"HKEY_LOCAL_MACHINE" Trojan - Please Help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by circadian squid, Jul 8, 2009.

  1. circadian squid

    circadian squid Private E-2

    Dear Sir / Madam,

    My laptop became infected on 07/06/09 with a Trojan. I have run my anti-virus and anti-Malware software which typically identifies ~22 Trojans each time. It quarantines & deletes all but 2 which it states will be deleted on reboot. The problem: standard reboot is disabled and the screen goes to black before the initial login screen. I was able to successfully login through SafeMode with a manual / forced shutdown and reboot. In SafeMode, all audio features are disabled and multiple Microsoft Windows error boxes (around 14 each time) automatically pop up stating various applications have stopped working. e.g.:

    "mkvknro.exe has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available"

    "Dr. Web scanner for Windows has stopped working . . . "

    "Gbohotjhaz eqepo has stopped working . . . " etc.

    Basically I am prevented from standard login, audio is disabled, and I am stuck at this point as all of my antivirus and malware programs quarantine all but 2 trojans which are to be deleted on reboot, however, standard reboot is disabled. Any assistance that can be provided would be extremely helpful and sincerely appreciated. I will include the full Malwarebytes' Anti-Malware 1.34 scan log below:

    Malwarebytes' Anti-Malware 1.34
    Database version: 1749
    Windows 6.0.6000

    7/6/2009 7:12:53 PM
    mbam-log-2009-07-06 (19-12-53).txt

    Scan type: Quick Scan
    Objects scanned: 65026
    Time elapsed: 13 minute(s), 4 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 6
    Registry Values Infected: 2
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    C:\Windows\Fonts\services.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\glaide32 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\glaide32 (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Zlob.H) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\System32\gsf83iujid.dll (Trojan.Zlob.H) -> Delete on reboot.
    C:\Windows\System32\msxml71.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Windows\System32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Windows\System32\drivers\glaide32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\Brian Curtis\AppData\Local\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\Brian Curtis\AppData\Local\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\Brian Curtis\AppData\Local\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Users\Brian Curtis\AppData\Local\Temp\j.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Brian Curtis\AppData\Local\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Windows\Fonts\services.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.

    • If you have problems where no tools seem to run, please try following the steps given below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First. If TDSSserv is not found, just continue on with the READ & RUN ME.
    READ & RUN ME FIRST. Malware Removal Guide

    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. circadian squid

    circadian squid Private E-2

    TimW,

    Thank you very much for the prompt reply and this information. I apologize for not initially following the procedures outlined in the "READ & RUN ME FIRST" section. I have completed the process and did run into a few road-blocks with a few of the downloads and logs. This is likely due to my limitation of being in Safe Mode through all steps prior to running Combo Fix. Upon reboot following Combo Fix my laptop now is able to login through Normal mode and my system appears to be virus-free.

    The Malwarebytes log is substantially larger this time around compared to my initial post. I kept record of all notices and errors throughout the READ & RUN ME FIRST steps which I will copy / paste below:

    "Updating Sun Java:

    1) Would not allow Java(TM) SE Runtime Environment 6 to be uninstalled

    error: "Windows Installer" "The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance."

    2) Upon attempting to run/install the latest Java: Error Screen: "The Windows Installer service is not accessible in Safe Mode. Please try again when your computer is not in Safe Mode or you can use System Restore to return your machine to a previous good state."

    MSconfig for Normal Startup Mode

    1) In the General tab, "Normal Startup" was selected. Re-selected, clicked Apply & OK to reboot PC. Upon reboot, same black screen preventing login in normal mode. Had to manually shut down, restart & enter Safe Mode.

    Enable viewing of hidden files, system files and file extensions

    1) There is no "Organize" option after selecting "Explore" after right-clicking the Start menu as directed in the "How to view hidden, system files & folders!" post by chaslang. I am unaware if this is unique to my being in Safe Mode, but would assume this is the cause of my difficulty. I researched online how to potentially enable hidden files in Safe Mode and was unsuccessful. Other options for Vista include accessing "Folder Options" through Start--Control Panel--Appearance and Personalization (named simply "Personalization" in my Vista version)--Folder Options. Unfortunately there is no "Folder Options" listed in my Personalization folder.

    Step 3: Installing Tools & Running Scans - SUPERAntiSpyware

    1) I can run the SAS.exe file which then takes me to a "Windows Installer" popup with "Windows Installer. V.4.00.6000.0" at the top, a listing of text and an OK button at the bottom. When I click OK the box disappears, however, there is no icon created on the desktop and the program also does not appear through Start--All Programs either. As a huge feature of this trojan is multiple "Windows Explorer" error notices indicating Windows Explorer has stopped working, immediately followed by a notice that Windows Explorer is restarting (this happens around 14-15 times), I would assume it is preventing SUPERAntiSpyware from becoming functional. I have not found a solution to this problem on the MajorGeeks forum. It allows the .exe file to run, but fails to create a desktop icon & the program cannot be located. Unfortunately this prevented me from moving forward with this step to run the program and generate a log report. Suggestions?

    MalWare:

    1) Following scan, ensured everything was checked, clicked remove selected, an info box popped up stating: "Regedit has been disabled and will affect the quarantining process. Malwarebytes' Anti-Malware will not enable Regedit." I clicked "OK" and quarantining resumed.

    2) **PLEASE REVIEW PRINTSCREEN ATTACHMENT NOTICE GIVEN OF TROJANS THAT COULD NOT BE REMOVED** - - clicked "YES" on this notice to restart computer; restart in normal mode was once again disabled. Manually shut down & entered Safe Mode.

    **SYSTEM REBOOTED SUCCESSFULLY IN NORMAL MODE FOLLOWING COMBO FIX SCAN**

    RootRepeal:

    1) Downloaded the .rar file, extracted with WinRAR to desktop. Upon attempting to open program I received a "RootRepeal Error" message reading "Attempt to read from address: 0x00e5a000" - - I clicked OK & a notice that RootRepeal has stopped working appears. I have tried this numerous times, using the .zip download as well, but still receive this error. "

    ______

    After reviewing the attached logs and printscreen, please let me know if additional actions would be desired (i.e. attempting the initially erroneous scans and downloads now that Normal login is no longer restricted) and I will perform these promptly. Thank you once again for all of your help as it is sincerely appreciated.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The first thing you need to do after disconnecting from the internet (pull the cable) is to contact your banks and credit card companies and alert them that your private info may have been stolen.

    Then use a different computer to change all of your passwords

    You did not attach the combo log.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  5. circadian squid

    circadian squid Private E-2

    Thank you once again for all of your help. The requested logs are attached.

    On a side note: I have been checking my financial accounts due to this recent trojan and have not noticed any suspicious activity. I will call and cancel all credit cards & I have already changed my passwords on a separate PC. My only question is regarding my actual checking account number & PIN at my credit union. I ensured not to log into any financial accounts through the duration of the virus. Do you recommend going to the lengths of closing this checking account and starting a completely separate one due to this situation? Any advice you can give would be much appreciated.

    Thanks again & please let me know if any further steps are necessary.

    Brian
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As long as you have changed your passwords, you should be fine. I don't know how much you use your computer for online banking, but the infection was a password stealer.

    We still have work to do:

    Please use add/remove programs to uninstall:
    Java(TM) SE Runtime Environment 6

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):
    Now,

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\1354487696
    C:\mkvknro.exe
    C:\xxqkc.exe
    C:\Windows\Ljewoboxebod.dat
    C:\Windows\okuhofusocacezaf.dll
    C:\Windows\Vzopuqolezib.bin
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    C:\Windows\System32\wafojomi
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now download and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  7. circadian squid

    circadian squid Private E-2

    The requested logs are attached. Thanks once again for your help and please let me know if any further action may be required.
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Some of the files were not removed by Combo, so let's try again.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\xxqkc.exe 
    C:\mkvknro.exe
    C:\Windows\Ljewoboxebod.dat
    C:\Windows\okuhofusocacezaf.dll
    C:\Windows\Vzopuqolezib.bin
    C:\Users\Brian Curtis\AppData\Local\temp\MARCA02.tmp
    C:\Users\Brian Curtis\AppData\Local\temp\mard1d0.tmp  
    C:\Users\Brian Curtis\AppData\Local\temp\marf65f.tmp  
    C:\Users\Brian Curtis\AppData\Local\temp\marf71b.tmp 
    
    Folder::
    C:\Users\Brian Curtis\AppData\Local\temp\MARCA02.tmp
    C:\Users\Brian Curtis\AppData\Local\temp\mard1d0.tmp  
    C:\Users\Brian Curtis\AppData\Local\temp\marf65f.tmp  
    C:\Users\Brian Curtis\AppData\Local\temp\marf71b.tmp 
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
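The two CFScripts above (posts 6 and 8) share one format: a directive line ending in "::" (KILLALL::, File::, Folder::) followed by its entries, with a blank line closing each section; post 8 exists because some targets from post 6 were "not removed by Combo". The script below is an added example, not part of the original thread and not ComboFix's own code: it parses that layout and, run after the reboot, lists which File::/Folder:: targets are still present so a second pass can be aimed at exactly those paths (the posted scripts list the same .tmp paths under both File:: and Folder::, so the result is de-duplicated). The sample script is a trimmed copy of the ones above; `demo()` stands in for the on-disk check using a temporary directory, and the `exists` parameter is the example's own hook for testing.

```python
"""Parse a ComboFix CFScript and report which of its targets survived (added example)."""
import os
import tempfile

# Constructed sample: trimmed from the CFScripts posted above. Note the trailing
# space after "xxqkc.exe " and the duplicate .tmp path, both copied from the thread.
SAMPLE_CFSCRIPT = r"""
KILLALL::

File::
C:\xxqkc.exe 
C:\mkvknro.exe
C:\Windows\Ljewoboxebod.dat
C:\Users\Brian Curtis\AppData\Local\temp\MARCA02.tmp

Folder::
C:\Users\Brian Curtis\AppData\Local\temp\MARCA02.tmp
"""


def parse_cfscript(text):
    """Return {directive: [entries]}.

    A directive is a line ending in '::'; its entries are the following lines up
    to the next blank line. Entries are stripped, so a stray trailing space does
    not turn into a path that can never match.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None                 # blank line closes the section
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry outside any directive: {line!r}")
        sections[current].append(line)
    return sections


def remaining_targets(sections, exists=os.path.exists):
    """File::/Folder:: targets that still exist; after the reboot this should be empty."""
    targets = sections.get("File", []) + sections.get("Folder", [])
    return sorted({t for t in targets if exists(t)})   # set() drops the duplicates


def demo():
    """Stand-in for the post-reboot check: one listed file is left behind, one is gone."""
    with tempfile.TemporaryDirectory() as tmp:
        survivor = os.path.join(tmp, "mkvknro.exe")
        open(survivor, "w").close()        # the file the first pass failed to remove
        script = "KILLALL::\n\nFile::\n" + survivor + "\n" + os.path.join(tmp, "xxqkc.exe") + "\n"
        return remaining_targets(parse_cfscript(script))


if __name__ == "__main__":
    for path in demo():
        print("still present:", path)
```

On the infected machine the call is simply `remaining_targets(parse_cfscript(open("CFscript.txt").read()))` run after the reboot; `os.path.exists` sees hidden and system files, so the Folder Options problem described earlier in the thread does not affect the check.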
     
