Elusive virus disables Windows Update and Malwarebyte!

Status
Not open for further replies.

Betelgeuse

Hi Group,

Caught a bad one, it disables Windows Update and Windows malware removal tool. It will not allow Malwarebytes Anti-Malware to run (shortcut for "mbam.exe" not valid after install). Random popups for "registry monitor", "best anti-virus", "nexplore", "Www.facebook survey" and others. Looks like search results are altered. I could not DL Avast anti-virus, had to DL from another PC to USB drive and install from there, Avast did not locate the infection. I was running AVG free which let it through and it got through my router firewall. Followed 8 step process except for Malwarebytes which will not run even after reinstall and run from install menu. Attached HijackThis, ComboFix, and SUPERAntiSpyware logs... SUPERAntiSpyware found a buttload of things and I put them in the locker, popups seem to have stopped, what is my next move, many thanks!
 

Attachments

  • hijackthis1-16-10.txt (5.4 KB)
  • combofix1-16-10.txt (14 KB)
  • SUPERAntiSpyware Scan Log - 01-16-2010 - 17-34-20.log (1.5 KB)
Malwarebytes log

Machine speed back where it was, ran MS updates without it getting disabled, no updates found. Ran MS malware removal tool successfully, no infections found. Reinstalled Malwarebytes and it ran quick scan without shutting down, log attached. Looks like Superantispyware caught the baddies, everything that would not run before will now run after it cleaned up system.

Please help me make sure system is clean for real!

Thanks for all your help!
 

Attachments

  • mbam-log-2010-01-17 (08-22-08).txt (981 bytes)
I suspect the virus is elusive because you ran random programs in random order instead of following the 8 steps. All your logs show malware. If you would like to start over the right way:

Uninstall ComboFix.exe and all backups of the files it deleted
  • Click START > then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U, it needs to be there.
    [image: CF_Uninstall-1.jpg]

Then follow THIS. When through, attach the 3 logs for review.

Please don't run any other programs for malware unless instructed.
 
Logs attached

Fresh logs attached:
 

Attachments

  • hijackthis 1-19-10.txt (5.7 KB)
  • mbam-log-2010-01-19 (21-28-19).txt (1,001 bytes)
  • SUPERAntiSpyware Scan Log - 01-19-2010 - 21-47-38.log (465 bytes)
You still have Vundo entries. You might want to disable the Nero backup till all of it is out:

Please download VundoFix.exe HERE and save to your desktop:
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the ‘Fix Vundo’ button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Please attach the C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
 
Fresh logs attached

Hi Bobbye,

VundoFix came back clean, rescanned with HijackThis, attached HJT log, vundofix.txt would not attach as it is 0 KB.

I ran Vundofix with firewall and SAS on, no Vundo found, then I disabled Firewall and SAS, came back clean... Then I rebooted, ran again and came back clean.

Any ideas?

Thanks for your help.
 

Attachments

  • hijackthis 1-20-10.txt (5.9 KB)
I cannot figure out why this entry is still here:

O20 - AppInit_DLLs: gobewowi.dll

Let's try running Combofix now and see if it picks it up:
Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Important! Save the renamed download to your desktop.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Double click on the setup file on the desktop to run
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    [image: RcAuto1.gif - Recovery Console query]
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [image: whatnext.png]

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Rescan with HijackThis when through.
Attach Combofix report and new HJT log.
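The O20 line HijackThis keeps reporting corresponds to the AppInit_DLLs registry value, which Windows reads to inject the listed DLLs into every process that loads user32.dll. The following is an added example, not part of the helper's instructions or of any of the tools named in the thread: it reads that value (and its 32-bit Wow6432Node twin on 64-bit Windows, which is an assumption about the reader's system) from an elevated PowerShell prompt and reports, for each listed DLL, whether the file is actually present and whether it carries a valid Authenticode signature. A name that is set but whose file no longer exists is a stale entry left behind after cleanup, which is one way an O20 line can persist after the malware itself is gone.

```powershell
# Added example: inspect the AppInit_DLLs mechanism behind a HijackThis O20 entry.
# Run from an elevated PowerShell prompt on the machine under review.
# Uses only cmdlets present in PowerShell 2.0 and later.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit view on 64-bit Windows (assumed path; absent on 32-bit systems and skipped below)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    Write-Host "Key: $key"
    # LoadAppInit_DLLs (Vista and later): 1 = DLLs in the list are loaded, 0 = ignored.
    # The value does not exist on Windows XP, where the list is always honoured.
    Write-Host "  LoadAppInit_DLLs          = $($props.LoadAppInit_DLLs)"
    Write-Host "  RequireSignedAppInit_DLLs = $($props.RequireSignedAppInit_DLLs)"

    $raw = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrEmpty($raw.Trim())) {
        Write-Host "  AppInit_DLLs is empty"
        continue
    }

    # The value is a space- or comma-separated list of DLL names or full paths.
    foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        $path = $entry
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            # Bare names (such as gobewowi.dll in the thread's HJT log) are resolved
            # by the loader from the system directory.
            $path = Join-Path $env:SystemRoot ("System32\" + $entry)
        }

        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $item = Get-Item $path
            Write-Host ("  {0} -> present at {1}; {2} bytes; modified {3}; signature: {4}" -f `
                $entry, $path, $item.Length, $item.LastWriteTime, $sig.Status)
        } else {
            # File gone but value still set: a stale entry that should be cleared
            # so the O20 line stops appearing in future scans.
            Write-Host "  $entry -> file NOT found at $path (stale entry)"
        }
    }
}
```

Any DLL that shows up as present with signature status NotSigned in the system directory, or as a stale entry, is worth copying into the next reply alongside the ComboFix and HJT logs so the helper can see the file details rather than just the name.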
 