My poor infected laptop...

Discussion in 'Malware Help (A Specialist Will Reply)' started by frustratedzombie, Oct 15, 2010.

  1. frustratedzombie

    frustratedzombie Private E-2

    Greetings, oh high supreme geeks here at MajorGeeks!

    I have recently discovered a trojan/virus infection on my laptop, which I am unfortunately unaware of its origin. After several attempts at self-resolution, I find I am in a somewhat deeper hole now. What began as a repeating Alureon.CT infection that Microsoft Security Essentials could not seem to eliminate, has morphed into a fake-AV suite, AV 2010 I believe, that has gained a chokehold on my poor laptop.

    I have run through all of the steps in the forum post READ & RUN ME FIRST. Malware Removal Guide to no avail, as the infection persists. I will be attaching the appropriate logs in this post and a subsequent reply.

    I humbly ask for your assistance, as I am apparently not the 'IT pro' I think I am!
     

    Attached Files:

  2. frustratedzombie

    frustratedzombie Private E-2

    Please find attached the remaining log.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    Antivirus 2010

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    chyohbgw
    fqinztyu
    mdudveih
    mdvutynz
    mhaehprk
    oqmsveqq
    wbswpwoe
    
    File::
    c:\windows\system32\drivers\wbswpwoe.sys
    c:\windows\system32\drivers\oqmsveqq.sys
    c:\windows\system32\drivers\mhaehprk.sys
    c:\windows\system32\drivers\mdvutynz.sys
    c:\windows\system32\drivers\mdudveih.sys
    c:\windows\system32\drivers\fqinztyu.sys
    c:\windows\system32\drivers\chyohbgw.sys
    C:\jsfhjjsd.bat
    C:\Windows\temp\{E9C1E0AC-C9B1-4c85-94DE-9C1518918D02}.tlb
    C:\Windows\temp\{E9C1E0AC-C9B1-4c85-94DE-9C1518918D01}.tlb
    
    Folder::
    C:\Windows\temp\mife
    C:\Windows\temp\wjnx
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!


    Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory (usually Local Disk C).
    • Attach this log to your next message

    Now download and install an AV program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * TDSSKiller log.
    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. frustratedzombie

    frustratedzombie Private E-2

    Alright, I attempted the steps requested by you, however I now have a few issues:

    1. ComboFix kept giving Access Denied errors, both when creating a registry backup and then after, sitting idle for well over 30 minutes.

    2. TDSSKiller ran, and I have the log which will be attached, however I can no longer boot into normal mode. I have a recurring issue described as such:

    Dell boot screen > Windows Logo > BSOD and Reboot > Repeat

    I was able to boot into Safe Mode, which is how I'm communicating now.

    Please find attached the logs from MGTools and TDSSKiller.

    Thanks for your time!
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Open msconfig and check the boot tab. Is Safe Boot checked?

    Do you have your OS CD? If so, change the boot order in the bios to cd-rom as first boot device, then boot to the CD. Get into the recovery console and type:
    fixboot.

    Let me know if that works.
     
  6. frustratedzombie

    frustratedzombie Private E-2

    Safe Boot is not currently selected.

    Also, I have practically turned my house inside-out looking for my Dell disk, but to no avail. Assuming I cannot locate it, what would be some alternatives?
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Two things to try.

    First run MBAM and choose to do a full scan.

    Next, try to create this disc:
    Vista and Win7 Recovery disc

    You may need to change the boot order in your bios to cd-rom as first device.

    For fixing the boot issues:
    To run the Bootrec.exe tool, you must start Windows RE. To do this, follow these steps:

    1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
    2. Press a key when you are prompted.
    3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
    4. Click Repair your computer.
    5. Click the operating system that you want to repair, and then click Next.
    6. In the System Recovery Options dialog box, click Command Prompt.
    7. Type Bootrec.exe, and then press ENTER.


    Let me know how you do with this.
     
  8. frustratedzombie

    frustratedzombie Private E-2

    MBAM ran for approximately 2 seconds, shut itself down, and would not restart. It gave an error message stating I either didn't have permission, or that it could not locate the program.

    I successfully created the recovery disc, did FixBoot, which completed successfully, however I am still having the same issue.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    @Chaslang, sorry, but I am missing that.

    @frustratedzombie Go to start / programs / accessories / and right click Command Prompt. Choose to run it as administrator. Then when it opens, type:
    cacls "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /G Everyone:F
    and press enter on your keyboard.

    Now try to run a full scan with MBAM.
     
  11. frustratedzombie

    frustratedzombie Private E-2

    Followed your steps, and got the same result, unfortunately. 2 seconds and out.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First, you must verify that you can access the Vista Recovery Environment.
    To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu.
    If the option 'Repair your computer' is available, select it.

    If not available, you will need to insert your Vista installation dvd and restart, then press any key when prompted to boot from the cd.
    At the Install Windows screen, select Repair your computer. (image below)

    http://noahdfear.net/WTT/3.gif

    Next, please download maxlook, saving the file to your desktop.
    Double click maxlook.exe to run it. Note - you must run it only once!
    As instructed when the tool runs, restart the computer and logon to the Recovery Environment.
    Once you get to the System Recovery Options screen, first take note of the drive letter assigned to the operating system, then select Command Prompt.

    http://noahdfear.net/WTT/5.gif

    Type the following bolded command at the x:\sources> prompt (or x:\windows\system32>) then hit Enter.

    cd /d x:\windows <--- the red x represents your operating system drive letter, as shown in the image below


    http://noahdfear.net/WTT/lookvis.gif

    At the C:\Windows> prompt type the following command then hit Enter

    look.bat

    You will see many files copied then return to the x:\windows> prompt.
    Type Exit then restart your computer and logon in normal mode.


    Please go to start > run and type

    maxlook -sig

    and hit enter. A logfile will open, please post back with the content of the logfile.
     
  13. frustratedzombie

    frustratedzombie Private E-2

    Followed all steps, as instructed. Would not boot into Normal mode.

    I'm getting a very bad feeling about the future of my laptop, lol...
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Were you not able to run Maxlook?
     
  15. frustratedzombie

    frustratedzombie Private E-2

    Maxlook performed the file copying in the Recovery Console, rebooted, would not boot into Normal Mode. I attempted to run the maxlook -sig command while in Safe Mode, but it did not execute.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We know that the svchost (\\.\globalroot\Device\svchost.exe\svchost.exe) is the cause of your issues, but we needed Maxlook to uncover the file. Let me consult with Chaslang again to see what other course of action we can take.
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try this while I am waiting on Chas.

    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple of minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the avplog.txt file that will hopefully be created on your Desktop, as long as the malware does not block the batch file from running. (See: HOW TO: Attach Items To Your Post)

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator


    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.

    If you are having problems running Rkill, you can download iExplore.exe or eXplorer.exe, which are renamed copies of Rkill.com, and try them instead.

    * If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run then try to immediately run the following.

    Now download and Run exeHelper from Raktor

    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    If you already have them installed, be sure to update Malwarebytes and SUPERAntiSpyware before the scan!

    Now try to run MBAM.

    Now run this: SUPERAntiSpyware - running & getting a log

    Now run this: C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Now you need to attach (See: HOW TO: Attach Items To Your Post ) the below logs created while running the above scans

    • exeHelper log
    • Malwarebytes Anti-Malware log
    • MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.
     
  18. frustratedzombie

    frustratedzombie Private E-2

    Everything ran, except for the following:

    1. MalwareBytes ran for 2 seconds, then ended. This was on a fresh reinstall/update.

    2. SUPERAntiSpyware ran and scanned about 1000 files, then ended. This was on a fresh reinstall/update.

    Please find attached the logs from the remaining processes.
     

    Attached Files:

  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    RKill found the same file.

    Try this:
    Download Rootkit Unhooker from HERE.
    Save it to your desktop.
    Now double-click to run RootkitUnhooker.
    Click the Report tab, then click Scan.
    Select the pages Drivers, Stealth, Files, Code Hooks. Uncheck the rest. Click OK.
    Wait till the scanner has finished and then click File, Save Report.
    Save the report somewhere where you can find it. Click Close.
    Attach the report to your next reply.
     
  20. frustratedzombie

    frustratedzombie Private E-2

    No dice. Gave the following error message (see attached).
     

    Attached Files:

  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  22. frustratedzombie

    frustratedzombie Private E-2

    It ran, although it closed abruptly. It did generate a report, however. Please see attached.

    And if it wasn't already apparent, thank you so much for all the help you are and have provided. I do appreciate it. :)
     

    Attached Files:

  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am going to leave you tonight and will be back tomorrow. Hopefully Chaslang will have some suggestions by then. In the meantime, you might want to start considering backing up your data and personal files in case we have to do a complete reformat and clean re-install. :(
     
  24. frustratedzombie

    frustratedzombie Private E-2

    I kinda figured as much. I already started backing up, hehe.

    Thanks again. :)
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see what Chas may have to suggest before the re-install. Though that may well be the safest thing to do, it may come to that.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boot the Vista Recovery Environment again but this time choose Command Prompt to open a command prompt. When you get the C:\Windows> prompt type the below command and hit the enter key

    maxlook -sig

    Tell me exactly what happens.

    Then no matter what happens, continue on to trying to do all of the below ( in safe or normal boot mode, whichever you can run). Keep going no matter what.




    Please download ProcessExplorer
    • Unzip it to its own folder somewhere you can locate it.
    • Now run procexp.exe by double clicking on it.
    • Let's configure some options first:
      • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLLs is checked.
      • Now click on the below if you see it. If it does not show click on winlogon.exe instead.
      • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    • Now click on File and then Save As. And save the process list.
    • Post it back here as an attachment.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • the log from Process Explorer
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
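The helpers in this thread called the infection from two things read by eye: the batch of eight-letter driver names in the CFScript (post 3) and the svchost.exe whose image path is a raw device object, \\.\globalroot\Device\svchost.exe\svchost.exe (post 16), which is what the Image Path column in Process Explorer above is meant to expose. The script below is an added example, not code from the thread or from any of the tools it names; it automates that triage over constructed inventories. The baseline set, the sample driver and process lists, and the cluster threshold are all assumptions made for the example.

```python
"""
Added example, not from the MajorGeeks thread or any of the tools it names.
It automates the triage the helpers did by eye: compare a driver inventory
against a known-good baseline, flag a batch of same-shaped unknown names (the
eight-letter .sys files in TimW's CFScript), and flag process image paths
like the \\.\globalroot\Device\svchost.exe\svchost.exe named in post 16.
All inventories and the baseline below are constructed for the example.
"""
import re

# Constructed baseline. On a real case, build it from a clean install of the
# same Windows build (dir /b %SystemRoot%\System32\drivers), never from memory.
BASELINE_DRIVERS = {
    "ntfs.sys", "tcpip.sys", "dxgkrnl.sys", "ataport.sys", "mountmgr.sys",
    "kbdclass.sys", "mssmbios.sys", "volsnap.sys", "disk.sys", "ndis.sys",
}

# Naming shape of the dropped drivers in this thread: eight lowercase letters.
# Legitimate drivers match too (mountmgr.sys, kbdclass.sys), so the shape alone
# is weak; it only counts for names that are ALSO absent from the baseline.
RANDOM_SHAPE = re.compile(r"^[a-z]{8}\.sys$")


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_drivers(driver_paths, baseline=BASELINE_DRIVERS, min_cluster=3):
    """Return (unknown, cluster).

    unknown: driver paths whose file name is not in the baseline.
    cluster: the unknown drivers matching RANDOM_SHAPE, reported only when at
             least min_cluster of them exist; one odd name is not a finding,
             a batch dropped together is.
    """
    unknown = [p for p in driver_paths if basename(p) not in baseline]
    cluster = [p for p in unknown if RANDOM_SHAPE.match(basename(p))]
    if len(cluster) < min_cluster:
        cluster = []
    return unknown, cluster


def triage_processes(processes, system_root=r"c:\windows"):
    """Return [(image_path, reason)] for processes whose image path is wrong.

    processes: iterable of (process name, image path) as Process Explorer's
    Image Path column shows them.
    """
    expected_svchost = system_root.lower() + r"\system32\svchost.exe"
    findings = []
    for name, path in processes:
        low = path.lower()
        if low.startswith("\\\\.\\globalroot\\") or low.startswith("\\device\\"):
            # A user-mode image backed by a device object instead of a file on
            # a lettered volume is how the rootkit in this thread hid its payload.
            findings.append((path, "image path is a device object, not a file on a volume"))
        elif name.lower() == "svchost.exe" and low != expected_svchost:
            findings.append((path, "svchost.exe running from outside %SystemRoot%\\System32"))
    return findings


# Constructed inventories modelled on the thread's logs.
SAMPLE_DRIVERS = [
    r"c:\windows\system32\drivers\ntfs.sys",
    r"c:\windows\system32\drivers\mountmgr.sys",
    r"c:\windows\system32\drivers\wbswpwoe.sys",
    r"c:\windows\system32\drivers\oqmsveqq.sys",
    r"c:\windows\system32\drivers\mhaehprk.sys",
    r"c:\windows\system32\drivers\mdvutynz.sys",
    r"c:\windows\system32\drivers\tcpip.sys",
    r"c:\windows\system32\drivers\vendorfilter.sys",  # unknown, but not the shape
]

SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", r"\\.\globalroot\Device\svchost.exe\svchost.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("svchost.exe", r"C:\Windows\Temp\wjnx\svchost.exe"),
]


if __name__ == "__main__":
    unknown, cluster = triage_drivers(SAMPLE_DRIVERS)
    print("drivers not in baseline:", [basename(p) for p in unknown])
    print("random-name cluster:", [basename(p) for p in cluster])
    for path, reason in triage_processes(SAMPLE_PROCESSES):
        print("process finding:", path, "->", reason)
```

The baseline diff is the load-bearing check; the eight-letter regex only ranks what the diff already produced, because plenty of legitimate Microsoft drivers have the same shape. A single unknown driver with that name is noise, four of them dropped into the same directory is the pattern this thread was fighting.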
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Almost forgot! See if you can run the below online scan.


    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Attach this log to your next post.
     
  28. frustratedzombie

    frustratedzombie Private E-2

    Ok, here's the 'tale of the tape':

    1. maxlook -sig gave the following error message:
    'maxlook' is not recognized as an internal or external command, operable program or batch file.

    Then it returns to the command prompt.

    2. ProcessExplorer installed and ran for about 5 seconds, then shut off.

    3. MGTools log enclosed with this post, however I noticed a lot of error messages in the text while it ran.

    4. Kaspersky ran fine, found 2 rootkits. See attached logfile.
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r
     
  30. frustratedzombie

    frustratedzombie Private E-2

    See attached.
     

    Attached Files:

  31. frustratedzombie

    frustratedzombie Private E-2

    Should I assume a format/reinstall is in order then? :)
     
  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would have to say that is probably the safest choice. :(
     
  33. frustratedzombie

    frustratedzombie Private E-2

    No worries! If anything, I learned a little from you guys in your attempts at restoring my system. :)

    Thanks again for your help and assistance. Time to back up 100GB of data, hehe. ;)
     
  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Be careful of what you back up. Once you are back up and running, do a malware scan or two on your backups.
     
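TimW's advice above, scan the backups before trusting them, is worth doing by content and not only by extension: a dropper renamed to track02.mp3 is still a PE file, and invoice.pdf.exe is a PDF only to a user with extensions hidden. The script below is an added example, not code from the thread, that reads the leading bytes of each file in a backup set and reports anything whose real type does not fit its name. The sample backup tree it builds in a temporary directory, the magic-byte table and the list of executable extensions are all assumptions made for the example.

```python
"""
Added example, not from the thread: a content-based audit of a backup set
before it is restored onto the rebuilt machine. Extension checks are not
enough, so the audit sniffs each file's leading bytes and compares the real
type with the extension. The sample backup tree is constructed in a temp dir.
"""
import os
import shutil
import tempfile

# Extensions that have no business in a "documents and music" backup.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd",
                  ".vbs", ".js", ".lnk", ".sys"}

# Leading bytes -> type. Kept short on purpose; extend for the formats you keep.
MAGIC = [
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"ID3", "mp3"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls, can carry macros
    (b"PK\x03\x04", "zip"),                        # also .docx/.xlsx containers
]

EXPECTED_TYPE = {".mp3": "mp3", ".pdf": "pdf", ".doc": "ole", ".xls": "ole",
                 ".docx": "zip", ".xlsx": "zip", ".zip": "zip"}


def sniff(head):
    """Classify a file by its first bytes; 'unknown' when no magic matches."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def audit_file(path):
    """Return a reason the file should not be restored blindly, else None."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(8)
    kind = sniff(head)
    if kind == "pe":
        return "PE executable content (extension %s)" % (ext or "none")
    if ext in EXECUTABLE_EXT:
        return "executable extension in a documents/music backup"
    expected = EXPECTED_TYPE.get(ext)
    if expected and kind != expected:
        return "extension %s but content looks like %s" % (ext, kind)
    if kind == "ole":
        return "legacy Office binary format, may carry macros; open with macros disabled"
    return None


def audit_backup(root):
    """Walk the backup tree and return sorted [(relative path, reason)]."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = audit_file(full)
            if reason:
                rel = os.path.relpath(full, root).replace("\\", "/")
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_backup():
    """Constructed backup set: mostly clean, with the classic tricks mixed in."""
    root = tempfile.mkdtemp(prefix="backup-audit-")
    samples = {
        "music/track01.mp3": b"ID3\x03\x00" + b"\x00" * 64,
        "docs/notes.pdf": b"%PDF-1.4\n" + b"\x00" * 32,
        "docs/report.docx": b"PK\x03\x04" + b"\x00" * 32,
        "docs/budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32,
        "music/track02.mp3": b"MZ\x90\x00" + b"\x00" * 64,     # PE renamed as audio
        "docs/invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 64,  # double extension
        "docs/readme.txt": b"just text\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_backup()
    try:
        for rel, reason in audit_backup(root):
            print(rel, "->", reason)
    finally:
        shutil.rmtree(root)
```

Run it over the real backup root instead of the constructed tree and review every line it prints before copying anything onto the clean install; the audit is a filter for what an AV scan should look at hardest, not a replacement for that scan.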
  35. frustratedzombie

    frustratedzombie Private E-2

    It's just personal documents and music, nothing which should be compromised, but I will be ever diligent in scouring them for infections. Last thing I need is to mess up this laptop again, lol. ;)
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know, so let us know how it goes. :)
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry I could not get back to you sooner to try and continue with these. Real work had me extremely busy this week and I had no time to be here at all for a few days.
     
  38. frustratedzombie

    frustratedzombie Private E-2

    No worries! I did a format and clean install, and things are running smoothly again. I really do appreciate the time and effort you both put into my problem, and I will be making generous use of this forum's advice in order to protect my family and me throughout the foreseeable future. :)
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member
