Very stubborn virus

[LuckytoHaveYOU]

The main reason that I am writing this post is to warn whoever else that might be reading this about a malware program or virus or something that I currently have on my computer and hopefully get some help. This thing is quite a bugger.

So it turns out that whatever I have generates a fake Microsoft security icon next to all of my other active running program icons in the bottom right-hand corner of my screen that indicating that my computer may be at a security risk. When I clicked on it an almost identical "Microsoft" firewall security page comes up with all of the firewall settings and security features (some of which are defaulted to "security off" to make me think windows is not covering my security needs properly) and the refers me to a third party paying service that claims it will get protect/rid my computer of any viruses.

At this point, currently, I am forty hours deep in figuring out the what I can do to get this wretched thing off my computer. I have used the 8-step viruses/spyware/malware preliminary removal instructions and although some infections were erased, the final result was that my computer was still cursed with this infection. Obviously whoever wrote this program to infect my computer has done everything VERY well to prevent me from deleting it.

Some of my other symptoms of this mystery virus include: firefox starting up very slowly and taking longer to refresh information, iTunes taking a lot longer to do everything, ***Any/ALL spyware, firewall, and malware programs not being able to update their databases (including a freshly installed norton anti-virus)!****, system restore will NOT work, and neither will windows updates. Oh, and did I forget to mention that my windows "turn off system restore" is "disabled by group policy"?

At this point in time I am almost certain that all my bank accounts, passwords, credit cards, and other accounts have been compromised. I will be reprogramming all my accounts after this is fixed.

Anyways, to try fixing the problem, I tried to turn off system restore, but since this feature/option was disabled by the virus, I had to find out another route. I Googled my problem and I got some instructions from a website to go in manually through Start<Run<"regedit.exe"<(navigate /scroll mouse to)=HKEY_LOCAL_MACHINE \ Software \ Policies \ Microsoft \ Windows NT \ SystemRestore<then delete DisableConfig and DisableSR in the right hand screen.

I thought that this would help to fix the reinfection or something but it did not. So far I have ran avira, avast, superanti-spyware, malwarebytes, HJT, CCleaner, SmitFraudFix, Norton, and Comodo, but nothing has fixed it yet. Some things have shown up here and there but the infection is still there and Comodo is telling me that it is from pop-up windows.

Now I cannot uninstall Norton Anti-Virus Internet Security for some reason and none of my anti-virus/spyware/firewall programs will update to the databases. I am confused on what to do next. Will someone help me? I have attached the hijackthis report.

 

[rf6647]

The new HJT log is consitent with your problem.
Tick off the items in the second quote block.

Repeat efforts to get down to 1 firewall & 1 AV program.

.....what I can do to get this wretched thing off my computer. I have used the 8-step ..malware preliminary removal instructions .... still cursed with this infection.

!***Any/ALL spyware, firewall, and malware programs not being able to update their databases (including a freshly installed norton anti-virus)
!****, system restore will NOT work, and neither will windows updates. Oh, and did I forget to mention that my windows "turn off system restore" is "disabled by group policy"?

So far I have ran avira, avast, superanti-spyware, malwarebytes, HJT, CCleaner, SmitFraudFix, Norton, and Comodo,

Now I cannot uninstall Norton Anti-Virus Internet Security for some reason and none of my anti-virus/spyware/firewall programs will update to the databases.

I am confused on what to do next. Will someone help me? I have attached the hijackthis report.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
.
O2 - BHO: (no name) - {0FE32980-4444-4BCA-BF73-2660100EC27A} - (no file)
O2 - BHO: (no name) - {198f89a0-41b3-4f24-aa54-c94bc907831d} - (no file)
.O2 - BHO: (no name) - {5C35B589-336A-43E5-B77F-9233B6223FBA} - (no file)
O2 - BHO: (no name) - {C7FB2400-D0A6-40B1-B8AF-298DC66602FD} - (no file)
O2 - BHO: (no name) - {DCD2D13F-4AD5-429F-898E-2D418C9723C5} - C:\WINDOWS\system32\mlJYspPf.dll (file missing)

O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')

O20 - Winlogon Notify: nnnlkhff - nnnlkhff.dll (file missing)

 

[LuckytoHaveYOU]

I have checked off the selected items you specified for me but it did not seem to do anything? I am confused as to what you mean when you say "repeat efforts to get down to one firewall and AV". I still need help on this. None of my software updates to the databases so running scans do nothing because this virus has duped them into thinking that nothing is wrong. I really don't want to reformat. Help???

 

[rf6647]

OK. Let’s follow this tack. Here is the post that is the source:
mflynn - brutal malware. Use link in upper right corner to view entire thread.

The following is an excerpt.

D/L Xclean_Micro
http://www.xblock.com/download/xclean_micro.exe

No install, just run it. Delete all it finds. Decline to reboot on each item found, until the program finishes then reboot.
Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.
Please make a note of what it found as it has no log - (this may not be practical).
If it does run in normal mode and does removals, then reboot to regular Safe mode and run again.

Repeat until it runs clean or progress stalls.

Once here, uninstall MBAM & SAS.
Download new sources for MBAM & SAS.
If not reachable from Techspot, then try www.download.com.

Post logs & report progress.

 

[LuckytoHaveYOU]

Yeah, lol, I can get online in safe mode. My computer is so messed up.. let me try this and then get back. I will report back when finish these steps.

 

[LuckytoHaveYOU]

ok, I followed the steps to run xccleaner and it found a couple things which I deleted off my computer but after expecting a log after so many times, I forgot to write these applications down - I think one of them was named -viewbuilder-... I also installed and ran stinger which did not find anything. I uninstalled MWB and SAS after xccleaner was done (donwloaded both from download.com) and MWB worked fine with updates and everything (just as it did before) when I reinstalled it but the "system configuration settings" prevented me from reinstalling SAS in safe mode so it still will not update to the database and I am at another brick wall. I am writing this to you in safe mode again and am looking for more help. Please let me know anything else that I can do.

 

[mflynn]

Hi LuckytoHaveYOU

Lets hope you are luckytohaveme

The answer to your problem do only post #3. get the attachment.

https://www.techspot.com/vb/topic115811.html

Come back here to post all logs.

Mike

 

[LuckytoHaveYOU]

Ok so the sas file that you made and that I downloaded to my desktop still will not let me update. It says "make sure that your firewall is not blocking SuperAnti-Spyware". The MWB was able to update and detected one trojan but the MWB was always able to update.

I am about to give up. This is ridiculous, it has been over 50 hours now trying just to get my anti-virus softwares to update to the databases online. I have no access to the internet in normal mode as I am in safe mode with networking running and trying to update all these processes.

I have some logs attached.

 

[mflynn]

Hi Lucky

Well don't get negative now as you have broke mbam loose.

Turn off the Firewall for a few moments if it will not take your approvals/exceptions.

If you read the fixit log you will notice the volume that it cleaned. The failures were where I was trying to get what may be there. Likely in your case they were not there.

So you were bad bad off.

Now a couple of runs with mbam and sas in normal mode will break the Dam loose and things will begin to roll!

Mike

EDIT: Boot normal and begin it should work now. Remember if the Firewall won't knuckle under turn it off long enough to do the scans,

 

[LuckytoHaveYOU]

I think I have above average perseverance and diligence but this is pushing it. Sorry for getting negative. I will keep trying.

I really appreciate all the help from everyone. You guys are giving me hope, lol.

I have one concern, however, that these actions are getting blocked by a "firewall" that I do not have running. I can't seem to get the "firewall" to stop blocking all my updates? Comodo does not appear to be running in the background and I have added the SAS to the "trusted programs" access but it still is being blocked.

This is the problem I have right now.

 

[mflynn]

OK when his happens are you still in safe mode networking?

Since the mbam ran in Safe Mode Networking see if it will now run without updating in normal mode! If it does and finds more, then run it again until it comes up clean.

else
----------------------------------------------------------------------------------------------------------------------------------
OK lets go in a different direction do this in Normal or Safe Mode Networking:

Download SD Fix to Desktop among other things Catchme to look for RootKits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click thu all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-clickto RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished.

Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt

Copy and paste the Report.txt file to your next post.
----------------------------------------------------------------------------------------------------------------------------------

then the above works or not

ComboFix

NOTE: If you have had ComboFix more than a few days old delete and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall

Mike

PS I promise at some point here one of these will succeed and it will be like a Dam opening. Hhang in there! What is the alternative any way a SHOP where they may format away you valuable data photos emails.

 

[LuckytoHaveYOU]

That's true. My friend just had his computer sent in to a store to rid his computer of viruses and it ended up costing him $300 and three weeks without a computer.

I will report back with my new results.

Thank you again for helping me and to anyone else who has any input.

 

[LuckytoHaveYOU]

Here's the logs. I don't know if it fixed it yet as I have to switch between safe mode and normal mode.

 

[mflynn]

No you are nowhere near fixed but you may have kicked off enough mud that mbam and sas will now run and that is what we are after these are Dynamic Duo.

Reboot to normal and try MBAM followed by SAS unupdated if they will run but not update.

Mike

 

[LuckytoHaveYOU]

Ok at this point I have no idea what is helping and what is hurting. It seems like nothing is getting this thing off my computer. Are there any more steps that I can take to continue my malware elimination? It appears that my computer is still too "muddy".

I have been downloading everything in safe mode because my internet does not work in normal mode now for some reason. So far, I have tried SAS and MWB in normal and safe mode with no luck, it finds nothing. But SAS won't update, oh ...wait a second, now it will!!!!!! YES!!!!!!!!! Let me get back with results after I update and scan. Hopefully this works. Starting a scan in normal mode now.

 

[mflynn]

Yes if you still have the Fixit folder it is fast so lets take it in steps.

We have not run this in Safe Mode only and we have cleaned other things since.
And we have turned off UAC since also.

1. Boot to regular Safe Mode run it let it reboot
2. Boot to Safe Mode Networking run it let it reboot
3. back to normal run it again
4. then try mbam and sas

Mike

 

[LuckytoHaveYOU]

What is UAC again? Also, do you mean to run fixit those steps? Or a different program? You just say "it" and I am a little confused. I will begin to run fixit in those steps now. Thanks.

 

[mflynn]

Sorry! Its late that was another Thread only Vista has UAC.

Yes that is what I wanted you to do run the download from the Fixit folder.

As it can clean more as it runs in each state.

Actually you should re download the Attachment as it too as I have updated it since you last downloaded it.

Mike

 

[LuckytoHaveYOU]

I am running windows XP professional edition. I am going to redownload the fix and try it again in each of safe mode then normal mode and try MWB and SAS. Will post back tomorrow. BTW, I tried to do the steps from the previous post and MWB and SAS report back as nothing being wrong, but obviously there is something wrong because of all my log reports indicate so and I still have no internet in normal mode and no updates taking place. My firewall (Comodo), SAS, Avast, Avira, and Norton do not update, (but MWB and spybot update just fine still as they did similarly in my other previous posts)... so we know that I have to try something else.

 

[LuckytoHaveYOU]

ok so i have run fixit in safe mode, reboot, then safe with networking, reboot, then applied the cracked MWB and SAS in safe networking mode. It found nothing. I still have to try them both in normal mode after I reboot, apply fixit in normal mode, then reboot. Will post back later.

 

[mflynn]

OK but no need for more mbam and sas in either safe mode.

Mike

 

[mflynn]

Ok I just reread the entire thread and have questions.

Are you still having Internet access problems?

And if so certain things update but you can't browse?

Now give me details as to general condition of computer now.

Boot up and shutdown OK?

Look and feel of just moving around in My computer etc what ever you do without the Internet?

Any programs not working or errors?

Let me know some details about the above.

But if the Internet is the remaining issues then do the 2 below operations these are not scans and should only take 3-4 minutes. Well do them anyway as they can only help.

---------------------------------------------------------------------------------------------------------------------------------
We are going to give your TCP/IP, WINSOCK, NETBIOS, ARP and DNS an Enema!!

Drag mouse and copy for pasting all the text in the box watch slider on side go to bottom and end of last line.

@echo off
ipconfig /all >"%USERPROFILE%"\Desktop\ipconfig.out
;Saves ip settings

netsh interface ip delete arpcache

ipconfig /flushdns

ipconfig /release *

ipconfig /renew *

ipconfig /registerdns

nbtstat -RR

netsh winsock show catalog >"%USERPROFILE%"\Desktop\lsp.txt
;saves log of current settings

netsh winsock reset catalog
;resets Winsock

netsh winsock show catalog >>"%USERPROFILE%"\Desktop\lsp.txt
;winsock after rest

netsh int ip reset >"%USERPROFILE%"\Desktop\tcpreset.txt
;reset TCP stack
exit
exit

Then open a cmd prompt and paste into the black screen. Ignore the errors, cmd screen will close.
reboot here

---------------------------------------------------------------------------------------------------------------------------------
Download Dial-A-Fix (DAF)
http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

Have XP CD available in case DAF needs a file.

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

Check for correct time and date.

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here 1 at a time do the below

Reinstall BITS
Reinstall Windows Firewall
Repair Permissions
Reset networking
Reset WMI/WBEM (not the reinstall)

Watch for any File not found or other errors and make note as this may lead to the fix!

Reboot retest!

Get back with GOOD news for a change.

Mike