point I knew my computer was about to crash. So, I was desperate for anyone's help. I have reinstalled XP on my computer 5 days ago.
 
Sorry it didn't work out for you. We consider the problem 'fixed' - the hard way!
 