I used Geekstogo a few years back for help with a desktop of mine. Because of your great success, I decided to try here again when my parents called me and told me their laptop was under attack.
The Story:
The first issue was a different scareware, SystemProtect, I think, that one of my folks trusted and installed onto their system (Laptop, Windows XP Pro SP2). It changed their background to one big malware, virus, adware warning. (Hilariously over the top and misspelled...)
It also caused constant popups warning of non-existent security alerts (like most scareware does).
They had NO anti-anything installed... so I quickly installed Spybot, Threatfire, ad-aware and Malware Bytes.
The malware blocked Threatfire and Malware bytes from installing, it prevented ad-aware from running and kept spybot S&D from removing the files it did scan and find.
A friend tried to fix it. Somehow, he was able to remove the issues by following an online guide which instructed him on what files to delete and what to change in the registry.
Everything seemed fine, and the computer was back to normal until the next day when my dad started to use internet explorer. Wherever he went, it installed "Protection System" and made things much worse.
The current issues are the following:
Protection System is installed and running.
Every 30 seconds, it shows a balloon from the task panel warning of an imminent threat.
Every 2 minutes it pops up either with a similar warning or one that says "A computer at this IP address is attacking your computer..." etc.
It even came up with a warning that "Malware Bytes" is a high threat and must be removed immediately. (MalwareBytes was installed between the first and second problem.)
It adds porn links to the desktop.
The wallpaper is an active desktop recovery screen.
The malware also blocks access to some websites. It completely blocks access to some antivirus sites and gives this warning to "popular" sites like facebook, myspace or ebay:
"Restricted Site!
This web site is restricted based on your security preferences.
Your system is infected. Please activate your antivirus software."
_______
I have tried all the programs previously mentioned, and I completed your "Malware and Spyware Cleaning Guide". Here are the results:
SysRestorePoint - would not run
Erunt - Completed step
MalwareBytes - will not run
Numerous antivirus programs...I didn't try them all, but I wasn't having any luck with the ones I did try
Windows Updated
I didn't risk a reboot since most of the previous didn't work
RootRepeal - worked:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2009/07/24 00:42
Program Version:    Version 1.3.2.0
Windows Version:    Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB1B45000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79DD000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: hjgruixfumujai.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruixfumujai.sys
Address: 0xB1F38000    Size: 159744    File Visible: -    Signed: -
Status: Hidden from the Windows API!

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7A69000    Size: 2560    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1597000    Size: 49152    File Visible: No    Signed: -
Status: -

Hidden Services
-------------------
Service Name: hjgruisqtenbmq
Image Path: C:\WINDOWS\system32\drivers\hjgruixfumujai.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACcqokxehkrt.sys

==EOF==
OTL - Worked (Log attached)
That's about it...
thanks for any help I will get...
I am awaiting your response.
Kris
Edited by DrLucky, 24 July 2009 - 01:21 AM.
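Triage of a RootRepeal log like the one posted above can be done mechanically. What follows is an added example, not part of the thread and not RootRepeal's own code: a Python parser for the Drivers and Hidden Services sections that reports the drivers RootRepeal itself marked "Hidden from the Windows API!" and every hidden service, and cross-references each service's image path against the hidden drivers. The embedded log is the one posted above, re-typed into RootRepeal's one-field-per-line layout, with two driver entries (dump_WMILIB.SYS and mchInjDrv.sys) omitted for length. The section and field names are RootRepeal's; the triage rules are this example's own assumptions.

```python
"""Triage a RootRepeal log: parse its Drivers and Hidden Services sections and
report what the scanner itself marked as hidden. Added example; log excerpted from the thread."""
import re

SAMPLE_LOG = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:    2009/07/24 00:42
Program Version:    Version 1.3.2.0
Windows Version:    Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB1B45000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: hjgruixfumujai.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruixfumujai.sys
Address: 0xB1F38000    Size: 159744    File Visible: -    Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1597000    Size: 49152    File Visible: No    Signed: -
Status: -

Hidden Services
-------------------
Service Name: hjgruisqtenbmq
Image Path: C:\WINDOWS\system32\drivers\hjgruixfumujai.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACcqokxehkrt.sys

==EOF==
"""

# Address, Size, File Visible and Signed share one line in the Drivers section.
FIELD_RE = re.compile(r"(Address|Size|File Visible|Signed):\s*(\S+)")

def _after(key, line):
    # Drivers use "Image Path:", hidden services "Image Path<TAB>": colon optional.
    return line[len(key):].lstrip(":").strip()

def parse_rootrepeal(text):
    """Return (drivers, hidden_services): lists of dicts keyed by RootRepeal's
    own field names, lowercased ('name', 'image path', 'status', ...)."""
    drivers, services, section = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "=-":
            continue
        if line in ("Drivers", "Hidden Services"):
            section = line
            continue
        if ":" not in line and not line.startswith("Image Path"):
            section = None  # header of a section this parser does not handle
            continue
        if section == "Drivers":
            if line.startswith("Name:"):
                drivers.append({"name": _after("Name", line)})
            elif drivers and line.startswith("Address:"):
                drivers[-1].update((k.lower(), v) for k, v in FIELD_RE.findall(line))
            elif drivers:
                for key in ("Image Path", "Status"):
                    if line.startswith(key):
                        drivers[-1][key.lower()] = _after(key, line)
        elif section == "Hidden Services":
            if line.startswith("Service Name:"):
                services.append({"name": _after("Service Name", line)})
            elif services and line.startswith("Image Path"):
                services[-1]["image path"] = _after("Image Path", line)
    return drivers, services

def triage(drivers, services):
    """Flag drivers RootRepeal marked hidden and every hidden service, noting
    when a service's image is itself a hidden driver. 'File Visible: No' is
    deliberately not a signal: in this log it also fires on the dump_* crash-dump
    driver and on rootrepeal.sys, the scanner's own driver (assumption of this example)."""
    hidden = [d for d in drivers if "hidden" in d.get("status", "").lower()]
    hidden_paths = {d.get("image path", "").lower() for d in hidden}
    findings = [f"hidden driver {d['name']} at {d.get('address')}: {d['status']}" for d in hidden]
    for s in services:
        tag = "hidden service"
        if s.get("image path", "").lower() in hidden_paths:
            tag += " backed by a hidden driver"
        findings.append(f"{tag}: {s['name']} -> {s.get('image path', '?')}")
    return findings

if __name__ == "__main__":
    for finding in triage(*parse_rootrepeal(SAMPLE_LOG)):
        print(finding)
```

Run it directly to print the findings; for a real log, read the file and pass its text to parse_rootrepeal. On the posted log it reports the hjgruixfumujai.sys driver, the hjgruisqtenbmq service that loads that same hidden image, and the UACd.sys service whose image file is not in the driver list at all.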