WiredWX Christian Hobby Weather Tools
Trojan horse taken my rights and registry, can't do anything

Somehow I acquired a trojan horse. I have McAfee and AVG. Ran both and got 3 trojans:
program files\shared\lib.dll, temp\kYFZYrwbcT.exe, temporary internet files\content.IE5\5VXVWUTH\Setup.exe

Now I cannot execute any programs nor get onto the internet. I also cannot run the task manager. I am stuck and just can't function. I WILL NOT CONSIDER re-formatting my hard drive. I am communicating from another laptop I have. I have malware but I am not allowed to run it. Apparently I am no longer the administrator. I even tried to download to a flash drive and install from there but it won't let me install or copy anything.

Re: Trojan horse taken my rights and registry, can't do anything

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see this topic.

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.
Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

Re: Trojan horse taken my rights and registry, can't do anything

Maybe you're too geeky to help me. Would you please re-read my post. I can't get on the internet. I can't copy/paste or download anything executable even from a cd or flash drive. I can get into some apps because I have a doc on my desktop for instance. I can't get into the app by clicking on the icon. My rights have been denied or the file may be in use..., the file format may not be supported...or the file may be corrupt. I have spent hours on this researching and trying things, I was at one point able to restore my computer to an earlier point but it did not rectify the problem. This is my last resort short of taking it somewhere and I am hours away from that option.

Re: Trojan horse taken my rights and registry, can't do anything

I have gotten the combofix.exe onto the sad laptop. I have tried to run it several ways, run as..., start... etc. but it fails because it keeps popping open the "OPEN WITH..." menu. I am still stuck, I will check back later to see if anyone can help with this problem. I spent a whole day yesterday on the sad laptop so I will check back periodically for something to try. Thank you.

Re: Trojan horse taken my rights and registry, can't do anything

I tried to run combofix and it says AVG and McAfee are still running. I can't close them, so I went ahead and ran it. After hours of the "scanning for infected files" msg., it doesn't do anything or give me any more messages.

Re: Trojan horse taken my rights and registry, can't do anything

In order for this to get removed, it is important to take steps necessary to get the tools needed to disinfect the computer.

Please make this CD, so we can go in to Recovery Mode and disinfect the computer.

Download the OTLPE Network REATOGO Windows Recovery Environment.
  • Place a blank CD-R disc in to your CD burning drive.
  • Download OTLPENet.exe and double-click on it to burn to a CD using ISO Burner.
  • Reboot your system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD, follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings:
    • Change Drivers to Non-Microsoft
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\_OTL\MovedFiles
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.

Re: Trojan horse taken my rights and registry, can't do anything

Okay, I was able to run combo fix and it appears my computer is all right. I just kept trying to run it and then check to see if I could run task manager. I finally could so I ran combo fix again and I got the log. Do I need to do anything else (besides a major backup... )? Thank you so much for your help.

Re: Trojan horse taken my rights and registry, can't do anything

Oh by the way, I was trying to do the things you told me to but I didn't have any CDs so I tried with my flash drive. In the interim I did the above. Byte by byte, I guess combo fix beat it down. I didn't want you to think I wasn't following directions and wasting your intelligent advice. Again, thank you so much and also for having this site. I will donate as soon as I can and save this site to my favorites and tell my friends about it!

Re: Trojan horse taken my rights and registry, can't do anything

Most of the time, when you have originally detected the malware issue, it means the computer is infected by malware of some sort. Antivirus scanners may not show a sign of the malware still being there, which could be a sign of a rootkit.

Whenever rootkit scanners and antivirus software scan for a rootkit, they get as close to the system kernel as possible. If the rootkit is beyond that point, it will not be detected.

So the idea is, when you post to a forum that you need help removing malware, it is best to stay with the helper, to ensure your computer is clean. However, it is up to you to continue or not.

To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall

(Image: the Run box with the ComboFix /uninstall command entered)

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide system files and folders, and reset System Restore.

Re: Trojan horse taken my rights and registry, can't do anything

I am soooo staying. Thank you. So is that the next step? Uninstall combofix? What exactly do I do now?

Re: Trojan horse taken my rights and registry, can't do anything

I ran the uninstall command as you directed and received the info box that says "combofix is uninstalled" and clicked the "OK" button.

Re: Trojan horse taken my rights and registry, can't do anything

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.

Re: Trojan horse taken my rights and registry, can't do anything

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4336

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

7/21/2010 4:10:07 PM
mbam-log-2010-07-21 (16-10-07).txt

Scan type: Quick scan
Objects scanned: 141637
Time elapsed: 10 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Trojan horse taken my rights and registry, can't do anything

MBRCheck

Download MBRCheck to your desktop.
  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop
  • Open this report and post its content in your next reply.
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
Please make sure to include the following in your next reply:
  • MBRCheck log
  • ESET Online Scan log

Re: Trojan horse taken my rights and registry, can't do anything

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status
-----------------------------------------------------------

93 GB \\.\PhysicalDrive0 Unknown MBR code

Found non-standard or infected MBR
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


So what now, I can't get it to download, I clicked on the blue option in your post and ran it. Also, there is no log on my desktop. The black screen is posted above waiting for a response.

Re: Trojan horse taken my rights and registry, can't do anything

The path of the MBRcheck is c:\documents and settings\owner\desktop
but I don't see any icon or description of such. It's just that it is still open so I can see the path of the file.

Re: Trojan horse taken my rights and registry, can't do anything

I have to go to a supper engagement so I will check when I get back for your response. I am hoping the supper won't be more than a couple of hours. Again, thank you for your help. I am in MN, USA so I don't know what the time difference is where you are helping from. I will let you know when I return.

Re: Trojan horse taken my rights and registry, can't do anything

I have returned from supper. I will check tomorrow to see what you have sent.

Re: Trojan horse taken my rights and registry, can't do anything

Run MBRCheck.exe
  • Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks you Enter your choice:, enter 2 and press the Enter key
  • Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes:, followed by a list of operating systems. Please enter 1 for Windows XP, and then press Enter.
  • When asked Do you want to fix the MBR code? type in YES and press Enter
  • Restart your PC.


Please post a new MBRCheck log in your next reply.
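To show what the "Unknown MBR code" versus "Windows XP MBR code detected" verdicts above are based on, here is an added example (not MBRCheck's own code) that parses a 512-byte MBR sector, verifies the 0x55AA boot signature, decodes the four partition entries, and compares a hash of the 440-byte bootstrap code against an allowlist of known-good loaders. The allowlist entry and both sample sectors are constructed stand-ins, not real Windows boot code.

```python
"""Inspect a 512-byte MBR sector the way a boot-sector checker does."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440          # bootstrap code precedes the 4-byte disk signature
PARTITION_TABLE_OFF = 446    # four 16-byte entries, then the boot signature
BOOT_SIGNATURE = b"\x55\xaa"

# Constructed placeholder: a real checker keeps SHA-256 hashes of known-good
# bootstrap code (e.g. the Windows XP loader) here. The value added below is
# derived from a made-up sample and is NOT a real Windows MBR hash.
KNOWN_GOOD_BOOTSTRAP = set()


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (CHS fields are skipped)."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors, "status": status}


def inspect_mbr(sector: bytes) -> dict:
    """Return signature validity, bootstrap hash, partitions and warnings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    findings = {"signature_ok": sector[510:512] == BOOT_SIGNATURE}
    code_hash = hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest()
    findings["bootstrap_sha256"] = code_hash
    findings["bootstrap_known"] = code_hash in KNOWN_GOOD_BOOTSTRAP
    parts = [parse_partition_entry(sector[PARTITION_TABLE_OFF + 16 * i:
                                          PARTITION_TABLE_OFF + 16 * i + 16])
             for i in range(4)]
    findings["partitions"] = parts
    warnings = []
    if not findings["signature_ok"]:
        warnings.append("missing 0x55AA boot signature")
    if not findings["bootstrap_known"]:
        warnings.append("unknown MBR code")   # MBRCheck's wording for this case
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            warnings.append(f"partition {i}: invalid status byte {p['status']:#x}")
        if p["bootable"] and p["type"] == 0:
            warnings.append(f"partition {i}: bootable flag on empty entry")
    findings["warnings"] = warnings
    return findings


def build_sample_mbr(bootstrap: bytes, part_type: int = 0x07) -> bytes:
    """Construct a sector with the given bootstrap code and one NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    entry = struct.pack("<B3xB3xII", 0x80, part_type, 63, 195_000_000)
    sector[PARTITION_TABLE_OFF:PARTITION_TABLE_OFF + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


GOOD_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20   # constructed stand-in loader
KNOWN_GOOD_BOOTSTRAP.add(
    hashlib.sha256(GOOD_CODE.ljust(BOOTSTRAP_LEN, b"\0")).hexdigest())

if __name__ == "__main__":
    clean = inspect_mbr(build_sample_mbr(GOOD_CODE))
    tampered = inspect_mbr(build_sample_mbr(b"\xeb\xfe" + b"\xcc" * 30))
    print("clean:", clean["warnings"])        # []
    print("tampered:", tampered["warnings"])  # ['unknown MBR code']
```

On a real system the sector would be read from \\.\PhysicalDrive0 and the allowlist filled with hashes taken from a known-clean installation of the same Windows version.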

Re: Trojan horse taken my rights and registry, can't do anything

Completed the task.

Re: Trojan horse taken my rights and registry, can't do anything

Ooops! Here is log.
MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size Device Name MBR Status
-----------------------------------------------------------

93 GB \\.\PhysicalDrive0 Windows XP MBR code detected

Done! Press ENTER to exit...

Re: Trojan horse taken my rights and registry, can't do anything

Good thing we cleaned that.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Re: Trojan horse taken my rights and registry, can't do anything

Here is new Malware log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4339

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

7/22/2010 3:04:27 PM
mbam-log-2010-07-22 (15-04-27).txt

Scan type: Quick scan
Objects scanned: 144057
Time elapsed: 14 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Trojan horse taken my rights and registry, can't do anything

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: Trojan horse taken my rights and registry, can't do anything

Okay, I will post after the above is completed.

Re: Trojan horse taken my rights and registry, can't do anything

It has finally finished and here is the log.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cb29a115dc63a74eb508b3cf0fe2ca2d
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-22 11:36:49
# local_time=2010-07-22 06:36:49 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777175 100 0 15802216 15802216 0 0
# compatibility_mode=5121 16776537 100 85 106365530 112918173 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=115291
# found=0
# cleaned=0
# scan_time=8710

Re: Trojan horse taken my rights and registry, can't do anything

Are you gaining control over your computer again?

Let me know of any other issues.

Re: Trojan horse taken my rights and registry, can't do anything

It appears all is well. Is there anything else I need to do?

Re: Trojan horse taken my rights and registry, can't do anything

Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again, the program will close and you are done


Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check

Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.
