rootkit.0access and other malware

[deeps]

I've been dealing with zero access rootkit and other malware for a week now..

Can't run most programs, or get online and can't seem to access ip configuration address. Any help would be greatly appreciated.

Ran malware, super antivirus and combo fix...results below.

[thisisu]

Hi and welcome to Major Geeks, deeps!

Now we need to run TDSSKiller by Kaspersky
Follow the instructions here and attach your log when you are finished. (How to attach items to your post)

Have you attempted going through this yet? READ & RUN ME FIRST. Malware Removal Guide

If not, you need to at this time. Let me know what did not run. You don't have to complete the scans you have already completed again.

[deeps]

Yes, i have done the read and run me malware removal...followed the steps.

Here is the tdsskiller log...thanks again.

[thisisu]

You made no mention of MGlogs.zip. Please attach that file if you were able to run MGtools.exe

Also attach the log from running DeFogger.

Then complete the following:

Please download OTL by Old Timer to your desktop.

• See the download links under this icon:
• Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
• When the window appears, underneath Output at the top-right, make sure Standard Output is selected.
• Select Scan All Users.
• Check the boxes beside LOP Check and Purity Check.
• Copy the text in the code box below and paste it into the text-field.
  
  Code:

  netsvcs
  %systemdrive%\*.exe
  /md5start
  afd.sys
  atapi.sys
  csrss.exe
  explorer.exe
  ipnat.sys
  ipsec.sys
  regedit.exe
  services.exe
  svchost.exe
  tcpip.sys
  userinit.exe
  winlogon.exe
  /md5stop
  %systemroot%\*. /mp /s
  %windir%\assembly\GAC\*.ini
  %windir%\assembly\GAC_MSIL\*.ini
  %windir%\assembly\gac_32\*.ini
  %windir%\assembly\gac_64\*.ini
  %windir%\assembly\temp\*.ini
  %windir%\assembly\tmp\u /s
  %allusersprofile%\application data\*.exe
  %systemdrive%\MGtools\
  %systemdrive%\
  %userprofile%\desktop\
  hklm\software\microsoft\windows\currentversion\run|exe /rs
  hklm\software\microsoft\windows\currentversion\runonce|exe /rs

• Now click the button.
• When the scan is complete, Notepad will open with the results of the OTL scan.
• Close Notepad.
• There will be two log files on your desktop entitled OTL.txt and Extras.txt.
• Attach both OTL.txt and Extras.txt to your next message. (How to attach items to your post)

[deeps]

Apologize for the missing files...thanks again for all the help.

[thisisu]

From Add/Remove Programs (via Control Panel), please uninstall the below:

• J2SE Runtime Environment 5.0 Update 6
• Java(TM) 6 Update 18
• Java(TM) 6 Update 2
• Java(TM) 6 Update 3
• Java(TM) 6 Update 5
• Java(TM) 6 Update 7

Please download Disable/Remove Windows Messenger by Doug Knox to your desktop.

• See the download links under this icon:
• Double-click MessengerDisable.exe
• Place a check-mark in Uninstall Windows Messenger
• Click Apply
• Click Exit

Now we need to make use of OTL by Old Timer.

• Double-click OTL.exe to run (Vista and Win7 right-click and select Run as administrator)
• When OTL opens, copy the text in the code box below and paste it into the text-field.
  
  Code:

  :processes
  killallprocesses
  :otl
  FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
  O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
  O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
  O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
  O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
  O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
  O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
  O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
  O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
  O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
  O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
  O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
  O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
  O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
  O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
  O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
  O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
  O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
  O29 - HKLM SecurityProviders - (digeste.dll) - File not found
  O33 - MountPoints2\{e1412540-3cbe-11df-814a-001676bc312a}\Shell - "" = AutoRun
  O33 - MountPoints2\{e1412540-3cbe-11df-814a-001676bc312a}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{e1412540-3cbe-11df-814a-001676bc312a}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
  O33 - MountPoints2\{e1412541-3cbe-11df-814a-001676bc312a}\Shell\AutoRun\command - "" = setupSNK.exe
  [3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
  [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
  [2011/10/09 11:08:53 | 000,000,000 | ---- | M] () -- C:\WINDOWS\2329406891
  [2011/10/08 10:19:49 | 000,662,349 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavifw.avm
  [2011/10/09 10:53:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG2012
  [2010/10/15 07:59:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
  [2007/12/12 23:58:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
  [2009/04/01 10:18:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
  [2010/04/20 08:18:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
  [2009/09/17 09:08:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
  [2009/04/18 16:49:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
  [2011/09/23 08:13:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Gary\Application Data\AVG2012
  [C:\WINDOWS\$NtUninstallKB33688$] -> Error: Cannot create file handle -> Unknown point type
  @Alternate Data Stream - 151 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
  :services 
  abedd78a
  :files
  C:\$AVG
  C:\WINDOWS\$NtUninstallKB33688$ /d
  C:\WINDOWS\system32\drivers\ipsec.sys|C:\WINDOWS\system32\dllcache\ipsec.sys /replace
  ipconfig /flushdns /c
  netsh int ip reset resetlog.txt /c
  netsh winsock reset /c
  :reg
  :commands
  [purity]
  [emptyjava]
  [emptytemp]
  [emptyflash]
  [resethosts]

• Now click the button.
• OTL may ask to reboot the machine. Please do so if asked.
• Click the OK button.
• When complete, Notepad will open.
• Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (How to attach items to your post)

Now install the current version of Sun Java from: Sun Java Runtime Environment

Put your computer back into Normal Startup Mode and reboot before proceeding to the next step >> Use MSconfig to setup for Normal Startup Mode


Now open OTL again and click the button
Note: This automatically updates the OTL.txt log on your desktop.
Attach OTL.txt to your next message. (How to attach items to your post


Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
Notes:

• This will automatically update all the logs inside MGlogs.zip
• Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS

[deeps]

Attached the OTL run fix and scans but can't access C:\MGtools\GetLogs.bat

Getting an error stating 'Windows cannot find 'C:\MGtools\GetLogs.Bat'. Make sure you typed the name correctly, and then try again.'

Still can't access the internet.

[thisisu]

Quote:

Attached the OTL run fix and scans but can't access C:\MGtools\GetLogs.bat

Getting an error stating 'Windows cannot find 'C:\MGtools\GetLogs.Bat'. Make sure you typed the name correctly, and then try again.'

I need you to open this folder using Windows Explorer: C:\MGtools
Inside you will see a bunch of files, look for the one named GetLogs.bat
Then double-click GetLogs.bat. Let this run unhindered.

Afterwards, attach the MGlogs.zip file -- It's at C:\MGlogs.zip

[deeps]

Quote:

Originally Posted by thisisu

I need you to open this folder using Windows Explorer: C:\MGtools
Inside you will see a bunch of files, look for the one named GetLogs.bat
Then double-click GetLogs.bat. Let this run unhindered.

Afterwards, attach the MGlogs.zip file -- It's at C:\MGlogs.zip

I understand, i tried that, when i double click the file GetLogs.Bat in the MGTools folder, that's the error prompt i get.

[thisisu]

Please download Tweaking.com - Windows Repair by Tweaking.com to your desktop.

• See the download links under this icon:
• Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
• Now open this folder and double-click Repair_Windows.exe.
• Click the Start Repairs tab on the far right.
• Click Custom Mode so there is a bullet in it.
• Click the Start button (bottom right)
  Note: When asked if you would like to create a restore point. It is recommended just in-case something does not go as planned.
• Click Unselect All
• Put a checkmark in the following items:
  • Reset Registry Permissions
  • Reset File Permissions
  • Register System Files
  • Remove Policies Set By Infections
  • Repair Winsock and DNS Cache
  Note: Leave everything else unchecked
• Put a checkmark in Restart System When Finished
• Now click the Start button (bottom right)
• Let this run unhindered, then reboot afterwards.

Now we need to make use of ComboFix by sUBs

• Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
  • If it is not on your desktop, the below will not work.
• Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
• Open Notepad and copy/paste the text in the below code box into Notepad:

Code:

KillAll::
DirLook::
c:\mgtools
FileLook::
c:\mgtools\getlogs.bat
c:\mgtools.exe
C:\WINDOWS\system32\drivers\ipsec.sys
C:\WINDOWS\system32\dllcache\ipsec.sys
Folder::
C:\WINDOWS\$NtUninstallKB33688$

• Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
• At this point, you must exit all browsers now before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
• Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
  
• This shall launch ComboFix.
  Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
• Allow ComboFix to update itself if prompted.
• When it finishes, a log will be produced at C:\ComboFix.txt
  Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
• Attach this log to your next message. (How to attach items to your post)

Please download SystemLook by jpshortstuff to your desktop.

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :reg
  ipsec
  regfind:
  *ipsec*
  :filefind
  ipsec.sys

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (How to attach items to your post)
  Note: The log be found on your desktop entitled SystemLook.txt

[deeps]

Ran tweaking window repair unhindered even though a prompt box kept telling me 'execute processes remotely has encountered a problem and needs to close.'
...rebooted after program finished.

Dragged CF Script file into combofix and froze up on last command Output folder C:\32788R22FWJFW

Rebooted manually in safe mode w/ networking.

[thisisu]

Quote:

Originally Posted by deeps

Dragged CF Script file into combofix and froze up on last command Output folder C:\32788R22FWJFW

What do you mean here?

Quote:

Ran tweaking window repair unhindered even though a prompt box kept telling me 'execute processes remotely has encountered a problem and needs to close.'
...rebooted after program finished.

I am not familiar with the error message you are saying you received. Can you take a screenshot?

Quote:

Rebooted manually in safe mode w/ networking.

Are you unable to boot into Normal Mode now?

You can try the same steps from Safe Mode with Networking if you need to.

[deeps]

Quote:

Originally Posted by thisisu

What do you mean here?

After i created the CFScript.txt file and dragged it into combo fix, running fine, then stalled at that last file name that i mentioned. Did not continue to run.

I am not familiar with the error message you are saying you received. Can you take a screenshot?

attached the screenshot.

Are you unable to boot into Normal Mode now?

You can try the same steps from Safe Mode with Networking if you need to.

I can still boot up in normal mode but opted to run it in safe mode w/ networking...tried running windows repair again in safe mode, but same prompt box kept appearing.

[thisisu]

Quote:

Originally Posted by deeps

I can still boot up in normal mode but opted to run it in safe mode w/ networking...tried running windows repair again in safe mode, but same prompt box kept appearing.

Looks like a bug with the Windows Repair program.

Let's try the some of the same fixes another way.

Now download exeHelper by Raktor.

• Double-click on exeHelper.com to run the fix.
• A black window should pop up, press any key to close once the fix is completed.
• A log file named exeHelperlog.txt will be created in the directory where you ran exeHelper.com
• Attach the exeHelperlog.txt file to your next message. (How to attach items to your post)
  Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!

• Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
• This opens the Run dialog box.
• Then copy the below bold text and paste it into the Open: text-field and press ENTER.
  C:\win32kdiag.exe -f -r
  
• When it's finished, there will be a log called Win32kDiag.txt on your desktop.
• Attach this log to your next message. (How to attach items to your post)

Download Junction by Mark Russinovich to your desktop.

• Extract junction.exe to your desktop.
• Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
• This opens the Run dialog box.
• Then copy the below bold text and paste it into the Open: text-field and press ENTER.
  cmd /c %userprofile%\desktop\junction -s c:\ >%userprofile%\desktop\junction.txt
  
• When it's finished, there will be a log called junction.txt on your desktop.
• Attach this log to your next message. (How to attach items to your post)

After junction, try the CFScript and SystemLook directions again.

Please download Microsoft Fix it 50199 to your desktop.

• Double-click it to run.
• Reboot when asked to.

[deeps]

the exe.helper DL came up as a trojan threat and was quarantined by AVG

[thisisu]

Did you install AVG or any other AntiVirus recently?

[deeps]

Quote:

Originally Posted by thisisu

Did you install AVG or any other AntiVirus recently?

No, i'm Dling all the files through a separate laptop and using thumb drive to my infected desktop.

[thisisu]

Quote:

Originally Posted by deeps

No, i'm Dling all the files through a separate laptop and using thumb drive to my infected desktop.

Ok, proceed to the next steps.

Run the Microsoft FixIt tool from Normal Mode whenever you get to that step

[deeps]

Quote:

Originally Posted by thisisu

Ok, proceed to the next steps.

Run the Microsoft FixIt tool from Normal Mode whenever you get to that step

So just bypass the exehelper command?

[thisisu]

Quote:

Originally Posted by deeps

So just bypass the exehelper command?

Yes.