Security Center Alert [Solved]
sailerman
post Jul 1 2009, 10:00 AM
Post #1


New Member
Posts: 2
OS: Windows XP, service pack 3



Hello,

I've been a long-time reader and this forum has helped me many times. However, this is the first time I have not been able to remove a virus/malware. So I am posting for some help.

The malware will not allow Malwarebytes to update, nor will it allow SuperAntiSpyware to update. I am getting false alerts as follows: "Warning: the media system on your computer is corrupt", "system alert: virus.win32.pgcode.ak - click balloon to install antivirus..." etc.

Both Malwarebytes and SuperAntiSpyware find issues, but upon reboot the malware returns.

mbam - Log

Malwarebytes' Anti-Malware 1.38
Database version: 2353
Windows 5.1.2600 Service Pack 3

7/1/2009 11:14:13 AM
mbam-log-2009-07-01 (11-14-13).txt

Scan type: Quick Scan
Objects scanned: 106358
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACmgokkshxtlivjshys.dll (Trojan.TDSS) -> Delete on reboot.
\\?\globalroot\systemroot\system32\UACjjqfrjtiqoqxlxjcb.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACmgokkshxtlivjshys.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
\\?\globalroot\systemroot\system32\UACjjqfrjtiqoqxlxjcb.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\Super\local settings\temporary internet files\Content.IE5\05CKESMV\load[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


SuperAntiSpyware Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/01/2009 at 11:39 AM

Application Version : 4.26.1006

Core Rules Database Version : 3961
Trace Rules Database Version: 1902

Scan type : Quick Scan
Total Scan Time : 00:17:39

Memory items scanned : 451
Memory threats detected : 2
Registry items scanned : 539
Registry threats detected : 0
File items scanned : 28476
File threats detected : 2

Rootkit.Agent/Gen-UACFake
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACJJQFRJTIQOQXLXJCB.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACJJQFRJTIQOQXLXJCB.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACMGOKKSHXTLIVJSHYS.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACMGOKKSHXTLIVJSHYS.DLL

Thank you for your time and help,

Sailerman
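The Malwarebytes log above already explains why the infection keeps coming back: two of the UAC* components could only be scheduled for "Delete on reboot", and the \\?\globalroot paths mean a kernel driver is hiding them, while the DisableTaskMgr policy shows the malware has been tampering with user controls. As an added example (not the poster's or Malwarebytes' code), the Python below parses that log layout and groups the entries by those three indicators; the sample log is constructed from lines in the post.

```python
import re
from collections import defaultdict
# Constructed sample in the Malwarebytes 1.38 log layout of the post above (same paths/names, not new data).
SAMPLE_LOG = r"""Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACmgokkshxtlivjshys.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

def parse_mbam_log(text):
    """Return (section, item, detection, action) tuples from an MBAM log."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group("section")
            continue
        hit = ENTRY_RE.match(line)
        if hit and section:  # "(No malicious items detected)" never matches ENTRY_RE
            entries.append((section, hit.group("item"), hit.group("name"), hit.group("action")))
    return entries

def triage(entries):
    """Group entries by what they say about a removal that does not stick."""
    flags = defaultdict(list)
    for _section, item, name, action in entries:
        low = item.lower()
        # Kernel-hidden component: \\?\globalroot\ path, UAC* DLL in system32, or a rootkit name
        if (name == "Trojan.TDSS" or name.startswith("Rootkit")
                or "\\globalroot\\" in low or re.search(r"\\system32\\uac[^\\]*\.dll$", low)):
            flags["rootkit_component"].append(item)
        # Still on disk: the scanner could only schedule deletion for the next boot
        if action.startswith("Delete on reboot"):
            flags["pending_reboot"].append(item)
        # Task Manager disabled by policy: tampering, not a user setting
        if low.endswith("\\disabletaskmgr"):
            flags["policy_tampering"].append(item)
    return dict(flags)
```

Any entry in `pending_reboot` that is also in `rootkit_component` is the one to expect back after restart, which is exactly the behaviour the poster describes.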
heir
post Jul 1 2009, 11:16 AM
Post #2


Trusted Helper
Posts: 3,384
From: Sweden
OS: Windows XP SP3



Hello sailerman !

Welcome to the site! My nickname is heir and I'll be helping clean up your computer.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Malware Removal and Spyware Removal.
  • Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
  • When posting logs, please ensure Word Wrap is turned off in Notepad (to check, open Notepad; in the menu bar click on Format and make sure that Word Wrap is unchecked).
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
  • Make sure you reply to this thread using the Add Reply button:


Please read my posts completely before following the instructions.
It may be easier for you if you copy and paste a post to a new text document or print it for reference later.
This is necessary when you won't have access to the Internet.


Step 1.
ComboFix:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Step 2.
OTL:

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Underneath Extra Registry at the lower left set it to Use Safelist.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.


Step 3.
Things I would like to see in your reply:

  1. The content of C:\ComboFix.txt from step 1.
  2. The content of OTL.txt and Extras.txt from step 2.

sailerman
post Jul 2 2009, 06:49 AM
Post #3


New Member
Posts: 2
OS: Windows XP, service pack 3



Heir,

Thank you for your timely response. I have "fixed" the issue... I have fixed it so well that Windows boots to the blue screen of death and safe mode just locks up...LOL I "jacked" my drive and hooked it to a laptop via USB, scanned the drive with NAV, and it removed several files, some of which I believe were *.sys files. This has rendered me unable to boot into Windows.

I will try and recover windows but it is not looking so good at this point. You may as well close this thread. If I happen to recover from my "genius" move, I will start a new post.

Once again, thank you for all your help, keep up the great work,

Sailerman
heir
post Jul 3 2009, 02:20 PM
Post #4


Trusted Helper
Posts: 3,384
From: Sweden
OS: Windows XP SP3



Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.