Zentom.... Help

Did you try using RKILL?

Try this if Rkill did not work.

Please download RogueKiller.exe and save it to your desktop.

• Now quit all running programs.
• Double click RogueKiller.exe to run it.
• When prompted, type 1 and hit Enter.
• A RKreport.txt should appear on your desktop.
• Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe .
• Please post the contents of the RKreport.txt in your next Reply.

What exactly have you tried from the below?

 

So you need to tell me what you have tried and what has not worked so that we are working on the same page so to speak. Refer to the R&R and let me know what you have attempted.

Are you able to run this?

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run

If nothing is working/running then you are going to have to boot into safe mode and see if you can work that way.

 

Yes, and try running everything else in the READ & RUN ME FIRST. Malware Removal Guide in safe mode if you really cannot get things to run in normal mode.

 

Download and run Win32kDiag per the below instructions:

• Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
• Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log

C:\win32kdiag.exe -f -r


Now we need to scan the system with this special tool.

• Please download Junction.zip and save it to your root folder (C:\Junction.zip)
• Unzip it and put junction.exe in the root folder (C:\junction.exe)
• Now click Start => Run... => Copy and paste the following command in the run box and click OK:
  
  cmd /c junction -s c:\ >C:\log.txt
  ​
• A command prompt window opens and also a license agreement from SysInternals will appear.
• Accept the license agreement and the scan will begin.
• Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes). (How to attach items to your post)
• NOTE: It scans your whole hard disk so if can take a long time. Be patient and don't do anything else while it is scanning.

And one more scanning tool I want you to try to use to collect more information is OTL per the below.

Please download OTL by Old Timer to your desktop.
See the download links under this icon:

1. Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
2. When OTL opens, change the Output (at the top-right portion of the program) to Minimal Output.
3. Put check-marks in LOP Check and Purity Check.
4. Now click the button.

• When the scan is complete, two logs entitled OTL.txt and Extras.txt will be created on your desktop.
• Attach both of these logs to your next message as well as any other requested logs.

 

Double-click OTL.exe to start the program.

• Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

Code:

:processes
:otl
:files
C:\32788R22FWJFW
C:\Windows\4187824115
C:\Users\Administrator\Desktop\Zentom System Guard.lnk
@Alternate Data Stream - 784 bytes -> C:\Windows\4187824115:216031750.exe

:commands
[PURITY]
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]

• Then click the Run Fix button at the top.
• Click the OK button.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. Just close notepad and attach this log form OTL to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

See if you can run this:
direct exe

 

Your MGLogs.zip was basically empty. Let have you try to fix the file associations for the exe files with this:
Vista File Fix
Scroll down to the box with the various file association fixes.

If that works, try doing the OTL fix again.

If you can't, download The Avenger by Swandog46 to your Desktop.

See the download links under this icon
Extract avenger.exe from the Zip file and save it to your desktop.

1. Extract avenger.exe from the Zip file and save it to your desktop
2. Run avenger.exe by double-clicking on it.
3. Click OK at the warning to continue to use The Avenger
4. Do not change any of the check box options!
5. Shut down your protection software now to avoid possible conflicts.
6. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
   
7. Now click the button
8. Click Yes to the prompt to confirm you want to execute.
9. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
10. Your PC should reboot, if not, reboot it yourself.
11. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
12. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept ( yes twice ).

Then attach the below logs:

* C:\MGlogs.zip

 

Please click Start, All Program, Accessories and you will see ( among other things ) a Command Prompt entry.

• Right click the Command Prompt entry and select Run As Administrator.
  
  • It is critical that you run it this way.
  
  
• If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
• Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple/brown is merely informational.

cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
GetRunKey<-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.
ShowNew<-- this will try to run all one scan from MGtools. Tell me what error messages, if any, you see.

 

See if you can do this in safe mode.

 

And you still can't run either OTL or MGTools? Open task manager and see if you have any task that has nothing but random numbers. Disable it if you do.

 

If you really cannot run anything to provide us information that we need to perform a proper diagnosis, your option would be to use another PC to try create one or more of the below CDs to boot from that allow you to run scans and perform many other tasks without Windows even being loaded. Sometimes this can help to get you started when all else fails. They can even help in cases where a previous scan may have removed something that resulted in your PC being unbootable.

• Avira Rescue CD
• AVG Rescue CD
• BitDefender Rescue USB
• F-Secure Rescue CD
• Kaspersky Rescue Disk.
• SystemRescueCD
• Trinity Rescue CD

 

If you have not yet tried to follow Kestrel13! instructions, try the below first.

Do this again and look to see if you find the below process running:

finc70dkk.exe

If you see it, then right click on it and end this process. If that works then right click the Start button and select Explore. If this works, Windows Explorer will open up. Navigate to and delete the below files:

C:\Users\Administrator\AppData\Roaming\220C544ADC40A7A4AD2ED4F412E349DB\finc70dkk.exe
C:\Users\Administrator\AppData\Local\catresacl.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zentom System Guard.lnk
C:\Users\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Zentom System Guard.lnk

Also delete the below folder:
C:\Users\Administrator\AppData\Roaming\220C544ADC40A7A4AD2ED4F412E349DB


Then reboot your PC and see if you can run MGtools and attach the C:\MGlogs.zip file

 

5b6e10a6-626a-484d-8fa0-60ca066a3c5f.com <--- What is this seen on your desktop? Is it combofix renamed?

Java(TM) 6 Update 11 <--- Uninstall outdated Java.


Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

• O2 - BHO: (no name) - {0E709D0A-E609-45BE-BFC3-37D4FEBAE7E5} - C:\Users\Administrator\AppData\Local\NetworkWMP.dll
• O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
• O2 - BHO: (no name) - {CA094986-93F3-4A3B-8BD2-E901A09A948C} - C:\Windows\system32\fastsrch.dll
• O4 - HKLM\..\Run: [cabdbgui.exe] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\cabdbgui.exe"
• O4 - HKLM\..\RunOnce: [*cabdbgui.exe] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\cabdbgui.exe"
• O4 - HKLM\..\RunOnce: [*cachesvccat.exe] "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cachesvccat.exe"
• O4 - HKCU\..\Run: [GoogleBackupBackup] rundll32.exe "C:\ProgramData\GoogleBackupBackup.dll",DllRegisterServer
• O4 - HKCU\..\Run: [ej-technologies Update] rundll32 "C:\Users\Administrator\AppData\Local\Apps\AppsUpdate\Appsupdt32.dll",DllRegisterServer
• O4 - HKCU\..\Run: [Adobe Update] rundll32 "C:\Users\Administrator\AppData\Local\Citrix\CitrixUpdate\Citrixupdt32.dll",DllRegisterServer
• O4 - HKCU\..\Run: [finc70dkk.exe] "C:\Users\Administrator\AppData\Roaming\220C544ADC40A7A4AD2ED4F412E349DB\finc70dkk.exe"
• O4 - HKCU\..\Run: [AppsUpdate] C:\Users\Administrator\AppData\Local\Apps\AppsUpdate\Appsupdt32.exe
• O4 - HKUS\S-1-5-19\..\Run: [AppsUpdate] C:\Users\Administrator\AppData\Local\Apps\AppsUpdate\Appsupdt32.exe (User 'LOCAL SERVICE')
• O4 - Startup: cachesvccat.exe
• O4 - Startup: debugntfscpl.exe
• O4 - Startup: Zentom System Guard.lnk = C:\Users\Administrator\AppData\Roaming\220C544ADC40A7A4AD2ED4F412E349DB\finc70dkk.exe
• O4 - Global Startup: cabdbgui.exe
• O15 - Trusted Zone: *.accessallstate.com
• O15 - Trusted Zone: *.aicpcu.org
• O15 - Trusted Zone: *.allstate-lcec.lrn.com
• O15 - Trusted Zone: agencygateway.allstate.com
• O15 - Trusted Zone: agencygateway1.allstate.com
• O15 - Trusted Zone: agencygateway2.allstate.com
• O15 - Trusted Zone: allianceweb.allstate.com
• O15 - Trusted Zone: mymail.allstate.com
• O15 - Trusted Zone: webmail.allstate.com
• O15 - Trusted Zone: *.allstate.com
• O15 - Trusted Zone: *.allstateagencies.com
• O15 - Trusted Zone: *.allstatehelp.com
• O15 - Trusted Zone: *.allstateinsurance.skillwsa.com
• O15 - Trusted Zone: *.bisyseducation.com
• O15 - Trusted Zone: *.custhelp.com
• O15 - Trusted Zone: *.elementk.com
• O15 - Trusted Zone: *.gotoassist.com
• O15 - Trusted Zone: *.insmark.com
• O15 - Trusted Zone: *.insmark.us
• O15 - Trusted Zone: *.insmarkstore.com
• O15 - Trusted Zone: *.learn.net
• O15 - Trusted Zone: *.nicta.org
• O15 - Trusted Zone: *.sumtotalsystems.com

After clicking Fix exit HJT.


Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the area. Do not include the word Code.

Code:

:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GoogleBackupBackup"=-
"ej-technologies Update"=-
"Adobe Update"=-
"finc70dkk.exe"=-
"AppsUpdate"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"cabdbgui.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce]
"*cabdbgui.exe"=-
"*cachesvccat.exe"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E709D0A-E609-45BE-BFC3-37D4FEBAE7E5}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA094986-93F3-4A3B-8BD2-E901A09A948C}]

:files
C:\Users\Administrator\AppData\Local\NetworkWin32.dll
C:\Users\Administrator\AppData\Local\NetworkWMP.dll
C:\Users\Administrator\AppData\Local\propbootadsl.exe
C:\Users\Administrator\AppData\Local\ServiceWMP.dll
C:\Windows\system32\fastsrch.dll
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\cabdbgui.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cachesvccat.exe
C:\ProgramData\GoogleBackupBackup.dll
C:\Users\Administrator\AppData\Local\Apps\AppsUpdate\Appsupdt32.dll
C:\Users\Administrator\AppData\Local\Citrix\CitrixUpdate\Citrixupdt32.dll
C:\Users\Administrator\AppData\Roaming\220C544ADC40A7A4AD2ED4F412E349DB\finc70dkk.exe
C:\Users\Administrator\AppData\Local\Apps\AppsUpdate\Appsupdt32.exe
C:\windows\debugntfscpl.exe
C:\USERS\ADMINI~1\STARTM~1\PROGRAMS\STARTUP\caches~1.exe
C:\USERS\ADMINI~1\STARTM~1\PROGRAMS\STARTUP\debugn~1.exe          
C:\USERS\ADMINI~1\STARTM~1\PROGRAMS\STARTUP\zentom~1.lnk        
C:\ProgramData\evtsdevxml.exe
C:\Program Files\Free Offers from Freeze.com
C:\windows\5158974E2D28401893357694C2974746.TMP
C:\windows\system32\bootproxycat.exe
C:\windows\system32\snxplghnyg.tmp
C:\windows\system32\wscui32.dll

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


Reboot your machine and install the most current and up to date version of Java available here at the below link:

Java Runtime 6

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

 

No! It is because SUPERAntiSpyware was not installed properly. It is running from the Desktop!!!! And the above is just the alternate version of the program.