Aggressive Rootkit seems Unremovable

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

 

You need to let the MGTools.bat run until completion ....don't close down the window until it has finished running all 5 logs.

 

run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip

 

That and the ComboFix log .....but I need to go for a while so I will look at the logs and get back to you.

 

Ok...I took a quick look and the things you need to do are as follows:
Uninstall:
J2SE Runtime Environment 5.0 Update 8"
J2SE Runtime Environment 5.0 Update 9"
Java 2 Runtime Environment, SE v1.4.2_03
LimeWire PRO 4.12.6
Viewpoint Manager (Remove Only)"
Viewpoint Media Player

You have multiple anti-virus programs running ...you need to uninstall all but one:
PC Tools AntiVirus3.6
Norton 360
AVG 7.5

Now tell me exactly what the system32\drivers file is that you say keeps coming back or is reported by which ever program is reporting it.

 

Norton is a known resource hog ..so I would uninstall that and AVG if you prefer the other.

Please download GMER and save it to your desktop:

• Unzip (extract) it to your desktop.
• Disconnect from Internet and close all running programs.
• There is a small chance this application may crash your computer so save any work you have open.
• Double-click gmer.exe to run it.
• Let the gmer.sys driver to load if asked.
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO.
• Click the Rootkit tab.
• Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
• Then click the Scan button. Wait for the scan to finish.
• Once done, click the Copy button.
• This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop. Attach this log to your next reply.

NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.

 

Until you uninstall ALL but one antivirus program (decide which you prefer, we like AVG Free) we are not going any further. This is one of the first instructions in the READ & RUN ME for a reason. You should not have posted any logs until you have completed ALL of the instructions in the READ ME. Also you did not uninstall Viewpoint Manager as requested.

You also need to put your system in normal startup mode using MSconfig as requested at the start of the READ & RUN ME.

Then after you have done all of the above, attach a new MGlogs.zip file by running GetLogs.bat again.

The hidden file AVG Anti-Rootkit may be just from another scanning type tool. It said it was a hidden driver. We shall see. But it will be much easier to figure things out once you have removed all the unnecessary redundant programs. All of these could also make it impossible to fix anything if there is a problem.

The file probably does not even exist or it probably renames all the time and could be related to installed software (even games....especially protected games).

 

Here are all the tools you have installed that related to malware in general. I highlighted in bold black the problem areas.

As you can see Norton/Symantec is still on your computer wasting resources and causing problems due to not only duplicate antivirus programs but duplicate firewalls because Norton 360 has a firewall and you also have PC Tools Firewall.

No wonder you have CPU useage issues. Installing more that one (and you had at least 3 ) cause all kinds of problems and makes it very difficult to completely recover from.

Try running the below. I'm not sure if it will work with Norton 360.
Norton Removal Tool (SymNRT)

Let me know what happens.

It's gone now. It was in your previous log that I looked at.

 

Also note that right now AVG Antisypware is also conflicting with ComodoBO Clean beacuse the 15 day trial of AVG Antispyware provides realtime blocking just like BOClean. Thus you should uninstall AVG Antispyware now. Yes I know it was requested in the READ ME but we don't know when you come here what is installed and we need your PC scanned and clean. BOClean also has no scanner.

 

That's much better but Norton is still hanging on a little.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Symantec Core LC
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

Do you use Dell Support and do you know why all the below need to be running at startup?

Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/se...000001f.0000004b&c=00000082.00000045.00000119


After clicking Fix, exit HJT.

Now reboot.

Now run Ccleaner!

Are things working any better?

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.

 

Are you saying it is taking longer?

Is it changing names after each reboot? Or is it changing names each time you run AVG Anti-rootkit? What is is called now?

 

Why are you using MSconfig when the READ ME ask you to put your system in Normal Startup mode?? You need to put your PC in normal startup mode now.

I still see the below. Does that mean you need these?
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2

 

At this point, I'm not convinced this is malware. I'm not sure what it is for but it could be related to something you have installed. What actual malware problems are you having?

You should know. The below is a quote right out of the first step of the READ & RUN ME

You are not in normal startup mode, I can see that in your logs. Get into normal startup mode and then attach a new MGlogs.zip file. Also run ComboFix again and attach a new log from it.

They were unrelated. If you don't use the Dell Support items then remove them using analyse.exe

 

But what process is using the CPU time?

When you see high CPU useage, try the below.

Download ProcessExplorer

• Unzip it to its own folder somewhere you can locate it.
• Now run procexp.exe by double clicking on it.
• Let's configure some options first:
  • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
  • Now click on iexplorer.exe (or which ever process is the hog)
  • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
• Now click on File and then Save As. And save the process list.
• Post it back here as an attachment.
• also tell me how much of the CPU was being used and by which processes and threads. You can get this info by double clicking on the process that seems to be hogging CPU time. Then in the next window click the Threads tab. There is a column showing CPU use and also you can double click on the line showing I CPU useage and it will give you a Stack for the thread. What do you see in the stack.

I'm not convinced that this is malware.