Very bad Malware - scrubbers forced off

[John L]

Win XP Pro SP3

system was infected 2 days ago.

First it turned off Symantec AV; then Windows defender.

I had Malwarebytes on the system ( non-realtime) and when I lauched it the
first time, I started Quick Scan then the windows disappeared. The icon went
blank.

Started in Safe mode with networking
Re-loaded Malwareytes, it took and the Icon image re-appeared. It took an
update but when launched; the window dis-appeared. Secound launch said I did
not have permission to access the file. Also, it said path was bad.

I then loaded egnima spyhunter. It loaded but the very same thing happened
to it as it did to Malwarebytes.

Is there a stand alone "de-louser" that I can use. If it boots to XP, the
bad guy takes over and kills the killers.

What does my son have on his system?

 

[Leonard Grey]

When a computer is that badly infected, it's usually not possible to
fix. The only way out is to erase the hard drive and start over. You
could bring the machine to a professional, but don't be surprised if you
get the same advice.

 

[Elmo]

Win XP Pro SP3

system was infected 2 days ago.

First it turned off Symantec AV; then Windows defender.

I had Malwarebytes on the system ( non-realtime) and when I launched it
the first time, I started Quick Scan then the windows disappeared. The
icon went blank.

Started in Safe mode with networking
Re-loaded Malwarebytes, it took and the Icon image re-appeared. It took
an update but when launched; the window dis-appeared. Second launch
said I did not have permission to access the file. Also, it said path
was bad.

I then loaded Egnima Spyhunter. It loaded but the very same thing
happened to it as it did to Malwarebytes.

Is there a stand alone "de-louser" that I can use? If it boots to XP,
the bad guy takes over and kills the killers.

What does my son have on his system?

Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is
available.. it prompts you to insert a CD and burns the file, no problem.

Then run these:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html

 

[Bob Lucas]

Some infections have inbuilt defences, which interfere with
Malwarebytes and resident anti-virus protection.

Have a look at the instructions at
http://tech.amikelive.com/node-144/tdss-trojan-and-bediddle-adware-removal-guide.

These instructions describe a workaround, which camouflages
Malwarebytes. Although the instructions mention the TDSS rootkit
infection, the workaround is also effective against some other
infections, which adopt a similar modus operandi. The workaround
enables a disguised version of Malwarebytes to remove the
infection.

If that doesn't resolve the problem, you could download and scan,
using the free edition of SUPER AntiSpyware from
www.superantispyware.com.

Another possibility is Panda ActiveScan, from
www.pandasecurity.com/activescan/index.

If you are using a desktop (as opposed to a laptop computer) and
none of the previous suggestions removes the infection, you might
need to try an entirely different approach.

This approach requires the use of a second computer. Download
and install Malwarebytes and SUPER AntiSpyware onto the second
computer. Also, make sure the second computer has adequate and
up-to-date protection against malicious software.

Then, remove the hard drive from the infected computer and
connect it to the host computer as a slave drive (or in a USB
caddy). Boot the host computer.

Following boot-up, the infection should remain inactive. That is
because the host computer has not booted from or run any programs
from the infected drive.

Firstly, scan the infected drive, using the host computer's
standard anti-virus protection. Then, perform a second scan,
using Malwarebytes. Then, use SUPER AntiSpyware for a subsequent
scan. Hopefully, one or more of these remedies will detect and
remove the infection.

Then, replace the drive in the original computer. Download and
re-install Malwarebytes (just in case the original installation
was damaged by the original infection). Then, use Malwarebytes
for yet another scan.

Good luck.

 

[Leythos]

Try using my Remove-it software

PCBUTTS1, you've exposed yourself as the PIRATE/THIEF we all have said
you are.

You've been clearly exposed as a thief when you pirated code containing
a special marker enter by the real author, the file named
"obatssrsghde.exe" was a marker inserted into Stuarts batch file you
stole from him, it was a KEY that proves you're a thief:

For those that don't know, Stuart inserted the obatssrsghde.exe marker
into his batch file to prove, to the community, that PCBUTTS1 / The Real
Truth MVP is actually a lying thief, and PCBUTTS admitted in his own
post that he created the marker and claimed to know what it was - even
claimed to have submitted the malware to anti-virus vendors, but the
joke was on him, Stuart told everyone in the community about it BEFORE
it appeared in PCBUTTS1 download.... There is no actual file named
obatssrsghde.exe in the malware community, it was a ruse.

The key is in the spelling (shifted one character):

obatssrsghde.exe
pcbuttsthief

If you change (add) 1 character to each letter you will see that
"obatssrsghde" is actually the marker "pcbuttsthief" - proving that
PCBUTTS1 is a thief.

Are there other markers - YES, does PCBUTTS1 know about them - no,
they've been there for a long time, but this is the most obvious one.

Face it Chris/PCBUTTS1/TRT, you've exposed yourself in public.

 

[turbo]

Change the filename of the malwarebytes from * .exe to *.com and then launch
it.. A lot of trojans will 'fiddle' with the windows association of EXE
files.

 

[David H. Lipman]

From: "John L" <[email protected]>

| Win XP Pro SP3

| system was infected 2 days ago.

| First it turned off Symantec AV; then Windows defender.

| I had Malwarebytes on the system ( non-realtime) and when I lauched it the
| first time, I started Quick Scan then the windows disappeared. The icon went
| blank.

| Started in Safe mode with networking
| Re-loaded Malwareytes, it took and the Icon image re-appeared. It took an
| update but when launched; the window dis-appeared. Secound launch said I did
| not have permission to access the file. Also, it said path was bad.

| I then loaded egnima spyhunter. It loaded but the very same thing happened
| to it as it did to Malwarebytes.

| Is there a stand alone "de-louser" that I can use. If it boots to XP, the
| bad guy takes over and kills the killers.

| What does my son have on his system?

| --

| *****************
| John Lenz
| (e-mail address removed)



You probably are rooted by the TDSS RootKit.

http://www.gmer.net/#files
Close all programs and utilities and and perform "quick scan" with Gmer and after that run
a full scan to be sure that machine is clean.

Steer clear away from the PCBUTTS1 Remove-It software. It will deliberately cripple
Malwarebyte's Anti Malware and block access to legitimate web sites. Both the author and
the conglomeration of plagiarized software called Remove-It are malicious.

 

[Barry Schwarz]

Try using my Remove-it software, it should remove that malware from your
system. Choose yes for all options when prompted. Download it here
http://www.ms-mvp.org/ if it does not then let me know as I as currently
working on an update but it wont be ready for a few more hours.

This is not the MVP site despite its fake logos.

The correct MVP site is http://www.mvps.org/.

 

[John L]

I downloaded and booted bitdefender rescue CD into as a Linux environment.
This is one tough bug. As soon as I started the program, it was killed.

--

*****************
John Lenz
(e-mail address removed)

Win XP Pro SP3

system was infected 2 days ago.

First it turned off Symantec AV; then Windows defender.

I had Malwarebytes on the system ( non-realtime) and when I launched it
the first time, I started Quick Scan then the windows disappeared. The
icon went blank.

Started in Safe mode with networking
Re-loaded Malwarebytes, it took and the Icon image re-appeared. It took
an update but when launched; the window dis-appeared. Second launch
said I did not have permission to access the file. Also, it said path
was bad.

I then loaded Egnima Spyhunter. It loaded but the very same thing
happened to it as it did to Malwarebytes.

Is there a stand alone "de-louser" that I can use? If it boots to XP,
the bad guy takes over and kills the killers.

What does my son have on his system?

Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is
available.. it prompts you to insert a CD and burns the file, no problem.

Then run these:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html

 

[John L]

Dave,

I came up in safe mode and launched gmer (scrambled.exe). It runs and finds
the following:

\\?\globalroot\Device\_max++>\FC190040x86.dll

The program continues to run and the drops from the screen. How bad is the
virus/trojan. If i re-reun, it finds the same problem.

The very firat time I ran it, it showed more \\?\globalroot\ entries.

How does gmer clean this stuff. If I right-clicked on the red tagged entry,
I only had "options" available; all others were greyed out.

THX

 

[John L]

Bob,

I tried the aproach and immendaitely upon lauch in safe mode, mab.exe was
killed.

 

[Bob Lucas]

That's the problem with new infections. There is no magic bullet
that will resolve every case.

I wonder whether it would be possible to connect the infected
drive to another computer (as a slave), boot the host computer,
and scan the infected drive? The infection should remain
inactive, because the host computer does not need to boot from
the infected drive. If that isn't possible, then I don't know
what else to suggest.

However, you might obtain additional information, if you Google
against \\?\globalroot\Device\_max++> and other permutations of
the name

 

[David H. Lipman]

From: "John L" <[email protected]>

| Dave,

| I came up in safe mode and launched gmer (scrambled.exe). It runs and finds
| the following:

| \\?\globalroot\Device\_max++>\FC190040x86.dll

| The program continues to run and the drops from the screen. How bad is the
| virus/trojan. If i re-reun, it finds the same problem.

| The very firat time I ran it, it showed more \\?\globalroot\ entries.

| How does gmer clean this stuff. If I right-clicked on the red tagged entry,
| I only had "options" available; all others were greyed out.

| THX

| --

| *****************
| John Lenz
| (e-mail address removed)

A bad enough Trojan RootKit known as TDSS.

Go to; http://www.thespykiller.co.uk/index.php?board=3.0

Post the above information, what you have done to date and the fact that I forwarded you
to get assistance.


NOTE: Registration is REQUIRED at the SpyKiller forums.

 

[Elmo]

I downloaded and booted Bitdefender rescue CD into as a Linux
environment. This is one tough bug. As soon as I started the program,it
was killed.

Knoppix was killed, or the malware scanner? Knoppix doesn't play well
with some Dell machines, I've found.. Also try other CD's at that site.

(Previous posts):


Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is
available.. it prompts you to insert a CD and burns the file, no problem.

Then run these:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html