HELP - MALWARE: can't get it gone!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by flpegasus, Jun 5, 2012.

  1. flpegasus

    flpegasus Private E-2

    This has been a problem for about a week now,
    Avast keeps popping up "THREAT HAS BEEN DETECTED" TROJAN HORSE BLOCKED... avast file system has blocked a threat... no further action is required
    object: c:\\windows\installer\{9a722e5a-ed15-d0eb-3ec8-2c42e11bfa4}\U\80000032.@ also 80000064.@

    I have run every scan in your instructions to no avail.....
    I have run Avast in a Boot-Time scan, which fails to work; Malwarebytes and SAS find objects and say they are deleting them, and upon restart the same thing pops up again.
    nothing seems to get rid of this, I REALIZE IT IS BEING BLOCKED, BUT IF IT IS BEING BLOCKED THEN IT IS PRESENT and I want rid of it

    ComboFix failed to run; after install, nothing happened. The program did not start. However, it seemed to create a new folder on the C drive, C:\32788r22fwjfw, which appears to be a complete copy of the drive over and over.

    I am at a loss this time so Please HELP
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, flpegasus :)

    Re-scan with TDSSKiller with the parameters you used before.
    This time if TDSS File System appears, delete it!
    Then attach the latest TDSSKiller log. (How to attach)

    Attempt to run ComboFix using these directions:
     
  3. flpegasus

    flpegasus Private E-2

    ComboFix still will not run in normal startup or in safe mode ... consistently extracts to output folder 32788r22fwjfw, which appears to be an image of the C drive
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    1. Please download HitmanPro.

    2. Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

    3.Click on the next button. You must agree with the terms of EULA.

    4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

    5.Click on the next button.

    6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

    7.When the scan is done right click on the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

    8.Click on the next button.

    9.Click on the "Export scan results to XML file".

    10.Save that file to your desktop and zip and attach it in your next reply.
     
  5. flpegasus

    flpegasus Private E-2

    hitman pro log
     

    Attached Files:

    • log.zip (1.4 KB)
  6. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 31

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the custom scan/fix text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      netbt.sys
      nsiproxy.sys
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\installer\{9a722e5a-ed15-d0eb-3ec8-2c42e11bfa4}\*.*
      C:\Users\Kat\Documents\Downloads\999key\*.*
      C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}\*.*
      C:\Program Files (x86)\searchcom_003\*.*
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
     
  7. flpegasus

    flpegasus Private E-2

    OTL scan results
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the custom scan/fix text-field.
    Code:
    :otl
    SRV - [2011/06/26 02:45:56 | 000,256,000 | ---- | M] () [Auto | Stopped] -- C:\32788R22FWJFW\pev.3XE -- (PEVSystemStart)
    IE - HKU\S-1-5-21-1412358692-4079125580-2316313148-1003\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = https://search.blekko.com/ws/?source=fd56a584&tbp=rbox&toolbarid=searchcom_003&u=20120428304E4B579B5DC00F70B7DEBC&q={searchTerms}
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 10.4.1)
    O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 10.4.1)
    O32 - HKLM CDRom: AutoRun - 1
    O33 - MountPoints2\{6ed0c5e8-8037-11e1-9164-00266cee8ca6}\Shell - "" = AutoRun
    O33 - MountPoints2\{6ed0c5e8-8037-11e1-9164-00266cee8ca6}\Shell\AutoRun\command - "" = E:\KODAK_Software_Downloader.exe
    [2012/06/02 12:15:47 | 000,000,000 | -HSD | C] -- C:\windows\SysWow64\%APPDATA%
    @Alternate Data Stream - 136 bytes -> C:\ProgramData\TEMP:99F8C0E6
    @Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:4EFDF5FB
    @Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:1DD8718C
    :files
    c:\windows\system32\services.exe|C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe /replace
    type C:\Users\Kat\Documents\Downloads\999key\README-HOWTOUSE.txt /c
    C:\Users\Kat\Documents\Downloads\999key /d
    c:\windows\installer\{9a722e5a-ed15-d0eb-3ec8-2c42e11bfa4}
    C:\Users\Kat\AppData\Local\{9a722e5a-ed15-d0eb-3ec8-2c42e11bfa4}
    C:\Program Files (x86)\searchcom_003 /d
    C:\windows\assembly\GAC_32\Desktop.ini
    C:\windows\assembly\GAC_64\Desktop.ini
    c:\windows\system64 /d
    ipconfig /flushdns /c
    netsh int ip reset resetlog.txt /c
    netsh winsock reset /c
    c:\windows\system32\wevtutil.exe cl Application /c
    c:\windows\system32\wevtutil.exe cl Security /c
    c:\windows\system32\wevtutil.exe cl Setup /c
    c:\windows\system32\wevtutil.exe cl System /c
    :commands
    [purity]
    [clearallrestorepoints]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know what problems remain after you have completed these steps.
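The OTL fix in the post above targets three things on this machine: a GUID-named folder under the Windows Installer directory whose `U` subfolder holds `*.@` payload files, a `services.exe` in System32 that differs from the clean copy kept in the WinSxS component store (hence the `/replace` line), and alternate data streams on `C:\ProgramData\TEMP`. The following added example is not from the thread, OTL, or MajorGeeks; it re-implements the first two indicators as a read-only Python check so a reader can see what "patched services.exe" and the `{GUID}\U\*.@` pattern look like on disk. The directory layout, the WinSxS folder name and the file contents are constructed assumptions modelled on the paths quoted in the thread, built in a temporary directory so the script runs offline on any OS; alternate data streams are omitted because they need Windows-specific APIs.

```python
import hashlib
import os
import re
import tempfile

# Loose match for the brace-wrapped hex folder names seen in the thread, e.g.
# {9a722e5a-ed15-d0eb-3ec8-2c42e11bfa4}. The final group is allowed to be
# 11 or 12 characters because the quoted sample has only 11.
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{11,12}\}$", re.I)


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_at_payload_dirs(installer_root):
    """Return (guid_folder, [*.@ files]) pairs for GUID-named folders under the
    Installer directory whose 'U' subfolder contains '.@' files."""
    hits = []
    if not os.path.isdir(installer_root):
        return hits
    for name in sorted(os.listdir(installer_root)):
        folder = os.path.join(installer_root, name)
        u_dir = os.path.join(folder, "U")
        if GUID_DIR.match(name) and os.path.isdir(u_dir):
            payloads = sorted(f for f in os.listdir(u_dir) if f.endswith(".@"))
            if payloads:
                hits.append((folder, payloads))
    return hits


def find_winsxs_services_exe(winsxs_root):
    """Locate the component-store services.exe: the thread's /replace source
    lives in a WinSxS folder whose name contains 'servicecontroller'."""
    if not os.path.isdir(winsxs_root):
        return None
    for name in sorted(os.listdir(winsxs_root)):
        if "servicecontroller" in name.lower():
            candidate = os.path.join(winsxs_root, name, "services.exe")
            if os.path.isfile(candidate):
                return candidate
    return None


def check_services_exe(system32_services, winsxs_root):
    """Compare the live services.exe with the WinSxS copy.
    Returns (mismatch or None if a file is missing, live_hash, reference_hash)."""
    reference = find_winsxs_services_exe(winsxs_root)
    if reference is None or not os.path.isfile(system32_services):
        return None, None, None
    live_hash, ref_hash = sha256_file(system32_services), sha256_file(reference)
    return live_hash != ref_hash, live_hash, ref_hash


def scan(windows_root):
    """Run both checks against a Windows-style directory tree."""
    payloads = find_at_payload_dirs(os.path.join(windows_root, "Installer"))
    mismatch, live_hash, ref_hash = check_services_exe(
        os.path.join(windows_root, "System32", "services.exe"),
        os.path.join(windows_root, "winsxs"))
    return {"payload_dirs": payloads, "services_exe_mismatch": mismatch,
            "services_exe_live_sha256": live_hash,
            "services_exe_reference_sha256": ref_hash}


def build_sample_tree(patched=True):
    """Constructed sample tree (not real data): the GUID folder quoted in the
    thread with U\\80000032.@ and U\\80000064.@, a WinSxS services.exe, and a
    System32 services.exe that is identical to it or has extra bytes appended."""
    root = tempfile.mkdtemp(prefix="win_")
    u_dir = os.path.join(root, "Installer", "{9a722e5a-ed15-d0eb-3ec8-2c42e11bfa4}", "U")
    os.makedirs(u_dir)
    for name in ("80000032.@", "80000064.@"):
        with open(os.path.join(u_dir, name), "wb") as f:
            f.write(b"constructed payload placeholder")
    sxs = os.path.join(root, "winsxs", "amd64_microsoft-windows-s..s-servicecontroller_constructed")
    os.makedirs(sxs)
    os.makedirs(os.path.join(root, "System32"))
    clean = b"constructed clean services.exe bytes"
    with open(os.path.join(sxs, "services.exe"), "wb") as f:
        f.write(clean)
    with open(os.path.join(root, "System32", "services.exe"), "wb") as f:
        f.write(clean + b" + appended stub" if patched else clean)
    return root


if __name__ == "__main__":
    for state in (True, False):
        print("patched" if state else "clean", scan(build_sample_tree(patched=state)))
```

Against a real machine the same functions would be pointed at `C:\Windows`; a hash mismatch only says the two copies differ, so the WinSxS copy should itself be checked (for example by signature) before it is treated as the clean reference.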
     
  9. flpegasus

    flpegasus Private E-2

    ok ... so I stopped Avast until next restart, right-clicked on OTL, run as administrator; the program starts and shortly after stopped responding. At the same time my desktop greys out and nothing works. After 20 min I forced a restart and got a black desktop with a functioning cursor in the middle. I thought that the computer might be running extremely slow and waited quite a while, nothing. I tried restarting in SAFE with the same response. I started with last known good config and got back in.
    OTL pops up then disappears; there is an OTL file under C:\ however it does not contain hhmmss.log, hence the screenshot.
    I did run MGtools and attached the log but I also got an error while running it: "nslookup.exe Ordinal 1108 not found."
    Avast is still advising that this pest has been blocked.
    I want you to know how much I appreciate your help, this one completely stumped me!!!!
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

  11. flpegasus

    flpegasus Private E-2

    New OTL log attached

    Still getting the avast warning "Trojan Horse Blocked"
     

    Attached Files:

  12. thisisu

    thisisu Malware Consultant

    Yes the fix ran into some difficulties but we are getting closer :)

    Download SystemLook from one of the links below and save it to your desktop.
    Download Mirror #1
    Download Mirror #2

    If you have a 64-bit system, please download the 64 bit version from here:
    SystemLook (64-bit)

    • Double-click SystemLook.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :filefind
    services.exe
    :regfind
    9a722e5a-ed15-d0eb-3ec8-2c42e11bfa4
    :folderfind
    {9a722e5a-ed15-d0eb-3ec8-2c42e11bfa4}
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)

    __

    Attempt to run ComboFix using these directions:
    • Delete your old copy of ComboFix.exe. Download a new ComboFix.exe to your desktop.
    • Press and hold the Windows key and then press the letter R on your keyboard.
    • This opens the Run dialog box.
    • Copy and paste the below text inside the text-field:
      • "%userprofile%\desktop\ComboFix" /killall
    • Now press ENTER
    • ComboFix should launch and try to scan. Let me know exactly what happens if it does not run successfully this time around.
    • Attach C:\ComboFix.txt if it was successful. (How to attach)
     
  13. flpegasus

    flpegasus Private E-2

    When ComboFix tries to install, it looks like everything is going well until the last 2 lines, and it says output folder C:\\32788r22fwjfw.
    It looks as though I have a minimum of 30 mirrors under this folder.
    The program never comes up after install.
    I also have several "desktop.ini" files on my desktop now.
     

    Attached Files:

  14. flpegasus

    flpegasus Private E-2

    I turned off Avast, brought up the run window and pasted the text from your post. ComboFix looks like it is installing until the last 2 lines, where it says output folder C:\\32788R22FWJFW ... if you look inside this folder it is a copy of the C drive. It continues to copy itself into this folder over and over in Windows Explorer.
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    Hello,

    The ones on your desktop are normal and will be hidden once again when we are finished with malware removal.

    Download this attached services.zip file.

    Extract the services.exe file inside of it into the root folder of your C: drive ( C:\services.exe )
    It has to be here or the below will not work.

    Once this is done, run this OTLfix below while you are in Safe Mode with Networking.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the custom scan/fix text-field.
    Code:
    :processes
    killallprocesses
    :files
    c:\windows\system32\services.exe|c:\services.exe /replace
    C:\windows\assembly\GAC_32\Desktop.ini /d
    C:\windows\assembly\GAC_64\Desktop.ini /d
    
    Now click the Run Fix button.
    The fix will require a reboot. Allow it to reboot into Normal Mode.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
     

    Attached Files:

    Last edited: Jun 6, 2012
  16. flpegasus

    flpegasus Private E-2

    I'm so frustrated
     

    Attached Files:

  17. thisisu

    thisisu Malware Consultant

    If you are still having problems:

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  18. flpegasus

    flpegasus Private E-2

    Still having the same problem
     

    Attached Files:

  19. flpegasus

    flpegasus Private E-2

    I will continue to work on this tomorrow as I have a chronic illness and need to go lie down. AGAIN I WANT TO THANK YOU FOR YOUR HELP!!!!!
     
  20. thisisu

    thisisu Malware Consultant

    I'm sorry to hear that.
    I have prepared a fix using FRST whenever you are ready to continue.
    Please make sure that the clean services.exe file I uploaded is still in the root directory of C: before proceeding. If it is not there, copy it to there again.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.
     

    Attached Files:

  21. flpegasus

    flpegasus Private E-2

    I am NOT getting the Avast warning after running the last fix.
    Thank you so much!!!:)
     

    Attached Files:

  22. flpegasus

    flpegasus Private E-2

    I guess I spoke too soon ... the trojan warning has stopped .... however I am now getting a malware blocked "Threat detected" C:\program files(x86)windows live\mail\wlmail.exe
    win32:malware-gen
    in file c:\users\kat\appData\local\microsoft\windows live mail\tmp.ebd
     
  23. thisisu

    thisisu Malware Consultant

  24. flpegasus

    flpegasus Private E-2

    Avast was telling me I needed to restart, so I set a boot time scan to run....after restart I am not getting any warnings and everything seems to be functioning properly...
    Again I want to thank you for your help!!!
     
  25. thisisu

    thisisu Malware Consultant

    You're welcome. :)
    • If you are not having any malware problems we can wrap this thread up.
    • If you are still having malware problems then I will need to see the results from the ESET online scan next.

    __

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If we had you run FRST, the c:\FRST folder can be deleted at this time.
    7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    8. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    9. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    10. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
    Be safe :)
     
