I need someone smarter than me

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by PastorEric, Nov 18, 2011.

  1. PastorEric

    PastorEric Private E-2

    I can't figure this one out.

    History: I sat down at my computer one day to see fake spyware messages - apparently from AV Security. I tried SuperAntiSpyware, then Malwarebytes, then Norton. They all found stuff and got rid of stuff. I could now start my computer when I wasn't in safe mode, but web links were redirecting randomly and my computer was playing random sound bites (I think from cached files of things I had viewed online). I proceeded to try every reputable antispyware program I could find and followed several tutorials. At one point, I even uninstalled IE 8, FF, Java, and Adobe Flash hoping to rid myself of the infection with the removal of these programs. I still have not reinstalled Java or Flash. Eventually I came across this site and ran the requested tools in the specified order (except RootRepeal - I have Win 7 64-bit).

    Present: According to Kaspersky (not presently installed, but it had been at one point), Internet Explorer is accessing a variety of pages for about 30 sec at a time. IE does show up as a running process but does not show up as an open window. Meanwhile, any links that I click on (not just Google) redirect me. I have been getting around this by copying the link location and pasting it in the address bar. Logs are attached. I'll attach the Malwarebytes log in the next post.
     


  2. PastorEric

    PastorEric Private E-2

    OK, here's the Malwarebytes log.

    Thanks for any help you can give.
     


  3. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, PastorEric!

    The highlighted is a hidden and active partition set by a new form of the TDL rootkit/bootkit.

    First we need to delete this partition before we can attempt to successfully restore a clean Master Boot Record (MBR). -- This should stop the redirects.

    Before we proceed, do you have your data backed up just in case I am unable to get your system booting to the correct partition again? Let me know before we proceed.
     
  4. PastorEric

    PastorEric Private E-2

    Yes, the data is backed up. How should I go about removing the partition? Thanks.
     
  5. thisisu

    thisisu Malware Consultant

    Do you have your Windows 7 DVD as well? We will need it to restore a clean MBR.

    You can download the Windows 7 x64 recovery console from here if you do not have the Windows 7 DVD. We only need to make use of the recovery console anyways >> http://digiex.net/downloads/downloa.../2660-windows-7-64-bit-x64-recovery-disc.html

    You can use software such as ImgBurn to burn the CD/DVD as an image >> http://majorgeeks.com/ImgBurn_d4870.html

    You may want to print out the rest of these instructions.
    -------------------------------------------------------
    I am still working out the kinks of this procedure so let me know if you have any questions before proceeding. A lot of problems with the partition tables are caused by this infection and can take some time to fully resolve.

    First, download gparted-live-0.10.0-3.iso (115.1 MB)
    You will need a blank CD to burn this ISO to. You can burn the .ISO using software like ImgBurn.

    Now boot off of this newly created CD.

    At the GParted Live boot menu, press ENTER.

    By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER.

    Choose your language and press ENTER. English is default [33]

    Once again, at this prompt, press ENTER

    You will now be taken to the main GUI screen.
    According to your logs, the partition that you want to delete is 1.87 MB (MiB)
    Click the trash can icon to delete and then click Apply.

    You should now be at the screen confirming your actions.

    Is "boot" next to your OS drive? -- According to your logs, your OS drive is the 683.57 GB size partition.

    If "boot" is not next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags

    In the menu that pops up, place a checkmark next to boot.

    Now double-click the Exit button.

    You should receive a small pop-up.
    Choose reboot and then press OK.

    Now reboot into the Windows 7 recovery console USING THE CD/DVD and execute the following commands from the command prompt:

    • bootrec /fixmbr
    • bootrec /fixboot
    • exit

    Once back in Windows...

    Please download MBRCheck by GeeksToGo to your desktop.
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)
     
  6. PastorEric

    PastorEric Private E-2

    Here is the MBR log. It looks like it came back clean and so far (I'm posting this about 3 mins after completion) it looks like that solved the problem. :-D
     


  7. PastorEric

    PastorEric Private E-2

    Perhaps I posted too soon. The redirect seems to be solved but I cannot change my desktop background. It was somehow set to a solid grey sometime during my attempts at removing the virus and I basically ignored that. Just now I tried to change it back and I cannot change it. That appears to be the only remnant I can see so far though.
     
  8. thisisu

    thisisu Malware Consultant

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, double-click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    If it was successful, reboot. Let me know if this was able to correct it.
     
  9. thisisu

    thisisu Malware Consultant

    Still some more traces of the ZeroAccess infection you had.

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    Folder::
    C:\Windows\assembly\temp\U
    C:\ProgramData\{071012C3-2764-457D-B41E-93AA7ADE5F06}
    C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
    C:\Program Files (x86)\Ask.com
    Registry::
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}]
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
  10. PastorEric

    PastorEric Private E-2

    I did not notice the registry edit you posted until after I ran ComboFix (log is attached). ComboFix seems to have corrected the issue, but I ran the registry edit anyway just to make sure, and I did get a success message. I appreciate all of your help. You are a credit to humanity. :-D
     


  11. thisisu

    thisisu Malware Consultant

    No problem. Surf safely!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  12. PastorEric

    PastorEric Private E-2

    All right, having seemingly gotten rid of the virus and completed the requested steps, I tried to take your suggestions for preventing stuff in the future and that's when I discovered I can't update Windows now.
    I get Error code 80070005 with the message "Windows could not search for new updates"
     
  13. thisisu

    thisisu Malware Consultant

    Try this:

    Please download Windows Repair by Tweaking.com to your desktop.
    • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
    • Now open this folder and double-click Repair_Windows.exe.
    • Click the Start Repairs tab on the far right.
    • Click Custom Mode so there is a bullet in it.
    • Click the Start button (bottom right)
      Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.
    • Click Unselect All
    • Put a checkmark in the following items:
      • Repair Windows Update
    • Now click the Start button (bottom right)
    Reboot if requested for changes to take effect.
     
  14. PastorEric

    PastorEric Private E-2

    That seems to have done the trick! Saying thank you doesn't seem to be enough. Is there a place on the site where I can make a financial contribution?
     
  15. PastorEric

    PastorEric Private E-2

    All right, I'm going to quit saying my problems are solved until I've spent a week or so problem-free. I've discovered a new issue. About 90% of the files in the Documents folder (including the folder itself) have been marked hidden. I don't know if other files have been hidden or not. Does this indicate some other kind of problem, or is there an easy way to batch process my documents and uncheck the hidden property? Thanks for your patience.
     
  16. thisisu

    thisisu Malware Consultant

    Please download RogueKiller by Tigzy to your desktop.
    • Double-click RogueKiller.exe to run it. (Vista and Win7 right-click and select Run as Administrator)
    • When it opens, press the number 6 and press ENTER.
    • A report should appear.
    • Attach RKreport[1].txt to your next message. (How to attach items to your post)
      Note: It will be at whichever location you ran RogueKiller from. I asked that you put it on your desktop, so it should be there.
    • You can now type the number 0 and press ENTER to exit RogueKiller.
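    Post 15 asks for a way to batch-clear the hidden attribute the infection set on the Documents folder, and post 16 hands that job to RogueKiller's option 6. The following is an added example, not code from the thread or from RogueKiller, of doing the same with the Windows file-attribute API. It keeps the one caveat a blind `attrib -h /s /d` misses: entries Windows hides on purpose (desktop.ini and similar) carry the SYSTEM attribute as well as HIDDEN, and those are left alone. The get/set callbacks are injected so the decision logic can be exercised off-box; the kernel32 calls are the real ones, and the sample attribute map below is constructed.

```python
"""Clear the HIDDEN attribute an infection set on a user's files, skipping
entries that also carry SYSTEM (desktop.ini etc.), which Windows hides by
design. Added example, not from the thread; the kernel32 bindings are the
real API, and any sample paths used with it are constructed."""
import os
import sys

FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF


def unhidden_attrs(attrs: int):
    """Return the mask with HIDDEN cleared, or None if the entry should be left alone."""
    if not attrs & FILE_ATTRIBUTE_HIDDEN:
        return None                      # not hidden: nothing to do
    if attrs & FILE_ATTRIBUTE_SYSTEM:
        return None                      # hidden+system: legitimate, leave it
    return attrs & ~FILE_ATTRIBUTE_HIDDEN


def unhide_paths(paths, get_attrs, set_attrs) -> list:
    """Apply unhidden_attrs() to every path; return the paths that were changed.
    get_attrs/set_attrs are injected so the logic can run without Windows."""
    changed = []
    for path in paths:
        new = unhidden_attrs(get_attrs(path))
        if new is not None:
            set_attrs(path, new)
            changed.append(path)
    return changed


def walk_paths(root: str):
    """Yield root itself (the thread's Documents folder was hidden too), then everything under it."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


if sys.platform == "win32":
    import ctypes
    from ctypes import wintypes

    _k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    _k32.GetFileAttributesW.argtypes = [wintypes.LPCWSTR]
    _k32.GetFileAttributesW.restype = wintypes.DWORD
    _k32.SetFileAttributesW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD]
    _k32.SetFileAttributesW.restype = wintypes.BOOL

    def win_get_attrs(path: str) -> int:
        attrs = _k32.GetFileAttributesW(path)
        if attrs == INVALID_FILE_ATTRIBUTES:
            raise ctypes.WinError(ctypes.get_last_error())
        return attrs

    def win_set_attrs(path: str, attrs: int) -> None:
        if not _k32.SetFileAttributesW(path, attrs):
            raise ctypes.WinError(ctypes.get_last_error())


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the affected Windows machine")
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.join(os.environ["USERPROFILE"], "Documents")
    for path in unhide_paths(walk_paths(root), win_get_attrs, win_set_attrs):
        print("unhidden:", path)
```

    Run it as the user who owns the folder (`python unhide.py "%USERPROFILE%\Documents"`); files owned by another account need an elevated prompt. If the attribute comes back after a reboot, something is still resetting it and the machine is not clean yet, which is why the consultant asked for a log rather than just an `attrib` one-liner.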
     
  17. PastorEric

    PastorEric Private E-2

    Attached is the log from RogueKiller. It seems to have fixed that problem.

    Meanwhile, Windows Update (Now thankfully working) installed Microsoft Security Center which keeps detecting "Trojan: DOS/Alureon.E" but doesn't seem to be able to fix it.
    I can't figure out how to upload a log from that but here is what the History says: It lists the virus mentioned above next to each time slot

    10:48 - Removed
    11:05 - Allowed
    11:15 - Removed
    11:36 - Removed
    12:44 - Quarantined
    1:02 - Removed
    1:18 - Removed
    1:39 - Allowed
    1:48 - Allowed
    1:58 - Quarantined
    2:11 - Removed

    It is deciding on the actions without my input.
     


  18. thisisu

    thisisu Malware Consultant

    I am thinking that maybe now MSE has awakened and realized there was a problem with the hidden partition we removed earlier. Since we removed it using a different method, maybe that is why MSE is being tricked into thinking it's still there.

    However, there may be a TDLFS, so make sure you read these instructions for how I would like you to run TDSSKiller (I noticed you ran it before).

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)
     
  19. PastorEric

    PastorEric Private E-2

    OK, I ran TDSSKiller, rebooted, and ran it again. The first time it found a TDLFS and I selected Delete. The second time, it gave me an option to update, which I did, and it scanned clean. MSE still thinks there's a problem.
     


  20. thisisu

    thisisu Malware Consultant

    OK, good.

    You should try clearing MSE's history and then see if MSE will still report a problem.
     
  21. PastorEric

    PastorEric Private E-2

    No good. I cleared the history, ran quick scan, and it detected it again. I get an error when it tries to clean it. Here's what it says:


    Security Essentials encountered the following error: Error code 0x80070032. The request is not supported.

    Category: Trojan

    Description: This program is dangerous and executes commands from an attacker.

    Recommended action: Remove this software immediately.

    Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

    Items:
    boot:\Device\HarddiskVolume4
    boot:\Device\HarddiskVolume4\
    boot:\\.\PHYSICALDRIVE0\Partition3 (Type 17)

    Get more information about this item online.
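    Post 5's procedure (delete the tiny hidden partition in GParted, move the boot flag to the OS partition, then `bootrec /fixmbr` and `/fixboot`) and MSE's item in post 21, `\\.\PHYSICALDRIVE0\Partition3 (Type 17)`, are both statements about the 64-byte partition table at the end of the MBR sector. The following is an added example, not code from the thread, from GParted or from MBRCheck, that parses that table, flags the pattern the consultant spotted in the logs (a partition of a few MiB, with a "hidden" type ID such as 0x11 = decimal 17, carrying the boot flag while the real OS partition does not), and applies the two table edits GParted made. The sample MBR it builds is constructed to match the sizes quoted in the thread; it is not PastorEric's disk.

```python
"""Inspect an MBR partition table for a TDL4-style hidden boot partition and
apply the two table changes GParted made in the thread. Added example, not
code from the thread or its tools; the sample table below is constructed."""
import struct
import sys

SECTOR = 512
PART_TABLE_OFF = 0x1BE          # partition table starts at byte 446
ENTRY_LEN = 16
MBR_SIG = b"\x55\xaa"
NTFS = 0x07
# "Hidden" FAT/NTFS type IDs; 0x11 is decimal 17, the type MSE reported
# for \\.\PHYSICALDRIVE0\Partition3 in the thread.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts (slot index is 1-based)."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIG:
        raise ValueError("no 55AA signature: not an MBR sector")
    entries = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 and count == 0:
            continue
        entries.append({"index": slot + 1, "boot": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count,
                        "size_mib": count * SECTOR / (1024 * 1024)})
    return entries


def suspicious(entries: list, small_mib: float = 8.0) -> list:
    """List (slot, reasons) for entries that look like a bootkit partition,
    plus (None, ...) if no partition carries the boot flag at all."""
    findings = []
    for e in entries:
        reasons = []
        if e["type"] in HIDDEN_TYPES:
            reasons.append("hidden partition type 0x%02X" % e["type"])
        if e["size_mib"] <= small_mib:
            reasons.append("tiny (%.2f MiB)" % e["size_mib"])
        if e["boot"] and e["type"] != NTFS:
            reasons.append("boot flag on a non-NTFS partition")
        if reasons:
            findings.append((e["index"], reasons))
    if not any(e["boot"] for e in entries):
        findings.append((None, ["no partition carries the boot flag"]))
    return findings


def remove_entry(mbr: bytes, index: int) -> bytes:
    """Zero slot `index` (1-4): the table change GParted's delete makes."""
    out = bytearray(mbr)
    off = PART_TABLE_OFF + (index - 1) * ENTRY_LEN
    out[off:off + ENTRY_LEN] = bytes(ENTRY_LEN)
    return bytes(out)


def move_boot_flag(mbr: bytes, index: int) -> bytes:
    """Set the boot flag on slot `index` only: GParted's "Manage Flags" step."""
    out = bytearray(mbr)
    for slot in range(4):
        out[PART_TABLE_OFF + slot * ENTRY_LEN] = 0x80 if slot + 1 == index else 0x00
    return bytes(out)


def _entry(boot: bool, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if boot else 0x00, ptype, lba, count)


def build_sample_mbr() -> bytes:
    """Constructed sample: 100 MiB System Reserved, ~683 GiB OS partition, and a
    1.87 MiB hidden type-0x11 partition holding the boot flag. The first 446
    bytes (boot code) are left zero; they are not parsed here."""
    table = (_entry(False, NTFS, 2048, 204800)
             + _entry(False, NTFS, 206848, 1433356902)
             + _entry(True, 0x11, 1433563750, 3830)
             + bytes(ENTRY_LEN))
    return bytes(PART_TABLE_OFF) + table + MBR_SIG


if __name__ == "__main__":
    # Pass a raw 512-byte dump of sector 0 (e.g. taken with dd from the
    # GParted Live CD) or, with no argument, analyse the constructed sample.
    mbr = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else build_sample_mbr()
    for slot, reasons in suspicious(parse_mbr(mbr)):
        print("slot %s: %s" % (slot, "; ".join(reasons)))
```

    Two caveats a practitioner would add. First, take the sector dump from boot media, not from the running Windows install: a bootkit that owns the MBR can filter disk reads and hand back a clean-looking table, which is also why the consultant had the partition removed from GParted Live rather than from Windows. Second, `remove_entry` and `move_boot_flag` only change the table; the first 446 bytes, where the bootkit's loader sits, are what `bootrec /fixmbr` overwrites, and post 24 shows the partition reappearing after one pass, so check again after the first reboot.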
     
  22. thisisu

    thisisu Malware Consultant

    Can you re-run MGtools.exe and attach the new MGlogs.zip
     
  23. PastorEric

    PastorEric Private E-2

    OK, here's the new MGLog.

    New Problem: Every 15 minutes or so my internet connection stops working. Rebooting (Which MSE is very eager for me to do) seems to temporarily fix it. The problem isn't happening anywhere else in the building. (If it matters, my computer is connected via ethernet cable to a router into which all the other computers in the building are plugged [4 desktops, 2 laptops, a WD Netcenter drive, a copier, wireless router and a single cable modem which we all share to use the internet].)
     


  24. thisisu

    thisisu Malware Consultant

    This partition is back or was never deleted. Did you have difficulty completing these directions? >> http://forums.majorgeeks.com/showpost.php?p=1683658&postcount=5

    That partition needs to be deleted. Let me know as I can have you test out a new tool that claims it can remove it too.
     
  25. PastorEric

    PastorEric Private E-2

    I see that the partition is back. G Parted appeared to have worked the last time. I can try it again or I can try another tool.
     
  26. thisisu

    thisisu Malware Consultant

    MAXSS Removal Tool x64

    Let us know the results if it finds anything.

    Then run C:\MGtools\GetLogs.bat again and attach the updated MGlogs.zip
     
  27. PastorEric

    PastorEric Private E-2

    OK, I tried GParted again before I got your last post. I deleted the partition, rebooted into GParted one more time to make sure it didn't instantly reappear. Ran the commands in the recovery tool and then ran MBRcheck. Then I ran MGTools just so you would have all the info I can.

    MSE is happy now.

    I'm out of time for today and because of the holiday (Thanksgiving in case you're not from the USA) I won't be back to work on this machine until Monday. If I see anything suspicious on Monday, I'll try the MAXSS Removal Tool x64 and let you know what happens. If I don't have any further problems, I'll print out and frame your avatar and instruct my children that you are henceforth to be considered family ;). Thanks so much.
     


  28. thisisu

    thisisu Malware Consultant

    The partition is gone according to your logs too.

    Happy Thanksgiving!
     
  29. PastorEric

    PastorEric Private E-2

    All right! My computer has been running unattended since Wednesday and there's no sign of anything running itself. I've been using it for a few hours this morning and everything seems normal. I cannot thank you enough for all of your help.
     
  30. thisisu

    thisisu Malware Consultant

    Glad to hear things are working well ;) Surf safely!
     
