Infection type .exe stops antivirus and takes over admin rights

Please do not post inline logs, use the manage attachments button. Thanks.

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

Please read ALL of this message including the notes before doing anything.

Pleases follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and attach the requested logs when you finish these instructions.

• **** If something does not run, write down the info to explain to us later but keep on going. ****
• Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

• After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
   
   • Starting your computer in Safe mode
2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
   • Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
​

 

It is a bad idea to run more than one antivirus at once, please uninstall one of them now before we continue.

• avast! Free Antivirus
• AVG 2011

If the below are just free trials then please uninstall them, if you paid for them, consider uninstalling them.

• ParetoLogic Data Recovery
• ParetoLogic PC Health Advisor
• Uniblue RegistryBooster
• Registry Mechanic 10.0

I see you ran scans in safe mode, please complete the below in normal mode unless you absolutely cannot.


Download and run Win32kDiag per the below instructions:

• Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
• Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log

C:\win32kdiag.exe -f -r


Now we need to scan the system with this special tool.

• Please download Junction.zip and save it to your root folder (C:\Junction.zip)
• Unzip it and put junction.exe in the root folder (C:\junction.exe)
• Now click Start => Run... => Copy and paste the following command in the run box and click OK:
  
  cmd /c junction -s c:\ >C:\log.txt
  ​
• A command prompt window opens and also a license agreement from SysInternals will appear.
• Accept the license agreement and the scan will begin.
• Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes). (How to attach items to your post)
• NOTE: It scans your whole hard disk so if can take a long time. Be patient and don't do anything else while it is scanning.

And one more scanning tool I want to use to collect more information is OTL per the below.

Please download OTL by Old Timer to your desktop.
See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

1. Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
2. When OTL opens, change the Output (at the top-right portion of the program) to Minimal Output.
3. Put check-marks in LOP Check and Purity Check.
4. Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.

• When the scan is complete, two logs entitled OTL.txt and Extras.txt will be created on your desktop.
• Attach both of these logs to your next message as well as any other requested logs.

If you did not deliberately set this proxy yourself then please include it in the HJT fix below:

• R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

• R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = plimus.com,www.plimus.com,regnow.com,www.regnow.com,
• R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.qword.com/?s=1
• O2 - BHO: Softonic-Eng7 Toolbar - {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - (no file)
• O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
• O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
• O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
• O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - (no file)
• O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - (no file)
• O15 - Trusted Zone: http://www.arkhan.org
• O15 - Trusted Zone: http://*.arkhan.org
• O15 - Trusted Zone: *.qword.com
• O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (file missing)
• O23 - Service: QWRNVPQTKDU - Unknown owner - C:\Users\Martyn\AppData\Local\Temp\QWRNVPQTKDU.exe (file missing)

After clicking Fix exit HJT.


Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

• Right-click OTM.exe And select " Run as administrator " to run it.
• Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.

Code:

:reg
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\XKZNYWSHY]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F48DA960-0FD9-4BB5-9826-C0C271C6C74D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Pqicilexe]

:files
C:\Users\Martyn\AppData\Local\fc791de1
C:\Users\Martyn\AppData\Local\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb
C:\Windows\Temp\CR_584D1.tmp
C:\Windows\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb
C:\windows\system32\9B13A86D.plf
C:\Windows\assembly\GAC_MSIL\Desktop.ini
C:\Windows\3776805372
C:\Windows\$NtUninstallKB7783$\1546955388                                                       
C:\Windows\$NtUninstallKB7783$\4235795937                                                       
C:\Windows\$NtUninstallKB7783$\4235795937\@                                                      
C:\Windows\$NtUninstallKB7783$\4235795937\click.tlb                                              
C:\Windows\$NtUninstallKB7783$\4235795937\L                                                      
C:\Windows\$NtUninstallKB7783$\4235795937\L\qnbwvoto                                             
C:\Windows\$NtUninstallKB7783$\4235795937\loader.tlb                                             
C:\Windows\$NtUninstallKB7783$\4235795937\U                                                      
C:\Windows\$NtUninstallKB7783$\4235795937\U\@00000001                                            
C:\Windows\$NtUninstallKB7783$\4235795937\U\@000000c0                                            
C:\Windows\$NtUninstallKB7783$\4235795937\U\@000000cb                                           
C:\Windows\$NtUninstallKB7783$\4235795937\U\@000000cf                                            
C:\Windows\$NtUninstallKB7783$\4235795937\U\@80000000                                            
C:\Windows\$NtUninstallKB7783$\4235795937\U\@800000c0                                           
C:\Windows\$NtUninstallKB7783$\4235795937\U\@800000cb                                           
C:\Windows\$NtUninstallKB7783$\4235795937\U\@800000cf 

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


Now re-run TDSSKiller and attach the NEW log, please.

See if Combofix will now run.

Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know how things are running for you now.

 

Do you have the logs from OTL? Thanks.

 

Seemed you skipped the OTL step

 

Address my previous question about the proxy server please. I assume you are purposely set up to use one?

Also, tell me, were you ever able to run rootrepeal? Can you try now please and attach the log. (Refer to instructions in R&R)


We need to run an OTL Fix

• Right-click OTL.exe And select " Run as administrator " to run it. If Windows UAC prompts you, please allow it.
• Copy and Paste the following code into the textbox. Do not include the word Code

Code:

Code:

:otl
@Alternate Data Stream - 194 bytes -> C:\ProgramData\TEMP:D1B5B4F1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.qword.com/?s=1

:files
C:\Windows\System32\drivers\loeaqcp.sys
C:\Windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
  
:commands
[EMPTYTEMP]
[RESETHOSTS]
[REBOOT]

• Then click the Run Fix button at the top.
• Click Image.
• OTL may ask to reboot the machine. Please do so if asked.
• The report should appear in Notepad after the reboot. ATTACH that report in your next reply.

Download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
• It will create a folder named HostsXpert in whatever folder you extract it to.
• Run HostsXpert.exe by double clicking on it.
• Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
• Click Restore Microsoft's Hosts File and then click OK.
• Click the X to exit the program

Re run TDSSKiller and attach the new log.



Download this file to your desktop

Kaspersky Virus Removal Tool

Run the program you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan.

• On the first tab select all elements down to Computer and then select start scan.
• Once it has finished select report, save and attach that.

Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop.

Now an analysis scan

• Select the Manual Disinfection tab
• Press the Gather System Information button
• Once done , still on the Manual Disinfection tab click the little icon of a file which is the "reports" button. Now click on Manual Disinfection report.You should see an option to save a report here with a little button with an icon of a disk. Attach this log please.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Are you now able to use normal mode??

 

Can you zip it for me?

 

but I did use some proxy configurating programs

If you no longer use this ProxySwitcher Standard then please uninstall it at a lter date when you are able to, otherwise leave it alone.

However I still can't run in normal mode. Hmm, I want you to do the below.


Use another PC to try create one or more of the below CDs to boot from that allow you to run scans and perform many other tasks without Windows even being loaded. Sometimes this can help to get you started when all else fails. They can even help in cases where a previous scan may have removed something that resulted in your PC being unbootable.

• Avira Rescue CD
• AVG Rescue CD
• BitDefender Rescue USB
• F-Secure Rescue CD
• Kaspersky Rescue Disk.
• SystemRescueCD
• Trinity Rescue CD

Let me know how you get on with that. Perhaps afterwards you might be able to access normal mode again.

Please also run OTL like I outlined in post # 8. Attach the log.

Then: Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Good. Please see if Combofix will now run.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.